BRIM

BASICS

Process the "sample.pcap" file and look at the details of the first DNS log that appear on the dashboard. What is the "qclass_name"?

root@thm:~$ which brim
 /usr/bin/brim

root@thm:~$ brim
BRIM > Import Files > Desktop > Exercise-Files > sample.pcap
BRIM > Dashboard > 2017-03-03T20:02:33.387074Z dns CjZFhy3jhLPcrHP1jc ... > right-click > open details
 * look for the 1st occurrence of dns log in the dashboard
 
 * qclass_name: C_INTERNET

Look at the details of the first NTP log that appear on the dashboard. What is the "duration" value?

root@thm:~$ which brim
 /usr/bin/brim

root@thm:~$ brim
BRIM > Import Files > Desktop > Exercise-Files > sample.pcap
BRIM > Dashboard > 2017-03-03T20:02:45.706238Z ntp CYGUjM1Ar2CyNM7zGh ... > right-click > open details
 * look for the 1st occurrence of ntp log in the dashboard
 
 * Duration: 0.005 seconds

Look at the details of the STATS packet log that is visible on the dashboard. What is the "reassem_tcp_size"?

root@thm:~$ which brim
 /usr/bin/brim

root@thm:~$ brim
BRIM > Import Files > Desktop > Exercise-Files > sample.pcap
BRIM > Dashboard > 2017-03-03T20:02:11.009848Z stats zeek ... > right-click > open details
 * look for the 1st occurrence of STATS log in the dashboard
 
 * reassem_tcp_size: 540

DEFAULT QUERIES

Investigate the files. What is the name of the detected GIF file?

root@thm:~$ which brim
 /usr/bin/brim

root@thm:~$ brim
BRIM > Import Files > Desktop > Exercise-Files > task4-sample-b.pcap
BRIM > QUERIES > FILE ACTIVITY
BRIM > DASHBOARD > MIME_TYPE > image/gif > right-click > open details
 * look for a file that has a .gif extension
 
 * filename: cat01_with_hidden_text.gif

Investigate the conn logfile. What is the number of the identified city names?

root@thm:~$ which brim
 /usr/bin/brim

root@thm:~$ brim
BRIM > Import Files > Desktop > Exercise-Files > task4-sample-b.pcap
BRIM > Query Bar
 Search: _path=="conn" | cut geo.resp.country_code, geo.resp.region, geo.resp.city
BRIM > DASHBOARD > geo.resp.city
 * visually count
 
 * 2

Investigate the Suricata alerts. What is the Signature id of the alert category "Potential Corporate Privacy Violation"?

root@thm:~$ which brim
 /usr/bin/brim

root@thm:~$ brim
BRIM > Import Files > Desktop > Exercise-Files > task4-sample-b.pcap
BRIM > QUERIES > SURICATA ALERTS BY CATEGORY
BRIM > DASHBOARD > Potential Corporate Privacy Violation > right-click > open details > ALERT > CATEGORY > right-click > Pivot to Logs
 * look for "alert.signature.id"
 
 * 2,012,887

EXERCISE: THREAT HUNTING WITH BRIM | MALWARE C2 DETECTION

What is the name of the file downloaded from the CobaltStrike C2 connection?

root@thm:~$ which brim
 /usr/bin/brim

root@thm:~$ brim
BRIM > Import Files > Desktop > Exercise-Files > task6-malware-c2.pcap

#step 2: identify frequently communicated hosts
BRIM > Query: _path == "conn" | cut id.orig_h, id.resp_p, id.resp_h | sort  | uniq -c | sort -r count
 valued>id>orig_h       value>id>resp_p       value>id>resp_h     count
 10.22.5.47             443                   104.168.44.45       75         
 ...
 
 * the output data will provide analysts where to focus
    - this will help identify external IPs that could be potentially malicious

#step 3a: identify most active ports/services
BRIM > Query: _path == "conn" | cut id.resp_p, service | sort | uniq -c | sort -r count
 value>id>resp_p     value>service     count
 443                 ssl               367
 53                  dns               184
 ...

 * the output data will provide analysts which service focus
    
#step 3b (DNS): drill down suspected service and build hypothesis
BRIM > Query: _path == "dns" | count() by query | sort -r
 query            count
 hashingold.top   49
 ... 
 
 * the output data will highlight out of the ordinary dns queries

#step 3c (DNS): utilize virustotal to identify possible malicious domains
root@dco:~$ BROWSER > https://www.virustotal.com/gui/home/upload
 search: hashingold.top
 
 * automate the process using a script and utilize virustotal's API

#step 3d (HTTP): 
BRIM > Query: _path == "http" | cut id.orig_h, id.resp_h, id.resp_p, method, host, uri | uniq -c | sort value.uri
 value>id>orig_h     value>id>resp_h     value>id>resp_p    value>host
 10.22.5.47          104.168.44.45       80                 104.168.44.45
 ...

 * the output data will detect file download requests from IP addresses that are assumed as malicious. 
 
 #step 3e (HTTP): utilize virustotal to identify and validate hypothesis
root@dco:~$ BROWSER > https://www.virustotal.com/gui/home/upload
 search: 104.168.44.45
 
 * the output data will highlight abnormal activity and the malicious IP addresses
 
BRIM > QUERIES > HTTP Requests
BRIM > DASHBOARD > {10.22.5.47 <> 104.168.44.45}
 * /download/4564.exe

What is the number of CobaltStrike connections using port 443?

root@thm:~$ which brim
 /usr/bin/brim

root@thm:~$ brim
BRIM > Import Files > Desktop > Exercise-Files > task6-malware-c2.pcap

#step 2: identify frequently communicated hosts
BRIM > Query: _path == "conn" | cut id.orig_h, id.resp_p, id.resp_h | sort  | uniq -c | sort -r count
 valued>id>orig_h       value>id>resp_p       value>id>resp_h     count
 10.22.5.47             443                   104.168.44.45       75         
 ...
 
 * the output data will provide analysts where to focus
    - this will help identify external IPs that could be potentially malicious

#step 3a: identify most active ports/services
BRIM > Query: _path == "conn" | cut id.resp_p, service | sort | uniq -c | sort -r count
 value>id>resp_p     value>service     count
 443                 ssl               367
 53                  dns               184
 ...

 * the output data will provide analysts which service focus
    
#step 3b (DNS): drill down suspected service and build hypothesis
BRIM > Query: _path == "dns" | count() by query | sort -r
 query            count
 hashingold.top   49
 ... 
 
 * the output data will highlight out of the ordinary dns queries

#step 3c (DNS): utilize virustotal to identify possible malicious domains
root@dco:~$ BROWSER > https://www.virustotal.com/gui/home/upload
 search: hashingold.top
 
 * automate the process using a script and utilize virustotal's API

#step 3d (HTTP): 
BRIM > Query: _path == "http" | cut id.orig_h, id.resp_h, id.resp_p, method, host, uri | uniq -c | sort value.uri
 value>id>orig_h     value>id>resp_h     value>id>resp_p    value>host
 10.22.5.47          104.168.44.45       80                 104.168.44.45
 ...

 * the output data will detect file download requests from IP addresses that are assumed as malicious. 
 
 #step 3e (HTTP): utilize virustotal to identify and validate hypothesis
root@dco:~$ BROWSER > https://www.virustotal.com/gui/home/upload
 search: 104.168.44.45
 
 * the output data will highlight abnormal activity and the malicious IP addresses
 
BRIM > Query: _path=="conn" | 104.168.44.45 | cut id.orig_h, id.resp_p, id.resp_h | sort | uniq -c
 * 328

There is an additional C2 channel in used the given case. What is the name of the secondary C2 channel?

root@thm:~$ which brim
 /usr/bin/brim

root@thm:~$ brim
BRIM > Import Files > Desktop > Exercise-Files > task6-malware-c2.pcap

#step 2: identify frequently communicated hosts
BRIM > Query: _path == "conn" | cut id.orig_h, id.resp_p, id.resp_h | sort  | uniq -c | sort -r count
 valued>id>orig_h       value>id>resp_p       value>id>resp_h     count
 10.22.5.47             443                   104.168.44.45       75         
 ...
 
 * the output data will provide analysts where to focus
    - this will help identify external IPs that could be potentially malicious

#step 3a: identify most active ports/services
BRIM > Query: _path == "conn" | cut id.resp_p, service | sort | uniq -c | sort -r count
 value>id>resp_p     value>service     count
 443                 ssl               367
 53                  dns               184
 ...

 * the output data will provide analysts which service focus
    
#step 3b (DNS): drill down suspected service and build hypothesis
BRIM > Query: _path == "dns" | count() by query | sort -r
 query            count
 hashingold.top   49
 ... 
 
 * the output data will highlight out of the ordinary dns queries

#step 3c (DNS): utilize virustotal to identify possible malicious domains
root@dco:~$ BROWSER > https://www.virustotal.com/gui/home/upload
 search: hashingold.top
 
 * automate the process using a script and utilize virustotal's API

#step 3d (HTTP): 
BRIM > Query: _path == "http" | cut id.orig_h, id.resp_h, id.resp_p, method, host, uri | uniq -c | sort value.uri
 value>id>orig_h     value>id>resp_h     value>id>resp_p    value>host
 10.22.5.47          104.168.44.45       80                 104.168.44.45
 ...

 * the output data will detect file download requests from IP addresses that are assumed as malicious. 
 
 #step 3e (HTTP): utilize virustotal to identify and validate hypothesis
root@dco:~$ BROWSER > https://www.virustotal.com/gui/home/upload
 search: 104.168.44.45
 
 * the output data will highlight abnormal activity and the malicious IP addresses
 
BRIM > Query: event_type=="alert" | cut alert.signature | sort -r | uniq -c | sort -r count
 * ET MALWARE Win32/IcedID Request Cookie
 
root@thm:~$ BROWSER > https://www.virustotal.com
 search: 104.168.44.45 > relations
  - Scanned	Detections	Type   	        Name
2025-01-03	0/ 61           Text	        ips.txt
2024-06-07	0/ 62           Text	        2022-01-12-IOCs-for-IcedID-with-Cobalt-Strike-and-DarkVNC.txt
2022-01-19	0/ 56           Network capture	cobalt.pcap

EXERCISE: THREAT HUNTING WITH BRIM | CRYPTO MINING

How many connections used port 19999?

root@thm:~$ which brim
 /usr/bin/brim

root@thm:~$ brim
BRIM > Import Files > Desktop > Exercise-Files > task7-crypto-mine.pcapng

#step 2: identify frequently communicated hosts to detect any anomaly indicators
BRIM > Query: _path == "conn" | cut id.orig_h, id.resp_p, id.resp_h | sort  | uniq -c | sort -r count
 192.168.1.100    3333   52.31.186.94   2
 ...

 * the output data will provide analysts where to focus
    - this will help identify external IPs that could be potentially malicious

#step 3: identify most active ports/services
BRIM > Query: _path == "conn" | cut id.resp_p, service | sort | uniq -c | sort -r count
 19999   22

What is the name of the service used by port 6666?

root@thm:~$ which brim
 /usr/bin/brim

root@thm:~$ brim
BRIM > Import Files > Desktop > Exercise-Files > task7-crypto-mine.pcapng

#step 2: identify frequently communicated hosts to detect any anomaly indicators
BRIM > Query: _path == "conn" | cut id.orig_h, id.resp_p, id.resp_h | sort  | uniq -c | sort -r count
 192.168.1.100    3333   52.31.186.94   2
 ...

 * the output data will provide analysts where to focus
    - this will help identify external IPs that could be potentially malicious

#step 3: identify most active ports/services
BRIM > Query: _path == "conn" | cut id.resp_p, service | sort | uniq -c | sort -r count
 6666   irc   40

What is the amount of transferred total bytes to "101.201.172.235:8888"?

root@thm:~$ which brim
 /usr/bin/brim

root@thm:~$ brim
BRIM > Import Files > Desktop > Exercise-Files > task7-crypto-mine.pcapng

#step 2: identify frequently communicated hosts to detect any anomaly indicators
BRIM > Query: _path == "conn" | cut id.orig_h, id.resp_p, id.resp_h | sort  | uniq -c | sort -r count
 192.168.1.100    3333   52.31.186.94   2
 ...

 * the output data will provide analysts where to focus
    - this will help identify external IPs that could be potentially malicious

#step 3: identify most active ports/services
BRIM > Query: _path == "conn" | cut id.resp_p, service | sort | uniq -c | sort -r count
 6666   irc   40
 ...
     
#step 3f: analyze transferred data bytes
BRIM > Query: _path == "conn" | put total_bytes := orig_bytes + resp_bytes | sort -r total_bytes | cut uid, id, orig_bytes, resp_bytes, total_bytes
 CpxVR11UKEe7LhlWae  192.168.1.100  60740  101.201.172.235  8888  141  3588  3729
 ...

 * the output should highlight IP addresses that have huge amount of traffic

What is the detected MITRE tactic id?

root@thm:~$ which brim
 /usr/bin/brim

root@thm:~$ brim
BRIM > Import Files > Desktop > Exercise-Files > task7-crypto-mine.pcapng

#step 2: identify frequently communicated hosts to detect any anomaly indicators
BRIM > Query: _path == "conn" | cut id.orig_h, id.resp_p, id.resp_h | sort  | uniq -c | sort -r count
 192.168.1.100    3333   52.31.186.94   2
 ...

 * the output data will provide analysts where to focus
    - this will help identify external IPs that could be potentially malicious

#step 3: identify most active ports/services
BRIM > Query: _path == "conn" | cut id.resp_p, service | sort | uniq -c | sort -r count
 6666   irc   40
 ...
     
#step 3f: analyze transferred data bytes
BRIM > Query: _path == "conn" | put total_bytes := orig_bytes + resp_bytes | sort -r total_bytes | cut uid, id, orig_bytes, resp_bytes, total_bytes
 CpxVR11UKEe7LhlWae  192.168.1.100  60740  101.201.172.235  8888  141  3588  3729
 ...

 * the output should highlight IP addresses that have huge amount of traffic

#step 4: gather/hunt the low hanging fruits with Suricata rules/logs.
BRIM > Query: event_type=="alert" | count() by alert.severity,alert.category | sort count
 ...
 2  Crypto Currency Mining Activity Detected  944

 * the output will highlight the malicious activities detected by Suricata
    - this requires the use of suricata rules
 
#step 4d: utilize suricata logs to correlate the event to a MITRE ATT&CK techniques
BRIM > Query: event_type=="alert" | alert.metadata.mitre_tactic_id | sort | uniq

 * SURICATA CATEGORY        MITRE TECHNIQUE NAME   MITRE TECHNIQUE ID    MITRE TACTIC NAME
   Crypto Currency Mining   Resource_Hijacking     [TA0040]              Impact

PreviousZEEK NextWIRESHARK: BASICS

Last updated 10 months ago