Hello Amazing Hackers.
This is badboy_17 with a new room, Masterminds from Tryhackme.
In this room we gonna learn incident response Through using Brim software.
If you aren’t familiar with brim too much then don’t worry 😁 here badboy_17 gonna help you to use brim with the shortest & coolest way 😀.
So don’t wasting time Let’s move on.
Three machines in the Finance department at Pfeffer PLC were compromised. We suspect the initial source of the compromise happened through a phishing attempt and by an infected USB drive. The Incident Response team managed to pull the network traffic logs from the endpoints.Let’s Use Brim to investigate the network traffic for any indicators of an attack and determine who stands behind the attacks.
Deploy the machine attached to this task; it will be visible in the split-screen view once it is ready.
Start by loading the Infection1 packet capture in Brim to investigate the compromise event for the first machine. All the PCAPs can be found here: /home/ubuntu/Desktop/PCAPs
[Infection 1]
Double-click on the brim software on the attached VM.
Choose the Infection1.pcap from the PCAPs directory
Give it time to load
If we click on the highlighted packet we’ll see like this
Question-1.1:
So we got answer of first question.
Question-1.2:
Then the second Question is about two domain that gave 404 Error code.
If we search 404 we get the two host/domain. easy af 😁
Question-1.3:
Let’s do a easy search .write “1309” & we got the answer .
Question-1.4:
For Solving this, there is pre built filters. Click on the “Unique DNS Queries” .
Easy Isn’t it? 😀
Question-1.5:
Same like before, just use the Filters. This time Click on “HTTP Requests”.
Double click on the packet to copy the answer.
Question-1.6:
From the Previous filter we got the answer here. Look there is a executable i.e an exe file. So that is the malicious Executable file and from same packet we got the IP.
Question-1.7:
from second question we got two domain. Searching on Virsutotal we got some result but nothing useful.
After Reading the Hint — “Check what the Community has to say.”
I went to communtiy tab. There is a Pastebin Link. From there i got the name of Malware.
[Infection 2]
Navigate to the PCAPs directory & open Infection2.pcap file.
Question-2.1:
As Usual Easy First question 😁
Question-2.2:
Just use “HTTP Post Requests” filter and the ip address is front of you. ;)
Question-2.3:
From previous Question we saw there is three requests. So you know the answer 😆
Question-2.4:
The Binary means an executable i.e exe file and Again with “HTTP Requests” filter we got our answer 😀
Question-2.5:
We just have to give the full URI Path.Double click on packet & copy to give the answer.
Question-2.6:
We know the answer :)
Question-2.7:
Use “Suricata alert by Source and Destination”. From there we got the source and destination ip.
Question-2.8:
Here we’ve given a site URLhaus Database and asked to find the name of the stealer of that trojan.
In that Website searching by this
“hypercustom.top/jollion/apines.exe” query we got the result.
[Infection 3]
load the Infection3.pcapng and Start the investigation -
Question-3.1:
Starting with easy question.
Question-3.2:
This is somewhat a tricky question. and a tricky question after long time
The Question asked to give the domain where the binary was downloaded.
using “HTTP Requests” filter and from hint i added “ |sort ts ” , i got the answer.
Question-3.3:
It asked about the IP of that three domains.
EASY PEASY😝
Question-3.4:
The first IP address of previous question that means we are talking about “xfhoahegue.ru”. So with“Unique DNS Queries” filter and adding “ | xfhoahegue.ru ” we got our answer.
Question-3.5:
We can get it after filtering with “HTTP Requests”.
Question-3.6:
Hint says “Try to type “user_agent” in the search bar.”
Clearing every filter and after refereshing the pcapng file type “user-agent” in the search bar. we got some result. Double clicking on any “xfhoahegue.ru” containing packet we should get the user agent. Double click to copy and get the answer.
Question-3.7:
Using “Activity Overview” we got total amount of DNS Connections made
Question-3.8:
Searching for “ “xfhoahegue” worm name” in the google, the first result gave me the answer.
So this is the END.
So How you enjoyed using BRIM? For Me BRIM is really cool & i’ve enjoyed this room so much. Special Thanks to heavenraiza & RussianPanda for creating such an Awesome room. 🙏
Let’s hope to see you again with some juicy stuff.
Untill Then This is badboy_17 & I really do Thank you for joining with me.♥️