Brim | TryHackMe Walkthrough

👋 Hi, I’m Umamaheswari. Through this blog, I share visual walkthroughs and hands-on investigations on PCAP, phishing, Splunk, ELK, malware, and digital forensics—based on labs from TryHackMe, HackTheBox and CyberDefenders. Feel free to connect or ask questions — I am more than happy to help.

Brim is an open-source desktop application that processes pcap files and log files. Its primary focus is providing search and analytics over that data.

It uses the Zeek log processing format. It also supports Zeek signatures and Suricata rules for detection.

It can handle two types of data as input:

  • Packet capture files: pcap files created with applications such as tcpdump, tshark and Wireshark.

  • Log files: structured log files such as Zeek logs.

Dashboard:

To add a pcap file, go to the POOLS tab and click the + icon.

  • POOLS: lists the pcap files loaded into Brim.

  • Queries: BRIM: shows the default queries that ship with Brim.

  • You can also add custom queries using the “+” icon; a query can be given a name, description and tags and reused later.

  • History: stores all previously run queries.

    At the top:

  • Select any log and click Packets to open the selected log directly in Wireshark.

  • The time range over which this pcap file captured packets is shown.

Log Details & Correlation

  • When you select a log, its details appear on the right side.

  • Scroll down to the Correlation tab, which shows the IPs, ports, bytes and packets transferred in the selected connection.

  • You can right-click any field (IP, domain, port, service, etc.) to filter or count by that field.

  • We can also perform WHOIS or VirusTotal lookups.

Task 3: The Basics

Process the "sample.pcap" file and look at the details of the first DNS log that appears on the dashboard. What is the "qclass_name"?

Ans: C_INTERNET

Look at the details of the first NTP log that appears on the dashboard. What is the "duration" value?

Ans: 0.005

Look at the details of the STATS packet log that is visible on the dashboard. What is the "reassem_tcp_size"?

Ans: 540

Task 5: Default Queries

Investigate the files. What is the name of the detected GIF file?

Ans: cat01_with_hidden_text.gif

Investigate the conn logfile. What is the number of the identified city names?

Ans: 2

Hint: you can filter the conn log and then view the available fields by scrolling the horizontal bar, but that takes time, so it is faster to cut the geo fields and then count by the city field only:

_path=="conn" | cut geo.resp.countrycode, geo.resp.region, geo.resp.city | count by geo.resp.city

Investigate the Suricata alerts. What is the Signature id of the alert category "Potential Corporate Privacy Violation"?

Ans: 2012887

Task 6: Exercise: Threat Hunting with Brim | Malware C2 Detection

What is the name of the file downloaded from the CobaltStrike C2 connection?

Ans: 4564.exe

In the “HTTP Requests” default query, the suspicious entry is the request that has a bare IP address as its host and 4564.exe as the requested file.

What is the number of CobaltStrike connections using port 443?

Ans: 328

Hint: the IP starting with "104" is CobaltStrike.

The downloaded file, 4564.exe, is associated with the IP 104.168.44.45.

Select this suspected C2 IP, right-click it and choose Filter == value.

Then right-click port 443 and choose Count by field.

There is an additional C2 channel in use in the given case. What is the name of the secondary C2 channel?

Ans: IcedID

Hint: event_type=="alert" | cut alert.signature | sort -r | uniq -c | sort -r count

From the results, choose the alert.signature field, right-click it and select Count by field.

Two malware names appear: Dridex and IcedID.

Task 7: Exercise: Threat Hunting with Brim | Crypto Mining

How many connections used port 19999?

Ans: 22

Query given in the task: cut id.orig_h, id.resp_p, id.resp_h | sort | uniq -c | sort -r. Alternatively, open the default query “Connection Received Data”, sort by IP, then right-click the relevant field and choose Count by field.

What is the name of the service used by port 6666?

Ans: irc

Query discussed in the task: _path=="conn" | cut id.resp_p, service | sort | uniq -c | sort -r count

Then filter on port 6666 to see the service recorded for it.

What is the amount of transferred total bytes to "101.201.172.235:8888"?

Ans: 3729

Query discussed in the task: _path=="conn" | put total_bytes := orig_bytes + resp_bytes | sort -r total_bytes | cut uid, id, orig_bytes, resp_bytes, total_bytes

Alternatively, use the default query “Connection Received Data” and then sort by IP and port.
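The conn-log queries used in Tasks 5 and 7 (count by city, service per port, connections to a port, and total bytes per destination) are Zed pipelines run inside Brim. As an added example that is not part of the original walkthrough or of the Brim project, the Python script below performs the same aggregations outside the GUI over Zeek conn records in JSON-lines form. The log lines, hosts (documentation IP ranges), ports, byte counts and city values are constructed for illustration, `_path` is assumed to be present the way Brim shows it, and a missing `orig_bytes` (which Zeek leaves unset for some connection states) is counted as 0 so that a total can still be computed for that connection.

```python
import json
from collections import Counter, defaultdict

# Constructed Zeek conn records in JSON-lines form (NOT from the room's sample
# pcap): addresses, ports, byte counts and geo.resp.city values are made up.
# Record CAAAA4 deliberately has no orig_bytes, and CAAAA6 has no city, to show
# how unset Zeek fields are handled. The last line is a dns record, which the
# _path filter must drop.
SAMPLE_CONN_LOG = """\
{"_path":"conn","ts":1700000000.1,"uid":"CAAAA1","id.orig_h":"10.0.0.5","id.orig_p":49152,"id.resp_h":"203.0.113.5","id.resp_p":8888,"proto":"tcp","orig_bytes":1500,"resp_bytes":2100,"geo.resp.city":"Beijing"}
{"_path":"conn","ts":1700000001.2,"uid":"CAAAA2","id.orig_h":"10.0.0.5","id.orig_p":49153,"id.resp_h":"203.0.113.5","id.resp_p":8888,"proto":"tcp","orig_bytes":300,"resp_bytes":400,"geo.resp.city":"Beijing"}
{"_path":"conn","ts":1700000002.3,"uid":"CAAAA3","id.orig_h":"10.0.0.7","id.orig_p":50001,"id.resp_h":"198.51.100.10","id.resp_p":19999,"proto":"tcp","orig_bytes":50,"resp_bytes":60,"geo.resp.city":"Dublin"}
{"_path":"conn","ts":1700000003.4,"uid":"CAAAA4","id.orig_h":"10.0.0.7","id.orig_p":50002,"id.resp_h":"198.51.100.10","id.resp_p":19999,"proto":"tcp","resp_bytes":10,"geo.resp.city":"Dublin"}
{"_path":"conn","ts":1700000004.5,"uid":"CAAAA5","id.orig_h":"10.0.0.9","id.orig_p":50003,"id.resp_h":"203.0.113.4","id.resp_p":6666,"proto":"tcp","service":"irc","orig_bytes":900,"resp_bytes":1100,"geo.resp.city":"Beijing"}
{"_path":"conn","ts":1700000005.6,"uid":"CAAAA6","id.orig_h":"10.0.0.9","id.orig_p":50004,"id.resp_h":"203.0.113.4","id.resp_p":443,"proto":"tcp","service":"ssl","orig_bytes":100,"resp_bytes":200}
{"_path":"dns","ts":1700000006.7,"uid":"CAAAA7","id.orig_h":"10.0.0.9","id.orig_p":50005,"id.resp_h":"10.0.0.1","id.resp_p":53,"proto":"udp","query":"example.com"}
"""


def parse_zeek_log(text, path="conn"):
    """Parse JSON-lines Zeek output and keep only records of the given _path
    (the equivalent of the _path=="conn" filter in the Brim queries)."""
    records = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        record = json.loads(line)
        if record.get("_path") == path:
            records.append(record)
    return records


def distinct_values(records, field):
    """Distinct values of a field, ignoring records where it is unset.
    Mirrors 'cut geo.resp.city | count by geo.resp.city' for the city question."""
    return sorted({r[field] for r in records if r.get(field) is not None})


def service_by_port(records):
    """(responder port, service) pairs with their counts, most frequent first.
    Mirrors 'cut id.resp_p, service | sort | uniq -c | sort -r count'."""
    counts = Counter((r.get("id.resp_p"), r.get("service") or "-") for r in records)
    return sorted(counts.items(), key=lambda kv: (-kv[1], kv[0][0]))


def connections_to_port(records, port):
    """Number of connections whose responder port equals the given port."""
    return sum(1 for r in records if r.get("id.resp_p") == port)


def total_bytes_by_destination(records):
    """Bytes in both directions summed per 'host:port' destination.
    Mirrors 'put total_bytes := orig_bytes + resp_bytes', treating an unset
    byte counter as 0 so a half-logged connection still contributes."""
    totals = defaultdict(int)
    for r in records:
        key = f'{r["id.resp_h"]}:{r["id.resp_p"]}'
        totals[key] += (r.get("orig_bytes") or 0) + (r.get("resp_bytes") or 0)
    return dict(totals)


def top_destinations_by_bytes(records, n=3):
    """The n destinations with the largest total byte counts (sort -r total_bytes)."""
    totals = total_bytes_by_destination(records)
    return sorted(totals.items(), key=lambda kv: (-kv[1], kv[0]))[:n]


if __name__ == "__main__":
    conn = parse_zeek_log(SAMPLE_CONN_LOG)
    print("cities:", distinct_values(conn, "geo.resp.city"))
    print("connections to 19999:", connections_to_port(conn, 19999))
    for (port, service), n in service_by_port(conn):
        print(f"{n:>4}  port={port:<6} service={service}")
    for dest, total in top_destinations_by_bytes(conn):
        print(f"{total:>8}  {dest}")
```

Each function corresponds to one of the Zed pipelines quoted in the walkthrough, so the same questions (how many distinct cities, which service sits on a port, how many connections hit a port, which destination received the most bytes) can be answered from the raw JSON logs when Brim is not available.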

What is the detected MITRE tactic id?

Ans: TA0040

Hint: Investigate the alert logs without filter and find the tactic id field.

Query discussed in the task, to map the MITRE ATT&CK details:

event_type=="alert" | cut alert.category, alert.metadata.mitre_technique_name, alert.metadata.mitre_technique_id, alert.metadata.mitre_tactic_name | sort | uniq -c

The tactic id is in the alert.metadata.mitre_tactic_id field; add it to the query above, or filter on that field alone.
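Both alert queries in this walkthrough (counting alert.signature values in Task 6 and mapping the alert.metadata MITRE fields here) operate on Suricata EVE alert records. As an added example, not taken from the walkthrough or from Brim, the Python below reproduces those steps over constructed eve.json lines: the signature names, SIDs (in the local 1000000+ range), addresses and metadata strings are made up for illustration, while the ATT&CK identifiers used (TA0011 Command and Control, TA0040 Impact, T1071, T1496) are real. Suricata emits rule metadata values as lists of strings, so the helper takes the first element and substitutes "-" for rules that carry no metadata, which is why such alerts show no tactic id when you inspect them in Brim.

```python
import json
from collections import Counter

# Constructed Suricata EVE JSON lines (NOT from the room's pcap). Signature
# text, SIDs and addresses are invented; the last alert has no metadata block,
# and the final line is a non-alert event that must be filtered out.
SAMPLE_EVE_LOG = """\
{"event_type":"alert","src_ip":"10.0.0.5","dest_ip":"203.0.113.9","dest_port":443,"alert":{"signature_id":1000001,"signature":"EXAMPLE MALWARE beacon check-in","category":"A Network Trojan was detected","metadata":{"mitre_tactic_id":["TA0011"],"mitre_tactic_name":["Command_and_Control"],"mitre_technique_id":["T1071"],"mitre_technique_name":["Application_Layer_Protocol"]}}}
{"event_type":"alert","src_ip":"10.0.0.5","dest_ip":"203.0.113.9","dest_port":443,"alert":{"signature_id":1000001,"signature":"EXAMPLE MALWARE beacon check-in","category":"A Network Trojan was detected","metadata":{"mitre_tactic_id":["TA0011"],"mitre_tactic_name":["Command_and_Control"],"mitre_technique_id":["T1071"],"mitre_technique_name":["Application_Layer_Protocol"]}}}
{"event_type":"alert","src_ip":"10.0.0.7","dest_ip":"198.51.100.10","dest_port":19999,"alert":{"signature_id":1000002,"signature":"EXAMPLE POLICY mining pool connection","category":"Potential Corporate Privacy Violation","metadata":{"mitre_tactic_id":["TA0040"],"mitre_tactic_name":["Impact"],"mitre_technique_id":["T1496"],"mitre_technique_name":["Resource_Hijacking"]}}}
{"event_type":"alert","src_ip":"10.0.0.9","dest_ip":"203.0.113.4","dest_port":8080,"alert":{"signature_id":1000003,"signature":"EXAMPLE MALWARE secondary C2 check-in","category":"A Network Trojan was detected"}}
{"event_type":"flow","src_ip":"10.0.0.9","dest_ip":"203.0.113.4","dest_port":8080}
"""


def parse_alerts(text):
    """Parse eve.json lines and keep only event_type=="alert" records."""
    alerts = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        event = json.loads(line)
        if event.get("event_type") == "alert":
            alerts.append(event)
    return alerts


def count_by_signature(alerts):
    """(signature, count) pairs, most frequent first; ties sorted by name.
    Mirrors 'cut alert.signature | sort -r | uniq -c | sort -r count'."""
    counts = Counter(a["alert"]["signature"] for a in alerts)
    return sorted(counts.items(), key=lambda kv: (-kv[1], kv[0]))


def signature_ids_for_category(alerts, category):
    """Distinct signature ids whose alert.category matches (the Task 5 question)."""
    return sorted({a["alert"]["signature_id"] for a in alerts
                   if a["alert"].get("category") == category})


def _meta(alert, key):
    """Read one rule-metadata value. Suricata writes metadata values as lists
    of strings; return the first entry, or "-" when the rule has none."""
    value = alert.get("metadata", {}).get(key)
    if isinstance(value, list):
        return value[0] if value else "-"
    return value if value is not None else "-"


def mitre_summary(alerts):
    """Counter keyed by (category, technique name, technique id, tactic name,
    tactic id), the same grouping as the 'cut ... | sort | uniq -c' query with
    alert.metadata.mitre_tactic_id added."""
    rows = Counter()
    for a in alerts:
        al = a["alert"]
        rows[(al.get("category", "-"),
              _meta(al, "mitre_technique_name"),
              _meta(al, "mitre_technique_id"),
              _meta(al, "mitre_tactic_name"),
              _meta(al, "mitre_tactic_id"))] += 1
    return rows


def tactic_ids(alerts):
    """Distinct MITRE tactic ids present in the alerts (unset ones excluded)."""
    return sorted({_meta(a["alert"], "mitre_tactic_id") for a in alerts} - {"-"})


if __name__ == "__main__":
    alerts = parse_alerts(SAMPLE_EVE_LOG)
    for sig, n in count_by_signature(alerts):
        print(f"{n:>4}  {sig}")
    for row, n in sorted(mitre_summary(alerts).items()):
        print(n, *row)
    print("tactic ids:", tactic_ids(alerts))
```

Running the script lists the signatures by frequency, the category/technique/tactic grouping, and the set of tactic ids, which is the information the two Brim queries return; alerts whose rules carry no MITRE metadata appear with "-" placeholders rather than being silently dropped.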

Congratulations! You just finished the Brim room.