Queries and History
count() by _path | sort -r
Checking smb or dce_rpc path:
_path matches smb* OR _path=="dce_rpc" | sort -r _path
Unique Network Connections and Transferred Data
Command 1: _path=="conn" | cut id.orig_h, id.resp_p, id.resp_h | sort | uniq
Command 2: _path=="conn" | put total_bytes := orig_bytes + resp_bytes | sort -r total_bytes | cut uid, id, orig_bytes, resp_bytes, total_bytes
DNS and HTTP Methods
Command 1: _path=="dns" | count() by query | sort -r
Command 2: _path=="http" | cut id.orig_h, id.resp_h, id.resp_p, method, host, uri | uniq -c
File Activity
filename!=null | cut _path, tx_hosts, rx_hosts, conn_uids, mime_type, filename, md5, sha1
IP Subnet Statistics
_path=="conn" | put classnet := network_of(id.resp_h) | cut classnet | count() by classnet | sort -r
Suricata Alerts
Command 1: event_type=="alert" | count() by alert.severity,alert.category | sort count
Command 2: event_type=="alert" | alerts := union(alert.category) by src_ip, dest_ip
Command 3: event_type=="alert" | alerts := union(alert.category) by network_of(dest_ip)
Checking identified city names
_path=="conn" | cut geo.resp.city | sort -r | uniq
Brim Query Reference
Basic Search:
Find logs containing this IP: 10.0.0.1
Logical Operators:
192 and NTP
Filter values:
id.orig_h==192.168.121.40
List specific log file contents:
_path=="conn"
Count field values:
count() by _path
Sort findings:
count() by _path | sort -r
Cut specific field from a log file:
_path=="conn" | cut id.orig_h, id.resp_p, id.resp_h
List unique values:
_path=="conn" | cut id.orig_h, id.resp_p, id.resp_h | sort | uniq
Communicated hosts:
_path=="conn" | cut id.orig_h, id.resp_h | sort | uniq
Frequently communicated hosts:
_path=="conn" | cut id.orig_h, id.resp_h | sort | uniq -c | sort -r
Most Active Ports:
-> _path=="conn" | cut id.resp_p, service | sort | uniq -c | sort -r count
-> _path=="conn" | cut id.orig_h, id.resp_h, id.resp_p, service | sort id.resp_p | uniq -c | sort -r
Long connections:
_path=="conn" | cut id.orig_h, id.resp_p, id.resp_h, duration | sort -r duration
Transferred Data:
_path=="conn" | put total_bytes := orig_bytes + resp_bytes | sort -r total_bytes | cut uid, id, orig_bytes, resp_bytes, total_bytes
DNS and HTTP queries:
-> _path=="dns" | count() by query | sort -r
-> _path=="http" | count() by uri | sort -r
Suspicious Hostnames:
_path=="dhcp" | cut host_name, domain
Suspicious IP Addresses:
_path=="conn" | put classnet := network_of(id.resp_h) | cut classnet | count() by classnet | sort -r
Detect Files:
filename!=null
SMB Activity:
_path=="dce_rpc" OR _path=="smb_mapping" OR _path=="smb_files"
Known Patterns:
event_type=="alert" or _path=="notice" or _path=="signatures"
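The conn-log pipelines in the reference above (count by _path, frequently communicated hosts, long connections, transferred data with `put total_bytes`, and the `network_of` class-net statistic) can be reproduced outside Brim when you need to script the same checks over raw Zeek output. The Python below is an added example, not code from the page or from the Brim project: it runs the equivalent of those queries over a handful of constructed Zeek-style NDJSON records, and its `classful_network` helper assumes, from the page's `classnet` alias, that the one-argument `network_of()` returns the classful (A/B/C) network.

```python
import ipaddress
import json
from collections import Counter

# Constructed Zeek-style NDJSON records (the form Brim ingests); not real traffic.
# "_path" selects the log type; conn records carry the id.* tuple and byte counts.
SAMPLE_LOGS = """
{"_path":"conn","uid":"C1","id.orig_h":"192.168.121.40","id.orig_p":49152,"id.resp_h":"10.0.0.1","id.resp_p":443,"service":"ssl","duration":12.5,"orig_bytes":1500,"resp_bytes":90000}
{"_path":"conn","uid":"C2","id.orig_h":"192.168.121.40","id.orig_p":49153,"id.resp_h":"10.0.0.1","id.resp_p":443,"service":"ssl","duration":3600.0,"orig_bytes":200,"resp_bytes":400}
{"_path":"conn","uid":"C3","id.orig_h":"192.168.121.41","id.orig_p":53001,"id.resp_h":"8.8.8.8","id.resp_p":53,"service":"dns","duration":0.02,"orig_bytes":60,"resp_bytes":120}
{"_path":"conn","uid":"C4","id.orig_h":"192.168.121.40","id.orig_p":49154,"id.resp_h":"203.0.113.7","id.resp_p":8888,"service":null,"duration":900.0,"orig_bytes":50000,"resp_bytes":250}
{"_path":"dns","uid":"C3","id.orig_h":"192.168.121.41","id.resp_h":"8.8.8.8","query":"example.com"}
"""


def load_records(text: str) -> list[dict]:
    """Parse NDJSON into a list of dicts, skipping blank lines."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def count_by_path(records: list[dict]) -> list[tuple[str, int]]:
    """Equivalent of: count() by _path | sort -r"""
    return Counter(r["_path"] for r in records).most_common()


def unique_connections(records: list[dict]) -> list[tuple[tuple, int]]:
    """Equivalent of: _path=="conn" | cut id.orig_h, id.resp_p, id.resp_h | sort | uniq -c | sort -r"""
    conns = (r for r in records if r["_path"] == "conn")
    return Counter((r["id.orig_h"], r["id.resp_p"], r["id.resp_h"]) for r in conns).most_common()


def transferred_data(records: list[dict]) -> list[dict]:
    """Equivalent of: _path=="conn" | put total_bytes := orig_bytes + resp_bytes | sort -r total_bytes | cut ..."""
    rows = []
    for r in records:
        if r["_path"] != "conn":
            continue
        # Zeek leaves orig_bytes/resp_bytes unset on some half-open flows; treat missing as 0.
        orig, resp = r.get("orig_bytes") or 0, r.get("resp_bytes") or 0
        rows.append({"uid": r["uid"], "id.orig_h": r["id.orig_h"], "id.resp_h": r["id.resp_h"],
                     "orig_bytes": orig, "resp_bytes": resp, "total_bytes": orig + resp})
    return sorted(rows, key=lambda row: row["total_bytes"], reverse=True)


def long_connections(records: list[dict]) -> list[dict]:
    """Equivalent of: _path=="conn" | cut id.orig_h, id.resp_p, id.resp_h, duration | sort -r duration"""
    conns = [r for r in records if r["_path"] == "conn" and r.get("duration") is not None]
    rows = ({k: r[k] for k in ("uid", "id.orig_h", "id.resp_p", "id.resp_h", "duration")} for r in conns)
    return sorted(rows, key=lambda row: row["duration"], reverse=True)


def classful_network(ip: str) -> str:
    """Classful (A/B/C) network of an IPv4 address. Assumption: this is what the page's
    `classnet := network_of(id.resp_h)` computes when network_of is given one argument."""
    first = int(ip.split(".")[0])
    prefix = 8 if first < 128 else 16 if first < 192 else 24
    return str(ipaddress.ip_network(f"{ip}/{prefix}", strict=False))


def classnet_counts(records: list[dict]) -> list[tuple[str, int]]:
    """Equivalent of: _path=="conn" | put classnet := network_of(id.resp_h) | count() by classnet | sort -r"""
    conns = (r for r in records if r["_path"] == "conn")
    return Counter(classful_network(r["id.resp_h"]) for r in conns).most_common()


if __name__ == "__main__":
    recs = load_records(SAMPLE_LOGS)
    print("by _path:", count_by_path(recs))
    print("top talkers:", unique_connections(recs)[:3])
    print("largest transfers:", [(r["uid"], r["total_bytes"]) for r in transferred_data(recs)])
    print("longest:", [(r["uid"], r["duration"]) for r in long_connections(recs)])
    print("classnets:", classnet_counts(recs))
```

Each function mirrors one pipeline from the reference so the two can be compared side by side; the `or 0` guard in `transferred_data` is the one thing Brim's `put total_bytes` does not do for you, since a null byte count yields a null sum that silently drops off the top of a `sort -r`.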
Threat Hunting with Brim - Malware C2 Detection
Query 1:
count() by _path | sort -r
Query 2: Extract unique ports and communicating IPs
cut id.orig_h, id.resp_p, id.resp_h | sort | uniq -c | sort -r count
Query 3: Look at the port numbers and available services
_path=="conn" | cut id.resp_p, service | sort | uniq -c | sort -r count
Query 4: Checking all DNS queries
_path=="dns" | count() by query | sort -r
- Use VirusTotal on these.
Query 5: Look at the HTTP requests before narrowing down our investigation with the malicious IP addresses found.
_path=="http" | cut id.orig_h, id.resp_h, id.resp_p, method, host, uri | uniq -c | sort value.uri
- Important IP -> 104.168.44.45 because of the file download request
Query 6: Checking Suricata logs
event_type=="alert" | count() by alert.severity,alert.category | sort count
Please note: adversaries using Cobalt Strike are usually skilled threats and don't rely on a single C2 channel.
Query 7: Checking downloaded Cobalt Strike C2:
_path=="http" | cut id.orig_h, id.resp_h, id.resp_p, method, host, uri | uniq -c | sort value.uri
Query 8: Checking the CobaltStrike connections using port 443
event_type=="alert" | cut dest_port | sort | count() by dest_port
Query 9: Checking the secondary C2 channel:
event_type=="alert" | cut alert.signature | sort | uniq -c | sort -r count
Threat Hunting with Brim : CryptoMining
Query 1:
count() by _path | sort -r
Query 2: Review the frequently communicated hosts to see if there is an anomaly indicator
cut id.orig_h, id.resp_p, id.resp_h | sort | uniq -c | sort -r
Query 3: Port numbers and available services before focusing on the suspicious IP address
_path=="conn" | cut id.resp_p, service | sort | uniq -c | sort -r count
Query 4: Transferred data bytes to support our findings and find more indicators
_path=="conn" | put total_bytes := orig_bytes + resp_bytes | sort -r total_bytes | cut uid, id, orig_bytes, resp_bytes, total_bytes
Query 5: Hunt the low-hanging fruit with the help of Suricata rules. Let's investigate the Suricata logs:
event_type=="alert" | count() by alert.severity,alert.category | sort count
Query 6: Let’s dig deeper and discover which data pool is used for the mining activity. First, we will list the associated connection logs with the suspicious IP, and then we will run a VirusTotal search against the destination IP.
_path=="conn" | 192.168.1.100
Query 7: Use Suricata logs to discover the mapped MITRE ATT&CK techniques:
event_type=="alert" | cut alert.category, alert.metadata.mitre_technique_name, alert.metadata.mitre_technique_id, alert.metadata.mitre_tactic_name | sort | uniq -c
Now we can identify the mapped MITRE ATT&CK details, as shown in the table below:
Query 8: Checking the number of connections on a specific port. In this case, port 19999:
_path=="conn" | 19999 | count()
Query 9: Checking the name of the service used for a specific port. In this case, port 6666:
Query 10: Checking the amount of total bytes transferred on a specific <ip>:<port> combination. In this case, 101.201.172.235:8888:
_path=="conn" | 101.201.172.235 | 8888 | put total_bytes := orig_bytes + resp_bytes | cut uid, id.orig_h, id.orig_p, id.resp_h, id.resp_p, orig_bytes, resp_bytes, total_bytes
Query 11: Checking Suricata log alerts and their MITRE ATT&CK technique name and ID:
event_type=="alert" | cut alert.category, alert.metadata.mitre_technique_name, alert.metadata.mitre_technique_id, alert.metadata.mitre_tactic_name | sort | uniq -c
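The Suricata-side pipelines on this page (the three alert commands in the "Suricata Alerts" section, Queries 6, 8 and 9 of the C2 hunt, and Queries 7 and 11 here) all reduce to grouping eve.json alert records by severity, category, signature, port, peer pair or MITRE metadata. The Python below is an added example, not code from the page or from the Brim or Suricata projects: it runs those groupings over constructed eve.json records whose signatures, addresses and MITRE metadata are illustrative placeholders, and, like the previous example, assumes the one-argument `network_of()` means the classful network.

```python
import ipaddress
import json
from collections import Counter, defaultdict

# Constructed Suricata eve.json records; signatures, IPs and MITRE metadata are
# illustrative placeholders, not real rule content. One non-alert record is included
# to show the event_type=="alert" filter doing its job.
EVE_LOG = """
{"event_type":"alert","src_ip":"192.168.1.100","dest_ip":"203.0.113.7","dest_port":8888,"alert":{"signature":"EXAMPLE Mining pool login","category":"Potential Corporate Privacy Violation","severity":1,"metadata":{"mitre_tactic_name":["Impact"],"mitre_technique_id":["T1496"],"mitre_technique_name":["Resource Hijacking"]}}}
{"event_type":"alert","src_ip":"192.168.1.100","dest_ip":"203.0.113.7","dest_port":8888,"alert":{"signature":"EXAMPLE Mining pool login","category":"Potential Corporate Privacy Violation","severity":1,"metadata":{"mitre_tactic_name":["Impact"],"mitre_technique_id":["T1496"],"mitre_technique_name":["Resource Hijacking"]}}}
{"event_type":"alert","src_ip":"192.168.1.100","dest_ip":"203.0.113.9","dest_port":443,"alert":{"signature":"EXAMPLE Beacon over TLS","category":"Malware Command and Control Activity Detected","severity":1,"metadata":{"mitre_tactic_name":["Command and Control"],"mitre_technique_id":["T1071"],"mitre_technique_name":["Application Layer Protocol"]}}}
{"event_type":"alert","src_ip":"192.168.1.101","dest_ip":"198.51.100.20","dest_port":80,"alert":{"signature":"EXAMPLE Suspicious user-agent","category":"Misc activity","severity":3,"metadata":{}}}
{"event_type":"flow","src_ip":"192.168.1.101","dest_ip":"198.51.100.20","dest_port":80}
"""


def load_records(text: str) -> list[dict]:
    """Parse NDJSON into dicts, skipping blank lines."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def alerts(records: list[dict]) -> list[dict]:
    """Equivalent of the filter: event_type=="alert" """
    return [r for r in records if r.get("event_type") == "alert"]


def count_by_severity_category(records: list[dict]) -> list[tuple[tuple, int]]:
    """Equivalent of: event_type=="alert" | count() by alert.severity, alert.category | sort count"""
    c = Counter((r["alert"]["severity"], r["alert"]["category"]) for r in alerts(records))
    return sorted(c.items(), key=lambda kv: kv[1])  # ascending, as `sort count` does


def categories_by_pair(records: list[dict]) -> dict[tuple, list[str]]:
    """Equivalent of: event_type=="alert" | alerts := union(alert.category) by src_ip, dest_ip"""
    groups = defaultdict(set)
    for r in alerts(records):
        groups[(r["src_ip"], r["dest_ip"])].add(r["alert"]["category"])
    return {k: sorted(v) for k, v in groups.items()}


def classful_network(ip: str) -> str:
    """Classful (A/B/C) network; assumed meaning of the one-argument network_of()."""
    first = int(ip.split(".")[0])
    prefix = 8 if first < 128 else 16 if first < 192 else 24
    return str(ipaddress.ip_network(f"{ip}/{prefix}", strict=False))


def categories_by_dest_network(records: list[dict]) -> dict[str, list[str]]:
    """Equivalent of: event_type=="alert" | alerts := union(alert.category) by network_of(dest_ip)"""
    groups = defaultdict(set)
    for r in alerts(records):
        groups[classful_network(r["dest_ip"])].add(r["alert"]["category"])
    return {k: sorted(v) for k, v in groups.items()}


def count_by_dest_port(records: list[dict]) -> dict[int, int]:
    """Equivalent of: event_type=="alert" | cut dest_port | sort | count() by dest_port"""
    return dict(Counter(r["dest_port"] for r in alerts(records)))


def signature_counts(records: list[dict]) -> list[tuple[str, int]]:
    """Equivalent of: event_type=="alert" | cut alert.signature | sort | uniq -c | sort -r count"""
    return Counter(r["alert"]["signature"] for r in alerts(records)).most_common()


def mitre_mapping(records: list[dict]) -> list[tuple[tuple, int]]:
    """Equivalent of: event_type=="alert" | cut alert.category, alert.metadata.mitre_technique_name,
    alert.metadata.mitre_technique_id, alert.metadata.mitre_tactic_name | sort | uniq -c
    Suricata stores rule metadata values as lists; they are joined for display, and
    rules without MITRE metadata show up with None so they are not silently dropped."""
    def field(meta: dict, key: str):
        val = meta.get(key)
        return ",".join(val) if isinstance(val, list) else val

    rows = Counter()
    for r in alerts(records):
        meta = r["alert"].get("metadata") or {}
        rows[(r["alert"]["category"], field(meta, "mitre_technique_name"),
              field(meta, "mitre_technique_id"), field(meta, "mitre_tactic_name"))] += 1
    return sorted(rows.items(), key=lambda kv: tuple(x or "" for x in kv[0]))


if __name__ == "__main__":
    recs = load_records(EVE_LOG)
    print("severity/category:", count_by_severity_category(recs))
    print("by peer pair:", categories_by_pair(recs))
    print("by dest network:", categories_by_dest_network(recs))
    print("by dest port:", count_by_dest_port(recs))
    print("signatures:", signature_counts(recs))
    for row, n in mitre_mapping(recs):
        print(n, row)
```

The `union()` aggregations are the ones worth keeping close at hand: grouping by peer pair (or destination network) collapses hundreds of repeated alerts into one line per conversation, which is what makes a secondary C2 channel on a different port or host stand out next to the primary one.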