Scenario
You work as a Tier 1 (L1) Security Analyst for a Managed Security Service Provider (MSSP). Again, you are tasked with monitoring network alerts.
An alert triggered:
- **Misc activity**,
- **A Network Trojan Was Detected**, and
- **Potential Corporate Privacy Violation**
The case was assigned to you. Inspect the PCAP and retrieve the artifacts to confirm this alert is a true positive.
Your tools: Brim (log analysis), Wireshark and NetworkMiner (packet and file carving), and VirusTotal for enrichment.
Questions and Answers section
With Brim (Log Analysis)
Checking the traffic type in the pcap, i.e. how many Zeek log records there are per log type (`_path`):
```
count() by _path | sort -r
```
- What was the alert signature for A Network Trojan Was Detected?
Using Brim's Suricata alert query, which groups the union of alert categories by source and destination IP:
```
event_type=="alert" | alerts := union(alert.category) by src_ip, dest_ip
```
Going to logs:
- Answer: ET Malware Likely Evil EXE download from MSXMLHTTP non-exe extension M2
- What was the alert signature for Potential Corporate Privacy Violation?
Found in the same result set as the previous question:
- Answer: ET POLICY PE EXE or DLL Windows file download HTTP
- What was the IP that triggered either alert? Enter your answer in a defanged format.
- Answer: 185[.]118[.]164[.]8
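The same triage done outside Brim, as an added example that is not part of the original write-up: it reads Suricata eve.json alert records, groups alert categories per (src_ip, dest_ip) pair exactly like the Brim query above, pulls the signature behind each category, finds the external IP on either side of the alerts, and defangs the result. The sample eve.json lines are constructed: the two ET signatures and 185.118.164.8 come from the write-up, while the client IP, ports, SIDs, URL path, User-Agent, timestamps and the "Misc activity" signature text are placeholders.

```python
import ipaddress
import json
from collections import defaultdict

# Constructed sample eve.json: three alert records (one per category in the
# write-up) plus one non-alert record to show the event_type filter.
# Placeholders: client IP, ports, SIDs (local 1000000+ range), URL path,
# User-Agent, timestamps and the "Misc activity" signature text.
SAMPLE_EVE = "\n".join([
    '{"timestamp":"2021-01-01T00:00:01.000000+0000","event_type":"alert","src_ip":"10.0.0.5","src_port":49812,"dest_ip":"185.118.164.8","dest_port":80,"proto":"TCP","alert":{"action":"allowed","signature_id":1000001,"signature":"ET Malware Likely Evil EXE download from MSXMLHTTP non-exe extension M2","category":"A Network Trojan was Detected","severity":1},"http":{"hostname":"185.118.164.8","url":"/placeholder/gap1.cab","http_user_agent":"constructed-ua/1.0","http_method":"GET","status":200}}',
    '{"timestamp":"2021-01-01T00:00:01.000000+0000","event_type":"alert","src_ip":"185.118.164.8","src_port":80,"dest_ip":"10.0.0.5","dest_port":49812,"proto":"TCP","alert":{"action":"allowed","signature_id":1000002,"signature":"ET POLICY PE EXE or DLL Windows file download HTTP","category":"Potential Corporate Privacy Violation","severity":1},"http":{"hostname":"185.118.164.8","url":"/placeholder/gap1.cab","http_user_agent":"constructed-ua/1.0","http_method":"GET","status":200}}',
    '{"timestamp":"2021-01-01T00:00:02.000000+0000","event_type":"alert","src_ip":"10.0.0.5","src_port":49813,"dest_ip":"185.118.164.8","dest_port":80,"proto":"TCP","alert":{"action":"allowed","signature_id":1000003,"signature":"PLACEHOLDER Misc activity rule (constructed)","category":"Misc activity","severity":3}}',
    '{"timestamp":"2021-01-01T00:00:03.000000+0000","event_type":"http","src_ip":"10.0.0.5","src_port":49814,"dest_ip":"185.118.164.8","dest_port":80,"proto":"TCP","http":{"hostname":"185.118.164.8","url":"/","http_user_agent":"constructed-ua/1.0","http_method":"GET","status":404}}',
])


def parse_eve(text):
    """Return only the event_type == "alert" records from eve.json text."""
    alerts = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        record = json.loads(line)
        if record.get("event_type") == "alert":
            alerts.append(record)
    return alerts


def categories_by_peer(alerts):
    """Same grouping as the Brim query: the set of alert categories per
    (src_ip, dest_ip) pair. Rules that match the server's response (the
    ET POLICY PE download rule) report the server as src_ip, so the same
    conversation can show up under two pairs."""
    grouped = defaultdict(set)
    for record in alerts:
        grouped[(record["src_ip"], record["dest_ip"])].add(record["alert"]["category"])
    return {peer: sorted(categories) for peer, categories in grouped.items()}


def signatures_for_category(alerts, category):
    """The rule signature(s) behind one alert category."""
    return {r["alert"]["signature"] for r in alerts if r["alert"]["category"] == category}


def public_ips(alerts):
    """Non-private addresses on either side of any alert: the external host
    that triggered the alerts, whichever column it sits in."""
    seen = set()
    for record in alerts:
        for key in ("src_ip", "dest_ip"):
            if not ipaddress.ip_address(record[key]).is_private:
                seen.add(record[key])
    return sorted(seen)


def defang(indicator):
    """Defang an IP, domain or URI for reporting."""
    return (indicator.replace("http://", "hxxp://")
                     .replace("https://", "hxxps://")
                     .replace(".", "[.]"))


def http_artifacts(alerts):
    """Full request URI and User-Agent for alerts carrying HTTP metadata.
    Assumes plain http:// (port 80); eve output has hostname and path only."""
    artifacts = []
    for record in alerts:
        http = record.get("http")
        if not http:
            continue
        uri = "http://" + http["hostname"] + http["url"]
        artifacts.append({
            "signature": record["alert"]["signature"],
            "uri": uri,
            "uri_defanged": defang(uri),
            "user_agent": http.get("http_user_agent"),
        })
    return artifacts


if __name__ == "__main__":
    alerts = parse_eve(SAMPLE_EVE)
    for peer, categories in categories_by_peer(alerts).items():
        print(peer, categories)
    for category in ("A Network Trojan was Detected", "Potential Corporate Privacy Violation"):
        print(category, "->", signatures_for_category(alerts, category))
    print("external IP(s):", [defang(ip) for ip in public_ips(alerts)])
    for art in http_artifacts(alerts):
        print(art["uri_defanged"], art["user_agent"])
```

Run it against a real eve.json by replacing SAMPLE_EVE with the file contents; the direction caveat in categories_by_peer is why the external IP is collected from both columns rather than read off src_ip alone.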
With NetworkMiner (Network Forensics)
- Provide the full URI for the malicious downloaded file. In your answer, defang the URI.
File correlation with Brim:
Getting the full URI with Wireshark and looking at the downloaded files (File > Export Objects > HTTP):
Looking at the response packet:
Answer:
- What is the name of the payload within the cab file?
Go to Wireshark and save the gap1.cab file locally (File > Export Objects > HTTP):
Get the SHA-256 hash of the file:
Look the hash up on VirusTotal for more info:
- Answer: draw.dll
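The cabinet can also be triaged locally before (or instead of) a VirusTotal lookup, which matters when the sample is not yet known there. The following is an added example, not code from the write-up: it hashes the exported file and lists the names in the CAB's CFFILE table without extracting anything. Since the real gap1.cab is not on the page, the sample cabinet bytes are constructed (a valid CFHEADER, one CFFOLDER and one CFFILE entry named draw.dll, with no data blocks).

```python
import hashlib
import struct
import sys

# MS-CAB on-disk structures (little-endian)
CFHEADER = "<4sIIIIIBBHHHHH"  # signature, reserved1, cbCabinet, reserved2, coffFiles, reserved3,
                              # versionMinor, versionMajor, cFolders, cFiles, flags, setID, iCabinet
CFFOLDER = "<IHH"             # coffCabStart, cCFData, typeCompress
CFFILE = "<IIHHHH"            # cbFile, uoffFolderStart, iFolder, date, time, attribs, then szName\0
A_NAME_IS_UTF = 0x80          # attribs bit: szName is UTF-8 rather than the local code page


def build_sample_cab(names):
    """Constructed test data only: a valid CFHEADER, one CFFOLDER and one
    CFFILE entry per name, with no CFDATA blocks (so nothing to extract)."""
    entries = b"".join(struct.pack(CFFILE, 0, 0, 0, 0, 0, 0x20) + n.encode() + b"\x00"
                       for n in names)
    coff_files = struct.calcsize(CFHEADER) + struct.calcsize(CFFOLDER)
    cb_cabinet = coff_files + len(entries)
    header = struct.pack(CFHEADER, b"MSCF", 0, cb_cabinet, 0, coff_files, 0,
                         3, 1, 1, len(names), 0, 0, 0)
    folder = struct.pack(CFFOLDER, cb_cabinet, 0, 0)
    return header + folder + entries


def list_cab_files(data):
    """Walk the CFFILE table and return (name, size) for each contained file."""
    if len(data) < struct.calcsize(CFHEADER) or data[:4] != b"MSCF":
        raise ValueError("not a cabinet: MSCF header missing")
    fields = struct.unpack_from(CFHEADER, data, 0)
    cb_cabinet, coff_files, c_files = fields[2], fields[4], fields[9]
    if len(data) < cb_cabinet:
        # A partial HTTP object export (incomplete stream in the pcap) is the usual cause.
        raise ValueError(f"truncated cabinet: header says {cb_cabinet} bytes, have {len(data)}")
    entries = []
    offset = coff_files
    for _ in range(c_files):
        cb_file, _uoff, _ifolder, _date, _time, attribs = struct.unpack_from(CFFILE, data, offset)
        offset += struct.calcsize(CFFILE)
        end = data.find(b"\x00", offset)
        if end < 0:
            raise ValueError("truncated CFFILE name")
        name = data[offset:end].decode("utf-8" if attribs & A_NAME_IS_UTF else "cp1252")
        entries.append((name, cb_file))
        offset = end + 1
    return entries


def sha256_hex(data):
    """Hash to pivot on in VirusTotal or a sandbox."""
    return hashlib.sha256(data).hexdigest()


def triage_cab(data):
    """Everything worth knowing before the archive is opened anywhere."""
    return {"sha256": sha256_hex(data), "size": len(data), "files": list_cab_files(data)}


if __name__ == "__main__":
    # Pass the exported gap1.cab path to triage the real file; with no
    # argument the constructed sample cabinet is used instead.
    if len(sys.argv) > 1:
        with open(sys.argv[1], "rb") as fh:
            blob = fh.read()
    else:
        blob = build_sample_cab(["draw.dll"])
    print(triage_cab(blob))
```

The truncation check is the part worth keeping: an HTTP object exported from a capture that missed the end of the stream still starts with MSCF and still hashes, but that hash will never match VirusTotal, and the payload name may be unreadable if the cut fell inside the CFFILE table.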
- What is the user-agent associated with this network traffic?
It is available in the notice, files and http Zeek logs:
From the notice path:
From the files path:
From the http path:
- What other domains do you see in the network traffic that are labelled as malicious by VirusTotal? Enter the domains defanged and in alphabetical order. (format: domain[.]zzz,domain[.]zzz)
False Negatives:
- There are IP addresses flagged as Not Suspicious Traffic. What are the IP addresses? Enter your answer in numerical order and defanged. (format: IPADDR,IPADDR)
- Answer: 64[.]225[.]65[.]166,142[.]93[.]211[.]176
- For the first IP address flagged as Not Suspicious Traffic: according to VirusTotal, several domains associated with this one IP address are flagged as malicious. What were the domains you spotted in the network traffic associated with this IP address? Enter your answer in alphabetical order, in a defanged format. (format: domain[.]zzz,domain[.]zzz,etc)
- Answer:
- [safebanktest[.]top](https://www.virustotal.com/gui/domain/safebanktest[.]top)
- [tocsicambar[.]xyz](https://www.virustotal.com/gui/domain/tocsicambar[.]xyz)
- [ulcertification[.]xyz](https://www.virustotal.com/gui/domain/ulcertification[.]xyz)
- Now for the second IP marked as Not Suspicious Traffic. What was the domain you spotted in the network traffic associated with this IP address? Enter your answer in a defanged format. (format: domain[.]zzz)
Hint: Use NetworkMiner
- Answer: partscow[.]top