We covered Brim, an open-source packet and log analyzer. Brim has powerful features that make it ideal for large packet capture files: a GUI combined with a powerful search engine and query system. We also covered two practical scenarios in which we used Brim to investigate a malware infection and crypto mining activity. This was part of the TryHackMe Brim room in the SOC Level 1 pathway.
Learn and practice log investigation, pcap analysis and threat hunting with Brim.
Brim is an open-source desktop application that processes pcap files and log files, with a primary focus on search and analytics. It uses the Zeek log format. It also supports Zeek signatures and Suricata rules for detection.
It can handle two types of data as input:
- Packet Capture Files: Pcap files created with tcpdump, tshark and Wireshark like applications.
- Log Files: Structured log files like Zeek logs.
Brim is built on open-source platforms:
- Zeek: Log generating engine.
- Zed Language: Log querying language that allows performing keyword searches with filters and pipelines.
- ZNG Data Format: Data storage format that supports saving data streams.
- Electron and React: Cross-platform UI.
We mentioned that Brim had 12 premade queries in the previous task. Let’s see them in action! Now, open Brim, import the sample pcap and go through the walkthrough.
Reviewing Overall Activity
This query provides general information on the pcap file. The provided information is valuable for accomplishing further investigation and creating custom queries. It is impossible to create advanced or case-specific queries without knowing the available log files.
Windows Specific Networking Activity
This query focuses on Windows networking activity and details the source and destination addresses as well as named pipe, endpoint and operation detection. The provided information helps investigate and understand specific Windows events like SMB enumeration, logins and service exploitation.
Unique Network Connections and Transferred Data
These two queries provide information on unique connections and connection-data correlation. The provided info helps analysts detect anomalous and malicious connections as well as suspicious and beaconing activity. The uniq list provides a clear list of unique connections that helps identify anomalies. The data list summarises the volume of data transferred per connection, which supports or refutes the anomaly hypothesis.
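To make the two queries concrete outside the Brim UI, here is an added Python example (written for this write-up, not code from Brim, Zeek or TryHackMe) that performs the same aggregation over Zeek's TSV conn.log: it builds the list of unique connections, sums transferred bytes per connection, and lists the time gaps between sessions of the same connection, which is the raw material for a beaconing hypothesis. The conn.log excerpt embedded below is constructed sample data; the field names are Zeek's standard conn.log columns.

```python
"""Aggregate Zeek conn.log records the way Brim's "Unique Network Connections"
and "Transferred Data" queries do. Example code added for this write-up;
not part of Brim or Zeek. SAMPLE_CONN_LOG is constructed sample data."""
from collections import defaultdict

# Constructed Zeek TSV conn.log excerpt. A real file also carries
# #set_separator, #empty_field, #unset_field, #path, #open and #types headers;
# only the #fields header matters for this parser.
SAMPLE_CONN_LOG = """#separator \\x09
#fields\tts\tuid\tid.orig_h\tid.orig_p\tid.resp_h\tid.resp_p\tproto\tservice\tduration\torig_bytes\tresp_bytes
1616086234.12\tCab1\t10.0.0.5\t49211\t203.0.113.7\t443\ttcp\tssl\t1.2\t512\t4096
1616086294.45\tCab2\t10.0.0.5\t49212\t203.0.113.7\t443\ttcp\tssl\t1.1\t510\t4100
1616086354.77\tCab3\t10.0.0.5\t49213\t203.0.113.7\t443\ttcp\tssl\t1.3\t515\t4090
1616086300.00\tCab4\t10.0.0.9\t53122\t192.0.2.53\t53\tudp\tdns\t0.01\t60\t-
#close\t2021-03-18-18-00-00
"""


def parse_zeek_tsv(text):
    """Yield one dict per record from a Zeek TSV log, taking column names from
    the #fields header. Zeek writes '-' for unset values; map those to None."""
    fields = None
    for line in text.splitlines():
        if not line:
            continue
        if line.startswith("#"):
            if line.startswith("#fields\t"):
                fields = line.split("\t")[1:]
            continue
        if fields is None:
            raise ValueError("record encountered before #fields header")
        values = line.split("\t")
        yield {k: (None if v == "-" else v) for k, v in zip(fields, values)}


def unique_connections(records):
    """Equivalent of the uniq list: distinct (orig_h, resp_h, resp_p, proto)."""
    seen = {(r["id.orig_h"], r["id.resp_h"], int(r["id.resp_p"]), r["proto"])
            for r in records}
    return sorted(seen)


def transferred_data(records):
    """Equivalent of the data list: sessions and bytes per connection tuple."""
    totals = defaultdict(lambda: {"sessions": 0, "orig_bytes": 0, "resp_bytes": 0})
    for r in records:
        key = (r["id.orig_h"], r["id.resp_h"], int(r["id.resp_p"]))
        t = totals[key]
        t["sessions"] += 1
        t["orig_bytes"] += int(r["orig_bytes"] or 0)
        t["resp_bytes"] += int(r["resp_bytes"] or 0)
    return dict(totals)


def session_gaps(records):
    """Seconds between successive sessions of the same connection tuple.
    Near-constant gaps are the classic hint of a beacon; a single session
    yields an empty list, since one data point says nothing about cadence."""
    by_key = defaultdict(list)
    for r in records:
        key = (r["id.orig_h"], r["id.resp_h"], int(r["id.resp_p"]))
        by_key[key].append(float(r["ts"]))
    gaps = {}
    for key, stamps in by_key.items():
        stamps.sort()
        gaps[key] = [round(b - a, 2) for a, b in zip(stamps, stamps[1:])]
    return gaps


if __name__ == "__main__":
    recs = list(parse_zeek_tsv(SAMPLE_CONN_LOG))
    for conn in unique_connections(recs):
        print("unique:", conn)
    for key, t in transferred_data(recs).items():
        print("data:", key, t)
    for key, g in session_gaps(recs).items():
        print("gaps:", key, g)
```

Run against a real conn.log exported from Brim or produced by Zeek, the three functions reproduce the two premade queries; the 443 tuple in the sample shows three sessions about 60 seconds apart with near-identical byte counts, which is exactly the pattern the data list is meant to surface.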
Look at the details of the first NTP log that appears on the dashboard. What is the “duration” value?
Look at the details of the STATS packet log that is visible on the dashboard. What is the “reassem_tcp_size” value?
Investigate the conn logfile. What is the number of the identified city names?
Investigate the Suricata alerts. What is the Signature id of the alert category “Potential Corporate Privacy Violation”?
What is the number of CobaltStrike connections using port 443?
There is an additional C2 channel used in the given case. What is the name of the secondary C2 channel?