We covered Brim, an open source packet capture and log analyzer. Brim works well on large packet capture files because, when a pcap is imported, it runs Zeek to convert the traffic into structured logs (conn, dns, files, ntp, and so on) and Suricata to generate alerts, then exposes both through a GUI with a search and query system for filtering and aggregating the records. We also covered two practical scenarios in which we used Brim to investigate a malware infection and crypto mining activity. This was part of the Brim room in the TryHackMe SOC Level 1 pathway.

Challenge Description

Learn and practice log investigation, pcap analysis and threat hunting with Brim.

Room Answers

Process the “sample.pcap” file and look at the details of the first DNS log that appears on the dashboard. What is the “qclass_name”?

Look at the details of the first NTP log that appears on the dashboard. What is the “duration” value?

Look at the details of the STATS packet log that is visible on the dashboard. What is the “reassem_tcp_size”?

Investigate the files. What is the name of the detected GIF file?

Investigate the conn log file. What is the number of identified city names?

Investigate the Suricata alerts. What is the Signature id of the alert category “Potential Corporate Privacy Violation”?

What is the name of the file downloaded from the CobaltStrike C2 connection?

What is the number of CobaltStrike connections using port 443?

There is an additional C2 channel in use in the given case. What is the name of the secondary C2 channel?

How many connections used port 19999?

What is the name of the service used by port 6666?

What is the total number of bytes transferred to “101.201.172.235:8888”?

What is the detected MITRE tactic id?
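
Several of these questions are answered in Brim with an aggregation over the Zeek conn records or the Suricata alerts (connections per responder port, the service Zeek labelled on a port, total bytes to a host:port pair, distinct GeoIP cities, signature ids per alert category). As an added worked example that is not from the room or from the Brim project, the Python script below reproduces those aggregations over a few constructed records so the logic can be checked offline. The records, addresses and signature ids are made up; they are not the data in sample.pcap. Field names follow Zeek's JSON conn.log output (id.resp_h, id.resp_p, orig_bytes, resp_bytes, service) and Suricata's EVE alert format (alert.category, alert.signature_id); the geo.resp.city field is assumed to match the GeoIP enrichment Brim adds to conn records. In Brim itself the same work is done with queries of the form `_path=="conn" | count() by id.resp_p` in the query bar (check the syntax against your Brim version).

```python
"""Aggregations over Zeek conn records and Suricata alerts, as Brim does them.

Constructed sample data only: nothing below comes from the room's sample.pcap.
"""
import json
from collections import Counter, defaultdict

# Constructed Zeek conn records in the JSON shape Brim shows (one per line).
# "geo" is assumed to be the GeoIP enrichment Brim attaches to conn records.
CONN_LOG = """\
{"_path":"conn","uid":"C1","id.orig_h":"10.0.0.5","id.orig_p":51000,"id.resp_h":"203.0.113.10","id.resp_p":443,"proto":"tcp","service":"ssl","orig_bytes":1200,"resp_bytes":34000,"geo":{"resp":{"city":"Amsterdam"}}}
{"_path":"conn","uid":"C2","id.orig_h":"10.0.0.5","id.orig_p":51001,"id.resp_h":"203.0.113.10","id.resp_p":443,"proto":"tcp","service":"ssl","orig_bytes":900,"resp_bytes":2100,"geo":{"resp":{"city":"Amsterdam"}}}
{"_path":"conn","uid":"C3","id.orig_h":"10.0.0.5","id.orig_p":51002,"id.resp_h":"198.51.100.7","id.resp_p":19999,"proto":"tcp","orig_bytes":300,"resp_bytes":0,"geo":{"resp":{"city":"Frankfurt"}}}
{"_path":"conn","uid":"C4","id.orig_h":"10.0.0.5","id.orig_p":51003,"id.resp_h":"198.51.100.7","id.resp_p":6666,"proto":"tcp","service":"irc","orig_bytes":150,"resp_bytes":80,"geo":{"resp":{"city":"Frankfurt"}}}
{"_path":"conn","uid":"C5","id.orig_h":"10.0.0.5","id.orig_p":51004,"id.resp_h":"192.0.2.9","id.resp_p":8888,"proto":"tcp","service":"http","orig_bytes":500,"resp_bytes":12000,"geo":{"resp":{"city":"Singapore"}}}
{"_path":"conn","uid":"C6","id.orig_h":"10.0.0.5","id.orig_p":51005,"id.resp_h":"192.0.2.9","id.resp_p":8888,"proto":"tcp","service":"http","orig_bytes":250,"resp_bytes":750,"geo":{"resp":{"city":"Singapore"}}}
"""

# Constructed Suricata EVE alert records; the signature ids are made up.
ALERT_LOG = """\
{"event_type":"alert","src_ip":"10.0.0.5","dest_ip":"203.0.113.10","dest_port":443,"alert":{"signature_id":9000001,"category":"Malware Command and Control Activity Detected","signature":"constructed C2 rule"}}
{"event_type":"alert","src_ip":"10.0.0.5","dest_ip":"192.0.2.9","dest_port":8888,"alert":{"signature_id":9000002,"category":"Potential Corporate Privacy Violation","signature":"constructed mining-pool rule"}}
{"event_type":"alert","src_ip":"10.0.0.5","dest_ip":"192.0.2.9","dest_port":8888,"alert":{"signature_id":9000002,"category":"Potential Corporate Privacy Violation","signature":"constructed mining-pool rule"}}
"""


def parse_ndjson(text):
    """Parse newline-delimited JSON into a list of dicts, skipping blank lines."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def count_by_resp_port(conns):
    """Number of connections per responder port (count() by id.resp_p)."""
    return Counter(r["id.resp_p"] for r in conns)


def services_on_port(conns, port):
    """Service labels Zeek assigned to connections on a responder port.
    Zeek omits the field when it could not identify the protocol."""
    return sorted({r.get("service", "-") for r in conns if r["id.resp_p"] == port})


def total_bytes_to(conns, host, port):
    """Bytes in both directions to host:port (orig_bytes + resp_bytes)."""
    return sum(r["orig_bytes"] + r["resp_bytes"]
               for r in conns if r["id.resp_h"] == host and r["id.resp_p"] == port)


def resp_cities(conns):
    """Distinct responder-side GeoIP city names present in the conn records."""
    cities = set()
    for r in conns:
        city = r.get("geo", {}).get("resp", {}).get("city")
        if city:
            cities.add(city)
    return sorted(cities)


def signature_ids_by_category(alerts):
    """Map each Suricata alert category to the sorted signature ids seen in it."""
    out = defaultdict(set)
    for a in alerts:
        if a.get("event_type") == "alert":
            out[a["alert"]["category"]].add(a["alert"]["signature_id"])
    return {cat: sorted(ids) for cat, ids in out.items()}


CONNS = parse_ndjson(CONN_LOG)
ALERTS = parse_ndjson(ALERT_LOG)

if __name__ == "__main__":
    print("connections by responder port:", dict(count_by_resp_port(CONNS)))
    print("service on 6666:", services_on_port(CONNS, 6666))
    print("bytes to 192.0.2.9:8888:", total_bytes_to(CONNS, "192.0.2.9", 8888))
    print("cities:", resp_cities(CONNS))
    print("signature ids by category:", signature_ids_by_category(ALERTS))
```

The same questions asked against the real pcap are answered by running the equivalent aggregations in Brim and reading the values off the result table; the point of doing it by hand once is to see that "total bytes" means orig_bytes plus resp_bytes for the matching responder host and port, and that a "service" answer comes from Zeek's protocol detection rather than from the port number.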

Video Walkthrough

About the Author

Cybersecurity trainer with an MS in Cybersecurity. Expertise in the healthcare and finance industries. Penetration tester and compliance auditor.