TryHackMe: Brim Walkthrough (SOC Level 1)

Welcome to this walkthrough of the Brim Room on TryHackMe. In this room we look at Brim, yet another pcap analysis tool. Brim is an open-source desktop application that processes pcap files and log files. Its primary focus is providing search and analytics.

Brim Room Banner

https://tryhackme.com/room/brim

I am making these walkthroughs to keep myself motivated to learn cyber security, and to ensure that I remember the knowledge gained from these challenges on HTB and THM. Join me in learning cyber security. I will try to explain concepts as I go, to differentiate myself from other walkthroughs.

Now, let’s move on!


Task 1: Introduction

BRIM is an open-source desktop application that processes pcap files and log files. Its primary focus is providing search and analytics. In this room, you will learn how to use Brim, process pcap files and investigate log files to find the needle in the haystack! This room expects you to be familiar with basic security concepts and with processing Zeek log files. We suggest completing the “Network Fundamentals” path and the “Zeek room” before starting this room.

Questions

Read the task above.

Answer: No answer needed


Task 2: What is Brim?

Brim is an open-source desktop application designed for efficient processing and analysis of pcap and log files, using Zeek logs and Suricata rules for detection. It supports:

  • Packet Capture Files (pcap) from tools like tcpdump, Wireshark, and tshark.
  • Log Files such as structured Zeek logs.

Brim simplifies analyzing large pcaps (over 1GB) by providing a fast, GUI-based alternative to Wireshark and Zeek, reducing manual processing effort.

Comparison with Wireshark & Zeek:

  • Best for: Investigating large pcaps and correlating logs.
  • GUI: Available (unlike Zeek).
  • Sniffing: Not supported (unlike Wireshark & Zeek).
  • Pcap processing & filtering: Supported by all.
  • Log processing & signature detection: Supported by Brim & Zeek (not Wireshark).
  • Handling large pcaps: Better than Wireshark but less efficient than Zeek.

Brim is ideal for medium-to-large pcap analysis, where Wireshark is best for packet-level inspection and Zeek excels at event correlation and scripting.

So in essence, Brim is a bit easier to work with because of its GUI, but it has limited packet-level uses and cannot handle very large pcaps as well as Zeek does.

Questions

Read the task above.

Answer: No answer needed


Task 3: The Basics

Here is a brief summary of the room, but take a look at TryHackMe for full coverage of the basics.

Brim’s landing page provides an interface for importing files and accessing three key sections: Pools, Queries, and History.

  • Pools represent imported files (e.g., pcap logs) that Brim processes into Zeek logs. Users can view logs in a timeline, hover for details, and export results.
  • Log Correlation allows users to track relationships between log entries, filter values, count fields, sort data, perform whois lookups, and open packets in Wireshark.
  • Queries & History help users analyze data efficiently. The query library offers predefined and custom queries that can be executed and tracked under the History tab.

Brim includes 12 premade queries and enables users to add new ones for streamlined investigations.

Questions

Process the “sample.pcap” file and look at the details of the first DNS log that appears on the dashboard. What is the “qclass_name”?

Start up Brim, and import the sample.pcap file by pressing the Choose Files button in the middle of the screen.

Loading pcap file

Select the pcap file and it will get loaded. You should see the following screen:

Sample pcap file loaded

We can look at the details by right-clicking on the first DNS log entry (look for the blue dns tag) and then pressing Open details.

qclass_name of DNS log entry

Look in the Log Details panel on the right, and you should see the qclass_name value: C_INTERNET.

Answer: C_INTERNET

Look at the details of the first NTP log that appears on the dashboard. What is the “duration” value?

Click on the first NTP log (light grey ntp tag). If your Log Details panel is still open, you should be able to see the duration at the bottom of it. If you closed it, right-click the log and press Open details once more.

NTP Duration

The answer is 0.005 seconds.

Answer: 0.005

Look at the details of the STATS packet log that is visible on the dashboard. What is the “reassem_tcp_size”?

As before, find the first STATS packet log (green tag) and look in the Log Details for the reassem_tcp_size.

reassem_tcp_size

You should see the answer: 540.

Answer: 540


Task 4: Default Queries

Brim provides 12 premade queries to analyze network activity from a pcap file efficiently. These queries help analysts detect anomalies, investigate threats, and create custom queries based on available log data.
The queries cover these areas:

  1. Overall Activity – Summarizes log data to understand available information before deeper analysis.
  2. Windows Networking Activity – Focuses on Windows-specific events like SMB enumeration, logins, and service exploits.
  3. Unique Network Connections & Data Transfer – Identifies unique connections and correlates them with data transfer to detect suspicious activity.
  4. DNS & HTTP Methods – Lists DNS queries and HTTP methods, helping detect anomalies in web traffic.
  5. File Activity – Tracks file interactions, including MIME types, names, and hash values, to detect data leaks.
  6. IP Subnet Statistics – Identifies subnet communications to detect unusual external connections.
  7. Suricata Alerts – Uses Suricata rules to highlight potential threats, categorized by source, destination, and subnet.

Questions

Investigate the files. What is the name of the detected GIF file?

Open the task4-sample-b.pcap file in Brim.

Since we are talking about a GIF file, we can probably use the default Brim query called File Activity. Select it on the left Queries menu.

File Activity Query

You should see two frames, and one of them corresponds to a gif file. This file is called cat01_with_hidden_text.gif.

Answer: cat01_with_hidden_text.gif

Investigate the conn logfile. What is the number of the identified city names?

OK! This one is very confusing. Firstly, it does not mention that we have to switch back to the sample.pcap file. Secondly, it asks us about something we have not learned about yet.

Anyway, I found out that we have to use the sample.pcap file. But where does the connection log come from? Well, it is basically like our old friend Zeek: when Brim processes pcap files, it uses Zeek, so in the background it creates all those different log files that we learned about in the Zeek room. The conn log is one of Zeek’s default logs and contains network connection metadata.

To only show connection logs in Brim we need to add the following in the search input:

_path=="conn"

Brim reading conn log

This shows the connection log data. Have a look around and you should see the geo.orig.city field. Now we can use some CLI-style magic to find what we need. We continue by entering the following query:

_path=="conn" | cut geo.orig.city

This will only show the city field. But hey, we can even sort this field and remove all duplicate values (uniq -c also counts how often each value appears):

_path=="conn" | cut geo.resp.city | sort | uniq -c

Now we have found two unique cities:

Two unique cities found

Answer: 2

Investigate the Suricata alerts. What is the Signature id of the alert category “Potential Corporate Privacy Violation”?

Back to the task4-sample-b.pcap file again.

Simply press the Suricata Alerts by Category in the default Brim queries list.

Suricata Alerts by Category

Here we see the different alert categories. Now we just have to modify the query so that it also shows us the signature id. I added the alert.signature and alert.signature_id fields:

event_type=="alert" | count() by alert.severity,alert.category,alert.signature,alert.signature_id | sort count

Signature IDs

We can see that the relevant signature id is 2,012,887.

Answer: 2,012,887


Task 5: Use Cases

This task covers a variety of common analysis queries to use in Brim when you work as a security analyst.

  1. Identifying Communicated Hosts
    • Lists all active hosts on the network.
    • _path=="conn" | cut id.orig_h, id.resp_h | sort | uniq
  2. Detecting Frequent Communications
    • Identifies hosts communicating most often, useful for spotting exfiltration or backdoor activities.
    • _path=="conn" | cut id.orig_h, id.resp_h | sort | uniq -c | sort -r
  3. Investigating Active Ports
    • Helps uncover hidden activities by analyzing frequently used ports.
    • _path=="conn" | cut id.resp_p, service | sort | uniq -c | sort -r count
  4. Detecting Long Connections
    • Flags unusual persistent connections, which may indicate backdoors.
    • _path=="conn" | cut id.orig_h, id.resp_p, id.resp_h, duration | sort -r duration
  5. Analyzing Data Transfers
    • Helps identify possible data exfiltration or malware distribution.
    • _path=="conn" | put total_bytes := orig_bytes + resp_bytes | sort -r total_bytes | cut uid, id, orig_bytes, resp_bytes, total_bytes
  6. Monitoring DNS & HTTP Queries
    • Detects suspicious domain requests, useful for spotting C2 communications.
    • _path=="dns" | count() by query | sort -r
    • _path=="http" | count() by uri | sort -r
  7. Identifying Suspicious IPs and Hostnames
    • Investigates rogue devices and out-of-ordinary connections.
    • _path=="dhcp" | cut host_name, domain
    • _path=="conn" | put classnet := network_of(id.resp_h) | cut classnet | count() by classnet | sort -r
  8. Detecting File Transfers
    • Investigates suspicious file movements, including malware and sensitive data.
    • filename!=null
  9. Analyzing SMB Activity
    • Examines potential lateral movement and malicious file sharing.
    • _path=="dce_rpc" OR _path=="smb_mapping" OR _path=="smb_files"
  10. Reviewing Security Alerts
    • Correlates logs from IDS/IPS solutions like Zeek or Suricata.
    • event_type=="alert" or _path=="notice" or _path=="signatures"

This structured approach helps security analysts quickly identify and respond to threats using Brim’s powerful filtering and search capabilities.
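To show what these ZQL pipelines actually compute, here is a small Python script added to this walkthrough (it is not part of Brim, Zeek or the TryHackMe room) that runs the same analyses over Zeek logs in the JSON-lines form Brim ingests. The input records are constructed sample values, not data from the room’s pcaps, and the field names follow Zeek’s conn.log and dns.log output; one assumption worth noting is that a missing byte counter (which Zeek leaves unset when it saw no payload in that direction) is treated as 0, so the connection is not dropped from the total_bytes ranking.

```python
"""Re-implementation of the Brim use-case queries over Zeek JSON logs.

Example code added to this walkthrough; not part of Brim, Zeek or the room.
Each function mirrors one ZQL pipeline: filter on _path, cut fields, count, sort.
"""
import json
from collections import Counter
from typing import Any, Dict, List, Tuple

# Constructed sample records (not data from the room's pcaps). "orig_bytes": null
# models a connection where Zeek never saw originator payload.
SAMPLE_LOG_JSON = """
{"_path":"conn","uid":"C1","id.orig_h":"10.0.0.5","id.orig_p":51000,"id.resp_h":"203.0.113.10","id.resp_p":443,"service":"ssl","duration":1200.5,"orig_bytes":5000,"resp_bytes":12000}
{"_path":"conn","uid":"C2","id.orig_h":"10.0.0.5","id.orig_p":51001,"id.resp_h":"203.0.113.10","id.resp_p":443,"service":"ssl","duration":0.8,"orig_bytes":300,"resp_bytes":700}
{"_path":"conn","uid":"C3","id.orig_h":"10.0.0.7","id.orig_p":40000,"id.resp_h":"198.51.100.2","id.resp_p":53,"service":"dns","duration":0.01,"orig_bytes":60,"resp_bytes":120}
{"_path":"conn","uid":"C4","id.orig_h":"10.0.0.5","id.orig_p":51002,"id.resp_h":"203.0.113.10","id.resp_p":443,"service":"ssl","duration":3.2,"orig_bytes":null,"resp_bytes":400}
{"_path":"dns","uid":"C5","id.orig_h":"10.0.0.7","id.resp_h":"198.51.100.2","query":"example.test"}
{"_path":"dns","uid":"C6","id.orig_h":"10.0.0.7","id.resp_h":"198.51.100.2","query":"example.test"}
"""

Record = Dict[str, Any]


def load_records(text: str) -> List[Record]:
    """Parse one JSON object per line, skipping blank lines."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def conn_only(records: List[Record]) -> List[Record]:
    # _path=="conn"
    return [r for r in records if r.get("_path") == "conn"]


def activity_overview(records: List[Record]) -> List[Tuple[str, int]]:
    # count() by _path | sort -r
    return Counter(r["_path"] for r in records).most_common()


def frequent_host_pairs(records: List[Record]) -> List[Tuple[Tuple[str, str], int]]:
    # _path=="conn" | cut id.orig_h, id.resp_h | sort | uniq -c | sort -r
    return Counter((r["id.orig_h"], r["id.resp_h"]) for r in conn_only(records)).most_common()


def active_ports(records: List[Record]) -> List[Tuple[Tuple[int, Any], int]]:
    # _path=="conn" | cut id.resp_p, service | sort | uniq -c | sort -r count
    return Counter((r["id.resp_p"], r.get("service")) for r in conn_only(records)).most_common()


def long_connections(records: List[Record], top: int = 3) -> List[Tuple[str, int, str, float]]:
    # _path=="conn" | cut id.orig_h, id.resp_p, id.resp_h, duration | sort -r duration
    conns = sorted(conn_only(records), key=lambda r: r.get("duration") or 0.0, reverse=True)
    return [(r["id.orig_h"], r["id.resp_p"], r["id.resp_h"], r["duration"]) for r in conns[:top]]


def data_transfers(records: List[Record]) -> List[Tuple[str, str, str, int, int, int]]:
    # _path=="conn" | put total_bytes := orig_bytes + resp_bytes | sort -r total_bytes
    #   | cut uid, id, orig_bytes, resp_bytes, total_bytes
    # Assumption: an unset byte counter counts as 0 rather than nulling the sum.
    rows = []
    for r in conn_only(records):
        orig = r.get("orig_bytes") or 0
        resp = r.get("resp_bytes") or 0
        rows.append((r["uid"], r["id.orig_h"], r["id.resp_h"], orig, resp, orig + resp))
    return sorted(rows, key=lambda row: row[5], reverse=True)


def count_connections_to(records: List[Record], host: str, port: int) -> int:
    # _path=="conn" and id.resp_h==<host> and id.resp_p==<port> | count()
    return sum(1 for r in conn_only(records) if r["id.resp_h"] == host and r["id.resp_p"] == port)


def dns_query_counts(records: List[Record]) -> List[Tuple[str, int]]:
    # _path=="dns" | count() by query | sort -r
    return Counter(r["query"] for r in records if r.get("_path") == "dns").most_common()


if __name__ == "__main__":
    recs = load_records(SAMPLE_LOG_JSON)
    print("overview:", activity_overview(recs))
    print("host pairs:", frequent_host_pairs(recs))
    print("ports:", active_ports(recs))
    print("longest:", long_connections(recs, top=1))
    print("transfers:", data_transfers(recs))
    print("to 203.0.113.10:443:", count_connections_to(recs, "203.0.113.10", 443))
    print("dns:", dns_query_counts(recs))
```

Running the script prints the same rankings the Brim queries would show for this input: the host pair 10.0.0.5 to 203.0.113.10 with three connections, port 443/ssl as the busiest port, uid C1 as both the longest connection and the largest transfer, and a count of three connections to 203.0.113.10:443.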

Questions

Read the task above.

Answer: No answer needed.


Task 6: Exercise: Threat Hunting with Brim | Malware C2 Detection

It is just another malware campaign spread with CobaltStrike. We know an employee clicked on a link and downloaded a file, and that network speed issues and anomalous traffic activity arose afterwards. Now, open Brim, import the sample pcap and go through the walkthrough.

With that out of the way, I won’t cover the theory here, as we will be going through most of the mentioned analyses while discussing the questions. Let’s go!

Questions

What is the name of the file downloaded from the CobaltStrike C2 connection?

Open up the task6-malware-c2.pcap file in Brim.

Let’s start by looking at the Activity overview, which can be run by clicking on the default Brim query or by entering the following in the query input field:

count() by _path | sort -r

Activity overview

We can see that there are many different log files to look at.

Now let’s look at the frequently communicated hosts:

cut id.orig_h, id.resp_p, id.resp_h | sort | uniq -c | sort -r count

Frequently communicated hosts

As you can see there is a lot of communication going from 10.22.5.47 to 104.168.44.45.

We can also look at the most commonly seen ports:

_path=="conn" | cut id.resp_p, service | sort | uniq -c | sort -r count

Most common ports

This seems pretty normal, I guess? But there is a lot of DNS traffic.

We can take a closer look at these by running the following query (or select the Unique DNS Queries default Brim query):

_path=="dns" | count() by query | sort -r

DNS log info

Those are some weird looking domains!

We can get VirusTotal info by right-clicking a domain and pressing VirusTotal Lookup.

Unfortunately the VM has no internet connection, but it should be safe to check it on your own PC 🙂

https://www.virustotal.com/gui/domain/hashingold.top/relations

Hashingold.top info

Definitely a malicious domain, I think. There is a list of IP addresses the domain name resolves to, which we can read under Passive DNS Replication.

And hey! If you look at some of these, for example 45.147.228.138, it is included in the DNS log we looked at before. The same IP is also visible for one of the other domains, ouldmakeithapp.top:

https://www.virustotal.com/gui/search/ouldmakeithapp.top

Let’s move on, and have a look at the HTTP requests:

_path=="http" | cut id.orig_h, id.resp_h, id.resp_p, method, host, uri | uniq -c | sort value.uri

Here we see a suspicious file download, coming from the IP address we found at the beginning of the exercise (104.168.44.45):

Suspicious download

Great, we have the answer: 4564.exe.

Answer: 4564.exe

What is the number of CobaltStrike connections using port 443?

According to the THM room creator, these findings (the file and the IP addresses) are associated with CobaltStrike, and they represent C2 communication.

We can see more by looking at the Suricata logs:

event_type=="alert" | count() by alert.severity,alert.category | sort count

Suricata logs

This also shows that Suricata has raised alerts on the malicious activity.

Now, to answer the question on the number of CobaltStrike connections, we need to go back to investigating the IP address from which the .exe file was downloaded:

https://www.virustotal.com/gui/ip-address/104.168.44.45

Indeed, the IP is considered suspicious and related to CobaltStrike, as mentioned under Relations.

To find out how many connections go to this IP address on port 443, we can use the following query in Brim:

_path=="conn" and id.resp_h==104.168.44.45 and id.resp_p==443 | count()

The answer is 328.

Number of cobalt strike connections

Answer: 328

There is an additional C2 channel in use in the given case. What is the name of the secondary C2 channel?

Let’s have another look at the VirusTotal page on the suspicious IP:

https://www.virustotal.com/gui/ip-address/104.168.44.45

VirusTotal info

Here, under Relations, you will see 2022-01-12-IOCs-for-IcedID-with-Cobalt-Strike-and-DarkVNC.txt being mentioned.

Furthermore, if we look at the signatures from the Suricata logs again:

event_type=="alert" | cut alert.signature | sort -r | uniq -c | sort -r count

Suricata alerts

IcedID is also mentioned in the second to last row.

This seems to be the secondary C2 channel. You can read more about it here:

https://attack.mitre.org/software/S0483

IcedID (also known as BokBot) can function as a secondary C2 channel in several ways. It often acts as an initial access broker for other malware, including Cobalt Strike, by providing a stealthy, persistent backdoor that attackers can use if their primary C2 is disrupted.

Answer: IcedID


Task 7: Exercise: Threat Hunting with Brim | Crypto Mining

Cryptocurrencies are frequently on the agenda with their constantly rising value and legal aspect. The ability to obtain cryptocurrencies by mining other than purchasing is becoming one of the biggest problems in today’s corporate environments.
Attackers not only compromise the systems and ask for a ransom, but sometimes they also install mining tools (cryptojacking). Other than the attackers and threat actors, sometimes internal threats and misuse of trust and privileges end up installing coin miners in the corporate environment.

Usually, mining cases are slightly different from traditional compromising activities. Internal attacks don’t typically contain major malware samples. However, this doesn’t mean they aren’t malicious as they are exploiting essential corporate resources like computing power, internet, and electricity.
Also, crypto mining activities require third party applications and tool installations which could be vulnerable or create backdoors. Lastly, mining activities are causing network performance and stability problems. Due to these known facts, coin mining is becoming one of the common use cases of threat hunters.

Questions

How many connections used port 19999?

Start up Brim, and load the task7-crypto-mine.pcapng file.

Let’s start by looking at the Activity Overview Brim query:

count() by _path | sort -r

Activity overview Crypto

Not a lot of different types of logs! Now let’s look at frequently communicated hosts:

cut id.orig_h, id.resp_p, id.resp_h | sort | uniq -c | sort -r

Frequently communicated hosts Crypto

There is a lot of traffic from IP 192.168.1.100 to a lot of different IP addresses.

Let’s look at the different destination ports:

_path=="conn" | cut id.resp_p, service | sort | uniq -c | sort -r count

Lots of unusual ports

Lots of unusual ports here.

We also find the answers to the first two questions here. There are 22 connections to port 19999 in the log.

Answer: 22

What is the name of the service used by port 6666?

This one we can also answer by looking at the previous screenshot: irc. IRC (Internet Relay Chat) is a text-based chat system for instant messaging, and quite a thing when I was young. Hah!

Answer: irc

What is the amount of transferred total bytes to “101.201.172.235:8888”?

Let’s move on and look at the total transferred bytes per connection:

_path=="conn" | put total_bytes := orig_bytes + resp_bytes | sort -r total_bytes | cut uid, id, orig_bytes, resp_bytes, total_bytes

Total transferred bytes

There is a LOT of traffic originating from the suspicious IP address. We have also found the answer to the current question, with the relevant entry highlighted in the above screenshot. The answer is 3,729.

Answer: 3,729

What is the detected MITRE tactic id?

We are nearly done. Let’s figure out the MITRE tactic id by having a look at the Suricata logs:

event_type=="alert" | count() by alert.severity,alert.category | sort count

Suricata alerts Crypto

Sure enough, Suricata has detected cryptocurrency mining activity.

We can even add the src_ip to the query:

Activity overview Crypto with IPs

There are lots of alerts on the connections from 192.168.1.100. We can look closer at the connections from 192.168.1.100 by using:

_path=="conn" | 192.168.1.100

Connections from the suspicious IP

Lots of connections to different destination IP addresses, and one of them is definitely suspicious:

https://www.virustotal.com/gui/ip-address/103.3.62.64/relations

Now, let’s focus on the final question. To use the Suricata logs to discover the mapped MITRE ATT&CK techniques, we can use the following query:

event_type=="alert" | cut alert.category, alert.metadata.mitre_technique_name, alert.metadata.mitre_technique_id, alert.metadata.mitre_tactic_name | sort | uniq -c

MITRE ATT&CK info

We have the tactic (Impact), and we can either google our way to the answer or update the query to include the tactic id.

Update the query to this:

event_type=="alert" | cut alert.category, alert.metadata.mitre_technique_name, alert.metadata.mitre_technique_id, alert.metadata.mitre_tactic_name, alert.metadata.mitre_tactic_id | sort | uniq -c | sort value.alert.metadata.mitre_technique_name

But the answer is also found here:

https://attack.mitre.org/tactics/TA0040
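The Suricata-side queries used in Task 4 (finding the signature id behind an alert category) and here (pulling the ATT&CK tactic and technique out of the alert metadata) can be reproduced outside Brim with a few lines of Python over Suricata’s eve.json. The script below is example code added to this walkthrough; it is not part of Brim, Suricata or the TryHackMe room. The EVE lines are constructed sample data: the signature ids 9000001 and 9000002 and the signature texts are placeholders, while TA0040 (Impact) and T1496 (Resource Hijacking) are real ATT&CK identifiers used only as sample values. It also handles the case the Brim `cut` silently hides: alerts whose rule carries no ATT&CK metadata are shown with "-" rather than being dropped.

```python
"""Aggregating Suricata EVE alerts the way the walkthrough's Brim queries do.

Example code added to this walkthrough; not part of Brim, Suricata or the room.
Input is eve.json: one JSON object per line. Alerts carry an "alert" object
(severity, category, signature, signature_id) and, for rules tagged with ATT&CK
metadata, an "alert.metadata" object whose values are lists of strings.
"""
import json
from collections import Counter
from typing import Any, Dict, List, Tuple

# Constructed sample lines, not data from the room's pcaps. Signature ids and
# signature texts are placeholders; TA0040/T1496 are real ATT&CK ids used as
# sample values only.
SAMPLE_EVE_JSON = """
{"event_type":"alert","src_ip":"192.0.2.10","dest_ip":"203.0.113.5","alert":{"severity":1,"category":"Potential Corporate Privacy Violation","signature":"SAMPLE policy signature","signature_id":9000001,"metadata":{}}}
{"event_type":"alert","src_ip":"192.0.2.10","dest_ip":"203.0.113.6","alert":{"severity":2,"category":"Crypto Currency Mining Activity Detected","signature":"SAMPLE mining signature","signature_id":9000002,"metadata":{"mitre_tactic_id":["TA0040"],"mitre_tactic_name":["Impact"],"mitre_technique_id":["T1496"],"mitre_technique_name":["Resource_Hijacking"]}}}
{"event_type":"alert","src_ip":"192.0.2.11","dest_ip":"203.0.113.6","alert":{"severity":2,"category":"Crypto Currency Mining Activity Detected","signature":"SAMPLE mining signature","signature_id":9000002,"metadata":{"mitre_tactic_id":["TA0040"],"mitre_tactic_name":["Impact"],"mitre_technique_id":["T1496"],"mitre_technique_name":["Resource_Hijacking"]}}}
{"event_type":"flow","src_ip":"192.0.2.10","dest_ip":"203.0.113.5","proto":"TCP"}
"""

Record = Dict[str, Any]


def load_eve(text: str) -> List[Record]:
    """Parse one JSON object per line, skipping blank lines."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def alerts(records: List[Record]) -> List[Record]:
    # event_type=="alert"
    return [r for r in records if r.get("event_type") == "alert"]


def get_path(record: Record, dotted: str) -> Any:
    """Resolve a dotted name such as "alert.signature_id" through nested objects; None if absent."""
    cur: Any = record
    for key in dotted.split("."):
        if not isinstance(cur, dict) or key not in cur:
            return None
        cur = cur[key]
    return cur


def first_or_dash(value: Any) -> Any:
    """EVE metadata values are lists; use the first entry, or "-" when the rule carried none."""
    if isinstance(value, list):
        return value[0] if value else "-"
    return "-" if value is None else value


def count_by(records: List[Record], *fields: str) -> List[Tuple[tuple, int]]:
    # count() by <fields> | sort count   (ascending, as in the room's queries)
    keys = (tuple(first_or_dash(get_path(r, f)) for f in fields) for r in records)
    return sorted(Counter(keys).items(), key=lambda kv: kv[1])


def signature_ids_for_category(records: List[Record], category: str) -> List[int]:
    """Signature ids that fired under the given alert.category."""
    sids = {get_path(r, "alert.signature_id") for r in records if get_path(r, "alert.category") == category}
    return sorted(s for s in sids if s is not None)


MITRE_FIELDS = (
    "alert.category",
    "alert.metadata.mitre_technique_name",
    "alert.metadata.mitre_technique_id",
    "alert.metadata.mitre_tactic_name",
    "alert.metadata.mitre_tactic_id",
)


def mitre_summary(records: List[Record]) -> List[Tuple[tuple, int]]:
    # cut alert.category, alert.metadata.mitre_* | sort | uniq -c
    # Alerts without ATT&CK metadata show "-" instead of disappearing.
    keys = (tuple(first_or_dash(get_path(r, f)) for f in MITRE_FIELDS) for r in records)
    return sorted(Counter(keys).items())


def tactic_ids(records: List[Record]) -> set:
    """Distinct mitre_tactic_id values across all alerts."""
    return {first_or_dash(get_path(r, "alert.metadata.mitre_tactic_id")) for r in records} - {"-"}


if __name__ == "__main__":
    al = alerts(load_eve(SAMPLE_EVE_JSON))
    for key, n in count_by(al, "alert.severity", "alert.category", "alert.signature", "alert.signature_id"):
        print(n, key)
    for key, n in count_by(al, "src_ip"):
        print(n, "alerts from", key[0])
    for key, n in mitre_summary(al):
        print(n, key)
    print("tactic ids:", tactic_ids(al))
```

The `count_by` helper takes any list of dotted field names, so the same function reproduces both the category-only query and the extended one with signature and signature_id, as well as the “add src_ip” variation used above.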

Answer: TA0040


Task 8: Conclusion

Congratulations! You just finished the Brim room.

In this room, we covered Brim, what it is, how it operates, and how to use it to investigate threats. 

Now, we invite you to complete the Brim challenge room: Masterminds.

Questions

Read the task above.

Answer: No answer needed.


Congratulations on completing Brim!!!

Congratulations on completing Brim

Congratulations on finishing this walkthrough of the TryHackMe Brim room.
I really enjoyed this room. I thought Zeek, which we covered earlier, was a great tool, but it did get a bit annoying working with all the different logs from the command line. Brim is a great and easier-to-use tool that builds upon Zeek. It’s awesome!

Come back soon for more walkthroughs of rooms on TryHackMe and HackTheBox, and other Cybersecurity discussions.


Like my articles?

You are welcome to comment on this post, or share my post with friends.
I would be even more grateful if you support me by buying me a cup of coffee:

Buy me a coffee

I learned a lot through HackTheBox’s Academy. If you want to sign up, you can get extra cubes, and support me in the process, if you use the following link:

https://referral.hackthebox.com/mzwwXlg
