[THM] Warzone 2

0xStn
5 min readJul 20

--

You work as a Tier 1 Security Analyst L1 for a Managed Security Service Provider (MSSP). Again, you’re tasked with monitoring network alerts.

An alert triggered: Misc activity, A Network Trojan Was Detected, and Potential Corporate Privacy Violation.

The case was assigned to you. Inspect the PCAP and retrieve the artifacts to confirm this alert is a true positive.

Your tools:

1-What was the alert signature for A Network Trojan was Detected?

first, I will move to the Suricata alerts query on the right of the screen

we can see here the src and dest IPs of this alert

after that, we will use this filter to get all alert events

event_type=="alert" 

then, we will start to look for those IPs

..look I found something

2-What was the alert signature for Potential Corporate Privacy Violation?

here I will go to check the Suricata alerts

we have it mmm…

so I will use this filter to filter out this category

"Potential Corporate Privacy Violation"

3-What was the IP to trigger either alert? Enter your answer in a defanged format.

it’s simple… we can just look at 2 log detail screenshots that we took

and use src_ip in cyber Chef to get our answer

4-Provide the full URI for the malicious downloaded file. In your answer, defang the URI.

I went to file Activity query to see if there is a suspicious activity or not, and…

we got a hit!

the suspicious IP that we found alerts from, download a file

so, I will use Wireshark and search with the file name to get more details by stream

or just filter with the name of the file in the brim

5-What is the name of the payload within the cab file?

we can take the file hash to look for on virus total

we can find this hash in our first screenshot from the previous question

6-What is the user-agent associated with this network traffic?

we can get user_agent from any one of the 3 programs

…here I used the Wireshark from our last tcp stream

7-What other domains do you see in the network traffic that are labelled as malicious by VirusTotal? Enter the domains defanged and in alphabetical order. (format: domain[.]zzz,domain[.]zzz)

we have multiple suspicious domains (5) related to this file
so we cannot decide which one made a successful conn
we can see this here…

we can filter out the connection statues by using this filter

method=="GET" | cut host, status_code, status_msg

and!

we got it…

8-There are IP addresses flagged as Not Suspicious Traffic. What are the IP addresses? Enter your answer in numerical order and defanged. (format: IPADDR,IPADDR)

let’s check the suricata source and dest alerts

9-For the first IP address flagged as Not Suspicious Traffic. According to VirusTotal, there are several domains associated with this one IP address that was flagged as malicious. What were the domains you spotted in the network traffic associated with this IP address? Enter your answer in a defanged format. Enter your answer in alphabetical order, in a defanged format. (format: domain[.]zzz,domain[.]zzz, etc)

let’s take the IP and search on virus total about this related domains

nice we’ve got a hit…

→ let’s filter it on the brim and verify it

we can use this filter to filter out the IP queries and see if it match or not

64.225.65.166 | cut query

horaaa!!!

10-Now for the second IP marked as Not Suspicious Traffic. What was the domain you spotted in the network traffic associated with this IP address? Enter your answer in a defanged format. (format: domain[.]zzz)

In this case I will use brim and use the same filter but I will change the IP

142.93.211.176 | cut query

I wanna clarify that some cases can be solved by NM, WS, or brim.

but in this challenge, I referred to the brim in most questions because some cases didn’t need me to explore traffic deeply.

so… thanks for reading, hope I could help you with my write-up,
if you have a question or comment on this write-up , please text me 🙌😊

--

--