Blue Team CTF: Warzone 1
To keep working on my ability to parse logs and sniff out possible IOCs, I will be tackling another blue team CTF with a focus on traffic analysis using Brim and Wireshark, and also using sources like VirusTotal to inspect IP addresses and domains for past malicious activity.
The scenario: I work for an MSSP and have received multiple alerts that I must triage to confirm whether each is a true positive or a false positive. I will have to investigate PCAPs for the IOCs. They gave us Wireshark, Brim, and NetworkMiner for the investigation.
We will first seek out the alert signature of a possible C2 by utilizing this search query in Brim:
event_type=="alert" | count() by alert.severity, alert.category | sort count
I then opened the traffic view to inspect the alert's contents and find the alert signature.
Next, they asked me for the defanged source IP address for the investigation. Defanging an IP address (wrapping each dot in brackets) makes it unclickable and unresolvable, which decreases the risk of accidentally connecting to it. The defanged IP is: 172[.]16[.]1[.]102
In the follow-up question, they are looking for the defanged destination IP address, which is: 169[.]239[.]128[.]11
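The defanging used above is easy to get wrong by hand (a missed dot, or double brackets when a value is defanged twice), so here is a small helper I would keep beside a write-up like this. It is an added example, not part of the original post: it defangs and refangs IPs, domains and URLs, stays idempotent, and can sweep a whole paragraph of report text. The scheme substitutions (hxxp, fxp) and the sample text are my own constructions.

```python
import ipaddress
import re

# Added example (not from the original write-up): defang/refang helpers so
# indicators pasted into a report cannot be clicked or auto-resolved.

# Assumed scheme substitutions; hxxp/hxxps are the common convention.
_SCHEMES = {"http://": "hxxp://", "https://": "hxxps://", "ftp://": "fxp://"}

_URL_RE = re.compile(r"\b(?:https?|ftp)://\S+", re.IGNORECASE)
_IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
# Hostname-looking tokens (this also catches file names such as filter.msi,
# which is usually what you want in a report).
_DOMAIN_RE = re.compile(r"\b(?:[a-z0-9-]+\.)+[a-z]{2,}\b", re.IGNORECASE)


def refang(indicator: str) -> str:
    """Undo the usual defang notations: [.], (.), {.} -> '.', hxxp -> http, fxp -> ftp."""
    s = indicator.strip()
    s = s.replace("[.]", ".").replace("(.)", ".").replace("{.}", ".")
    s = re.sub(r"^hxxp(s?)://", r"http\1://", s, flags=re.IGNORECASE)
    s = re.sub(r"^fxp://", "ftp://", s, flags=re.IGNORECASE)
    s = s.replace("[://]", "://").replace("[:]//", "://")
    return s


def defang(indicator: str) -> str:
    """Defang one IP, domain or URL: neuter the scheme and wrap every dot as [.].

    refang() runs first so the function is idempotent: defanging an already
    defanged value does not produce '[[.]]'.
    """
    s = refang(indicator)
    lowered = s.lower()
    for live, dead in _SCHEMES.items():
        if lowered.startswith(live):
            s = dead + s[len(live):]
            break
    return s.replace(".", "[.]")


def is_ip(indicator: str) -> bool:
    """True when the (possibly defanged) indicator parses as an IPv4/IPv6 address."""
    try:
        ipaddress.ip_address(refang(indicator))
        return True
    except ValueError:
        return False


def defang_all(text: str) -> str:
    """Defang every URL, IPv4 address and hostname-looking token in free text.

    URLs go first so their host part is handled as a unit; after that the
    IPv4 and domain passes only see dots that are still live.
    """
    text = _URL_RE.sub(lambda m: defang(m.group(0)), text)
    text = _IPV4_RE.sub(lambda m: defang(m.group(0)), text)
    text = _DOMAIN_RE.sub(lambda m: defang(m.group(0)), text)
    return text


if __name__ == "__main__":
    # Constructed report sentence using the IPs and domain from the write-up.
    sample = "Source 172.16.1.102 fetched http://185.10.68.235/filter.msi after resolving fidufagios.com."
    print(defang_all(sample))
```

Because defang() refangs before it brackets the dots, you can run it over a report that already contains some defanged values without corrupting them.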
I will now inspect the destination IP address in VirusTotal to check its passive DNS replication. This gives an idea of where a domain may have pointed in the past, what subdomains may exist, whether the domains point to a given IP network, and what domain names may be hosted by a given name server. Upon inspection, the domain with the most detections is fidufagios[.]com.
While in VirusTotal I also looked up the threat group and malware family attributed to this address, which are TA505 and MirrorBlast. This information was found under the Community and Relations tabs.
The investigation also asks for the majority file type of the communicating files associated with this IP. This is also found under the Relations tab in VirusTotal. The majority communicating file type is Windows Installer. (This no longer matches VirusTotal, which now shows a Win32 EXE. This is a process in which DLLs are stored. It's possible that at the time this CTF was created it was indeed Windows Installer.)
Next up we'll inspect the user agent of the suspect IP address. We will use this search string to narrow down the answer: _path=="http" | cut id.orig_h, id.resp_h, id.resp_p, user_agent | uniq -c
Two other IP addresses were found when running the search query: _path=="http" | cut id.orig_h, id.resp_h, host | uniq -c
After checking these IP addresses against VirusTotal, they also appear to have connections to the threat group TA505. (Another thing the creators of this CTF took into consideration is that three of the IP addresses besides the original are all connected to TA505.)
Two files were downloaded from the two supporting IP addresses. I ran the search string: _path=="http" | cut id.orig_h, id.resp_h, host, method, uri | uniq -c which enabled me to find one of the file names, but I had to do a generic search on the IP address and dig through the packet details to find the second file.
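The three Brim queries above are all the same move: cut a few columns from the Zeek http log and count unique combinations. As an added example (not part of the original post or of Brim), here is that pivot done in Python over Zeek http.log records in JSON form, the format Brim ingests. It reproduces `cut ... | uniq -c`, lists the servers a host talked to, and pulls file names out of successful GET requests so the second file does not have to be found by hand in packet details. The five log lines are constructed for the example: the IPs and filter.msi come from the write-up, but the user agents, URIs and the second file name are placeholders, not the real values from the CTF.

```python
import json
from collections import Counter
from posixpath import basename
from urllib.parse import urlsplit

# Added example, not from the original write-up. Constructed Zeek http.log
# lines (JSON output format). Only the IPs and "filter.msi" come from the
# write-up; user agents, URIs and the second file name are placeholders.
SAMPLE_HTTP_LOG = """\
{"ts":1640000001.1,"uid":"C1","id.orig_h":"172.16.1.102","id.orig_p":49201,"id.resp_h":"169.239.128.11","id.resp_p":80,"method":"POST","host":"fidufagios.com","uri":"/status","user_agent":"Mozilla/4.0 (constructed-UA)","status_code":200}
{"ts":1640000002.2,"uid":"C2","id.orig_h":"172.16.1.102","id.orig_p":49202,"id.resp_h":"169.239.128.11","id.resp_p":80,"method":"POST","host":"fidufagios.com","uri":"/status","user_agent":"Mozilla/4.0 (constructed-UA)","status_code":200}
{"ts":1640000003.3,"uid":"C3","id.orig_h":"172.16.1.102","id.orig_p":49203,"id.resp_h":"185.10.68.235","id.resp_p":80,"method":"GET","host":"185.10.68.235","uri":"/filter.msi","user_agent":"Windows-Installer/5.0 (constructed-UA)","status_code":200}
{"ts":1640000004.4,"uid":"C4","id.orig_h":"172.16.1.102","id.orig_p":49204,"id.resp_h":"192.36.27.92","id.resp_p":80,"method":"GET","host":"192.36.27.92","uri":"/constructed-second-file.exe","user_agent":"Windows-Installer/5.0 (constructed-UA)","status_code":200}
{"ts":1640000005.5,"uid":"C5","id.orig_h":"172.16.1.102","id.orig_p":49205,"id.resp_h":"192.36.27.92","id.resp_p":80,"method":"GET","host":"192.36.27.92","uri":"/index.html","user_agent":"Windows-Installer/5.0 (constructed-UA)","status_code":404}
"""


def load_http_log(text: str) -> list:
    """Parse Zeek JSON http.log lines, skipping blanks and '#' comment lines."""
    records = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        records.append(json.loads(line))
    return records


def uniq_count(records: list, fields: tuple) -> Counter:
    """Equivalent of Brim's `cut f1, f2, ... | uniq -c`: count unique field tuples."""
    return Counter(tuple(r.get(f) for f in fields) for r in records)


def servers_contacted(records: list, orig_h: str) -> list:
    """Sorted list of responder IPs that the given originator talked to."""
    return sorted({r["id.resp_h"] for r in records if r.get("id.orig_h") == orig_h})


def file_downloads(records: list) -> list:
    """(resp_h, host, file name) for successful GETs whose URI path ends in a name with an extension.

    Failed requests (non-2xx) are dropped because nothing was actually
    delivered, which is why the constructed /index.html 404 does not appear.
    """
    out = []
    for r in records:
        status = int(r.get("status_code") or 0)
        if r.get("method") != "GET" or not 200 <= status < 300:
            continue
        name = basename(urlsplit(r.get("uri", "")).path)
        if "." in name:
            out.append((r["id.resp_h"], r.get("host"), name))
    return out


if __name__ == "__main__":
    recs = load_http_log(SAMPLE_HTTP_LOG)
    for key, n in uniq_count(recs, ("id.orig_h", "id.resp_h", "id.resp_p", "user_agent")).items():
        print(n, *key)
    print("servers:", servers_contacted(recs, "172.16.1.102"))
    print("downloads:", file_downloads(recs))
```

Pointing load_http_log() at a real http.log (Zeek run with the JSON log writer) reproduces the same view you get in Brim, with the added benefit that the file-name extraction is a function you can reuse across PCAPs instead of a manual packet search.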
Two more files were also downloaded from 185.10.68.235 along with the filter.msi file. We will open Wireshark to dig a little deeper. In Wireshark I searched the traffic for the IP and followed the TCP stream to get a more granular perspective.
Finally, I inspected the other file downloaded from 192.36.27.92, which in turn downloaded two more files. I took the same approach: opening the pcap in Wireshark and following the TCP stream for a closer look.
That concludes this CTF. It was interesting and good practice, but I think it's time to move on to more difficult challenges. This CTF was rated medium difficulty; I think I'm going to try a hard one next time.