TryHackMe WriteUp: Warzone 2

This article explains how to find Warzone 2 solutions.

hackerdevil, published in InfoSec Write-ups. 6 min read. Nov 26, 2022

Challenge Name: Warzone 2 by TryHackMe & ujohn

[Screenshot: Warzone 2]

This challenge is built around an incident triggered by an IDS or IPS. It involves the investigation and triage activities of a Security Analyst L1 role.

Note: Wireshark and Brim are the tools used while solving this challenge. You can refer to this article to learn how to use Brim, and this article to learn how to use Wireshark.

Once the machine has started, open the split-screen view. You then need to open two things: first, open the packet capture (Zone2.pcap) in Wireshark; second, open the same file in Brim. You can find Brim under the Tools folder.

In this challenge Wireshark is used to analyze the captured traffic and Brim is used to list and inspect the triggered alerts.

So now let’s directly jump to the questions….

Q1: What was the alert signature for A Network Trojan was Detected?

Since the question asks for the alert signature, use Brim to look at the triggered alerts. Once Zone2.pcap is loaded into Brim, select the "Suricata Alerts by Source and Destination" query. It lists every alert triggered, along with the source and destination IP addresses.

[Screenshot: Brim Alerts]

Note the source IP (185.118.164.8) for the "A Network Trojan was Detected" alert, then search for all traffic involving that IP.

[Screenshot: Brim search results for 185.118.164.8]

The first alert mentions a malware download. Double-click that alert to see its details.

[Screenshot: Alert Signature]

There you can find the alert signature, which is the answer to the question. Note that the signature (the rule's message text, the Suricata alert.signature field) is not the same thing as the category ("A Network Trojan was Detected", the alert.category field) that the question quotes.

Q2: What was the alert signature for Potential Corporate Privacy Violation?

This question is the same as Q1, but for a different alert, so the signature is found in the same way. The source IP for this alert is the same as for the earlier alert.

[Screenshot: Brim Alerts]
[Screenshot: Alert Signature]

Q3: What was the IP to trigger either alert? Enter your answer in a defanged format.

We already found the IP in Q1: both alerts were triggered by that source IP. Just write it in defanged format; for example, 8.8.8.8 is written in defanged format as 8[.]8[.]8[.]8.

Note on defanging: whenever you record an IP or URL found while handling alerts, it is good practice as an L1 Security Analyst to write it in defanged format in your investigation report. That way it is not clickable, and a ticketing system or mail client will not turn it into a live link, which matters because such IPs and URLs may be malicious.

Q4: Provide the full URI for the malicious downloaded file. In your answer, defang the URI.

When you searched for the source IP address in Brim, the results included, along with the alerts, an HTTP request log entry.

[Screenshot: Brim search results for 185.118.164.8]

Open that log entry; it contains the Host and the URI. Combine the two to build the full URL, then write it in defanged format: if the URL is google.com/redirect=xyz.com, its defanged form is google[.]com/redirect=xyz[.]com.

[Screenshot: Full URL]

Q5: What is the name of the payload within the cab file?

Again, go back to the search results for the source IP. There you will find a notice log entry.

[Screenshot: Brim search results for 185.118.164.8]

Open that entry. It refers to the same file that was downloaded via the URL found in the previous question, so this notice log relates to that download. Further down in the entry there is a VirusTotal link that looks up the reputation of the file's hash. Either open that link, or copy the hash from it (f3e9e7f321deb1a3408053168a6a67c6cd70e114, a 40-character SHA-1) and search for it manually in VirusTotal.

[Screenshot: Notice Log]

When you search for that hash in VirusTotal, the name of the malicious file is shown in the results.

[Screenshot: VirusTotal Results]

Q6: What is the user-agent associated with this network traffic?

Open the HTTP request log entry from Q4 again. It contains the user agent sent with that HTTP request.

[Screenshot: User Agent]

Q7: What other domains do you see in the network traffic that are labelled as malicious by VirusTotal? Enter the domains defanged and in alphabetical order. (format: domain[.]zzz,domain[.]zzz)

This requires analyzing the traffic to find the other malicious domains the host contacted. Use the query below to filter the traffic in Brim.

method=="GET" | cut ip, host, status_code
[Screenshot: Malicious Domains]

In the results of that query, look for the hosts with status code 200, check their reputation on VirusTotal, and write the ones flagged as malicious in defanged format. A 200 only means the server answered; the VirusTotal verdict, not the status code, decides whether a host belongs in the answer.

Q8: There are IP addresses flagged as Not Suspicious Traffic. What are the IP addresses? Enter your answer in numerical order and defanged. (format: IPADDR,IPADDR)

In Brim, select "Suricata Alerts by Source and Destination" again, as in Q1, and look for the source IPs of the alerts whose category is Not Suspicious Traffic.

[Screenshot: Not Suspicious Traffic]

Q9: For the first IP address flagged as Not Suspicious Traffic. According to VirusTotal, there are several domains associated with this one IP address that was flagged as malicious. What were the domains you spotted in the network traffic associated with this IP address? Enter your answer in a defanged format. Enter your answer in alphabetical order, in a defanged format. (format: domain[.]zzz,domain[.]zzz,etc)

To find the domains associated with the first IP, use the query below, substituting that IP for the placeholder.

replace_this_with_ip | cut query
[Screenshot: Other Domains]

This query filters down to the DNS queries that resolved to that IP. Check their reputation on VirusTotal and note the ones flagged as malicious.

Q10: Now for the second IP marked as Not Suspicious Traffic. What was the domain you spotted in the network traffic associated with this IP address? Enter your answer in a defanged format. (format: domain[.]zzz)

Use the same query as in the previous question, with the second IP, to find the domain associated with it.

[Screenshot: Other Domain]
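Every Brim query in this writeup is a filter over Suricata alerts and Zeek http.log / dns.log records, so the same triage can be scripted. The block below is an added example, not code from the room or from Brim: it reproduces the signature-per-category lookup (Q1/Q2), the Host + URI and User-Agent extraction (Q4/Q6), the successful-GET host list (Q7), the source IPs per category in numerical order (Q8) and the "which names resolved to this IP" pivot (Q9/Q10) over constructed records. Only the field names (src_ip, alert.signature, alert.category, id.resp_h, host, uri, status_code, user_agent, query, answers) are the real Suricata and Zeek ones; the IPs, domains and rule texts are made up for illustration.

```python
import json

# Added example (not code from the writeup or the room). Redoes in Python, over
# Suricata eve.json alerts and Zeek http.log/dns.log records, what the writeup
# does with Brim queries. Every record below is constructed for illustration;
# only the field names are the real Suricata and Zeek ones.


def _records(text):
    return [json.loads(line) for line in text.strip().splitlines()]


# Suricata alerts as Brim shows them from the pcap (constructed).
EVE_ALERTS = _records("""
{"event_type":"alert","src_ip":"203.0.113.5","dest_ip":"10.0.0.20","alert":{"signature_id":9000001,"signature":"TEST MALWARE Executable download over HTTP","category":"A Network Trojan was Detected"}}
{"event_type":"alert","src_ip":"203.0.113.5","dest_ip":"10.0.0.20","alert":{"signature_id":9000002,"signature":"TEST POLICY Cabinet file download","category":"Potential Corporate Privacy Violation"}}
{"event_type":"alert","src_ip":"198.51.100.17","dest_ip":"10.0.0.20","alert":{"signature_id":9000003,"signature":"TEST INFO Observed DNS query","category":"Not Suspicious Traffic"}}
{"event_type":"alert","src_ip":"198.51.100.9","dest_ip":"10.0.0.20","alert":{"signature_id":9000004,"signature":"TEST INFO Observed DNS query","category":"Not Suspicious Traffic"}}
""")

# Zeek http.log (constructed). Zeek names the endpoints id.orig_h / id.resp_h.
HTTP_LOG = _records("""
{"id.orig_h":"10.0.0.20","id.resp_h":"203.0.113.5","method":"GET","host":"203.0.113.5","uri":"/files/update.cab","status_code":200,"user_agent":"Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1)"}
{"id.orig_h":"10.0.0.20","id.resp_h":"198.51.100.9","method":"GET","host":"cdn-update.example","uri":"/","status_code":200,"user_agent":"Mozilla/5.0"}
{"id.orig_h":"10.0.0.20","id.resp_h":"198.51.100.9","method":"GET","host":"login-portal.example","uri":"/index.php","status_code":200,"user_agent":"Mozilla/5.0"}
{"id.orig_h":"10.0.0.20","id.resp_h":"198.51.100.17","method":"POST","host":"beacon.test","uri":"/gate.php","status_code":200,"user_agent":"Mozilla/5.0"}
{"id.orig_h":"10.0.0.20","id.resp_h":"198.51.100.20","method":"GET","host":"missing.test","uri":"/x","status_code":404,"user_agent":"Mozilla/5.0"}
""")

# Zeek dns.log (constructed); "answers" is absent when the lookup returned nothing.
DNS_LOG = _records("""
{"id.orig_h":"10.0.0.20","query":"cdn-update.example","rcode_name":"NOERROR","answers":["198.51.100.9"]}
{"id.orig_h":"10.0.0.20","query":"login-portal.example","rcode_name":"NOERROR","answers":["198.51.100.9","198.51.100.10"]}
{"id.orig_h":"10.0.0.20","query":"beacon.test","rcode_name":"NOERROR","answers":["198.51.100.17"]}
{"id.orig_h":"10.0.0.20","query":"gone.test","rcode_name":"NXDOMAIN"}
""")


def signatures_for_category(alerts, category):
    """Q1/Q2: the signature (rule message) of every alert in a Suricata category."""
    return sorted({a["alert"]["signature"] for a in alerts if a["alert"]["category"] == category})


def source_ips_for_category(alerts, category):
    """Q8: source IPs of the alerts in a category, in numerical (not string) order."""
    ips = {a["src_ip"] for a in alerts if a["alert"]["category"] == category}
    return sorted(ips, key=lambda ip: tuple(int(octet) for octet in ip.split(".")))


def requests_to(http, server_ip):
    """Q4/Q6: full URL (Host + URI) and User-Agent of every request sent to a server."""
    return [{"url": r["host"] + r["uri"], "user_agent": r["user_agent"]}
            for r in http if r["id.resp_h"] == server_ip]


def successful_get_hosts(http):
    """Q7: the Brim query `method=="GET" | cut ip, host, status_code`, kept to
    status 200. A 200 only proves the server answered; the VirusTotal verdict,
    not the status code, decides whether a host belongs in the answer."""
    return sorted({r["host"] for r in http if r["method"] == "GET" and r["status_code"] == 200})


def domains_resolving_to(dns, ip):
    """Q9/Q10: the Brim query `<ip> | cut query`: names whose DNS answers included the IP."""
    return sorted({r["query"] for r in dns if ip in r.get("answers", [])})


def answer_line(indicators):
    """Room answer format: defanged, comma-separated, in the order given."""
    return ",".join(i.replace(".", "[.]") for i in indicators)


if __name__ == "__main__":
    print(signatures_for_category(EVE_ALERTS, "A Network Trojan was Detected"))
    print(answer_line(source_ips_for_category(EVE_ALERTS, "Not Suspicious Traffic")))
    print(requests_to(HTTP_LOG, "203.0.113.5"))
    print(answer_line(successful_get_hosts(HTTP_LOG)))
    print(answer_line(domains_resolving_to(DNS_LOG, "198.51.100.9")))
```

Two details matter more than they look. Q8 asks for numerical order, and a plain string sort puts 198.51.100.17 before 198.51.100.9, so the sort key has to split the octets. And the DNS pivot must tolerate records with no answers at all (NXDOMAIN), which is exactly the case a failed lookup of a dead C2 name produces.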

Okay… this one got a bit lengthy, but I hope you were able to find all the answers with ease. While writing this writeup I figured out that this room can be solved using just Brim 😅, although while solving the room I had used Wireshark for a few questions. For any queries, do leave a comment.

Thank You for reading.

Knowledge is power, so keep gaining! 😈
