Warzone2 SOC Investigation: Confirming a True Positive Malware Download Using Brim and VirusTotal


Warzone2: One thing I am starting to enjoy about these Warzone labs is how realistic they feel. This was not just another “find the answer” challenge. This actually felt like I was sitting in front of a real SOC dashboard during a shift, trying to determine whether an IDS alert was a false positive or an active threat that needed escalation.

#2 Warzone: Proven Malware Traffic Analysis & alert triage

This time, I worked as a simulated Tier 1 SOC Analyst at an MSSP. Multiple IDS/IPS alerts were triggered, and the case was assigned to me for triage and investigation.

The alerts included:

  • Misc Activity
  • A Network Trojan Was Detected
  • Potential Corporate Privacy Violation

The objective was simple in theory but very realistic in practice:

Determine whether the alerts represented a true positive incident by analyzing the PCAP and extracting the relevant indicators of compromise (IOCs).

Unlike the previous Warzone investigation, this one took me longer than expected. The room estimated about 30 minutes, but I spent nearly an hour working through the investigation properly. Interestingly, I only used Brim and VirusTotal throughout the entire process.

At first, I thought that was a disadvantage, but looking back now, it actually forced me to think more like an analyst instead of relying heavily on multiple tools.


Initial Triage and Alert Investigation

I started by loading the PCAP into Brim to review the Suricata alerts.

The first thing I wanted to establish was:

  • Which IP triggered the alerts
  • What type of traffic was involved
  • Whether malware delivery actually occurred

Inside Brim, I filtered the alerts and quickly identified the suspicious external IP address: 1x5[.]xxxx[.]xx[.]8

At this point, the investigation started becoming more interesting because I could see multiple alerts firing around the same timestamp.

The alert signatures identified were:

  • ET MALWARE Likely Evil EXE download from MXXXXHTTP non-exe extension M2
  • ET POLICY PE EXE or DLL Windows file download HTTP

Immediately, this suggested:

  • executable delivery over HTTP
  • suspicious file download behavior
  • possible malware staging activity

That was enough for me to treat the case seriously.


Following the HTTP Traffic

After identifying the suspicious IP address, I pivoted into the HTTP traffic associated with it.

This is where the investigation slowed me down a bit.

At first, I could only see partial HTTP GET requests inside Brim, and I struggled to reconstruct the full malicious URI. I initially focused too much on the alerts themselves instead of pivoting directly into the HTTP logs tied to the destination IP.

Eventually, I filtered the traffic properly and found the request that mattered.

The malicious URI was: awhxxxxxxxxxxxxxe[.]com/xxx/fxla[.]php?l=gap1[.]cab

At that moment, the investigation shifted from “suspicious traffic” into confirmed malware delivery territory.

Several indicators stood out immediately:

  • Randomized suspicious domain structure
  • CAB archive delivery
  • PHP download endpoint
  • HTTP-based payload retrieval

The traffic pattern itself already looked malicious before even checking threat intelligence.


Still in Warzone2: Malware Payload Discovery

The downloaded CAB file eventually led to the malware payload: dxxx.dll

This was important because it confirmed that the alert was not simply noise or a harmless executable transfer. A DLL payload being downloaded through suspicious HTTP traffic strongly reinforced the likelihood of active malware delivery. At this point, I considered the alert a true positive.


User-Agent Analysis

Another artifact recovered during the investigation was the user-agent associated with the malicious traffic:

Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; WOW64; Trident/8.0; .NET4.0C; .NET4.0E)

One thing I am starting to notice during malware investigations is how often attackers use outdated or abnormal user-agents to imitate legitimate traffic.

Seeing Internet Explorer style traffic tied to malware delivery immediately raised additional suspicion.


Threat Intelligence Pivoting with VirusTotal

This part honestly felt the most like real SOC work.

Instead of simply answering questions, I had to:

  • correlate infrastructure
  • pivot across indicators
  • validate suspicious activity
  • separate malicious from supposedly “non-suspicious” traffic

Additional malicious domains identified included:

  • a-zxxxxer[.]com
  • knockxxxxxxxts[.]com

What made the investigation more interesting was the discovery that some IPs marked as “Not Suspicious Traffic” were actually associated with malicious infrastructure when checked against VirusTotal intelligence.

The flagged IP addresses were:

  • 64[.]xxx[.]65[.]xxx
  • 1xx[.]x3[.]2xx[.]xxx

Associated malicious domains included:

  • sxxxxxxtest[.]top
  • txxxxmxar[.]xyz
  • ulxxxtifxxxion[.]xyz
  • 2pxxxxow[.]top

This was a very important lesson because it reinforced something analysts constantly face in real environments:

Not every malicious indicator is immediately classified correctly by detection systems.

Sometimes analysts must validate suspicious activity manually through investigation and threat intelligence correlation.
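The two pivots this write-up describes (from an alert to the HTTP log entries for the same external IP to rebuild the full host+URI, and then a threat-intel check on peers the IDS left as "not suspicious") as an added Python illustration of my own, not the room's data or a Brim query. The records, IPs, host names and the VirusTotal verdict set are constructed stand-ins.

```python
# Constructed sample records, not from the lab's PCAP: one Suricata EVE alert, one plain flow
# record and one Zeek http.log entry, as parsed JSON objects. RFC 5737 IPs, placeholder host.
EVE_RECORDS = [
    {"timestamp": "2024-01-01T10:00:01Z", "event_type": "alert", "src_ip": "203.0.113.8", "dest_ip": "10.0.3.25",
     "alert": {"signature": "ET MALWARE Likely Evil EXE download from MSXMLHTTP non-exe extension M2"}},
    {"timestamp": "2024-01-01T10:00:09Z", "event_type": "flow", "src_ip": "10.0.3.25", "dest_ip": "198.51.100.2"},
]
ZEEK_HTTP = [
    {"ts": "2024-01-01T10:00:00Z", "id.orig_h": "10.0.3.25", "id.resp_h": "203.0.113.8", "host": "dropper.invalid",
     "uri": "/xx/fxla.php?l=gap1.cab", "resp_mime_types": ["application/vnd.ms-cab-compressed"],
     "user_agent": "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; WOW64; Trident/8.0; .NET4.0C; .NET4.0E)"},
]
VT_MALICIOUS_IPS = {"198.51.100.2"}   # constructed stand-in for VirusTotal verdicts; a real check queries the API
PAYLOAD_EXTS = (".exe", ".dll", ".cab")
PAYLOAD_MIMES = {"application/x-dosexec", "application/vnd.ms-cab-compressed"}


def external_peers(records, local_prefix="10."):
    """Map each external IP seen in any Suricata record to whether an alert fired on it."""
    peers = {}
    for r in records:
        for ip in (r["src_ip"], r["dest_ip"]):
            if not ip.startswith(local_prefix):
                peers[ip] = peers.get(ip, False) or r["event_type"] == "alert"
    return peers


def reconstruct_downloads(http_events, peers):
    """Pivot from the peer IPs into http.log, rebuild host+uri and flag payload retrievals."""
    out = []
    for h in http_events:
        if h["id.resp_h"] in peers:
            target = h["uri"].lower().rsplit("=", 1)[-1]   # path, or the last query value (fxla.php?l=gap1.cab)
            payload = target.endswith(PAYLOAD_EXTS) or bool(PAYLOAD_MIMES & set(h.get("resp_mime_types", [])))
            out.append({"ts": h["ts"], "server": h["id.resp_h"], "url": h["host"] + h["uri"],
                        "payload": payload, "legacy_ie_ua": "MSIE" in h.get("user_agent", "")})
    return out


def triage(records, http_events, vt_malicious):
    """Classify each external peer from IDS verdict, reconstructed HTTP evidence and threat intel."""
    peers = external_peers(records)
    downloads = reconstruct_downloads(http_events, peers)
    verdict = {}
    for ip, alerted in peers.items():
        if alerted and any(d["payload"] for d in downloads if d["server"] == ip):
            verdict[ip] = "true positive: payload download confirmed"
        elif ip in vt_malicious:
            verdict[ip] = "not alerted, but malicious per threat intel"
        else:
            verdict[ip] = "no finding"
    return verdict, downloads
```

Running `triage(EVE_RECORDS, ZEEK_HTTP, VT_MALICIOUS_IPS)` labels the alerting server a true positive on the strength of the reconstructed CAB download, and surfaces the second IP only because the threat-intel set names it, which is exactly the "Not Suspicious Traffic" trap described above.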


Challenges I Faced During the Investigation

The biggest challenge during this room was reconstructing the malicious download chain properly.

I initially became too focused on the Suricata alerts themselves instead of pivoting directly into the underlying HTTP traffic.

Because of that:

  • I spent extra time locating the full URI
  • I had to manually correlate timestamps
  • I needed multiple pivots between alerts and HTTP events

Another challenge was trusting my own analysis.

At several points, I already had enough evidence to conclude the activity was malicious, but I kept second-guessing whether I had missed something.

Ironically, that hesitation is probably a normal part of being a junior analyst because validating a true positive requires confidence in both the evidence and your investigative process.


Final Investigation Conclusion

After correlating:

  • IDS alerts
  • malicious HTTP traffic
  • CAB file delivery
  • DLL payload extraction
  • VirusTotal intelligence
  • associated malicious infrastructure

I concluded that the incident was a confirmed true positive involving malicious payload delivery over HTTP.

The activity demonstrated indicators consistent with:

  • malware staging
  • suspicious executable delivery
  • potentially compromised infrastructure
  • malicious external communications

What My Escalation Notes Would Look Like to L2:

Escalation Summary

A true positive malware delivery event was identified during IDS alert investigation. Multiple Suricata alerts were triggered involving suspicious HTTP traffic from external IP 1xx[.]xx8[.]xxx[.]x to internal host 1x.x.3.xxx.

Key Findings

  • Alert Signatures:
    • ET MALWARE Likely Evil EXE download from MSXMLHTTP non-exe extension M2
    • ET POLICY PE EXE or DLL Windows file download HTTP
  • Malicious URI:
    • awxxxxxxxxxxxxxxxxx[.]com/xxxx/fxla[.]php?l=gap1[.]cab
  • Downloaded Payload:
    • draw.dll
  • Suspicious User-Agent:
    • Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; WOW64; Trident/8.0; .NET4.0C; .NET4.0E)

Additional Threat Intelligence

Associated malicious domains identified through VirusTotal correlation:

  • a-xxxxr[.]com
  • knoxxxxghts[.]com
  • saxxxtest[.]top
  • toxxxxbar[.]xyz
  • ulxxxficxxxn[.]xyz
  • 2xxxxow[.]top

Recommendation

Recommend:

  • host isolation
  • endpoint triage
  • memory analysis
  • IOC blocking
  • additional investigation into potential malware execution and persistence mechanisms

My Final Thoughts

This investigation felt significantly closer to real SOC operations than many beginner labs I have worked through before.

What stood out most was not simply finding the answers, but learning how to:

  • pivot between alerts and traffic
  • validate true positives
  • reconstruct malware delivery
  • correlate threat intelligence
  • document findings clearly for escalation

Even though the investigation took me longer than expected, I actually think that was a good thing. Rushing through alerts is how analysts miss important evidence.

This room reinforced that careful analysis, patience, and good pivoting techniques matter far more than speed alone.
