While many organizations tend to rely on indicators of compromise as the key to threat actor
detection, good detection engineers recognize that these indicators are often just initial pivots
for discovering tools, techniques, and procedures. Let's pivot on some of the indicators included
in our faux intelligence report and see whether we can uncover any additional insights into our threat
actors.
/* Query 1 */
/* Pivot 1: the report's file-name indicators, searched across every envolvelabs-* tag. */
/* grep here is a raw substring search over the entry body (no field extraction yet); */
/* several patterns on one grep select an entry that contains any one of them. */
/* NOTE(review): grep matches case-sensitively unless -i is given — confirm the */
/* sources preserve the casing used in the report before trusting a negative result. */
/* TAG is shown next to DATA so each hit can be traced back to the source that logged it. */
tag=envolvelabs-* grep Ceramic_Village.xls Hidden_Sand.docx Hidden_leaf.docx Curtain_Village.zip
| table TAG DATA
/* Query 2 */
/* Pivot 2: the report's file hashes (64 hex characters, i.e. SHA-256 length), again as */
/* a raw substring search across all envolvelabs-* tags; one pattern per line, and an */
/* entry containing any one of them is kept. */
/* NOTE(review): the hashes are matched byte-for-byte — a source that logs hashes in */
/* upper case would be missed without -i; verify the hash casing of each source. */
tag=envolvelabs-* grep
ba8a996a117702b946e07dd12d030956efddc159a5e775c18b1a7fb10df13902
cd6355ba77bf37be2027c2016cd37f9e08f7025e067903a45b3d37b7c11afdbf
6c35723e76ecc4fe8e5d1f6ef8bb96c8f163e020fd367c2a260295432ad11ed6
261e6dc6c25734ddaba007bedb8b474d7be4803d8e724d42637775bd7cc397aa
| table TAG DATA
/* Query 3 */
/* The same hash pivot narrowed to the ProcessEvents tag, with the autoextractor (ax) */
/* applied so the matched entries are displayed as structured fields instead of raw DATA. */
/* table with no column list presumably renders every field ax extracted — verify */
/* against the autoextractor definition for this tag. */
tag=envolvelabs-ProcessEvents grep
ba8a996a117702b946e07dd12d030956efddc159a5e775c18b1a7fb10df13902
cd6355ba77bf37be2027c2016cd37f9e08f7025e067903a45b3d37b7c11afdbf
6c35723e76ecc4fe8e5d1f6ef8bb96c8f163e020fd367c2a260295432ad11ed6
261e6dc6c25734ddaba007bedb8b474d7be4803d8e724d42637775bd7cc397aa
| ax
| table
/* Query 4 */
/* Aggregate the hash hits by the command line that ran them, most frequent first: */
/* the first view of what the flagged files were actually used to execute. */
/* count by groups on the exact process_commandline string, so one tool invoked with */
/* varying arguments is spread across several rows rather than summed. */
tag=envolvelabs-ProcessEvents grep
ba8a996a117702b946e07dd12d030956efddc159a5e775c18b1a7fb10df13902
cd6355ba77bf37be2027c2016cd37f9e08f7025e067903a45b3d37b7c11afdbf
6c35723e76ecc4fe8e5d1f6ef8bb96c8f163e020fd367c2a260295432ad11ed6
261e6dc6c25734ddaba007bedb8b474d7be4803d8e724d42637775bd7cc397aa
| ax
| count by process_commandline
| sort by count desc
| table process_commandline count
/* Query 5 */
/* Filter on the extracted fields directly. ~ is a contains/substring match, so any */
/* command line with "plink" somewhere in it is kept — a renamed copy of the binary */
/* will not be. parent_process_name != "cmd.exe" drops launches from cmd.exe as */
/* noise; that is a deliberate blind spot — anything the actor does launch through */
/* cmd.exe disappears from this query and the two that follow. */
/* NOTE(review): both comparisons appear to be case-sensitive — confirm against the */
/* ax output before relying on an empty result. */
tag=envolvelabs-ProcessEvents ax parent_process_name != "cmd.exe"
process_commandline ~ "plink"
| table
/* Query 6 */
/* Widen the search from plink alone to three strings; grep -e process_commandline */
/* searches only the extracted field rather than the whole entry. The terms are plain */
/* substrings, so "ping" also matches words such as "mapping" or "stopping" in */
/* unrelated command lines — expect false positives before trusting the counts built */
/* on this filter in Query 7. The cmd.exe exclusion from Query 5 still applies. */
tag=envolvelabs-ProcessEvents ax parent_process_name != "cmd.exe"
| grep -e process_commandline "plink" "whoami" "ping"
| table
/* Query 7 */
/* Same filter as Query 6, aggregated by parent process: which processes (other than */
/* cmd.exe) are spawning plink/whoami/ping. Inherits Query 6's substring false */
/* positives ("ping" inside "mapping", etc.) and Query 5's cmd.exe blind spot, so a */
/* high count here is a lead to inspect, not a verdict. */
tag=envolvelabs-ProcessEvents ax parent_process_name != "cmd.exe"
| grep -e process_commandline "plink" "whoami" "ping"
| count by parent_process_name
| sort by count desc
| table parent_process_name count
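/* Query 8 */
/* Hunt for command lines that end in a dotted-quad IPv4 address, then aggregate by */
/* parent process and command line. The pattern is kept on a single line: a line break */
/* inside the quoted regex (as happens when the pattern wraps) inserts a newline into */
/* the last-octet alternation and silently stops matching addresses ending in 200-249. */
/* Caveats: the $ anchor only catches command lines whose final token is the address */
/* (an address followed by a port or further flags is missed), and there is no */
/* left-hand boundary, so the tail of a longer digit run also matches. No named capture */
/* groups are defined, so regex presumably acts here purely as a filter. */
tag=envolvelabs-ProcessEvents ax
| regex -e process_commandline "(?:(?:25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.){3}(?:25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)$"
| count by parent_process_name process_commandline
| sort by count desc
| table parent_process_name process_commandline count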
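/* Query 9 */
/* Same IPv4-at-end-of-command-line filter as Query 8, but showing the full extracted */
/* records rather than counts, for inspecting the individual events. The regex is kept */
/* on one line — a break inside the quoted pattern would put a newline into the */
/* last-octet alternation and silently drop addresses ending in 200-249. The $ anchor */
/* still misses addresses followed by a port or further flags, and the absence of a */
/* left-hand boundary lets the tail of a longer digit run match. */
tag=envolvelabs-ProcessEvents ax
| regex -e process_commandline "(?:(?:25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.){3}(?:25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)$"
| table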