Transitioning: Triage to Investigation - Back In Action

In part one of this series, Triage, we left off with a single host likely compromised by a threat
actor who had gained initial access after a user clicked a link, downloaded a file, and opened it.
Once we confirmed that the file had been downloaded by querying our FileCreation data, we
pivoted to our ProcessEvents to see whether anything executed on this user's machine after our
suspect files were created, looking for any evidence of threat actor activity.

Key: Set time scope to 09/01/2019 -> 01/01/2022

//Query 0//
Refresher from the Triage series. Did anything happen after our malicious document was

tag=envolvelabs2-ProcessEvents ax hostname=="4AHX-DESKTOP"
| sort by time asc
| table

//Query 1//
Does the IP “” in the ligolo command reveal anything else?

tag=envolvelabs2-ProcessEvents grep ""
| ax
| sort by time asc
| table

//Query 2//
Did anything else happen on this second machine (NZ6J-LAPTOP) we found?

tag=envolvelabs2-ProcessEvents ax hostname=="NZ6J-LAPTOP"
| sort by time asc
| table