Gravwell is an enterprise data fusion platform that enables security teams to investigate, collaborate, and analyze data from any source, on demand, all with unlimited data collection and retention. Ingest everything. Investigate anything.
In part one of this series, Triage, we left off with a single host likely compromised by a threat actor who had gained initial access after a user clicked a link, downloaded a file, and opened it. Once we determined that the file had been downloaded by querying our FileCreation data, we pivoted to our ProcessEvents to see if anything executed on this user's machine after our suspect files were created, looking for any evidence of threat actor activity.
Key: Set time scope to 09/01/2019 -> 01/01/2022
//Query 0//
Refresher from the Triage series. Did anything happen after our malicious document was downloaded?
tag=envolvelabs2-ProcessEvents ax hostname=="4AHX-DESKTOP"
| sort by time asc
| table
//Query 1//
Does the IP "166.135.152.181" in the ligolo command reveal anything else interesting?
tag=envolvelabs2-ProcessEvents grep "166.135.152.181"
| ax
| sort by time asc
| table
//Query 2//
Did anything else happen on the second machine we found, NZ6J-LAPTOP?
tag=envolvelabs2-ProcessEvents ax hostname=="NZ6J-LAPTOP"
| sort by time asc
| table
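The pivot the three queries above perform (filter one host, grep the whole data set for the indicator, then filter the newly discovered host) is easy to lose track of in a long hunt, so here is the same logic written as plain Python over a few constructed ProcessEvents records. This is an added example, not code from the Gravwell post; the record layout (time, hostname, cmdline) and every event except the two hostnames and the IP is assumed.

```python
# Constructed sample records standing in for the envolvelabs2-ProcessEvents tag.
# Only the hostnames and the IP come from the post; timestamps and command lines are made up.
SAMPLE_EVENTS = [
    {"time": "2021-10-04T13:02:11", "hostname": "4AHX-DESKTOP", "cmdline": "winword.exe invoice.docm"},
    {"time": "2021-10-04T13:03:40", "hostname": "4AHX-DESKTOP", "cmdline": "ligolo.exe 166.135.152.181"},
    {"time": "2021-10-04T13:01:00", "hostname": "NZ6J-LAPTOP",  "cmdline": "outlook.exe"},
    {"time": "2021-10-05T08:17:52", "hostname": "NZ6J-LAPTOP",  "cmdline": "ligolo.exe 166.135.152.181"},
    {"time": "2021-10-05T08:20:09", "hostname": "NZ6J-LAPTOP",  "cmdline": "whoami.exe"},
    {"time": "2021-10-03T09:00:00", "hostname": "K2PL-SERVER",  "cmdline": "svchost.exe -k netsvcs"},
]


def _by_time(events):
    # ISO 8601 timestamps sort chronologically as strings, which is "sort by time asc".
    return sorted(events, key=lambda e: e["time"])


def events_for_host(events, hostname):
    """Query 0 / Query 2: ax hostname=="X" | sort by time asc."""
    return _by_time(e for e in events if e["hostname"] == hostname)


def events_mentioning(events, needle):
    """Query 1: grep "needle" over the raw record (every field), then sort by time."""
    return _by_time(e for e in events if needle in " ".join(str(v) for v in e.values()))


def first_sighting(events, needle):
    """Earliest time each host shows the indicator, oldest first.

    The ordering hints at the direction of movement: the host that touched the
    indicator first is the more likely origin, the later ones the pivots.
    """
    first = {}
    for e in events_mentioning(events, needle):  # already time-ordered
        first.setdefault(e["hostname"], e["time"])
    return sorted(first.items(), key=lambda kv: kv[1])


def pivot_hosts(events, start_host, needle):
    """Hosts other than the one we started on that also carry the indicator."""
    return [host for host, _ in first_sighting(events, needle) if host != start_host]


if __name__ == "__main__":
    for host, when in first_sighting(SAMPLE_EVENTS, "166.135.152.181"):
        print(f"{when}  {host}")
    print("pivot to:", pivot_hosts(SAMPLE_EVENTS, "4AHX-DESKTOP", "166.135.152.181"))
```

Against the constructed data this reproduces the walkthrough: 4AHX-DESKTOP is the first host to run the ligolo command, and the IP pivot surfaces NZ6J-LAPTOP as the next host to inspect.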