In part one of this series, Triage, we left off with a single host likely compromised by a threat actor who had gained initial access after a user clicked a link, downloaded a file, and opened it. Once we determined that the file had been downloaded by querying our FileCreation data, we pivoted to our ProcessEvents to see if anything executed on this user's machine after our suspect files were created, looking for any evidence of threat actor activity.
Key: Set time scope to 09/01/2019 -> 01/01/2022
//Query 0// Refresher from the Triage series. Did anything happen after our malicious document was downloaded?
tag=envolvelabs2-ProcessEvents ax hostname=="4AHX-DESKTOP" | sort by time asc | table
//Query 1// Does the IP "188.8.131.52" in the ligolo command reveal anything else interesting?
tag=envolvelabs2-ProcessEvents grep "184.108.40.206" | ax | sort by time asc | table
//Query 2//Did anything else happen on this second machine (NZ6J-LAPTOP) we found?
tag=envolvelabs2-ProcessEvents ax hostname=="NZ6J-LAPTOP" | sort by time asc | table
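Queries 0 to 2 are a single pivot: read the first host's timeline, pull the remote IP out of the suspect ligolo command line, grep every ProcessEvents record for that IP, and then read the timeline of whatever new host turns up. The script below, added here as an illustration and not part of the lab's Gravwell material, performs the same pivot over a handful of constructed ProcessEvents records; the record layout (time, hostname, cmdline) and the 203.0.113.10 relay address are assumptions for the example.

```python
import re
from collections import defaultdict

# Constructed sample ProcessEvents records (not the lab dataset). ISO-8601
# times sort correctly as plain strings, which is what the lab's "sort by time asc" gives us.
EVENTS = [
    {"time": "2021-10-04T14:02:10Z", "hostname": "4AHX-DESKTOP", "cmdline": "winword.exe invoice.docm"},
    {"time": "2021-10-04T14:02:41Z", "hostname": "4AHX-DESKTOP", "cmdline": "ligolo.exe -relayserver 203.0.113.10:11601"},
    {"time": "2021-10-04T14:05:03Z", "hostname": "NZ6J-LAPTOP", "cmdline": "ligolo.exe -relayserver 203.0.113.10:11601"},
    {"time": "2021-10-03T09:00:00Z", "hostname": "NZ6J-LAPTOP", "cmdline": "explorer.exe"},
    {"time": "2021-10-04T14:06:00Z", "hostname": "FILESERVER01", "cmdline": "svchost.exe -k netsvcs"},
]

IPV4 = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")


def host_timeline(events, hostname):
    """Query 0 / Query 2: every event for one host, oldest first."""
    return sorted((e for e in events if e["hostname"] == hostname), key=lambda e: e["time"])


def indicator_ips(events, hostname, tool="ligolo"):
    """Collect IPv4 addresses from command lines on this host that mention the suspect tool."""
    ips = set()
    for e in host_timeline(events, hostname):
        if tool in e["cmdline"].lower():
            ips.update(IPV4.findall(e["cmdline"]))
    return sorted(ips)


def pivot_on_ip(events, ip, exclude_host=None):
    """Query 1: grep the indicator across all ProcessEvents and group hits by host,
    dropping the host we started from so only newly implicated machines remain."""
    hits = defaultdict(list)
    for e in sorted(events, key=lambda e: e["time"]):
        if ip in e["cmdline"] and e["hostname"] != exclude_host:
            hits[e["hostname"]].append(e)
    return dict(hits)


def lateral_pivot(events, first_host):
    """Chain the three lab queries: timeline -> indicator IPs -> other hosts sharing the indicator."""
    new_hosts = {}
    for ip in indicator_ips(events, first_host):
        for host, evs in pivot_on_ip(events, ip, exclude_host=first_host).items():
            new_hosts.setdefault(host, []).extend(evs)
    return new_hosts


if __name__ == "__main__":
    for host, evs in lateral_pivot(EVENTS, "4AHX-DESKTOP").items():
        print(host, [e["time"] for e in evs])
```

In a real investigation the indicator set would also include hostnames and ports from the relay argument, but the host-exclusion step is the part that matters: without it the originating machine reappears in the results and masks the new host.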