Transitioning: Triage to Investigation - Sweep

We now know of at least 2 machines in our environment that were compromised by this threat
actor's campaigns, and of a minimum total of 8 users that received phishing emails. Let's
sweep for our payload using a key indicator that we identified during the investigation:
infector.exe's staging directory.

Key: Set time scope to 09/01/2019 -> 01/01/2022

//Query 9//
Let's do a sweep for "infector.exe". We know there are multiple hashes, so let's start with a
naive search for the folder we have seen it staged in, "C:\ProgramData\USOShared\".

tag=envolvelabs2-FileCreationEvents ax
| regex -e path "C:\\ProgramData\\USOShared\\"
| table

//Query 10//
Well, it looks like we have 7 victims, and not all of them saw "infector.exe"! There are
multiple filenames for the payload.

tag=envolvelabs2-FileCreationEvents ax path ~"C:\\ProgramData\\USOShared\\"
| count by sha256 filename
| table sha256 filename count

//Query 11//
Let's see if we can find those suspect files by hash anywhere else, and use a double
compound query to see which users are being impacted.

@badfiles{
tag=envolvelabs2-FileCreationEvents ax
| regex -e path "C:\\ProgramData\\USOShared\\"
| table -nt sha256
};

@employees{
tag=envolvelabs2-Employees ax
| table -nt hostname username name
};

tag=envolvelabs2-FileCreationEvents ax
| lookup -s -r @badfiles sha256 sha256
| lookup -s -r @employees hostname hostname (username name)
| table
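The same three-stage sweep (staging-directory match, count by hash and filename, then a strict hash lookup enriched with employee data) reimplemented in Python over constructed sample records, so the logic of Queries 9 to 11 can be checked offline. This is an added example, not part of the original lab or a Gravwell feature; the field names mirror the queries above and the hashes and hostnames are placeholders.

```python
import re
from collections import Counter

# Query 9 pattern: regex-escaped backslashes, same as in the Gravwell query.
STAGING_DIR = re.compile(r"C:\\ProgramData\\USOShared\\", re.IGNORECASE)

# Constructed sample FileCreationEvents (hashes are placeholders, not real IoCs).
FILE_EVENTS = [
    {"hostname": "ws-01", "path": r"C:\ProgramData\USOShared\infector.exe", "filename": "infector.exe", "sha256": "aaaa"},
    {"hostname": "ws-02", "path": r"C:\ProgramData\USOShared\update.exe", "filename": "update.exe", "sha256": "bbbb"},
    {"hostname": "ws-03", "path": r"C:\ProgramData\USOShared\infector.exe", "filename": "infector.exe", "sha256": "bbbb"},
    {"hostname": "ws-04", "path": r"C:\Users\bob\Downloads\update.exe", "filename": "update.exe", "sha256": "bbbb"},
    {"hostname": "ws-05", "path": r"C:\Windows\System32\notepad.exe", "filename": "notepad.exe", "sha256": "cccc"},
    {"hostname": "ws-06", "path": r"C:\Temp\svc.exe", "filename": "svc.exe", "sha256": "aaaa"},
]
# Constructed sample Employees records; note ws-06 has no owner on file.
EMPLOYEES = [
    {"hostname": "ws-01", "username": "asmith", "name": "Alice Smith"},
    {"hostname": "ws-02", "username": "bjones", "name": "Bob Jones"},
    {"hostname": "ws-03", "username": "cdoe", "name": "Carol Doe"},
    {"hostname": "ws-04", "username": "dlee", "name": "Dan Lee"},
]

def staged_files(events):
    """Query 9: events whose path contains the staging directory."""
    return [e for e in events if STAGING_DIR.search(e["path"])]

def count_by_hash_and_name(events):
    """Query 10: count staged files by (sha256, filename)."""
    return Counter((e["sha256"], e["filename"]) for e in staged_files(events))

def sweep_by_hash(events, employees):
    """Query 11: @badfiles = hashes seen in the staging dir; re-scan every event
    for those hashes regardless of path, then enrich by hostname from @employees.
    Both lookups are strict (-s): events with no hash match or no host match drop."""
    bad_hashes = {e["sha256"] for e in staged_files(events)}
    by_host = {emp["hostname"]: emp for emp in employees}
    hits = []
    for e in events:
        if e["sha256"] not in bad_hashes or e["hostname"] not in by_host:
            continue
        emp = by_host[e["hostname"]]
        hits.append({**e, "username": emp["username"], "name": emp["name"]})
    return hits
```

Running it shows why the hash sweep matters: ws-04 holds a bad hash outside the staging directory and is only caught by Query 11, while ws-06 is silently dropped by the strict employee lookup and would need a non-strict lookup to surface.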
