Gravwell is an enterprise data fusion platform that enables security teams to investigate, collaborate, and analyze data from any source, on demand, all with unlimited data collection and retention. Ingest everything. Investigate anything.
We now know of at least 2 machines in our environment that were compromised by this threat
actor's campaigns, and of at least 8 users who received phishing emails. Let's sweep for our
payload using a key indicator identified during the investigation: infector.exe's staging
directory.
Key: Set time scope to 09/01/2019 -> 01/01/2022
//Query 9//
Let's do a sweep for "infector.exe". We know there are multiple hashes, so let's try a
naive search for the folder we have seen it staged in, "C:\ProgramData\USOShared\".
tag=envolvelabs2-FileCreationEvents ax
| regex -e path "C:\\ProgramData\\USOShared\\"
| table
//Query 10//
Well, it looks like we have 7 victims, and not all of them saw "infector.exe"! There are
multiple filenames for the payload.
tag=envolvelabs2-FileCreationEvents ax path ~ "C:\\ProgramData\\USOShared\\"
| count by sha256 filename
| table sha256 filename count
//Query 11//
Let's see if we can find those suspect files by hash anywhere else, and let's use a compound
query with two named subqueries to see which users are being impacted.
@badfiles{
tag=envolvelabs2-FileCreationEvents ax
| regex -e path "C:\\ProgramData\\USOShared\\"
| table -nt sha256
};
@employees{
tag=envolvelabs2-Employees ax
| table -nt hostname username name
};
tag=envolvelabs2-FileCreationEvents ax
| lookup -s -r @badfiles sha256 sha256
| lookup -s -r @employees hostname hostname (username name)
| table
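The three-step hunt above (sweep the staging directory, count by hash and filename, then pivot on the hashes and enrich with employee data), reproduced in Python over constructed records so the logic can be checked without a Gravwell instance. This is an added example, not code from the original post or from Gravwell; the field names, hostnames, hashes and employee names are assumptions.

```python
import re
from collections import Counter

# Constructed sample records standing in for the envolvelabs2-FileCreationEvents
# and envolvelabs2-Employees tags; every hostname, hash and name here is invented.
FILE_EVENTS = [
    {"hostname": "ws01", "path": "C:\\ProgramData\\USOShared\\infector.exe", "filename": "infector.exe", "sha256": "hash-a"},
    {"hostname": "ws02", "path": "C:\\ProgramData\\USOShared\\update.exe", "filename": "update.exe", "sha256": "hash-b"},
    {"hostname": "ws03", "path": "C:\\ProgramData\\USOShared\\infector.exe", "filename": "infector.exe", "sha256": "hash-a"},
    # Same payload hash dropped outside the staging directory: Query 9 misses it, Query 11 catches it.
    {"hostname": "ws04", "path": "C:\\Users\\dana\\Downloads\\report.exe", "filename": "report.exe", "sha256": "hash-b"},
    # Benign system binary that must never appear in the results.
    {"hostname": "ws05", "path": "C:\\Windows\\System32\\svchost.exe", "filename": "svchost.exe", "sha256": "hash-ok"},
]
EMPLOYEES = [
    {"hostname": "ws01", "username": "asmith", "name": "Alice Smith"},
    {"hostname": "ws02", "username": "bjones", "name": "Bob Jones"},
    {"hostname": "ws03", "username": "clee", "name": "Cara Lee"},
    {"hostname": "ws04", "username": "dkim", "name": "Dana Kim"},
]

# Same pattern as Query 9: the doubled backslashes are regex escapes for literal backslashes.
STAGING_DIR = re.compile(r"C:\\ProgramData\\USOShared\\")


def staged_events(events):
    """Query 9: every file-creation event whose path is under the staging directory."""
    return [e for e in events if STAGING_DIR.search(e["path"])]


def count_by_hash_filename(events):
    """Query 10: count staged events by (sha256, filename) to expose renamed copies."""
    return Counter((e["sha256"], e["filename"]) for e in staged_events(events))


def impacted_users(events, employees):
    """Query 11: pivot on the hashes seen in the staging directory, then attach the machine owner."""
    bad_hashes = {e["sha256"] for e in staged_events(events)}   # the @badfiles subquery
    owners = {emp["hostname"]: emp for emp in employees}         # the @employees subquery
    hits = []
    for e in events:
        if e["sha256"] not in bad_hashes:   # no match on hash: drop the row, as a strict lookup does
            continue
        owner = owners.get(e["hostname"])
        if owner is None:                   # no match on hostname: drop the row as well
            continue
        hits.append({**e, "username": owner["username"], "name": owner["name"]})
    return hits
```

Note that ws04 never shows up in the directory sweep but is surfaced by the hash pivot, which is exactly why Query 11 keys on sha256 rather than on the path.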