From our previous triage efforts, we should recognize that the machine “NZ6J-LAPTOP” was not seen in our initial investigation, therefore we should dig into how “infector.exe” ended up on it! Let's pivot back into the machine’s FileCreationEvents data to see if we can determine how the malicious binary was delivered.
Key: Set time scope to 09/01/2019 -> 01/01/2022
//Query 3// Let's pivot back into the machine (NZ6J-LAPTOP) to see if there are any interesting files
tag=envolvelabs2-FileCreationEvents ax hostname=="NZ6J-LAPTOP" | sort by time asc | table
//Query 4// Where did the file “IT_PASSWORD_RESET_TOOL.zip” come from? That's different than what we saw on “4AHX-DESKTOP”
tag=envolvelabs2-OutboundBrowsing ax | words "IT_PASSWORD_RESET_TOOL.zip" | table
//Query 5// Let's correlate our second victim machine “NZ6J-LAPTOP” back to an employee identity and assigned IP. NOTE: Assignment of IP to this machine is on 2018-10-04!
tag=envolvelabs2-Employees ax hostname=="NZ6J-LAPTOP" | table
//Query 6// Let's pivot on the newly discovered URL “updatesoftware.com” that we saw delivering a link with “IT_PASSWORD_RESET_TOOL.zip”
tag=envolvelabs2-Email ax | grep "updatesoftware.com" "security.info" | table
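The four queries above are one pivot chain: host -> created files -> download URL -> employee/IP -> phishing email. The script below is an added example (not part of the lab, not Gravwell code) that walks the same chain over a handful of constructed records so the correlation logic can be seen end to end. Field names (hostname, filename, url, src_ip, ip_addr, sender, body) and all record values are assumptions made for the example; only the tag names, the file name, the domain and the time scope come from the walkthrough. It also demonstrates the caveat in Query 5: the Employees assignment predates the time scope, so that lookup has to run unscoped.

```python
from datetime import datetime
from urllib.parse import urlparse

# Lab time scope from the walkthrough: 09/01/2019 -> 01/01/2022
SCOPE_START = datetime(2019, 9, 1)
SCOPE_END = datetime(2022, 1, 1)

# Constructed sample records standing in for the envolvelabs2-* tags.
# Values are invented for this example; field names are assumptions.
RECORDS = [
    {"tag": "envolvelabs2-FileCreationEvents", "time": "2019-10-04T09:15:00",
     "hostname": "NZ6J-LAPTOP", "filename": "IT_PASSWORD_RESET_TOOL.zip"},
    {"tag": "envolvelabs2-FileCreationEvents", "time": "2019-10-04T09:16:30",
     "hostname": "NZ6J-LAPTOP", "filename": "infector.exe"},
    {"tag": "envolvelabs2-FileCreationEvents", "time": "2019-10-04T08:00:00",
     "hostname": "4AHX-DESKTOP", "filename": "invoice.docm"},
    {"tag": "envolvelabs2-OutboundBrowsing", "time": "2019-10-04T09:14:50",
     "src_ip": "10.20.30.40",
     "url": "http://updatesoftware.com/IT_PASSWORD_RESET_TOOL.zip"},
    # Static asset record dated before the time scope (the Query 5 caveat)
    {"tag": "envolvelabs2-Employees", "time": "2018-10-04T00:00:00",
     "hostname": "NZ6J-LAPTOP", "name": "Jane Doe",
     "email": "jane.doe@example.com", "ip_addr": "10.20.30.40"},
    {"tag": "envolvelabs2-Email", "time": "2019-10-04T09:10:00",
     "sender": "helpdesk@security.info", "recipient": "jane.doe@example.com",
     "subject": "Mandatory password reset",
     "body": "Download http://updatesoftware.com/IT_PASSWORD_RESET_TOOL.zip"},
]


def _ts(rec):
    return datetime.fromisoformat(rec["time"])


def by_tag(tag, scoped=True):
    """Records for one tag, optionally limited to the lab time scope."""
    recs = [r for r in RECORDS if r["tag"] == tag]
    if scoped:
        recs = [r for r in recs if SCOPE_START <= _ts(r) < SCOPE_END]
    return recs


def files_on_host(hostname):
    """Query 3: FileCreationEvents for the host, sorted by time ascending."""
    hits = [r for r in by_tag("envolvelabs2-FileCreationEvents")
            if r["hostname"] == hostname]
    return sorted(hits, key=_ts)


def browsing_for_file(filename):
    """Query 4: OutboundBrowsing rows whose URL carries the file name."""
    return [r for r in by_tag("envolvelabs2-OutboundBrowsing")
            if filename in r["url"]]


def employee_for_host(hostname, scoped=False):
    """Query 5: asset/identity lookup; unscoped by default because the
    assignment record (2018-10-04) sits outside the investigation window."""
    return [r for r in by_tag("envolvelabs2-Employees", scoped=scoped)
            if r["hostname"] == hostname]


def emails_matching(*patterns):
    """Query 6: like grep with several patterns, a record matches if it
    contains any one of them in any field."""
    hits = []
    for r in by_tag("envolvelabs2-Email"):
        text = " ".join(str(v) for v in r.values())
        if any(p in text for p in patterns):
            hits.append(r)
    return hits


def delivery_chain(hostname):
    """Tie the four pivots together for one host and return the findings."""
    files = files_on_host(hostname)
    archives = [r["filename"] for r in files if r["filename"].endswith(".zip")]
    if not archives:
        return {"host": hostname, "delivery_found": False}
    browsing = browsing_for_file(archives[0])
    domain = urlparse(browsing[0]["url"]).hostname if browsing else None
    owner = employee_for_host(hostname)
    # Cross-check: the browsing source IP should match the assigned asset IP
    ip_match = bool(browsing and owner
                    and browsing[0]["src_ip"] == owner[0]["ip_addr"])
    emails = emails_matching(domain) if domain else []
    return {"host": hostname, "delivery_found": bool(browsing),
            "archive": archives[0], "domain": domain,
            "employee": owner[0]["name"] if owner else None,
            "ip_match": ip_match, "email_count": len(emails),
            "file_timeline": [r["filename"] for r in files]}


if __name__ == "__main__":
    for k, v in delivery_chain("NZ6J-LAPTOP").items():
        print(f"{k}: {v}")
```

The IP cross-check is the part worth keeping in a real hunt: a download observed from an IP that does not match the asset record for the host means either the assignment is stale or the wrong host is being blamed, and either way the pivot should stop until the discrepancy is explained.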