Transitioning: Triage to Investigation - Well That’s New

From our previous triage efforts, we should recognize that the machine “NZ6J-LAPTOP” was
not seen in our initial investigation, so we need to dig into how “infector.exe” ended up on
it! Let's pivot back into the machine’s FileCreationEvents data to see if we can determine how
the malicious binary was delivered.

Key: Set time scope to 09/01/2019 -> 01/01/2022

//Query 3//
Let's pivot back into the machine (NZ6J-LAPTOP) to see if there are any interesting files.

tag=envolvelabs2-FileCreationEvents ax hostname=="NZ6J-LAPTOP"
| sort by time asc
| table

//Query 4//
Where did the file “IT_PASSWORD_RESET_TOOL.zip” come from? That's different from what we
saw on “4AHX-DESKTOP”.

tag=envolvelabs2-OutboundBrowsing ax
| words "IT_PASSWORD_RESET_TOOL.zip"
| table

//Query 5//
Let's correlate our second victim machine “NZ6J-LAPTOP” back to an employee identity and
assigned IP.
NOTE: The IP assignment for this machine is dated 2018-10-04, which falls before the time
scope set above!

tag=envolvelabs2-Employees ax hostname=="NZ6J-LAPTOP"
| table

//Query 6//
Let's pivot on the newly discovered domain “updatesoftware.com” that we saw serving the link
to “IT_PASSWORD_RESET_TOOL.zip”.

tag=envolvelabs2-Email ax
| grep "updatesoftware.com" "security.info"
| table
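The four queries above form one pivot chain: file creations on the host, the browsing record that fetched the archive, the host-to-identity mapping, and the mail that carried the link. As an added example (not part of the lab or of Gravwell itself), the Python below replays that chain offline over constructed in-memory records standing in for the envolvelabs2-FileCreationEvents, -OutboundBrowsing, -Employees and -Email tags. Hostnames, file names and the two domains come from the lab text; every timestamp, path, IP address, mailbox and the employee name are invented placeholders. The employee lookup is deliberately not time-scoped, because, as the note under Query 5 points out, the assignment record predates the investigation window.

```python
"""Replay of the Query 3..6 pivot chain over constructed sample records."""
from datetime import datetime
from urllib.parse import urlparse

# Time scope from the lab key: 09/01/2019 -> 01/01/2022
SCOPE_START = datetime(2019, 9, 1)
SCOPE_END = datetime(2022, 1, 1)

# Constructed records (illustration only). Hostnames, file names and domains come
# from the lab; timestamps, paths, IPs, mailboxes and the employee name are placeholders.
FILE_CREATION = [
    {"time": datetime(2021, 3, 2, 9, 14), "hostname": "NZ6J-LAPTOP",
     "filename": "IT_PASSWORD_RESET_TOOL.zip", "path": "C:\\Users\\user\\Downloads\\"},
    {"time": datetime(2021, 3, 2, 9, 16), "hostname": "NZ6J-LAPTOP",
     "filename": "infector.exe", "path": "C:\\Users\\user\\Downloads\\"},
    {"time": datetime(2021, 3, 2, 9, 20), "hostname": "4AHX-DESKTOP",
     "filename": "report.docx", "path": "C:\\Users\\user\\Documents\\"},
]
OUTBOUND_BROWSING = [
    {"time": datetime(2021, 3, 2, 9, 13), "src_ip": "10.20.30.40",
     "url": "http://updatesoftware.com/IT_PASSWORD_RESET_TOOL.zip"},
    {"time": datetime(2021, 3, 2, 9, 30), "src_ip": "10.20.30.41",
     "url": "https://intranet.example/home"},
]
EMPLOYEES = [  # assignment dated 2018: outside the time scope, as the lab notes
    {"time": datetime(2018, 10, 4), "hostname": "NZ6J-LAPTOP",
     "name": "Sample Employee", "ip_addr": "10.20.30.40"},
]
EMAIL = [
    {"time": datetime(2021, 3, 2, 8, 55), "sender": "helpdesk@security.info",
     "recipient": "sample.employee@example", "subject": "Password reset required",
     "link": "http://updatesoftware.com/IT_PASSWORD_RESET_TOOL.zip"},
    {"time": datetime(2021, 3, 1, 12, 0), "sender": "newsletter@example",
     "recipient": "sample.employee@example", "subject": "Weekly digest",
     "link": "https://example/digest"},
]


def in_scope(rec):
    """Apply the lab's time scope to a record."""
    return SCOPE_START <= rec["time"] < SCOPE_END


def files_created_on(host, records=FILE_CREATION):
    """Query 3: time-scoped file creations for one host, oldest first."""
    hits = [r for r in records if r["hostname"] == host and in_scope(r)]
    return sorted(hits, key=lambda r: r["time"])


def download_sources(filename, records=OUTBOUND_BROWSING):
    """Query 4: browsing records whose URL contains the file name (a 'words' style match)."""
    return [r for r in records if filename.lower() in r["url"].lower() and in_scope(r)]


def employee_for_host(host, records=EMPLOYEES):
    """Query 5: host -> identity and IP. Deliberately NOT time-scoped, because the
    assignment record predates the investigation window."""
    for r in records:
        if r["hostname"] == host:
            return r
    return None


def emails_matching(terms, records=EMAIL):
    """Query 6: emails containing any pivot term in any text field (a 'grep' style match)."""
    out = []
    for r in records:
        blob = " ".join(str(v) for k, v in r.items() if k != "time").lower()
        if in_scope(r) and any(t.lower() in blob for t in terms):
            out.append(r)
    return out


def run_pivot(host):
    """Chain the four steps and return the facts an analyst would carry forward."""
    created = files_created_on(host)
    archives = [r["filename"] for r in created if r["filename"].lower().endswith(".zip")]
    sources = [s for name in archives for s in download_sources(name)]
    domains = sorted({urlparse(s["url"]).hostname for s in sources})
    who = employee_for_host(host)
    # Query 6 greps both the download domain and "security.info"; mirror that here.
    mails = emails_matching(domains + ["security.info"]) if domains else []
    return {
        "host": host,
        "files": [r["filename"] for r in created],
        "download_domains": domains,
        "employee": who["name"] if who else None,
        "ip_matches_download": bool(who and any(s["src_ip"] == who["ip_addr"] for s in sources)),
        "delivery_emails": [m["subject"] for m in mails],
    }


if __name__ == "__main__":
    from pprint import pprint
    pprint(run_pivot("NZ6J-LAPTOP"))
```

The `ip_matches_download` flag is the check worth carrying into the write-up: it confirms that the browsing record which fetched the archive came from the IP assigned to the victim host, tying the identity, the download and the file creation together rather than relying on the hostname alone.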
