Triage to Investigations
This video is a follow-up to our Triage series, which covered our initial alert and the follow-on triage. In this video we investigate the environment based on the indicators uncovered in that initial analysis; don't worry, we'll refresh you on those initial findings!
Using Gravwell, we will explore our data and conduct our investigation as we try to understand the extent of our organization’s potential compromise.
Data Sources https://github.com/KC7-Foundation/kc7_data/tree/main/envolvelabs2
Key: Set time scope to 09/01/2019 -> 01/01/2022
//Query 0//
Refresher from the Triage series. Did anything happen on the host after our malicious document was downloaded?
tag=envolvelabs2-ProcessEvents ax hostname=="4AHX-DESKTOP"
| sort by time asc
| table
//Query 1//
Does the IP “166.135.152.181” in the ligolo command reveal anything else
interesting?
tag=envolvelabs2-ProcessEvents grep "166.135.152.181"
| ax
| sort by time asc
| table
//Query 2//
Did anything else happen on this second machine (NZ6J-LAPTOP) we found?
tag=envolvelabs2-ProcessEvents ax hostname=="NZ6J-LAPTOP"
| sort by time asc
| table
//Query 3//
Let's pivot back into the second machine (NZ6J-LAPTOP) to see if there are any interesting files created on it.
tag=envolvelabs2-FileCreationEvents ax hostname=="NZ6J-LAPTOP"
| sort by time asc
| table
//Query 4//
Where did the file "IT_PASSWORD_RESET_TOOL.zip" come from? That's a different lure than the one we saw on "4AHX-DESKTOP", so check the browsing logs for the download.
tag=envolvelabs2-OutboundBrowsing ax
| words "IT_PASSWORD_RESET_TOOL.zip"
| table
//Query 5//
Let's correlate our second victim machine "NZ6J-LAPTOP" back to an employee identity and its assigned IP.
NOTE: The IP assignment record for this machine is dated 2018-10-04, which is before the 09/01/2019 start of the time scope set above. The Employees tag has to be searched with a wider (or no) time scope, or this record will not be returned.
tag=envolvelabs2-Employees ax hostname=="NZ6J-LAPTOP"
| table
//Query 6//
Let's pivot on the newly discovered domain "updatesoftware.com" that we saw delivering the link to "IT_PASSWORD_RESET_TOOL.zip". The grep below also matches "security.info" so both sender domains come back in one search.
tag=envolvelabs2-Email ax
| grep "updatesoftware.com" "security.info"
| table
//Query 7//
The sender "amelia_lozano@wesellbeakers.com" is the same across both phishing campaigns that resulted in the infector.exe compromise. Are there any other emails from that sender we are missing?
tag=envolvelabs2-Email ax sender=="amelia_lozano@wesellbeakers.com"
| sort by time asc
| table
//Query 8//
Let's use our query fu to get a better idea of the breakdown of campaigns: count emails from that sender by subject line and embedded link.
tag=envolvelabs2-Email ax sender=="amelia_lozano@wesellbeakers.com"
| count by subject link
| table subject link count
//Query 9//
Let's do a sweep for "infector.exe". We know there are multiple hashes for it, so rather than searching by hash or name, try a naive search on the folder we have seen it staged in, "C:\ProgramData\USOShared\".
tag=envolvelabs2-FileCreationEvents ax
| regex -e path "C:\\ProgramData\\USOShared\\"
| table
//Query 10//
Well, it looks like we have 7 victims, and not all of them saw "infector.exe"! There are multiple filenames for the payload, so break the staged files down by hash and filename.
tag=envolvelabs2-FileCreationEvents ax path ~ "C:\\ProgramData\\USOShared\\"
| count by sha256 filename
| table sha256 filename count
//Query 11//
Let's see if we can find those suspect files by hash anywhere else on disk, not just in the staging folder, and use a double compound query to see which users are impacted: @badfiles holds the hashes seen under the staging path, @employees maps hostname to identity, and the main query keeps only file creations whose hash is in @badfiles (lookup -s drops non-matches) and enriches them with username and name.
@badfiles{
tag=envolvelabs2-FileCreationEvents ax
| regex -e path "C:\\ProgramData\\USOShared\\"
| table -nt sha256
};
@employees{
tag=envolvelabs2-Employees ax
| table -nt hostname username name
};
tag=envolvelabs2-FileCreationEvents ax
| lookup -s -r @badfiles sha256 sha256
| lookup -s -r @employees hostname hostname (username name)
| table
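For readers who want to check the logic of Queries 9 through 11 outside Gravwell, here is an added, offline re-implementation in Python over constructed sample rows shaped like the KC7 FileCreationEvents and Employees tables. This is example code written for these notes, not the video's own query or the KC7 dataset: the hostnames, usernames, hashes, paths and timestamps are made up, and the folder constant is the staging path named above.

```python
"""Offline re-implementation of the Query 9-11 pivot: staged-path sweep,
hash/filename breakdown, then a hash sweep across all hosts joined to employee
identities. Sample rows below are constructed for illustration only."""
from collections import Counter
import csv
import io

# Folder the payload was staged in (from the investigation above).
STAGING_DIR = "C:\\ProgramData\\USOShared\\"

# Constructed FileCreationEvents rows (not real dataset data).
FILE_EVENTS_CSV = """timestamp,hostname,sha256,path,filename
2021-03-02T10:01:00Z,4AHX-DESKTOP,aaaa1111,C:\\ProgramData\\USOShared\\infector.exe,infector.exe
2021-03-03T11:00:00Z,NZ6J-LAPTOP,bbbb2222,C:\\ProgramData\\USOShared\\infector.exe,infector.exe
2021-03-04T09:30:00Z,QQ12-DESKTOP,bbbb2222,C:\\ProgramData\\USOShared\\svchost_update.exe,svchost_update.exe
2021-03-04T12:00:00Z,QQ12-DESKTOP,cccc3333,C:\\Users\\bkim\\Downloads\\notes.txt,notes.txt
2021-03-05T08:15:00Z,RR77-LAPTOP,aaaa1111,C:\\Users\\cnguyen\\AppData\\Local\\Temp\\infector.exe,infector.exe
"""

# Constructed Employees rows. Note the 2018 timestamps: as with Query 5, this
# table is joined by hostname regardless of the event time scope.
EMPLOYEES_CSV = """timestamp,hostname,username,name,ip_addr
2018-10-04T00:00:00Z,4AHX-DESKTOP,jdoe,Jane Doe,10.10.1.4
2018-10-04T00:00:00Z,NZ6J-LAPTOP,asmith,Alan Smith,10.10.1.9
2018-10-04T00:00:00Z,QQ12-DESKTOP,bkim,Bo Kim,10.10.2.3
2018-10-04T00:00:00Z,RR77-LAPTOP,cnguyen,Cat Nguyen,10.10.2.8
"""


def load_rows(csv_text):
    """Parse a CSV table into a list of dicts (stand-in for 'tag=... ax')."""
    return list(csv.DictReader(io.StringIO(csv_text)))


def staged_events(events, folder=STAGING_DIR):
    """Query 9: file creations whose path sits under the staging folder.
    Case-insensitive because NTFS paths are; a naive sweep must not miss
    'c:\\programdata\\...' spellings."""
    prefix = folder.lower()
    return [e for e in events if e["path"].lower().startswith(prefix)]


def hash_breakdown(events, folder=STAGING_DIR):
    """Query 10: count by (sha256, filename) for the staged files, exposing the
    same hash under several names and several hashes under one name."""
    return Counter((e["sha256"], e["filename"]) for e in staged_events(events, folder))


def sweep_by_hash(events, employees, folder=STAGING_DIR):
    """Query 11: build the @badfiles hash set from the staging folder, keep every
    event anywhere on disk with one of those hashes, and enrich it with the
    employee identity by hostname (@employees). As with 'lookup -s', events
    with no hash match or no employee match are dropped."""
    bad_hashes = {e["sha256"] for e in staged_events(events, folder)}
    by_host = {emp["hostname"]: emp for emp in employees}
    hits = []
    for e in events:
        if e["sha256"] not in bad_hashes:
            continue
        emp = by_host.get(e["hostname"])
        if emp is None:
            continue
        hits.append({**e, "username": emp["username"], "name": emp["name"]})
    return sorted(hits, key=lambda h: h["timestamp"])


def impacted_hosts(hits):
    """Distinct hostnames from the hash sweep, sorted for stable reporting."""
    return sorted({h["hostname"] for h in hits})


if __name__ == "__main__":
    events = load_rows(FILE_EVENTS_CSV)
    employees = load_rows(EMPLOYEES_CSV)
    print("staged hash/filename breakdown:")
    for (sha, name), n in hash_breakdown(events).items():
        print(f"  {sha}  {name}  {n}")
    print("hash sweep joined to employees:")
    for h in sweep_by_hash(events, employees):
        print(f"  {h['timestamp']}  {h['hostname']}  {h['name']}  {h['path']}")
```

The point the sample is built to show is the last hit: RR77-LAPTOP never had anything under the staging folder, so the path regex of Query 9 misses it, but its Temp-directory drop shares a hash with a staged file and the hash sweep catches it. The benign notes.txt on QQ12-DESKTOP shares a host with a victim but not a hash, so it is correctly dropped.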