Detection Engineering

The purpose of this content is to showcase Gravwell’s search capabilities through a slightly different lens than those of previous videos: that of a detection engineer. 

While we are building on findings from our previous videos in this series, our objectives have shifted; namely, we are aiming to develop queries that will allow us to discover threat actor activity on a proactive basis.

All data used in this training material is courtesy of and available from the KC7-Foundation.
Data Source Click Here

/* Query 1 */

/* Pivot on the suspicious file names identified earlier in the series.
   The wildcard tag covers every envolvelabs data source; grep treats its
   arguments as alternatives (an entry matches if any of them occurs in the
   raw entry) and is case-sensitive unless -i is given. */
tag=envolvelabs-*
| grep Ceramic_Village.xls Hidden_Sand.docx Hidden_leaf.docx Curtain_Village.zip
| table TAG DATA
/* Query 2 */

/* Same pivot, this time on the SHA-256 hashes from the earlier findings.
   grep ORs the four hashes, so one query sweeps all of them across every
   envolvelabs tag; TAG in the output tells you which source produced the hit. */
tag=envolvelabs-*
| grep ba8a996a117702b946e07dd12d030956efddc159a5e775c18b1a7fb10df13902 cd6355ba77bf37be2027c2016cd37f9e08f7025e067903a45b3d37b7c11afdbf 6c35723e76ecc4fe8e5d1f6ef8bb96c8f163e020fd367c2a260295432ad11ed6 261e6dc6c25734ddaba007bedb8b474d7be4803d8e724d42637775bd7cc397aa
| table TAG DATA
/* Query 3 */

/* Narrow the hash sweep to the ProcessEvents source and let the
   autoextractor (ax) split the matching entries into named fields, so the
   process / parent / command-line columns can be read directly. */
tag=envolvelabs-ProcessEvents
| grep ba8a996a117702b946e07dd12d030956efddc159a5e775c18b1a7fb10df13902 cd6355ba77bf37be2027c2016cd37f9e08f7025e067903a45b3d37b7c11afdbf 6c35723e76ecc4fe8e5d1f6ef8bb96c8f163e020fd367c2a260295432ad11ed6 261e6dc6c25734ddaba007bedb8b474d7be4803d8e724d42637775bd7cc397aa
| ax
| table
/* Query 4 */

/* Aggregate the hash hits by command line: the most frequent command lines
   launching the flagged binaries are the candidates for a detection rule.
   The grep runs before ax so only matching entries are extracted. */
tag=envolvelabs-ProcessEvents
| grep ba8a996a117702b946e07dd12d030956efddc159a5e775c18b1a7fb10df13902 cd6355ba77bf37be2027c2016cd37f9e08f7025e067903a45b3d37b7c11afdbf 6c35723e76ecc4fe8e5d1f6ef8bb96c8f163e020fd367c2a260295432ad11ed6 261e6dc6c25734ddaba007bedb8b474d7be4803d8e724d42637775bd7cc397aa
| ax
| count by process_commandline
| sort by count desc
| table process_commandline count
/* Query 5 */

/* First behavioural (hash-independent) query: ax filters on the extracted
   fields, "!=" drops entries whose parent is cmd.exe and "~" is a substring
   match on the command line. Why cmd.exe parents are excluded is not stated
   here — presumably to set aside the interactive-shell activity covered in
   earlier videos; confirm before reusing the filter. */
tag=envolvelabs-ProcessEvents
| ax parent_process_name != "cmd.exe" process_commandline ~ "plink"
| table
/* Query 6 */

/* Widen the net to three tool names. grep -e applies the patterns to the
   process_commandline enumerated value only, ORing the three strings.
   These are substring matches: "ping" also hits e.g. "mapping" or
   "shipping", so expect some noise and tune (word boundaries, -i) as needed. */
tag=envolvelabs-ProcessEvents
| ax parent_process_name != "cmd.exe"
| grep -e process_commandline "plink" "whoami" "ping"
| table
/* Query 7 */

/* Same filter as Query 6, aggregated by parent process: which non-cmd.exe
   parents are launching plink / whoami / ping? A parent that should never
   spawn these tools is a good detection anchor. Substring caveat from
   Query 6 applies ("ping" matches inside longer words). */
tag=envolvelabs-ProcessEvents
| ax parent_process_name != "cmd.exe"
| grep -e process_commandline "plink" "whoami" "ping"
| count by parent_process_name
| sort by count desc
| table parent_process_name count
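/* Query 8 */

/* Hunt for command lines that END with an IPv4 dotted quad, regardless of
   tool name. The pattern must stay on a single line: in the original
   listing it was wrapped mid-alternation ("2[0-4][0-9]" / "|[01]?..."),
   which splits the quoted pattern and breaks the query.
   Notes on the pattern:
   - "$" anchors to the end of the command line; there is no leading anchor
     or \b, so a trailing dotted quad inside a longer digit run also matches.
     Prepend \b if this produces false positives.
   - "(?:...)" non-capturing groups mean regex acts purely as a filter; no new
     enumerated values are created. */
tag=envolvelabs-ProcessEvents
| ax
| regex -e process_commandline "(?:(?:25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.){3}(?:25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)$"
| count by parent_process_name process_commandline
| sort by count desc
| table parent_process_name process_commandline count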
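/* Query 9 */

/* Raw (non-aggregated) view of Query 8: every ProcessEvents entry whose
   command line ends with an IPv4 address, with all ax-extracted columns.
   As in Query 8 the pattern is kept on one line — the wrapped form in the
   original listing splits the quoted regex and does not parse as intended.
   "$" is the only anchor, so tighten with a leading \b if needed. */
tag=envolvelabs-ProcessEvents
| ax
| regex -e process_commandline "(?:(?:25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.){3}(?:25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)$"
| table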