In this scenario, we have some malware that was executed on a Windows workstation around November 30th, 2020. How the malware got there is outside the scope of this project. (Did you know that the average attacker dwell time is 300 days? That's 300 days of an attacker having a presence within an environment without being detected, ON AVERAGE.) Our job is to identify the malware as well as any lateral movement. Then we're going to use what we've learned to build IOCs that detect this known malware and add them to our custom detection lists. IOCs are NOT threat hunting.

In this directory you will find:

- windows-scannermalware-example-FULLEXPORT.json - Zeek and Sysmon log output for the exercise (exported from Gravwell)
- windows-scanner-malware-slides.pdf - Backdrop for this investigation

PREAMBLE: If you are running this in your own instance of Gravwell, you should install the Sysmon and Zeek kits (and then press F5 to refresh the UI to activate the actionables). Note: these kits have a dependency on the "network enrichment" kit, which includes the MaxMind GeoIP database, a non-trivial but not massive download.

The exercise data takes place on Nov 30, 2020. Run a search in that timeframe and then do yourself a favor by using the "timeframe lock" feature in the upper right of the UI to hard-lock all timeframes and dashboards to that time slice.

Bonus work after the exercise: UEBA example query.
These can get gnarly, so we're going to "cheat" and give you this one, but we'll walk through it:

@stats{tag=zeekconn ax orig resp resp_port | ip orig~PRIVATE resp~PRIVATE | stats unique_count(resp_port) by orig resp over 5m | stats sum(unique_count) by orig over 5m | stats mean(sum) by orig stddev(sum) by orig | eval stddev != 0 | table -nt orig stddev mean}; tag=zeekconn ax orig resp resp_port | ip orig~PRIVATE resp~PRIVATE | stats unique_count(resp_port) by orig resp over 5m | stats sum(unique_count) by orig over 5m | lookup -r @stats orig orig (stddev mean) /*| eval sum > toFloat(mean)+(toFloat(stddev)*2)*/ | chart sum by orig
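To make the stages of that query concrete, here is an added Python re-implementation (not part of the exercise and not Gravwell code) that runs the same pipeline over a handful of constructed Zeek conn records: count distinct destination ports per source/destination pair in each 5-minute window, sum those per source, build a per-source mean and standard deviation, and flag windows above mean + 2*stddev, which is what the commented-out eval would do. The records, the IPs, and the choice of population stddev are assumptions for the example.

```python
# Added example, not part of the exercise or of Gravwell: the UEBA query's pipeline
# re-implemented over constructed Zeek conn records so each stage's math is visible.
# Assumptions: stddev is the population stddev; 5m windows are aligned to the epoch.
import ipaddress
import statistics
from collections import defaultdict

def conn(ts, orig, resp, port):  # one record with Zeek conn.log field names
    return {"ts": ts, "id.orig_h": orig, "id.resp_h": resp, "id.resp_p": port}

T0 = 1606694400  # 2020-11-30 00:00:00 UTC, constructed
SAMPLE_CONN = (
    # 10.0.0.5 baseline: one or two file-share connections per 5-minute window
    [conn(T0 + 300 * w + 10, "10.0.0.5", "10.0.0.10", 445) for w in range(5)]
    + [conn(T0 + 300 * w + 40, "10.0.0.5", "10.0.0.10", 139) for w in (1, 3)]
    # window 5: 10.0.0.5 touches 12 distinct ports across two internal hosts
    + [conn(T0 + 1500 + i, "10.0.0.5", "10.0.0.10", p) for i, p in enumerate((22, 80, 135, 139, 445, 3389))]
    + [conn(T0 + 1520 + i, "10.0.0.5", "10.0.0.11", p) for i, p in enumerate((22, 80, 443, 3389, 5985, 8080))]
    # internet-bound traffic is dropped by the "ip orig~PRIVATE resp~PRIVATE" filter
    + [conn(T0 + 1500, "10.0.0.5", "93.184.216.34", 443)]
    # 10.0.0.7 never varies, so "eval stddev != 0" removes it from the baseline
    + [conn(T0 + 300 * w + 5, "10.0.0.7", "10.0.0.10", 445) for w in range(6)]
)

def port_fanout_per_window(records, size=300):
    """stats unique_count(resp_port) by orig resp over 5m | stats sum(unique_count) by orig over 5m"""
    ports = defaultdict(set)  # (window, orig, resp) -> set of resp ports
    for r in records:
        if all(ipaddress.ip_address(r[f]).is_private for f in ("id.orig_h", "id.resp_h")):
            w = int(r["ts"] // size) * size
            ports[(w, r["id.orig_h"], r["id.resp_h"])].add(r["id.resp_p"])
    sums = defaultdict(int)  # (window, orig) -> summed unique-port count
    for (w, orig, _resp), ps in ports.items():
        sums[(w, orig)] += len(ps)
    return dict(sums)

def baseline(sums):
    """stats mean(sum) by orig stddev(sum) by orig | eval stddev != 0"""
    per_orig = defaultdict(list)
    for (_w, orig), s in sums.items():
        per_orig[orig].append(s)
    return {orig: (statistics.mean(v), statistics.pstdev(v))
            for orig, v in per_orig.items() if statistics.pstdev(v) != 0}

def anomalous_windows(records, k=2.0, size=300):
    """The query's commented-out eval: keep windows where sum > mean + k*stddev."""
    sums = port_fanout_per_window(records, size)
    base = baseline(sums)
    return sorted((w, orig, s) for (w, orig), s in sums.items()
                  if orig in base and s > base[orig][0] + k * base[orig][1])
```

With this data only the window starting at T0 + 1500 for 10.0.0.5 is returned (12 ports against a baseline of roughly 3.2 +/- 4.0), while 10.0.0.7 never gets a baseline because its stddev is zero.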