# Pipe Dream

##### Background
Entropic Inc. is in the recovery phase of a high-impact intrusion. The organization has multiple concerns including:
* undiscovered persistence
* incomplete containment
* the possibility of recompromise


##### Assignment
You are tasked with creating a detection to uncover any residual presence or follow-on compromise. The IR team has provided a subset of logs for development purposes (which include Security EID 4688 and Sysmon EID 18 events). They have also created a validation dataset. Your detection must be performant for both datasets.

##### Intelligence
Analysts assess with high confidence that the malware is based on Cobalt Strike. The threat actor uses multiple process injection techniques to blend in with normal Chrome.exe behavior. The beacons appear to have custom configurations that evade conventional named pipe detections.

----------


##### Notes

This challenge is the first ACE detection engineering challenge. It has 1 question that requires a query in OpenSearch SQL or PPL. At the time of release, there are no modules on SQL or PPL. If you don't have experience with either, I recommend PPL. It's similar to multiple popular query languages you may be familiar with. There are two places to use PPL queries. These are available in the main menu:
* Query Workbench
* Observability > Event Analytics

I recommend using Event Analytics since it has more exploration and visualization capabilities than the workbench.

The base query you can start with for PPL is:
```
search index=winlogbeat-*
```
For a good rundown on PPL, check out the [documentation](https://opensearch.org/docs/2.6/search-plugins/sql/ppl/index/). In addition to the familiar pipe commands, PPL supports a long list of [SQL functions](https://opensearch.org/docs/2.6/search-plugins/sql/ppl/functions/).

**Tip:** Unlike some popular query languages, the boolean expression in the *where* command doesn't support an implicit `like` (substring) match. You can tokenize the search term with the match() function instead. Example:
```
search index=winlogbeat-* | where match(winlog.event_data.ProcessName,'chrome.exe')
```
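The Intelligence section rules out signature-style named pipe detections (the beacons use custom pipe names) and says the injected code hides inside chrome.exe, so the useful approach is to baseline what chrome.exe normally looks like in the development dataset and flag deviations. The Python below is an added illustration of that logic, not the challenge's solution query and not code from ACE Responder; it is the same pair of aggregations you would build with `where` and `stats count() by` in PPL, run offline over a handful of constructed winlogbeat-style events. The nested field names (`winlog.channel`, `winlog.event_id`, `winlog.event_data.NewProcessName`, `ParentProcessName`, `Image`, `PipeName`), the Sysmon channel name, and the two baselines (normal chrome.exe parents, the `\mojo.<pid>.<n>.<n>` IPC pipe pattern) are assumptions for the example and should be checked against the real index before use.

```python
import re
from collections import Counter
from ntpath import basename  # Windows path handling even when run on Linux

# Constructed winlogbeat-style events standing in for the challenge data.
# The nesting and the event_data field names are assumptions about the
# winlogbeat schema (Security EID 4688 = process creation,
# Sysmon EID 18 = pipe connected).
CHROME = r"C:\Program Files\Google\Chrome\Application\chrome.exe"
SYSMON_CHANNEL = "Microsoft-Windows-Sysmon/Operational"

def _sec_4688(new_proc, parent):
    return {"winlog": {"channel": "Security", "event_id": 4688,
                       "event_data": {"NewProcessName": new_proc,
                                      "ParentProcessName": parent}}}

def _sysmon_18(image, pipe):
    return {"winlog": {"channel": SYSMON_CHANNEL, "event_id": 18,
                       "event_data": {"Image": image, "PipeName": pipe}}}

SAMPLE_EVENTS = [
    _sec_4688(CHROME, CHROME),                               # renderer spawned by browser: normal
    _sec_4688(CHROME, CHROME),
    _sec_4688(CHROME, r"C:\Windows\explorer.exe"),           # user launched Chrome: normal
    _sec_4688(CHROME, r"C:\Windows\System32\rundll32.exe"),  # parent outside the baseline
    _sysmon_18(CHROME, r"\mojo.4312.1180.23859713"),         # Chrome IPC pipe (assumed baseline)
    _sysmon_18(CHROME, r"\mojo.4312.1180.12006151"),
    _sysmon_18(CHROME, r"\mojo.5520.3308.77811208"),
    _sysmon_18(CHROME, r"\fjd3s9x"),                         # pipe outside Chrome's baseline
    _sysmon_18(r"C:\Windows\explorer.exe", r"\fjd3s9x"),     # not chrome.exe: out of scope here
]

# Baseline of what chrome.exe normally does. Both values are assumptions for
# the example; in practice derive them from the development dataset.
NORMAL_CHROME_PARENTS = {"chrome.exe", "explorer.exe"}
NORMAL_CHROME_PIPE = re.compile(r"^\\mojo\.\d+\.\d+\.\d+$", re.IGNORECASE)


def field(event, dotted, default=None):
    """Read a dotted path such as 'winlog.event_data.Image' from a nested dict."""
    cur = event
    for part in dotted.split("."):
        if not isinstance(cur, dict) or part not in cur:
            return default
        cur = cur[part]
    return cur


def is_chrome(path):
    return basename(path or "").lower() == "chrome.exe"


def unusual_chrome_parents(events):
    """Security 4688: chrome.exe started by a parent outside the baseline -> {parent: count}."""
    hits = Counter()
    for ev in events:
        if field(ev, "winlog.channel") != "Security" or field(ev, "winlog.event_id") != 4688:
            continue
        if not is_chrome(field(ev, "winlog.event_data.NewProcessName")):
            continue
        parent = field(ev, "winlog.event_data.ParentProcessName", "")
        if basename(parent).lower() not in NORMAL_CHROME_PARENTS:
            hits[parent] += 1
    return dict(hits)


def unusual_chrome_pipes(events):
    """Sysmon 18: chrome.exe connecting to a pipe that does not fit its baseline -> {pipe: count}."""
    hits = Counter()
    for ev in events:
        if field(ev, "winlog.channel") != SYSMON_CHANNEL or field(ev, "winlog.event_id") != 18:
            continue
        if not is_chrome(field(ev, "winlog.event_data.Image")):
            continue
        pipe = field(ev, "winlog.event_data.PipeName", "")
        if not NORMAL_CHROME_PIPE.match(pipe):
            hits[pipe] += 1
    return dict(hits)


def findings(events):
    return {"unusual_parents": unusual_chrome_parents(events),
            "unusual_pipes": unusual_chrome_pipes(events)}


if __name__ == "__main__":
    for kind, hits in findings(SAMPLE_EVENTS).items():
        for name, n in hits.items():
            print(f"{kind}: {name} (x{n})")
```

The two functions deliberately baseline the good behaviour (who launches chrome.exe, which pipe names chrome.exe connects to) rather than matching known-bad pipe names, which is what a custom beacon configuration defeats. On the real index the same idea is a `where` filter on event ID and process name followed by `stats count() by` the parent or pipe field, then reviewing the low-count values.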
