#investigationpath - Public Fediverse posts
Live and recent posts from across the Fediverse tagged #investigationpath, aggregated by home.social.
-
Investigation Scenario
You've discovered a user workstation with the Chrome Remote Desktop plugin installed. There's no business reason for the user to have this plugin, and they don't recall installing it.
What do you look for to investigate whether an incident occurred and the extent of its impact?
-
Investigation Scenario
While creating new user accounts in Active Directory, you find that several legitimate user accounts with no apparent connection are part of an undocumented group named "test".
What do you look for to investigate whether an incident occurred? Focus on the efficiency of your investigative actions here.
-
Investigation Scenario
A high-level company exec received an email that someone logged into their social media account from a country they were not in. The exec noted that they use the same password in several places.
What do you look for to investigate whether an incident occurred on the corporate network?
-
Investigation Scenario
You believe a Linux server was used as a jump box to pivot into another network segment, but the network traffic would not have crossed a sensor boundary for logging.
What evidence do you look for to prove the belief?
-
With this scenario, many places exist to dive into the investigation. As with many things, we're concerned about disposition (is this malicious), prevalence (what systems are affected), and relationships (what happened on the affected systems).
There are a lot of direct places you can look to determine if you're dealing with malicious intent.
- The email (content)
- The attachment (OneNote file)
- The source of the email (IP address, domain, metadata)
If you are convinced the email and file are malicious, the next most important things are prevalence and execution.
Who else received the file / phishing messages?
Did anyone open the OneNote file?
Both of these questions should be relatively easy to answer with access to the appropriate evidence sources: mail logs and execution logs.
While we'd like to hope the original user didn't open the OneNote file, we can't be absolutely sure of that and it probably warrants a quick verification. You can look for the direct evidence of execution (OneNote itself) or capability matches -- evidence of what the OneNote file does after it's opened (child processes launched, connections to external domains/IPs, host configuration changes, and so on).
Lots of diversity in the response to the original scenario and I love to see it. I appreciate the folks who tried to be thorough as well as the folks who focused on the quick wins.
Speaking of OneNote documents, have you ever dug into one before to extract malicious URLs? What might that process look like for you?
My response of the week goes to @HacksWhatILacks on Twitter. I appreciate that he started by predicting some possible scenarios (we call this forecasting) and then basing his investigative approach on that forecast. https://x.com/HacksWhatILacks/status/1790626463047471431
That's something to think about… #InvestigationPath #DFIR #SOCAnalyst
-
Investigation Scenario
This script shown in the image was executed on a system in your network.
What do you look for to investigate whether an incident occurred and determine its extent?
-
Investigation Scenario
Sysmon alerted you (w/ Event ID 6) that a system loaded the HW.sys driver.
What do you look for to investigate whether an incident occurred?
Assume you have access to whatever digital evidence source you need.
-
A lot hinges on the content of the PowerShell script. What does it do? If executed, those things were done to the system you're concerned about. Of course, I told you that you don't have immediate file system access, which limits the easiest option for getting answers.
When you think about investigations in terms of questions, you begin to realize that the answers can often come from more than one source. A few folks highlighted great ideas! For example, if PS Script Block logging is enabled and the script is executed, you can likely retrieve much of the executed code from there. You might also be able to retrieve a copy from a system backup, shadow copies, or memory.
Even if you can't see the code, you do know when it was scheduled to execute since you found the associated scheduled task. That gives you the power to use correlation!
When we correlate, we identify relationships between different data entries. Here, we look for timestamps near the execution of the PS script. That's also what we'd call a pivot, as you pivot off a field in one data source to examine another. There are quite a few places you might pivot from this scenario. You could look at process executions, user logins, newly created files, network connections, and more. There's some strategy and thoughtfulness in where you choose to start here.
Speaking of alternative data sources, what's another common investigative question you might ask that could be answered with more than one data source? What are those sources?
That's something to think about… #InvestigationPath #DFIR #SOCAnalyst
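The two investigative moves described in the posts above, correlating on a timestamp pivot (events around the scheduled task's trigger time) and checking prevalence (which hosts saw the script, who opened the OneNote file), as an added example that is not part of the original posts. The telemetry, hostnames, paths and field names are constructed for illustration.

```python
"""Time-window pivot and prevalence checks over host telemetry.

Added example (not from the original posts): the records below are
constructed Sysmon-style events; hosts, users and paths are made up.
"""
from datetime import datetime, timedelta

# Constructed sample telemetry: a scheduled-task launch of update.ps1 plus
# surrounding activity on two hosts. Field names are assumptions.
EVENTS = [
    {"ts": "2024-05-13T08:59:40", "host": "WS01", "type": "ProcessCreate",
     "image": "svchost.exe", "cmd": "svchost.exe -k netsvcs -s Schedule"},
    {"ts": "2024-05-13T09:00:02", "host": "WS01", "type": "ProcessCreate",
     "image": "powershell.exe",
     "cmd": "powershell.exe -ep bypass -f C:\\Windows\\Temp\\update.ps1"},
    {"ts": "2024-05-13T09:00:05", "host": "WS01", "type": "NetworkConnect",
     "image": "powershell.exe", "dst": "203.0.113.10:443"},
    {"ts": "2024-05-13T09:00:09", "host": "WS01", "type": "FileCreate",
     "image": "powershell.exe", "path": "C:\\Users\\Public\\svc.exe"},
    {"ts": "2024-05-13T11:30:00", "host": "WS01", "type": "ProcessCreate",
     "image": "chrome.exe", "cmd": "chrome.exe"},
    {"ts": "2024-05-13T09:00:03", "host": "WS07", "type": "ProcessCreate",
     "image": "powershell.exe",
     "cmd": "powershell.exe -ep bypass -f C:\\Windows\\Temp\\update.ps1"},
    {"ts": "2024-05-13T09:02:00", "host": "WS07", "type": "ProcessCreate",
     "image": "onenote.exe", "cmd": "onenote.exe C:\\Users\\bob\\Downloads\\invoice.one"},
]

def _ts(e):
    return datetime.fromisoformat(e["ts"])

def pivot_window(events, host, anchor, minutes=5):
    """Correlate: every event on `host` within +/- `minutes` of the anchor
    timestamp (e.g. the scheduled task's trigger time), oldest first."""
    a = datetime.fromisoformat(anchor)
    w = timedelta(minutes=minutes)
    hits = [e for e in events if e["host"] == host and abs(_ts(e) - a) <= w]
    return sorted(hits, key=_ts)

def prevalence(events, needle):
    """Prevalence: which hosts carry an event mentioning `needle`
    (a script path, a file name, a destination) in any string field."""
    return sorted({e["host"] for e in events
                   if any(needle.lower() in str(v).lower() for v in e.values())})

if __name__ == "__main__":
    for e in pivot_window(EVENTS, "WS01", "2024-05-13T09:00:00"):
        print(e["ts"], e["type"], e.get("cmd") or e.get("dst") or e.get("path"))
    print("update.ps1 seen on:", prevalence(EVENTS, "update.ps1"))
    print("invoice.one opened on:", prevalence(EVENTS, "invoice.one"))
```

In a real case the anchor comes from the task's trigger time and the event list from script block, Sysmon or EDR exports; the window size is a judgement call that trades noise for coverage.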
-
Investigation Scenario
You discover an unusual scheduled task named "UpdateCheck" on a Windows system. The task triggers a PowerShell script located at "C:\Windows\Temp\update[.]ps1".
What do you look for to investigate whether an incident occurred?
You don't have immediate file system access (you can't grab the file quickly), but assume you have access to whatever other digital evidence source you need (system logs, network data, and so on).
-
Investigation Scenario
You received an alert from a Sigma rule indicating files were renamed to include double extensions.
What do you look for to investigate whether an incident occurred?
The referenced rule: https://github.com/SigmaHQ/sigma/blob/master/rules/windows/file/file_rename/file_rename_win_ransomware.yml
Assume you have access to whatever digital evidence source you need.
-
Investigation Scenario
A user forwarded you a phishing message they received that appears to target your company. They said that they didn't click the link in the message.
What do you look for to investigate whether an incident occurred?
Yes, that's broad, but that's intentional.
Assume you have access to whatever digital evidence source you need.
-
Investigation Scenario
Flow data reveals a developer's MacOS system started downloading and uploading small amounts of data to an IP address associated with Dropbox.
What do you look for to investigate whether an incident occurred?
Assume you can access whatever digital evidence source you need, but no commercial EDR tool is installed or available.