Investigation Scenario
A host on your network executed the command “netsh wlan show profile” for the first time.
What do you look for to investigate whether an incident occurred?
#InvestigationPath #DFIR #SOC
Latest posts tagged with #InvestigationPath on Bluesky
Investigation Scenario
Your SIEM flags an OAuth consent grant to “Adobe Secure Share” from a user's M365 account at 07:13 AM. The audit log shows consent to files.readwrite.all.
What do you look for to investigate whether an incident occurred?
#InvestigationPath #DFIR #SOC
Investigation Scenario
You receive a SIEM alert about this file:
C:\Users\bose\Downloads\report.doc
The file copied itself to %TEMP% and the original copy was deleted.
What do you look for to investigate whether an incident occurred?
#InvestigationPath #DFIR #SOC
What evidence do you present to elevate this from “suspicious service creation” to confirmed malicious activity? Lead with your strongest likely evidence sources and conclusions.
#InvestigationPath #DFIR #SOC
Investigation Scenario
Several of your key developers had Notepad++ installed during the time period when the project was believed to have been compromised.
What do you look for to investigate whether an incident occurred?
#InvestigationPath #DFIR #SOC
Terminal window showing Sigma rule for "File Creation Date Changed" with selections, filters, file paths, and notes for DFIR investigation.
Investigation Scenario
You received an alert that the creation date of a file was changed to a prior year.
What do you look for to investigate whether an incident occurred?
#InvestigationPath #DFIR #SOC
Investigation Scenario
You know an attacker accessed several customer support workstations in the past month based on discovery of a consistent persistence mechanism. You suspect wider access, but auth logs only go back 24h. How can you determine where else the attacker went?
#InvestigationPath
Investigation Scenario
While reviewing group membership on a Windows domain, you discover that the account of a former IT employee is still active. They left the company nearly a year ago.
What do you look for to investigate whether an incident occurred?
#InvestigationPath #DFIR #SOC
Investigation Scenario
While reviewing asset scanning reports, you've discovered a Mint Linux system that does not appear on any change request.
What do you look for to investigate the origin of the system and whether malicious activity occurred?
#InvestigationPath #DFIR #SOC
Investigation Scenario
While reviewing web logs on a Linux Apache server, you discover inbound requests for PHP pages. However, the server is not reported to host PHP content.
What do you look for to investigate whether an incident occurred?
#InvestigationPath #DFIR #SOC
Investigation Scenario
A Windows system executed dsa.msc for the first time.
What do you look for to investigate whether an incident occurred AND its scope?
#InvestigationPath #DFIR #SOC
Investigation Scenario
You've found a new entry in ShimCache on Windows 10: C:\Users\Public\svchost32.exe with a last modified timestamp predating system boot.
What do you look for to investigate whether an incident occurred?
#InvestigationPath #DFIR #SOC
Investigation Scenario
A user reports their Chrome homepage keeps changing to cryptocoin websites after setting a new wallpaper they downloaded from a Reddit post.
What do you look for to confirm a malware infection and investigate its impact on the system?
#InvestigationPath #DFIR #SOC
Investigation Scenario
A public-facing web server is no longer accessible from the browser. Your director believes a denial of service attack may be the cause.
What do you look for to investigate the cause of the availability issue?
#InvestigationPath #DFIR #SOC
This IP is not part of the vendor's known IP space.
What do you look for to investigate whether the update was tampered with upstream?
#InvestigationPath #DFIR #SOC
Investigation Scenario
While attending a conference, a user reports they were connected to a rogue access point for a couple of hours rather than the official conference wifi.
What do you look for to investigate the impact of the incident?
#InvestigationPath #DFIR #SOC
Investigation Scenario
Someone inside your network opened a file containing a honeytoken. The file is a spreadsheet on a web server that isn't linked anywhere publicly facing.
What do you look for to investigate whether an incident occurred?
#InvestigationPath #DFIR #SOC
What do you look for to investigate whether an incident occurred?
#InvestigationPath #DFIR #SOC
Investigation Scenario
AV on a point of sale system flags a new startup entry named “PSLService.exe” in C:\Users\Public\Kiosk\.
Festive fall plugin or cred stealer? Something else?
What are your first few moves to investigate this finding?
#InvestigationPath #DFIR #SOC
Investigation Scenario
You've come across a log for the following execution:
msiexec.exe /i "\\10.0.0.5\share\patch.msi" /qn
The file is not available on the remote host.
What do you look for to investigate whether an incident occurred?
#InvestigationPath #DFIR #SOC
Investigation Scenario
A user reported that their workstation appears to reboot every night.
Unfortunately, due to admin error, Windows Event logging is disabled on the host.
What do you look for to investigate whether an incident occurred?
#InvestigationPath #DFIR #SOC
Investigation Scenario
You've observed a system making the following HTTP request to an unknown IP address:
GET /1742214432 HTTP/1.1
What do you look for to investigate whether an incident occurred?
#InvestigationPath #DFIR #SOC
Investigation Scenario
This file was found on a user workstation: app.any.run/tasks/39d47...
What do you look for to investigate whether it was executed and the extent of its effect on the system?
#InvestigationPath #DFIR #SOC
Investigation Scenario
Antivirus flagged (but did not block) execution of a file with the IMPHASH
ba5546933531fafa869b1f86a4e2a959.
What do you look for to investigate whether an incident occurred and its impact?
#InvestigationPath #DFIR #SOC
Investigation Scenario
A teacher's laptop shows a spike in traffic to api[.]school-supplies-check[.]com every morning at 8:05 AM. You cannot access anything at this domain.
What do you look for to investigate whether an incident occurred?
#InvestigationPath #DFIR #SOC
Investigation Scenario
Your managed service provider called and said they discovered a domain admin user account they don't recognize. It's about two months old.
What do you look for to investigate whether an incident occurred?
#InvestigationPath #DFIR #SOC
Image: C:\Python39\python.exe, Loaded DLL: C:\Users\user\AppData\Local\Temp\load.dll
Investigation Scenario
The information in the screenshot was logged by System EID 7.
What do you look for to investigate whether an incident occurred?
BONUS: What are some legitimate scenarios in which you might observe this behavior?
#InvestigationPath #DFIR #SOC
Investigation Scenario
An instance of chrome.exe executed with the --load-extension option.
What do you look for to investigate whether an incident occurred and its source?
#InvestigationPath #DFIR #SOC
Investigation Scenario
A middle school IT admin noticed a Chrome Extension added to a student's laptop with permissions ["proxy", "webRequest", "tabs"].
What do you look for to investigate if an incident or policy violation occurred?
#InvestigationPath #DFIR #SOC