toad.social is one of the many independent Mastodon servers you can use to participate in the fediverse.
Mastodon server operated by David Troy, a tech pioneer and investigative journalist addressing threats to democracy. Thoughtful participation and discussion welcome.

Administered by:

Server stats:

214
active users

#InvestigationPath

0 posts0 participants0 posts today
Chris Sanders 🔎 🧠<p>This is the 100th <a href="https://infosec.exchange/tags/InvestigationPath" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>InvestigationPath</span></a> scenario I've published, so I'm doing some giveaways! If you make an effortful response, you'll have an opportunity to win a free seat in one of my courses or an Analyst <br>Skills Vault subscription: <a href="https://www.networkdefense.co/skillsvault/" rel="nofollow noopener" translate="no" target="_blank"><span class="invisible">https://www.</span><span class="">networkdefense.co/skillsvault/</span><span class="invisible"></span></a></p>
Chris Sanders 🔎 🧠<p>Investigation Scenario 🔎</p><p>While reviewing company code in Github, you discover odd javascript that downloads+executes a file from an unknown domain that is currently inaccessible.</p><p>What do you look for to investigate whether an incident occurred?</p><p><a href="https://infosec.exchange/tags/InvestigationPath" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>InvestigationPath</span></a> <a href="https://infosec.exchange/tags/DFIR" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>DFIR</span></a> <a href="https://infosec.exchange/tags/SOC" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>SOC</span></a></p>
Chris Sanders 🔎 🧠<p>Tomorrow's <a href="https://infosec.exchange/tags/InvestigationPath" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>InvestigationPath</span></a> scenario will be the 100th I've published. To celebrate, I'm giving away free stuff. Anybody who replies to that post and participates (with meaningful effort) has a chance to win a free course seat, subscription to my analyst skills vault, or book.</p>
Chris Sanders 🔎 🧠<p>Investigation Scenario 🔎</p><p>You have detected unauthorized modification to /etc/libaudit.conf on a Linux server. </p><p>What do you look for to investigate whether an incident occurred and its impact? What could an attacker have done here?</p><p><a href="https://infosec.exchange/tags/InvestigationPath" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>InvestigationPath</span></a> <a href="https://infosec.exchange/tags/DFIR" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>DFIR</span></a> <a href="https://infosec.exchange/tags/SOC" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>SOC</span></a></p>
Chris Sanders 🔎 🧠<p>Investigation Scenario 🔎</p><p>PowerShell Script Block Logging (EID 4104) reveals the pictured command was executed:</p><p>What do you look for to investigate whether an incident occurred and its extent?</p><p><a href="https://infosec.exchange/tags/InvestigationPath" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>InvestigationPath</span></a> <a href="https://infosec.exchange/tags/DFIR" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>DFIR</span></a> <a href="https://infosec.exchange/tags/SOC" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>SOC</span></a></p>
Chris Sanders 🔎 🧠<p>Investigation Scenario 🔎</p><p>You’ve received an alert derived from a Sigma rule indicating a short name path was used in the command line.</p><p>Sigma Rule Source: <a href="https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_susp_ntfs_short_name_path_use_cli.yml" rel="nofollow noopener" translate="no" target="_blank"><span class="invisible">https://</span><span class="ellipsis">github.com/SigmaHQ/sigma/blob/</span><span class="invisible">master/rules/windows/process_creation/proc_creation_win_susp_ntfs_short_name_path_use_cli.yml</span></a></p><p>What do you look for to investigate whether an incident occurred?</p><p><a href="https://infosec.exchange/tags/InvestigationPath" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>InvestigationPath</span></a> <a href="https://infosec.exchange/tags/DFIR" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>DFIR</span></a> <a href="https://infosec.exchange/tags/SOC" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>SOC</span></a></p>
Chris Sanders 🔎 🧠<p>Investigation Scenario 🔎</p><p>Proxy logs show a Linux database server making HTTP requests with an empty User Agent string.</p><p>You don't have PCAP or other network logs. </p><p>What do you look for to investigate whether an incident occurred?</p><p><a href="https://infosec.exchange/tags/InvestigationPath" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>InvestigationPath</span></a> <a href="https://infosec.exchange/tags/DFIR" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>DFIR</span></a> <a href="https://infosec.exchange/tags/SOC" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>SOC</span></a></p>
Chris Sanders 🔎 🧠<p>Investigation Scenario 🔎</p><p>A user workstation executed gpedit.msc for an unknown reason. </p><p>What do you look for to investigate whether an incident occurred?</p><p><a href="https://infosec.exchange/tags/InvestigationPath" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>InvestigationPath</span></a> <a href="https://infosec.exchange/tags/DFIR" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>DFIR</span></a> <a href="https://infosec.exchange/tags/SOC" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>SOC</span></a></p>
Chris Sanders 🔎 🧠<p>Investigation Scenario 🔎</p><p>While threat hunting, you’ve discovered a host receiving HTTPS traffic on port TCP/53. </p><p>What do you look for to investigate whether an incident occurred?</p><p><a href="https://infosec.exchange/tags/InvestigationPath" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>InvestigationPath</span></a> <a href="https://infosec.exchange/tags/DFIR" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>DFIR</span></a> <a href="https://infosec.exchange/tags/SOC" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>SOC</span></a></p>
Chris Sanders 🔎 🧠<p>Investigation Scenario 🔎</p><p>You’ve discovered a 3 year old account named “testuser” on your Windows domain. Nobody knows who created it.</p><p>What do you look for to investigate whether this account has been used for any malicious activity?</p><p><a href="https://infosec.exchange/tags/InvestigationPath" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>InvestigationPath</span></a> <a href="https://infosec.exchange/tags/DFIR" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>DFIR</span></a> <a href="https://infosec.exchange/tags/SOC" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>SOC</span></a></p>
Chris Sanders 🔎 🧠<p>Investigation Scenario 🔎</p><p>An employee was terminated for moonlighting with a competitor. While reviewing their Windows laptop, you find Slack is installed.</p><p>What do you look for to investigate their Slack use and if an incident occurred?</p><p><a href="https://infosec.exchange/tags/InvestigationPath" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>InvestigationPath</span></a> <a href="https://infosec.exchange/tags/DFIR" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>DFIR</span></a> <a href="https://infosec.exchange/tags/SOC" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>SOC</span></a></p>
Chris Sanders 🔎 🧠<p>Investigation Scenario 🔎</p><p>You’ve discovered a Windows 10 host placed in the wrong AD OU. As a result, WSUS did not pick it up for automatic updates for at least two years.</p><p>What do you look for to investigate whether it has been compromised?</p><p><a href="https://infosec.exchange/tags/InvestigationPath" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>InvestigationPath</span></a> <a href="https://infosec.exchange/tags/DFIR" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>DFIR</span></a> <a href="https://infosec.exchange/tags/SOC" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>SOC</span></a></p>
Chris Sanders 🔎 🧠<p>Investigation Scenario 🔎</p><p>You’ve discovered the pictured log entry in /var/log/auth.log on a Linux server. Root login through SSH is supposed to be disabled on company systems.</p><p>What do you look for to investigate whether an incident occurred?</p><p>Assume you have access to whatever digital evidence source you need.</p><p><a href="https://infosec.exchange/tags/InvestigationPath" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>InvestigationPath</span></a> <a href="https://infosec.exchange/tags/DFIR" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>DFIR</span></a> <a href="https://infosec.exchange/tags/SOC" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>SOC</span></a></p>
Chris Sanders 🔎 🧠<p>Investigation Scenario 🔎</p><p>A user's Windows workstation appears to display a ransom note associated with the BLACK CAT ransomware family. However, no files seem to be encrypted on the system. </p><p>What do you look for to investigate whether the ransomware executed successfully and the extent of the compromise?</p><p><a href="https://infosec.exchange/tags/InvestigationPath" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>InvestigationPath</span></a> <a href="https://infosec.exchange/tags/DFIR" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>DFIR</span></a> <a href="https://infosec.exchange/tags/SOC" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>SOC</span></a></p>
Chris Sanders 🔎 🧠<p>Investigation Scenario 🔎</p><p>A user workstation started sending TCP SYN packets to dozens of other hosts on the network. You’ve never seen the host exhibit this behavior before.</p><p>What do you look for to investigate whether an incident occurred?</p><p><a href="https://infosec.exchange/tags/InvestigationPath" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>InvestigationPath</span></a> <a href="https://infosec.exchange/tags/DFIR" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>DFIR</span></a> <a href="https://infosec.exchange/tags/SOC" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>SOC</span></a></p>
Chris Sanders 🔎 🧠<p>Investigation Scenario 🔎</p><p>You’ve discovered a web server on your network running a version of WordPress that has not been updated for 3 years.</p><p>What do you look for to investigate whether a successful attack has been conducted against this server?</p><p><a href="https://infosec.exchange/tags/InvestigationPath" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>InvestigationPath</span></a> <a href="https://infosec.exchange/tags/DFIR" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>DFIR</span></a> <a href="https://infosec.exchange/tags/SOC" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>SOC</span></a></p>
Chris Sanders 🔎 🧠<p>Investigation Scenario 🔎</p><p>A user reported receiving a suspicious link over Telegram. The message mentioned your company, but they didn't click it. Others may have also received it.</p><p>What do you look for to investigate whether an incident occurred?</p><p><a href="https://infosec.exchange/tags/InvestigationPath" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>InvestigationPath</span></a> <a href="https://infosec.exchange/tags/DFIR" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>DFIR</span></a> <a href="https://infosec.exchange/tags/SOC" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>SOC</span></a></p>
Chris Sanders 🔎 🧠<p>Investigation Scenario 🔎</p><p>A user reports to you that they opened an emailed PDF they believed to be from a legitimate sender, but later realized it was not. </p><p>What do you look for to determine if an incident occurred and its extent?</p><p><a href="https://infosec.exchange/tags/InvestigationPath" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>InvestigationPath</span></a> <a href="https://infosec.exchange/tags/DFIR" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>DFIR</span></a> <a href="https://infosec.exchange/tags/SOC" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>SOC</span></a></p>
Chris Sanders 🔎 🧠<p>Investigation Scenario 🔎</p><p>An unknown wireless network with a strong signal has appeared inside your corporate office.</p><p>What do you look for to investigate whether an incident occurred, and its extent?</p><p><a href="https://infosec.exchange/tags/InvestigationPath" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>InvestigationPath</span></a> <a href="https://infosec.exchange/tags/DFIR" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>DFIR</span></a> <a href="https://infosec.exchange/tags/SOC" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>SOC</span></a></p>
Chris Sanders 🔎 🧠<p>Investigation Scenario 🔎</p><p>Several Windows computers on your network have blue-screened.</p><p>What do you look for to investigate whether an attack has occurred?</p><p>This one is obviously based on recent events, but let's bracket the scenario away from those events and approach it without that recency bias.</p><p><a href="https://infosec.exchange/tags/InvestigationPath" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>InvestigationPath</span></a> <a href="https://infosec.exchange/tags/DFIR" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>DFIR</span></a> <a href="https://infosec.exchange/tags/SOC" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>SOC</span></a></p>