I post these scenarios every Tuesday! We're up to 135 of them so far! If you enjoy them, you'll probably like my Investigation Theory class where I work with folks directly on improving their investigative skills, leveraging principles from cognitive science: www.networkdefense.co/courses/
Investigation Scenario
A host on your network executed the command “netsh wlan show profile” for the first time.
What do you look for to investigate whether an incident occurred?
#InvestigationPath #DFIR #SOC
Investigation Scenario
Your SIEM flags an OAuth consent grant to “Adobe Secure Share” from a user's M365 account at 07:13 AM. The audit log shows consent to files.readwrite.all.
What do you look for to investigate whether an incident occurred?
#InvestigationPath #DFIR #SOC
Source: www.apa.org/pubs/journa...
...From a study that found that people with a more competitive worldview tend to see antagonistic behavior by leaders as a sign of competence and effectiveness, and are generally more tolerant of such behavior.
A whole unit of political science, sociology, economics, and behavioral science could be taught on this one.
We fulfill them as we can. The more folks buy, the more we're able to give away. We also have a "Buy 1 + Give 1" option available on the website: milosmeteorite.com
If you happen to know a teacher in a Title 1 or rural school, they can fill out this form to request a free copy: docs.google.com/forms/d/e/1...
Big batch of FREE Milo and the Midnight Meteorite copies headed out to public schools today. Today's copies headed to schools in CA, NM, OR, MI, AL, AZ, TN, OH, KY, WI, IL, MS, and PA!
Investigation Scenario
You receive a SIEM alert about this file:
C:\Users\bose\Downloads\report.doc
The file copied itself to %TEMP% and the original copy was deleted.
What do you look for to investigate whether an incident occurred?
#InvestigationPath #DFIR #SOC
What evidence do you present to elevate this from “suspicious service creation” to confirmed malicious activity? Lead with your strongest likely evidence sources and conclusions.
#InvestigationPath #DFIR #SOC
Investigation Scenario
You find Event ID 7045 showing a new service installed: WinUpdateCheck, pointing to C:\ProgramData\wucheck.exe. You report to the SOC lead that this system is infected and needs to be contained.
They ask you to justify that request.
Source: www.pnas.org/doi/abs/10....
"...the propensity for prosocial behavior may be reduced in states of cognitive fatigue resulting from the extended exertion of self-control." similar to "sleep-like activity"
Prolonged cognitive fatigue → frontal cortex changes → more aggressive and uncooperative
#InvestigationPath #DFIR #SOC
Investigation Scenario
A user reports OneDrive crashing on startup. You see OneDrive.exe launched as expected, but then you spot conhost.exe spawned within 2 seconds, followed by mshta.exe -- no obvious error dialogs.
What do you look for to investigate whether an incident occurred?
I'll pick one of my favorite responses this week for a free subscription to my Analyst Skills Vault: networkdefense.co/skillsvault
Investigation Scenario
Several of your key developers had Notepad++ installed during the time period when the project was believed to have been compromised.
What do you look for to investigate whether an incident occurred?
#InvestigationPath #DFIR #SOC
Investigation Scenario
You received an alert that the creation date of a file was changed to a prior year.
What do you look for to investigate whether an incident occurred?
#InvestigationPath #DFIR #SOC
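A creation date pushed back into a prior year is the classic timestomping pattern, and on NTFS the file carries two sets of timestamps that can be compared: $STANDARD_INFORMATION, which userland tools can rewrite, and $FILE_NAME, which the kernel sets on create/rename. The script below is an added example, not code from the original post; the two records, paths and times are constructed, the two-second tolerance is an assumption, and the rule strengths are the editor's, not the author's.

```python
"""Spot NTFS timestamp patterns consistent with a backdated creation time.

Added example, not from the original post. The records are constructed to
look like what an MFT parser (e.g. MFTECmd) exports for a file's
$STANDARD_INFORMATION (SI) and $FILE_NAME (FN) attributes; paths and times
are hypothetical.
"""
from datetime import datetime, timedelta


def ts(text: str) -> datetime:
    """Parse 'YYYY-MM-DD HH:MM:SS.ffffff' into a datetime."""
    return datetime.strptime(text, "%Y-%m-%d %H:%M:%S.%f")


# Constructed records (hypothetical). SI is what Explorer and most tools show;
# FN is written by the kernel when the file is created or renamed and cannot
# be set through the normal SetFileTime() API.
RECORDS = [
    {"path": r"C:\Users\bose\Downloads\report.doc",   # SI created pushed back to 2019
     "si": {"created": ts("2019-03-02 10:15:00.000000"),
            "modified": ts("2019-03-02 10:15:00.000000")},
     "fn": {"created": ts("2024-05-14 07:20:51.003917"),
            "modified": ts("2024-05-14 07:20:51.003917")}},
    {"path": r"C:\Users\bose\Documents\budget.xlsx",  # ordinary file, SI and FN agree
     "si": {"created": ts("2024-01-09 14:02:33.120551"),
            "modified": ts("2024-04-30 16:45:10.009871")},
     "fn": {"created": ts("2024-01-09 14:02:33.120551"),
            "modified": ts("2024-01-09 14:02:33.120551")}},
]

TOLERANCE = timedelta(seconds=2)   # assumed: absorbs normal FN/SI skew on create


def analyze(rec: dict) -> list:
    """Return the anomalies found in one record, strongest first."""
    si, fn = rec["si"], rec["fn"]
    findings = []
    # Strong: SI creation earlier than FN creation. A userland timestomp
    # rewrites SI only, so FN keeps the real creation time.
    if fn["created"] - si["created"] > TOLERANCE:
        findings.append("strong: SI created predates FN created")
    # Moderate: whole-second SI values while FN keeps sub-second precision.
    # Several timestomping tools only write second granularity.
    if (si["created"].microsecond == 0 and si["modified"].microsecond == 0
            and fn["created"].microsecond != 0):
        findings.append("moderate: SI timestamps have zero sub-second precision")
    # Weak on its own: created after modified also happens when a file is
    # copied (the copy gets a new creation time, keeps the source's modified time).
    if si["created"] - si["modified"] > TOLERANCE:
        findings.append("weak: SI created is later than SI modified")
    return findings


def verdict(findings: list) -> str:
    """Collapse the findings into a triage call."""
    if any(f.startswith("strong") for f in findings) or len(findings) >= 2:
        return "likely timestomped"
    return "no timestamp anomaly" if not findings else "inconclusive"


if __name__ == "__main__":
    for rec in RECORDS:
        found = analyze(rec)
        print(f"{rec['path']}: {verdict(found)}" + (" - " + "; ".join(found) if found else ""))
```

A "likely timestomped" result answers whether the date was changed, not who changed it; the follow-on pivots are the process that touched the file (Sysmon Event ID 2, "a process changed a file creation time", if Sysmon is deployed) and the USN journal entries for the file around the FN creation time.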
In a time when I don't feel like there's a lot of innovation going on in the candy space, Nerds Gummy Clusters are genuinely pretty special.
Investigation Scenario
You know an attacker accessed several customer support workstations in the past month based on discovery of a consistent persistence mechanism. You suspect wider access, but auth logs only go back 24h. How can you determine where else the attacker went?
#InvestigationPath
Investigation Scenario
While reviewing group membership on a Windows domain, you discover that the account of a former IT employee is still active. They left the company nearly a year ago.
What do you look for to investigate whether an incident occurred?
#InvestigationPath #DFIR #SOC
Source: psycnet.apa.org/fulltext/20...
"People tend to show a bias in favor of higher paid peers as collaboration partners, while they show an aversion to hiring people with higher pay histories as subordinates."
By understanding what the file is expected to do, you can then examine evidence to determine if those things happened and their impact. If you can't directly prove execution, proving these things can indirectly prove it.
Now, "what changes were made to the system?" is too broad. You could look in a hundred places to answer that without narrowing the path further.
Some options here include...
1. OSINT research on the executable (hash, file name, other details)
2. Execute the file in a sandbox
That first question is pretty solid. However, there's a gap between the first and the second. Just because a host downloads a file doesn't mean the file executes. A meaningful follow-up becomes, "Did the host execute the EXE?"
"Did the host successfully download the EXE? If so, what changes were made to the system?"
How could we improve this investigative path with stronger questions?
#SOC #DFIR
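The thread above narrows "what changes were made to the system?" by first asking "did the EXE execute?" and then looking only at what the executing process and its children did. With process-creation telemetry that narrowing is mechanical: find the process whose image name or hash matches the download, walk its descendants, and collect only the file and registry writes made by that tree. The same walk answers the earlier OneDrive.exe → conhost.exe → mshta.exe scenario by starting from the OneDrive.exe process. The script below is an added example, not code from the original thread; the events are constructed in the shape of Sysmon Event IDs 1, 11 and 13, and every GUID, hash, path and command line is hypothetical.

```python
"""Turn "what changes were made to the system?" into "what did the EXE's
process tree do?" by pivoting on Sysmon-style telemetry.

Added example, not from the original thread. The events are constructed in
the shape of Sysmon Event ID 1 (process create), 11 (file create) and
13 (registry value set); GUIDs, hashes, paths and command lines are all
hypothetical.
"""
from collections import defaultdict

# Constructed Sysmon-style events from one host (hypothetical values).
EVENTS = [
    {"EventID": 1, "ProcessGuid": "{g-1}", "ParentProcessGuid": "{g-0}",
     "Image": r"C:\Program Files\Mozilla Firefox\firefox.exe",
     "CommandLine": "firefox.exe", "Hashes": "SHA256=" + "11" * 32},
    {"EventID": 1, "ProcessGuid": "{g-2}", "ParentProcessGuid": "{g-0}",
     "Image": r"C:\Windows\explorer.exe",
     "CommandLine": "explorer.exe", "Hashes": "SHA256=" + "22" * 32},
    # The downloaded EXE, launched from Explorer by the user.
    {"EventID": 1, "ProcessGuid": "{g-3}", "ParentProcessGuid": "{g-2}",
     "Image": r"C:\Users\bose\Downloads\invoice_viewer.exe",
     "CommandLine": r'"C:\Users\bose\Downloads\invoice_viewer.exe"',
     "Hashes": "SHA256=" + "ab" * 32},
    {"EventID": 11, "ProcessGuid": "{g-3}",
     "TargetFilename": r"C:\Users\bose\AppData\Local\Temp\svc_helper.exe"},
    {"EventID": 1, "ProcessGuid": "{g-4}", "ParentProcessGuid": "{g-3}",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": r"powershell.exe -nop -w hidden -ep bypass -File C:\Users\bose\AppData\Local\Temp\stage.ps1",
     "Hashes": "SHA256=" + "33" * 32},
    {"EventID": 13, "ProcessGuid": "{g-4}",
     "TargetObject": r"HKU\S-1-5-21-1111-2222-3333-1001\Software\Microsoft\Windows\CurrentVersion\Run\svc_helper"},
    # Unrelated branch under the browser; must not be attributed to the EXE.
    {"EventID": 1, "ProcessGuid": "{g-5}", "ParentProcessGuid": "{g-1}",
     "Image": r"C:\Windows\System32\conhost.exe",
     "CommandLine": "conhost.exe", "Hashes": "SHA256=" + "44" * 32},
]


def find_roots(events: list, *, image_name=None, sha256=None) -> list:
    """ProcessGuids of Event ID 1 records whose image name or SHA256 matches."""
    roots = []
    for e in events:
        if e["EventID"] != 1:
            continue
        name_hit = image_name and e["Image"].lower().endswith("\\" + image_name.lower())
        hash_hit = sha256 and f"sha256={sha256.lower()}" in e["Hashes"].lower()
        if name_hit or hash_hit:
            roots.append(e["ProcessGuid"])
    return roots


def execution_evidence(events: list, *, image_name=None, sha256=None) -> dict:
    """Collect the process tree rooted at the suspect EXE and the file and
    registry writes made by any process in that tree."""
    children = defaultdict(list)
    for e in events:
        if e["EventID"] == 1:
            children[e["ParentProcessGuid"]].append(e["ProcessGuid"])
    roots = find_roots(events, image_name=image_name, sha256=sha256)
    tree, stack = set(roots), list(roots)
    while stack:                        # walk descendants; the set guards against loops
        for child in children[stack.pop()]:
            if child not in tree:
                tree.add(child)
                stack.append(child)
    return {
        "executed": bool(roots),
        "processes": [e["Image"] for e in events
                      if e["EventID"] == 1 and e["ProcessGuid"] in tree],
        "files_created": [e["TargetFilename"] for e in events
                          if e["EventID"] == 11 and e["ProcessGuid"] in tree],
        "registry_set": [e["TargetObject"] for e in events
                         if e["EventID"] == 13 and e["ProcessGuid"] in tree],
    }


if __name__ == "__main__":
    summary = execution_evidence(EVENTS, image_name="invoice_viewer.exe")
    print("executed:", summary["executed"])
    for key in ("processes", "files_created", "registry_set"):
        for item in summary[key]:
            print(f"  {key}: {item}")
```

An empty result is not proof that the file never ran; it only means this telemetry did not record it. Prefetch, Amcache and Security 4688 (if command-line auditing is enabled) are the usual places to look before concluding non-execution, which is the gap the thread's "did the host execute the EXE?" question is meant to close.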
Semi-annual reminder that if you're one of my Applied Network Defense students, you have access to my open office hours. I just updated those for the first half of the year. Details inside your class portal.