NRW.social

1 Beitrag1 Beteiligte*r0 Beiträge heute

Chris Sanders 🔎 🧠Investigation Scenario 🔎You have detected unauthorized modification to /etc/libaudit.conf on a Linux server. What do you look for to investigate whether an incident occurred and its impact? What could an attacker have done here?<a href="https://infosec.exchange/tags/InvestigationPath" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#InvestigationPath</a> <a href="https://infosec.exchange/tags/DFIR" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#DFIR</a> <a href="https://infosec.exchange/tags/SOC" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#SOC</a>

Chris Sanders 🔎 🧠Investigation Scenario 🔎The process explorer.exe spawned rundll32.exe on a system on your network.What do you look for to investigate whether an incident occurred?Assume you have access to whatever digital evidence source you need.<a href="https://infosec.exchange/tags/InvestigationPath" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#InvestigationPath</a> <a href="https://infosec.exchange/tags/DFIR" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#DFIR</a> <a href="https://infosec.exchange/tags/SOC" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#SOC</a>

Chris Sanders 🔎 🧠Investigation Scenario 🔎A user reports that all the files in their documents/desktop folders are gone after returning to the office on Monday. They swear they didn’t delete them.What do you look for to investigate whether an incident occurred?<a href="https://infosec.exchange/tags/InvestigationPath" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#InvestigationPath</a> <a href="https://infosec.exchange/tags/DFIR" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#DFIR</a> <a href="https://infosec.exchange/tags/SOC" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#SOC</a>

Chris Sanders 🔎 🧠Investigation Scenario 🔎PowerShell Script Block Logging (EID 4104) reveals the pictured command was executed:What do you look for to investigate whether an incident occurred and its extent?<a href="https://infosec.exchange/tags/InvestigationPath" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#InvestigationPath</a> <a href="https://infosec.exchange/tags/DFIR" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#DFIR</a> <a href="https://infosec.exchange/tags/SOC" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#SOC</a>

Chris Sanders 🔎 🧠Investigation Scenario 🔎You’ve received an alert derived from a Sigma rule indicating a short name path was used in the command line.Sigma Rule Source: <a href="https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_susp_ntfs_short_name_path_use_cli.yml" rel="nofollow noopener noreferrer" translate="no" target="_blank">https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_susp_ntfs_short_name_path_use_cli.yml</a>What do you look for to investigate whether an incident occurred?<a href="https://infosec.exchange/tags/InvestigationPath" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#InvestigationPath</a> <a href="https://infosec.exchange/tags/DFIR" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#DFIR</a> <a href="https://infosec.exchange/tags/SOC" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#SOC</a>

Chris Sanders 🔎 🧠Investigation Scenario 🔎A server on your network suddenly sent DNS requests to several (100+) known malicious domains. but did not connect to them.What do you look for to investigate the source and disposition of this event?<a href="https://infosec.exchange/tags/InvestigationPath" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#InvestigationPath</a> <a href="https://infosec.exchange/tags/DFIR" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#DFIR</a> <a href="https://infosec.exchange/tags/SOC" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#SOC</a>

Chris Sanders 🔎 🧠Investigation Scenario 🔎Proxy logs show a Linux database server making HTTP requests with an empty User Agent string.You don't have PCAP or other network logs. What do you look for to investigate whether an incident occurred?<a href="https://infosec.exchange/tags/InvestigationPath" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#InvestigationPath</a> <a href="https://infosec.exchange/tags/DFIR" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#DFIR</a> <a href="https://infosec.exchange/tags/SOC" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#SOC</a>

Chris Sanders 🔎 🧠Investigation Scenario 🔎You’ve discovered a Windows system with screenshots of the user’s desktop in the %appdata%\ScreenShot\ directory.What do you look for to investigate whether an incident occurred?<a href="https://infosec.exchange/tags/InvestigationPath" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#InvestigationPath</a> <a href="https://infosec.exchange/tags/DFIR" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#DFIR</a> <a href="https://infosec.exchange/tags/SOC" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#SOC</a>

Chris Sanders 🔎 🧠Investigation Scenario 🔎You retrieved a running process list from a single department of 20 Windows systems.What is your approach to find anomalies in this data set? What do you look for to investigate whether an incident occurred?<a href="https://infosec.exchange/tags/InvestigationPath" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#InvestigationPath</a> <a href="https://infosec.exchange/tags/DFIR" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#DFIR</a> <a href="https://infosec.exchange/tags/SOC" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#SOC</a>

Chris Sanders 🔎 🧠Investigation Scenario 🔎Your CFO has returned from another country and they are concerned an untrusted party accessed their Mac laptop. What do you look for to investigate whether an incident occurred? Where do you focus your first few steps? <a href="https://infosec.exchange/tags/InvestigationPath" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#InvestigationPath</a> <a href="https://infosec.exchange/tags/DFIR" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#DFIR</a> <a href="https://infosec.exchange/tags/SOC" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#SOC</a>

Chris Sanders 🔎 🧠Investigation Scenario 🔎You discovered a suspicious PDF on a user’s workstation and found this sandbox report referencing it: <a href="https://app.any.run/tasks/e5ac2e36-ba65-41b1-8d6d-ab98e29e9cf3" rel="nofollow noopener noreferrer" translate="no" target="_blank">https://app.any.run/tasks/e5ac2e36-ba65-41b1-8d6d-ab98e29e9cf3</a>What do you look for to investigate whether the system was infected and its extent?<a href="https://infosec.exchange/tags/InvestigationPath" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#InvestigationPath</a> <a href="https://infosec.exchange/tags/DFIR" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#DFIR</a> <a href="https://infosec.exchange/tags/SOC" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#SOC</a>

Chris Sanders 🔎 🧠Investigation Scenario 🔎You receive an alert that a Linux system is experiencing consistently high CPU usage. Running crontab -l for the related user, you see the pictured entry...However, when you check again, the crontab entry is gone. The file listed in the cron job is not currently available at that URL. What do you look for to investigate whether an incident occurred?<a href="https://infosec.exchange/tags/InvestigationPath" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#InvestigationPath</a> <a href="https://infosec.exchange/tags/DFIR" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#DFIR</a> <a href="https://infosec.exchange/tags/SOC" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#SOC</a>

Chris Sanders 🔎 🧠Investigation Scenario 🔎A user workstation executed gpedit.msc for an unknown reason. What do you look for to investigate whether an incident occurred?<a href="https://infosec.exchange/tags/InvestigationPath" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#InvestigationPath</a> <a href="https://infosec.exchange/tags/DFIR" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#DFIR</a> <a href="https://infosec.exchange/tags/SOC" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#SOC</a>

Chris Sanders 🔎 🧠Investigation Scenario 🔎While threat hunting, you’ve discovered a host receiving HTTPS traffic on port TCP/53. What do you look for to investigate whether an incident occurred?<a href="https://infosec.exchange/tags/InvestigationPath" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#InvestigationPath</a> <a href="https://infosec.exchange/tags/DFIR" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#DFIR</a> <a href="https://infosec.exchange/tags/SOC" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#SOC</a>

Chris Sanders 🔎 🧠Investigation Scenario 🔎A user workstation executed a file named newapp.exe from their AppData/Roaming directory.What do you look for to investigate whether an incident occurred? For bonus points, what malware family do you suspect is associated with this activity?You don't have access to the file.<a href="https://infosec.exchange/tags/InvestigationPath" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#InvestigationPath</a> <a href="https://infosec.exchange/tags/DFIR" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#DFIR</a> <a href="https://infosec.exchange/tags/SOC" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#SOC</a>

Chris Sanders 🔎 🧠Investigation Scenario 🔎You've received an alert from the pictured Sigma rule indicating an account lockout occurred in your Azure environment. What do you look for to investigate whether an incident occurred?<a href="https://infosec.exchange/tags/InvestigationPath" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#InvestigationPath</a> <a href="https://infosec.exchange/tags/DFIR" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#DFIR</a> <a href="https://infosec.exchange/tags/SOC" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#SOC</a>

Chris Sanders 🔎 🧠Investigation Scenario 🔎You’ve discovered a 3 year old account named “testuser” on your Windows domain. Nobody knows who created it.What do you look for to investigate whether this account has been used for any malicious activity?<a href="https://infosec.exchange/tags/InvestigationPath" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#InvestigationPath</a> <a href="https://infosec.exchange/tags/DFIR" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#DFIR</a> <a href="https://infosec.exchange/tags/SOC" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#SOC</a>

Chris Sanders 🔎 🧠Investigation Scenario 🔎An employee was terminated for moonlighting with a competitor. While reviewing their Windows laptop, you find Slack is installed.What do you look for to investigate their Slack use and if an incident occurred?<a href="https://infosec.exchange/tags/InvestigationPath" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#InvestigationPath</a> <a href="https://infosec.exchange/tags/DFIR" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#DFIR</a> <a href="https://infosec.exchange/tags/SOC" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#SOC</a>

Chris Sanders 🔎 🧠Investigation Scenario 🔎While hunting through DNS traffic, you encounter a series of queries whose contents appear nonsensical. What do you look for to investigate whether an incident occurred?<a href="https://infosec.exchange/tags/InvestigationPath" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#InvestigationPath</a> <a href="https://infosec.exchange/tags/DFIR" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#DFIR</a> <a href="https://infosec.exchange/tags/SOC" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#SOC</a>

Chris Sanders 🔎 🧠Investigation Scenario 🔎You received the depicted Suricata alert related to Impacket usage.What do you look for to investigate whether an incident occurred and its extent?<a href="https://infosec.exchange/tags/InvestigationPath" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#InvestigationPath</a> <a href="https://infosec.exchange/tags/DFIR" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#DFIR</a> <a href="https://infosec.exchange/tags/SOC" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#SOC</a>

Frühere Suchanfragen

Suchoptionen

Verwaltet von:

Serverstatistik:

#InvestigationPath