#InvestigationPath

Chris Sanders 🔎 🧠 @chrissanders88@infosec.exchange
2025-07-29

Investigation Scenario 🔎

The information in the screenshot was logged by Sysmon EID 7.

What do you look for to investigate whether an incident occurred?

BONUS: What are some legitimate scenarios in which you might observe this behavior?

#InvestigationPath #DFIR #SOC

Image: C:\Python39\python.exe, Loaded DLL: C:\Users\user\AppData\Local\Temp\load.dll
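Added example, not part of the post above and not Chris Sanders' code: a Python triage pass over Sysmon Event ID 7 (Image loaded) records flattened to dicts, the way an exported log reads. The sample events are constructed for this example and include the python.exe / load.dll pair from the screenshot; hostnames, users and hash values are placeholders. It flags DLLs loaded from user-writable paths, especially by interpreters and proxy-execution binaries, notes the PyInstaller onefile unpack directory (%TEMP%\_MEI<pid>) as a benign explanation to rule out first, and pivots on the Sysmon Hashes field to find the same DLL loading elsewhere.

```python
import re

# Constructed Sysmon Event ID 7 (Image loaded) records for this example.
# Field names follow Sysmon's schema; hosts, users and hash values are placeholders.
SAMPLE_EVENTS = [
    {"Computer": "WS01", "User": "CORP\\user", "Image": r"C:\Python39\python.exe",
     "ImageLoaded": r"C:\Users\user\AppData\Local\Temp\load.dll",
     "Signed": "false", "SignatureStatus": "Unavailable",
     "Hashes": "SHA256=" + "ab" * 32 + ",IMPHASH=" + "cd" * 16},
    {"Computer": "WS01", "User": "CORP\\user", "Image": r"C:\Python39\python.exe",
     "ImageLoaded": r"C:\Windows\System32\kernel32.dll",
     "Signed": "true", "SignatureStatus": "Valid",
     "Hashes": "SHA256=" + "11" * 32 + ",IMPHASH=" + "22" * 16},
    {"Computer": "WS02", "User": "CORP\\dev", "Image": r"C:\Users\dev\Downloads\tool.exe",
     "ImageLoaded": r"C:\Users\dev\AppData\Local\Temp\_MEI48120\python39.dll",
     "Signed": "true", "SignatureStatus": "Valid",
     "Hashes": "SHA256=" + "33" * 32 + ",IMPHASH=" + "44" * 16},
    {"Computer": "WS07", "User": "CORP\\svc_build", "Image": r"C:\Windows\System32\rundll32.exe",
     "ImageLoaded": r"C:\ProgramData\cache\load.dll",
     "Signed": "false", "SignatureStatus": "Unavailable",
     "Hashes": "SHA256=" + "ab" * 32 + ",IMPHASH=" + "cd" * 16},
]

# Locations a standard user can write to; a DLL loaded from here deserves a look.
USER_WRITABLE = re.compile(
    r"^[a-z]:\\(?:users\\[^\\]+\\(?:appdata|downloads|desktop|documents)"
    r"|users\\public|programdata|windows\\temp)\\", re.I)
# PyInstaller onefile binaries unpack their bundled DLLs to %TEMP%\_MEI<pid>\
PYINSTALLER_TEMP = re.compile(r"\\_MEI\d+\\", re.I)
# Interpreters and proxy-execution binaries that commonly end up loading attacker DLLs.
INTERPRETERS = {"python.exe", "pythonw.exe", "powershell.exe", "pwsh.exe",
                "rundll32.exe", "regsvr32.exe", "mshta.exe", "wscript.exe", "cscript.exe"}


def basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def parse_hashes(field):
    """Sysmon writes 'SHA256=...,IMPHASH=...'; return {algo: value}."""
    return dict(part.split("=", 1) for part in field.split(",") if "=" in part)


def triage_image_load(ev):
    """Return the reasons an EID 7 record deserves analyst attention (empty if none)."""
    reasons = []
    loader = basename(ev["Image"])
    dll = ev["ImageLoaded"]
    if USER_WRITABLE.search(dll):
        reasons.append("dll_in_user_writable_path")
    if ev.get("Signed", "").lower() != "true":
        reasons.append("dll_unsigned")
    if loader in INTERPRETERS:
        reasons.append(f"loader_is_interpreter:{loader}")
    if PYINSTALLER_TEMP.search(dll):
        # Benign explanation to check first: a PyInstaller onefile app unpacking itself.
        reasons.append("possible_pyinstaller_onefile")
    return reasons


def verdict(ev):
    r = triage_image_load(ev)
    if "dll_in_user_writable_path" in r:
        return "investigate"
    if "dll_unsigned" in r and any(x.startswith("loader_is_interpreter") for x in r):
        return "investigate"
    return "benign"


def pivot_by_hash(events, sha256):
    """Where else did this exact DLL load? Returns {(Computer, User, loader image)}."""
    hits = set()
    for ev in events:
        if parse_hashes(ev["Hashes"]).get("SHA256", "").lower() == sha256.lower():
            hits.add((ev["Computer"], ev["User"], ev["Image"]))
    return hits


if __name__ == "__main__":
    for ev in SAMPLE_EVENTS:
        print(f"{verdict(ev):11} {basename(ev['Image'])} <- {ev['ImageLoaded']} {triage_image_load(ev)}")
    sha = parse_hashes(SAMPLE_EVENTS[0]["Hashes"])["SHA256"]
    print("same DLL hash seen at:", sorted(pivot_by_hash(SAMPLE_EVENTS, sha)))
```

The path rule alone fires on legitimate PyInstaller bundles and on pip building native extensions in a temp directory, which is why the hash pivot and the signature fields are carried along: a signed python39.dll under _MEI is a different conversation from an unsigned load.dll that also appears under rundll32.exe on a build server.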
Chris Sanders 🔎 🧠 @chrissanders88@infosec.exchange
2025-07-23

Investigation Scenario 🔎

An instance of chrome.exe executed with the --load-extension option.

What do you look for to investigate whether an incident occurred and its source?

#InvestigationPath #DFIR #SOC

Chris Sanders 🔎 🧠 @chrissanders88@infosec.exchange
2025-07-15

Investigation Scenario 🔎

A middle school IT admin noticed a Chrome Extension added to a student's laptop with permissions ["proxy", "webRequest", "tabs"].

What do you look for to investigate if an incident or policy violation occurred?

#InvestigationPath #DFIR #SOC

Chris Sanders 🔎 🧠 @chrissanders88@infosec.exchange
2025-07-08

Investigation Scenario 🔎

A detection tool indicated a host might be infected with the Lumma stealer, but the signature is not visible.

What do you look for to investigate whether an infection from this malware has occurred and how it got there?

#InvestigationPath #DFIR #SOC

Chris Sanders 🔎 🧠 @chrissanders88@infosec.exchange
2025-06-24

Investigation Scenario 🔎

A macOS system performed a DNS query for a .onion domain.

The system doesn't have an EDR available -- only native logging.

What do you look for to investigate whether an incident occurred?

#InvestigationPath #DFIR #SOC

Chris Sanders 🔎 🧠 @chrissanders88@infosec.exchange
2025-06-17

Investigation Scenario 🔎

A host on your network executed a process whose parent process is mftrace.exe.

What do you look for to investigate whether an incident occurred?

#InvestigationPath #DFIR #SOC

2025-06-10

@chrissanders88 While winword.exe will frequently and legitimately create temp files ending with .tmp for speed and data integrity, the regular expression doesn’t match the expected format based on Microsoft documentation. As such, I would begin by determining what Word document was loaded into Microsoft Word and its source file directory. Seeing the document reside in the user’s downloads or desktop folder would be a suspicious indicator and warrant a look at the user’s email or proxy logs to identify its true source. Additionally, I’d perform analysis using oledump/olevba to identify potentially suspicious streams in the word document such as embedded vba code or other p-code commands. This analysis might shed some light on whether we can expect the source Word file to create the temp files in question and their purpose along with any other suspicious command execution. I would also perform direct analysis on the created tmp files to see if they are actually tmp files and what they might contain. A threat actor might drop temp files to trick the victim into thinking they are legitimate in nature. I’d also take a look at the winword parent process to look for other suspicious child processes (not typical), network connections, or registry modifications. Assuming we have enough suspicious behavior, pivot analysis to identify any other users exhibiting the same IOCs would be prudent. Calculated hashes of the files in question would be useful for potential threat intelligence investigations or additional pivot analysis in the environment. #soc #dfir #InvestigationPath
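Added example, not part of the reply above or of the original post: a Python pass that carries out two of the steps the reply describes, checking by magic bytes whether files named like the pattern are really what their extension claims, and computing a hash for each so it can be pivoted on across hosts or submitted for intelligence lookups. The file contents and names are constructed inline to stand in for files collected from the host. It anchors the scenario's regex to the whole filename, which the original `[a-z0-9]{4}\.tmp` does not, and keeps it case-sensitive as written.

```python
import hashlib
import re
from pathlib import Path

# The pattern from the scenario, anchored so it matches whole filenames only.
TMP_NAME = re.compile(r"^[a-z0-9]{4}\.tmp$")

# Magic bytes -> container type.
MAGIC = [
    (b"MZ", "pe_executable"),                                # EXE/DLL wearing a .tmp name
    (b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1", "ole2_compound"),  # legacy Office binary container
    (b"PK\x03\x04", "zip_container"),                        # OOXML (.docx) or a renamed archive
    (b"%PDF", "pdf"),
    (b"MSCF", "ms_cabinet"),
    (b"\x7fELF", "elf_executable"),
]

# How much attention each container type deserves when it shows up as a .tmp.
SEVERITY = {
    "pe_executable": "escalate", "elf_executable": "escalate", "ms_cabinet": "escalate",
    "ole2_compound": "expected", "zip_container": "expected",
}


def sniff(data: bytes) -> str:
    # Longer signatures first so a short prefix cannot shadow a longer match.
    for sig, label in sorted(MAGIC, key=lambda m: -len(m[0])):
        if data.startswith(sig):
            return label
    if not data:
        return "empty"
    # Printable-only content: a script or text dropped under a disguising extension.
    if all(32 <= b < 127 or b in (9, 10, 13) for b in data[:512]):
        return "text"
    return "unknown_binary"


def triage_tmp_files(files):
    """files: {filename: bytes}. One finding per name matching the scenario's pattern."""
    findings = []
    for name, data in files.items():
        if not TMP_NAME.match(name):
            continue  # outside the alert's scope
        kind = sniff(data)
        findings.append({
            "name": name,
            "size": len(data),
            "type": kind,
            "severity": SEVERITY.get(kind, "review"),
            "sha256": hashlib.sha256(data).hexdigest(),  # pivot key for other hosts / intel
        })
    return findings


def scan_directory(path):
    """Same triage against a directory of files collected from the host."""
    files = {p.name: p.read_bytes() for p in Path(path).iterdir() if p.is_file()}
    return triage_tmp_files(files)


# Constructed sample contents standing in for collected files (not real artifacts).
SAMPLE_FILES = {
    "a1b2.tmp": b"MZ\x90\x00\x03\x00\x00\x00" + b"\x00" * 56 + b"PE\x00\x00",  # PE header stub
    "9f3c.tmp": b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1" + b"\x00" * 24,          # OLE2 container
    "x7k2.tmp": b"powershell -nop -w hidden -enc SQBFAFgA\r\n",                # script text
    "ABCD1234.tmp": b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1",                      # name outside the pattern
}

if __name__ == "__main__":
    for f in triage_tmp_files(SAMPLE_FILES):
        print(f"{f['severity']:8} {f['name']} {f['type']:14} {f['size']:5}B sha256={f['sha256'][:16]}...")
```

Run `scan_directory(r"C:\evidence\host01\tmp")` against a collected folder; the "expected" label only means the container type is consistent with an Office scratch file, not that the content is clean, so the hashes still go into the pivot.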

Chris Sanders 🔎 🧠 @chrissanders88@infosec.exchange
2025-06-10

Investigation Scenario 🔎

You've discovered winword.exe as the parent process to files matching the following regular expression pattern: [a-z0-9]{4}\.tmp

What do you look for to investigate whether an incident occurred?

#InvestigationPath #DFIR #SOC

Chris Sanders 🔎 🧠 @chrissanders88@infosec.exchange
2025-06-03

This is the 100th #InvestigationPath scenario I've published, so I'm doing some giveaways! If you make an effortful response, you'll have an opportunity to win a free seat in one of my courses or an Analyst Skills Vault subscription: networkdefense.co/skillsvault/

Chris Sanders 🔎 🧠 @chrissanders88@infosec.exchange
2025-06-03

Investigation Scenario 🔎

While reviewing company code in GitHub, you discover odd JavaScript that downloads+executes a file from an unknown domain that is currently inaccessible.

What do you look for to investigate whether an incident occurred?

#InvestigationPath #DFIR #SOC

Chris Sanders 🔎 🧠 @chrissanders88@infosec.exchange
2025-06-02

Tomorrow's #InvestigationPath scenario will be the 100th I've published. To celebrate, I'm giving away free stuff. Anybody who replies to that post and participates (with meaningful effort) has a chance to win a free course seat, subscription to my analyst skills vault, or book.

Chris Sanders 🔎 🧠 @chrissanders88@infosec.exchange
2025-05-27

Investigation Scenario 🔎

Using network traffic, you've observed an HTTP request to a GitHub Gist page that contains a comma-separated list of 10 IP addresses.

What do you look for to investigate whether an incident occurred and its source?

#InvestigationPath #DFIR #SOC

Chris Sanders 🔎 🧠 @chrissanders88@infosec.exchange
2025-05-20

Investigation Scenario 🔎

A file named netview_windows.exe was executed on a system on your network.

What do you look for to investigate whether an incident occurred?

Native data sources only -- no EDR or external tools.

#InvestigationPath #DFIR #SOC

Chris Sanders 🔎 🧠 @chrissanders88@infosec.exchange
2025-05-13

Investigation Scenario 🔎

You have detected the creation of msiexec.exe in the bin directory of ManageEngine SupportCenter Plus.

Sigma rule source and important references: detection.fyi/sigmahq/sigma/em

What do you look for to investigate whether an incident occurred?

#InvestigationPath #DFIR #SOC

Chris Sanders 🔎 🧠 @chrissanders88@infosec.exchange
2025-05-06

Investigation Scenario 🔎

You have received an alert that ~300 registry keys were created and then deleted on a Windows system within a few minutes.

What do you look for to investigate whether an incident occurred?

#InvestigationPath #DFIR #SOC

Chris Sanders 🔎 🧠 @chrissanders88@infosec.exchange
2025-04-29

Investigation Scenario 🔎

You’ve discovered a developer workstation running an FTP server. The system owner is on vacation and can’t be reached.

What do you look for to investigate whether an incident occurred, its source, and its impact?

#InvestigationPath #DFIR #SOC

Chris Sanders 🔎 🧠 @chrissanders88@infosec.exchange
2025-04-22

Investigation Scenario 🔎

You have detected unauthorized modification to /etc/libaudit.conf on a Linux server.

What do you look for to investigate whether an incident occurred and its impact? What could an attacker have done here?

#InvestigationPath #DFIR #SOC

Chris Sanders 🔎 🧠 @chrissanders88@infosec.exchange
2025-04-15

Investigation Scenario 🔎

The process explorer.exe spawned rundll32.exe on a system on your network.

What do you look for to investigate whether an incident occurred?

Assume you have access to whatever digital evidence source you need.

#InvestigationPath #DFIR #SOC

Chris Sanders 🔎 🧠 @chrissanders88@infosec.exchange
2025-04-08

Investigation Scenario 🔎

A user reports that all the files in their documents/desktop folders are gone after returning to the office on Monday. They swear they didn’t delete them.

What do you look for to investigate whether an incident occurred?

#InvestigationPath #DFIR #SOC

Chris Sanders 🔎 🧠 @chrissanders88@infosec.exchange
2025-04-02

Investigation Scenario 🔎

PowerShell Script Block Logging (EID 4104) reveals the pictured command was executed:

What do you look for to investigate whether an incident occurred and its extent?

#InvestigationPath #DFIR #SOC

powershell -Command "Get-WmiObject Win32_ShadowCopy | ForEach-Object { $_.Delete(); }"
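Added example, not part of the post above and not Chris Sanders' code: Python detection logic run over constructed PowerShell EID 4104 (Script Block Logging) records, flattened to dicts with the event's own field names. It reassembles blocks that the log split across several events (ScriptBlockId with MessageNumber/MessageTotal), strips the cheap obfuscation that defeats a literal string match (backtick splits inside cmdlet names, the `%` alias for ForEach-Object, smart quotes), and flags shadow-copy deletion and recovery-inhibition commands, including the pictured one. The sample blocks and the script path are constructed; the pattern names are this example's own.

```python
import re
from collections import defaultdict

# Constructed EID 4104 records for this example. One block is deliberately split over
# two events, out of order, the way long scripts are fragmented in the log.
SAMPLE_4104 = [
    {"ScriptBlockId": "a7e1", "MessageNumber": 1, "MessageTotal": 1, "Path": "",
     "ScriptBlockText": "Get-WmiObject Win32_ShadowCopy | ForEach-Object { $_.Delete(); }"},
    {"ScriptBlockId": "b2c4", "MessageNumber": 2, "MessageTotal": 2,
     "Path": r"C:\Users\user\AppData\Local\Temp\run.ps1",
     "ScriptBlockText": "Copy | Remove-CimInstance"},
    {"ScriptBlockId": "b2c4", "MessageNumber": 1, "MessageTotal": 2,
     "Path": r"C:\Users\user\AppData\Local\Temp\run.ps1",
     "ScriptBlockText": "Get-CimInstance Win32_Shadow"},
    {"ScriptBlockId": "c9d0", "MessageNumber": 1, "MessageTotal": 1, "Path": "",
     "ScriptBlockText": "Get-WmiObject Win32_ShadowCopy | Select-Object ID, InstallDate"},
    {"ScriptBlockId": "d3f5", "MessageNumber": 1, "MessageTotal": 1, "Path": "",
     "ScriptBlockText": "Get-Wmi`Object Win32_Shadow`Copy | % { $_.Delete() }"},
    {"ScriptBlockId": "e6a8", "MessageNumber": 1, "MessageTotal": 1, "Path": "",
     "ScriptBlockText": "& vssadmin.exe delete shadows /all /quiet; wbadmin delete catalog -quiet"},
]

# Shadow-copy deletion and recovery-inhibition patterns, matched against normalized text.
PATTERNS = {
    "shadowcopy_delete_wmi_cim": re.compile(
        r"win32_shadowcopy.*?(?:\.delete\(|remove-ciminstance|remove-wmiobject)"),
    "vssadmin_delete_shadows": re.compile(r"vssadmin(?:\.exe)?\s+delete\s+shadows"),
    "vssadmin_resize_shadowstorage": re.compile(r"vssadmin(?:\.exe)?\s+resize\s+shadowstorage"),
    "wmic_shadowcopy_delete": re.compile(r"wmic(?:\.exe)?\s+shadowcopy\s+delete"),
    "wbadmin_delete_backup": re.compile(r"wbadmin(?:\.exe)?\s+delete\s+(?:catalog|systemstatebackup)"),
    "bcdedit_disable_recovery": re.compile(r"bcdedit(?:\.exe)?.*?recoveryenabled\s+no"),
}


def normalize(text):
    """Undo cheap obfuscation before matching: backtick splits inside names,
    smart quotes, case and whitespace runs."""
    text = text.replace("`", "").replace("\u201c", '"').replace("\u201d", '"')
    return re.sub(r"\s+", " ", text).lower()


def reassemble(events):
    """Join fragmented 4104 events by ScriptBlockId in MessageNumber order.
    Returns {ScriptBlockId: {"text", "path", "complete"}}."""
    parts = defaultdict(list)
    for ev in events:
        parts[ev["ScriptBlockId"]].append(ev)
    blocks = {}
    for sbid, frags in parts.items():
        frags.sort(key=lambda e: e["MessageNumber"])
        blocks[sbid] = {
            "text": "".join(f["ScriptBlockText"] for f in frags),
            "path": frags[0].get("Path", ""),
            # False when fragments are missing; match anyway, but note the gap.
            "complete": len(frags) == frags[0]["MessageTotal"],
        }
    return blocks


def classify(text):
    norm = normalize(text)
    return [name for name, rx in PATTERNS.items() if rx.search(norm)]


def triage_4104(events):
    """One finding per script block that matched at least one pattern."""
    findings = []
    for sbid, block in reassemble(events).items():
        hits = classify(block["text"])
        if hits:
            findings.append({
                "ScriptBlockId": sbid,
                "Path": block["path"] or "(no script file: -Command, interactive or in-memory)",
                "complete": block["complete"],
                "patterns": hits,
            })
    return findings


if __name__ == "__main__":
    for f in triage_4104(SAMPLE_4104):
        print(f)
```

Enumeration of Win32_ShadowCopy on its own is not flagged, since backup tooling and admins query it routinely; the Path field is carried through because a block with no path (as with the pictured `-Command` invocation) has to be tied back to its process via EID 4103/4688 or Sysmon EID 1 to find who ran it and from where.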
