Discover and read the best of Twitter Threads about #InvestigationPath
Most recents (3)
There are many paths you could take with this scenario. At a high level, the big question you want to be answered is whether the user or an attacker set up the forwarding rule. But, you've got to ask other, more specific questions to figure that out. #InvestigationPath #DFIR
A lot of great responses this week so I won't rehash every path, but there's an opportunity to explore the disposition and prevalence of the client IP, the timing of the rule creation versus AD auth, potential outgoing spam activity,
A few folks pointed out the timing of the rule creation, which is undoubtedly significant. Was the rule created well before djenkins went on their trip? Right before? During it? Those timings all have different implications.
This scenario was much broader than most, and notice how that invited many more responses and a great diversity in paths to pursue. Sometimes the most challenging of an investigation is knowing which initial #InvestigationPath to take.
Something we know from research is that the initial path (“opening move”) matters.
I shared some of this research in this blog post: chrissanders.org/2016/09/effect….
That effect is a product of the path itself and the evidence being examined.
I shared some of this research in this blog post: chrissanders.org/2016/09/effect….
That effect is a product of the path itself and the evidence being examined.
There is often a best opening move in a scenario, but in those like the one I’ve shared here, there isn’t an obvious opening move without gaining more information first.
Investigation Scenario 🔎
A workstation attempted authentication to every other Windows system on the local network.
What do you look for to start investigating this event?
Assume you have access to any evidence source you want, but no commercial EDR tools.
#InvestigationPath
A workstation attempted authentication to every other Windows system on the local network.
What do you look for to start investigating this event?
Assume you have access to any evidence source you want, but no commercial EDR tools.
#InvestigationPath
Response of the week goes to @DanielOfService.
When available, knowing the expected system role is helpful and sets the context for the next things you'll look for (like the process responsible for the activity). It's also easy to answer.
When available, knowing the expected system role is helpful and sets the context for the next things you'll look for (like the process responsible for the activity). It's also easy to answer.
Many good responses -- lots of folks want to find the source process, which when examined, will reveal a lot regarding disposition. Many want to understand the ratio of success/failed logins. That may not help with disposition, but if malicious, will help with affected scope.
