Investigation Scenario 🔎
A workstation attempted authentication to every other Windows system on the local network.
What do you look for to start investigating this event?
Assume you have access to any evidence source you want, but no commercial EDR tools.
#InvestigationPath
Response of the week goes to @DanielOfService.
When available, knowing the expected system role is helpful and sets the context for the next things you'll look for (like the process responsible for the activity). It's also easy to answer.
Many good responses -- lots of folks want to find the source process, which when examined, will reveal a lot regarding disposition. Many want to understand the ratio of success/failed logins. That may not help with disposition, but if malicious, will help with affected scope.
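The two cues this paragraph names (success/failure ratio and the set of hosts a logon actually succeeded on) are cheap to compute once 4624/4625 events from the target hosts are collected in one place. The script below is an added example, not code from the thread or its respondents; it assumes the events have been flattened into comma-separated records with constructed host names, IPs and accounts, an invented asset-role table standing in for the "expected system role" context, and an arbitrary threshold of three distinct targets before a source is worth a look.

```python
"""Triage helper for the 'one workstation authenticated to everything' scenario.

Added example. It assumes Windows Security events (4624 = successful logon,
4625 = failed logon) have been collected centrally from every target host and
flattened into CSV records. All hosts, IPs, accounts and roles below are
constructed placeholders.
"""
from collections import defaultdict
import csv
import io

# Constructed sample: event_id, target_host, source_ip, account, logon_type.
# Logon type 3 is a network logon, the type produced by SMB/RPC authentication
# from one host to another.
SAMPLE_EVENTS = """\
event_id,target_host,source_ip,account,logon_type
4625,FS01,10.0.0.23,CORP\\jdoe,3
4625,FS02,10.0.0.23,CORP\\jdoe,3
4624,FS03,10.0.0.23,CORP\\jdoe,3
4625,FS04,10.0.0.23,CORP\\jdoe,3
4624,WS17,10.0.0.23,CORP\\jdoe,3
4625,DC01,10.0.0.23,CORP\\administrator,3
4624,FS01,10.0.0.40,CORP\\svc_backup,3
4624,FS02,10.0.0.40,CORP\\svc_backup,3
4624,FS03,10.0.0.40,CORP\\svc_backup,3
4624,FS04,10.0.0.40,CORP\\svc_backup,3
4624,FS01,10.0.0.51,CORP\\asmith,3
"""

# Constructed asset inventory standing in for the "expected system role" cue.
# Roles listed in EXPECTED_BROAD_AUTH_ROLES are expected to authenticate widely.
EXPECTED_BROAD_AUTH_ROLES = {"backup-server", "vuln-scanner"}
ASSET_ROLES = {
    "10.0.0.23": "user-workstation",
    "10.0.0.40": "backup-server",
    "10.0.0.51": "user-workstation",
}


def parse_events(text):
    """Parse the flattened records into dicts with an integer event_id."""
    rows = []
    for row in csv.DictReader(io.StringIO(text)):
        row["event_id"] = int(row["event_id"])
        rows.append(row)
    return rows


def summarize_by_source(events):
    """Per source IP: distinct targets attempted, targets where a logon
    succeeded (the affected scope if this turns out malicious), accounts
    used, and success/failure counts with their ratio."""
    summary = defaultdict(lambda: {
        "targets": set(), "succeeded_on": set(), "accounts": set(),
        "successes": 0, "failures": 0,
    })
    for ev in events:
        s = summary[ev["source_ip"]]
        s["targets"].add(ev["target_host"])
        s["accounts"].add(ev["account"])
        if ev["event_id"] == 4624:
            s["successes"] += 1
            s["succeeded_on"].add(ev["target_host"])
        elif ev["event_id"] == 4625:
            s["failures"] += 1
    for s in summary.values():
        total = s["successes"] + s["failures"]
        s["success_ratio"] = s["successes"] / total if total else 0.0
    return dict(summary)


def triage(events, min_targets=3):
    """Return sources that reached at least min_targets distinct hosts and
    whose inventory role does not explain broad authentication. Each finding
    carries the cues discussed in the thread: role (dispositional context),
    success ratio, accounts used, and the hosts where a logon succeeded."""
    findings = []
    for src, s in summarize_by_source(events).items():
        if len(s["targets"]) < min_targets:
            continue
        role = ASSET_ROLES.get(src, "unknown")
        if role in EXPECTED_BROAD_AUTH_ROLES:
            continue  # the role explains the behaviour; keep it out of the queue
        findings.append({
            "source_ip": src,
            "role": role,
            "targets": len(s["targets"]),
            "success_ratio": round(s["success_ratio"], 2),
            "accounts": sorted(s["accounts"]),
            "affected_scope": sorted(s["succeeded_on"]),
        })
    # Widest reach first: that is where scoping work should begin.
    findings.sort(key=lambda f: (-f["targets"], f["source_ip"]))
    return findings


if __name__ == "__main__":
    for finding in triage(parse_events(SAMPLE_EVENTS)):
        print(finding)
```

On the constructed data the backup server drops out on role alone, leaving the workstation at 10.0.0.23 with six targets, a success ratio of about one in three, two accounts tried, and a scope of two hosts to examine next. The source process the thread says most people want is not in these target-side events; that comes from evidence on the source host itself (for example the explicit-credential logon event 4648 recorded there, which includes the process), which is why the role and ratio cues are the quicker first step.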
This example and the responses demonstrate how interpreting evidence can provide different types of cues. Dispositional cues hint at whether something is malicious or benign, and relational cues hint at the presence of additional relationships relevant to the investigation.
When possible, it's often more important to focus on the dispositional cues rather than the relational clues for the sake of expediency at the early stages of an investigation. Some relationships don't matter if you can quickly prove a benign disposition.
As always, a few paths with some leading to the same place. If you played along, pay special attention to how your knowledge of specific evidence sources influenced your choices and the cues you're able to identify or pursue. #InvestigationPath
