Chris Sanders 🔎 🧠
Nov 8, 2022 • 6 tweets • 2 min read
Investigation Scenario 🔎

A workstation attempted authentication to every other Windows system on the local network.

What do you look for to start investigating this event?

Assume you have access to any evidence source you want, but no commercial EDR tools.

#InvestigationPath
Response of the week goes to @DanielOfService.

When available, knowing the expected system role is helpful and sets the context for the next things you'll look for (like the process responsible for the activity). It's also easy to answer.

Many good responses -- lots of folks want to find the source process, which when examined, will reveal a lot regarding disposition. Many want to understand the ratio of success/failed logins. That may not help with disposition, but if malicious, will help with affected scope.
This example and the responses demonstrate how interpreting evidence can provide different types of cues. Dispositional cues hint at whether something is malicious or benign, and relational cues hint at the presence of additional relationships relevant to the investigation.
When possible, it's often more important to focus on the dispositional cues rather than the relational clues for the sake of expediency at the early stages of an investigation. Some relationships don't matter if you can quickly prove a benign disposition.
As always, a few paths with some leading to the same place. If you played along, pay special attention to how your knowledge of specific evidence sources influenced your choices and the cues you're able to identify or pursue. #InvestigationPath
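To make the scope question from the thread concrete, here is an added example (not from the thread) that aggregates constructed Windows Security events (4624 success, 4625 failure, LogonType 3) per source address, reporting distinct targets touched and the success/failure ratio. The key=value layout, host names, addresses and user names are all assumptions.

```python
"""Per-source summary of network logons: how many distinct hosts one workstation
authenticated to, and how many of those attempts succeeded vs. failed."""
from collections import defaultdict

# Constructed sample: Security-log events gathered from each target host
# (Computer). 4624 = logon success, 4625 = logon failure; LogonType 3 = network.
# All hosts, addresses and users below are made up for the example.
SAMPLE_EVENTS = """\
EventID=4624 Computer=FS01 IpAddress=10.0.5.23 TargetUserName=jdoe LogonType=3
EventID=4625 Computer=HR-PC7 IpAddress=10.0.5.23 TargetUserName=jdoe LogonType=3
EventID=4625 Computer=DC01 IpAddress=10.0.5.23 TargetUserName=jdoe LogonType=3
EventID=4624 Computer=PRINT01 IpAddress=10.0.5.23 TargetUserName=jdoe LogonType=3
EventID=4625 Computer=WS-042 IpAddress=10.0.5.23 TargetUserName=jdoe LogonType=3
EventID=4624 Computer=FS01 IpAddress=10.0.5.23 TargetUserName=jdoe LogonType=2
EventID=4624 Computer=FS01 IpAddress=10.0.7.9 TargetUserName=asmith LogonType=3
EventID=4624 Computer=FS01 IpAddress=10.0.7.9 TargetUserName=asmith LogonType=3
"""


def parse_event(line):
    """Turn one 'key=value key=value' line into a dict."""
    return dict(kv.split("=", 1) for kv in line.split())


def summarize_sources(text, min_targets=3):
    """Return {source_ip: summary} for sources that reached >= min_targets
    distinct hosts over network logons (interactive/local logons are ignored)."""
    stats = defaultdict(lambda: {"targets": set(), "users": set(), "ok": 0, "fail": 0})
    for line in text.splitlines():
        if not line.strip():
            continue
        ev = parse_event(line)
        if ev.get("LogonType") != "3":
            continue
        s = stats[ev["IpAddress"]]
        s["targets"].add(ev["Computer"])
        s["users"].add(ev["TargetUserName"])
        if ev["EventID"] == "4624":
            s["ok"] += 1
        elif ev["EventID"] == "4625":
            s["fail"] += 1
    out = {}
    for ip, s in stats.items():
        if len(s["targets"]) < min_targets:
            continue
        total = s["ok"] + s["fail"]
        out[ip] = {"distinct_targets": len(s["targets"]), "success": s["ok"],
                   "failure": s["fail"], "users": sorted(s["users"]),
                   "failure_ratio": s["fail"] / total if total else 0.0}
    return out
```

The responsible process is not present in the target side's 4624/4625 records; that has to come from the originating workstation, for example Sysmon Event ID 3, which records the image for each outbound connection.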
