There are many paths you could take with this scenario. At a high level, the big question you want answered is whether the user or an attacker set up the forwarding rule. But you've got to ask other, more specific questions to figure that out. #InvestigationPath #DFIR
A lot of great responses this week so I won't rehash every path, but there's an opportunity to explore the disposition and prevalence of the client IP, the timing of the rule creation versus AD auth, potential outgoing spam activity,
A few folks pointed out the timing of the rule creation, which is undoubtedly significant. Was the rule created well before djenkins went on their trip? Right before? During it? Those timings all have different implications.
As a general focus, you could spend time finding anomalies from the user's normal baseline or identifying signs of compromise on their system. Either way, you'll build a timeline of relevant events and draw inferences from that.
Many folks jumped straight to containment, and I can understand why, because that's an easy call in this scenario -- high risk, and a low-impact decision in some cases. However, you still have to investigate the scenario even after you've contained it.
My response of the week is from Seth, who was very detailed and covered a lot of meaningful angles.
By the way, how would you go about auditing the inbox/forwarding rules setup across your user base? Something to think about... 🚀
I post an investigation scenario every week!
❓Tuesday: I post the scenario to comment on ✅ Friday: I share some of my thoughts and pick a favorite response
If you like these scenarios, you’ll probably also like some of my writing and courses here: chrissanders.org/links/.
This scenario was much broader than most, and notice how that invited many more responses and a great diversity in paths to pursue. Sometimes the most challenging part of an investigation is knowing which initial #InvestigationPath to take.
That effect is a product of the path itself and the evidence being examined.
There is often a best opening move in a scenario, but in those like the one I’ve shared here, there isn’t an obvious opening move without gaining more information first.
When available, knowing the expected system role is helpful and sets the context for the next things you'll look for (like the process responsible for the activity). It's also easy to answer.
Many good responses -- lots of folks want to find the source process, which when examined, will reveal a lot regarding disposition. Many want to understand the ratio of success/failed logins. That may not help with disposition, but if malicious, will help with affected scope.
When an attacker gains initial access to a system on a network, common actions are:
1. Scanning the network for pivot targets
2. Pillaging the system for valuable files
3. Stealing credentials from the system
Each provides an opportunity for honeypot-based detection 🧵
1/
When an attacker is scanning the network for pivot targets, a listening honey service on a common port that is placed on that network segment is likely to receive a probe. That probe generates an alert indicating the compromised source host.
2/
When an attacker is pillaging the system for useful files, an enticingly named honey file is likely to be accessed (either directly or after exfil). When opened, that file contacts a listening server that generates an alert.
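A minimal honey service of the kind described above, written here as an added illustration (not code from the original thread): it listens on a port, treats any connection as a probe, and turns the peer address into an alert record naming the compromised source host. The port number, alert field names and the loopback self-test are my own assumptions.

```python
import json
import socket
import threading
from datetime import datetime, timezone


def build_alert(peer_ip, peer_port, honey_port, first_bytes):
    """Turn one probe into an alert record; the key fact is the source host."""
    return {
        "type": "honey_service_probe",
        "time": datetime.now(timezone.utc).isoformat(),
        "source_host": peer_ip,          # the host that touched the honey port
        "source_port": peer_port,
        "honey_port": honey_port,
        "payload_preview": first_bytes[:64].decode("latin-1"),
    }


def bind_honey_port(host="0.0.0.0", port=0):
    """Bind a listening socket; port=0 lets the OS pick (handy for testing)."""
    listener = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    listener.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    listener.bind((host, port))
    listener.listen(5)
    return listener


def accept_probe(listener, timeout=5.0):
    """Accept one connection and return its alert, or None if nothing arrives.

    Nothing legitimate should ever connect, so no protocol handling is needed:
    the connection itself is the signal. We only peek at the first bytes for context.
    """
    listener.settimeout(timeout)
    try:
        conn, (peer_ip, peer_port) = listener.accept()
    except socket.timeout:
        return None
    with conn:
        conn.settimeout(1.0)
        try:
            first = conn.recv(1024)   # whatever the scanner sends, possibly nothing
        except socket.timeout:
            first = b""
    return build_alert(peer_ip, peer_port, listener.getsockname()[1], first)


def demo_probe(payload=b"GET / HTTP/1.0\r\n\r\n"):
    """Self-test: bind on loopback, probe it from this process, return the alert."""
    listener = bind_honey_port("127.0.0.1")
    port = listener.getsockname()[1]
    result = []
    worker = threading.Thread(target=lambda: result.append(accept_probe(listener)))
    worker.start()
    with socket.create_connection(("127.0.0.1", port)) as client:
        client.sendall(payload)   # constructed probe, stands in for a scanner's banner grab
    worker.join(10)
    listener.close()
    return result[0]


if __name__ == "__main__":
    print(json.dumps(demo_probe(), indent=2))
```

In practice the alert would be shipped to the SIEM rather than printed; the same listener pattern also works as the callback endpoint a honey file contacts when opened.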
One of the underappreciated benefits of the increased acceptance of remote work — it makes more jobs accessible to folks with disabilities. Since April 2020, the number of disabled folks participating in the workforce has increased 5%. bloomberg.com/news/articles/…
Even when a workplace is accessible to someone with a disability (and despite the ADA, many are not), the commute there may not be. Eliminating that commute opens up a lot of possibilities.
The benefits here are not just about new folks gaining access to the workforce…it’s also a win that disabled folks already working have access to a greater number and diversity of jobs. More options means more social mobility.
I was speaking to a security team earlier this week and we spent some time talking about creating a culture of curiosity. A few things I shared... 1/ 🧵
Curiosity is the desire to know something, and it's one of the most important traits security practitioners can possess. 2/
The more curious you are, the faster you learn and gain experience. We often describe experience in terms of years, but quality and diversity of experience are usually more important than duration. 3/
The digital forensic investigation is the systematic inquiry and examination of evidence to gain an accurate perception of whether a compromise has occurred, and to what extent.
Digital forensics is... the preservation, collection, validation, identification, analysis, interpretation, documentation, and presentation of digital evidence derived from digital sources to facilitate or further the reconstruction of events found to be criminal, or helping to anticipate unauthorized actions shown to be disruptive to planned operations.