Discover and read the best of Twitter Threads about #InvestigationPath

Most recents (3)

There are many paths you could take with this scenario. At a high level, the big question you want to be answered is whether the user or an attacker set up the forwarding rule. But, you've got to ask other, more specific questions to figure that out. #InvestigationPath #DFIR
A lot of great responses this week so I won't rehash every path, but there's an opportunity to explore the disposition and prevalence of the client IP, the timing of the rule creation versus AD auth, potential outgoing spam activity,
A few folks pointed out the timing of the rule creation, which is undoubtedly significant. Was the rule created well before djenkins went on their trip? Right before? During it? Those timings all have different implications.
Read 8 tweets
This scenario was much broader than most, and notice how that invited many more responses and a great diversity in paths to pursue. Sometimes the most challenging of an investigation is knowing which initial #InvestigationPath to take.
Something we know from research is that the initial path (“opening move”) matters.

I shared some of this research in this blog post: chrissanders.org/2016/09/effect….

That effect is a product of the path itself and the evidence being examined.
There is often a best opening move in a scenario, but in those like the one I’ve shared here, there isn’t an obvious opening move without gaining more information first.
Read 7 tweets
Investigation Scenario 🔎

A workstation attempted authentication to every other Windows system on the local network.

What do you look for to start investigating this event?

Assume you have access to any evidence source you want, but no commercial EDR tools.

#InvestigationPath
Response of the week goes to @DanielOfService.

When available, knowing the expected system role is helpful and sets the context for the next things you'll look for (like the process responsible for the activity). It's also easy to answer.

Many good responses -- lots of folks want to find the source process, which when examined, will reveal a lot regarding disposition. Many want to understand the ratio of success/failed logins. That may not help with disposition, but if malicious, will help with affected scope.
Read 6 tweets

Related hashtags

Did Thread Reader help you today?

Support us! We are indie developers!


This site is made by just two indie developers on a laptop doing marketing, support and development! Read more about the story.

Become a Premium Member ($3.00/month or $30.00/year) and get exclusive features!

Become Premium

Too expensive? Make a small donation by buying us coffee ($5) or help with server cost ($10)

Donate via Paypal Become our Patreon

Thank you for your support!