Chris Sanders 🔎 🧠

Investigation Scenario 🔎

Your SIEM flags an OAuth consent grant to “Adobe Secure Share” from a user's M365 account at 07:13 AM. The audit log shows consent to files.readwrite.all.

What do you look for to investigate whether an incident occurred?

#InvestigationPath #DFIR #SOC

Source: www.apa.org/pubs/journa...

...From a study that found that people with a more competitive worldview tend to see antagonistic behavior by leaders as a sign of competence and effectiveness, and are generally more tolerant of such behavior.

Flowchart illustrating relationships between competitive worldview, perceived behaviors, and leadership effectiveness, with study references noted.

A whole unit of political science, sociology, economics, and behavioral science could be taught on this one.

Milo and the Midnight Meteorite Are you ready to embark on a cosmic adventure? Milo and the Midnight Meteorite is a captivating children’s book that sparks curiosity about meteorites and the magnificent universe we inhabit!

We fulfill them as we can. The more folks buy, the more we're able to give away. We also have a "Buy 1 + Give 1" option available on the website: milosmeteorite.com

Book Request Form: Milo and the Midnight Meteorite Thank you for your interest in bringing "Milo and the Midnight Meteorite" to your classroom, library, or school! Please fill out the form below to request copies of the book be donated to you to utilize with your students. We will be in touch with you about your request. *Subject to availability. Filling out a book request does not guarantee that your request will be fulfilled.

If you happen to know a teacher in a Title 1 or rural school, they can fill out this form to request a free copy: docs.google.com/forms/d/e/1...

A stack of sealed packages contains copies of "Milo and the Midnight Meteorite," featuring a child and a dog on the cover.

Big batch of FREE Milo and the Midnight Meteorite copies headed out to public schools today. Today's copies headed to schools in CA, NM, OR, MI, AL, AZ, TN, OH, KY, WI, IL, MS, and PA!

Investigation Scenario 🔎

You receive a SIEM alert about this file:

C:\Users\bose\Downloads\report.doc

The file copied itself to %TEMP% and the original copy was deleted.

What do you look for to investigate whether an incident occurred?

#InvestigationPath #DFIR #SOC

What evidence do you present to elevate this from “suspicious service creation” to confirmed malicious activity? Lead with your strongest likely evidence sources and conclusions.

#InvestigationPath #DFIR #SOC

Investigation Scenario 🔎

You find Event ID 7045 showing a new service installed: WinUpdateCheck, pointing to C:\ProgramData\wucheck.exe. You report to the SOC lead that this system is infected and needs to be contained.

They ask you to justify that request.

Source: www.pnas.org/doi/abs/10....

Dense block of academic text explaining how mental fatigue from prolonged cognitive effort can impair self-control and increase impulsive, aggressive social behavior.

"...the propensity for prosocial behavior may be reduced in states of cognitive fatigue resulting from the extended exertion of self-control." similar to "sleep-like activity"

Prolonged cognitive fatigue ➡️ frontal cortex changes ➡️ more aggressive and uncooperative

#InvestigationPath #DFIR #SOC

Investigation Scenario 🔎

A user reports OneDrive crashing on startup. You see OneDrive.exe launched as expected, but then you spot conhost.exe spawned within 2 seconds, followed by mshta.exe -- no obvious error dialogs.

What do you look for to investigate whether an incident occurred?

AND Analyst Skills Vault The AND Analyst Skills Vault is a subscription-based service that provides access to our growing collection of standalone video lessons built by domain experts. We add new lessons monthly for security analysts, forensic investigators, malware analysts, threat hunters, intelligence analysts, and other defensive security practitioners.

I'll pick one of my favorite responses this week for a free subscription to my Analyst Skills Vault: networkdefense.co/skillsvault

Investigation Scenario 🔎

Several of your key developers had Notepad++ installed during the time period when the project was believed to have been compromised.

What do you look for to investigate whether an incident occurred?

#InvestigationPath #DFIR #SOC

sigma/rules/windows/file/file_change/file_change_win_2022_timestomping.yml at master · SigmaHQ/sigma Main Sigma Rule Repository. Contribute to SigmaHQ/sigma development by creating an account on GitHub.

Scenario based on this Sigma rule: github.com/SigmaHQ/sig...

Terminal window showing Sigma rule for "File Creation Date Changed" with selections, filters, file paths, and notes for DFIR investigation.

Investigation Scenario 🔎

You received an alert that the creation date of a file was changed to a prior year.

What do you look for to investigate whether an incident occurred?

#InvestigationPath #DFIR #SOC

In a time when I don't feel like there's a lot of innovation going on in the candy space, Nerds Gummy Clusters are genuinely pretty special.

Investigation Scenario 🔎

You know an attacker accessed several customer support workstations in the past month based on discovery of a consistent persistence mechanism. You suspect wider access, but auth logs only go back 24h. How can you determine where else the attacker went?

#InvestigationPath

Investigation Scenario 🔎

While reviewing group membership on a Windows domain, you discover that the account of a former IT employee is still active. They left the company nearly a year ago.

What do you look for to investigate whether an incident occurred?

#InvestigationPath #DFIR #SOC

Source: psycnet.apa.org/fulltext/20...

Academic paper title and abstract about how visible pay disparities influence teaming: people favor higher‑paid peers as collaborators but avoid hiring them as subordinates.

"People tend to show a bias in favor of higher paid peers as collaboration partners, while they show an aversion to hiring people with higher pay histories as subordinates."

By understanding what the file is expected to do, you can then examine evidence to determine if those things happened and their impact. If you can't directly prove execution, proving these things can indirectly prove it.

Now, "what changes were made to the system?" is too broad. You could look in a hundred places to answer that without narrowing the path further.

Some options here include...
1. OSINT research on the executable (hash, file name, other details)
2. Execute the file in a sandbox

That first question is pretty solid. However, there's a gap between the first and the second. Just because a host downloads a file doesn't mean the file executes. A meaningful follow-up becomes, "Did the host execute the EXE?"

"Did the host successfully download the EXE? If so, what changes were made to the system?"

How could we improve this investigative path with stronger questions?

#SOC #DFIR

Neon teal text reading "CHRIS SANDERS OFFICE HOURS" set against a starry night sky above a silhouetted ridge and tree.

Semi-annual reminder that if you're one of my Applied Network Defense students, you have access to my open office hours. I just updated those for the first half of the year. Details inside your class portal.

Investigation Scenario 🔎

While reviewing asset scanning reports, you’ve discovered a Mint Linux system that does not appear on any change request.

What do you look for to investigate the origin of the system and whether malicious activity occurred?

#InvestigationPath #DFIR #SOC

You can donate to the RTF here: ruraltechfund.org/donate