#InvestigationPath

Chris Sanders 🔎 🧠

Investigation Scenario 🔎

A user workstation executed gpedit.msc for an unknown reason.

What do you look for to investigate whether an incident occurred?

#InvestigationPath #DFIR #SOC

Chris Sanders 🔎 🧠

Investigation Scenario 🔎

You've discovered the pictured log entry in /var/log/auth.log on a Linux server. Root login through SSH is supposed to be disabled on company systems.

What do you look for to investigate whether an incident occurred?

Assume you have access to whatever digital evidence source you need.

#InvestigationPath #DFIR #SOC

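One concrete starting point for the scenario above, as an added example that is not Chris Sanders' code: parse the sshd lines in /var/log/auth.log, isolate every accepted login for root, count the failures from the same source that preceded it, and check whether the sshd_config on disk really forbids root logins (sshd uses the first top-level value for a keyword, but a Match block can re-enable it for some addresses). The log lines, the sshd_config text and the hostnames and addresses are constructed for this example.

```python
"""Triage helper for the root-over-SSH scenario: pull sshd authentication
events out of /var/log/auth.log, isolate accepted logins for root, and
check whether the sshd_config on disk actually forbids them.

Added example, not Chris Sanders' code. The log lines and the sshd_config
text below are constructed for the example."""
import re

# Default syslog-style sshd line, e.g.
# "Mar  4 02:17:09 web01 sshd[2231]: Accepted password for root from 203.0.113.45 port 51822 ssh2"
SSHD_AUTH_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) sshd\[(?P<pid>\d+)\]: "
    r"(?P<result>Accepted|Failed) (?P<method>\S+) for (?:invalid user )?"
    r"(?P<user>\S+) from (?P<ip>[0-9a-fA-F.:]+) port (?P<port>\d+)"
)

# Constructed sample: two password failures from one address, then a success as root.
SAMPLE_AUTH_LOG = """\
Mar  4 02:15:52 web01 sshd[2201]: Failed password for root from 203.0.113.45 port 51790 ssh2
Mar  4 02:16:30 web01 sshd[2214]: Failed password for root from 203.0.113.45 port 51801 ssh2
Mar  4 02:17:09 web01 sshd[2231]: Accepted password for root from 203.0.113.45 port 51822 ssh2
Mar  4 02:17:09 web01 sshd[2231]: pam_unix(sshd:session): session opened for user root by (uid=0)
Mar  4 02:20:41 web01 sshd[2290]: Accepted publickey for deploy from 10.0.0.12 port 40112 ssh2
Mar  4 02:22:13 web01 sshd[2301]: Failed password for invalid user admin from 198.51.100.7 port 33010 ssh2
"""

# Constructed sshd_config: root is disabled globally but re-enabled by a Match block.
SAMPLE_SSHD_CONFIG = """\
Port 22
PermitRootLogin no
PasswordAuthentication yes
Match Address 203.0.113.0/24
    PermitRootLogin yes
"""


def parse_sshd_auth(text):
    """Return one dict per Accepted/Failed sshd line, in log order."""
    events = []
    for line in text.splitlines():
        m = SSHD_AUTH_RE.match(line)
        if m:
            ev = m.groupdict()
            ev["pid"], ev["port"] = int(ev["pid"]), int(ev["port"])
            events.append(ev)
    return events


def accepted_root_logins(events):
    return [e for e in events if e["result"] == "Accepted" and e["user"] == "root"]


def failures_before(events, login):
    """Failed attempts from the same source address earlier in the log than
    the given accepted login (log order stands in for time order)."""
    idx = events.index(login)
    return sum(1 for e in events[:idx] if e["result"] == "Failed" and e["ip"] == login["ip"])


def permit_root_login(sshd_config):
    """Return (global_value, [(match_criteria, value), ...]).

    sshd takes the FIRST top-level value it sees for a keyword, but a Match
    block can override it for connections that match, so those are reported
    separately. None means the keyword is absent and the compiled-in default
    applies (prohibit-password on current OpenSSH). Include directives are not
    followed here; on a live host, `sshd -T` prints the effective value."""
    global_value, match_values, in_match = None, [], None
    for raw in sshd_config.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = re.split(r"[\s=]+", line, maxsplit=1)
        key = parts[0].lower()
        value = parts[1].strip() if len(parts) > 1 else ""
        if key == "match":
            in_match = value
        elif key == "permitrootlogin":
            if in_match:
                match_values.append((in_match, value))
            elif global_value is None:
                global_value = value
    return global_value, match_values


def triage(auth_log, sshd_config):
    """Combine both checks into findings an analyst can act on."""
    events = parse_sshd_auth(auth_log)
    global_value, overrides = permit_root_login(sshd_config)
    return [
        {
            "when": login["ts"], "source": login["ip"], "method": login["method"],
            "prior_failures_from_source": failures_before(events, login),
            "global_PermitRootLogin": global_value,
            "match_overrides": overrides,
        }
        for login in accepted_root_logins(events)
    ]


if __name__ == "__main__":
    for finding in triage(SAMPLE_AUTH_LOG, SAMPLE_SSHD_CONFIG):
        print(finding)
```

The config check is deliberately separate from the log parse: an "Accepted ... for root" line proves the daemon permitted it at that moment, while the file on disk only tells you what the intended policy was. A mismatch between the two (policy says `no`, log says `Accepted`) points you at Match blocks, Include files, a config change, or a second sshd instance on another port, each of which is its own follow-up question.
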
Chris Sanders 🔎 🧠

I blessed a lot of hearts on this one. Remember...

- It's an investigation scenario, not a response scenario
- As much as you want to assume breach, you still gotta prove it
- I never mentioned whether the server was externally facing, which changes a lot of things. It's not meant to be a trick question, but it is meant to make sure you don't skip over some inquiry that may seem obvious, but is essential to cover. There's some anchoring bias that happens here when folks hear WordPress (or any frequently vulnerable software) is involved.

#InvestigationPath #DFIR

Chris Sanders 🔎 🧠

Investigation Scenario 🔎

You've discovered a web server on your network running a version of WordPress that has not been updated for 3 years.

What do you look for to investigate whether a successful attack has been conducted against this server?

#InvestigationPath #DFIR #SOC

Chris Sanders 🔎 🧠

Investigation Scenario 🔎

An unknown wireless network with a strong signal has appeared inside your corporate office.

What do you look for to investigate whether an incident occurred, and its extent?

#InvestigationPath #DFIR #SOC

Chris Sanders 🔎 🧠

Investigation Scenario 🔎

Several Windows computers on your network have blue-screened.

What do you look for to investigate whether an attack has occurred?

This one is obviously based on recent events, but let's bracket the scenario away from those events and approach it without that recency bias.

#InvestigationPath #DFIR #SOC

Chris Sanders 🔎 🧠

Investigation Scenario 🔎

You've been given the hard drive of an IT employee suspected of using their computer to leak company secrets on public forums.

What do you look for to investigate whether an incident occurred?

For this scenario, I want you to be specific about the evidence sources you'll examine to find your desired artifacts.

#InvestigationPath #DFIR #SOC

Chris Sanders 🔎 🧠

I chose this scenario because it's one I've encountered in my time as a pen tester and in forensic scenarios. When you're dealing with specialized software, it's helpful to know how an attacker might approach unexpected access to it. So, about that...

It might not be that often that an attacker actively seeks out a Tomcat server, but if they happen across one that might help them achieve their goals, they'll absolutely try to take advantage of that, particularly if it's as easy as using a default credential.

A common scenario for an attacker with admin access here is to deploy a web shell that allows them to issue commands to the underlying operating system. If Tomcat is running as an admin, the attacker can usually leverage that into direct interactive access in a number of ways.

I've gone from this exact scenario to domain admin and seen real attackers do it as well. When you understand how it happens, you can consider the places where those actions might leave evidence.

During the time users were logged in, were any new applications deployed? Were any new WAR files written to the system? Were any underlying system commands executed? Were there any changes to remote access policies? It's all about furthering access here in most cases.

Remember, the server could have been set up by a legit user who just neglected to change the credentials. It's worth asking them. Either way, you'll need to differentiate benign from malicious use. There are lots of good ideas for that in folks' replies.

Speaking of web servers, do you know where they all are in your environment? How would you know if a new one popped up? That's something to think about... 🚀

#InvestigationPath #DFIR #SOC

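The "were any new applications deployed" question from the post above, turned into a check you can run over the Tomcat access log, as an added example that is not Chris Sanders' code: list every request that changes what is deployed through the Manager application (the text interface's deploy/undeploy and the HTML manager's upload/deploy/undeploy endpoints), with the authenticated user, source address and target context, then surface requests to any context that is not on an approved list, since a freshly dropped web shell shows up as exactly that. It assumes the default AccessLogValve pattern (`%h %l %u %t "%r" %s %b`); the log lines, the addresses and the approved-context set are constructed for this example.

```python
"""Triage helper for the Tomcat default-credential scenario: read the Tomcat
access log, list every Manager deploy/upload/undeploy action with who did it
and from where, and then surface requests to contexts that are not on the
approved list (a freshly deployed web shell shows up as exactly that).

Added example, not Chris Sanders' code. Assumes the default AccessLogValve
pattern (%h %l %u %t "%r" %s %b); the log lines and the approved-context
set below are constructed for the example."""
import re
from urllib.parse import parse_qs, urlsplit

ACCESS_RE = re.compile(
    r'^(?P<ip>\S+) (?P<ident>\S+) (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<uri>\S+) [^"]*" (?P<status>\d{3}) (?P<bytes>\S+)'
)

# Manager application endpoints that change what is deployed.
MANAGER_CHANGE_PATHS = (
    "/manager/text/deploy", "/manager/text/undeploy",
    "/manager/html/upload", "/manager/html/deploy", "/manager/html/undeploy",
)

# Constructed sample: a Manager login, an upload through the HTML manager,
# a hit on the new context with a command parameter, and a later scripted deploy.
SAMPLE_ACCESS_LOG = """\
10.0.0.55 - tomcat [04/Mar/2024:02:31:10 +0000] "GET /manager/html HTTP/1.1" 200 12034
10.0.0.55 - tomcat [04/Mar/2024:02:31:44 +0000] "POST /manager/html/upload?org.apache.catalina.filters.CSRF_NONCE=7F3A HTTP/1.1" 302 -
10.0.0.55 - tomcat [04/Mar/2024:02:31:46 +0000] "GET /manager/html/list HTTP/1.1" 200 13122
10.0.0.55 - - [04/Mar/2024:02:32:05 +0000] "GET /shell/cmd.jsp?cmd=whoami HTTP/1.1" 200 214
10.0.0.12 - - [04/Mar/2024:02:40:01 +0000] "GET /app/index.jsp HTTP/1.1" 200 5120
10.0.0.55 - tomcat [04/Mar/2024:03:01:12 +0000] "PUT /manager/text/deploy?path=/upd&update=true HTTP/1.1" 200 41
"""

# Constructed: the contexts that are supposed to exist on this server.
APPROVED_CONTEXTS = {"/app", "/manager"}


def parse_access_log(text):
    """One dict per request, with the URI split into path, query and context."""
    events = []
    for line in text.splitlines():
        m = ACCESS_RE.match(line)
        if not m:
            continue
        ev = m.groupdict()
        parts = urlsplit(ev["uri"])
        ev["path"], ev["query"] = parts.path, parse_qs(parts.query)
        segs = parts.path.split("/")
        ev["context"] = "/" + segs[1] if len(segs) > 1 else parts.path
        events.append(ev)
    return events


def manager_actions(events):
    """Deploy/upload/undeploy requests through the Manager app, with the
    target context when the request names one (text interface `path=`).
    HTML-manager uploads carry the WAR name in the multipart body, which the
    access log does not record, so `target` is None for those."""
    out = []
    for e in events:
        if e["path"].startswith(MANAGER_CHANGE_PATHS):
            out.append({
                "when": e["ts"], "user": e["user"], "source": e["ip"],
                "action": e["path"].rsplit("/", 1)[-1],
                "target": e["query"].get("path", [None])[0],
                "status": e["status"],
            })
    return out


def unexpected_context_hits(events, approved):
    """Requests to any context not on the approved list. The Manager app
    itself is excluded by putting /manager in the approved set."""
    return [e for e in events if e["context"] not in approved]


def triage(text, approved):
    events = parse_access_log(text)
    hits = unexpected_context_hits(events, approved)
    return {
        "manager_actions": manager_actions(events),
        "unexpected_contexts": sorted({e["context"] for e in hits}),
        "suspicious_requests": [(e["ts"], e["ip"], e["method"], e["uri"]) for e in hits],
    }


if __name__ == "__main__":
    for key, value in triage(SAMPLE_ACCESS_LOG, APPROVED_CONTEXTS).items():
        print(key, value)
```

Two caveats when you run this against a real server: the access log only exists if an AccessLogValve is configured in server.xml (it is in the stock configuration, but it can be removed), and an HTML-manager upload leaves the WAR name out of the log, so pair the `upload` entries with catalina.out's "Deploying web application archive" lines and with the modification times of new .war files and exploded directories under webapps. That is also the place to look for the "were any new WAR files written" question in the post.
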
Chris Sanders 🔎 🧠

Investigation Scenario 🔎

During a third-party penetration test, someone discovered an internal Apache Tomcat server using default credentials.

What do you look for to investigate whether an attacker has used those credentials maliciously?

#InvestigationPath #DFIR #SOC

Chris Sanders 🔎 🧠

Investigation Scenario 🔎

An employee is suspected of having communicated company information to an outside person. You have an image of their hard drive.

What do you look for to investigate whether an incident occurred and its extent?

#InvestigationPath #DFIR #SOC

Chris Sanders 🔎 🧠

Investigation Scenario 🔎

An attacker used stolen credentials to authenticate to a Windows file server.

What do you look for to investigate the extent of their compromise on the system?

Assume you have access to whatever digital evidence source you need, but no commercial EDR tool.

#InvestigationPath #DFIR #SOC

Chris Sanders 🔎 🧠

Investigation Scenario 🔎

During incident response, you discover a recently created file named 1.wad on a system the attacker accessed.

What do you look for to investigate whether the file is involved in the compromise and how the attacker might have used it?

Assume you have access to whatever digital evidence source you need.

#InvestigationPath #DFIR #SOCAnalyst

Chris Sanders 🔎 🧠

Investigation Scenario 🔎

A system mounted a file named TXRTN_8291834.iso.

What do you look for to determine if this system is infected and identify the potential malware?

The file is no longer available but you can use any other evidence source you like.

#InvestigationPath