#InvestigationPath

Chris Sanders 🔎 🧠<p>Investigation Scenario 🔎</p><p>This file was found on a user workstation: <a href="https://app.any.run/tasks/39d47711-d3cd-42f7-836b-55e442f5643c" rel="nofollow noopener" translate="no" target="_blank">https://app.any.run/tasks/39d47711-d3cd-42f7-836b-55e442f5643c</a></p><p>What do you look for to investigate whether it was executed and the extent of its effect on the system?</p><p><a href="https://infosec.exchange/tags/InvestigationPath" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>InvestigationPath</span></a> <a href="https://infosec.exchange/tags/DFIR" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>DFIR</span></a> <a href="https://infosec.exchange/tags/SOC" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>SOC</span></a></p>
Chris Sanders 🔎 🧠<p>Investigation Scenario 🔎</p><p>Antivirus flagged (but did not block) execution of a file with the IMPHASH ba5546933531fafa869b1f86a4e2a959.</p><p>What do you look for to investigate whether an incident occurred and its impact?</p><p><a href="https://infosec.exchange/tags/InvestigationPath" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>InvestigationPath</span></a> <a href="https://infosec.exchange/tags/DFIR" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>DFIR</span></a> <a href="https://infosec.exchange/tags/SOC" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>SOC</span></a></p>
Chris Sanders 🔎 🧠<p>Investigation Scenario 🔎</p><p>A teacher’s laptop shows a spike in traffic to api[.]school-supplies-check[.]com every morning at 8:05 AM. You cannot access anything at this domain.</p><p>What do you look for to investigate whether an incident occurred?</p><p><a href="https://infosec.exchange/tags/InvestigationPath" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>InvestigationPath</span></a> <a href="https://infosec.exchange/tags/DFIR" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>DFIR</span></a> <a href="https://infosec.exchange/tags/SOC" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>SOC</span></a></p>
Chris Sanders 🔎 🧠<p>Investigation Scenario 🔎</p><p>Your managed service provider called and said they discovered a domain admin user account they don't recognize. It's about two months old.</p><p>What do you look for to investigate whether an incident occurred?</p><p><a href="https://infosec.exchange/tags/InvestigationPath" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>InvestigationPath</span></a> <a href="https://infosec.exchange/tags/DFIR" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>DFIR</span></a> <a href="https://infosec.exchange/tags/SOC" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>SOC</span></a></p>
Chris Sanders 🔎 🧠<p>Investigation Scenario 🔎</p><p>PowerShell Script Block Logging (EID 4104) reveals the pictured command was executed:</p><p>What do you look for to investigate whether an incident occurred and its extent?</p><p><a href="https://infosec.exchange/tags/InvestigationPath" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>InvestigationPath</span></a> <a href="https://infosec.exchange/tags/DFIR" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>DFIR</span></a> <a href="https://infosec.exchange/tags/SOC" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>SOC</span></a></p>