Chris Sanders πŸ”Ž 🧠2d ago

Investigation Scenario πŸ”Ž

A user reports their hard drive is full, but they don't know why. While investigating, you find a series of large, password-protected RAR files that the user knows nothing about.

What do you look for to investigate whether an incident occurred?

#InvestigationPath #DFIR #SOC

Chris Sanders πŸ”Ž 🧠Mar 24

Investigation Scenario πŸ”Ž

You've discovered a host with multiple instances of Chrome running the --hidden option.

What do you look for to investigate whether an incident occurred?

#InvestigationPath #DFIR #SOC

Chris Sanders πŸ”Ž 🧠Mar 17

Investigation Scenario πŸ”Ž

Browser history for an HR user shows repeated visits to chat.openai[.]com, followed by creation of C:\Users\chris\AppData\Local\Temp\cleanup[.]ps1. The file is not available, and the hash shows no matches in OSINT resources.

What do you look for to investigate whether an incident occurred?

#InvestigationPath #DFIR #SOC

Chris Sanders πŸ”Ž 🧠Mar 10

Investigation Scenario πŸ”Ž

A host on your network executed the command β€œnetsh wlan show profile” for the first time.

What do you look for to investigate whether an incident occurred?

#InvestigationPath #DFIR #SOC

Chris Sanders πŸ”Ž 🧠Mar 3

Investigation Scenario πŸ”Ž

Your SIEM flags an OAuth consent grant to β€œAdobe Secure Share” from a user's M365 account at 07:13 AM. The audit log shows consent to files.readwrite.all.

What do you look for to investigate whether an incident occurred?

#InvestigationPath #DFIR #SOC

Chris Sanders πŸ”Ž 🧠Feb 24

Investigation Scenario πŸ”Ž

You receive a SIEM alert about this file:

C:\Users\bose\Downloads\report.doc

The file copied itself to %TEMP% and the original copy was deleted.

What do you look for to investigate whether an incident occurred?

#InvestigationPath #DFIR #SOC

Chris Sanders πŸ”Ž 🧠Feb 17

Investigation Scenario πŸ”Ž

You find Event ID 7045 showing a new service installed: WinUpdateCheck, pointing to C:\ProgramData\wucheck.exe. You report to the SOC lead that this system is infected and needs to be contained.

They ask you to justify that request.

What evidence do you present to elevate this from β€œsuspicious service creation” to confirmed malicious activity? Lead with your strongest likely evidence sources and conclusions.

#InvestigationPath #DFIR #SOC

Chris Sanders πŸ”Ž 🧠Feb 10

Investigation Scenario πŸ”Ž

A user reports OneDrive crashing on startup. You see OneDrive.exe launched as expected, but then you spot conhost.exe spawned within 2 seconds, followed by mshta.exe -- no obvious error dialogs.

What do you look for to investigate whether an incident occurred?

#InvestigationPath #DFIR #SOC

Chris Sanders πŸ”Ž 🧠Feb 3

Investigation Scenario πŸ”Ž

Several of your key developers had Notepad++ installed during the time period when the project was believed to have been compromised.

What do you look for to investigate whether an incident occurred?

#InvestigationPath #DFIR #SOC

Chris Sanders πŸ”Ž 🧠Jan 27

Investigation Scenario πŸ”Ž

You received an alert that the creation date of a file was changed to a prior year.

What do you look for to investigate whether an incident occurred?

#InvestigationPath #DFIR #SOC