Investigation Scenario 🔎

Browser history for an HR user shows repeated visits to chat.openai[.]com, followed by creation of C:\Users\chris\AppData\Local\Temp\cleanup[.]ps1. The file is not available, and the hash shows no matches in OSINT resources.

What do you look for to investigate whether an incident occurred?

#InvestigationPath #DFIR #SOC

Investigation Scenario 🔎

A host on your network executed the command "netsh wlan show profile" for the first time.

What do you look for to investigate whether an incident occurred?

#InvestigationPath #DFIR #SOC

Investigation Scenario 🔎

Your SIEM flags an OAuth consent grant to "Adobe Secure Share" from a user's M365 account at 07:13 AM. The audit log shows consent to files.readwrite.all.

What do you look for to investigate whether an incident occurred?

#InvestigationPath #DFIR #SOC

Investigation Scenario 🔎

You receive a SIEM alert about this file:

C:\Users\bose\Downloads\report.doc

The file copied itself to %TEMP% and the original copy was deleted.

What do you look for to investigate whether an incident occurred?

#InvestigationPath #DFIR #SOC

Investigation Scenario 🔎

You find Event ID 7045 showing a new service installed: WinUpdateCheck, pointing to C:\ProgramData\wucheck.exe. You report to the SOC lead that this system is infected and needs to be contained.

They ask you to justify that request.

What evidence do you present to elevate this from "suspicious service creation" to confirmed malicious activity? Lead with your strongest likely evidence sources and conclusions.

#InvestigationPath #DFIR #SOC

Investigation Scenario 🔎

A user reports OneDrive crashing on startup. You see OneDrive.exe launched as expected, but then you spot conhost.exe spawned within 2 seconds, followed by mshta.exe -- no obvious error dialogs.

What do you look for to investigate whether an incident occurred?

#InvestigationPath #DFIR #SOC

Investigation Scenario 🔎

Several of your key developers had Notepad++ installed during the time period when the project was believed to have been compromised.

What do you look for to investigate whether an incident occurred?

#InvestigationPath #DFIR #SOC

Investigation Scenario 🔎

You received an alert that the creation date of a file was changed to a prior year.

What do you look for to investigate whether an incident occurred?

#InvestigationPath #DFIR #SOC

Investigation Scenario 🔎

You know an attacker accessed several customer support workstations in the past month based on discovery of a consistent persistence mechanism. You suspect wider access, but auth logs only go back 24h.

How can you determine where else the attacker went?

#InvestigationPath #DFIR #SOC

Investigation Scenario 🔎

While reviewing group membership on a Windows domain, you discover that the account of a former IT employee is still active. They left the company nearly a year ago.

What do you look for to investigate whether an incident occurred?

#InvestigationPath #DFIR #SOC