Chris Sanders 🔎 🧠

1.9K Followers
375 Following
1,022 Posts

Security Analyst, Author, and Instructor, Ed.D.

Studying the intersection of security investigation doctrine, cognitive psychology, and education.

Founder of Applied Network Defense and Rural Tech Fund

Books:
🍯 Intrusion Detection Honeypots
🦈 Practical Packet Analysis
🌐 Applied Network Security Monitoring

Former: Mandiant, InGuardians, Dept of Defense, Roadside Fruit Vendor.

A question well stated is a problem half-solved. #InvestigationTheory

https://chrissanders.org/links/

Blog: https://chrissanders.org/
Training Courses: http://networkdefense.co/courses/
Twitter: https://twitter.com/chrissanders88
Books: https://chrissanders.org/publications
More Links: https://chrissanders.org/links/

Investigation Scenario 🔎

You've discovered a host with multiple instances of Chrome running the --hidden option.

What do you look for to investigate whether an incident occurred?

#InvestigationPath #DFIR #SOC

Investigation Scenario 🔎

Browser history for an HR user shows repeated visits to chat.openai[.]com, followed by creation of C:\Users\chris\AppData\Local\Temp\cleanup[.]ps1. The file is not available, and the hash shows no matches in OSINT resources.

What do you look for to investigate whether an incident occurred?

#InvestigationPath #DFIR #SOC

I post these scenarios every Tuesday! We're up to 135 of them so far! If you enjoy them, you'll probably like my Investigation Theory class where I work with folks directly on improving their investigative skills, leveraging principles from cognitive science: https://www.networkdefense.co/courses/

Investigation Scenario 🔎

A host on your network executed the command “netsh wlan show profile” for the first time.

What do you look for to investigate whether an incident occurred?

#InvestigationPath #DFIR #SOC
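One concrete way to work the "first time" angle in the scenario above, added here as an example and not code from the original post: keep a per-host baseline of normalized command lines, report a command only when a host has never run it, and carry the parent process, user and any follow-on switch along with the finding so the analyst has the pivots in hand. The baseline and the events below are constructed; their fields only mimic the shape of Sysmon Event ID 1 / Windows 4688 records, and the host names, users and timestamps are invented for the example.

```python
"""First-seen command-line detection, run over constructed process-creation events.

Added example for the "netsh wlan show profile" scenario; it is not code from the
original post. The baseline and the events are constructed, and the event fields
only mimic the shape of Sysmon Event ID 1 / Windows 4688 records.
"""
import re
from collections import defaultdict

# Constructed 30-day baseline: normalized command lines already seen on each host.
BASELINE = {
    "ws-it-02": {"netsh wlan show profile", "cmd /c whoami"},
    "ws-hr-07": {"outlook", "chrome --profile-directory=default"},
}

# Constructed process-creation events (Sysmon EID 1-style fields).
EVENTS = [
    {"ts": "2024-03-12T09:41:05", "host": "WS-HR-07", "user": "CORP\\chris",
     "parent": "C:\\Windows\\System32\\cmd.exe",
     "cmdline": "C:\\Windows\\System32\\netsh.exe  wlan show profile"},
    {"ts": "2024-03-12T09:41:19", "host": "WS-HR-07", "user": "CORP\\chris",
     "parent": "C:\\Windows\\System32\\cmd.exe",
     "cmdline": 'netsh wlan show profile name="CorpWiFi" key=clear'},
    {"ts": "2024-03-12T10:02:44", "host": "WS-IT-02", "user": "CORP\\helpdesk",
     "parent": "C:\\Windows\\explorer.exe",
     "cmdline": "NETSH wlan show profile"},
]

# Optional drive-letter path (unquoted, no spaces), then the image name and ".exe".
_IMAGE = re.compile(r'^"?(?:[a-z]:\\[^"\s]*\\)?([a-z0-9_.-]+)\.exe"?\s*', re.I)


def normalize(cmdline: str) -> str:
    """Lowercase, collapse whitespace, and drop the image's directory and .exe
    suffix so 'C:\\Windows\\System32\\netsh.exe  wlan ...' and 'NETSH wlan ...'
    compare equal."""
    s = " ".join(cmdline.split()).lower()
    m = _IMAGE.match(s)
    if m:
        s = (m.group(1) + " " + s[m.end():]).strip()
    return s


def first_seen(events, baseline):
    """Return events whose normalized command line has not been seen on that host.

    The baseline is extended as events are processed, so a command is reported
    the first time it appears on a host rather than on every repeat."""
    seen = defaultdict(set, {h: set(c) for h, c in baseline.items()})
    findings = []
    for ev in events:
        host = ev["host"].lower()
        cmd = normalize(ev["cmdline"])
        if cmd in seen[host]:
            continue
        seen[host].add(cmd)
        findings.append({
            **ev,
            "normalized": cmd,
            # netsh's key=clear switch prints a profile's pre-shared key in
            # plaintext; a follow-on like this turns discovery into credential access.
            "exposes_psk": "key=clear" in cmd,
        })
    return findings


if __name__ == "__main__":
    for f in first_seen(EVENTS, BASELINE):
        print(f["ts"], f["host"], f["user"], f["parent"], "->", f["normalized"],
              "(PSK exposed)" if f["exposes_psk"] else "")
```

Run as-is it reports the two WS-HR-07 events and stays quiet about WS-IT-02, where the command is already in the baseline. The parent process, the user and whether a key=clear follow-on appeared are what the analyst pivots on next; the normalizer is deliberately simple (it does not handle quoted paths containing spaces), which is a limitation to fix before using it on real telemetry.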

Investigation Scenario 🔎

Your SIEM flags an OAuth consent grant to “Adobe Secure Share” from a user's M365 account at 07:13 AM. The audit log shows consent to files.readwrite.all.

What do you look for to investigate whether an incident occurred?

#InvestigationPath #DFIR #SOC
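A triage pass over consent-grant audit records for the scenario above, added here as an example and not code from the original post: each record is scored on the scope it grants, whether offline_access (a refresh token) came with it, whether the consent is tenant-wide, and the time of day. The records only approximate the "Consent to application." operation in the M365 unified audit log; the field names, the business-hours window, the users and all but the first app name are assumptions constructed for the example.

```python
"""Triage of OAuth consent-grant audit records, run over constructed input.

Added example for the consent-grant scenario; it is not code from the original
post. The records approximate the "Consent to application." operation in the
M365 unified audit log, but the field names and the business-hours window are
assumptions made for this example.
"""
from datetime import datetime, time

# Delegated scopes that read or write broad sets of data (Microsoft Graph names).
HIGH_PRIVILEGE_SCOPES = {
    "files.readwrite.all", "files.read.all", "sites.readwrite.all",
    "mail.read", "mail.readwrite", "mail.send", "directory.readwrite.all",
}
BUSINESS_HOURS = (time(8, 0), time(18, 0))  # assumption: local working hours

# Constructed records; the first mirrors the scenario in the post.
RECORDS = [
    {"CreationTime": "2024-03-12T07:13:02", "UserId": "chris@corp.example",
     "Operation": "Consent to application.", "AppDisplayName": "Adobe Secure Share",
     "ConsentType": "Principal",
     "Scope": "files.readwrite.all offline_access openid profile"},
    {"CreationTime": "2024-03-12T10:45:17", "UserId": "pat@corp.example",
     "Operation": "Consent to application.", "AppDisplayName": "Microsoft Teams",
     "ConsentType": "Principal", "Scope": "user.read"},
    {"CreationTime": "2024-03-11T14:20:00", "UserId": "admin@corp.example",
     "Operation": "Consent to application.", "AppDisplayName": "Contoso HR Connector",
     "ConsentType": "AllPrincipals", "Scope": "files.read.all"},
    {"CreationTime": "2024-03-12T11:00:00", "UserId": "pat@corp.example",
     "Operation": "Add service principal.", "AppDisplayName": "Contoso HR Connector",
     "ConsentType": "", "Scope": ""},
]


def triage(record):
    """Return the reasons a single consent record deserves analyst attention.

    An empty list means nothing in the record itself stands out; the app's
    publisher, the user's sign-ins around the grant, and what the app did with
    the token afterwards still have to be checked outside this record."""
    if record["Operation"] != "Consent to application.":
        return []
    scopes = set(record["Scope"].lower().split())
    reasons = []
    privileged = sorted(scopes & HIGH_PRIVILEGE_SCOPES)
    if privileged:
        reasons.append("high-privilege scope: " + ", ".join(privileged))
    if privileged and "offline_access" in scopes:
        # offline_access issues a refresh token, so the app keeps access after
        # the browser session that granted it has ended.
        reasons.append("offline_access: refresh token keeps the grant alive")
    if record["ConsentType"] == "AllPrincipals":
        reasons.append("tenant-wide consent: applies to every user")
    t = datetime.fromisoformat(record["CreationTime"]).time()
    if not BUSINESS_HOURS[0] <= t < BUSINESS_HOURS[1]:
        reasons.append(f"granted at {t:%H:%M}, outside assumed business hours")
    return reasons


def findings(records):
    """Consent records with at least one triage reason, for the analyst's worklist."""
    out = []
    for r in records:
        reasons = triage(r)
        if reasons:
            out.append({"user": r["UserId"], "app": r["AppDisplayName"],
                        "time": r["CreationTime"], "reasons": reasons})
    return out


if __name__ == "__main__":
    for f in findings(RECORDS):
        print(f"{f['time']} {f['user']} -> {f['app']}")
        for reason in f["reasons"]:
            print("   -", reason)
```

The scenario's record comes out with three reasons (broad file access, a refresh token, and a grant at 07:13), which is enough to justify pulling the service principal that was created for the app, the user's sign-in events around that minute, and the file activity the app generated with the token; the benign Teams grant and the non-consent operation produce nothing.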

A whole unit of political science, sociology, economics, and behavioral science could be taught on this one.
...From a study that found that people with a more competitive worldview tend to see antagonistic behavior by leaders as a sign of competence and effectiveness, and are generally more tolerant of such behavior.
Big batch of FREE Milo and the Midnight Meteorite copies headed out to public schools today. Today's copies headed to schools in CA, NM, OR, MI, AL, AZ, TN, OH, KY, WI, IL, MS, and PA!
If you happen to know a teacher in a Title 1 or rural school, they can fill out this form to request a free copy: https://docs.google.com/forms/d/e/1FAIpQLSenTOlVdK7Vw8cMhnkHlTy5zN28XYY7l4E7S3RMrvbZTnk1sg/viewform?usp=header

Investigation Scenario 🔎

You receive a SIEM alert about this file:

C:\Users\bose\Downloads\report.doc

The file copied itself to %TEMP% and the original copy was deleted.

What do you look for to investigate whether an incident occurred?

#InvestigationPath #DFIR #SOC