Chris Sanders 🔎 🧠

@chrissanders88@infosec.exchange
1.9K Followers
378 Following
811 Posts

Security Analyst, Author, and Instructor, Ed.D.

Studying the intersection of security investigation doctrine, cognitive psychology, and education.

Founder of Applied Network Defense and Rural Tech Fund

Books:
🍯 Intrusion Detection Honeypots
🦈 Practical Packet Analysis
🌐 Applied Network Security Monitoring

Former: Mandiant, InGuardians, Dept of Defense, Roadside Fruit Vendor.

A question well stated is a problem half-solved. #InvestigationTheory

https://chrissanders.org/links/

Blog: https://chrissanders.org/
Training Courses: http://networkdefense.co/courses/
Twitter: https://twitter.com/chrissanders88
Books: https://chrissanders.org/publications
More Links: https://chrissanders.org/links/

Last week, we launched a high-altitude balloon into the stratosphere. The payload included three Cube Satellite emulators built by rural classroom students we worked with. Their CubeSats collected real atmospheric data, which was returned to the classes for analysis. One of the neater projects we've done with Rural Tech Fund and our partner Teachers in Space. Check out these views from the balloon!

This week, I had the joy of sharing my meteorite collection with two very different classrooms—one full of curious high schoolers and the other full of wide-eyed Pre-K explorers. The questions were wildly different (“How did our gravity capture this Martian rock?” vs. “Do you have a piece of the sun?”), but the wonder was the same.

There’s something magical about holding a piece of outer space in your hand—and it's even more magical watching someone discover that for the first time. 🚀☄️🌎

Investigation Scenario 🔎

PowerShell Script Block Logging (EID 4104) reveals the pictured command was executed:

What do you look for to investigate whether an incident occurred and its extent?

#InvestigationPath #DFIR #SOC

I'm delivering the closing Keynote at RejectionCon (virtually) this year. I'll talk a bit about my story, how poverty charges interest, and some of the ways we provide unique learning opportunities to students at the Rural Tech Fund.

Space is so neat ☄️

Investigation Scenario 🔎

You receive an alert that a Linux system is experiencing consistently high CPU usage. Running crontab -l for the related user, you see the pictured entry...

However, when you check again, the crontab entry is gone.

The file listed in the cron job is not currently available at that URL.

What do you look for to investigate whether an incident occurred?

#InvestigationPath #DFIR #SOC

Here are the best books I read in 2024...

https://chrissanders.org/2025/01/my-favorite-books-of-2024/

What were your favorites from last year?

My Favorite Books of 2024 | Chris Sanders

Not many better ways to ring in the New Year! One of these days I'm gonna talk them into letting me run the grill for a couple of hours. #WaffleHome

Investigation Scenario 🔎

You've received an alert from the pictured Sigma rule indicating an account lockout occurred in your Azure environment.

What do you look for to investigate whether an incident occurred?

#InvestigationPath #DFIR #SOC

A few favorites from my library... a couple are signed!

I'm thinking about the Carters and their legacy today 💙