With this week’s #InvestigationPath, we’re trying to determine if someone used a legitimate tool for malicious purposes. There are a few things to consider here, but I want to focus on the idea of relationships.

Everything we care about in investigations centers on relationships — when they start, end, and change. A host connects to another host, a user logs into a system, a system executes a file… all relationships.

In this case, even with a single event we have several relationships we want to understand better, and each represents its own investigation path. For example, many mentioned the relationship between bitsadmin.exe and the parent process that launched it.

We care about process hierarchies because most processes are typically launched from a predictable set of parents. When a process has an unexpected parent, that becomes noteworthy. We expect svchost.exe to launch bitsadmin.exe, but maybe not powershell or an Office application.

Of course, sometimes this sort of analysis reveals new relationships to explore. If bitsadmin.exe was run from Microsoft Word, we know that a user opened a file in Word. That extends the path back in time. It also suggests the existence of other, yet unknown relationships. Where did the file come from?

There are more relationships and characteristics to examine here. What about the relationship between the system that executed BITS and the remote host it connected to? What was transferred? Is it normal for a user in this role to launch bitsadmin? Lots of good ideas in the replies.

An event is a start, end, or change in a relationship. A relationship always has at least two entities. The entities have characteristics and the relationship itself has characteristics. I describe this way of thinking as part of my TERC model.

As you break down investigations, think about the relationships you already know about and the ones that are suggested by the evidence you have available. Examine the characteristics of those entities and the relationships. That's how you make sense and move forward.

My response of the week goes to @bherund on Twitter who put in some detailed and diverse thoughts and even included a few lab screenshots with examples (see the whole thread). https://twitter.com/bherund/status/1651674968646733824

Speaking of relationships, what are the most common ones you spend time investigating? That’s something to think about… 🚀 #DFIR #SOCAnalyst

This is why I created a Security Engineering *org* at my last place.

Included devsecops, sec architects, cloudsec, threat modeling, and sec engineers (devs) that could onboard with a production for months at a time.

Set up best practices and *help* mitigate priority issues.