
Posts by Chris Sanders 🔎 🧠

Investigation Scenario 🔎

You believe a Linux server was used as a jump box to pivot into another network segment, but the network traffic would not have crossed a sensor boundary for logging.

What evidence do you look for to prove the belief?

#InvestigationPath #DFIR #SOC

7 hours ago 0 0 0 0

When you hear the word "identity" in cybersecurity, what does that mean to you? How do you define it?

4 days ago 0 0 0 0

Investigation Scenario 🔎

You run IT for a public high school. A teacher observed a student using AI to generate ideas for accessing the school grading system and reported it.

What do you look for to investigate whether an incident occurred?

#InvestigationPath #DFIR #SOC

1 week ago 0 0 0 0
Investigation Theory — Applied Network Defense

If you like these scenarios, you'll love my Investigation Theory course. We go through many of them, I give you individualized feedback on your responses, and share strategies for approaching them based on reliable investigative doctrine.

www.networkdefense.co/courses/inv...

3 weeks ago 0 0 0 0

What do you look for to investigate whether an incident occurred?

#InvestigationPath #DFIR #SOC

3 weeks ago 0 0 1 0

Investigation Scenario 🔎

A user reports their hard drive is full, but they don't know why. While investigating, you find a series of large, password-protected RAR files that the user knows nothing about.

3 weeks ago 0 0 1 0

Most people don't need to understand the full history of psych or computing, or the nuances of field ontology. However, most WILL benefit from understanding field epistemology, limitations, and interactions that meet the world they experience daily.

3 weeks ago 2 0 0 0

A course that prepares someone to see through a field's lens will look fundamentally different than a course that prepares someone to be a practitioner within that field. Applied Field 101 vs. Field 101 for Practitioners.

3 weeks ago 1 0 1 0
The article discusses challenges in teaching introductory psychology courses and the need for effective reform to enhance student understanding.

This article is about intro psych courses, but it highlights a common problem across many fields at universities, including tech-related. Introductory courses are designed to prepare students for further study in a field, yet in reality, may be their only exposure to it.

3 weeks ago 1 0 1 0

Investigation Scenario 🔎

You've discovered a host with multiple instances of Chrome running the --hidden option.

What do you look for to investigate whether an incident occurred?

#InvestigationPath #DFIR #SOC

4 weeks ago 0 0 0 0

What do you look for to investigate whether an incident occurred?

#InvestigationPath #DFIR #SOC

1 month ago 0 0 0 0

Investigation Scenario 🔎

Browser history for an HR user shows repeated visits to chat.openai[.]com, followed by creation of C:\Users\chris\AppData\Local\Temp\cleanup[.]ps1. The file is not available, and the hash shows no matches in OSINT resources.

1 month ago 1 0 1 0
Courses — Applied Network Defense

I post these scenarios every Tuesday! We're up to 135 of them so far! If you enjoy them, you'll probably like my Investigation Theory class, where I work with folks directly on improving their investigative skills, leveraging principles from cognitive science: www.networkdefense.co/courses/

1 month ago 1 0 1 0

Investigation Scenario 🔎

A host on your network executed the command "netsh wlan show profile" for the first time.

What do you look for to investigate whether an incident occurred?

#InvestigationPath #DFIR #SOC

1 month ago 1 0 1 0

Investigation Scenario 🔎

Your SIEM flags an OAuth consent grant to "Adobe Secure Share" from a user's M365 account at 07:13 AM. The audit log shows consent to files.readwrite.all.

What do you look for to investigate whether an incident occurred?

#InvestigationPath #DFIR #SOC

1 month ago 0 0 1 0

Source: www.apa.org/pubs/journa...

1 month ago 0 0 0 0

...From a study that found that people with a more competitive worldview tend to see antagonistic behavior by leaders as a sign of competence and effectiveness, and are generally more tolerant of such behavior.

1 month ago 0 0 1 0
Flowchart illustrating relationships between competitive worldview, perceived behaviors, and leadership effectiveness, with study references noted.

A whole unit of political science, sociology, economics, and behavioral science could be taught on this one.

1 month ago 1 0 1 0
Milo and the Midnight Meteorite: Are you ready to embark on a cosmic adventure? Milo and the Midnight Meteorite is a captivating children's book that sparks curiosity about meteorites and the magnificent universe we inhabit!

We fulfill them as we can. The more folks buy, the more we're able to give away. We also have a "Buy 1 + Give 1" option available on the website: milosmeteorite.com

1 month ago 0 0 0 0
Book Request Form: Milo and the Midnight Meteorite. Thank you for your interest in bringing "Milo and the Midnight Meteorite" to your classroom, library, or school! Please fill out the form below to request copies of the book be donated to you to utilize with your students. We will be in touch with you about your request. *Subject to availability. Filling out a book request does not guarantee that your request will be fulfilled.

If you happen to know a teacher in a Title 1 or rural school, they can fill out this form to request a free copy: docs.google.com/forms/d/e/1...

1 month ago 1 0 1 0
A stack of sealed packages contains copies of "Milo and the Midnight Meteorite," featuring a child and a dog on the cover.

Big batch of FREE Milo and the Midnight Meteorite copies headed out to public schools today. Today's copies headed to schools in CA, NM, OR, MI, AL, AZ, TN, OH, KY, WI, IL, MS, and PA!

1 month ago 1 1 1 0

Investigation Scenario 🔎

You receive a SIEM alert about this file:

C:\Users\bose\Downloads\report.doc

The file copied itself to %TEMP% and the original copy was deleted.

What do you look for to investigate whether an incident occurred?

#InvestigationPath #DFIR #SOC

1 month ago 0 0 0 0

What evidence do you present to elevate this from "suspicious service creation" to confirmed malicious activity? Lead with your strongest likely evidence sources and conclusions.

#InvestigationPath #DFIR #SOC

2 months ago 0 0 0 0

Investigation Scenario 🔎

You find Event ID 7045 showing a new service installed: WinUpdateCheck, pointing to C:\ProgramData\wucheck.exe. You report to the SOC lead that this system is infected and needs to be contained.

They ask you to justify that request.

2 months ago 0 0 1 0

Source: www.pnas.org/doi/abs/10....

2 months ago 0 0 0 0
Dense block of academic text explaining how mental fatigue from prolonged cognitive effort can impair self-control and increase impulsive, aggressive social behavior.

"...the propensity for prosocial behavior may be reduced in states of cognitive fatigue resulting from the extended exertion of self-control." similar to "sleep-like activity"

Prolonged cognitive fatigue ➡️ frontal cortex changes ➡️ more aggressive and uncooperative

2 months ago 0 0 1 0

#InvestigationPath #DFIR #SOC

2 months ago 0 0 0 0

Investigation Scenario 🔎

A user reports OneDrive crashing on startup. You see OneDrive.exe launched as expected, but then you spot conhost.exe spawned within 2 seconds, followed by mshta.exe -- no obvious error dialogs.

What do you look for to investigate whether an incident occurred?

2 months ago 0 0 1 0
AND Analyst Skills Vault: The AND Analyst Skills Vault is a subscription-based service that provides access to our growing collection of standalone video lessons built by domain experts. We add new lessons monthly for security analysts, forensic investigators, malware analysts, threat hunters, intelligence analysts, and other defensive security practitioners.

I'll pick one of my favorite responses this week for a free subscription to my Analyst Skills Vault: networkdefense.co/skillsvault

2 months ago 1 1 1 0

Investigation Scenario 🔎

Several of your key developers had Notepad++ installed during the time period when the project was believed to have been compromised.

What do you look for to investigate whether an incident occurred?

#InvestigationPath #DFIR #SOC

2 months ago 0 0 1 0