Investigation Scenario

You have detected the creation of msiexec.exe in the bin directory of ManageEngine SupportCenter Plus.

Sigma rule source and important references: https://detection.fyi/sigmahq/sigma/emerging-threats/2021/exploits/cve-2021-44077/file_event_win_cve_2021_44077_poc_default_files/

What do you look for to investigate whether an incident occurred?

Investigation Scenario

You have received an alert that ~300 registry keys were created and then deleted on a Windows system within a few minutes.

What do you look for to investigate whether an incident occurred?

Investigation Scenario

You’ve discovered a developer workstation running an FTP server. The system owner is on vacation and can’t be reached.

What do you look for to investigate whether an incident occurred, its source, and its impact?

Investigation Scenario

You have detected unauthorized modification to /etc/libaudit.conf on a Linux server.

What do you look for to investigate whether an incident occurred and its impact? What could an attacker have done here?

Investigation Scenario

PowerShell Script Block Logging (EID 4104) reveals the pictured command was executed:

What do you look for to investigate whether an incident occurred and its extent?

Investigation Scenario

You’ve received an alert derived from a Sigma rule indicating a short name path was used in the command line.

Sigma Rule Source: https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_susp_ntfs_short_name_path_use_cli.yml

What do you look for to investigate whether an incident occurred?

Investigation Scenario

A server on your network suddenly sent DNS requests to several (100+) known malicious domains. but did not connect to them.

What do you look for to investigate the source and disposition of this event?

Investigation Scenario

Proxy logs show a Linux database server making HTTP requests with an empty User Agent string.

You don't have PCAP or other network logs.

What do you look for to investigate whether an incident occurred?

Investigation Scenario

Your CFO has returned from another country and they are concerned an untrusted party accessed their Mac laptop.

What do you look for to investigate whether an incident occurred? Where do you focus your first few steps?

Investigation Scenario

You receive an alert that a Linux system is experiencing consistently high CPU usage. Running crontab -l for the related user, you see the pictured entry...

However, when you check again, the crontab entry is gone.

The file listed in the cron job is not currently available at that URL.

What do you look for to investigate whether an incident occurred?

Investigation Scenario

A user workstation executed gpedit.msc for an unknown reason.

What do you look for to investigate whether an incident occurred?

Investigation Scenario

While threat hunting, you’ve discovered a host receiving HTTPS traffic on port TCP/53.

What do you look for to investigate whether an incident occurred?

Investigation Scenario

You've received an alert from the pictured Sigma rule indicating an account lockout occurred in your Azure environment.

What do you look for to investigate whether an incident occurred?

Investigation Scenario

You’ve discovered a 3 year old account named “testuser” on your Windows domain. Nobody knows who created it.

What do you look for to investigate whether this account has been used for any malicious activity?

Investigation Scenario

An employee was terminated for moonlighting with a competitor. While reviewing their Windows laptop, you find Slack is installed.

What do you look for to investigate their Slack use and if an incident occurred?

Investigation Scenario

You've detected potentially suspicious Telegram API usage with the pictured Sigma rule.

What do you look for to investigate whether an incident occurred?

Investigation Scenario

You’ve discovered a Windows 10 host placed in the wrong AD OU. As a result, WSUS did not pick it up for automatic updates for at least two years.

What do you look for to investigate whether it has been compromised?

Investigation Scenario

You’ve discovered the pictured log entry in /var/log/auth.log on a Linux server. Root login through SSH is supposed to be disabled on company systems.

What do you look for to investigate whether an incident occurred?

Assume you have access to whatever digital evidence source you need.

Investigation Scenario

A user's Windows workstation appears to display a ransom note associated with the BLACK CAT ransomware family. However, no files seem to be encrypted on the system.

What do you look for to investigate whether the ransomware executed successfully and the extent of the compromise?

Investigation Scenario

You’ve discovered a web server on your network running a version of WordPress that has not been updated for 3 years.

What do you look for to investigate whether a successful attack has been conducted against this server?