Chris Sanders 🔎 🧠<p>Investigation Scenario 🔎</p><p>You have detected unauthorized modification to /etc/libaudit.conf on a Linux server. </p><p>What do you look for to investigate whether an incident occurred and its impact? What could an attacker have done here?</p><p><a href="https://infosec.exchange/tags/InvestigationPath" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>InvestigationPath</span></a> <a href="https://infosec.exchange/tags/DFIR" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>DFIR</span></a> <a href="https://infosec.exchange/tags/SOC" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>SOC</span></a></p>
Recent searches
No recent searches
Search options
Only available when logged in.
shakedown.social is one of the many independent Mastodon servers you can use to participate in the fediverse.
A community for live music fans with roots in the jam scene. Shakedown Social is run by a team of volunteers (led by @clifff and @sethadam1) and funded by donations.
Administered by:
Server stats:
278active users
shakedown.social: About · Status · Profiles directory · Privacy policy
Mastodon: About · Get the app · Keyboard shortcuts · View source code · v4.3.7
#InvestigationPath
0 posts · 0 participants · 0 posts today
Chris Sanders 🔎 🧠<p>Investigation Scenario 🔎</p><p>Proxy logs show a Linux database server making HTTP requests with an empty User Agent string.</p><p>You don't have PCAP or other network logs. </p><p>What do you look for to investigate whether an incident occurred?</p><p><a href="https://infosec.exchange/tags/InvestigationPath" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>InvestigationPath</span></a> <a href="https://infosec.exchange/tags/DFIR" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>DFIR</span></a> <a href="https://infosec.exchange/tags/SOC" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>SOC</span></a></p>
Chris Sanders 🔎 🧠<p>Investigation Scenario 🔎</p><p>You’ve discovered a web server on your network running a version of WordPress that has not been updated for 3 years.</p><p>What do you look for to investigate whether a successful attack has been conducted against this server?</p><p><a href="https://infosec.exchange/tags/InvestigationPath" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>InvestigationPath</span></a> <a href="https://infosec.exchange/tags/DFIR" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>DFIR</span></a> <a href="https://infosec.exchange/tags/SOC" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>SOC</span></a></p>
Chris Sanders 🔎 🧠<p>Investigation Scenario 🔎</p><p>You discover an unusual scheduled task named "UpdateCheck" on a Windows system. The task triggers a PowerShell script located at "C:\Windows\Temp\update[.]ps1</p><p>What do you look for to investigate whether an incident occurred?</p><p>You don't have immediate file system access (you can't grab the file quickly), but assume you have access to whatever other digital evidence source you need (system logs, network data, and so on).</p><p><a href="https://infosec.exchange/tags/InvestigationPath" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>InvestigationPath</span></a> <a href="https://infosec.exchange/tags/DFIR" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>DFIR</span></a> <a href="https://infosec.exchange/tags/SOCAnalyst" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>SOCAnalyst</span></a></p>
ExploreLive feeds
Mastodon is the best way to keep up with what's happening.
Follow anyone across the fediverse and see it all in chronological order. No algorithms, ads, or clickbait in sight.
Create accountLoginDrag & drop to upload