Top Tweets for #InvestigationPath
Investigation Scenario
You believe a Linux server was used as a jump box to pivot into another network segment, but the network traffic would not have crossed a sensor boundary for logging.
What evidence do you look for to prove the belief?
#InvestigationPath #DFIR #SOC
Investigation Scenario
You run IT for a public high school. A teacher observed a student using AI to generate ideas for accessing the school grading system and reported it.
What do you look for to investigate whether an incident occurred?
#InvestigationPath #DFIR #SOC
Investigation Scenario
You've discovered a host with multiple instances of Chrome running the --hidden option.
What do you look for to investigate whether an incident occurred?
#InvestigationPath #DFIR #SOC
Investigation Scenario
A host on your network executed the command "netsh wlan show profile" for the first time.
What do you look for to investigate whether an incident occurred?
#InvestigationPath #DFIR #SOC
Investigation Scenario
Your SIEM flags an OAuth consent grant to "Adobe Secure Share" from a user's M365 account at 07:13 AM. The audit log shows consent to files.readwrite.all.
What do you look for to investigate whether an incident occurred?
#InvestigationPath #DFIR #SOC
Investigation Scenario
You receive a SIEM alert about this file:
C:\Users\bose\Downloads\report.doc
The file copied itself to %TEMP% and the original copy was deleted.
What do you look for to investigate whether an incident occurred?
#InvestigationPath #DFIR #SOC
Investigation Scenario
Several of your key developers had Notepad++ installed during the time period when the project was believed to have been compromised.
What do you look for to investigate whether an incident occurred?
#InvestigationPath #DFIR #SOC
Investigation Scenario
You received an alert that the creation date of a file was changed to a prior year.
What do you look for to investigate whether an incident occurred?
#InvestigationPath #DFIR #SOC

Investigation Scenario
While reviewing group membership on a Windows domain, you discover that the account of a former IT employee is still active. They left the company nearly a year ago.
What do you look for to investigate whether an incident occurred?
#InvestigationPath #DFIR #SOC
Investigation Scenario
While reviewing asset scanning reports, you've discovered a Mint Linux system that does not appear on any change request.
What do you look for to investigate the origin of the system and whether malicious activity occurred?
#InvestigationPath #DFIR #SOC
Investigation Scenario
While reviewing web logs on a Linux Apache server, you discover inbound requests for PHP pages. However, the server is not reported to host PHP content.
What do you look for to investigate whether an incident occurred?
#InvestigationPath #DFIR #SOC
Investigation Scenario
A Windows system executed dsa.msc for the first time.
What do you look for to investigate whether an incident occurred AND its scope?
#InvestigationPath #DFIR #SOC
Investigation Scenario
You've found a new entry in ShimCache on Windows 10: C:\Users\Public\svchost32.exe with a last modified timestamp predating system boot.
What do you look for to investigate whether an incident occurred?
#InvestigationPath #DFIR #SOC
Investigation Scenario
While attending a conference, a user reports they were connected to a rogue access point for a couple of hours rather than the official conference wifi.
What do you look for to investigate the impact of the incident?
#InvestigationPath #DFIR #SOC
Investigation Scenario
Someone inside your network opened a file containing a honeytoken. The file is a spreadsheet on a web server that isn't linked anywhere publicly facing.
What do you look for to investigate whether an incident occurred?
#InvestigationPath #DFIR #SOC
Investigation Scenario
AV on a point of sale system flags a new startup entry named "PSLService.exe" in C:\Users\Public\Kiosk\.
Festive fall plugin or cred stealer? Something else?
What are your first few moves to investigate this finding?
#InvestigationPath #DFIR #SOC
Investigation Scenario
You've come across a log for the following execution:
msiexec.exe /i "\\10.0.0.5\share\patch.msi" /qn
The file is not available on the remote host.
What do you look for to investigate whether an incident occurred?
#InvestigationPath #DFIR #SOC
Investigation Scenario
A user reported that their workstation appears to reboot every night.
Unfortunately, due to admin error, Windows Event logging is disabled on the host.
What do you look for to investigate whether an incident occurred?
#InvestigationPath #DFIR #SOC
Investigation Scenario
You've observed a system making the following HTTP request to an unknown IP address:
GET /1742214432 HTTP/1.1
What do you look for to investigate whether an incident occurred?
#InvestigationPath #DFIR #SOC