Questions to ask during an attack
The right questions provide important insight into how to get out of trouble. What happened, and what indicators do we have?

What were the artifacts used for?
- Have the files been run? How did they get in? With what input/output?
- Created as a service? Set to autorun (enabled or disabled)?
- Were the artifacts removed afterwards, or are they freely available?
- Do we know what the files do? (test in a sandbox)

Who used the files?
- Local, domain or remote user? What rights?
- Are there domain admins at all?
- Who ran the files, and at what privilege level (admin vs normal user)?

Where were the artifacts found?
- Shellbags, MRU, Event Logs, Services, MFT, NTFS?
- Memory? Data streams?
- Payload from other connected IPs/URLs? Path to file / registry.

When are the artifacts from?
- Which data layers were timestamps taken from? Where are the remaining timestamps?
- Do we trust the timestamps, or are they obfuscated by malware?
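As an added example (not part of the original notes), a small Python heuristic for the "do we trust the timestamps" question: it compares the user-writable $STANDARD_INFORMATION timestamps of an MFT entry with the kernel-maintained $FILE_NAME timestamps of the same entry and flags the usual timestomping signs. The MftEntry structure and the sample records are constructed for the example, not output of a real MFT parser.

```python
from dataclasses import dataclass
from datetime import datetime


@dataclass
class MftEntry:
    """Constructed view of one MFT record: the two timestamp layers we compare."""
    path: str
    si_created: datetime    # $STANDARD_INFORMATION, settable from user mode (SetFileTime)
    si_modified: datetime   # $STANDARD_INFORMATION last write
    fn_created: datetime    # $FILE_NAME, maintained by the kernel, harder to alter
    fn_modified: datetime   # $FILE_NAME last write


def timestamp_anomalies(e: MftEntry) -> list[str]:
    """Return a list of heuristic findings (empty list means nothing suspicious)."""
    findings = []
    # $SI creation earlier than $FN creation: $FN is set when the name record is
    # written, so a $SI value that predates it points at a backdated $SI layer.
    if e.si_created < e.fn_created:
        findings.append("si_created_before_fn_created")
    # NTFS stores 100 ns resolution; tools that set times with one-second
    # granularity leave the fractional part at zero. Files extracted from ZIP
    # (2 s DOS time) also show this, so treat it as a lead, not a verdict.
    if e.si_created.microsecond == 0 and e.si_modified.microsecond == 0:
        findings.append("zero_fraction_seconds")
    return findings


def scan(entries: list[MftEntry]) -> dict[str, list[str]]:
    """Map path -> findings for every entry that has at least one finding."""
    return {e.path: f for e in entries if (f := timestamp_anomalies(e))}


ts = datetime.fromisoformat  # short alias for building the constructed records

# Constructed sample: one ordinary binary and one with a backdated $SI layer.
SAMPLE_ENTRIES = [
    MftEntry(r"C:\Windows\System32\notepad.exe",
             ts("2024-03-01T10:15:22.123456"), ts("2024-03-01T10:15:22.123456"),
             ts("2024-03-01T10:15:22.123456"), ts("2024-03-01T10:15:22.123456")),
    MftEntry(r"C:\Users\Public\dropper.exe",
             ts("2019-01-01T00:00:00"), ts("2019-01-01T00:00:00"),
             ts("2024-05-20T08:41:09.551234"), ts("2024-05-20T08:41:09.551234")),
]

if __name__ == "__main__":
    for path, findings in scan(SAMPLE_ENTRIES).items():
        print(path, "->", ", ".join(findings))
```

Findings only tell you which timestamp layer to distrust; the $FN values, USN journal and event logs still have to supply the real timeline.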

What did we select, and why?
- How did we classify files as interesting? What filtration method?
- Which search criteria and analysis methods?