Important questions

Questions for incidents.

1.1 Important questions to ask during an attack.

It can provide important insights into how we can get out of trouble.

What have happened, what do we have of indicators?

1.1.1 What have the artefacts been used to / for?

  • Have the files been run?
  • How did they get in?
  • With what input?
  • With what output?
  • Created as a service?
  • Are they set to autorun? (Is autorun enabled or disabled?)
  • Are the artifacts removed subsequently or are they freely available?
  • Do we know what files do? (test on sandbox)

1.1.2 Who have used the files?

  • local user, domain user, remote user?
  • What are your Rights?
  • Are there any domain admins at all?
  • Who have run the files?
  • Which user level did the files run on (admin, normal user?)

1.1.3 Where were the artefacts found?

  • Shell bag, MRU, Event Logs, Services, MFT, NTFS?
  • Memory?
  • Data Streams?
  • Where they payload from other connected IPs / URLs
  • Path to File / Registry DB

1.1.4 When are artefacts from?

  • What data layers are timestamps downloaded?
  • Where are the remaining timestamps?
  • Do we Trust the time stamps or are they obfuscated by malware.

1.1.5 What files have we selected and on what basis?

  • How we have classified files as interesting?
  • What is the filtration method is used?
  • Which search criteria?
  • What analysis methods?