Investigation Scenario 🔎 You received the depicted Suricata alert related to Impacket usage. What do you look for to investigate whether an incident occurred and its extent? #InvestigationPath #DFIR #SOC - ThreadSky

About ThreadSky

chrissanders88.bsky.social • 97 days ago

Investigation Scenario 🔎

You received the depicted Suricata alert related to Impacket usage.

What do you look for to investigate whether an incident occurred and its extent?

#InvestigationPath #DFIR #SOC

Comments

eflags.bsky.social•97 days ago

Impacket may be being used for Lateral Movement via smbexec, you should examine the source of the traffic for execution artifacts and the destination host for the creation of a service and batch script for command execution. You can start with event logs

cyberdef.bsky.social•97 days ago

I completely agree! In addition to event logs and signs of new services or scripts on the target system, I suggest examining SMB traffic for anomalies, correlating suspicious events on the network, and using an EDR tool to detect processes related to lateral movement tools like smbexec :)

bluespock.bsky.social•96 days ago

Investigate in general means ask the right questions & find the answers. Investigations happens in many fields (apart from cyber) - police cases, medical work, accidents, IT troubleshooting, code debugging, etc. At the core of any investigation is framing the tight questions in the right order.

bluespock.bsky.social•96 days ago

Step 1 - for any human when presented with a cyber security alert is to triage it. Triage means - determine (with a high degree of confidence) if this is likely to be malicious or likely to be benign.

bluespock.bsky.social•96 days ago

If the conclusion of triage is "likely to be malicious" - then the work of figuring out the answers to: what happened, how did it happen, what is the extent & impact and how do we contain/mitigate/remediate takes place.

bluespock.bsky.social•96 days ago

The questions to ask for that alert to traige it are:
what is the src ip/host?
what is the dst ip/host?
what was the user name used to log in over SMB?
is there a correlation between the human who owns the src host & the user name to log in to the dst host?

Posting Rules

Be respectful to others
No spam or self-promotion
Stay on topic
Follow Bluesky's terms of service

Comments

Posting Rules

Reply