Investigation Scenario 🔎
While threat hunting, you’ve discovered a host receiving HTTPS traffic on port TCP/53.
What do you look for to investigate whether an incident occurred?
#InvestigationPath #DFIR #SOC
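One concrete starting point for the question above is a port/protocol mismatch check over network connection logs: flag TCP/53 flows whose identified service is not DNS, and flows to destinations that are not supposed to serve DNS at all. The script below is an added example for this post, not part of the original; the Zeek-style JSON records, the known-DNS-server list and the field names are constructed assumptions.

```python
import json

# Constructed Zeek-style conn.log records (JSON lines); not real telemetry.
# Only C2 carries TLS ("ssl") on TCP/53; C4 is a TCP/53 flow with no identified service.
SAMPLE_CONN_LOG = """
{"uid":"C1","id.orig_h":"10.0.0.5","id.orig_p":51234,"id.resp_h":"10.0.0.53","id.resp_p":53,"proto":"tcp","service":"dns","orig_bytes":120,"resp_bytes":340}
{"uid":"C2","id.orig_h":"203.0.113.7","id.orig_p":44321,"id.resp_h":"10.0.0.21","id.resp_p":53,"proto":"tcp","service":"ssl","orig_bytes":5120,"resp_bytes":900}
{"uid":"C3","id.orig_h":"10.0.0.8","id.orig_p":40000,"id.resp_h":"10.0.0.53","id.resp_p":53,"proto":"udp","service":"dns","orig_bytes":60,"resp_bytes":200}
{"uid":"C4","id.orig_h":"198.51.100.9","id.orig_p":55555,"id.resp_h":"10.0.0.21","id.resp_p":53,"proto":"tcp","service":"-","orig_bytes":0,"resp_bytes":0}
"""

# Hosts the organization actually expects to answer DNS (constructed inventory).
KNOWN_DNS_SERVERS = {"10.0.0.53"}


def find_port53_mismatches(log_text, known_dns=KNOWN_DNS_SERVERS):
    """Return TCP/53 flows worth an analyst's attention, with the reason for each.

    Two independent signals are checked: the protocol analyzer labelled the flow
    as something other than DNS (e.g. TLS), and/or the destination is not a host
    that is supposed to serve DNS. Either one is enough to surface the flow.
    """
    findings = []
    for line in log_text.strip().splitlines():
        rec = json.loads(line)
        if rec["id.resp_p"] != 53 or rec["proto"] != "tcp":
            continue  # UDP/53 DNS is expected; this hunt is about TCP/53
        service = rec.get("service", "-")
        reasons = []
        if service not in ("dns", "-"):
            reasons.append(f"non-DNS service '{service}' on TCP/53")
        if rec["id.resp_h"] not in known_dns:
            reasons.append("destination is not a known DNS server")
        if reasons:
            findings.append({
                "uid": rec["uid"],
                "src": rec["id.orig_h"],
                "dst": rec["id.resp_h"],
                "service": service,
                "bytes_in": rec["orig_bytes"],  # volume hints at tunnelling vs. a probe
                "reasons": reasons,
            })
    return findings


if __name__ == "__main__":
    for f in find_port53_mismatches(SAMPLE_CONN_LOG):
        print(f["uid"], f["src"], "->", f["dst"], f["service"], "; ".join(f["reasons"]))
```

Each surfaced flow gives the next pivots: the destination host's process and listener logs for what is actually bound to port 53, and the boundary device's rule set for why TCP/53 to that host is permitted.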
Comments
I’d probably start looking at host logs, though at some point you’re going to need to figure out why your boundary is allowing this kind of traffic to a presumably-not-DNS server.