Human Behavior In Digital Forensics, pt II

On the heels of my first post on this topic, I wanted to follow up with some additional case studies that might demonstrate how digital forensics can provide insight into human activity and behavior, as part of an investigation.

Targeted Threat Actor
I was working a targeted threat actor response, and while we were continuing to collect information for scoping, so we could move to containment, we found that on one day, from one endpoint, the threat actor pushed their RAT installer to 8 endpoints, and had the installer launched via a Scheduled Task. Then, about a week later, we saw that the threat actor had pushed out another version of their RAT to a completely separate endpoint, by dropping the installer into the StartUp folder for an admin account.
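A live-response triage of the two persistence mechanisms described above (StartUp folders for every local profile, and recently created Scheduled Tasks), as an added example that is not part of the original post; it assumes admin rights on a live Windows endpoint and a 14-day scoping window.

```powershell
# Added triage example, not code from the original post. Assumes it runs on a
# live Windows endpoint with admin rights; the 14-day window is an assumption.
$since = (Get-Date).AddDays(-14).ToUniversalTime()

# 1. StartUp folders: the all-users folder plus one per local profile. An
#    installer dropped here runs at that account's next interactive logon.
$startupDirs = @{ 'AllUsers' = "$env:ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp" }
Get-ChildItem -Path "$env:SystemDrive\Users" -Directory -ErrorAction SilentlyContinue | ForEach-Object {
    $startupDirs[$_.Name] = Join-Path $_.FullName 'AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup'
}
$startupHits = foreach ($entry in $startupDirs.GetEnumerator()) {
    if (-not (Test-Path $entry.Value)) { continue }
    Get-ChildItem -Path $entry.Value -File -Force -ErrorAction SilentlyContinue |
        Where-Object { $_.Name -ne 'desktop.ini' } |
        ForEach-Object {
            [pscustomobject]@{
                Profile    = $entry.Key
                File       = $_.FullName
                CreatedUtc = $_.CreationTimeUtc
                SHA256     = (Get-FileHash -Path $_.FullName -Algorithm SHA256).Hash
            }
        }
}

# 2. Scheduled Tasks: each task's XML under System32\Tasks records the author
#    and the action launched. Report tasks whose XML was created in the window.
$taskRoot = "$env:SystemRoot\System32\Tasks"
$taskHits = Get-ChildItem -Path $taskRoot -File -Recurse -ErrorAction SilentlyContinue |
    Where-Object { $_.CreationTimeUtc -ge $since } |
    ForEach-Object {
        [xml]$x = Get-Content -Path $_.FullName -Raw
        [pscustomobject]@{
            Task       = $_.FullName.Substring($taskRoot.Length)
            Author     = $x.Task.RegistrationInfo.Author
            Command    = (@($x.Task.Actions.Exec) | ForEach-Object { "$($_.Command) $($_.Arguments)" }) -join '; '
            CreatedUtc = $_.CreationTimeUtc
        }
    }

$startupHits | Sort-Object CreatedUtc | Format-Table -AutoSize
$taskHits    | Sort-Object CreatedUtc | Format-Table -AutoSize
```

Run the same two listings across the scoped endpoints and compare creation times and hashes; a single installer hash appearing in several profiles' StartUp folders, or tasks registered within minutes of each other by one author, is the kind of clustering that supports the scoping described above.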

Now, when I showed up on-site for this engagement, I walked into a meeting that served as the “war room”, and before I got a chance to introduce myself, or find out what was going on, one of the admins came up to me and blurted out, “we don’t use communal admin accounts.” Yes, I know…very odd. No, “hi, I’m Steve”, nothing like that. Just this comment about accounts. So, I filed it away.

The first thing we did once we got started was roll out our EDR tech, and begin getting insight into what was going on…which accounts had been compromised, which were the nexus systems the threat actor was operating from, how they were getting in, etc. After all, we couldn’t establish a perimeter and move to containment until we determined scope, etc.

So we found this RAT installer in the StartUp folder for an admin account…a communal admin account. We fo

[…]

This article has been indexed from Windows Incident Response
