Why do many #DFIR reports lack about network forensics? I don't think finding the C2 address is enough. Why don't you create a timeline using the network data? Like 👇 "C2 comm started with 5min sleep, then was changed to 10sec and data transfer was observed during this period...
11
7
6
105
Because 9 times out of 10 this data doesn’t exist in the clients environment. Lucky to get Windows event logs that haven’t rolled…
2
19
Replying to @highonc0ffee @Cyb3rMonk
A-fucking-men!

Feb 2, 2022 · 2:06 AM UTC

1
7
Replying to @hal_pomeranz @highonc0ffee @Cyb3rMonk
Seconded (not that you need it, nobody who does IR in real life should be arguing with you)
1
3
Our perspective is colored by being third-party IR teams. Orgs that have good network telemetry are generally mature enough to have working IR capability in-house and so would never call us.
1
4
more replies