Title
#general
defensivedepth

defensivedepth

04/09/2019, 2:58 PM
hey all - I am giving away a free seat in my online Osquery for Security Analysis course (LearnOsquery.com) Just thumbs up this post and reply to tell me your favorite host artifact when working an investigation. Do that by 9 PM ET Friday and you'll be entered to win!
m

Michael Bailey

04/09/2019, 4:08 PM
The powershell operational log is pretty magical when configured sanely. Script block logging ++
j

John Coast

04/09/2019, 5:44 PM
shellbags, because they have the best artifact name
harveywells

harveywells

04/10/2019, 12:48 PM
On macOS I like looking at file metadata (mdls); on Windows, looking at file timestamp anomalies to see if a program or file was backdated to avoid detection.
a

atom

04/10/2019, 4:44 PM
I've used OSQuery to find people avoiding our corporate monitoring systems(Disabling jamf, adding fake hosts entries for log shipping)
r

reynas

04/12/2019, 7:55 AM
carves for the win! A huge advantage while doing IR
srozb

srozb

04/15/2019, 6:36 AM
It's probably too late, but listing interesting file extensions in webroots/ftproots and smb shared directories is giving me nice results for detecting sensitive data shared by sysadmins violating company policy.
j

John Coast

04/16/2019, 9:21 AM
Hi @defensivedepth, did you announce a winner?
defensivedepth

defensivedepth

04/16/2019, 11:00 AM
Yes, last night....https://twitter.com/chrissanders88/status/1117847833447501825 Thanks for submitting an entry and better luck next time! 🙂 @Michael Bailey @John Coast @harveywells @atom @reynas @srozb
harveywells

harveywells

04/16/2019, 12:39 PM
🎉Congrats Sirius_Malware 🎉