Microsoft Defender for Endpoint: Investigation Package Information


Question

You are a SOC Analyst at a company XYZ that has implemented Microsoft Defender for Endpoint.

You are allocated an incident with alerts related to a suspicious PowerShell command line.

You start by going through the incident and reviewing all the related alerts, devices, and evidence.

You open the alert page to evaluate the alert and choose to perform further analysis on the device.

You open the device page and decide that you require remote access to the device (live response) to collect more forensic information using a custom .ps1 script.

Which type of information is gathered in an Investigation package?

Answers

Explanations

A. Prefetch files
B. Network transactions
C. Command history
D. Process history

Correct Answer: A

Of the four options, network transactions, process history and command history are not collected. Only prefetch files are collected as part of the package.

An investigation package contains the following folders when you collect it from a device as part of the investigation process. The set of folders is fixed; the analyst does not pick which items to include.

These can help us identify the present state of the device and the methods used by attackers.

Autoruns
Installed programs
Network connections (the connections active at collection time, not a capture of network traffic)
Prefetch files
Prefetch folder
Processes (a snapshot of the processes running at collection time, not a history of executed processes)
Scheduled tasks
Security event log
Services
Windows Server Message Block (SMB) sessions
System Information
Temp Directories
Users and Groups
WdSupportLogs
CollectionSummaryReport.xls

Reference:

When investigating a security incident, analysts often need to collect additional information to fully understand the scope of the issue and its impact on the organization. One way to collect this information is by creating an Investigation Package, which is a set of data and artifacts gathered from a specific device or set of devices that may be related to the incident.

In the context of Microsoft Defender for Endpoint, an Investigation Package is a fixed set of data and artifacts that can help an analyst better understand the suspicious activity on a device. The four options offered by the question are described below; only one of them is actually part of the package.

A. Prefetch files: Prefetch files (*.pf under %SystemRoot%\Prefetch) are a Windows artifact that records how an executable has been used on a device. They contain metadata such as how many times a program has run, when it was last run, and which files and directories it touched, which helps establish whether and when a suspicious binary or script host such as powershell.exe executed. Prefetch files are collected in the investigation package.

B. Network transactions: Network transactions refer to the traffic that has been sent or received by the device over the network. That information would help identify command and control traffic or data exfiltration, but the investigation package does not capture traffic. The Network connections folder only lists the connections that were active when the package was collected.

C. Command history: Command history refers to the history of commands that have been executed on the device, either through the command line interface or through a scripting language like PowerShell. The investigation package does not collect it; the command lines behind the alert in this scenario come from the sensor telemetry shown on the alert page and device timeline.

D. Process history: Process history refers to a record of all the processes that have been executed on the device, with details such as the process ID, parent process ID, and other metadata. The investigation package does not contain a process history; the Processes folder is a snapshot of the processes running at collection time, and historical process activity is again found in the device timeline.

In summary, when an analyst collects an Investigation Package in Microsoft Defender for Endpoint, the contents are predetermined and are meant to capture the present state of the device. Of the four options in the question, only prefetch files are collected, so A is the correct answer. Network traffic, command history and process history must be obtained from other sources such as the device timeline, advanced hunting, or a live response session.
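The scenario mentions collecting additional forensic information through live response with a custom .ps1 script. The script below is an added example written for this page, not Microsoft code and not part of the investigation package itself: it gathers a subset of the artifacts the package contains (prefetch file metadata, a process snapshot with parent PIDs and command lines, active TCP connections, Run/RunOnce autoruns and scheduled tasks), writes them to CSV, and flags entries that reference PowerShell with commonly abused flags. The output directory name, the regular expressions and the file names are assumptions; run it elevated on the device.

```powershell
# Added example (not Microsoft code): live-response style triage that collects
# a subset of what an MDE investigation package gathers and flags PowerShell use.
param(
    # Assumption: write results under %TEMP%; adjust to the collection location you use.
    [string]$OutDir = (Join-Path $env:TEMP ("triage_" + (Get-Date -Format 'yyyyMMdd_HHmmss')))
)

New-Item -ItemType Directory -Path $OutDir -Force | Out-Null

# 1. Prefetch: name, size and timestamps. The last write time changes when the
#    prefetch file is rewritten, which approximates the program's last execution.
$prefetch = Get-ChildItem -Path "$env:SystemRoot\Prefetch" -Filter '*.pf' -ErrorAction SilentlyContinue |
    Select-Object Name, Length, CreationTime, LastWriteTime
$prefetch | Export-Csv -Path (Join-Path $OutDir 'prefetch.csv') -NoTypeInformation

# 2. Processes: a snapshot (not a history) with parent PID and full command line.
$procs = Get-CimInstance -ClassName Win32_Process |
    Select-Object ProcessId, ParentProcessId, Name, ExecutablePath, CommandLine, CreationDate
$procs | Export-Csv -Path (Join-Path $OutDir 'processes.csv') -NoTypeInformation

# 3. Network connections active right now, mapped to the owning process.
$conns = Get-NetTCPConnection -ErrorAction SilentlyContinue |
    Select-Object LocalAddress, LocalPort, RemoteAddress, RemotePort, State, OwningProcess
$conns | Export-Csv -Path (Join-Path $OutDir 'network_connections.csv') -NoTypeInformation

# 4. Autoruns: Run/RunOnce keys for the machine and the current user.
$runKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce'
)
$autoruns = foreach ($key in $runKeys) {
    if (Test-Path $key) {
        $props = Get-ItemProperty -Path $key
        foreach ($p in $props.PSObject.Properties) {
            # Skip the provider metadata properties PowerShell adds to every registry object.
            if ($p.Name -notmatch '^PS(Path|ParentPath|ChildName|Drive|Provider)$') {
                [pscustomobject]@{ Key = $key; Name = $p.Name; Command = $p.Value }
            }
        }
    }
}
$autoruns | Export-Csv -Path (Join-Path $OutDir 'autoruns.csv') -NoTypeInformation

# 5. Scheduled tasks with the program and arguments each one runs.
$tasks = Get-ScheduledTask -ErrorAction SilentlyContinue | ForEach-Object {
    [pscustomobject]@{
        TaskName = $_.TaskName
        Path     = $_.TaskPath
        State    = $_.State
        Action   = ($_.Actions | ForEach-Object { "$($_.Execute) $($_.Arguments)" }) -join '; '
    }
}
$tasks | Export-Csv -Path (Join-Path $OutDir 'scheduled_tasks.csv') -NoTypeInformation

# 6. Quick triage: PowerShell references, and command lines using flags that are
#    commonly abused (encoded commands, hidden windows, execution policy bypass,
#    download cradles). The patterns are assumptions, tune them to your environment.
$psHost = '(?i)powershell|pwsh'
$flags  = '(?i)(-enc|-e\s|-w\s*hidden|bypass|downloadstring|iex|invoke-expression)'
$hits = @()
$hits += $prefetch | Where-Object { $_.Name -match $psHost } |
    ForEach-Object { "Prefetch: $($_.Name) last run ~ $($_.LastWriteTime)" }
$hits += $procs | Where-Object { $_.CommandLine -match $psHost -and $_.CommandLine -match $flags } |
    ForEach-Object { "Process $($_.ProcessId) (parent $($_.ParentProcessId)): $($_.CommandLine)" }
$hits += $autoruns | Where-Object { $_.Command -match $psHost } |
    ForEach-Object { "Autorun $($_.Key)\$($_.Name): $($_.Command)" }
$hits += $tasks | Where-Object { $_.Action -match $psHost } |
    ForEach-Object { "Task $($_.Path)$($_.TaskName): $($_.Action)" }
$hits | Set-Content -Path (Join-Path $OutDir 'powershell_hits.txt')

Write-Output "Triage written to $OutDir ($($hits.Count) PowerShell-related findings)"
```

Like the investigation package, everything this script produces is a point-in-time view: a PowerShell process that already exited will show up in prefetch (if prefetching is enabled) but not in the process or connection snapshots, so the device timeline remains the place to reconstruct the command history and process ancestry behind the alert.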