Investigation Package: Gathering Information for PowerShell Analysis | XYZ Company

Gathering Information for PowerShell Analysis

Question

You are a SOC analyst at a company, XYZ, that has implemented Microsoft Defender for Endpoint.

You are assigned an incident with alerts related to a suspicious PowerShell command line.

You start by going through the incident and reviewing all the related alerts, devices, and evidence.

You open the alert page to evaluate the alert and decide to perform further analysis on the device.

You open the device page and decide that you require remote access to the device to collect more forensic information using a custom .ps1 script.

Which type of information is gathered in an Investigation package?

Answers

Explanations


A. Prefetch files
B. Network transactions
C. Command history
D. Process history

Correct Answer: A

Of the four options, only Prefetch files are collected. Network transactions, process history and command history are not part of the package.

An investigation package collected from a device as part of the investigation process contains the following folders. They help identify the current state of the device and the tools and techniques used by the attacker:

Autoruns, Installed programs, Network connections, Prefetch files, Prefetch folder, Processes, Scheduled tasks, Security event log, Services, Windows Server Message Block (SMB) sessions, System Information, Temp Directories, Users and Groups, WdSupportLogs, and CollectionSummaryReport.xls.
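As an added example (it is not part of the original page and not Microsoft's own code), the following PowerShell script is the kind of custom .ps1 the scenario describes: something an analyst would run on the device through a live response session to collect the PowerShell evidence the investigation package does not contain, namely per-user console command history and script block logging events, alongside the prefetch timestamps and process creation events needed to correlate them with the alert. The output directory, the look-back window, and the assumption that script block logging and command-line auditing are enabled by policy are assumptions.

```powershell
# Added example: custom live-response collection script for PowerShell evidence.
# Assumptions: run as SYSTEM via live response; $OutputDir and $Days are arbitrary
# defaults; script block logging (4104) and "include command line in process
# creation events" (4688) are enabled by policy, otherwise those CSVs will be sparse.
[CmdletBinding()]
param(
    [string]$OutputDir = "C:\ProgramData\IRCollect",   # assumed drop location
    [int]$Days = 7                                      # assumed look-back window
)

$ErrorActionPreference = 'Continue'
New-Item -ItemType Directory -Path $OutputDir -Force | Out-Null
$since = (Get-Date).AddDays(-$Days)

# 1. Prefetch entries for PowerShell hosts. The investigation package already copies the
#    Prefetch folder; this records name and timestamps so the analyst can line up the
#    last execution time (LastWriteTime of the .pf) against the alert time.
Get-ChildItem -Path "$env:SystemRoot\Prefetch" -Filter 'POWERSHELL*.pf' -ErrorAction SilentlyContinue |
    Select-Object Name, CreationTime, LastWriteTime, Length |
    Export-Csv -Path (Join-Path $OutputDir 'prefetch_powershell.csv') -NoTypeInformation

# 2. PSReadLine console history for every local profile. This is the closest thing to a
#    "command history" on a Windows host and it is not part of the investigation package.
$profiles = Get-ChildItem -Path "$env:SystemDrive\Users" -Directory -ErrorAction SilentlyContinue
foreach ($p in $profiles) {
    $hist = Join-Path $p.FullName 'AppData\Roaming\Microsoft\Windows\PowerShell\PSReadLine\ConsoleHost_history.txt'
    if (Test-Path -LiteralPath $hist) {
        Copy-Item -LiteralPath $hist -Destination (Join-Path $OutputDir ("history_{0}.txt" -f $p.Name)) -Force
        # Hash the original so the copy can later be shown to be unaltered.
        Get-FileHash -LiteralPath $hist -Algorithm SHA256 |
            Select-Object Path, Hash |
            Export-Csv -Path (Join-Path $OutputDir 'history_hashes.csv') -NoTypeInformation -Append
    }
}

# 3. Script block logging (event ID 4104) from the PowerShell operational log. These events
#    carry the de-obfuscated script text that actually executed, which is what matters when
#    the alert is about a suspicious command line. Property index 2 is ScriptBlockText.
$sbFilter = @{
    LogName   = 'Microsoft-Windows-PowerShell/Operational'
    Id        = 4104
    StartTime = $since
}
Get-WinEvent -FilterHashtable $sbFilter -ErrorAction SilentlyContinue |
    ForEach-Object {
        [pscustomobject]@{
            TimeCreated = $_.TimeCreated
            UserId      = $_.UserId
            ScriptBlock = $_.Properties[2].Value
        }
    } |
    Export-Csv -Path (Join-Path $OutputDir 'scriptblock_4104.csv') -NoTypeInformation

# 4. Process creation events (4688) restricted to PowerShell hosts, to reconstruct the launch
#    chain. The package already contains the full Security log; this is a pre-filtered view.
#    Indices: 5 = NewProcessName, 8 = CommandLine, 13 = ParentProcessName (Windows 10+).
Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4688; StartTime = $since } -ErrorAction SilentlyContinue |
    Where-Object { $_.Properties[5].Value -match 'powershell|pwsh' } |
    ForEach-Object {
        [pscustomobject]@{
            TimeCreated    = $_.TimeCreated
            NewProcessName = $_.Properties[5].Value
            ParentProcess  = $_.Properties[13].Value
            CommandLine    = $_.Properties[8].Value
        }
    } |
    Export-Csv -Path (Join-Path $OutputDir 'process_creation_4688.csv') -NoTypeInformation

# Bundle everything for retrieval with the live response "getfile" command.
Compress-Archive -Path "$OutputDir\*" -DestinationPath "$OutputDir.zip" -Force
Write-Output "Collection written to $OutputDir.zip"
```

Upload the script to the live response library, run it with the run command, then retrieve the resulting zip with getfile. Because the script only reads and copies artifacts, it changes nothing on the host apart from creating the output directory, and the recorded SHA-256 hashes let the copied history files be tied back to the originals.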

Reference:

An investigation package in Microsoft Defender for Endpoint is a zip archive of artifacts gathered from a device through the "Collect investigation package" response action on the device page. It captures the state of the device at collection time so that an analyst can understand the tools and techniques used by an attacker. It is a separate response action from live response: the package is not produced by running custom scripts, and the remote access the scenario describes (running a custom .ps1 on the device) is a live response session, whose output complements the package rather than being part of it.

Taking each option in turn:

A. Prefetch files: collected. The package contains a listing of the prefetch files and a copy of the %SystemRoot%\Prefetch folder. Windows creates a .pf file for each executable that is launched, so the listing shows which programs (including PowerShell hosts) ran recently, the file's timestamps indicate first and last execution, and entries survive deletion of the executable itself. Parsing the .pf contents additionally yields the run count and the files the program touched. This makes prefetch evidence useful for establishing whether, and when, a suspicious binary ran.

B. Network transactions: not collected as a history. The Network connections folder holds a point-in-time snapshot of active connections and related network configuration output, not a record of past HTTP requests, DNS queries or other traffic. For historical network activity, including command and control (C2) communications between an attacker and a compromised device, use the device timeline or the DeviceNetworkEvents table in advanced hunting.

C. Command history: not collected. The package has no log of commands run from the command prompt, PowerShell or other tools. That evidence lives elsewhere: the PSReadLine history file in each user profile, PowerShell script block logging events (event ID 4104) where enabled, process creation events that include the command line, and the DeviceProcessEvents table, which records the command line of every process Defender observed. This is exactly the kind of data the scenario's custom .ps1 script would be written to gather.

D. Process history: not collected. The Processes folder is a snapshot of the processes running at collection time, not a history of past executions with the user and start time of each. Process history is available in the device timeline and in DeviceProcessEvents.

In conclusion, an investigation package gives a SOC analyst a snapshot of a device (autoruns, installed programs, current network connections, prefetch files, running processes, scheduled tasks, the Security event log, services, SMB sessions, system information, temp directories, users and groups, and Defender support logs) that supports root-cause analysis and remediation. Of the four options, only Prefetch files (A) are part of the package; network transactions, command history and process history must be obtained from the device timeline, advanced hunting, or a live response session.