Questions
Questions are the core of DFIQ. All other DFIQ components are relative to Questions: Approaches describe how to answer the Questions, and Scenarios and Facets organize the Questions logically. Below is an index of all the Questions that are defined as part of DFIQ.
Some quick facts about Questions in DFIQ:
- Questions should be small enough in scope that they can be readily answered
- A single Question can be reused in multiple different Facets
- If a Question has any Approaches defined, it will render as a link to the detailed Question page
Note
Not all the Questions have Approaches defined; in fact, most don't at the moment. If you'd like to contribute an idea for a new Question, or a new Approach for answering an existing Question, please open an issue on GitHub.
Questions Index
ID | Question | Tags | Approaches |
---|---|---|---|
Q1001 | What files were downloaded using a web browser? | NTFS, macOS, Chrome, Web Browser, USN Journal, Windows, Safari, SQLite, Edge | 3 |
Q1002 | What USB devices were attached to a computer? | | 0 |
Q1003 | What files were copied from a computer to a USB device? | | 0 |
Q1004 | What screenshots were taken on a computer? | | 0 |
Q1005 | What files have ever been on a computer? | | 0 |
Q1006 | What files are present on a computer? | | 0 |
Q1007 | What files were synced or backed-up to external services? | T1567.002 | 0 |
Q1008 | What programs are installed on a computer? | | 0 |
Q1009 | What interactions with external cloud storage sites did the actor have using their web browser? | | 0 |
Q1010 | What was printed from a computer? | | 0 |
Q1011 | What files were sent or received by a chat application? | | 0 |
Q1012 | What files were copied from a USB device to a computer? | | 0 |
Q1013 | What files are present on a USB device? | | 0 |
Q1014 | What files did the actor open on their computer? | File Knowledge | 0 |
Q1015 | What syncing activities did external "cloud storage" applications do on a computer? | | 0 |
Q1016 | What files were sent externally via email attachments? | | 0 |
Q1017 | Were any files collected into a container? | | 0 |
Q1018 | What process made the DNS query? | Sysmon, DNS, Windows, CrowdStrike | 3 |
Q1019 | What web browsers were running at a given time? | Process Execution, Web Browser, CrowdStrike | 1 |
Q1020 | What pages did web browsers visit? | Internet Explorer, Firefox, Chrome, SQLite, Web Browser, Edge, Safari | 1 |
Q1021 | What Chrome extensions are installed? | Web Browser | 0 |
Q1022 | What actions did a Chrome extension perform? | Chrome, Browser Extension, Web Browser | 0 |
Q1023 | Is a given Chrome extension associated with a given domain? | Chrome, T1176 | 0 |
Q1024 | Was an Incognito/Private browser session used? | Process Execution, Web Browser, CrowdStrike | 1 |
Q1025 | What external accounts has the actor used in their web browser? | | 0 |
Q1026 | What files were downloaded from messaging apps? | | 0 |
Q1027 | Are there any sudden changes in the number of files on a device? | | 0 |
Q1028 | Was there specialized "anti-forensic" (or "privacy") software on a computer? | | 0 |
Q1029 | Were any encryption programs used on a computer? | | 0 |
Q1030 | Were any security or monitoring agents tampered with or disabled? | | 0 |
Q1031 | How much network traffic was there to/from a machine? | | 0 |
Q1032 | What actions were taken in an Incognito (or "private") browser session? | | 0 |
Q1033 | Was shell history cleared? | | 0 |
Q1034 | Was content copied from a file? | | 0 |
Q1035 | Were any copies made of sensitive files? | | 0 |
Q1036 | Have there been any executions of PsExec? | Prefetch, Windows Event Logs | 2 |
Q1037 | Have there been any executions of PsExeSrv? | Prefetch, Windows Event Logs | 3 |
Q1038 | Were any files sent via CLI utilities? | | 0 |
Q1039 | Are there any detections of exposed service account credentials? | | 0 |
Q1040 | Are there any interactions with the cloud project resources from an unknown external IP address (including Tor exit nodes and C2-tagged addresses)? | | 0 |
Q1041 | Are there any unexpected successful API calls from an unknown external IP address (including Tor exit nodes and C2-tagged addresses)? | | 0 |
Q1042 | Are there any APIs recently enabled? | | 0 |
Q1043 | Are there any role bindings to cluster admin for anonymous users? | | 0 |
Q1044 | Are there any unexpected resources created under the cloud project? | | 0 |
Q1045 | Are there any unknown accounts created? | | 0 |
Q1046 | Are there any unknown role bindings created? | | 0 |
Q1047 | Are there any suspicious modifications to the cloud project firewall rules/policies? | | 0 |
Q1048 | Are there any suspicious modifications to the cloud project logging configuration? | | 0 |
Q1049 | Is there an unusual increase of traffic between resources in the cloud project? | | 0 |
Q1050 | Are there any GCS buckets within the cloud project shared externally? | | 0 |
Q1051 | Are there any signs of data within the cloud project being transferred externally? | | 0 |
Q1052 | What browser extensions (non-Chrome) are installed? | Web Browser | 0 |
Q1053 | What Launch Agents are configured? | T1543.001, macOS | 0 |
Q1054 | What Launch Daemons are configured? | T1543.004, macOS | 0 |
Q1055 | What Windows logon scripts are configured? | T1037.001, Windows | 0 |
Q1056 | What login hooks are configured? | T1037.002, macOS | 0 |
Q1057 | What network logon scripts are configured? | T1037.003, Windows | 0 |
Q1058 | What domain accounts have been created? | T1136.002, Windows | 0 |
Q1059 | What local accounts have been created? | T1136.001, Linux, Windows, macOS | 0 |
Q1060 | What AT jobs are configured? | Linux, T1053.002, macOS | 0 |
Q1061 | What Scheduled Tasks are configured? | T1053.005, Windows | 0 |
Q1062 | What cron jobs are configured? | T1053.003, Linux, macOS | 0 |
Q1063 | What periodic scripts are configured? | macOS | 0 |
Q1064 | What systemd timers are configured? | Linux, T1053.006 | 0 |
Q1065 | What files are referenced in Registry "Run" keys? | Windows, T1547.001 | 0 |
Q1066 | What items are in startup folders? | Windows, T1547.001 | 0 |
Q1067 | What system services are installed? | Linux, Windows, macOS | 0 |
Q1068 | When were system services last modified? | Linux, Windows, macOS | 0 |
Q1069 | Are there any indications of dylib hijacking? | T1574.004, macOS | 0 |
Q1070 | Are there any indications of dylib proxying? | macOS | 0 |
Q1071 | Are there any indications of dynamic linker hijacking? | T1574.006, Linux, macOS | 0 |
Q1072 | Did Chrome's DNS Prefetching cause a DNS query? | Web Browser, DNS | 0 |
Q1073 | Have there been any modifications to the "hosts" file? | | 0 |
Q1074 | Were any system event logs cleared? | T1070.001, CrowdStrike, T1070.002, macOS, Linux, Windows Event Logs | 2 |
Q1075 | Is the recipient account controlled by the sender? | | 0 |
Q1076 | Were the files screenshots? | | 0 |
Q1077 | Were there bulk downloads from Google Drive? | | 0 |
Q1078 | Were the files copies? | | 0 |
Q1079 | Is there a history of communication with the recipients? | | 0 |
Q1080 | How many external recipients does the email have? | | 0 |
Q1081 | Does the user have a recently provisioned host? | | 0 |
Q1082 | Were any files sent via AirDrop? | | 0 |
Q1083 | Were any files sent via Bluetooth? | T1011.001 | 0 |
Q1084 | What data was uploaded to a website via a web browser? | | 0 |
Q1085 | What DNS requests have been made from a system? | | 0 |
Q1086 | What web-based email messages were viewed in a web browser? | | 0 |
Q1087 | Did the user access any common PaaS/SaaS services? | | 0 |
Q1088 | Did the user connect to any non-Company systems using the command line? | | 0 |
Q1089 | Did the user download any Citrix configuration (.ica) files? | | 0 |
Q1090 | Did the user interact with any git repositories? | | 0 |