Questions
Questions are the core of DFIQ. All other DFIQ components are relative to Questions: Approaches describe how to answer the Questions, and Scenarios and Facets organize the Questions logically. Below is an index of all the Questions that are defined as part of DFIQ.
Some quick facts about Questions in DFIQ:
- Questions should be small enough in scope that they can be readily answered
- A single Question can be reused in multiple different Facets
- If a Question has any Approaches defined, it will render as a link to the detailed Question page
Note
Not all the Questions have Approaches defined; in fact, most don't at the moment. If you'd like to contribute an idea for a new Question, or a new Approach for answering an existing Question, please open an issue on GitHub.
Questions Index
| ID | Question | Tags | Approaches |
|---|---|---|---|
| Q1001 | What files were downloaded using a web browser? | Windows Edge USN Journal Safari macOS SQLite Chrome NTFS Web Browser | 3 |
| Q1002 | What USB devices were attached to a computer? | 0 | |
| Q1003 | What files were copied from a computer to a USB device? | 0 | |
| Q1004 | What screenshots were taken on a computer? | 0 | |
| Q1005 | What files have ever been on a computer? | 0 | |
| Q1006 | What files are present on a computer? | 0 | |
| Q1007 | What files were synced or backed-up to external services? | T1567.002 | 0 |
| Q1008 | What programs are installed on a computer? | 0 | |
| Q1009 | What interactions with external cloud storage sites did the actor have using their web browser? | 0 | |
| Q1010 | What was printed from a computer? | 0 | |
| Q1011 | What files were sent or received by a chat application? | 0 | |
| Q1012 | What files were copied from a USB device to a computer? | 0 | |
| Q1013 | What files are present on a USB device? | 0 | |
| Q1014 | What files did the actor open on their computer? | File Knowledge | 0 |
| Q1015 | What syncing activities did external "cloud storage" applications do on a computer? | 0 | |
| Q1016 | What files were sent externally via email attachments? | 0 | |
| Q1017 | Were any files collected into a container? | 0 | |
| Q1018 | What process made the DNS query? | CrowdStrike Sysmon DNS Windows | 3 |
| Q1019 | What web browsers were running at a given time? | CrowdStrike Process Execution Web Browser | 1 |
| Q1020 | What pages did web browsers visit? | SQLite Edge Chrome Firefox Internet Explorer Safari Web Browser | 1 |
| Q1021 | What Chrome extensions are installed? | Web Browser | 0 |
| Q1022 | What actions did a Chrome extension perform? | Chrome Browser Extension Web Browser | 0 |
| Q1023 | Is a given Chrome extension associated with a given domain? | Chrome T1176 | 0 |
| Q1024 | Was an Incognito/Private browser session used? | CrowdStrike Process Execution Web Browser | 1 |
| Q1025 | What external accounts has the actor used in their web browser? | 0 | |
| Q1026 | What files were downloaded from messaging apps? | 0 | |
| Q1027 | Are there any sudden changes in the number of files on a device? | 0 | |
| Q1028 | Was there specialized "anti-forensic" (or "privacy") software on a computer? | 0 | |
| Q1029 | Were any encryption programs used on a computer? | 0 | |
| Q1030 | Were any security or monitoring agents tampered with or disabled? | 0 | |
| Q1031 | How much network traffic was there to/from a machine? | 0 | |
| Q1032 | What actions were taken in an Incognito (or "private") browser session? | 0 | |
| Q1033 | Was shell history cleared? | 0 | |
| Q1034 | Was content copied from a file? | 0 | |
| Q1035 | Were any copies made of sensitive files? | 0 | |
| Q1036 | Have there been any executions of PsExec? | Prefetch Event Logs Windows | 2 |
| Q1037 | Have there been any executions of PsExeSrv? | Prefetch Event Logs Windows | 3 |
| Q1038 | Were any files sent via CLI utilities? | 0 | |
| Q1039 | Are there any detections of exposed service account credentials? | 0 | |
| Q1040 | Are there any interaction with the cloud project resources from an unknown external IP address (including Tor Exit nodes, C2 tagged addresses)? | 0 | |
| Q1041 | Are there any unexpected successful API calls from an unknown external IP address (including Tor Exit nodes, C2 tagged addresses)? | 0 | |
| Q1042 | Are there any APIs recently enabled? | 0 | |
| Q1043 | Are there any role bindings to cluster admin for anonymous users? | 0 | |
| Q1044 | Are there any unexpected resources created under the cloud project? | 0 | |
| Q1045 | Are there any unknown accounts created? | 0 | |
| Q1046 | Are there any unknown role bindings created? | 0 | |
| Q1047 | Are there any suspicious modifications to the cloud project firewall rules/policies? | 0 | |
| Q1048 | Are there any suspicious modifications to the cloud project logging configuration? | 0 | |
| Q1049 | Is there an unusual increase of traffic between resource in the cloud project? | 0 | |
| Q1050 | Are there any GCS buckets within the cloud project shared externally? | 0 | |
| Q1051 | Are there any signs of data within the cloud project being transferred externally? | 0 | |
| Q1052 | What browser extensions (non-Chrome) are installed? | Web Browser | 0 |
| Q1053 | What Launch Agents are configured? | T1543.001 macOS | 0 |
| Q1054 | What Launch Daemons are configured? | macOS T1543.004 | 0 |
| Q1055 | What Windows logon scripts are configured? | T1037.001 Windows | 0 |
| Q1056 | What login hooks are configured? | T1037.002 macOS | 0 |
| Q1057 | What network logon scripts are configured? | Windows T1037.003 | 0 |
| Q1058 | What domain accounts have been created? | T1136.002 Windows | 0 |
| Q1059 | What local accounts have been created? | T1136.001 macOS Linux Windows | 0 |
| Q1060 | What AT jobs are configured? | macOS Linux T1053.002 | 0 |
| Q1061 | What Scheduled Tasks are configured? | T1053.005 Windows | 0 |
| Q1062 | What cron jobs are configured? | macOS Linux T1053.003 | 0 |
| Q1063 | What periodic scripts are configured? | macOS | 0 |
| Q1064 | What systemd timers are configured? | T1053.006 Linux | 0 |
| Q1065 | What files are referenced in Registry "Run" keys? | T1547.001 Windows | 0 |
| Q1066 | What items are in startup folders? | T1547.001 Windows | 0 |
| Q1067 | What system services are installed? | macOS Linux Windows | 0 |
| Q1068 | When were system services last modified? | macOS Linux Windows | 0 |
| Q1069 | Are there any indications of dylib hijacking? | macOS T1574.004 | 0 |
| Q1070 | Are there any indications of dylib proxying? | macOS | 0 |
| Q1071 | Are there any indications of dynamic linker hijacking? | T1574.006 macOS Linux | 0 |
| Q1072 | Did Chrome's DNS Prefetching cause a DNS query? | DNS Web Browser | 0 |
| Q1073 | Have there been any modifications to the "hosts" file? | 0 | |
| Q1074 | Were any system event logs cleared? | CrowdStrike T1070.002 Windows T1070.001 Event Logs macOS Linux | 2 |
| Q1075 | Is the recipient account controlled by the sender? | 0 | |
| Q1076 | Were the files screenshots? | 0 | |
| Q1077 | Were there bulk downloads from Google Drive? | 0 | |
| Q1078 | Were the files copies? | 0 | |
| Q1079 | Is there a history of communication with the recipients? | 0 | |
| Q1080 | How many external recipients does the email have? | 0 | |
| Q1081 | Does the user have a recently provisioned host? | 0 | |
| Q1082 | Were any files sent via AirDrop? | 0 | |
| Q1083 | Were any files sent via Bluetooth? | T1011.001 | 0 |
| Q1084 | What data was uploaded to a website via a web browser? | 0 | |
| Q1085 | What DNS requests have been made from a system? | 0 | |
| Q1086 | What web-based email messages were viewed in a web browser? | 0 | |
| Q1087 | Did the user access any common PaaS/SaaS services? | 0 | |
| Q1088 | Did the user connect to any non-Company systems using the command line? | 0 | |
| Q1089 | Did the user download any Citrix configuration (.ica) files? | 0 | |
| Q1090 | Did the user interact with any git repositories? | 0 |