Questions
Questions are the core of DFIQ. All other DFIQ components are relative to Questions: Approaches describe how to answer the Questions, and Scenarios and Facets organize the Questions logically. Below is an index of all the Questions that are defined as part of DFIQ.
Some quick facts about Questions in DFIQ:
- Questions should be small enough in scope that they can be readily answered
- A single Question can be reused in multiple different Facets
- If a Question has any Approaches defined, it will render as a link to the detailed Question page
Note
Not all the Questions have Approaches defined; in fact, most don't at the moment. If you'd like to contribute an idea for a new Question, or a new Approach for answering an existing Question, please open an issue on GitHub.
Questions Index
| ID | Question | Tags | Approaches |
|---|---|---|---|
| Q1054 | What Launch Daemons are configured? | macOS T1543.004 | 0 |
| Q1017 | Were any files collected into a container? | 0 | |
| Q1057 | What network logon scripts are configured? | T1037.003 Windows | 0 |
| Q1050 | Are there any GCS buckets within the cloud project shared externally? | 0 | |
| Q1080 | How many external recipients does the email have? | 0 | |
| Q1074 | Were any system event logs cleared? | T1070.001 T1070.002 Linux Windows macOS | 0 |
| Q1065 | What files are referenced in Registry "Run" keys? | T1547.001 Windows | 0 |
| Q1058 | What domain accounts have been created? | T1136.002 Windows | 0 |
| Q1055 | What Windows logon scripts are configured? | Windows T1037.001 | 0 |
| Q1072 | Did Chrome's DNS Prefetching cause a DNS query? | Web Browser DNS | 0 |
| Q1012 | What files were copied from a USB device to a computer? | 0 | |
| Q1014 | What files did the actor open on their computer? | File Knowledge | 0 |
| Q1019 | What web browsers were running at a given time? | Web Browser | 0 |
| Q1083 | Were any files sent via Bluetooth? | T1011.001 | 0 |
| Q1075 | Is the recipient account controlled by the sender? | 0 | |
| Q1002 | What USB devices were attached to a computer? | 0 | |
| Q1028 | Was there specialized "anti-forensic" (or "privacy") software on a computer? | 0 | |
| Q1067 | What system services are installed? | macOS Linux Windows | 0 |
| Q1063 | What periodic scripts are configured? | macOS | 0 |
| Q1078 | Were the files copies? | 0 | |
| Q1027 | Are there any sudden changes in the number of files on a device? | 0 | |
| Q1041 | Are there any unexpected successful API calls from an unknown external IP address (including Tor Exit nodes, C2 tagged addresses)? | 0 | |
| Q1021 | What Chrome extensions are installed? | Web Browser | 0 |
| Q1069 | Are there any indications of dylib hijacking? | macOS T1574.004 | 0 |
| Q1001 | What files were downloaded using a web browser? | NTFS Safari USN Journal Windows macOS Edge SQLite Chrome Web Browser | 3 |
| Q1004 | What screenshots were taken on a computer? | 0 | |
| Q1039 | Are there any detections of exposed service account credentials? | 0 | |
| Q1024 | Was an Incognito/Private browser session used? | Web Browser | 0 |
| Q1071 | Are there any indications of dynamic linker hijacking? | T1574.006 macOS Linux | 0 |
| Q1005 | What files have ever been on a computer? | 0 | |
| Q1052 | What browser extensions (non-Chrome) are installed? | Web Browser | 0 |
| Q1056 | What login hooks are configured? | macOS T1037.002 | 0 |
| Q1049 | Is there an unusual increase of traffic between resource in the cloud project? | 0 | |
| Q1015 | What syncing activities did external "cloud storage" applications do on a computer? | 0 | |
| Q1010 | What was printed from a computer? | 0 | |
| Q1006 | What files are present on a computer? | 0 | |
| Q1035 | Were any copies made of sensitive files? | 0 | |
| Q1025 | What external accounts has the actor used in their web browser? | 0 | |
| Q1047 | Are there any suspicious modifications to the cloud project firewall rules/policies? | 0 | |
| Q1003 | What files were copied from a computer to a USB device? | 0 | |
| Q1045 | Are there any unknown accounts created? | 0 | |
| Q1053 | What Launch Agents are configured? | macOS T1543.001 | 0 |
| Q1016 | What files were sent externally via email attachments? | 0 | |
| Q1009 | What interactions with external cloud storage sites did the actor have using their web browser? | 0 | |
| Q1044 | Are there any unexpected resources created under the cloud project? | 0 | |
| Q1018 | What process made the DNS query? | DNS | 0 |
| Q1064 | What systemd timers are configured? | T1053.006 Linux | 0 |
| Q1037 | Have there been any executions of PsExeSrv? | Prefetch Event Logs Windows | 3 |
| Q1079 | Is there a history of communication with the recipients? | 0 | |
| Q1038 | Were any files sent via CLI utilities? | 0 | |
| Q1036 | Have there been any executions of PsExec? | Prefetch Event Logs Windows | 2 |
| Q1008 | What programs are installed on a computer? | 0 | |
| Q1084 | What data was uploaded to a website via a web browser? | 0 | |
| Q1030 | Were any security or monitoring agents tampered with or disabled? | 0 | |
| Q1032 | What actions were taken in an Incognito (or "private") browser session? | 0 | |
| Q1070 | Are there any indications of dylib proxying? | macOS | 0 |
| Q1077 | Were there bulk downloads from Google Drive? | 0 | |
| Q1013 | What files are present on a USB device? | 0 | |
| Q1046 | Are there any unknown role bindings created? | 0 | |
| Q1023 | Is a given Chrome extension associated with a given domain? | Chrome T1176 | 0 |
| Q1062 | What cron jobs are configured? | macOS Linux T1053.003 | 0 |
| Q1059 | What local accounts have been created? | T1136.001 macOS Linux Windows | 0 |
| Q1048 | Are there any suspicious modifications to the cloud project logging configuration? | 0 | |
| Q1060 | What AT jobs are configured? | T1053.002 macOS Linux | 0 |
| Q1042 | Are there any APIs recently enabled? | 0 | |
| Q1051 | Are there any signs of data within the cloud project being transferred externally? | 0 | |
| Q1068 | When were system services last modified? | macOS Linux Windows | 0 |
| Q1082 | Were any files sent via AirDrop? | 0 | |
| Q1029 | Were any encryption programs used on a computer? | 0 | |
| Q1061 | What Scheduled Tasks are configured? | Windows T1053.005 | 0 |
| Q1081 | Does the user have a recently provisioned host? | 0 | |
| Q1066 | What items are in startup folders? | T1547.001 Windows | 0 |
| Q1026 | What files were downloaded from messaging apps? | 0 | |
| Q1020 | What pages did web browsers visit? | Safari Internet Explorer Edge Firefox SQLite Chrome Web Browser | 1 |
| Q1043 | Are there any role bindings to cluster admin for anonymous users? | 0 | |
| Q1040 | Are there any interaction with the cloud project resources from an unknown external IP address (including Tor Exit nodes, C2 tagged addresses)? | 0 | |
| Q1033 | Was shell history cleared? | 0 | |
| Q1073 | Have there been any modifications to the "hosts" file? | 0 | |
| Q1007 | What files were synced or backed-up to external services? | T1567.002 | 0 |
| Q1076 | Were the files screenshots? | 0 | |
| Q1022 | What actions did a Chrome extension perform? | Chrome Web Browser Browser Extension | 0 |
| Q1011 | What files were sent or received by a chat application? | 0 | |
| Q1034 | Was content copied from a file? | 0 | |
| Q1031 | How much network traffic was there to/from a machine? | 0 |