Why Lists?

Windows Incident Response – H. Carvey
So much of what we see in cybersecurity, in SOC, DFIR, red teaming/ethical hacking/pen testing, seems to be predicated on lists. Okay, so what’s up with lists, you ask. What’s the “so, what?” Lists are great…they often show us new tools that we hadn’t seen or heard about, possibly tools that might be more effective or efficient for us and our workflows. Lists, particularly checklists, can be useful. Are lists enough? I recently ran across a specific kind of list…the “cheat sheet”. It was different from some other similar cheat sheets I’d seen because it was broken down by Windows Event Log file, with the “event IDs of interest” listed beneath each heading. However, even though this cheat sheet was “different”, it was still just a list, and it still wasn’t sufficient for analysis today. Why is that? Because a simple list doesn’t give you the how, nor does it give you the why. We need to focus less on simple lists and more on developing investigative goals and artifact constellations, so that we can understand what that entry means within the overall context of our investigation, and what it means when the entry is absent.
Link: https://windowsir.blogspot.com/2023/02/why-lists.html

