A manual approach
In some cases, we will not have the same level of visibility, simply because no EDR product is installed on our endpoints. This forces us to take a more manual approach to the process.
There are a few main places we need to inspect to find evidence:
- The local file system and running memory
- Event logs
- Task Scheduler and BITS
- Registry changes
- Evidence from security products such as Microsoft Defender or third-party security tools
Ideally, you already know which user opened the attachment and whether that user is still logged on to the computer, because a live session lets you see exactly what is running on the machine.
If the user has logged out or the machine has been shut down, log on with a local administrator account if you have one, and make sure the machine is disconnected from the network before you do. Keep in mind that a shutdown has already lost whatever was in memory, and that your own logon writes to the disk (profile data, event log entries), so note when and as which account you logged on so that your activity can later be separated from the attacker's.
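The following triage script is an added example, not code from the book, that walks the list above on an isolated Windows host without EDR: it captures volatile data first, then recently written files, exported event logs, scheduled tasks and BITS jobs, autostart registry keys, and whatever Defender already recorded. It assumes you run it elevated from removable media and that `E:\` is an external drive for the output (both are assumptions; change `$OutDir` to suit). A full memory image still needs a dedicated acquisition tool and is not part of this script.

```powershell
# triage.ps1 - constructed example of a manual triage pass on an isolated Windows host without EDR.
# Run elevated (local administrator), ideally from removable media, writing only to $OutDir
# so the disk under investigation is modified as little as possible.
param(
    # Assumed output location: an external drive, not the suspect disk
    [string]$OutDir = "E:\triage\$($env:COMPUTERNAME)_$(Get-Date -Format 'yyyyMMdd_HHmmss')",
    [int]$LookbackDays = 7
)
$ErrorActionPreference = 'SilentlyContinue'   # a missing log or cmdlet must not abort the whole sweep
New-Item -ItemType Directory -Path $OutDir -Force | Out-Null
$since = (Get-Date).AddDays(-$LookbackDays)

# 1. Volatile data first. A RAM image needs a separate acquisition tool (not shown); at minimum
#    capture the process tree with command lines and open connections before anything else is touched.
Get-CimInstance Win32_Process |
    Select-Object ProcessId, ParentProcessId, Name, ExecutablePath, CommandLine, CreationDate |
    Export-Csv (Join-Path $OutDir 'processes.csv') -NoTypeInformation
Get-NetTCPConnection |
    Select-Object LocalAddress, LocalPort, RemoteAddress, RemotePort, State, OwningProcess, CreationTime |
    Export-Csv (Join-Path $OutDir 'tcp_connections.csv') -NoTypeInformation

# 2. Recently written files in the usual drop locations for a malicious attachment, with hashes
$dropDirs = @("$env:SystemRoot\Temp", $env:ProgramData, $env:PUBLIC)
foreach ($userDir in Get-ChildItem 'C:\Users' -Directory) {
    $dropDirs += "$($userDir.FullName)\Downloads", "$($userDir.FullName)\AppData\Local\Temp",
                 "$($userDir.FullName)\AppData\Roaming",
                 "$($userDir.FullName)\AppData\Local\Microsoft\Windows\INetCache"
}
Get-ChildItem -Path $dropDirs -Recurse -File -Force |
    Where-Object { $_.LastWriteTime -ge $since -or $_.CreationTime -ge $since } |
    Select-Object FullName, Length, CreationTime, LastWriteTime,
        @{ n = 'SHA256'; e = { if ($_.Length -lt 50MB) { (Get-FileHash $_.FullName -Algorithm SHA256).Hash } } } |
    Export-Csv (Join-Path $OutDir 'recent_files.csv') -NoTypeInformation

# 3. Event logs: keep the native .evtx for later parsing, plus a quick CSV of high-value IDs.
#    4624 logon, 4688 process creation, 4698 task created, 4720/4732 account created / added to group,
#    7045 service installed, 4104 PowerShell script block (each needs the matching audit policy).
$logs = 'Security', 'System', 'Application', 'Microsoft-Windows-PowerShell/Operational',
        'Microsoft-Windows-TaskScheduler/Operational', 'Microsoft-Windows-Bits-Client/Operational',
        'Microsoft-Windows-Sysmon/Operational'
foreach ($log in $logs) {
    wevtutil.exe epl $log (Join-Path $OutDir (($log -replace '[/\\]', '_') + '.evtx')) 2>$null
}
$filters = @(
    @{ LogName = 'Security'; Id = 4624, 4688, 4698, 4720, 4732; StartTime = $since },
    @{ LogName = 'System'; Id = 7045; StartTime = $since },
    @{ LogName = 'Microsoft-Windows-PowerShell/Operational'; Id = 4104; StartTime = $since }
)
foreach ($f in $filters) {
    Get-WinEvent -FilterHashtable $f |
        Select-Object TimeCreated, LogName, Id, @{ n = 'Message'; e = { $_.Message -replace '\s+', ' ' } } |
        Export-Csv (Join-Path $OutDir 'events_of_interest.csv') -NoTypeInformation -Append
}

# 4. Scheduled tasks and BITS jobs: both are favourite persistence and download mechanisms
Get-ScheduledTask | ForEach-Object {
    $task = $_
    foreach ($a in $task.Actions) {
        [pscustomobject]@{ TaskPath = $task.TaskPath; TaskName = $task.TaskName; State = $task.State;
                           Author = $task.Author; Execute = $a.Execute; Arguments = $a.Arguments }
    }
} | Export-Csv (Join-Path $OutDir 'scheduled_tasks.csv') -NoTypeInformation
Import-Module BitsTransfer
# -AllUsers lists jobs owned by every account (including SYSTEM); it requires elevation
Get-BitsTransfer -AllUsers |
    Select-Object JobId, DisplayName, TransferType, JobState, OwnerAccount, CreationTime,
        @{ n = 'Files'; e = { ($_.FileList | ForEach-Object { "$($_.RemoteName) -> $($_.LocalName)" }) -join '; ' } } |
    Export-Csv (Join-Path $OutDir 'bits_jobs.csv') -NoTypeInformation

# 5. Autostart registry keys. HKCU: would only show the account running this script, so walk every
#    loaded user hive; a logged-off user's NTUSER.DAT has to be mounted with reg.exe load first.
$runKeys = @('HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
             'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
             'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run')
foreach ($hive in Get-ChildItem Registry::HKEY_USERS) {
    $runKeys += "Registry::$($hive.Name)\SOFTWARE\Microsoft\Windows\CurrentVersion\Run",
                "Registry::$($hive.Name)\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce"
}
$autoruns = foreach ($key in $runKeys) {
    $props = Get-ItemProperty -Path $key
    if ($props) {
        $props.PSObject.Properties |
            Where-Object { $_.Name -notmatch '^PS(Path|ParentPath|ChildName|Drive|Provider)$' } |
            ForEach-Object { [pscustomobject]@{ Key = $key; Name = $_.Name; Value = $_.Value } }
    }
}
$autoruns | Export-Csv (Join-Path $OutDir 'registry_autoruns.csv') -NoTypeInformation

# 6. Whatever Defender already caught (empty when a third-party AV is the active engine)
Get-MpThreatDetection |
    Select-Object InitialDetectionTime, ThreatID, ProcessName, DomainUser, ActionSuccess,
        @{ n = 'Resources'; e = { $_.Resources -join '; ' } } |
    Export-Csv (Join-Path $OutDir 'defender_detections.csv') -NoTypeInformation
Get-MpThreat | Select-Object ThreatID, ThreatName, SeverityID, IsActive, DidThreatExecute |
    Export-Csv (Join-Path $OutDir 'defender_threats.csv') -NoTypeInformation

# 7. Hash the collected artefacts so the collection itself can be verified later
$collected = Get-ChildItem $OutDir -File
$collected | Get-FileHash -Algorithm SHA256 |
    Export-Csv (Join-Path $OutDir 'manifest.csv') -NoTypeInformation
```

Run it as `.\triage.ps1 -OutDir 'E:\triage\case42' -LookbackDays 14` and review the CSV files offline; the `.evtx` exports can be loaded into Event Viewer or any log parser on an analysis machine. The order matters: process and connection data disappear the moment the machine is rebooted, so it is collected before the slower file walk, and nothing is written to `C:\` so that the file-system timeline you are about to build is not polluted by the triage itself.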
There are a lot of places where...