Logs and captured traffic show the attack across systems and over the wire — lateral movement, command-and-control, and exfiltration. Reconstruct the path, end to end.
Why: no single host holds the whole story — logs from authentication, endpoints, proxies, and firewalls together reveal how an attacker moved across the environment — so cross-system log analysis reconstructs the full incident. When: correlate logs by user, host, IP, and time to trace initial access through lateral movement. Where: this is the DFIR side of the SIEM/detection work, applied after the fact to a confirmed incident.
Trace the attack across systems by correlating logs:
initial access auth logs: first anomalous login (where from?)
execution endpoint/process logs: what they ran
lateral movement auth + network logs: which hosts next, via what
C2 / exfil proxy/DNS/firewall logs: outbound to where, how much
Pivot on shared keys (user, host, IP, time) to follow the chain end-to-end.Why: a packet capture is ground truth for what crossed the network — it can reveal command-and-control channels, credentials sent in the clear, and data being exfiltrated. When: analyze a pcap from the incident window with Wireshark/tshark, following the suspicious conversations. Where: even encrypted traffic yields metadata (who talked to whom, when, how much), which exposes beaconing and exfiltration patterns.
# Triage a capture from the command line (tshark), then pivot into Wireshark:
tshark -r capture.pcap -q -z conv,ip # top talkers (who <-> who)
tshark -r capture.pcap -Y "dns" -T fields -e dns.qry.name | sort | uniq -c
# ^ unusual/algorithmic domains = possible C2 (DGA) or exfil-over-DNS
# Follow a suspicious TCP stream in Wireshark: right-click -> Follow -> TCP StreamWhy: two behaviors define most intrusions on the wire — command-and-control (regular "beacon" callbacks to the attacker) and exfiltration (data leaving) — and both have recognizable patterns even without decrypting payloads. When: look for periodic connections to unfamiliar hosts and large or steady outbound transfers. Where: recognizing these patterns both aids forensics and feeds new detection rules to catch the next occurrence.
COMMAND & CONTROL (C2) signatures:
- regular, periodic callbacks (beaconing) to one external host
- small consistent requests + larger responses (tasking)
- traffic to newly-registered or algorithmic (DGA) domains
EXFILTRATION signatures:
- large or steady OUTBOUND transfers, often off-hours
- data tunneled over DNS/HTTPS to an unexpected destination
Feed every pattern you confirm back into detection (Threat Detection course).