Post-IR Investigation: MOVEit Exploit (HTB Sherlocks: I Like To)
00:00 Introduction
01:10 Going over the questions
03:50 Examining the forensic acquisition files
07:10 Dumping the SAM database to get hashes of the local accounts
12:25 Running MFTECmd to convert the MFT (Master File Table) dump to JSON and CSV
15:35 Analyzing the IIS access log
22:30 Showing the files the attacker accessed in the access log
27:00 Grabbing the MOVEit Metasploit script, since the user agent hinted at Metasploit being run
36:10 Using Chainsaw to convert the Security event log to JSON and hunt for suspicious events
42:30 Analyzing the MFT JSON output to discover when a file was written to disk
52:10 Looking at the PowerShell console history to get what commands were run
55:27 Analyzing the MOVEit MySQL dump file by copying it into a MySQL server
1:02:30 Going over the Chainsaw hunt on the Security event log
1:11:40 Looking at and using some jq-fu to show specific data
1:21:50 Looking at the strings from the memory d