IR Employee Fell for a Call Center HTB Sherlocks Tick Tock
00:00 Introduction
07:50 Analyzing the files we have
11:45 Using Impacket to dump local creds
16:28 Running MFTECmd to process the MFT file and Chainsaw to process logs. These take a while
22:15 Looking at the Prefetch files to see what programs have been run
29:00 Looking at the TeamViewer log file
38:15 Looking at the Firefox history to see when they downloaded TeamViewer
46:15 Looking at the Chainsaw hunt. Probably not ideal since some logs didn't copy well
1:00:39 Going over Sysmon logs with jq to search and filter
1:03:50 Showing a trick with jq so we can grep entire events to avoid writing a select filter
1:14:10 Looking at PowerShell, discovering some encoded commands, which is where the BitLocker question is
1:21:00 Using EvtxECmd to try parsing the logs, discovering the log was
1:27:50 Looking at when the system time was changed based upon the Security log
1:45:00 Having trouble finding the SID of the user, using registr
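The two chapters at 1:03:50 and 1:14:10 describe the same workflow: collapse each JSON-exported Sysmon event onto one line so a plain grep matches a string anywhere in the event (no `select()` filter needed), then decode the `-EncodedCommand` arguments that turn up. The block below is an added example, not code from the video or from HTB; it reproduces the jq trick in Python so it runs without jq (the jq equivalent is `jq -c '.[]' events.json | grep -i teamviewer`). The three Sysmon-style events, their field names and the encoded command are constructed for illustration and are not from the Tick Tock evidence.

```python
import base64
import json
import re

# Constructed sample: three Sysmon-style events in the JSON-array shape an
# EVTX-to-JSON export produces. Field names and values are illustrative only.
ENCODED_CMD = base64.b64encode("Get-Date".encode("utf-16-le")).decode("ascii")
SAMPLE_EVENTS = [
    {"EventID": 1, "User": "ALPHA\\jsmith",
     "Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
     "CommandLine": f"powershell.exe -nop -w hidden -enc {ENCODED_CMD}"},
    {"EventID": 1, "User": "ALPHA\\jsmith",
     "Image": "C:\\Users\\jsmith\\Downloads\\TeamViewer_Setup.exe",
     "CommandLine": "\"C:\\Users\\jsmith\\Downloads\\TeamViewer_Setup.exe\""},
    {"EventID": 3, "User": "ALPHA\\jsmith",
     "Image": "C:\\Program Files\\TeamViewer\\TeamViewer.exe",
     "DestinationIp": "10.0.0.5", "DestinationPort": 5938},
]


def flatten(events):
    """One compact JSON line per event (what `jq -c '.[]'` does), so a plain
    grep can match a string in any field without knowing which field holds it."""
    return [json.dumps(ev, separators=(",", ":")) for ev in events]


def grep_events(events, pattern):
    """Return the events whose flattened line matches the regex (case-insensitive)."""
    rx = re.compile(pattern, re.IGNORECASE)
    return [json.loads(line) for line in flatten(events) if rx.search(line)]


# powershell.exe accepts -e, -ec, -enc, ... -EncodedCommand (any prefix of the
# parameter name), followed by a base64 token.
ENC_RX = re.compile(r"-e[a-z]*\s+([A-Za-z0-9+/=]{8,})", re.IGNORECASE)


def decode_encoded_commands(command_line):
    """Decode each -EncodedCommand argument: base64 of UTF-16LE text.
    Tokens that are not valid base64/UTF-16LE (for example the value of
    -ExecutionPolicy, which also starts with -E) are skipped."""
    decoded = []
    for m in ENC_RX.finditer(command_line):
        try:
            text = base64.b64decode(m.group(1), validate=True).decode("utf-16-le")
        except (ValueError, UnicodeDecodeError):  # binascii.Error is a ValueError
            continue
        if text.isprintable():
            decoded.append(text)
    return decoded


def find_encoded_powershell(events):
    """Flatten+grep for encoded PowerShell launches, then decode what was found.
    Returns (EventID, decoded command) pairs."""
    hits = []
    for ev in grep_events(events, r"powershell.*-e[a-z]*\s+[A-Za-z0-9+/=]{8,}"):
        for cmd in decode_encoded_commands(ev.get("CommandLine", "")):
            hits.append((ev["EventID"], cmd))
    return hits


if __name__ == "__main__":
    for line in flatten(SAMPLE_EVENTS):
        print(line)
    print("TeamViewer events:", [ev["EventID"] for ev in grep_events(SAMPLE_EVENTS, "teamviewer")])
    print("Encoded PowerShell:", find_encoded_powershell(SAMPLE_EVENTS))
```

The grep pass is deliberately loose (any field, case-insensitive); the decode step is the strict filter, so a near-miss such as `-ExecutionPolicy Bypass` is dropped rather than reported as a bogus command.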