IR Employee Fell for a Call Center - HTB Sherlocks - Tick Tock

Published: 15 December 2023
on channel: IppSec
Views: 9,277
Likes: 247

00:00 - Introduction
07:50 - Analyzing the files we have
11:45 - Using Impacket to dump local creds
16:28 - Running MFTECmd to process the MFT file and Chainsaw to process the event logs. These take a while
22:15 - Looking at the Prefetch files to see what programs have been run
29:00 - Looking at the TeamViewer log file
38:15 - Looking at the Firefox history to see when they downloaded TeamViewer
46:15 - Looking at the Chainsaw hunt output... Probably not ideal since some logs didn't copy well.
1:00:39 - Going over Sysmon logs with jq to search and filter
1:03:50 - Showing a trick with jq so we can grep entire events to avoid writing a select filter
1:14:10 - Looking at PowerShell, discovering some encoded commands, which is where the BitLocker question is
1:21:00 - Using EvtxECmd to try parsing the logs, discovering the log was empty...
1:27:50 - Looking at when the system time was changed, based on the Security log
1:45:00 - Having trouble finding the SID of the user; using the registry hives to get this information
1:54:50 - Using date to help us convert date formats
