Post IR Investigation - MoveIT Exploit - HTB Sherlocks - I Like To

Published: 17 November 2023
on channel: IppSec
Views: 11,746
Likes: 413

00:00 - Introduction
01:10 - Going over the questions
03:50 - Examining the forensic acquisition files
07:10 - Dumping the SAM database to get hashes of the local accounts
12:25 - Running MFTECmd to convert the MFT (Master File Table) Dump to a JSON and CSV
15:35 - Analyzing the IIS Access Log
22:30 - Showing the files the attacker accessed in the Access Log
27:00 - Grabbing the MoveIT Metasploit script, since the user agent hinted at Metasploit being run
36:10 - Using Chainsaw to convert the Security event log to JSON and hunt for suspicious events
42:30 - Analyzing the MFT JSON Output to discover when a file was written to disk
52:10 - Looking at the PowerShell console history to get what commands were run
55:27 - Analyzing the MoveIT MySQL dump file by copying it into a MySQL server
1:02:30 - Going over the chainsaw hunt on security event log
1:11:40 - Looking at Security.json and using some jq-fu to show specific data
1:21:50 - Looking at the strings from the memory dump to see the commands run and the actual webshell
1:26:30 - Showing the Defender log with Chainsaw
