00:00 - Introduction
01:10 - Going over the questions
03:50 - Examining the forensic acquisition files
07:10 - Dumping the SAM Database to get hashes of the local accounts
12:25 - Running MFTECmd to convert the MFT (Master File Table) Dump to a JSON and CSV
15:35 - Analyzing the IIS Access Log
22:30 - Showing the files the attacker accessed in the Access Log
27:00 - Grabbing the MOVEit Metasploit script, since the user agent hinted that Metasploit was being run
36:10 - Using Chainsaw to convert the Security event log to JSON and hunt for suspicious events
42:30 - Analyzing the MFT JSON Output to discover when a file was written to disk
52:10 - Looking at the PowerShell console history to see which commands were run
55:27 - Analyzing the MOVEit MySQL dump file by importing it into a MySQL server
1:02:30 - Going over the Chainsaw hunt on the Security event log
1:11:40 - Looking at Security.json and using some jq-fu to show specific data
1:21:50 - Looking at the strings from the memory dump, to see commands ran and the actual webshell
1:26:30 - Showing the Defender log with Chainsaw
Video: Post IR Investigation - MoveIT Exploit - HTB Sherlocks - I Like To. Uploaded by IppSec on 17 November 2023; viewed 11,746 times and liked by 413 people.