IR Employee Fell for a Call Center - HTB Sherlocks - Tick Tock
Published on 29 Jun 2024
00:00 - Introduction
07:50 - Analyzing the files we have
11:45 - Using Impacket to dump local creds
16:28 - Running MFTECmd to process MFT File and Chainsaw to process logs. These take a while
22:15 - Looking at the Prefetch files to see what programs have been run
29:00 - Looking at the TeamViewer log file
38:15 - Looking at the Firefox History to see when they downloaded TeamViewer
46:15 - Looking at the Chainsaw hunt output... Probably not ideal since some logs didn't copy well.
1:00:39 - Going over Sysmon logs with JQ to search and filter
1:03:50 - Showing a trick with jq so we can grep entire events to avoid writing a select filter
1:14:10 - Looking at PowerShell, discovering some encoded commands, which is where the BitLocker question is
1:21:00 - Using EvtxECmd to try parsing the logs, discovering the log was empty...
1:27:50 - Looking at when the system time was changed based upon security log
1:45:00 - Having trouble finding the SID of the user, using registry hives to get this information
1:54:50 - Using date to help us convert date formats
I am really enjoying your Sherlock videos - keep up the good work Ippsec
Thanks for your videos, I wait for them more than any series of movies
Hope you enjoy it -- Certainly went a lot longer than I ever expected, was thinking it would be 30 minutes.
@ippsec I will enjoy it for sure, as every other video, I actually like 1+ hour long videos more. I love the way you go in depth with explanations and the way you explain everything.
Even though the video is longer than you expected, watching your natural ways and live approach to things is really valuable for us, for me at least :) Thanks for the great work, as always.
These DFIR challenges are super dope. Hope you are going to keep on with the sherlock series or even with more blue team content, especially IR. 👌😎
great video! hope to see many more!
Nothing, I just want to tell you that you are awesome
I found you on social media, and was finally able to put a relative face to the voice, but I think it's an edited photo. It's nice to see your face bro 😊😊
Amazing, Thanks for the video.
I also liked this 1+ hours of video, and live is even better
enjoy your videos
Wow, is Ippsec also planning to do Sherlocks every week. Respect.
Who else is not doing challenges and still busy setting up/improving their hacking environment to get optimal productivity and efficiency?
Just me?
MVP2023 👏🎉
Hey, Ippsec awesome video as always. Are you going to do anything for your members? The model you currently have doesn't really work imho. All the special content will be released anyway. E.g. do you have any experience in advanced reverse engineering malware ? Like emulation, anti evasion techniques, defeating control flow flattening and such
I plan to do streams at the start of next year, the vods will likely be available to members for a longer period. I will make it free eventually as I don’t want to paywall knowledge. I know it’s not the most profitable, but if I was in it for profit I would have converted the videos to be a HTB VIP perk.
I don’t do a lot of advanced malware reversing. Maybe in a stream we can still play with it
@ippsec awesome sounds good!
Prefetch files have like 8 timestamps of when the exe was run and records of circa 10 seconds of what the exe was loading, like files, DLLs etc ...
I gotta see, the format with you in the foreground for the sherlocks is pretty nice. Any thoughts on doing that for your other videos when you make them?
It's possible. I'm still playing with the idea as I really don't like when the text is going behind me.
@ippsec Easy fix, make yourself smaller in the corner. I can't explain why, but it's a really nice touch to be able to see you talking as you explain stuff.
Yeah, just be aware that the bottom left corner will cut off text. If it's important just dynamically adjust your camera. It will be a pain at first, but it's worth trying out.
It will add more personality to your videos.
@ominousSHELL not easy to do that when the camera doesn’t run in a vm.
@ippsec Oh, I don't know anything about streaming and recording. But you can probably find something. I mean John Hammond pulls it off in his videos, maybe it's worth asking how he does it.
Push!
Are you using any plugins in Obsidian? What happened to cherry? 😅
Nope, no plugins - I just like Obsidian more than CherryTree. Markdown is a much friendlier format than what CherryTree uses, which I think was XML.
Most people miss %appdata%/Roaming
What is the note tool you are using?
Obsidian
Thanks! @ippsec
Hey Ipp, let's watch Tom and Jerry and play Tony Hawk's Pro Skater 3 on the PlayStation®1
Probably better if you avoid reading the challenge questions before diving into analysis. That would be more realistic.
I think it would be hard to structure the video that way. Would be more realistic but wouldn’t know how deep to always go when doing the forensics, so the video probably would be a lot longer
First?