IR Employee Fell for a Call Center - HTB Sherlocks - Tick Tock
00:00 - Introduction
07:50 - Analyzing the files we have
11:45 - Using Impacket to dump local creds
16:28 - Running MFTECmd to process MFT File and Chainsaw to process logs. These take a while
22:15 - Looking at the Prefetch files to see what programs have been run
29:00 - Looking at the Teamviewer log file
38:15 - Looking at the Firefox History to see when they downloaded TeamViewer
46:15 - Looking at the Chainsaw hunt output... Probably not ideal since some logs didn’t copy well.
1:00:39 - Going over Sysmon logs with JQ to search and filter
1:03:50 - Showing a trick with jq so we can grep entire events to avoid writing a select filter
1:14:10 - Looking at powershell, discovering some encoded commands which is where the bitlocker question is
1:21:00 - Using EvtxECmd to try parsing the logs, discovering the log was empty...
1:27:50 - Looking at when the system time was changed based upon security log
1:45:00 - Having trouble finding the SID of the user, using registr
2 months ago 00:13:03 1
3 months ago 00:18:33 1
4 months ago 00:27:25 1
4 months ago 00:01:42 1
6 months ago 00:14:06 1
6 months ago 01:14:23 1
6 months ago 00:56:06 1
7 months ago 00:59:03 1
8 months ago 00:19:14 1
9 months ago 00:12:51 1
10 months ago 02:25:26 1
10 months ago 01:59:09 8
11 months ago 00:21:33 1
11 months ago 01:07:04 1
11 months ago 00:22:53 1
11 months ago 00:36:33 1
12 months ago 00:04:41 1
1 year ago 01:09:57 1
1 year ago 01:05:24 1
1 year ago 00:03:02 1
![BEAUZ, Ellis & Sarah de Warren - IRL [Monstercat Release]](https://sun9-6.userapi.com/ydIX0UbfjQujazhkpRfGpth82ZRP7t6dOxPgHg/6FwO1CThAlw.jpg)
1 year ago 00:08:39 1
1 year ago 00:01:58 1
1 year ago 00:07:44 1
1 year ago 00:03:43 1
