IR Employee Fell for a Call Center - HTB Sherlocks - Tick Tock

00:00 - Introduction
07:50 - Analyzing the files we have
11:45 - Using Impacket to dump local creds
16:28 - Running MFTECmd to process the MFT file and Chainsaw to process logs. These take a while
22:15 - Looking at the Prefetch files to see what programs have been run
29:00 - Looking at the TeamViewer log file
38:15 - Looking at the Firefox history to see when they downloaded TeamViewer
46:15 - Looking at the Chainsaw hunt output... Probably not ideal since some logs didn't copy well.
1:00:39 - Going over Sysmon logs with jq to search and filter
1:03:50 - Showing a trick with jq so we can grep entire events to avoid writing a select filter
1:14:10 - Looking at PowerShell, discovering some encoded commands which is where the BitLocker question is
1:21:00 - Using EvtxECmd to try parsing the logs, discovering the log was empty...
1:27:50 - Looking at when the system time was changed based upon the Security log
1:45:00 - Having trouble finding the SID of the user, using registr
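The two jq chapters (searching Sysmon logs, then compacting each event to one line so plain grep works instead of a hand-written `select` filter) and the PowerShell chapter (spotting encoded commands) boil down to one small pipeline. The example below is added here and is not code from the video or from Hack The Box; it reimplements the idea in Python so it runs without jq or the Sherlock's evidence. The event shape, field names, timestamps and command lines are constructed samples, not data from the case; only the encoding scheme (PowerShell `-EncodedCommand` takes base64 of UTF-16LE text, and accepts any unambiguous prefix such as `-e` or `-enc`) is real.

```python
import base64
import binascii
import json
import re


def encode_powershell(command: str) -> str:
    """Encode a command the way PowerShell expects for -EncodedCommand (base64 of UTF-16LE)."""
    return base64.b64encode(command.encode("utf-16-le")).decode("ascii")


# Constructed sample events in a Sysmon-to-JSON shape (assumed layout, not from the case).
SAMPLE_EVENTS = [
    {"Event": {"System": {"EventID": 1, "TimeCreated": "2023-05-04T10:15:00Z"},
               "EventData": {"Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
                             "CommandLine": "powershell.exe -NoP -W Hidden -EncodedCommand "
                                            + encode_powershell("Get-ChildItem C:\\Users")}}},
    {"Event": {"System": {"EventID": 1, "TimeCreated": "2023-05-04T10:16:30Z"},
               "EventData": {"Image": "C:\\Windows\\System32\\cmd.exe",
                             "CommandLine": "cmd.exe /c whoami"}}},
    {"Event": {"System": {"EventID": 1, "TimeCreated": "2023-05-04T10:18:05Z"},
               "EventData": {"Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
                             "CommandLine": "powershell.exe -ExecutionPolicy Bypass -NoProfile -e "
                                            + encode_powershell("whoami /all")}}},
]


def compact(event: dict) -> str:
    """Equivalent of `jq -c .`: the whole event on one line, so grep sees every field at once."""
    return json.dumps(event, separators=(",", ":"), ensure_ascii=False)


def grep_events(events, pattern: str):
    """The 'grep the compacted event' trick: keep events whose one-line form matches the regex."""
    rx = re.compile(pattern, re.I)
    return [e for e in events if rx.search(compact(e))]


# A switch starting with -e or /e followed by a base64-looking token. The lookbehind keeps
# "/e" inside a base64 payload from being mistaken for a new switch.
_ENC_FLAG = re.compile(r"(?<!\S)[-/](e[a-z]*)\s+([A-Za-z0-9+/=]+)", re.I)


def decode_encoded_command(cmdline: str):
    """Return the decoded -EncodedCommand payload, or None if the line carries none."""
    for m in _ENC_FLAG.finditer(cmdline):
        flag, payload = m.group(1).lower(), m.group(2)
        if not "encodedcommand".startswith(flag):
            continue  # e.g. -ExecutionPolicy: starts with e but is not the encoded switch
        try:
            return base64.b64decode(payload, validate=True).decode("utf-16-le")
        except (binascii.Error, UnicodeDecodeError):
            return None
    return None


def find_encoded_powershell(events):
    """Grep stage first (cheap, on the compact line), then decode only the survivors."""
    hits = []
    for e in grep_events(events, r"-e[a-z]*\s+[A-Za-z0-9+/=]{16,}"):
        data = e["Event"]["EventData"]
        decoded = decode_encoded_command(data["CommandLine"])
        if decoded is not None:
            hits.append({"time": e["Event"]["System"]["TimeCreated"],
                         "image": data["Image"], "decoded": decoded})
    return hits


if __name__ == "__main__":
    for hit in find_encoded_powershell(SAMPLE_EVENTS):
        print(hit["time"], hit["image"], "->", hit["decoded"])
```

On the real evidence the input would be the JSON that Chainsaw or EvtxECmd emits per event, read one object per line; the grep pattern is deliberately loose so it also catches `-enc`, `-ec` and `/e`, and the decode step is what turns the base64 into something you can actually read when answering the question.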