Log Analysis and Chainsaw Rule Creation - HTB Sherlocks - CrownJewel2

Name: Log Analysis and Chainsaw Rule Creation - HTB Sherlocks - CrownJewel2
Uploaded: 2024-11-01T19:59:05Z
Channel: IppSec
Description: 00:00 - Introduction 01:15 - Going over the Scenario 02:10 - Running Chainsaw Hunt to get an idea of whats in the log files, seeing a Volume Shadow Cop...

IppSec · Beginner ·🖊️ Copywriting & Content Strategy ·1y ago

00:00 - Introduction 01:15 - Going over the Scenario 02:10 - Running Chainsaw Hunt to get an idea of whats in the log files, seeing a Volume Shadow Copy Mount 04:20 - Running Hayabusa which is another tool that can analyze evtx files, it does a better job out of the box of showing malicious things 07:40 - Question 1: Looking at service start times to find when the latest time a Volume Shadow Copy started 13:10 - Question 2: Looking at the Full Path of the NTDS Dump File, when I say hunt found it was talking about Hayabusa's timeline 19:00 - Looking at how Chainsaw Rules Work so we can create …

Watch on YouTube ↗ (saves to browser)

Chapters (13)

Introduction

1:15 Going over the Scenario

2:10 Running Chainsaw Hunt to get an idea of whats in the log files, seeing a Volu

4:20 Running Hayabusa which is another tool that can analyze evtx files, it does a

7:40 Question 1: Looking at service start times to find when the latest time a Volu

13:10 Question 2: Looking at the Full Path of the NTDS Dump File, when I say hunt fo

19:00 Looking at how Chainsaw Rules Work so we can create a hunt rule on detecting N

22:00 Creating the Chainsaw Rule

25:10 Running the Chainsaw Hunt to detect the NTDSUtil Dumping NTDS.DIT

27:00 Question 3 and 4: Finding when the dump started and finished

35:10 Question 5: Getting the Event Source

35:42 Question 6: Getting the groups NTDSUtil enumerated before running the dump

37:30 Question 7: Getting the account logon event for the account that started the N

Playlist

Uploads from IppSec · IppSec · 0 of 60

← Previous Next →