Post IR Investigation - MoveIT Exploit - HTB Sherlocks - I Like To

00:00 - Introduction 01:10 - Going over the questions 03:50 - Examing the forensic acquisition files 07:10 - Dumping the SAM Database to get hashes of the local accounts 12:25 - Running MFTECmd to convert the MFT (Master File Table) Dump to a JSON and CSV 15:35 - Analyzing the IIS Access Log 22:30 - Showing the files the attacker accessed in the Access Log 27:00 - Grabbing the Moveit metasploit script since the useragent hinted at metasploit being ran 36:10 - Using Chainsaw to convert the Security event log to JSON and hunt for suspicious events 42:30 - Analyzing the MFT JSON Output to discover when a file was written to disk 52:10 - Looking at the Powershell Console History to get what commands were ran 55:27 - Analyzing the Moveit MYSQL Dump file by copying it into a MySQL Server 1:02:30 - Going over the chainsaw hunt on security event log 1:11:40 - Looking at Security.json and using some jq-fu to show specific data 1:21:50 - Looking at the strings from the memory dump, to see commands ran and the actual webshell 1:26:30 - Showing the Defender log with Chainsaw