00:00 - Introduction
01:10 - Going over the questions
03:50 - Examining the forensic acquisition files
07:10 - Dumping the SAM Database to get hashes of the local accounts
12:25 - Running MFTECmd to convert the MFT (Master File Table) Dump to a JSON and CSV
15:35 - Analyzing the IIS Access Log
22:30 - Showing the files the attacker accessed in the Access Log
27:00 - Grabbing the MOVEit Metasploit script, since the user agent hinted at Metasploit being run
36:10 - Using Chainsaw to convert the Security event log to JSON and hunt for suspicious events
42:30 - Analyzing the MFT JSON Output to discover when a file was written to disk
52:10 - Looking at the PowerShell console history to see which commands were run
55:27 - Analyzing the MOVEit MySQL dump file by loading it into a MySQL server
1:02:30 - Going over the Chainsaw hunt on the Security event log
1:11:40 - Looking at Security.json and using some jq-fu to show specific data
1:21:50 - Looking at the strings from the memory dump to see the commands run and the actual webshell
1:26:30 - Showing the Defender log with Chainsaw
Video: Post IR Investigation - MoveIT Exploit - HTB Sherlocks - I Like To, uploaded to the IppSec channel on 17 November 2023.