
Log Analysis and Chainsaw Rule Creation - HTB Sherlocks - CrownJewel2 (4 months ago)



00:00 - Introduction
01:15 - Going over the Scenario
02:10 - Running Chainsaw Hunt to get an idea of what's in the log files, seeing a Volume Shadow Copy Mount
04:20 - Running Hayabusa which is another tool that can analyze evtx files, it does a better job out of the box of showing malicious things
07:40 - Question 1: Looking at service start times to find when the latest time a Volume Shadow Copy started
13:10 - Question 2: Looking at the Full Path of the NTDS Dump File, when I say hunt found it was talking about Hayabusa's timeline
19:00 - Looking at how Chainsaw Rules Work so we can create a hunt rule on detecting NTDSUtil Dumping NTDS.DIT
22:00 - Creating the Chainsaw Rule
25:10 - Running the Chainsaw Hunt to detect the NTDSUtil Dumping NTDS.DIT
27:00 - Question 3 and 4: Finding when the dump started and finished
35:10 - Question 5: Getting the Event Source
35:42 - Question 6: Getting the groups NTDSUtil enumerated before running the dump
37:30 - Question 7: Getting the account logon event for the account that started the NTDSUtil Dump
