Really nice that you're doing these Sherlocks more often. They are super easy, but it's always fun to watch how you tackle those, whatever the difficulty.
Thanks for the video. Keep these Sherlock videos coming! :)
ippSeeeec has the best explanations on YT! :D :D GG Dudee!!
Glad to see you 😊
Thank you again!
Good morning, Ippy. (slap)
34:04 It seems like the problem wasn't the dollar sign, but rather the lack of a correct file extension. I ran into the same issue while doing it and got curious about why it wasn't working; turns out the issue was the absence of the ".mft" or ".bin" extension.
Yup it needs to be the .bin extension, I just got lucky back when I recorded this. Later looked at the source code for other features and saw what it was doing.
Wow... that's awesome. I really hate forensics, but it looks easy when you do it.
When I'm forced to use clunky GUIs I absolutely hate forensics. However, if I can get the data over to a format I can easily use some bash-fu and queries on, then I love it. You'll be surprised at how much learning how to search JSON blobs will help you down the line, whether it's offense/defense or even just being a regular developer. I'm sure there are many other fields it helps in, but those are the ones I can speak on from experience.
Thanks @ippsec for the amazing walkthrough, but to be honest I didn't like some parts of the video in which you were looking for the answer rather than showing how to approach the question (for instance: applying a regex to find that GUID...)
forensicators use logic but you use bash 😂
Thanks anyway ❤
Appreciate the feedback! I believe I show the logic behind it after I show the regex, but may over-clickbait it by saying I'm "Cheesing the question", which wasn't the intent.
I've done forensic work in the past and these crude searches help quite often. The problem I think a lot of forensic people have is they are very "by the books" and they often try to find things in a book/blog/etc.
My goal is to encourage viewers to think outside the box and become independent learners. In this case, I used grep based on a question, but in real investigations, I always ask questions and search for answers to guide my approach.
For instance, if I weren’t familiar with the Sherlock attack, I’d simulate it on my machine, then grep logs for unique data tied to the attacker's actions. They would see and use the GUID both when creating and deleting the shadow copy, which provides critical clues.
In many investigations, building a timeline chronologically can lead to roadblocks. However, using techniques like those I demonstrated helps uncover potential clues quickly, allowing you to work backward and verify them as part of your investigation.
Another example: attackers may configure Defender with some exclusion directories, to have it not flag their malware. If I were a defender, I'd create the exclusion directory myself, then grep for the directory and see if it showed up in any event log. IMO, that is the correct way to monitor for exclusions; however, I've come across a lot of defenders that write a rule based upon process execution, looking for mpruncmd with the args to exclude a directory. If the attacker renames the process, or uses PowerShell, then they evade that signature.
Hope that clears things up a little bit.
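The "simulate it, then grep the logs for the artifact" approach from the reply above (and the JSON-blob searching mentioned earlier in the thread), as an added Python example that is not from the video or from ippsec: it scans evtx records already converted to JSON for a known string such as an exclusion path or a shadow-copy GUID and reports the channel, Event ID and field of every hit. The Event/System/EventData record layout is assumed to match evtx_dump-style converters, and all timestamps, paths and the GUID are constructed for illustration.

```python
import json
from typing import Any, Iterator

# Constructed sample records in the Event -> System / EventData layout that
# evtx-to-JSON converters emit. Record shape, timestamps, paths and the GUID
# are assumptions for illustration, not data from the video or the Sherlock.
SAMPLE_EVENTS_JSON = r'''[
 {"Event": {"System": {"Channel": "Microsoft-Windows-Windows Defender/Operational", "EventID": 5007,
   "TimeCreated": {"#attributes": {"SystemTime": "2024-03-01T10:02:11Z"}}},
  "EventData": {"New Value": "HKLM\\SOFTWARE\\Microsoft\\Windows Defender\\Exclusions\\Paths\\C:\\Users\\Public\\tools = 0x0"}}},
 {"Event": {"System": {"Channel": "Application", "EventID": {"#text": 8224, "#attributes": {"Qualifiers": 0}},
   "TimeCreated": {"#attributes": {"SystemTime": "2024-03-01T10:05:40Z"}}},
  "EventData": {"Data": "Shadow copy {0b1c2d3e-1111-2222-3333-444455556666} created"}}},
 {"Event": {"System": {"Channel": "Security", "EventID": 4688,
   "TimeCreated": {"#attributes": {"SystemTime": "2024-03-01T10:06:00Z"}}},
  "EventData": {"NewProcessName": "C:\\Windows\\System32\\notepad.exe"}}},
 {"Event": {"System": {"Channel": "Application", "EventID": 8224,
   "TimeCreated": {"#attributes": {"SystemTime": "2024-03-01T10:09:15Z"}}},
  "EventData": {"Data": "Shadow copy {0B1C2D3E-1111-2222-3333-444455556666} deleted"}}}
]'''
SAMPLE_EVENTS = json.loads(SAMPLE_EVENTS_JSON)


def _walk(node: Any, path: str = "") -> Iterator[tuple]:
    """Yield (json_path, text) for every leaf under node, whatever the nesting."""
    if isinstance(node, dict):
        for key, val in node.items():
            yield from _walk(val, f"{path}.{key}" if path else key)
    elif isinstance(node, list):
        for i, val in enumerate(node):
            yield from _walk(val, f"{path}[{i}]")
    elif node is not None:
        yield path, str(node)


def find_artifact(events: list, needle: str) -> list:
    """Return every event whose fields contain needle (case-insensitive),
    oldest first, with the channel, EventID and field name to pivot on."""
    hits = []
    for ev in events:
        system = ev["Event"]["System"]
        eid = system["EventID"]  # bare int in some converters, {"#text": n} in others
        for path, text in _walk(ev["Event"]):
            if needle.lower() in text.lower():
                hits.append({"time": system["TimeCreated"]["#attributes"]["SystemTime"],
                             "channel": system["Channel"],
                             "event_id": int(eid["#text"] if isinstance(eid, dict) else eid),
                             "field": path})
                break  # one match per event is enough to flag it
    return sorted(hits, key=lambda h: h["time"])
```

Searching for the exclusion path surfaces only the Defender 5007 record, while searching for the GUID returns both the create and delete records in order, giving a starting point for working backward through the timeline.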
Great stuff! Is there any reliable way to map the EventIDs to their descriptions on Linux without using ChatGPT?
Thank You
Really great vid! As a beginner I tried to use the Event Viewer for those challenges.... but not really a big fan of it 💀. Out of curiosity, besides chainsaw is there any other tool you would recommend when doing *.evtx analysis on Linux 🤔?
You may be able to run PowerShell on Linux and do it that way, but I prefer chainsaw (even on Windows); having the hunt options is really nice.
Push!
Sir, the HTB box is going down slowly; I am a VIP user?
873 Rod Turnpike