Obsidian Vault
HTB-Sherlock
TickTock
Questions
zz01 - What was the name of the executable that was uploaded as a C2 agent?
zz02 - What was the session ID for the initial access?
zz03 - The attacker attempted to set a BitLocker password on the C drive; what was the password?
zz04 - What name was used by the attacker?
zz05 - What IP address did the C2 connect back to?
zz06 - What category did Windows Defender give to the C2 binary file?
zz07 - What was the filename of the PowerShell script the attackers used to manipulate time?
zz08 - What time did the initial access connection start?
zz09 - What is the SHA1 and SHA2 sum of the malicious binary?
zz10 - How many times did the PowerShell script change the time on the machine?
zz11 - What is the SID of the victim user?
00 - What we have
02 - Interesting
05 - Registry hives
10 - Creds
15 - Events log
20 - prefetch
25 - MFT
30 - TeamViewer Log
35 - Browser History
50 - Chainsaw Hunt
55 - Powershell Console History
60 - evtx
65 - Defender logs
70 - ShaSum
interesting
...
Attacker's WS : DESKTOP-R30EAMH
Victim's WS : DESKTOP-R30EAMH