Download Chainsaw: https://github.com/WithSecureLabs/chainsaw00:00 - Introduction, going over the scenario talking about dumping NTDS and why its incredibly bad when an attacker does this
03:00 - Running chainsaw with the hunt operator, not getting much information
06:55 - Looking at what types of events were captured and using ChatGPT to give us event names for each ID
15:20 - Question 1: Looking at Event ID 7036 to see when Volume Shadow Copy Service entered a running state
19:00 - Showing how you could cheese the question by grepping for the word shadow
20:40 - Question 2: Looking at Event ID 4799 to see what groups VSSVC.EXE Enumerated
25:10 - Question 3: Getting the PID of VSSVC.EXE from the above log (event 4799)
25:40 - Question 4: Getting the GUID of the Volume Shadow Copy
33:38 - Question 5: Dumping the MFT Dump with Chainsaw and searching for ntds.dit to see where it exists on disk
36:35 - Question 6: Getting the timestamp the NTDS.DIT file was dumped
37:00 - Question 7: Searching the folder the NTDS.DIT was dumped to in order to find the other file that was dumped
Support the originator by clicking the read the rest link below.
