Hello
I am stuck in this exercise:
Investigate the USN Journal located at "C:\Users\johndoe\Desktop\kapefiles\ntfs%5C%5C.%5CC%3A$Extend$UsnJrnl%3A$J" to determine how "advanced_ip_scanner.exe" was introduced to the compromised system. Enter the name of the associated process as your answer. Answer format: _.exe
I parsed the journal to a CSV file. I can see advanced_ip_scanner.exe.
I also ran this in PowerShell:
- Run these commands in PowerShell:

```powershell
# Parse the $J stream into CSV with the USN-Journal-Parser script
python C:\Users\johndoe\Desktop\files\USN-Journal-Parser-master\usnparser\usn.py -f 'C:\Users\johndoe\Desktop\kapefiles\ntfs%5C%5C.%5CC%3A$Extend$UsnJrnl%3A$J' -o C:\Users\johndoe\Desktop\usn_output.csv -c

# Time window of interest
$time1 = [DateTime]::ParseExact('2023-08-10 09:00:00.000000', 'yyyy-MM-dd HH:mm:ss.ffffff', $null)
$time2 = [DateTime]::ParseExact('2023-08-10 10:00:00.000000', 'yyyy-MM-dd HH:mm:ss.ffffff', $null)

# Keep records for interesting extensions (dots escaped so '.' is literal) inside the window
Import-Csv -Path C:\Users\johndoe\Desktop\usn_output.csv |
    Where-Object { $_.'FileName' -match '\.exe$|\.txt$|\.msi$|\.bat$|\.ps1$|\.iso$|\.lnk$' } |
    Where-Object { ($_.timestamp -as [DateTime]) -ge $time1 -and ($_.timestamp -as [DateTime]) -lt $time2 }
```
I can't figure it out.
Any hint?
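An added example, not part of the original post: a small Python reader for the usn.py CSV that applies the same extension-and-time filter as the PowerShell pipeline above, and then pulls every record within a few seconds of the first record naming a target file, so the rename/create/extend activity around it can be read together. It assumes the CSV header is `timestamp,filename,fileattr,reason` (the layout usn.py writes with `-c`; check against your own output), and the sample rows are constructed.

```python
import csv
import io
from datetime import datetime, timedelta

TS_FMT = "%Y-%m-%d %H:%M:%S.%f"

# Constructed sample rows in the assumed usn.py -c layout (not real journal data).
SAMPLE_CSV = """timestamp,filename,fileattr,reason
2023-08-10 09:10:00.000000,notes.txt,ARCHIVE,DATA_EXTEND CLOSE
2023-08-10 09:31:00.100000,download.partial,ARCHIVE,FILE_CREATE
2023-08-10 09:31:02.250000,download.partial,ARCHIVE,DATA_EXTEND
2023-08-10 09:31:02.900000,advanced_ip_scanner.exe,ARCHIVE,RENAME_NEW_NAME CLOSE
2023-08-10 09:31:05.000000,advanced_ip_scanner.exe,ARCHIVE,FILE_CREATE DATA_EXTEND CLOSE
2023-08-10 09:45:00.000000,report.docx,ARCHIVE,DATA_OVERWRITE CLOSE
"""


def parse_usn_csv(text):
    """Parse the CSV text into dict rows and attach a parsed datetime as 'ts'."""
    rows = list(csv.DictReader(io.StringIO(text)))
    for r in rows:
        r["ts"] = datetime.strptime(r["timestamp"], TS_FMT)
    return rows


def filter_rows(rows, exts, t1, t2):
    """Rows whose filename ends with one of `exts` (case-insensitive) and whose
    timestamp lies in [t1, t2): the same filter as the PowerShell pipeline."""
    exts = tuple(e.lower() for e in exts)
    return [r for r in rows if r["filename"].lower().endswith(exts) and t1 <= r["ts"] < t2]


def context_for(rows, target, window=timedelta(seconds=5)):
    """Records within +/-window of the earliest record naming `target`, in time
    order, so neighbouring activity (temp files, renames) is visible together."""
    hits = [r for r in rows if r["filename"].lower() == target.lower()]
    if not hits:
        return []
    anchor = min(h["ts"] for h in hits)
    lo, hi = anchor - window, anchor + window
    return sorted((r for r in rows if lo <= r["ts"] <= hi), key=lambda r: r["ts"])


if __name__ == "__main__":
    rows = parse_usn_csv(SAMPLE_CSV)
    for r in context_for(rows, "advanced_ip_scanner.exe"):
        print(r["timestamp"], r["filename"], r["reason"])
```

Point it at the real file with `parse_usn_csv(open(path).read())`; the records a few seconds before the target's FILE_CREATE are where the writing process usually leaves its traces.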