What hunt options should i pick in Velociraptor to get back the data needed? Seems like all the ones that i think make the most sense are not pulling back what’s needed.

Sometimes you have to change the parameters, but the first two questions I got from the files that are already on the machine on Desktop.

I am stuck on

  • 2 Determine the registry key used for persistence and enter it as your answer.
  • 2 Determine the folder that contains all Mimikatz-related files and enter the full path as your answer.
1 Like

I found using Velociraptor to be tedious and didn’t provide me the results I needed to answer the questions. Mind you I was probably just not versed on the tool enough.

I used similar to what bb0rges used. Tools already on the box to answer the questions. Think about other tools used in previous modules to view processes since, if memory serves, two of the questions involve a process.

I solved the task using three collections, not any other data from the target machine. I pulled the results to my local machine and analyzed them there.

The first collection I only used because it was heavily hinted at in the first task, but there are other ways to solve that one. The second one was very generic and often suggested/used throughout the module. I could solve all but one question using that. The third one was extremely specific because I didn’t find the answer in the second collection.

I also noticed that some discussed collections like the memory dump cannot be executed, at least not without pulling some additional executables from the web. The questions can be solved without them.

By the way, I also struggled a bit with the registry key question because I didn’t find the right formatting right away. The answer shall have the full key, but not the value. So the answer format is HKEY...\...\... etc.

1 Like

Can you please guide me on the 2nd question on hunting the IP address of C2 command and control?

Can you please guide me on the 2nd question on hunting the IP address of C2 command and control?

search for the network connection for the first answer.

Could you please give me a little bit hint… Since I found the key, but still incorrect. I use the full key name until ixxxxxxxxxe , still incorrect…

Nevermind. I found it… Just some kind of wording stuff in the question made me confused.

1 Like

Sysinternal tools available on the host are pretty helpful. I don’t like these modules, you have to guess or find workarounds instead of being able to simply re-create the steps.