INTRODUCTION TO DIGITAL FORENSICS - Skills Assessment

I’m stuck in one of the skill assessment questions, working with Velociraptor is getting annoying.
Any hint or minimum help is welcome!! :grinning:

This is the question:

Determine the folder that contains all Mimikatz-related files and enter the full path as your answer.

If I had the other Rapid Triage tools this would be easy, but using only Velociraptor Artifact Collections is kind of hard…

Hello, I am stuck on the last 4 questions of this skill assessment. I can’t manage to hunt the IP address of the C2 (control and command) and the persistence registry key. Any hints on what artifact I should look into? Anything would help. Velociraptor is not very intuitive to use.


Hello Hashira,

If I remember correctly, you should find the answer in the collection .rar/folder that is already on the Desktop of the machine. Since we are talking about a C2 communication, I would recommend you inspect all Network and CobaltStrike Artifacts/Results. Since we are looking for a C2 Beacon that was detected, you should find the IP without a problem.


I thought they might have changed the name since I couldn’t find it so I searched in rename.

path: C:\Users\j0seph\AppData\Local\mimik

Try looking through process creation events using Sysmon and Security logs.

Hint for where to find the logs

You can find these at \uploads\auto\C%3A\Windows\System32\winevt\Logs after you unzip your Velociraptor collection of ‘Windows.KapeFiles.Targets’ configured for ‘SANS_Triage’.

Further hint

They didn’t rename mimikatz.exe.
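An added example of the check the hint above describes (not code from the thread or from Velociraptor): once the Sysmon and Security .evtx files from that Logs folder have been exported to XML (for instance with Get-WinEvent's ToXml() or evtx_dump, which is an assumption about your workflow), this script pulls the image path out of every process creation event (Sysmon Event ID 1, Security 4688) and reports the parent folder of any image still named mimikatz. The sample events and the path under C:\Users\example are constructed for the demo, not taken from the lab.

```python
import xml.etree.ElementTree as ET
from pathlib import PureWindowsPath

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}

# Constructed sample: two process creation events for mimikatz (one Sysmon, one
# Security), one benign 4688 for notepad, and a Sysmon network event to be skipped.
SAMPLE_EVENTS = r"""<Events>
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System><Provider Name="Microsoft-Windows-Sysmon"/><EventID>1</EventID></System>
  <EventData><Data Name="Image">C:\Users\example\AppData\Local\tools\mimikatz.exe</Data></EventData>
</Event>
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System><Provider Name="Microsoft-Windows-Security-Auditing"/><EventID>4688</EventID></System>
  <EventData><Data Name="NewProcessName">C:\Windows\System32\notepad.exe</Data></EventData>
</Event>
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System><Provider Name="Microsoft-Windows-Security-Auditing"/><EventID>4688</EventID></System>
  <EventData><Data Name="NewProcessName">C:\Users\example\AppData\Local\tools\MIMIKATZ.EXE</Data></EventData>
</Event>
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System><Provider Name="Microsoft-Windows-Sysmon"/><EventID>3</EventID></System>
  <EventData><Data Name="Image">C:\Users\example\AppData\Local\tools\mimikatz.exe</Data></EventData>
</Event>
</Events>"""


def process_creation_images(xml_text):
    """Yield (provider, event_id, image_path) for Sysmon ID 1 and Security 4688 only."""
    root = ET.fromstring(xml_text)
    for ev in root.findall("e:Event", NS):
        provider = ev.find("e:System/e:Provider", NS).get("Name")
        event_id = int(ev.find("e:System/e:EventID", NS).text)
        data = {d.get("Name"): d.text for d in ev.findall("e:EventData/e:Data", NS)}
        if provider == "Microsoft-Windows-Sysmon" and event_id == 1:
            yield provider, event_id, data.get("Image")        # Sysmon: 'Image'
        elif provider == "Microsoft-Windows-Security-Auditing" and event_id == 4688:
            yield provider, event_id, data.get("NewProcessName")  # Security: 'NewProcessName'


def mimikatz_folders(xml_text, needle="mimikatz"):
    """Parent folders of every process image whose file name contains `needle` (case-insensitive)."""
    folders = set()
    for _, _, image in process_creation_images(xml_text):
        if image and needle in PureWindowsPath(image).name.lower():
            folders.add(str(PureWindowsPath(image).parent))
    return folders


if __name__ == "__main__":
    for folder in sorted(mimikatz_folders(SAMPLE_EVENTS)):
        print(folder)
```

Point the same functions at the real exported XML and the folder that comes back is the one the question asks for; if nothing matches, widen `needle` or check the CommandLine field, since only the image name is inspected here.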