Hello, I am stuck on the last 4 questions of this skill assessment. I can’t manage to hunt the IP address of the C2 (control and command) and the persistence registry key. Any hints on what artifact I should look into? Anything would help. Velociraptor is not very intuitive to use.
If I remember correctly, you should find the answer in the collection .rar/folder that is already on the Desktop of the machine. Since we are talking about C2 communication, I would recommend you inspect all Network and CobaltStrike Artifacts/Results. Since we are looking for a detected C2 Beacon, you should find the IP without a problem.
Try looking through process creation events using Sysmon and Security logs.
Hint for where to find the logs
You can find these at \uploads\auto\C%3A\Windows\System32\winevt\Logs after you unzip your Velociraptor collection of ‘Windows.KapeFiles.Targets’ configured for ‘SANS_Triage’.
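Putting the two hints above together, here is a PowerShell script that reads the exported .evtx files from the unzipped collection and pulls out the three things the question asks for: the beacon's destination IP (Sysmon Event ID 3), the process that launched it (Sysmon ID 1 / Security 4688) and writes to autostart registry keys (Sysmon ID 12/13). This is an added example, not code from any of the posters or from the course; the unzip location in $CollectionRoot is a hypothetical path you must adjust, while the relative log directory is the one given in the reply above. The LOLBin and registry-key patterns are generic starting points, not the answers.

```powershell
# Added example for this thread (not from any of the posters). Assumes the
# Velociraptor 'Windows.KapeFiles.Targets' / SANS_Triage collection has been
# unzipped to $CollectionRoot (hypothetical path); the relative log directory
# is the one given in the thread. The .evtx file names are the standard ones
# Windows uses on disk (the channel's "/" is stored as "%4").
$CollectionRoot = 'C:\Users\Analyst\Desktop\Collection'   # adjust to your unzip location
$LogDir   = Join-Path $CollectionRoot 'uploads\auto\C%3A\Windows\System32\winevt\Logs'
$Sysmon   = Join-Path $LogDir 'Microsoft-Windows-Sysmon%4Operational.evtx'
$Security = Join-Path $LogDir 'Security.evtx'

# Flatten an event's <EventData><Data Name="..."> fields into one object so
# Sysmon and Security fields can be filtered like normal properties.
function Get-EventData {
    param([System.Diagnostics.Eventing.Reader.EventRecord]$Event)
    $xml = [xml]$Event.ToXml()
    $props = [ordered]@{ TimeCreated = $Event.TimeCreated; Id = $Event.Id }
    foreach ($d in $xml.Event.EventData.Data) {
        if ($d.Name) { $props[$d.Name] = $d.'#text' }
    }
    [pscustomobject]$props
}

# --- 1. C2 address: Sysmon Event ID 3 (network connection) ---------------------
# A beacon is one process talking to the same destination over and over, so
# group by process + destination and look at the highest counts first. Do not
# drop RFC 1918 addresses: in a lab the C2 server is often on the internal range.
Write-Host "`n== Sysmon ID 3: most frequent (process, destination) pairs =="
Get-WinEvent -FilterHashtable @{ Path = $Sysmon; Id = 3 } |
    ForEach-Object { Get-EventData $_ } |
    Group-Object Image, DestinationIp, DestinationPort |
    Sort-Object Count -Descending |
    Select-Object -First 15 Count, Name |
    Format-Table -AutoSize

# --- 2. Process creation: Sysmon ID 1 and Security 4688 -------------------------
# Tie the beacon process to how it was launched. Security 4688 only carries a
# command line if "Include command line in process creation events" was enabled
# on the source host; Sysmon ID 1 always has it.
$Suspicious = 'powershell|rundll32|regsvr32|mshta|wscript|cscript|certutil|bitsadmin'
Write-Host "`n== Sysmon ID 1: process creation involving common LOLBins =="
Get-WinEvent -FilterHashtable @{ Path = $Sysmon; Id = 1 } |
    ForEach-Object { Get-EventData $_ } |
    Where-Object { $_.Image -match $Suspicious -or $_.CommandLine -match $Suspicious } |
    Select-Object TimeCreated, ParentImage, Image, CommandLine |
    Format-List

Write-Host "`n== Security 4688: same view from the Security log =="
Get-WinEvent -FilterHashtable @{ Path = $Security; Id = 4688 } |
    ForEach-Object { Get-EventData $_ } |
    Where-Object { $_.NewProcessName -match $Suspicious } |
    Select-Object TimeCreated, SubjectUserName, ParentProcessName, NewProcessName, CommandLine |
    Format-List

# --- 3. Persistence: Sysmon ID 12/13 (registry key created / value set) -------
# Restrict to the classic autostart locations. For ID 13, Details holds the
# value that was written (payload path or command), TargetObject the full key
# and value name, Image the process that wrote it.
$AutostartKeys = '\\CurrentVersion\\(Run|RunOnce|RunServices)\\|\\Winlogon\\(Shell|Userinit)$|\\Services\\[^\\]+\\ImagePath$|\\Image File Execution Options\\'
Write-Host "`n== Sysmon ID 12/13: writes to autostart registry locations =="
Get-WinEvent -FilterHashtable @{ Path = $Sysmon; Id = 12, 13 } |
    ForEach-Object { Get-EventData $_ } |
    Where-Object { $_.TargetObject -match $AutostartKeys } |
    Select-Object TimeCreated, Id, Image, TargetObject, Details |
    Format-List
```

Two caveats when running this. First, always pass the exported file via `Path` in the filter hashtable; using `-LogName` instead would silently query the analyst machine's own event log rather than the collection. Second, Sysmon only records what its configuration on the source host asked for, so if the ID 3 query returns nothing (Get-WinEvent prints "No events were found"), fall back to the Network and CobaltStrike artifacts mentioned in the first reply, and to Security Event ID 5156 if Windows Filtering Platform auditing happened to be enabled. Once you have the beacon's Image from step 1, add it to `$Suspicious` and re-run steps 2 and 3 to get its launch chain and the key it wrote.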