Sherlock LATUS Help

Regarding Questions 8 and 9 specifically, be advised that different information sources may round the seconds differently.

So if you are somewhat confident that something might be the right answer, try the values ± 1 second as well.

Did you resolve this machine? Because I can assume that when you open a new RDP session, you close another one a few seconds before the previous one, but these are assumptions.

But I think that it doesn't work this way.

Guesswork along the lines of "there were probably a few seconds between sessions" is not required. There will always be some artifact which gives you the answer without math, if not accounting for the ± 1 second margin of error.

The problem is that we can see the moment the sessions start in the JLs, but not the end… we have the feeling that we are forgetting some artifact… I even used the bmc tools to search for other flags, but… I cannot see the exact hour of the end of the RDP sessions. Can someone give us a hint?

I solved Q5. It is a bit of an unconventional approach for forensics, think like an attacker would.

Still stuck on Q1 and 6-9. Any nudge on 1?

See the artifacts of the user

Hello everyone. I have only 1 Q left and this is Q5. I have been stuck on it for days.
What I tried:

  • Cracking NTLM from the hives and using it as a password;
  • Deciphering DPAPI encrypted credential files;
  • Using creds from powershell commands;
  • Checking clipboard payloads, clipboard history files;
  • Going through every text format file.

What am I missing, could anyone help me, please?

For question 1, try to check the SAM in case you missed something there.


How did you manage to answer Q6-9? And for Q5, did you check the PowerShell history?

For question 5, maybe it is better if you try to replicate the attack. If you see that mimikatz was used on the victim's desktop… this is the way.

For 6-9 - prefetch, .rdp, rdpbitmap will help.
For q5 I did check the powershell commands but creds from there don’t work. Gotta try mimikatz dpapi once again I guess, just like DeepBlueBT90 says.

Thanks, will try mimikatz again more carefully.

How come, bro? I mean the last RDP session and also the duration, I can't find them there. The bitmap only helps me to know the name of the tool, that's all.

Default.rdp only contains the IP and the modification timestamp, but the timestamp doesn't work. For the bitmap it is impossible to rebuild the images, you can't. And for the pre RDP session from the mstsc.exe file, but wrong answer.
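Since several posts above mention Default.rdp and .rdp artifacts, here is an added example (not from the thread, not Hack The Box material) of what that file actually holds and how to pull it apart. It assumes only the documented .rdp layout: one `name:type:value` setting per line, written by mstsc.exe as UTF-16 LE with a BOM. Every value in `SAMPLE_RDP` is constructed; the helper names (`parse_rdp`, `triage`, `within_tolerance`) are mine. The last two functions tie in to the earlier point about sources disagreeing by a second: the file's own modification time is read at full resolution and compared with a tolerance.

```python
"""Parse a Windows .rdp connection file such as the Default.rdp that
mstsc.exe keeps in the user's Documents folder, and pull out the fields
an analyst looks at first.  Added example for this thread; not Hack The
Box material.  The format (one "name:type:value" line per setting,
UTF-16 LE with a BOM when written by mstsc.exe) is documented behaviour;
every value in SAMPLE_RDP below is constructed."""
import codecs
import os
from datetime import datetime, timezone

# Constructed Default.rdp content.  Type codes: "s" = string, "i" = integer,
# "b" = binary blob (hex).  String values may themselves contain ":" (e.g.
# "host:port"), so the parser must split on at most two colons.
SAMPLE_RDP = codecs.BOM_UTF16_LE + (
    "screen mode id:i:2\r\n"
    "full address:s:192.0.2.10:3390\r\n"   # TEST-NET-2 address, constructed
    "username:s:svc_backup\r\n"
    "prompt for credentials:i:0\r\n"
    "authentication level:i:2\r\n"
    "drivestoredirect:s:*\r\n"
    "alternate shell:s:\r\n"
    "gatewayhostname:s:\r\n"
).encode("utf-16-le")

# Settings worth reporting during triage of a suspected lateral-movement host.
INTERESTING = ("full address", "username", "gatewayhostname",
               "alternate shell", "drivestoredirect", "redirectclipboard")


def decode_rdp(raw: bytes) -> str:
    """Decode .rdp bytes: mstsc.exe writes UTF-16 LE with a BOM, hand-made
    files are often plain ASCII/UTF-8."""
    if raw.startswith(codecs.BOM_UTF16_LE):
        return raw[len(codecs.BOM_UTF16_LE):].decode("utf-16-le")
    if raw.startswith(codecs.BOM_UTF16_BE):
        return raw[len(codecs.BOM_UTF16_BE):].decode("utf-16-be")
    return raw.decode("utf-8", errors="replace")


def parse_rdp(raw: bytes) -> dict:
    """Return {setting name: value}; "i" values become int, others stay str."""
    settings = {}
    for line in decode_rdp(raw).splitlines():
        line = line.strip()
        if not line:
            continue
        parts = line.split(":", 2)        # name, type, value (value may have ":")
        if len(parts) != 3:
            continue                        # not a setting line; skip it
        name, kind, value = parts
        if kind == "i":
            try:
                value = int(value)
            except ValueError:
                pass                        # leave malformed integers as text
        settings[name.strip()] = value
    return settings


def split_address(full_address: str) -> tuple:
    """Split "host[:port]" from the "full address" setting (RDP default 3389).
    A bare IPv6 literal (several colons, no brackets) is returned unchanged."""
    host, sep, port = full_address.rpartition(":")
    if sep and port.isdigit() and host.count(":") == 0:
        return host, int(port)
    return full_address, 3389


def triage(raw: bytes) -> dict:
    """Pick out the INTERESTING settings and normalise the target address."""
    settings = parse_rdp(raw)
    out = {k: settings[k] for k in INTERESTING if k in settings}
    if "full address" in out:
        out["host"], out["port"] = split_address(out["full address"])
    return out


def file_mtime_utc(path: str) -> datetime:
    """Last-modified time of the .rdp file itself, in UTC.  NTFS keeps 100 ns
    resolution; tools that display whole seconds may round or truncate, which
    is one reason two sources can disagree by a second."""
    return datetime.fromtimestamp(os.stat(path).st_mtime, tz=timezone.utc)


def within_tolerance(a: datetime, b: datetime, seconds: int = 1) -> bool:
    """True when two timestamps agree once rounding slack is allowed for."""
    return abs((a - b).total_seconds()) <= seconds


if __name__ == "__main__":
    for key, value in triage(SAMPLE_RDP).items():
        print(f"{key:>18}: {value!r}")
```

Point it at a real Default.rdp by reading the file in binary mode and passing the bytes to `triage`; `drivestoredirect` and `alternate shell` are the two settings that most often reveal a tool being staged over the RDP channel rather than a plain interactive login.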

It worked. Thank you for pointing me in the right direction.

I'm stuck only at Q8. Can someone give me a hint? Thanks!

It sounds like you’re working on the Sherlock Latus challenge in a CTF or similar environment. Here are some hints for the questions you’re stuck on:

Question 5

  • Hint: Check for any unusual user activity or account creations during the RDP sessions. This might be in the form of new accounts that were created or altered settings.

Question 7

  • Hint: Look for any remote desktop connections that were made outside of normal hours. This could indicate unauthorized access. Review the security logs for timestamps.

Question 8

  • Hint: Analyze the network traffic if you have access to packet captures. Look for any anomalies that might suggest data exfiltration or unusual commands executed during the RDP sessions.

Question 9

  • Hint: You might need Desicinema to check system events or application logs for errors or unusual shutdowns/reboots that could provide clues about what happened during the session.

Question 10

  • Hint: If logs were deleted, consider looking into Windows Event Forwarding or third-party log retention solutions if they exist in your environment. They might have captured some of the missing data.

Question 11

  • Hint: Think about any forensic tools that can help you recover deleted logs. Tools like FTK Imager or Autopsy could be useful if you have disk images available.

If you have specific details about what you’ve tried or what you’re seeing in the logs, feel free to share, and I can provide more targeted help!

I used prefetch but it just isn't the right time, can you help me please?

I am having a problem with analyzing the file. Which program can map out the ad1? I have tried FTK Imager and Autopsy with no luck.
I understand that I need to convert it, am I right?
Thanks in advance.

Can anyone give me a small hint regarding question 8 (regarding the duration of the penultimate RDP session)? I completed all other questions, but somehow I’m stuck at number 8. I would suspect that I find the answer in the user’s artifacts, but I seem to be missing something important.