SHERLOCK - OpSalwarKameez24-2: Magic-Show

Hi!

Someone is doing this Sherlock?

I’m a little stuck with questions 7, 12, 14 and 15.

I have the rest if someone needs help, but I’m super stuck :open_mouth:

Hi, @DeepBlueBT90
I am stuck with exactly the same questions, except 15.

You should have a look at the lsass.DMP file on the Desktop of the created user.

It’s not human readable, but there is a Python script on GitHub similar to mimikatz that makes the content readable. Then, the NT hash needs to be cracked with hashcat.

What do you have in mind with regards to the privilege escalation question? I didn’t see any other tool than PowerUp and mimikatz that can be used to escalate privileges.

I took all the flags; I need to resolve only 7 and 12, the rest was more or less easy.

Yes, I saw only PowerUp and mimikatz, but nothing more, only the app to do the downgrade of the Windows version to go to 22H2… but… nothing more.

Did you find the NT hash of the administrator inside the lsass.DMP or somewhere else? Could you give me an idea with question 14?

I used only the SYSTEM, SECURITY and SAM of the victim. I never used the lsass.dmp :open_mouth:

Can you give me a hint for 7 or 12? Because these are my last flags :open_mouth:

I am sorry but I couldn’t find the flags of question 7 and 12.

Are you trying this yet?

Actually I am trying to solve all the OpSalwarKameez questions simultaneously. Do you have any tips for the others such as Bling-Bling, Salsa-Dance?

Hey, some help in starting out? Which tools did you use to find the answers?
Interesting Sherlock, no event logs and nothing.

In fact… there are logs and the usual artifacts, more or less :open_mouth:

Thank you for pointing it out.
I have no idea why, but it didn’t log in Autopsy for me.
Just cracked my head.

Don’t use Autopsy in this Sherlock.

Did you find something?

Nope. I am working on the other OpSalwarKameez questions. Have you ever looked at them?

Nope.

I don’t know if I’m the only one with problems with this Sherlock, but there is no memory dump and I have problems with the way the questions are formulated; in fact I resolved question 5:

At what time did the threat actor first attempt to bypass a feature of Windows Defender? (UTC)

And the question is wrong, because the real question should be like this:

At what time did the threat actor attempt to run the first malicious executable? (UTC)

Because it is more accurate with the flag. The quality of this Sherlock is super poor.

Hi all!

I got all the flags but question 14, has anyone gotten it? I’m able to extract a hash from cached credentials in system and security hives of the victim, but the administrator hash I’m getting seems not to be the answer. Anyone any hints?

I have been stuck on this question for days.
I’ve found all the flags, but I still can’t figure out this question.

For question 14, you guys should dump the cached hash from the SECURITY hive. Then crack it with hashcat, john,… Once you have the plaintext password, you can recover the NT hash from it. Hope this helps.
I was stuck on questions 5 and 7. Can anyone give some hints?
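The last step in the post above (turning a recovered plaintext back into an NT hash) is just MD4 over the UTF-16LE encoding of the password, with no salt. The Python below is an added example, not code from this thread or from the Sherlock; it implements MD4 in pure Python (hashlib's md4 is often missing on OpenSSL 3 builds) and checks whether a candidate plaintext reproduces a hash you already hold, which is the usual way an investigator confirms that a cracked credential really matches the artifact. The sample hash and guesses at the bottom are constructed, not values from the challenge.

```python
import struct

MASK32 = 0xFFFFFFFF


def _rotl(x: int, n: int) -> int:
    """Rotate a 32-bit word left by n bits."""
    return ((x << n) | (x >> (32 - n))) & MASK32


def _md4_round(state, fn, words, order, shifts, const):
    """One of MD4's three rounds: 16 steps cycling through the four state words."""
    a, b, c, d = state
    for i, k in enumerate(order):
        val = (a + fn(b, c, d) + words[k] + const) & MASK32
        # After each step the roles shift: the word just updated becomes 'b'.
        a, b, c, d = d, _rotl(val, shifts[i % 4]), b, c
    return [a, b, c, d]


def md4(data: bytes) -> bytes:
    """Pure-Python MD4 (RFC 1320); returns the 16-byte digest."""
    msg = bytearray(data)
    bit_len = len(data) * 8
    msg.append(0x80)                      # mandatory 1-bit, then zero padding
    while len(msg) % 64 != 56:
        msg.append(0x00)
    msg += struct.pack("<Q", bit_len)     # little-endian 64-bit message length

    state = [0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476]

    def f(x, y, z):
        return (x & y) | (~x & z)

    def g(x, y, z):
        return (x & y) | (x & z) | (y & z)

    def h(x, y, z):
        return x ^ y ^ z

    for off in range(0, len(msg), 64):
        words = struct.unpack("<16I", msg[off:off + 64])
        saved = list(state)
        state = _md4_round(state, f, words, range(16), (3, 7, 11, 19), 0)
        state = _md4_round(state, g, words,
                           (0, 4, 8, 12, 1, 5, 9, 13, 2, 6, 10, 14, 3, 7, 11, 15),
                           (3, 5, 9, 13), 0x5A827999)
        state = _md4_round(state, h, words,
                           (0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15),
                           (3, 9, 11, 15), 0x6ED9EBA1)
        state = [(s + t) & MASK32 for s, t in zip(state, saved)]

    return struct.pack("<4I", *state)


def nt_hash(password: str) -> str:
    """NT hash = MD4 over the UTF-16LE encoding of the password (unsalted)."""
    return md4(password.encode("utf-16le")).hex()


def matches_nt_hash(candidate: str, expected_hex: str) -> bool:
    """True if the candidate plaintext reproduces the NT hash found in the evidence."""
    return nt_hash(candidate) == expected_hex.lower()


if __name__ == "__main__":
    # Constructed sample: the well-known NT hash of "password", not a value from the Sherlock.
    sample_hash = "8846f7eaee8fb117ad06bdd830b7586c"
    for guess in ("Password1", "password"):
        print(f"{guess!r} -> {nt_hash(guess)} match={matches_nt_hash(guess, sample_hash)}")
```

Because the NT hash is unsalted, the same plaintext always yields the same hash, which is why a plaintext recovered from the DCC2 cached credential in the SECURITY hive can be turned into the NT hash the question asks for without ever touching the SAM or lsass.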