<?xml version="1.0" encoding="utf-8"?>
<rss version="2.0" xmlns:atom="http://www.w3.org/2005/Atom">
    <channel>
        <title>Log Analysis and Chainsaw Rule Creation - HTB Sherlocks - CrownJewel2</title>
        <link>https://stream.echo6.co/videos/watch/2816c9b3-1495-45e6-9a9d-167219da15a7</link>
        <description>00:00 - Introduction 01:15 - Going over the scenario 02:10 - Running a Chainsaw hunt to get an idea of what's in the log files; seeing a Volume Shadow Copy mount 04:20 - Running Hayabusa, another tool that can analyze EVTX files; out of the box it does a better job of surfacing suspicious events 07:40 - Question 1: Looking at service start times to find the latest time a Volume Shadow Copy started 13:10 - Question 2: Looking at the full path of the NTDS dump file (when I say "hunt" found it, I am referring to Hayabusa's timeline) 19:00 - Looking at how Chainsaw rules work so we can create a hunt rule for detecting ntdsutil dumping NTDS.DIT 22:00 - Creating the Chainsaw rule 25:10 - Running the Chainsaw hunt to detect ntdsutil dumping NTDS.DIT 27:00 - Questions 3 and 4: Finding when the dump started and finished 35:10 - Question 5: Getting the event source 35:42 - Question 6: Getting the groups ntdsutil enumerated before running the dump 37:30 - Question 7: Getting the account logon event for the account that started the ntdsutil dump</description>
        <lastBuildDate>Mon, 13 Apr 2026 22:55:39 GMT</lastBuildDate>
        <docs>https://validator.w3.org/feed/docs/rss2.html</docs>
        <generator>PeerTube - https://stream.echo6.co</generator>
        <image>
            <title>Log Analysis and Chainsaw Rule Creation - HTB Sherlocks - CrownJewel2</title>
            <url>https://stream.echo6.co/client/assets/images/icons/icon-512x512.png</url>
            <link>https://stream.echo6.co/videos/watch/2816c9b3-1495-45e6-9a9d-167219da15a7</link>
        </image>
        <copyright>All rights reserved, unless otherwise specified in the terms specified at https://stream.echo6.co/about and potential licenses granted by each content's rightholder.</copyright>
        <atom:link href="https://stream.echo6.co/feeds/video-comments.xml?videoId=2816c9b3-1495-45e6-9a9d-167219da15a7" rel="self" type="application/rss+xml"/>
    </channel>
</rss>