<?xml version="1.0" encoding="utf-8"?>
<rss version="2.0" xmlns:atom="http://www.w3.org/2005/Atom">
    <channel>
        <title>Analyzing Event Logs and MFT Dump with Chainsaw - HTB Sherlocks - CrownJewel-1</title>
        <link>https://stream.echo6.co/videos/watch/99e8c740-02f4-45e6-849b-e74ee3be6ece</link>
        <description>Download Chainsaw: https://github.com/WithSecureLabs/chainsaw
00:00 - Introduction: going over the scenario, talking about dumping NTDS.dit (the Active Directory database) and why it is incredibly bad when an attacker does this
03:00 - Running Chainsaw with the hunt operator, not getting much information
06:55 - Looking at what types of events were captured and using ChatGPT to give us event names for each ID (verify any LLM-supplied event ID descriptions against the Microsoft documentation before relying on them)
15:20 - Question 1: Looking at Event ID 7036 (Service Control Manager: a service entered the running/stopped state) to see when the Volume Shadow Copy Service entered a running state
19:00 - Showing how you could cheese the question by grepping for the word "shadow"
20:40 - Question 2: Looking at Event ID 4799 (a security-enabled local group membership was enumerated) to see what groups VSSVC.EXE enumerated
25:10 - Question 3: Getting the PID of VSSVC.EXE from the above log (Event ID 4799)
25:40 - Question 4: Getting the GUID of the Volume Shadow Copy
33:38 - Question 5: Parsing the MFT dump with Chainsaw and searching for ntds.dit to see where it exists on disk
36:35 - Question 6: Getting the timestamp at which the NTDS.DIT file was dumped
37:00 - Question 7: Searching the folder the NTDS.DIT was dumped to in order to find the other file that was dumped</description>
        <lastBuildDate>Wed, 15 Apr 2026 13:46:31 GMT</lastBuildDate>
        <docs>https://validator.w3.org/feed/docs/rss2.html</docs>
        <generator>PeerTube - https://stream.echo6.co</generator>
        <image>
            <title>Analyzing Event Logs and MFT Dump with Chainsaw - HTB Sherlocks - CrownJewel-1</title>
            <url>https://stream.echo6.co/client/assets/images/icons/icon-512x512.png</url>
            <link>https://stream.echo6.co/videos/watch/99e8c740-02f4-45e6-849b-e74ee3be6ece</link>
        </image>
        <copyright>All rights reserved, unless otherwise specified in the terms at https://stream.echo6.co/about and in any licenses granted by each content's rightsholder.</copyright>
        <atom:link href="https://stream.echo6.co/feeds/video-comments.xml?videoId=99e8c740-02f4-45e6-849b-e74ee3be6ece" rel="self" type="application/rss+xml"/>
    </channel>
</rss>