Recent Discussions
APT29 Threat Hunting with Splunk: Demonstrate Your Skills - Question 10

In relation to the question: A PowerShell script was initially executed to extract encoded data from an image file. What is the full ParentCommandLine field value used to execute this? I am pretty lost as to where I should be looking, as searching for the zipped file activities did not bring up any notable PowerShell scripts. I also tried inputting C:\WINDOWS\system32\WindowsPowerShell\v1.0\Modules\Microsoft.PowerShell.Archive\Microsoft.PowerShell.Archive.psm1 as well, which did not work.

Threat Actors: Salt Typhoon – SNAPPYBEE Campaign Analysis - Question 7

In relation to: What is the device that tcpdump is dumping packets from? For some reason win-host-1.asgard.corp and win-host-1 do not work, and neither does NPF_{B1ADE8FD-CC9A-4857-9C50-28078779F038}. I am wondering about what I am doing wrong in terms of approaching this question, and how I should be redirecting my attention instead. 10.10.10.30 does not work as well.

Threat Actors: Mint Sandstorm – Campaign Analysis - Question 9

In relation to: What named local variable holds the IP address from the for loop? I have been checking out the local variables, but as per the for loop none of the variables I typed in were correct. I am basically lost if none of the local variables observed in the for loop was the answer. I am wondering about what direction I should take in terms of digging deeper into how the IP is stored, where even the variables ServIp and wsaData were showcased to be incorrect. (I leveraged Gemini for aid in parsing and understanding the compiled code, for ease of understanding and in case there was anything I missed from the code that may hint at a more indirect variable as well.)

Threat Actors: APT43 - Question 7

In relation to: What Resource Development technique was used to facilitate the hosting of beacons, implants, and file exfiltrators? For some reason Obtain Capabilities is wrong, and I tried multiple other names that are part of Resource Development. I am wondering if I should be pivoting into a different area. I also tried Acquire Infrastructure and Compromise Infrastructure as well.

APT34: PoisonFrog - Question 6

For: What is the name of the file that executes the HTTP and DNS handling scripts? I am confused about where I should be digging deeper, as the PowerShell script was showcased to be wrong in terms of entering the name, as were other parts of the file. I also tried parsing for the file name through the decoded script, but I can't seem to find any meaningful leads. Basically I am wondering what the expectation is for the question and where/how I should approach it from a different angle.

APT34: Glimpse - Question 4

For: What is the name of the Visual Basic script that is used to run the malicious PowerShell script? I am wondering where I should dig deeper into Volatility to extract the command history from the raw file, as I keep running into errors. I am wondering where I should be digging deeper to find out what I am doing wrong.

Hafnium: ProxyLogon (Offensive) - Question 3

For the FQDN, I am wondering where I am going wrong, as I am basically using the command expected of this lab. However, there wasn't any shell code provided nor any expectations of what the shell PowerShell script should contain. I am wondering if you could provide directions on where I should be digging deeper to be able to obtain the FQDN.

Hafnium: Detection of IoCs - Question 5

For: Which web shell in the auth folder matches those detected in the Microsoft report? What does the question mean by Microsoft Report? Is it talking about the PowerShell ISE output? Even then, based on the output I can't seem to find the files that were referenced in the auth folder. Summary: I am wondering what the question means by Microsoft Report and where I can find it, or if I am simply looking in the wrong direction.

Apache Header Tampering

Can someone point me to the right track? On this one, I found the hidden directory and used an X-Forwarded-For: header to see into that directory, where scanning for files showed a lot of 404s, with just a few 403 response codes. I've tried everything I can think of with variations on X-Original-URL:, X-Rewrite-URL:, and X-Forwarded-Uri:, but none of them let me see into any of the files/directories. I've even tried a few variations instead of X-Forwarded-For:, such as X-Client-IP: and a few others. I feel like I must be missing something. I didn't find any actual .php files in the hidden directory, but the question seems to indicate that there are some in there. I found what I think are other directories within that first hidden directory.