Forum Discussion

Palaract
Bronze I
6 days ago

APT29 Threat Hunting with Elasticsearch: Ep.11 – Demonstrate Your Skills

Hello! I could rather easily get the answers for the other questions, but Q6 has really taken me aback.
The question is:
A PowerShell script was executed to assist with further enumeration. What command in this script assists with the reverse shell call back?

On the attacker side, the reverse shell is just deployed with Metasploit shellcode; in Elasticsearch this is a block of base64 PowerShell in which binary shellcode will be executed. Directly after that, the "Invoke-SeaDuke" stage is called. There is no specific handler for the callback one could ask for, so what does "assist" even mean here?

Even a slight clue would help me out, maybe I'm too lost now.
Thank you for your patience!

  • As far as I remember, on these labs I searched for the PowerShell code within Elasticsearch and then looked at what it was passing alongside powershell.exe.
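The approach in the reply above (pull PowerShell process events out of Elasticsearch, then look at what is being passed to powershell.exe) can be scripted. The block below is an added example, not code from the lab or from either poster: it shows the query-DSL body one would send to a process-event index, and a decoder that extracts the base64 argument of `-EncodedCommand` and turns it back into readable script text (PowerShell encodes that argument as UTF-16LE, not UTF-8). The index name, ECS field names and the sample hits are assumptions constructed for the example; the embedded script text is a harmless placeholder.

```python
import base64
import re

# Hypothetical Elasticsearch query body for ECS-style process events.
# Index name and field names are assumptions; adjust to your own mapping.
ES_INDEX = "logs-endpoint-process"  # placeholder index name
ES_QUERY = {
    "size": 200,
    "query": {
        "bool": {
            "must": [{"match": {"process.name": "powershell.exe"}}],
            "should": [
                {"wildcard": {"process.command_line": "*-enc*"}},
                {"wildcard": {"process.command_line": "*hidden*"}},
            ],
        }
    },
}

# Common spellings of the -EncodedCommand switch; PowerShell also accepts
# other unambiguous prefixes, so extend the alternation if your data needs it.
ENC_RE = re.compile(
    r"(?:-|/)(?:e|ec|enc|encodedcommand)\s+([A-Za-z0-9+/=]+)", re.IGNORECASE
)


def build_encoded_powershell(script: str) -> str:
    """Produce the base64 text -EncodedCommand expects (UTF-16LE script bytes).
    Used here only to construct a sample event for the example."""
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")


def decode_encoded_command(command_line: str):
    """Return the decoded script text if the command line carries an
    -EncodedCommand argument, otherwise None."""
    match = ENC_RE.search(command_line)
    if not match:
        return None
    raw = base64.b64decode(match.group(1))
    try:
        return raw.decode("utf-16-le")
    except UnicodeDecodeError:
        # Not UTF-16LE as expected; surface the raw bytes for manual review.
        return raw.decode("latin-1")


def hunt_powershell(hits):
    """Walk Elasticsearch hits (the 'hits.hits' list of a search response),
    keep powershell.exe events and attach the decoded command, if any."""
    findings = []
    for hit in hits:
        proc = hit.get("_source", {}).get("process", {})
        if proc.get("name", "").lower() != "powershell.exe":
            continue
        cmd = proc.get("command_line", "")
        findings.append({"command_line": cmd, "decoded": decode_encoded_command(cmd)})
    return findings


# Constructed sample hits, shaped like the 'hits.hits' array of a search
# response. These are not real lab data.
SAMPLE_HITS = [
    {"_source": {"process": {
        "name": "powershell.exe",
        "command_line": "powershell.exe -NoP -NonI -W Hidden -EncodedCommand "
                        + build_encoded_powershell("Get-Process | Out-Null")}}},
    {"_source": {"process": {
        "name": "powershell.exe",
        "command_line": "powershell.exe -ExecutionPolicy Bypass -File C:\\Temp\\inventory.ps1"}}},
    {"_source": {"process": {
        "name": "cmd.exe",
        "command_line": "cmd.exe /c whoami"}}},
]

if __name__ == "__main__":
    # With a live cluster you would run ES_QUERY against ES_INDEX (for example
    # via the elasticsearch client's search()) and pass resp["hits"]["hits"] here.
    for finding in hunt_powershell(SAMPLE_HITS):
        print(finding["command_line"])
        print("  decoded:", finding["decoded"])
```

The decoder is what makes the "look at what it was passing alongside powershell.exe" step tractable: the interesting content of an encoded launch is invisible in the raw command line until the UTF-16LE base64 is unpacked, and once it is, later stages such as a further script download or a named function call are plain text you can read and pivot on.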

  •
    KieranRowley
    Community Manager

    Hi Palaract - welcome to the Human Connection 👋

    Demonstrate Labs are technically challenging labs that offer very limited information and guidance; they are supposed to be challenging and to consolidate your learning from all of the other labs in the collection (in this case, the other 10 labs in the APT29: Threat Hunting with Elasticsearch Collection).

    As a result, the level of detail of the hints and tips that the community are able to share here is limited.

    If you haven't already, I recommend that you complete all of the labs in the collection, and if it's been a while since you did, you might want to refresh your memory.

    With that said, I can see that RobN was the most recent community member to complete the lab, maybe they can give you a hint 😉