APT29 Threat Hunting with Splunk: Demonstrate Your Skills - Question 10

Question

In relation towards the question :A PowerShell script was initially executed to extract encoded data from an image file. What is the full ParentCommandLine field value used to execute this?I am pretty lost and where I should be looking for, as searching for the zipped file activities did not bring up any notable powershell scriptsI also tried inputting:&nbsp;C:\WINDOWS\system32\WindowsPowerShell\v1.0\Modules\Microsoft.PowerShell.Archive\Microsoft.PowerShell.Archive.psm1 as well which did not work

kevinh · Accepted Answer

nevermind, I just had to parse for powershell commands with image file extensions, with the help of Gemini

Forum Discussion

APT29 Threat Hunting with Splunk: Demonstrate Your Skills - Question 10

1 Reply

Featured Places

Help

Related Content

APT29 Threat Hunting with Splunk: Ep.11 – Demonstrate Your Skills - Question to Q9

Threat Hunting Mining Behaviour - Question 1

APT29 Threat Hunting with Elasticsearch: Ep.11 – Demonstrate Your Skills

Threat Hunting: Cowrie Honeypot - Question on Panama

PowerShell Basics: Demonstrate Your Skills question 11/12

Recent Discussions

Microsoft Sentinel SOAR: Demonstrate Your Skills Question 11

APT29 Threat Hunting with Splunk: Demonstrate Your Skills - Question 10

Microsoft Sentinel SOAR: Demonstrate Your Skills

Threat Actors: Salt Typhoon – SNAPPYBEE Campaign Analysis - Question 7

Ethereum: The Blockchain, Transactions, and Explorers