Forum Discussion
5 Replies
- netcat
Silver II
Well, in this case you should narrow down the search, next step:
(EventCode=4103 OR EventCode=4104) powershell .ps1
Narrow down further, removing non relevant scripts:
(EventCode=4103 OR EventCode=4104) powershell .ps1 NOT sample.ps1
- beejar
Bronze I
How did you find the answer to the first question?
I solved all of them except the "The attacker uploads additional tools via a compressed archive. What is the full path of this folder? Look for IOCs in the event logs to find the correct answer." I am quite sure the file is an image extension with the name of an animal, but tried all the combinations with full path, path without file name... and nothing is working :( Any help?
- netcat
Silver II
At some point the archive will be decompressed.
Anyway, the original question was answered, so you'd better start a new thread.
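The narrowed search netcat suggests earlier in the thread, applied as a small Python filter over constructed PowerShell log events (an added example, not code from the thread); the event dicts, the update.ps1 path and the 4688 event are all made up for illustration:

```python
import re
from collections import Counter

# Constructed sample events (not from the thread). EventCode 4103 is PowerShell
# module logging and 4104 is script block logging; 4688 is a process-creation
# event included to show that the EventCode filter excludes it.
SAMPLE_EVENTS = [
    {"EventCode": 4104, "SourceName": "Microsoft-Windows-PowerShell",
     "Message": "Creating Scriptblock text (1 of 1):\n"
                "powershell.exe -ep bypass -File C:\\Users\\Public\\sample.ps1"},
    {"EventCode": 4103, "SourceName": "Microsoft-Windows-PowerShell",
     "Message": "CommandInvocation(Invoke-Expression): \"Invoke-Expression\"\n"
                "Host Application = powershell.exe -nop -w hidden "
                "-File C:\\Windows\\Temp\\update.ps1"},
    {"EventCode": 4104, "SourceName": "Microsoft-Windows-PowerShell",
     "Message": "Creating Scriptblock text (1 of 1):\n. C:\\Windows\\Temp\\update.ps1\n"
                "Path: C:\\Windows\\Temp\\update.ps1"},
    {"EventCode": 4688, "SourceName": "Microsoft-Windows-Security-Auditing",
     "Message": "A new process has been created. Process Command Line: "
                "powershell.exe -File C:\\Windows\\Temp\\update.ps1"},
    {"EventCode": 4104, "SourceName": "Microsoft-Windows-PowerShell",
     "Message": "Creating Scriptblock text (1 of 1):\nGet-Content C:\\Temp\\notes.txt"},
]

# Windows drive-letter path ending in .ps1 (hypothetical pattern for this example).
PS1_PATH = re.compile(r"[a-z]:\\[^\s\"'<>|]*?\.ps1", re.IGNORECASE)

def matches_search(event, excluded=("sample.ps1",)):
    """Approximate the thread's search: (EventCode=4103 OR EventCode=4104)
    powershell .ps1 NOT <excluded>. Free-text terms are matched
    case-insensitively against every field of the event, as Splunk does."""
    if event.get("EventCode") not in (4103, 4104):
        return False
    text = " ".join(str(v) for v in event.values()).lower()
    if "powershell" not in text or ".ps1" not in text:
        return False
    return not any(term.lower() in text for term in excluded)

def script_paths(event):
    """Distinct .ps1 paths referenced in one event, lowercased so that
    differently cased references to the same file are counted together."""
    return {m.lower() for m in PS1_PATH.findall(event.get("Message", ""))}

def script_hits(events, excluded=("sample.ps1",)):
    """Count how many matching events reference each script path."""
    counts = Counter()
    for ev in events:
        if matches_search(ev, excluded):
            counts.update(script_paths(ev))
    return counts

if __name__ == "__main__":
    for path, n in script_hits(SAMPLE_EVENTS).most_common():
        print(f"{n:3d}  {path}")
```

Growing the `excluded` tuple with scripts already confirmed as benign is the same "removing non relevant scripts" step the thread describes, and the remaining paths are the ones worth pulling the full 4104 script block text for.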