APT29 Threat Hunting with Splunk: Ep.4 – Clean-up & Reconnaissance
I need help with Q6. Any hint please The attacker launches a PowerScript useful for reconnaissance activities. What is the full file path of the executed script? I searched (EventCode=4103 OR EventCode=4104) combined with powershell.
Active Directory Basics: Demonstrate Your Skills
Hey team, i am working on the lab in the title and quite sure there's an issue with the answer for one of the questions. 12. What is the full name of the user on COMP-SIREN that begins with L? I am pretty sure it is Larry Young as you can see from the screenshot. Could i check whether there is an error with the question? Or am i missing something
Radare2 Reverse Engineering: Ep.1 – Windows Binary Part 1
I have managed to find the answers to all of the questions within this lab except for question 6. I can not seem to figure out the appropriate step(s) or action(s) to take find the correct answer for this question. Any insight or guidance on what I'm missing / doing incorrectly and how to correct it would be greatly appreciated. I have provided a few screenshots for reference. Thanks in advance.Active Directory Basics: Demonstrate Your Skills
Hey team, i am working on the lab in the title and quite sure there's an issue with the answer for one of the questions. 12. What is the full name of the user on COMP-SIREN that begins with L? I am pretty sure it is Larry Young as you can see from the screenshot. Could i check whether there is an error with the question? Or am i missing somethingFIN7 Threat Hunting with Splunk: Ep.3 – Execution Logs
For this lab I need to rebuild the PowerShell script using the three parts found in the PowerShell operational logs. Which I am able to do fairly easily but when I am required to obtain the MD5 hash of the file I am not getting the correct hash. I've removed any trailing white spaces and return characters. Not matter the setup, I just can't seem to find the special sauce on this one. I've tried numerous approaches and still get a no go. Any tips?
Introduction to Elastic: Ep.9 - ES|QL
I’m stuck on question 18 i need this to complete the lab. The question says ‘Perform a final query using all of the techniques used in the previous questions. What is the average speed per hour for ALL trips that start in the borough of “Brooklyn” and end in the borough of “Manhattan”? Provide your answer to at least three decimal places. any ideas?Powershell Deobsfuscation Ep.7
I was working on this and got stuck with Ep.7. Appreciate if anyone can assist with this Powershell de-obfuscation. Step 1: I removed the splits accordingly and converted from hexadecimal Step 2: Next, there was another set of splits to perform and ascii conversion. Ended up with the small snip of string at the bottom with a lot of (spaces and tabs) at the beginning. Basically empty spaces before coming to this short scripts. I am not sure on how to move from here. Anyone can assist with this pls?
PowerShell Deobfuscation: Ep 8 help
I have been stuck on this EP for a week and haven't been able to progress. I am hoping someone can give me a hint to help me get through this one. Here is what I have done so far. I take the original encoded message and apply "FromBase64" and then "Raw Inflate" and I get the following data: You can see it outputs another command that also needs to decoded using the same steps above. That output gives you this... It outputs a string of characters but no obvious way to get this readable. I have tried bit-shifting, rotating characters, and a bunch of other tests and nothing has shown me anything that is remotely readable. I assume I am missing something simple but every time I read it back through, I don't see what I missed. Any help you can provide would be greatly appreciated.
