FIN7 Threat Hunting with Splunk: Ep.3 – Execution Logs
For this lab I need to rebuild the PowerShell script using the three parts found in the PowerShell operational logs. Which I am able to do fairly easily but when I am required to obtain the MD5 hash of the file I am not getting the correct hash. I've removed any trailing white spaces and return characters. Not matter the setup, I just can't seem to find the special sauce on this one. I've tried numerous approaches and still get a no go. Any tips?
PowerShell Deobfuscation: Ep.9
Hello guys I am now on ep 9 on this fantastic collection but been banging my head for couple of days now for this appreciate any help. Able to decode the first layer using frombase64 and raw inflate Then I copied the resulting script and remove some parts to be able to execute it on powershell console I read somewhere that it is a enrypted base64 string given there is a -key on the second layer I found this article which seems related then followed how to decrypt I tried following it with same variable but I am stuck. Not sure how to do this via Cyberchef as well. Appreciate any help in right direction.
Help needed for Threat Hunting: Mining Behaviour
Hey everyone! I need some help with this last question of a lab. I already identified the JSON authentication token and the packet that holds it. But within that packet, I just can't find the authentication key that identifies the miner. Anyone was able to solve and help? Thanks!
APT29 Threat Hunting with Elasticsearch: Ep.11 – Demonstrate Your Skills
Hello! I could rather easily get the answers for the other questions, but Q6 has really taken me aback. The question is: A PowerShell script was executed to assist with further enumeration. What command in this script assists with the reverse shell call back? On attacker side, the reverse shell is just deployed with Metasploit shellcode, in Elasticsearch this is a block of base64 powershell in which binary shellcode will be executed. Directly after, the "Invoke-SeaDuke" stage is called, there is no specific handler for the callback one could ask for, what does "assist" even mean here? Even a slight clue would help me out, maybe I'm too lost now. Thank you for your patience!
