APT29 Threat Hunting with Splunk: Ep.4 – Clean-up & Reconnaissance
I need help with Q6. Any hint please The attacker launches a PowerScript useful for reconnaissance activities. What is the full file path of the executed script? I searched (EventCode=4103 OR EventCode=4104) combined with powershell.36Views2likes3CommentsActive Directory Basics: Demonstrate Your Skills
Hey team, i am working on the lab in the title and quite sure there's an issue with the answer for one of the questions. 12. What is the full name of the user on COMP-SIREN that begins with L? I am pretty sure it is Larry Young as you can see from the screenshot. Could i check whether there is an error with the question? Or am i missing somethingSolved35Views1like2CommentsCVE-2020-11651 (SaltStack RCE) – Defensive
Using the PCAP file located on the Desktop, what are the last five characters of the root_key that was sent to the attacker? I am stuck with question number 5. Any Hint? I tried tcp.payload matches "_send_pub" and just tcp.port == 4506Solved41Views1like3CommentsRadare2 Reverse Engineering: Ep.1 – Windows Binary Part 1
I have managed to find the answers to all of the questions within this lab except for question 6. I can not seem to figure out the appropriate step(s) or action(s) to take find the correct answer for this question. Any insight or guidance on what I'm missing / doing incorrectly and how to correct it would be greatly appreciated. I have provided a few screenshots for reference. Thanks in advance.104Views2likes8CommentsActive Directory Basics: Demonstrate Your Skills
Hey team, i am working on the lab in the title and quite sure there's an issue with the answer for one of the questions. 12. What is the full name of the user on COMP-SIREN that begins with L? I am pretty sure it is Larry Young as you can see from the screenshot. Could i check whether there is an error with the question? Or am i missing something34Views0likes1CommentFIN7 Threat Hunting with Splunk: Ep.3 – Execution Logs
For this lab I need to rebuild the PowerShell script using the three parts found in the PowerShell operational logs. Which I am able to do fairly easily but when I am required to obtain the MD5 hash of the file I am not getting the correct hash. I've removed any trailing white spaces and return characters. Not matter the setup, I just can't seem to find the special sauce on this one. I've tried numerous approaches and still get a no go. Any tips?Solved443Views1like28CommentsIntroduction to Elastic: Ep.9 - ES|QL
I’m stuck on question 18 i need this to complete the lab. The question says ‘Perform a final query using all of the techniques used in the previous questions. What is the average speed per hour for ALL trips that start in the borough of “Brooklyn” and end in the borough of “Manhattan”? Provide your answer to at least three decimal places. any ideas?37Views1like1CommentPowershell Deobsfuscation Ep.7
I was working on this and got stuck with Ep.7. Appreciate if anyone can assist with this Powershell de-obfuscation. Step 1: I removed the splits accordingly and converted from hexadecimal Step 2: Next, there was another set of splits to perform and ascii conversion. Ended up with the small snip of string at the bottom with a lot of (spaces and tabs) at the beginning. Basically empty spaces before coming to this short scripts. I am not sure on how to move from here. Anyone can assist with this pls?Solved100Views2likes7CommentsPowerShell Deobfuscation: Ep 8 help
I have been stuck on this EP for a week and haven't been able to progress. I am hoping someone can give me a hint to help me get through this one. Here is what I have done so far. I take the original encoded message and apply "FromBase64" and then "Raw Inflate" and I get the following data: You can see it outputs another command that also needs to decoded using the same steps above. That output gives you this... It outputs a string of characters but no obvious way to get this readable. I have tried bit-shifting, rotating characters, and a bunch of other tests and nothing has shown me anything that is remotely readable. I assume I am missing something simple but every time I read it back through, I don't see what I missed. Any help you can provide would be greatly appreciated.95Views1like5Comments