help & support
311 Topics

PowerShell Deobfuscation Ep.7
I first collected the .ps1 script and noticed that it is from hex. After decoding from hex, I noticed that it converts from decimals. This led me to use the From Decimal recipe from CyberChef. However, this led me towards only the decoded ending of the script itself, with the main obfuscated payload being empty. I am wondering about where I am going wrong in my thought process.
12 Views, 0 likes, 1 Comment

CTI First Principles: Threat actors and attribution Q9
In doing all of these questions, most of them are fine. Q9 isn't accepting any form of answer I input. There is nothing definitive in the PDF that gives an exact quotable answer, and anything that would logically be the answer comes up as incorrect. Even asking the AI tool is no good, as all the advice it gives still returns as incorrect; ironically, the tool even admitted to the questions being unfortunately specific in the answers and couldn't get it correct itself. Is this a bug or just really poor question design that expects an open-ended answer that you just have to guess is the correct variation of the truth? I feel the same: the focus in a lot of questions in other modules isn't on getting the correct answer but on answering correctly, which leads to a lot of frustration and a massive waste of time.
19 Views, 0 likes, 1 Comment

APT29 Threat Hunting with Splunk: Demonstrate Your Skills - Question 10
In relation to the question: "A PowerShell script was initially executed to extract encoded data from an image file. What is the full ParentCommandLine field value used to execute this?" I am pretty lost as to where I should be looking, as searching for the zipped file activities did not bring up any notable PowerShell scripts. I also tried inputting C:\WINDOWS\system32\WindowsPowerShell\v1.0\Modules\Microsoft.PowerShell.Archive\Microsoft.PowerShell.Archive.psm1 as well, which did not work.
Solved, 44 Views, 0 likes, 1 Comment

Threat Actors: Salt Typhoon – SNAPPYBEE Campaign Analysis - Question 7
In relation to "What is the device that tcpdump is dumping packets from?" For some reason win-host-1.asgard.corp and win-host-1 do not work, and neither does NPF_{B1ADE8FD-CC9A-4857-9C50-28078779F038}. I am wondering about what I am doing wrong in terms of approaching this question, and how I should be redirecting my attention instead. 10.10.10.30 does not work as well.
Solved, 44 Views, 0 likes, 1 Comment

Ethereum: The Blockchain, Transactions, and Explorers
Hi All, I am super stuck on question 9: "After completing the previous question, a certain number of ETH was sent to your wallet. Using the blockchain explorer, what is the address that sent you this ETH?" I have input the lab's wallet ID into the block explorer but I can't see any transactions to trace where the ETH has come from. Am I being stupid or is something not working?
30 Views, 0 likes, 1 Comment

Cannot seem to connect to Snaplabs via VPN
Hello, I’ve spun up a Snaplabs range - it’s a templated range based on shirts. I seem to be having trouble connecting to it though: I’ve added a VPN and tried to connect to it from several endpoints (including a cloud instance with no filtering) and the connection is never made on port 1194. I’ve tried adding an admin machine as it is necessary to connect to different machines via guacamole but I can’t seem to find it anymore. Perhaps I’m looking in the wrong place. Any push in the right direction would be highly appreciated. Thanks!
Solved, 489 Views, 2 likes, 12 Comments

Threat Actors: Salt Typhoon – SNAPPYBEE Campaign Analysis - Question 3
For the question "There is a .bat file that is executed on the victim machine. What is the file path of the .bat file?", for some reason I can't pick up any strings in general with that pattern. I am wondering if I should be parsing for something else such as a .zip, but even then, the "bat" keyword should have been picked up, I believe.
54 Views, 0 likes, 2 Comments

Threat Actors: Mint Sandstorm – Campaign Analysis - Question 9
In relation to the question "What named local variable holds the IP address from the for loop?" I have been checking out the local variables, but as per the for loop none of the variables typed in were correct. I am basically lost if none of the local variables observed in the for loop was observed to be the answer. I am wondering about what direction I should take in terms of digging deeper into how the IP is stored, where even the variable ServIp was showcased to be incorrect, as was wsaData. <-- leveraged Gemini for aid in parsing and understanding of the compiled code for ease of understanding and if there was anything I missed from the code that may hint at a more indirect variable as well.
Solved, 50 Views, 0 likes, 1 Comment