Need help in the lab - APT29 Threat Hunting with Splunk: Ep.11 – Demonstrate Your Skills
I am currently working through the APT29 Threat Hunting with Splunk: Ep.11 – Demonstrate Your Skills lab and would appreciate your assistance in reviewing or clarifying a few specific questions. Despite thorough log analysis and validation via Splunk queries, the following questions are not accepting what I believe to be correct answers: Q10. A PowerShell script was initially executed to extract encoded data from an image file. What is the full ParentCommandLine field value used to execute this? Q11. This PowerShell script was added to a registry key that was used to bypass user access control. What other value was set on the same key to facilitate this? Q15. what was the name of the service created to obtain a means of persistence? Q23. What is the name of the executable that's executed by the persistence mechanism placed in the Windows Startup folder?
Introduction to Active Directory Attacks: Local Passwords
Briefing says to use poweup.ps1 but i dont see the powershell script in the tools folder. additionally tried powershell command mentioned but producing so many result. any thoughts or suggestion to find the password stored in some where in files.
Credential Access - NTDS
Got down to the last two questions and I felt like I've tried all suggestions in the briefing. Can anyone help out with the last two question? Also, the "secretsdump.py -ntds <ntds.dit path> -system <SYSTEM hive path> LOCAL" isn't working but tried "impacket.examples.secretsdump" and it doesn't throw an error, but also doesn't throw any output.
