APT29 Threat Hunting with Splunk: Demonstrate Your Skills - Question 10
In relation towards the question : A PowerShell script was initially executed to extract encoded data from an image file. What is the full ParentCommandLine field value used to execute this? I am pretty lost and where I should be looking for, as searching for the zipped file activities did not bring up any notable powershell scripts I also tried inputting: C:\WINDOWS\system32\WindowsPowerShell\v1.0\Modules\Microsoft.PowerShell.Archive\Microsoft.PowerShell.Archive.psm1 as well which did not workThreat Actors: Salt Typhoon – SNAPPYBEE Campaign Analysis - Question 7
In relation to What is the device that tcpdump is dumping packets from? For some reason win-host-1.asgard.corp and win-host-1 does not work and NPF_{B1ADE8FD-CC9A-4857-9C50-28078779F038}, I am wondering babout what I am doing wrong in terms of approaching this question, and How I should be redirecting my attention instead. 10.10.10.30 does not work as well
Ethereum: The Blockchain, Transactions, and Explorers
Hi All, I am super stuck on question 9' After completing the previous question, a certain number of ETH was sent to your wallet. Using the blockchain explorer, what is the address that sent you this ETH?' I have input the labs wallet ID into the block explorer but I cant see any transactions to trace where the ETH has come from. Am I being stupid or is something not working?
Threat Actors: Salt Typhoon – SNAPPYBEE Campaign Analysis - Question 3
For the question There is a .bat file that is executed on the victim machine. What is the file path of the .bat file?, for some reason I cant pick up any strings in general with that pattern. I am wondering if I should be parsing for something else such as a .zip, but event then. the "bat" keyword should have been picked up I believeThreat Actors: Mint Sandstorm – Campaign Analysis - Question 9
In relation to the What named local variable holds the IP address from the for loop? I have been checking out the local varaibles but as per the for loop none of the variables typed in were correct. I am basically lost if none of the local variables observed in the for loop was observed to be the answer. I am wondering about what direction I should take in terms of digging deepering into how the IP is stored where even the variable ServIp was showcased to be incorrect and wsaData. <-- leveraged Gemini for aid in parsing and understanding of the compiled code for ease of understanding and if there was anything I missed from the code, that may hint at a more indirect variable as wellAPT43: Malware Analysis - Question 8
In relation to the type of files are they once extracted? After extracting the files, I was basically trying multiple file extensions, from XML type files, to VBA as per the briefing. I am wondering about what the question means by "the Type" of files, so I can pivot my investigation more relevant. I have also tried Microsoft Document and other file application names <-- used Gemini to help me generate possible names, due to how it may have just been my own understanding of what the question meant as wellThreat Actors: APT43 - Question 7
In relation to What Resource Development technique was used to facilitate the hosting of beacons, implants, and file exfiltrators? For some reason Obtain Capabilities is wrong, and I tried multiple other names part of the resource development, I am wondering if I should be pivoting into a different area. I also tried Acquire Infrastructure, and Compromise Infrastructure as well.APT34: PoisonFrog - Question 6
For the What is the name of the file that executes the HTTP and DNS handling scripts?, I am confused on where I should be digging deeper as the powershell script was showcased to be wrong in terms of entering down the name, as well as other parts of the file I also tried parsing for the file name through the decoded script but I cant seem to find any meaningful leads. Basically I am wondering about what the expectation is for the question and where/how I should approach at a different angleAPT34: Glimpse - Question 4
For What is the name of the Visual Basics script that is used to run the malicious PowerShell script?, I am wondering about where should I dig deeper into volatility into extracting the command history of the raw file, as I keep running into errors. I am wondering about where should I be digging deeper to find out what I am doing wrong
