Weekly Challenge: Spiny Shell


You receive an alert about a suspicious command execution on a Windows endpoint. Early analysis suggests PowerShell has not been locked down appropriately. Can you validate whether anything malicious is underway? Once you have uncovered some basic information, dive deeper into the suspicious command to identify the attacker's infrastructure and setup!

Time
50 minutes
Difficulty
Intermediate
CEU/CPE
1

Course Content
Module 1: Defense
Investigate A Suspicious Command - Easy
30m
Identify the Attacker's Infrastructure - Hard
20m
Course Description

How do you triage and analyze a suspicious PowerShell command?

In this weekly challenge, you will operate in a defensive capacity to investigate this exact scenario:

  • What is the encoding for the base64 character format?
  • What are the three subdomains referenced?
  • What is the first “attack string” file that would aid an attacker?
  • What does the referenced “attack string” in c.ps1 do?
  • What is the $t variable set to?
  • What is the referenced attacker domain?

Who is this for?

Early to mid-level practitioners operating in an offensive or defensive capacity (advanced practitioners, if looking for some fun). Individuals new to cybersecurity may struggle to complete this as it involves some advanced security concepts.

What resources are available to help solve this challenge?

Online search, Discord community, colleagues or fellow practitioners.

Are write ups permitted?

Yes, write ups are permitted; however, please do not post answers directly. All write ups should include an appropriate link back to Cybrary and the Cybrary Course.

Provider
Cybrary
Certificate of Completion

Complete this entire course to earn a Weekly Challenge: Spiny Shell Certificate of Completion