Weekly Challenge: Spiny Shell
You receive an alert about a suspicious command execution on a Windows endpoint. Early analysis suggests PowerShell has not been locked down appropriately. Can you determine whether anything malicious is underway? Once you have uncovered some basic information, dive deeper into the suspicious command to identify the attacker's infrastructure and setup!
How do you triage and analyze a suspicious PowerShell command?
In this weekly challenge, you will operate in a defensive capacity to investigate this exact scenario:
- What is the encoding for the base64 character format?
- What are the three subdomains referenced?
- What is the first “attack string” file that would aid an attacker?
- What does the referenced “attack string” in c.ps1 do?
- What is the $t variable set to?
- What is the referenced attacker domain?
Who is this for?
Early to mid-level practitioners operating in an offensive or defensive capacity (and advanced practitioners looking for some fun). Individuals new to cybersecurity may struggle to complete this challenge, as it involves some advanced security concepts.
What resources are available to help solve this challenge?
Online search, Discord community, colleagues or fellow practitioners.
Are write ups permitted?
Yes, write-ups are permitted; however, please do not post answers directly. All write-ups should include an appropriate link back to Cybrary and the Cybrary course.