courses
Free

Challenge: Spiny Shell

You receive an alert about a suspicious command execution on a Windows endpoint. Early analysis suggests PowerShell has not locked down appropriately. Can you validate if anything malicious is underway? Now that you have some basic information discovered, dive deeper into the suspicious command to identify the attacker's infrastructure and setup!
5
Share
Start CourseSubscribe for UpdatesNeed to train your team? Learn more
Create Free AccountNeed to train your team? Learn more
0
50
M
Time
intermediate
difficulty
1
ceu/cpe

Course Content

Defense
Investigate A Suspicious Command - Easy

30m

Defense
Identify the Attacker's Infrastructure - Hard

20m

Defense
Course Description

How do you triage and analyze a suspicious PowerShell command?

In this challenge, you will operate in a defensive capacity to investigate this exact scenario: > - What is the encoding for the base64 character format? > - What are the three subdomains referenced? > - What is the first “attack string” file that would aid an attacker? > - What does the referenced “attack string” in c.ps1 do? > - What is the $t variable set to? > - What is the referenced attacker domain?

![CySeeker Peculiar](//images.ctfassets.net/kvf8rpi09wgk/qbEzmd4efRzpA1lBEW8vZ/9fb4bc97f855861107cfa48daf666920/CySeeker_Peculiar.png)

Who is this for?

> Early to mid-level practitioners operating in an offensive or defensive capacity (advanced practitioners, if looking for some fun). Individuals new to cybersecurity may struggle to complete this as it involves some advanced security concepts.

What resources are available to help solve this challenge?

> Online search, Discord community, colleagues or fellow practitioners.

Are write ups permitted?

> Yes, write ups are permitted; however, please do not post answers directly. All write ups should include an appropriate link back to Cybrary and the Cybrary Course.

This course is part of a Career Path:
No items found.

Instructed by

Senior Instructor
Matthew Mullins

Matt has led multiple Red Team engagements, ranging from a few weeks to a year and covering multiple security domains. Outside of Red Teaming, Matt is also a seasoned penetration tester with interests in: AppSec, OSINT, Hardware, Wifi, Social Engineering, and Physical Security. Matt has a Master's degree in Information Assurance and an exhaustive number of certifications ranging from frameworks, management, and hands-on hacking. Matt is a Technical SME at Cybrary, focusing on Adversarial Emulation and Red Teaming for course content.

Provider
Cybrary Logo
Certification Body
Certificate of Completion

Complete this entire course to earn a Challenge: Spiny Shell Certificate of Completion