Free
Challenge: Spiny Shell
You receive an alert about a suspicious command execution on a Windows endpoint. Early analysis suggests PowerShell has not locked down appropriately. Can you validate if anything malicious is underway? Now that you have some basic information discovered, dive deeper into the suspicious command to identify the attacker's infrastructure and setup!
0
H
50
M
Time
intermediate
difficulty
1
ceu/cpe
Course Content
No items found.
Course Description
How do you triage and analyze a suspicious PowerShell command?
In this challenge, you will operate in a defensive capacity to investigate this exact scenario: > - What is the encoding for the base64 character format? > - What are the three subdomains referenced? > - What is the first “attack string” file that would aid an attacker? > - What does the referenced “attack string” in c.ps1 do? > - What is the $t variable set to? > - What is the referenced attacker domain?![CySeeker Peculiar](//images.ctfassets.net/kvf8rpi09wgk/qbEzmd4efRzpA1lBEW8vZ/9fb4bc97f855861107cfa48daf666920/CySeeker_Peculiar.png)