1. What command was executed as Elf McNealy to add a new user to the machine?
ANS: Invoke-Nightmare
EXPLANATION:
Step 1: Open Full Event Log View (the NirSoft tool provided on the machine).
Step 2: Open Advanced Options and fill in the filter details so that only the PowerShell log is shown.
Step 3: Check each event. [Hint: It's in Record ID 707.] Invoke-Nightmare is the PowerShell PrintNightmare PoC (CVE-2021-34527); it abuses the Print Spooler to create a new local administrator, which is why a new user appears without any explicit "net user /add" in the log.
2. What user executed the PowerShell file to send the password.txt file from the administrator's desktop to a remote server?
ANS: adm1n
EXPLANATION:
Step 1: It's in the same Record ID 707 log entry. Look at the user shown for the event; adm1n is the account Invoke-Nightmare created in the previous question, so the attacker ran the exfiltration script under the new admin user.
3. What was the IP address of the remote server? What was the port used for the remote connection? (format: IP,Port)
ANS: 10.10.148.96,4321
EXPLANATION:
Step 1: Check each event. [Hint: It's in Record ID 703.] The script block contains the remote host and port the file was sent to.
4. What was the encryption key used to encrypt the contents of the text file sent to the remote server?
ANS: j3pn50vkw21hhurbqmxjlpmo9doiukyb
EXPLANATION:
Step 1: It's in the Record ID 703 log entry. [Hint: look for the line that starts with $key.] Note the key is 32 characters, i.e. a 32-byte AES-256 key once it is passed through GetBytes().
5. What application was used to delete the password.txt file?
ANS: sdelete.exe
EXPLANATION:
Step 1: It's in the Record ID 748 log entry. [Hint: look for any .exe related to deleting files.] SDelete (Sysinternals) overwrites a file before removing it, so the original password.txt cannot simply be carved back from disk; the contents have to be recovered from the logged script blocks instead (see question 7).
6. What is the date and timestamp the logs show that password.txt was deleted? (format: MM/DD/YYYY H:MM:SS PM)
ANS: 11/11/2021 7:29:27 PM
EXPLANATION:
Step 1: Open Advanced Options and fill in the filter details.
Step 2: Check the Event Time column of the sdelete event from question 5.
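Questions 1 to 6 are all the same procedure: find a handful of record IDs in the PowerShell log and read the script text out of them. The script below is an added example, not part of the original walkthrough or of the room, and does the same thing with Get-WinEvent instead of Full Event Log View. It assumes the entries are Event ID 4104 script-block logs in the Microsoft-Windows-PowerShell/Operational log and that the log was exported to the path in $LogPath (both are assumptions; adjust the path to wherever the room keeps the .evtx).

```powershell
# Added example (not the walkthrough's or the room's code): read the script-block text
# of specific records straight from an exported PowerShell Operational log.
# ASSUMPTION: the log was exported to this path; change it to match the machine.
$LogPath = 'C:\Users\Administrator\Desktop\Logs\Microsoft-Windows-PowerShell%4Operational.evtx'

# Record IDs named in the questions: 707 (new user / Invoke-Nightmare),
# 703 (remote host, port and $key), 748 (sdelete), 753 (encrypted blob).
$RecordIds = 703, 707, 748, 753

function Get-ScriptBlockRecord {
    param(
        [Parameter(Mandatory)] [string] $Path,
        [Parameter(Mandatory)] [int[]]  $RecordId
    )
    # Event ID 4104 ("Creating Scriptblock text") holds the script that actually ran.
    # EventRecordID in the XPath is the same number Full Event Log View shows as Record ID.
    $xpath = '*[System[EventID=4104 and (' +
             (($RecordId | ForEach-Object { "EventRecordID=$_" }) -join ' or ') + ')]]'
    Get-WinEvent -Path $Path -FilterXPath $xpath -Oldest | ForEach-Object {
        # The rendered Message is generic; the script body lives in EventData/ScriptBlockText.
        $xml  = [xml]$_.ToXml()
        $data = @{}
        foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
        [pscustomobject]@{
            RecordId    = $_.RecordId
            # Same layout the question asks for: MM/DD/YYYY H:MM:SS PM (local time)
            TimeCreated = $_.TimeCreated.ToString('MM/dd/yyyy h:mm:ss tt')
            ScriptBlock = $data['ScriptBlockText']
        }
    }
}

$records = Get-ScriptBlockRecord -Path $LogPath -RecordId $RecordIds
foreach ($r in $records) {
    "=== Record $($r.RecordId) @ $($r.TimeCreated) ==="
    # Keep only the lines that answer the questions: user creation, remote IP,
    # the $key assignment, sdelete, and the SecureString encrypt/decrypt calls.
    $r.ScriptBlock -split "`r?`n" |
        Where-Object { $_ -match 'Invoke-Nightmare|net user|\$key|\d{1,3}(\.\d{1,3}){3}|sdelete|Convert(From|To)-SecureString' }
}
```

Long scripts are split across several 4104 events (MessageNumber/MessageTotal in EventData), so if a record looks truncated, pull the neighbouring record IDs with the same ScriptBlockId and join them in order.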
7. What were the contents of the deleted password.txt file?
ANS: Mission Control: letitsnowletitsnowletitsnow
EXPLANATION:
Step 1: Open Advanced Options and fill in the filter details.
Step 2: It's in the Record ID 753 log entry. [Hint: copy the long encrypted string value.]
Step 3: Right-click the decryptor script, choose Edit, and paste the copied string in.
Step 4: Paste the key from question 4 into the GetBytes() call.
Step 5: Run the script; the decrypted text is the content of password.txt.
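The decryptor step works because the file was encrypted with PowerShell's own SecureString export, which uses AES with the supplied key, so the key from question 4 reverses it. The block below is an added example and not the room's decryptor.ps1; it assumes (as the "GetBytes" hint suggests) that the attacker used ConvertFrom-SecureString -Key, and because the original ciphertext from Record ID 753 is not reproduced on this page it constructs its own sample blob the same way and then decrypts it.

```powershell
# Added example (not the room's decryptor.ps1): what "paste the key into GetBytes" does.
# ConvertFrom-SecureString -Key with a 32-byte key is AES-256; anyone holding the key
# string from Record ID 703 can recover the plaintext from the blob in Record ID 753.
$KeyString = 'j3pn50vkw21hhurbqmxjlpmo9doiukyb'          # from question 4
$key = [System.Text.Encoding]::UTF8.GetBytes($KeyString) # 32 bytes -> AES-256

# -Key accepts 16, 24 or 32 bytes (AES-128/192/256); anything else is a copy/paste error.
if ($key.Length -notin 16, 24, 32) {
    throw "Key must be 16, 24 or 32 bytes; got $($key.Length)"
}

function Unprotect-KeyedSecureString {
    param(
        [Parameter(Mandatory)] [string] $EncryptedString, # the long string copied from the log
        [Parameter(Mandatory)] [byte[]] $Key
    )
    # ConvertTo-SecureString -Key reverses ConvertFrom-SecureString -Key (same AES key).
    $secure = ConvertTo-SecureString -String $EncryptedString -Key $Key
    # Marshal the SecureString out to a plain string, zeroing the BSTR afterwards.
    $bstr = [System.Runtime.InteropServices.Marshal]::SecureStringToBSTR($secure)
    try     { [System.Runtime.InteropServices.Marshal]::PtrToStringBSTR($bstr) }
    finally { [System.Runtime.InteropServices.Marshal]::ZeroFreeBSTR($bstr) }
}

# CONSTRUCTED sample: encrypt the known answer the way the attacker's script would have,
# so the round trip can be run offline without the original blob from Record ID 753.
$sampleBlob = 'Mission Control: letitsnowletitsnowletitsnow' |
    ConvertTo-SecureString -AsPlainText -Force |
    ConvertFrom-SecureString -Key $key

$plain = Unprotect-KeyedSecureString -EncryptedString $sampleBlob -Key $key
"Decrypted: $plain"   # prints the password.txt contents from question 7
```

To use it on the real evidence, replace $sampleBlob with the string copied from Record ID 753. A wrong or mistyped key usually fails inside ConvertTo-SecureString with a padding error rather than producing garbage, which is a quick sanity check that the $key value was copied correctly.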
*****************THANK YOU****KEEP LEARNING ******************
I HOPE THIS WALKTHROUGH HELPS YOU. IF SO, A LIKE ON THE WRITE-UP AND A FOLLOW ON THE BLOG AND PROFILE WILL BE MUCH APPRECIATED.
FOLLOW MY PROFILE FOR MORE WRITE-UPS
****************************PEACE********************************