Base64 encoded PowerShell commands can often be a quick win for the identification of suspicious activity. Recently, I've come across some notable samples, which after a bit of digging, provide valuable insight into attacker activities and new IOCs.

This article initially looks at Metasploit Framework Shellcode, but similar techniques are also used for frameworks such as Cobalt Strike or PowerShell Empire, which can be analyzed in a similar way.

In most cases, we can use CyberChef to create a recipe to unpeel the payload, and then something like scdbg to understand the shellcode.

CyberChef recipe decoding shellcode and scdbg analysis (overlay)

The recipe for the analysis is at…


BTLO (blueteamlabs.online)

You have been sent a phishing link. It is your task to investigate this website and find out everything you can about the site, the actor responsible, and perform threat intelligence work on the operator(s) of the phishing site.

Phishy V1 requires the use of the Web Browser to explore the phishing website. Navigate to the site in the lab, which looks to be an Office365 login to access an Excel file.


BTLO (blueteamlabs.online)

Recently the networks of a large company named GothamLegend were compromised after an employee opened a phishing email containing malware. The damage caused was critical and resulted in business-wide disruption. GothamLegend had to reach out to a third-party incident response team to assist with the investigation. You are a member of the IR team; all you have is an encoded PowerShell script. Can you decode it and identify what malware is responsible for this attack?

Download the .zip and enter the password btlo to access the files.

This challenge requires analysis of a PowerShell script.


BTLO (blueteamlabs.online)

The SOC received an alert in their SIEM for ‘Local to Local Port Scanning’ where an internal private IP began scanning another internal system. Can you investigate and determine if this activity is malicious or not? You have been provided a PCAP, investigate using any tools you wish.

Network Analysis — Web Shell requires analysis of a PCAP. Wireshark is a great tool to do this.

What is the IP responsible for conducting the port scan activity?

A good place to start in network analysis is to understand which hosts are communicating within the packet capture. …


Peak (blueteamlabs.online)

Dwight works as a web developer at Mountain Top Solutions, Chicago. He reports unusual activity originating from the private network 10.x.x.x in the logs on the application development server. Dwight also added that the server should only be accessed directly from the console or from his laptop via ssh which is in the network 192.168.1.0/24. Can you investigate this anomaly?

You are provided with the following logs, already ingested into an ELK deployment:

1. apache2 access and error logs
2. auditd logs (auditd rules configured with https://github.com/bfuzzy/auditd-attack/blob/master/auditd-attack.rules)
3. auth.log
4. syslog

Peak requires analysis of logs within…


BTLO (blueteamlabs.online)

The Security Operations Center at Defense Superior is monitoring the email gateway and network traffic of a customer, Crimeson LLC. One of the SOC team identified some anomalous traffic from the workstation of Josh Morrison, who works as a Junior Financial Controller. When contacted, Josh mentioned he received an email from an internal colleague asking him to download an invoice via a hyperlink and review it. The email read:

There was a rate adjustment for one or more invoices you previously sent to one of our customers. The adjusted invoices can be downloaded via this [link] for your review and payment processing…


BTLO (blueteamlabs.online)

NYC Police received information that a gang of attackers has entered the city and is planning to detonate an explosive device. Law enforcement has begun investigating all leads to determine whether this is true or a hoax.

Persons of interest were taken into custody, and one additional suspect named ‘Zerry’ was detained while officers raided his house. During the search they found one laptop, collected the digital evidence, and sent it to the NYC digital forensics division.

Police believe Zerry is directly associated with the gang and are analyzing his device to uncover any information about the potential attack.


Analysis of Shellbags is an extremely useful method of determining what file or folder actions have been taken on a host by a specific user.

What are Shellbags?

Shellbags are a set of registry keys which contain details about a folder a user has viewed, such as its size, window position, and icon. This means that directory traversal through Explorer is tracked and maintained in the registry.

Shellbags provide timestamps and contextual information, and show the access of directories and other resources, potentially pointing to evidence that no longer exists on disk. A shellbag entry is created for every newly explored folder.

Analysis of shellbags is useful as it can aid in creating a broader picture of an investigation, providing indications of activity and acting as a history of what directory items may have since been…


One of the important aspects of digital forensics and investigation is the identification and classification of potential malicious binaries on a system or in a network.

YARA is an open source tool which utilises a rule-based approach to identify malware through custom, antivirus-like signatures such as text or binary patterns. The rules, or descriptions, are built from strings and boolean logic, and match patterns or characteristics to classify a sample into a particular family or variant; a bit like grep, but able to match on combinations of patterns.

YARA Rules

YARA operates by utilising a rules file, in a .yar format where…


Taking a deeper look into Arucer.dll and uncovering what it does and how to use it.

Energizer Duo USB Battery Charger Trojan

UsbCharger_setup_V1_1_1.exe
3F4F10B927677E45A495D0CDD4390AAF

Arucer.dll
1070be3e60a1868d2cd62fc90d76c861

Battery Powered Trojan — Part 1
Battery Powered Trojan — Part 2

After performing Basic Static and Basic Dynamic analysis on UsbCharger_setup_V1_1_1.exe and Arucer.dll, we uncovered that a malicious backdoor (Arucer.dll) was opened as part of the installation of the Energizer UsbCharger.exe. We were unable to obtain any sustained connection to it; however, we did identify a set of strings which may hold the keys to activation (Figure 0.1).

Figure 0.1 — Suspicious strings identified in Arucer.dll from Basic Static Analysis

After some investigation into the assembly and some researching, I…

Chris Eastwood

Incident Response, Forensic Investigations, and Threat Hunting professional, writing things to learn them better.
