Rogue Inbox
Originally I was looking at this in Timeline Explorer, but decided to switch to Excel.
Swimming and scanning through a sea of log entries, an anomaly showed itself.
For this one I just copied the values out by hand.
Huntress CTF: Week 3 – Forensics: Rogue Inbox, Texas Chainsaw Massacre: Tokyo Drift
The download is Application Logs.evtx
If you open the log with Event Viewer, you may see there’s an entry for a (non-actual) event ID of 1337.
The error content isn’t very helpful.
Let’s take a hint from the title and run the event log through Chainsaw.
Nothing significant when using the stock rules. What if we poke specifically at Event ID 1337.
That looks interesting.
Copy the binary data and bring it over to CyberChef
From unintelligible binary to unintelligible PowerShell.
Copy the output and save it is a .ps1 file. We can run the script through PowerDecode.
PowerCode works down through the obfuscation layers, finally revealing the plain text of the command.
Now that the code has been deobfuscated, time to figure out what it does. I copied the code into PowerShell ISE and start isolating the different command sections.
One of the commands does a DNS lookup and directs the output into a string.
If we run the command on its own we can see the output. The last part of the script checks to see if the output matches the pattern of a Base64 encoded string, and if so, decodes it.
Now what was that about Tokyo?
Use the tag #HuntressCTF on BakerStreetForensics.com to see all related posts and solutions for the 2023 Huntress CTF.
Baker Street Forensics 