Artifacts of Dangerous Sightings
Pandora has been using her computer to uncover the secrets of the elusive relic. She has been relentlessly scouring through all the reports of its sightings. However, upon returning from a quick coffee break, her heart races as she notices the Windows Event Viewer tab open on the Security log. This is so strange! Immediately taking control of the situation she pulls out the network cable, takes a snapshot of her machine and shuts it down. She is determined to uncover who could be trying to sabotage her research, and the only way to do that is by diving deep down and following all traces …
Mount the disk image 2023-03-09T132449_PANDORA.vhdx. Among the files it contains are the copy and skip logs from the collection:
2023-03-09T13_24_49_2142105_CopyLog.csv
2023-03-09T13_24_49_2142105_SkipLog.csv.csv
Note: the PowerShell command history is at
C:\Users\Pandora\AppData\Roaming\Microsoft\Windows\PowerShell\PSReadline\ConsoleHost_history.txt
It contains the command
type finpayload > C:\Windows\Tasks\ActiveSyncProvider.dll:hidden.ps1
which writes the payload into an alternate data stream (hidden.ps1) attached to ActiveSyncProvider.dll, so the script never shows up as a separate file in a directory listing.
Background on alternate data streams: https://www.nirsoft.net/utils/alternate_data_streams.html
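As an added example (not part of the original write-up), the two triage steps above expressed as PowerShell run against the mounted image: flag history lines that redirect output into a file:stream target, then enumerate every alternate data stream in the directory and dump its contents for review without executing anything. The mount drive letter E:\ is an assumption; the history path and the Windows\Tasks directory are the ones from the history entry.

```powershell
# Added example, not code from the write-up. Requires Windows PowerShell 5.1 or
# later on Windows, since -Stream relies on NTFS alternate data streams.
$MountRoot   = 'E:\'   # ASSUMPTION: drive letter where the VHDX was mounted
$HistoryFile = Join-Path $MountRoot 'Users\Pandora\AppData\Roaming\Microsoft\Windows\PowerShell\PSReadline\ConsoleHost_history.txt'
$TargetDir   = Join-Path $MountRoot 'Windows\Tasks'

# 1. Flag history lines that redirect output into a file:stream target.
#    The pattern requires a path component that carries a colon after the
#    file name (e.g. ActiveSyncProvider.dll:hidden.ps1); a plain drive-letter
#    colon such as C:\file.txt does not match.
$adsWrite = '>\s*\S+\\[^\\:\s]+:[^\\:\s]+'
if (Test-Path -LiteralPath $HistoryFile) {
    Select-String -LiteralPath $HistoryFile -Pattern $adsWrite |
        ForEach-Object { "[history] line $($_.LineNumber): $($_.Line)" }
}

# 2. List every stream on every file in the directory except the default
#    ::$DATA stream. Get-Item -Stream * yields one object per stream with
#    FileName, Stream and Length properties.
Get-ChildItem -LiteralPath $TargetDir -File -Force -ErrorAction SilentlyContinue |
    ForEach-Object {
        Get-Item -LiteralPath $_.FullName -Stream * -ErrorAction SilentlyContinue |
            Where-Object { $_.Stream -ne ':$DATA' }
    } |
    ForEach-Object {
        "[ads] $($_.FileName):$($_.Stream) ($($_.Length) bytes)"
        # 3. Dump the hidden stream as text for review only; it is never run.
        Get-Content -LiteralPath $_.FileName -Stream $_.Stream -Raw
    }
```

The stream dump is read-only: the point of the step is to recover the script for analysis, and the regex on the history file is the cheap check that tells you which directory to look in when the history is longer than a single line.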
The hidden script is obfuscated. Running it with PowerShell script block logging enabled records the de-obfuscated script blocks in the event log, and the decoded code contains:
$TopSecretCodeToDisableScript = "HTB{Y0U_C4nt_St0p_Th3_Alli4nc3}"
Nice.
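Added example, not from the write-up: enabling script block logging on an isolated analysis VM and then reading back the Event ID 4104 records, reassembling script blocks that PowerShell split across several events because they were too long for one record. The registry value and the order of the 4104 event fields are the documented ones; running the sample in a throwaway VM and the variable name used as the final filter (taken from the decoded script above) are assumptions of this walkthrough.

```powershell
# Added example, not code from the write-up. Run in an elevated prompt on an
# isolated analysis VM (ASSUMPTION), never on the analyst's own workstation.

# 1. Enable script block logging through the policy registry key.
$Key = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell\ScriptBlockLogging'
if (-not (Test-Path -LiteralPath $Key)) { New-Item -Path $Key -Force | Out-Null }
Set-ItemProperty -LiteralPath $Key -Name EnableScriptBlockLogging -Value 1 -Type DWord

# 2. After the suspect script has run in the VM, collect the 4104 events.
$events = Get-WinEvent -FilterHashtable @{
    LogName = 'Microsoft-Windows-PowerShell/Operational'
    Id      = 4104
} -ErrorAction SilentlyContinue

# 3. A long script block is split over several 4104 events that share one
#    ScriptBlockId; reassemble them in MessageNumber order.
#    EventData order for 4104: [0]=MessageNumber [1]=MessageTotal
#    [2]=ScriptBlockText [3]=ScriptBlockId [4]=Path
$blocks = $events |
    ForEach-Object {
        [pscustomobject]@{
            Number = [int]$_.Properties[0].Value
            Total  = [int]$_.Properties[1].Value
            Text   = [string]$_.Properties[2].Value
            Id     = [string]$_.Properties[3].Value
            Path   = [string]$_.Properties[4].Value
            Time   = $_.TimeCreated
        }
    } |
    Group-Object Id |
    ForEach-Object {
        $parts = @($_.Group | Sort-Object Number)
        [pscustomobject]@{
            ScriptBlockId = $_.Name
            Path          = $parts[0].Path
            FirstSeen     = (@($parts | Sort-Object Time))[0].Time
            Complete      = ($parts.Count -eq $parts[0].Total)   # all fragments present?
            Text          = (($parts | ForEach-Object { $_.Text }) -join '')
        }
    }

# 4. Surface the blocks that contain the decoded stage, here identified by the
#    variable name seen in the de-obfuscated script (ASSUMPTION as a filter).
$blocks |
    Where-Object { $_.Text -match 'TopSecretCodeToDisableScript' } |
    Select-Object ScriptBlockId, Path, FirstSeen, Complete, Text
```

The Complete flag matters in practice: the log can be trimmed or a fragment can be missed by a time filter, and a half-reassembled block looks like a different script than the one that actually ran. Once the VM has served its purpose, the same registry value set to 0 turns the logging back off, but on production hosts it is worth leaving on, since these 4104 records are what let a defender see an obfuscated script in the clear without ever having to decode it by hand.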