add progress so far
18
forensics/persist/README.md
Normal file
@@ -0,0 +1,18 @@
# Persist
Although Santa just updated his infra, problems still occur. He keeps
complaining about slow boot time and a blue window popping up for a split
second during startup. The IT elves support suggested that he should restart
his computer. Ah, classic IT support!
Download Link: http://46.101.25.140/forensics_persist.zip
## Flag
## Progress so far
- The zip file contains ä windows memory dump
- As the intro text states the boot time is slow and blue windows pop up. This might be ä Powershell reverse shell.
- So it is probably reasonable to check the windows autostart and the accoring registry keys
- I was not able to find anything as of yet
- Probably the `autostarts` plugin for `volatility2` would help. But I'm using version 3 and the plugin is not compatible.
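Review bot: the "Progress so far" list in this hunk records conclusions but not what was actually examined, so the bullet "- I was not able to find anything as of yet" gives the next person nothing to build on. State which autostart locations were checked (the Run and RunOnce keys under HKLM and HKCU, the per-user Startup folder) and with which Volatility 3 plugins, for example windows.registry.printkey for the keys and windows.pslist / windows.cmdline to look for a powershell.exe process, which is the obvious candidate for the blue window mentioned in the intro text; that also makes the last bullet about the missing Volatility 2 plugin less of a dead end. Two typos in the same list: the "ä" in "contains ä windows memory dump" and in "might be ä Powershell reverse shell" should be "a" (and "windows" should be "Windows"), and "accoring" should be "according". The "## Flag" section is empty; a placeholder such as "TODO" under it would make it obvious the write-up is unfinished rather than looking like a lost line.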
132392
forensics/persist/test
File diff suppressed because it is too large