add progress so far
This commit is contained in:
aaron
18
forensics/persist/README.md
Normal file
18
forensics/persist/README.md
Normal file
@@ -0,0 +1,18 @@
|
||||
# Persist
|
||||
|
||||
Although Santa just updated his infra, problems still occur. He keeps
|
||||
complaining about slow boot time and a blue window popping up for a split
|
||||
second during startup. The IT elves support suggested that he should restart
|
||||
his computer. Ah, classic IT support!
|
||||
|
||||
Download Link: http://46.101.25.140/forensics_persist.zip
|
||||
|
||||
## Flag
|
||||
|
||||
## Progress so far
|
||||
|
||||
- The zip file contains ä windows memory dump
|
||||
- As the intro text states the boot time is slow and blue windows pop up. This might be ä Powershell reverse shell.
|
||||
- So it is probably reasonable to check the windows autostart and the accoring registry keys
|
||||
- I was not able to find anything as of yet
|
||||
- Probably the `autostarts` plugin for `volatility2` would help. But I'm using version 3 and the plugin is not compatible.
|
||||
132392
forensics/persist/test
132392
forensics/persist/test
File diff suppressed because it is too large
Load Diff
Reference in New Issue
Block a user