VeeBeeeee: A Microsoft Script Forensics Challenge

VeeBeeeee starts with an extensionless file. Opening it directly shows only what looks like random junk. I used PowerShell to display the file's contents and then pasted the output into CyberChef to decode it. CyberChef's “Magic” function identified the blob as an encoded Microsoft Script, and CyberChef applied the Microsoft Script Decoder operation to it. Copying the cleartext code into VSCode lets us use find and replace to strip out the junk data. While going through the script and removing the tacked-on strings and characters, we can see that an array called Request is being built. Following the link in this array leads to a Pastebin file containing the flag.

Fetch: A Prefetch and WIM File Analysis Challenge

Fetch provided an unknown file with no extension. As in previous challenges, we can use the “file” command to determine the file type. Using ...
Snake Eater: A Malware Analysis Challenge

Snake Eater provided an executable file with the comment “I’ve never seen an executable file that looks like this. Can you check it out and see what it’s doing”. That comment is the hint to finding the flag. This challenge requires a virtual machine, because the executable is based on live malware and Defender may delete it or prevent it from running. First, we need the Sysinternals tools, which can be downloaded from Microsoft. With the Sysinternals tools in hand, we return to the hint: “Can you check it out and see what it’s doing” tells us to run the malware and observe the changes it makes to the system. One way to do this is with Process Monitor from Sysinternals. We run the Process Monitor executable and start capturing with no filters enabled, then execute the snake_eater.exe file and wait for it to close. After it closes, we can stop the Process Monitor c...