Category: DFIR
Difficulty: medium
Author: 2keebs
An attacker has installed a C2 persistence mechanism on this system.
- When is it scheduled to next execute?
- What C2 IP address is the PowerShell stager configured to connect to?
Flag Format: DUCTF{hh:mm_IP} e.g. DUCTF{15:27_10.0.0.8}
File password: Awt4Wh6dT3by0hXmfFZn