nerdexam
GIAC

GCIH · Question #809

An administrator runs the following command. What should be their next step based on the output shown?

The correct answer is B. Decode the Base-64 value. When a command's output reveals a Base-64 encoded value, the immediate next step is to decode it to understand what payload or command is being obfuscated.

Malware Analysis & Advanced Persistent Threats

Question

An administrator runs the following command. What should be their next step based on the output shown?

Exhibit

GCIH question #809 exhibit

Options

  • AExamine child processes
  • BDecode the Base-64 value
  • CHalt the running process
  • DVerify the SHA256 hash

How the community answered

(17 responses)
  • A
    6% (1)
  • B
    82% (14)
  • D
    12% (2)

Why each option

When a command's output reveals a Base-64 encoded value, the immediate next step is to decode it to understand what payload or command is being obfuscated.

AExamine child processes

Examining child processes is a valid investigation step, but it is premature before decoding the encoded payload, which may reveal whether the process is malicious at all.

BDecode the Base-64 valueCorrect

Attackers frequently use Base-64 encoding to obfuscate malicious commands, scripts, or payloads so they evade signature-based detection. Decoding the value is the highest-priority next step because it reveals the actual intent of the command and determines whether further containment or remediation actions are necessary before examining process trees or performing hash verification.

CHalt the running process

Halting the running process should only follow a determination of malicious intent - stopping it before decoding the Base-64 value could prematurely disrupt a legitimate process or destroy volatile forensic evidence.

DVerify the SHA256 hash

Verifying a SHA256 hash is used for file integrity checking against known-good or known-malicious hashes, but it does not help interpret an obfuscated command string embedded in process output.

Concept tested: Investigating Base-64 obfuscated command execution

Source: https://attack.mitre.org/techniques/T1027/

Topics

#Base64 encoding#process analysis#PowerShell obfuscation#malware triage

Community Discussion

No community discussion yet for this question.

Full GCIH Practice