GCIH · Question #809
An administrator runs the following command. What should be their next step based on the output shown?
The correct answer is B. Decode the Base-64 value. When a command's output reveals a Base-64 encoded value, the immediate next step is to decode it to understand what payload or command is being obfuscated.
Question
An administrator runs the following command. What should be their next step based on the output shown?
Exhibit
Options
- AExamine child processes
- BDecode the Base-64 value
- CHalt the running process
- DVerify the SHA256 hash
How the community answered
(17 responses)- A6% (1)
- B82% (14)
- D12% (2)
Why each option
When a command's output reveals a Base-64 encoded value, the immediate next step is to decode it to understand what payload or command is being obfuscated.
Examining child processes is a valid investigation step, but it is premature before decoding the encoded payload, which may reveal whether the process is malicious at all.
Attackers frequently use Base-64 encoding to obfuscate malicious commands, scripts, or payloads so they evade signature-based detection. Decoding the value is the highest-priority next step because it reveals the actual intent of the command and determines whether further containment or remediation actions are necessary before examining process trees or performing hash verification.
Halting the running process should only follow a determination of malicious intent - stopping it before decoding the Base-64 value could prematurely disrupt a legitimate process or destroy volatile forensic evidence.
Verifying a SHA256 hash is used for file integrity checking against known-good or known-malicious hashes, but it does not help interpret an obfuscated command string embedded in process output.
Concept tested: Investigating Base-64 obfuscated command execution
Source: https://attack.mitre.org/techniques/T1027/
Topics
Community Discussion
No community discussion yet for this question.
