# Forensics - Golden Persistence

For this one we started with an NTUSER.DAT file. I went ahead and opened it in MiTeC Windows Registry Recovery, which lets me explore the entire hive easily. From looking around briefly we can see there is a startup entry that runs an encoded PowerShell script.

![](https://2826773145-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F1uhiofTFnZvCKEvs4fJk%2Fuploads%2FQMbd17VPYNeYdTHhbMS0%2FgoldenPersistance1.PNG?alt=media\&token=617de2f7-426c-443a-b489-da6875e20693)

To view the whole command and copy it, I headed over to the raw data section and searched for the name.

![](https://2826773145-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F1uhiofTFnZvCKEvs4fJk%2Fuploads%2FMlYsnUAedOlG0rN47PhV%2FgoldenPersistance2.PNG?alt=media\&token=a9f8e200-3a50-44c9-85c7-174d00d3e4a4)

Once that popped up I copied the encoded text and plugged it into CyberChef.

![](https://2826773145-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F1uhiofTFnZvCKEvs4fJk%2Fuploads%2FRMYXq2gRgUoL2xCLCNUa%2FgoldenPersistance3.PNG?alt=media\&token=f5d5d43c-8873-4744-971a-86419158d6cb)

Towards the bottom it reads a few other registry values and concatenates their data to form the encrypted payload.

```powershell
# Key material is the ASCII bytes of a hard-coded string
[Byte[]]$key = $enc.GetBytes("Q0mmpr4B5rvZi3pS")
# The payload is split across five registry values under HKCU (all inside NTUSER.DAT)
$encrypted1 = (Get-ItemProperty -Path HKCU:\SOFTWARE\ZYb78P4s).t3RBka5tL
$encrypted2 = (Get-ItemProperty -Path HKCU:\SOFTWARE\BjqAtIen).uLltjjW
$encrypted3 = (Get-ItemProperty -Path HKCU:\SOFTWARE\AppDataLow\t03A1Stq).uY4S39Da
$encrypted4 = (Get-ItemProperty -Path HKCU:\SOFTWARE\Google\Nv50zeG).Kb19fyhl
$encrypted5 = (Get-ItemProperty -Path HKCU:\AppEvents\Jx66ZG0O).jH54NW8C
# The five values are concatenated in this order into one hex string
$encrypted = "$($encrypted1)$($encrypted2)$($encrypted3)$($encrypted4)$($encrypted5)"
$enc = [System.Text.Encoding]::ASCII
# Hex-decode, decrypt with the key (HexToBin and encr are defined earlier in the script), then execute the result
[Byte[]]$data = HexToBin $encrypted
$DecryptedBytes = encr $data $key
$DecryptedString = $enc.GetString($DecryptedBytes)
$DecryptedString|iex
```

I went through and found each of these registry values, grabbed the data from them and plugged it into the PowerShell script manually.

![](https://2826773145-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F1uhiofTFnZvCKEvs4fJk%2Fuploads%2FX8GqugitvIT9nUwGFIhx%2FgoldenPersistance4.PNG?alt=media\&token=79f1969f-5911-4439-816a-bb86ee990d8b)

After doing this I made sure nothing would execute (the script pipes the decrypted string into `iex` at the end), then ran it so it printed the decrypted data in plaintext, and there was the flag.

![](https://2826773145-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F1uhiofTFnZvCKEvs4fJk%2Fuploads%2F1vZn5Ki9kQuUrSikdTbl%2FgoldenPersistance5.PNG?alt=media\&token=9256308a-3d47-4e7b-a3f3-3bc93d49f476)
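As an added analyst-side example (not part of the original writeup), the Python below reproduces the triage steps statically rather than by running the stager: it decodes a constructed `-EncodedCommand` launcher, lists the HKCU values the script concatenates and the key string it uses, flags the trailing `iex`, and reassembles the hex payload from recovered values in script order. The script text, Run-key value and hex values are constructed for the example; the cipher behind `encr` is not shown on the page, so decryption is left to the script's own function.

```python
import base64
import re

# Constructed sample of the decryption stage (mirrors the excerpt above, with
# $enc set first, as the full script must do before calling $enc.GetBytes).
STAGER = r'''
$enc = [System.Text.Encoding]::ASCII
[Byte[]]$key = $enc.GetBytes("Q0mmpr4B5rvZi3pS")
$encrypted1 = (Get-ItemProperty -Path HKCU:\SOFTWARE\ZYb78P4s).t3RBka5tL
$encrypted2 = (Get-ItemProperty -Path HKCU:\SOFTWARE\BjqAtIen).uLltjjW
$encrypted3 = (Get-ItemProperty -Path HKCU:\SOFTWARE\AppDataLow\t03A1Stq).uY4S39Da
$encrypted4 = (Get-ItemProperty -Path HKCU:\SOFTWARE\Google\Nv50zeG).Kb19fyhl
$encrypted5 = (Get-ItemProperty -Path HKCU:\AppEvents\Jx66ZG0O).jH54NW8C
$encrypted = "$($encrypted1)$($encrypted2)$($encrypted3)$($encrypted4)$($encrypted5)"
[Byte[]]$data = HexToBin $encrypted
$DecryptedBytes = encr $data $key
$DecryptedString = $enc.GetString($DecryptedBytes)
$DecryptedString|iex
'''
# Constructed Run-key value: -EncodedCommand takes base64 of UTF-16LE script text.
RUN_VALUE = "powershell.exe -NoP -W Hidden -enc " + base64.b64encode(
    STAGER.encode("utf-16-le")).decode()

ENC_CMD_RE = re.compile(r"-e(?:c|n[a-z]*)?\s+([A-Za-z0-9+/=]{16,})", re.IGNORECASE)
REG_SRC_RE = re.compile(r"Get-ItemProperty\s+-Path\s+(HKCU:\\[^\s)]+)\)\.(\w+)")
KEY_RE = re.compile(r'GetBytes\("([^"]+)"\)')
IEX_RE = re.compile(r"\|\s*(?:iex|Invoke-Expression)\b", re.IGNORECASE)


def decode_encoded_command(cmdline):
    """Recover the script text from a -EncodedCommand (-e/-ec/-enc) launcher."""
    m = ENC_CMD_RE.search(cmdline)
    return base64.b64decode(m.group(1)).decode("utf-16-le") if m else None


def triage_stager(script):
    """Static triage, no execution: registry values read (in order), the key
    string, and whether the result is piped to iex (the step to neutralise)."""
    key = KEY_RE.search(script)
    return {
        "sources": REG_SRC_RE.findall(script),
        "key": key.group(1) if key else None,
        "executes": bool(IEX_RE.search(script)),
    }


def assemble_payload(hex_values, sources):
    """Concatenate the recovered values in script order and hex-decode, the same
    as $encrypted / HexToBin; decrypting the result is the script's encr step."""
    return bytes.fromhex("".join(hex_values[src] for src in sources))
```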

PWNED!!
