# Forensics - Puppeteer

To start we were given a large number of event log files (.evtx). To view these you can open them in Event Viewer on Windows. After looking through them for a bit I drifted toward the PowerShell logs, and that's when I found the first part in "...Powershell%40Operational".

![](https://2826773145-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F1uhiofTFnZvCKEvs4fJk%2Fuploads%2FsSw1jkeT1FaUoPXPHGGo%2Fpuppeteer1.PNG?alt=media\&token=13bbfcbc-2f83-4957-ab12-90d7ed946c76)

As you can see above, there is an obfuscated PowerShell script being created. This is most likely something malicious, so let's go look into it in PowerShell ISE.

![](https://2826773145-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F1uhiofTFnZvCKEvs4fJk%2Fuploads%2FnL8ojKZISt3tWg4GjKas%2Fpuppeteer2.PNG?alt=media\&token=fbb845d8-5218-4447-95e9-a953cc58f7eb)

After pasting in the script I made sure it wouldn't execute anything and added an echo statement to print out the variable $stage3. This printed out a bunch of numbers which I immediately knew were representing characters, so I plugged them into CyberChef and cha ching...

![](https://2826773145-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F1uhiofTFnZvCKEvs4fJk%2Fuploads%2FpapcRPJmGKtWNPKwQ5eU%2Fpuppeteer3.PNG?alt=media\&token=02392231-48be-471f-964e-52f5a46e55f7)
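The decode step above can also be done without ever loading the script into PowerShell ISE, by pulling the numeric array out of the script block text statically and mapping each number to its character (the same thing CyberChef's "From Charcode" operation does). The following Python is an added example and not part of the original writeup or the challenge; the script text, the variable name `$stage3` and the decoded string are constructed for illustration and are not the challenge's actual payload.

```python
import re

# Constructed sample of the kind of assignment an obfuscated script can carry:
# a variable holding an array of decimal character codes. This is NOT the
# challenge's own script, just a stand-in with the same shape.
SAMPLE_SCRIPT = (
    '$stage3 = @(99,111,110,115,116,114,117,99,116,101,100,32,'
    '115,97,109,112,108,101)\n'
    'Invoke-Expression $somethingElse\n'
)


def extract_char_codes(script_text: str, variable: str) -> list[int]:
    """Return the list of integers assigned to $<variable> in the script text.

    This is a purely textual extraction: nothing in the script is executed,
    which is the safe way to inspect a suspicious script block.
    """
    # Match "$name = 1,2,3", "$name = (1,2,3)" or "$name = @(1,2,3)" and
    # capture the run of digits, commas and whitespace that follows.
    pattern = re.compile(
        r"\$" + re.escape(variable) + r"\s*=\s*@?\(?\s*([\d\s,]+)"
    )
    match = pattern.search(script_text)
    if not match:
        raise ValueError(f"no numeric array assigned to ${variable}")
    return [int(token) for token in re.findall(r"\d+", match.group(1))]


def decode_char_codes(codes: list[int]) -> str:
    """Map each integer to its Unicode character, like CyberChef's From Charcode."""
    return "".join(chr(code) for code in codes)


def decode_variable(script_text: str, variable: str) -> str:
    """Convenience wrapper: extract the array for $<variable> and decode it."""
    return decode_char_codes(extract_char_codes(script_text, variable))


if __name__ == "__main__":
    print(decode_variable(SAMPLE_SCRIPT, "stage3"))
```

Extracting the array with a regex rather than running the script is the point of the example: the obfuscated block stays inert, and the decoded stage can be read (and searched for further encoded stages) without giving it a chance to run. If a later stage uses hex or a different separator, only the digit-matching regex needs adjusting.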

PWNED!!
