Forum Discussion

-jlo-'s avatar
-jlo-
Icon for Bronze II rankBronze II
9 months ago
Solved

FIN7 Threat Hunting with Splunk: Ep.3 – Execution Logs

For this lab I need to rebuild the PowerShell script using the three parts found in the PowerShell operational logs.  Which I am able to do fairly easily but when I am required to obtain the MD5 hash...
defensive cyber
  • RobN's avatar
    RobN
    9 months ago

    I think you have the artifacts right as you posted the same code I did. If you paste it into cyberchef and then look at the right hand side and click on crlf, try changing it to line feed (see screenshot) and then delete all the red marks that show up. This should give the correct hash (if you select md5 from the cyberchef recipe menu).

     

wayl0n's avatar
wayl0n
Icon for Bronze I rankBronze I
3 months ago

 

Hi everyone,

Hope this message finds you well.

The last question on this lab has me pulling my hair out.  I have found the relevant 3 script blocks in Splunk.  As an aside, I am wondering why we couldn't just provide the md5sum of the one that is already assembled.  

Anyhow,

I have tried various methods to "glue" these 3 files together: using cat on the command line like:

cat file1.txt file2.txt file3.txt > file4.txt

, in cyberchef, using text editors, etc all to no avail.

Furthermore, I am not getting:

Message=Creating Scriptblock text (1 of 1):

or

ScriptBlock ID: 329b2213-f10d-4c56-8547-43d8104b0acc

lines, just the relevant text in between.

I paste "file 2" right where "file 1" left off and not on a new line. 

But I can not get the file right.

The end of my file looks like:

+JyTgNj+xzHot87t+V3LZYs5FzmbNPPGvj/YFCbt8TPp4FP5k/2IBNXZfx++z7P4/txuVY/vfGL0mfwHtpjoXOwbh401hPQUac9yPrJqYDv1xN4lLQp8T+JH3oUbya3B3+Hf1CZtM/xxwQ2y29JJ49wFjjmvuY6vId+hTERZVkjID3rY8hnkn93GycfyO/iT3ychgrqXhWWAN1B8YGSb/6HLOh3Sz7rxv9+dxf+JgB+1IyLrrPT2SUz92p2RiD8/kwa5sh+HshjyE/+T+cu3rgE9+I/KPY62u+qTQuvp0Xqu3KPkEovj/867/++Z/+9A9/+oe/jFZbY7757V9/w1+96fpvf3NW78fTJCJRtPP/UfjrvxmT4/Lf//Y3Y3L+x79ML8f54V+6821wXP5VOFcEQfgn+FuDv/CnLnCY/za4HI7zzb9Yp+1xtZn/i7Y9zt93+8H8/WPlQ3Vj8n5YTiKAKe72lxToX4W/prj89aaVHEuOm/g+nxznwyX8mQFuRR38ja3//w==


'@

$Decoded = [System.Convert]::FromBase64String($EncodedCompressedFile)
$MemStream = New-Object System.IO.MemoryStream
$MemStream.Write($Decoded, 0, $Decoded.Length)
$MemStream.Seek(0,0) | Out-Null
$CompressedStream = New-Object System.IO.Compression.DeflateStream($MemStream, [System.IO.Compression.CompressionMode]::Decompress)
$StreamReader = New-Object System.IO.StreamReader($CompressedStream)
$Output = $StreamReader.readtoend()
$Output | IEX

Which I noticed didn't have the same ending lines in base64 others.

Not sure how people are getting the right hash from this.

Thank you