Forum Discussion
FIN7 Threat Hunting with Splunk: Ep.3 – Execution Logs
- 8 months ago
I think you have the artifacts right, as you posted the same code I did. If you paste it into CyberChef and then look at the right-hand side and click on CRLF, try changing it to line feed (see screenshot) and then delete all the red marks that show up. This should give the correct hash (if you select MD5 from the CyberChef recipe menu).
Hi everyone,
Hope this message finds you well.
The last question on this lab has me pulling my hair out. I have found the relevant 3 script blocks in Splunk. As an aside, I am wondering why we couldn't just provide the md5sum of the one that is already assembled.
Anyhow,
I have tried various methods to "glue" these 3 files together: using cat on the command line like:
cat file1.txt file2.txt file3.txt > file4.txt
, in CyberChef, using text editors, etc., all to no avail.
Furthermore, I am not getting:
Message=Creating Scriptblock text (1 of 1):
or
ScriptBlock ID: 329b2213-f10d-4c56-8547-43d8104b0acc
lines, just the relevant text in between.
I paste "file 2" right where "file 1" left off and not on a new line.
But I cannot get the file right.
The end of my file looks like:
'@
$Decoded = [System.Convert]::FromBase64String($EncodedCompressedFile)
$MemStream = New-Object System.IO.MemoryStream
$MemStream.Write($Decoded, 0, $Decoded.Length)
$MemStream.Seek(0,0) | Out-Null
$CompressedStream = New-Object System.IO.Compression.DeflateStream($MemStream, [System.IO.Compression.CompressionMode]::Decompress)
$StreamReader = New-Object System.IO.StreamReader($CompressedStream)
$Output = $StreamReader.readtoend()
$Output | IEX
which I noticed didn't have the same ending base64 lines as others'.
Not sure how people are getting the right hash from this.
Thank you
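The reassembly-and-hash procedure discussed in this thread (join the "(N of M)" script block fragments directly, with no newline between them, drop the carriage returns, then take the MD5), as an added Python example that is not part of the original post or the lab. It assumes the Event ID 4104 message layout is "Creating Scriptblock text (N of M):", the fragment text, a blank line, then "ScriptBlock ID: <guid>"; the events, the GUID and the script text are constructed samples, not real lab data.

```python
import hashlib
import re
from collections import defaultdict

# Assumed Event ID 4104 message layout (Microsoft-Windows-PowerShell/Operational):
#   Creating Scriptblock text (N of M):
#   <script text>
#
#   ScriptBlock ID: <guid>
#   Path: <path>
# Non-greedy so a fragment that ends in a newline keeps it, and so CRLF/LF
# both work in case the SIEM rewrote the line endings.
FRAGMENT_RE = re.compile(
    r"Creating Scriptblock text \((\d+) of (\d+)\):\r?\n"
    r"(.*?)\r?\n\r?\n"
    r"ScriptBlock ID: ([0-9a-fA-F-]{36})",
    re.DOTALL,
)

# Constructed sample events (not real lab data). One script block is split into
# three fragments; fragment 2 is listed first to show that the order comes from
# the "(N of M)" counter, not from the order the SIEM returns the events in.
# The split between fragments 1 and 2 falls mid-line, as PowerShell's does.
SAMPLE_GUID = "11111111-2222-3333-4444-555555555555"  # constructed ID
SAMPLE_EVENTS = [
    "Creating Scriptblock text (2 of 3):\r\nZ'\r\nWrite-Output 'mid'\r\n\r\n\r\n"
    f"ScriptBlock ID: {SAMPLE_GUID}\r\nPath: ",
    "Creating Scriptblock text (1 of 3):\r\n$x = 'ABC'\r\n$y = 'XY\r\n\r\n"
    f"ScriptBlock ID: {SAMPLE_GUID}\r\nPath: ",
    "Creating Scriptblock text (3 of 3):\r\n$out = $x + $y\r\n$out | Write-Output\r\n\r\n"
    f"ScriptBlock ID: {SAMPLE_GUID}\r\nPath: ",
]


def parse_fragment(message):
    """Return (scriptblock_id, index, total, text) for one 4104 message body."""
    m = FRAGMENT_RE.search(message)
    if not m:
        raise ValueError("message does not look like a 4104 script block event")
    index, total, text, sb_id = m.groups()
    return sb_id.lower(), int(index), int(total), text


def reassemble(messages):
    """Group fragments by ScriptBlock ID and join them in (N of M) order.

    Fragments are concatenated with no separator: PowerShell splits a long
    script block at a character boundary, which may fall in the middle of a
    line, so inserting a newline between fragments corrupts the script.
    """
    parts_by_id = defaultdict(dict)
    totals = {}
    for msg in messages:
        sb_id, index, total, text = parse_fragment(msg)
        parts_by_id[sb_id][index] = text
        totals[sb_id] = total
    result = {}
    for sb_id, parts in parts_by_id.items():
        missing = [i for i in range(1, totals[sb_id] + 1) if i not in parts]
        if missing:  # refuse to hash an incomplete block
            raise ValueError(f"{sb_id}: missing fragment(s) {missing}")
        result[sb_id] = "".join(parts[i] for i in range(1, totals[sb_id] + 1))
    return result


def normalize_newlines(text):
    """Turn CRLF (and any stray CR) into LF; this is what deleting the red
    carriage-return marks in CyberChef does by hand."""
    return text.replace("\r\n", "\n").replace("\r", "\n")


def md5_hex(text):
    """MD5 of the UTF-8 encoding of the script text."""
    return hashlib.md5(text.encode("utf-8")).hexdigest()


def hash_variants(text):
    """MD5 with the original line endings and with LF only. The two differ
    whenever a CRLF is present, which is why hashing the raw reassembled text
    gives a value the answer key does not expect."""
    return {"raw": md5_hex(text), "lf": md5_hex(normalize_newlines(text))}


if __name__ == "__main__":
    for sb_id, script in reassemble(SAMPLE_EVENTS).items():
        print(f"ScriptBlock {sb_id}: {len(script)} chars")
        print(hash_variants(script))
```

Feed it the raw Message field of each 4104 event exported from Splunk; the "raw" hash reproduces the mismatch described in the thread and the "lf" hash is the one to submit. The missing-fragment check matters because a search that returns only two of three fragments will otherwise hash silently to a wrong value.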