Forum Discussion
FIN7 Threat Hunting with Splunk: Ep.3 – Execution Logs
- 8 months ago
I think you have the artifacts right as you posted the same code I did. If you paste it into CyberChef and then look at the right-hand side and click on CRLF, try changing it to line feed (see screenshot) and then delete all the red marks that show up. This should give the correct hash (if you select MD5 from the CyberChef recipe menu).
Thanks Tilly for your response. I wish I could go into EVERY approach to my problem; I've tried hashing a file modified 100s of times by adding and removing spaces, trying to find the correct sequence.
From the lab, there are 3 separate parts/logs that need to be combined and created into a script. From there, one must find the MD5 hash of this file but leaving one character in/out will throw the sum/hash up.
Attached is a screenshot of my Splunk pull and the 3 message blocks I need to combine to recreate the script. I'm assuming all I need to combine is the 3x message fields and NOT the other Splunk fields. Anyways - not sure if my response was helpful.
I have the same issue with this. I pasted the details into CyberChef and ran MD5 from the left-hand column. I tried removing spaces manually to clean up the code and checked the hash afterwards, but this didn't work. The lab advises recreating the file by joining the parts to do an md5sum check, but Windows Defender flags it as a virus each time too.
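The line-ending effect discussed in this thread, as an added example that is not part of any post or of the lab: a Python sketch that joins three message fragments and computes the MD5 in memory under each combination of line ending, join style, trailing newline and encoding, so nothing is written to disk. The fragments below are constructed placeholders, the function names are hypothetical, and which combination the lab expects is not stated in the thread.

```python
import hashlib
from itertools import product

# Constructed stand-ins for the three Splunk "Message" fields (not the lab's data).
PARTS = [
    "$a = 'part one'\r\nWrite-Output $a\r\n",
    "$b = 'part two'\r\nWrite-Output $b\r\n",
    "$c = 'part three'\r\nWrite-Output $c",
]

EOLS = {"LF": "\n", "CRLF": "\r\n"}
JOINS = {"concat": "", "newline": "\n"}
ENCODINGS = ("utf-8", "utf-16-le")


def rebuild(parts, eol, joiner, final_eol):
    """Join the fragments and apply one line-ending convention throughout."""
    unified = [p.replace("\r\n", "\n").replace("\r", "\n") for p in parts]
    text = joiner.join(unified).rstrip("\n")
    if final_eol:
        text += "\n"
    return text.replace("\n", eol)


def md5_variants(parts):
    """Return {label: md5 hex} for every combination of the choices above."""
    out = {}
    for (eol_name, eol), (join_name, joiner), final_eol, enc in product(
        EOLS.items(), JOINS.items(), (False, True), ENCODINGS
    ):
        data = rebuild(parts, eol, joiner, final_eol).encode(enc)
        tail = "final-eol" if final_eol else "no-final-eol"
        out[f"{eol_name}/{join_name}/{tail}/{enc}"] = hashlib.md5(data).hexdigest()
    return out


def find_match(parts, expected_md5):
    """Name the variant whose digest equals a known-good MD5, or None."""
    wanted = expected_md5.strip().lower()
    for label, digest in md5_variants(parts).items():
        if digest == wanted:
            return label
    return None


if __name__ == "__main__":
    for label, digest in md5_variants(PARTS).items():
        print(f"{digest}  {label}")
```

With these placeholder fragments all 16 variants produce different digests, which is why a single stray carriage return or trailing newline changes the result.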