Forum Discussion
Bronze IIFIN7 Threat Hunting with Splunk: Ep.3 – Execution Logs
I think you have the artifacts right as you posted the same code I did. If you paste it into cyberchef and then look at the right hand side and click on crlf, try changing it to line feed (see screenshot) and then delete all the red marks that show up. This should give the correct hash (if you select md5 from the cyberchef recipe menu).
Silver II used cyber chef for this. Making sure I didn’t have any additional spaces in between. I then created the file using the output save to function. Then ran an MD5SUM against it.
Bronze IIThanks CyberSharpe for your response. I have been using cyberchef but unfortunately in the environment that I am in I cannot save an actual file from the website, but I am able to copy/paste in the tools provided. Either way, doing the joining natively on my box or using cyberchef (copy/paste) I am getting the same MD5 hash - which isn't working for the question.
A question if you have a moment, please. I'm not looking for the answer here, but in your script is your first AND last line, respectively, these (below)?
$EncodedCompressedFile = @'
$Output | IEX
- CyberSharpe
I believe you’re doing everything right, but you might be missing a newline after IEX. Give it a shot, and if it starts with ‘d12fd’, you’re on the right track!
RobNBronze III
I just left the script in as you displayed it but changed the crlf on the right hand side to line feed and removed all the red cr's from the text. This gave me the correct number of bytes and the hash beginning 250e4 which worked. I'd been presuming the space between the two @' & '@ and the base 64 was also meant to be removed hence the incorrect hash.
- RobN
Thank you btw!
