Forum Discussion
FIN7 Threat Hunting with Splunk: Ep.3 – Execution Logs
- 1 year ago
I think you have the artifacts right as you posted the same code I did. If you paste it into CyberChef and then look at the right-hand side and click on CRLF, try changing it to line feed (see screenshot) and then delete all the red marks that show up. This should give the correct hash (if you select MD5 from the CyberChef recipe menu).
Yeah - it still seems fine from my PoV. You just stick the bits of data in separate files - glue them together - and then edit it to remove the whitespace that has been added by gluing the files together...
The final size of the file you end up with is 26,471 bytes. You need to make sure you only get the bits that should be in the script - not any leading text, nor the trailing "Scriptblock" or "Path" trailing bits of text. You need to make sure you remove any trailing newlines left - the three scriptblock bits should NOT have trailing newlines (so the second one is an extension of the same long single line from the first file - not on a new line!).
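The reassembly steps described in the replies above, as an added Python example that is not part of any poster's message. It assumes each fragment is the message text of a PowerShell script block logging event in the layout noted in the comments and that the script is hashed as UTF-8; the sample fragments and the function names are constructed for illustration.

```python
import hashlib
import re

# Assumed message layout of each logged fragment (not shown in the thread):
#   Creating Scriptblock text (1 of 3):<CRLF><script text><CRLF><CRLF>
#   ScriptBlock ID: <guid><CRLF>Path: <path>
HEADER = re.compile(r"\ACreating Scriptblock text \((\d+) of (\d+)\):\r?\n")
TRAILER = re.compile(r"(?:\r?\n)*ScriptBlock ID:[^\r\n]*\r?\nPath:[^\r\n]*\s*\Z")

def extract_fragment(message):
    """Return (part, total, script_text) with the leading and trailing text removed."""
    head = HEADER.match(message)
    tail = TRAILER.search(message)
    if not head or not tail:
        raise ValueError("fragment is missing its header or ID/Path trailer")
    # The trailer pattern also swallows the newlines left before "ScriptBlock ID",
    # so no fragment keeps a trailing newline (as the thread requires).
    return int(head.group(1)), int(head.group(2)), message[head.end():tail.start()]

def reassemble(messages):
    """Order the fragments, join them with no separator, convert CRLF to LF, hash."""
    parts = sorted(extract_fragment(m) for m in messages)
    total = parts[0][1]
    if [p[0] for p in parts] != list(range(1, total + 1)):
        raise ValueError("fragments missing or duplicated")
    script = "".join(p[2] for p in parts).replace("\r\n", "\n")
    data = script.encode("utf-8")  # assumption: hash is taken over UTF-8 bytes
    return data, hashlib.md5(data).hexdigest()

# Constructed sample: one three-line script split mid-line across three events,
# supplied out of order to show that the part numbers drive the ordering.
_TAIL = "\r\n\r\nScriptBlock ID: 00000000-0000-0000-0000-000000000000\r\nPath: "
SAMPLE = [
    "Creating Scriptblock text (2 of 3):\r\nbb'\r\n$c" + _TAIL,
    "Creating Scriptblock text (3 of 3):\r\n = 'cc'" + _TAIL,
    "Creating Scriptblock text (1 of 3):\r\n$a = 'aa'\r\n$b = '" + _TAIL,
]

if __name__ == "__main__":
    data, digest = reassemble(SAMPLE)
    print(len(data), "bytes, MD5", digest)
```

For the exercise in the thread, the reassembled length is the first thing to check against the 26,471 bytes quoted above before comparing the hash.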