Forum Discussion
Bronze IIFIN7 Threat Hunting with Splunk: Ep.3 – Execution Logs
I think you have the artifacts right as you posted the same code I did. If you paste it into cyberchef and then look at the right hand side and click on crlf, try changing it to line feed (see screenshot) and then delete all the red marks that show up. This should give the correct hash (if you select md5 from the cyberchef recipe menu).
Bronze IIIYeah - it still seems fine from my PoV. You just stick the bits of data in separate files - glue them together - and then edit it to remove the whitespace that has been added by gluing the files together...
Bronze IIIThe final size of the file you end up with is 26,471 bytes. You need to make sure you only get the bits that should be in the script - not any leading text, nor the trailing "Scriptblock" or "Path" trailing bits of text. You need to make sure you remove any trailing newlines left - the three scriptblock bits should NOT have trailing newlines (so the second one is an extension of the same long single line from the first file - not on a new line!).
- autom8on
So, for example, the actual bit you need to get from part 3 is only the text I've highlighted here - not anything before/after it...
... and, obviously, that needs to join up with the end of the "$Output = $StreamRead" line from the end of part 2 - no newline...
- -jlo-
Copy - ok, we are in a Windows environment, but I like how you joined the files. Let me muck with this a bit more. I think you are right, I most likely have trailing lines or text hanging around.
- autom8on
Heh - as a [very] old ex Unix sys admin - I'm very grateful to have the Windows Subsystem for Linux installed on all my Windoze boxes these days (no need for CygWin any more! ;-p) - saves me having to fire up my Linux or Mac desktop machines I have when I need to do some proper command line messing about (sadly I no longer have any of my old Solaris machines :-( ). I did try to first copy them together using a Windows command prompt, but couldn't remember the correct syntax. ;-p As an aside, "Shift-J" then "x" will join the following line to the current line in vi and remove the space that has been added - so even though the first couple of file contents are horrendously long, you can very quickly join them up and remove the space without having to deal with graphical editors... :-)
