Forum Discussion

-jlo-'s avatar
-jlo-
Icon for Bronze II rankBronze II
8 months ago
Solved

FIN7 Threat Hunting with Splunk: Ep.3 – Execution Logs

For this lab I need to rebuild the PowerShell script using the three parts found in the PowerShell operational logs.  Which I am able to do fairly easily but when I am required to obtain the MD5 hash...
defensive cyber
  • RobN's avatar
    RobN
    8 months ago

    I think you have the artifacts right as you posted the same code I did. If you paste it into cyberchef and then look at the right hand side and click on crlf, try changing it to line feed (see screenshot) and then delete all the red marks that show up. This should give the correct hash (if you select md5 from the cyberchef recipe menu).

     

autom8on's avatar
autom8on
Icon for Bronze III rankBronze III
8 months ago

I suspect the lab hasn't changed a great deal since I last did it in 2021. Sadly, my notes aren't amazing for the final question - but I've just checked, and the answer I've got in my notes is still correct ("d12... ...dbc"). The sum total of my notes for that question were "Search for stager.ps1 AND scriptblock to find the bits. Then cut and paste them into a single file."

I'll try and find time to go back and recreate it again, and see if I get the same answer... 

Random thought - there couldn't be some weird DOS/Unix formatting weirdness going on if you're mixing OSes, could there? 

-jlo-'s avatar
-jlo-
Icon for Bronze II rankBronze II
8 months ago

Thanks autom8on for the response.  Appreciate you providing a bit of the MD5, I'll keep plugging away until I find the right hash.  ;)  

At this point, I'm wondering if I am even looking at the right artifacts in SPLUNK but no matter what I am looking at, I'm left with 3x SPLUNK events that have broken up one of the stager.ps1 files.  Clearly in the message block of the SPLUNK events I get 1/3, 2/3, and 3/3.  Just combine the script characters, save them as a .txt file (or .ps1) and get the MD5 hash.   

*** weird, I attempted to post this about 2 hours ago but m instance in "community.immersivelabs.com" disappeared .... refreshing my browser I now see my post.  

  • autom8on's avatar
    autom8on
    Icon for Bronze III rankBronze III
    8 months ago

    Yeah - there seem to be some slightly weird timings going on with the frequency with which responses have been appearing on this page. Since I first looked, responses are now visible which seem to predate when I was looking here initially (so I'm not sure why I didn't see them before?). 

    You can't be far away from the right answer - good luck! :-) 

  • RobN's avatar
    RobN
    Icon for Bronze III rankBronze III
    8 months ago

    I think you have the artifacts right as you posted the same code I did. If you paste it into cyberchef and then look at the right hand side and click on crlf, try changing it to line feed (see screenshot) and then delete all the red marks that show up. This should give the correct hash (if you select md5 from the cyberchef recipe menu).

     

    • -jlo-'s avatar
      -jlo-
      Icon for Bronze II rankBronze II
      8 months ago

      OH ..... MY ....... GAHHHHHHH!  lol .... she worked for me.  Hats off to you and autom8on!!

      • RobN's avatar
        RobN
        Icon for Bronze III rankBronze III
        8 months ago

        Glad it worked, it had been annoying me for a couple of days too!