Forum Discussion
FIN7 Threat Hunting with Splunk: Ep.3 – Execution Logs
I suspect the lab hasn't changed a great deal since I last did it in 2021. Sadly, my notes aren't amazing for the final question - but I've just checked, and the answer I've got in my notes is still correct ("d12... ...dbc"). The sum total of my notes for that question were "Search for stager.ps1 AND scriptblock to find the bits. Then cut and paste them into a single file."
I'll try and find time to go back and recreate it again, and see if I get the same answer...
Random thought - there couldn't be some weird DOS/Unix formatting weirdness going on if you're mixing OSes, could there?
Thanks autom8on for the response. Appreciate you providing a bit of the MD5, I'll keep plugging away until I find the right hash. ;)
At this point, I'm wondering if I am even looking at the right artifacts in Splunk but no matter what I am looking at, I'm left with 3x Splunk events that have broken up one of the stager.ps1 files. Clearly in the message block of the Splunk events I get 1/3, 2/3, and 3/3. Just combine the script characters, save them as a .txt file (or .ps1) and get the MD5 hash.
*** weird, I attempted to post this about 2 hours ago but my instance in "community.immersivelabs.com" disappeared... refreshing my browser I now see my post.
- autom8on (Bronze III), 8 months ago
Yeah - there seem to be some slightly weird timings going on with the frequency with which responses have been appearing on this page. Since I first looked, responses are now visible which seem to predate when I was looking here initially (so I'm not sure why I didn't see them before?).
You can't be far away from the right answer - good luck! :-)
- RobN (Bronze III), 8 months ago
I think you have the artifacts right as you posted the same code I did. If you paste it into cyberchef and then look at the right hand side and click on crlf, try changing it to line feed (see screenshot) and then delete all the red marks that show up. This should give the correct hash (if you select md5 from the cyberchef recipe menu).
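The two things this thread keeps circling back to are (a) putting the "(n of 3)" ScriptBlock fragments back together in the right order and (b) the CRLF/LF line-ending difference that changes the MD5. The script below is an added example, not code from the lab, Immersive Labs or any poster: it builds three constructed Windows PowerShell event 4104 messages (the "Creating Scriptblock text (n of m):" header and "ScriptBlock ID:" trailer follow the real event layout; the script body, GUID and path are invented placeholders), reassembles them by ScriptBlock ID regardless of the order Splunk returned them, refuses to hash if a fragment is missing, and then prints the MD5 of the reconstructed text both with the original CRLF line endings and after normalising to LF, so you can see why a hash computed on a Windows-saved file differs from one computed on an LF version. It assumes the fragments are raw substrings of the script (so they are joined with no separator), which is how 4104 splits long script blocks.

```python
"""Reassemble a PowerShell script block that event 4104 split into
"(n of m)" fragments, then MD5 it with CRLF and with LF line endings."""
import hashlib
import re
from collections import defaultdict

# Constructed placeholder values (not from the lab).
SCRIPT_ID = "00000000-0000-4000-8000-000000000001"
SCRIPT_PATH = "C:\\Users\\Public\\stager.ps1"
SCRIPT_CRLF = (
    "$procs = Get-Process | Where-Object { $_.WorkingSet -gt 100MB }\r\n"
    "$procs | Select-Object Name, Id | Export-Csv C:\\Users\\Public\\procs.csv\r\n"
    "Write-Output 'done'\r\n"
)


def _make_event(index, total, body):
    """Build one 4104-style Message field. Header/trailer layout follows the
    real event format; the content is constructed sample data."""
    return {
        "Message": (
            f"Creating Scriptblock text ({index} of {total}):\r\n\r\n"
            f"{body}\r\n\r\n"
            f"ScriptBlock ID: {SCRIPT_ID}\r\nPath: {SCRIPT_PATH}"
        )
    }


# Cut the script into three raw substrings, as 4104 does for long blocks.
_n = len(SCRIPT_CRLF)
_chunks = [SCRIPT_CRLF[:_n // 3], SCRIPT_CRLF[_n // 3:2 * _n // 3], SCRIPT_CRLF[2 * _n // 3:]]
# Splunk does not promise ordering, so the sample is deliberately shuffled.
SAMPLE_EVENTS = [
    _make_event(2, 3, _chunks[1]),
    _make_event(3, 3, _chunks[2]),
    _make_event(1, 3, _chunks[0]),
]

_HEADER = re.compile(r"Creating Scriptblock text \((\d+) of (\d+)\):\r?\n\r?\n")
_TRAILER = re.compile(r"\r?\n\r?\nScriptBlock ID: ([0-9A-Fa-f-]{36})")


def parse_fragment(message):
    """Return (script_id, index, total, text) for one 4104 Message string."""
    head = _HEADER.match(message)
    tail = _TRAILER.search(message)
    if not head or not tail:
        raise ValueError("not a 'Creating Scriptblock text' message")
    index, total = int(head.group(1)), int(head.group(2))
    return tail.group(1), index, total, message[head.end():tail.start()]


def reassemble(events):
    """Group fragments by ScriptBlock ID, order them and concatenate them.
    A missing piece raises instead of silently producing a wrong hash."""
    by_id = defaultdict(dict)
    totals = {}
    for ev in events:
        sid, idx, total, text = parse_fragment(ev["Message"])
        by_id[sid][idx] = text
        totals[sid] = total
    scripts = {}
    for sid, parts in by_id.items():
        missing = [i for i in range(1, totals[sid] + 1) if i not in parts]
        if missing:
            raise ValueError(f"{sid}: missing fragment(s) {missing}")
        scripts[sid] = "".join(parts[i] for i in range(1, totals[sid] + 1))
    return scripts


def to_lf(text):
    """Normalise Windows CRLF line endings to Unix LF."""
    return text.replace("\r\n", "\n")


def md5_hex(data):
    """MD5 of a byte string as lowercase hex (MD5 is used here only as a
    file identifier to match against the lab answer)."""
    return hashlib.md5(data).hexdigest()


def hashes_for(events):
    """MD5 of each reassembled script with CRLF kept and with LF endings."""
    out = {}
    for sid, script in reassemble(events).items():
        out[sid] = {
            "crlf": md5_hex(script.encode("utf-8")),
            "lf": md5_hex(to_lf(script).encode("utf-8")),
        }
    return out


if __name__ == "__main__":
    for sid, h in hashes_for(SAMPLE_EVENTS).items():
        print(f"{sid}\n  CRLF md5: {h['crlf']}\n  LF   md5: {h['lf']}")
```

To use it against real Splunk output, export the 4104 events' Message field (one per event) into the list in place of SAMPLE_EVENTS. If the "lf" hash matches the expected answer but "crlf" does not, the stray carriage returns were the problem, which is what the CyberChef CRLF-to-LF step in the post above removes.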