Forum Discussion
FIN7 Threat Hunting with Splunk: Ep.3 – Execution Logs
- 8 months ago
I think you have the artifacts right as you posted the same code I did. If you paste it into cyberchef and then look at the right hand side and click on crlf, try changing it to line feed (see screenshot) and then delete all the red marks that show up. This should give the correct hash (if you select md5 from the cyberchef recipe menu).
Thanks autom8on for the response. Appreciate you providing a bit of the MD5, I'll keep plugging away until I find the right hash. ;)
At this point, I'm wondering if I am even looking at the right artifacts in SPLUNK but no matter what I am looking at, I'm left with 3x SPLUNK events that have broken up one of the stager.ps1 files. Clearly in the message block of the SPLUNK events I get 1/3, 2/3, and 3/3. Just combine the script characters, save them as a .txt file (or .ps1) and get the MD5 hash.
*** weird, I attempted to post this about 2 hours ago but my instance in "community.immersivelabs.com" disappeared ... refreshing my browser I now see my post.
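The procedure the thread describes (pull the 1/3, 2/3, 3/3 fragments out of the Splunk events, join them in order, normalize the line endings, then hash) is easy to get wrong by hand, so here is an added Python example that does it programmatically. This is not code from the lab or from any poster; the events, the "n/m" marker format, and the placeholder PowerShell fragments are all constructed for illustration, and it shows why a CRLF copy and an LF copy of the same script hash differently.

```python
import hashlib
import re

# Constructed sample events (not real Splunk data). Each "message" field starts
# with an "n/m" part marker followed by one fragment of a script. Fragments
# are deliberately out of order and carry CRLF line endings, which is what
# copy/paste out of a web UI often produces.
SAMPLE_EVENTS = [
    {"_time": "2023-01-01T10:00:02", "message": "2/3 $b = Get-Date\r\n"},
    {"_time": "2023-01-01T10:00:01", "message": "1/3 $a = 'placeholder'\r\n"},
    {"_time": "2023-01-01T10:00:03", "message": "3/3 Write-Host $a $b\r\n"},
]

# "1/3 ..." -> index 1, total 3, remainder of the message is the fragment.
PART_RE = re.compile(r"^\s*(\d+)/(\d+)\s?(.*)$", re.S)


def split_parts(events):
    """Return {part_index: (total_parts, fragment)} from each event's marker."""
    parts = {}
    for ev in events:
        m = PART_RE.match(ev["message"])
        if not m:
            continue  # not a fragment event; ignore it
        idx, total, frag = int(m.group(1)), int(m.group(2)), m.group(3)
        parts[idx] = (total, frag)
    return parts


def reassemble(events):
    """Join fragments in marker order, refusing to hash an incomplete script."""
    parts = split_parts(events)
    if not parts:
        raise ValueError("no part markers found")
    total = next(iter(parts.values()))[0]
    missing = [i for i in range(1, total + 1) if i not in parts]
    if missing:
        raise ValueError(f"missing parts: {missing}")
    return "".join(parts[i][1] for i in range(1, total + 1))


def normalize_line_endings(text):
    """CRLF (and lone CR) -> LF, the same change as CyberChef's EOL switch."""
    return text.replace("\r\n", "\n").replace("\r", "\n")


def md5_hex(text):
    return hashlib.md5(text.encode("utf-8")).hexdigest()


def hash_both_ways(events):
    """MD5 of the script as pasted (CRLF) and after normalizing to LF."""
    raw = reassemble(events)
    return {"crlf": md5_hex(raw), "lf": md5_hex(normalize_line_endings(raw))}


if __name__ == "__main__":
    for eol, digest in hash_both_ways(SAMPLE_EVENTS).items():
        print(f"{eol}: {digest}")
```

The two digests differ, which is exactly the mismatch the thread ran into: the script content is the same, only the invisible `\r` bytes changed. When an answer key gives a hash, check which line ending the original artifact used before concluding the reconstruction is wrong.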