Forum Discussion
FIN7 Threat Hunting with Splunk: Ep.3 – Execution Logs
- 9 months ago
I think you have the artifacts right, as you posted the same code I did. If you paste it into CyberChef and then look at the right-hand side and click on CRLF, try changing it to line feed (see screenshot) and then delete all the red marks that show up. This should give the correct hash (if you select MD5 from the CyberChef recipe menu).
So, for example, the actual bit you need to get from part 3 is only the text I've highlighted here - not anything before/after it...
... and, obviously, that needs to join up with the end of the "$Output = $StreamRead" line from the end of part 2 - no newline...
Copy - ok, we are in a Windows environment, but I like how you joined the files. Let me muck with this a bit more. I think you are right, I most likely have trailing lines or text hanging around.
- autom8on - 9 months ago
Bronze III
Heh - as a [very] old ex-Unix sysadmin, I'm very grateful to have the Windows Subsystem for Linux installed on all my Windoze boxes these days (no need for Cygwin any more! ;-p). It saves me having to fire up the Linux or Mac desktop machines I have when I need to do some proper command-line messing about (sadly I no longer have any of my old Solaris machines :-( ). I did try to first copy them together using a Windows command prompt, but couldn't remember the correct syntax. ;-p As an aside, "Shift-J" then "x" will join the following line to the current line in vi and remove the space that has been added - so even though the first couple of file contents are horrendously long, you can very quickly join them up and remove the space without having to deal with graphical editors... :-)
- RobN - 9 months ago
Bronze III
I was going to try this, but had read that WSL isn't sandboxed and presumed that Defender would still class it as a virus.
- autom8on - 9 months ago
Bronze III
Defender is definitely running on my end, but there were no warnings or alerts that I was aware of (and I've not had the SOC phone me up to complain ;-p). YMMV. ;-)