Forum Discussion

-jlo- (Bronze II)
28 days ago

FIN7 Threat Hunting with Splunk: Ep.3 – Execution Logs

For this lab I need to rebuild the PowerShell script using the three parts found in the PowerShell operational logs. Which I am able to do fairly easily, but when I am required to obtain the MD5 hash of the file I am not getting the correct hash. I've removed any trailing white spaces and return characters. No matter the setup, I just can't seem to find the special sauce on this one. I've tried numerous approaches and still get a no go. Any tips?


  • I think you have the artifacts right as you posted the same code I did. If you paste it into cyberchef and then look at the right hand side and click on crlf, try changing it to line feed (see screenshot) and then delete all the red marks that show up. This should give the correct hash (if you select md5 from the cyberchef recipe menu).


  • I used CyberChef for this, making sure I didn't have any additional spaces in between. I then created the file using the output save-to function. Then ran an MD5SUM against it.

    • -jlo- (Bronze II)

      Thanks CyberSharpe for your response. I have been using CyberChef, but unfortunately in the environment that I am in I cannot save an actual file from the website, although I am able to copy/paste in the tools provided. Either way, doing the joining natively on my box or using CyberChef (copy/paste) I am getting the same MD5 hash, which isn't working for the question.

      A question if you have a moment, please. I'm not looking for the answer here, but in your script are your first AND last lines, respectively, these (below)?

      $EncodedCompressedFile = @'
      $Output | IEX

      • CyberSharpe (Bronze III)

        I believe you’re doing everything right, but you might be missing a newline after IEX. Give it a shot, and if it starts with ‘d12fd’, you’re on the right track!

  • I suspect the lab hasn't changed a great deal since I last did it in 2021. Sadly, my notes aren't amazing for the final question - but I've just checked, and the answer I've got in my notes is still correct ("d12... ...dbc"). The sum total of my notes for that question were "Search for stager.ps1 AND scriptblock to find the bits. Then cut and paste them into a single file."

    I'll try and find time to go back and recreate it again, and see if I get the same answer... 

    Random thought - there couldn't be some weird DOS/Unix formatting weirdness going on if you're mixing OSes, could there? 

    • autom8on (Bronze III)

      Yeah - it still seems fine from my PoV. You just stick the bits of data in separate files - glue them together - and then edit it to remove the whitespace that has been added by gluing the files together...

      • autom8on (Bronze III)

        The final size of the file you end up with is 26,471 bytes. You need to make sure you only get the bits that should be in the script - not any leading text, nor the trailing "Scriptblock" or "Path" bits of text. You need to make sure you remove any trailing newlines left - the three scriptblock bits should NOT have trailing newlines (so the second one is an extension of the same long single line from the first file - not on a new line!).
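        The two rules in this thread (no newline at the fragment boundaries, possibly one newline after the final line) are easy to get wrong by hand, and CRLF versus LF changes the hash again. The script below is an added example written for this thread, not code from the lab or from any poster: it takes constructed stand-in fragments (not the lab's real script block text), joins them with the boundary newlines stripped, and prints the MD5 for each line-ending and final-newline combination so you can compare against a known-good hash and byte count instead of editing the file dozens of times.

```python
import hashlib

# Constructed stand-ins for the three ScriptBlockText pieces ("1/3", "2/3",
# "3/3") as a log export might emit them. The CRLF on the end of the second
# and third pieces is the kind of thing the export adds; the first and third
# lines mimic the shape of the script quoted in this thread. Not the lab's
# real fragments.
SAMPLE_FRAGMENTS = [
    "$EncodedCompressedFile = @'\r\nAAAABBBB",
    "CCCCDDDD\r\n",
    "EEEEFFFF\r\n'@\r\n$Output | IEX\r\n",
]


def join_fragments(fragments, final_newline=True, newline="\n"):
    """Reassemble script block fragments the way the logs split them.

    Each fragment is a raw slice of the original text, so a fragment boundary
    carries no newline of its own: any CR/LF the export appended is stripped
    and the pieces are concatenated directly (the second piece continues the
    long line started by the first). Line endings inside the text are then
    normalised to `newline`, and one `newline` is appended when
    `final_newline` is set (the "newline after IEX" case).
    """
    body = "".join(frag.rstrip("\r\n") for frag in fragments)
    body = body.replace("\r\n", "\n").replace("\r", "\n")
    if newline != "\n":
        body = body.replace("\n", newline)
    if final_newline:
        body += newline
    return body


def md5_hex(text):
    """MD5 of the UTF-8 bytes, as md5sum would report for the saved file."""
    return hashlib.md5(text.encode("utf-8")).hexdigest()


def candidate_hashes(fragments):
    """MD5 and byte length for every line-ending / final-newline variant."""
    results = {}
    for nl_name, nl in (("LF", "\n"), ("CRLF", "\r\n")):
        for final in (False, True):
            text = join_fragments(fragments, final_newline=final, newline=nl)
            key = f"{nl_name}, final newline={'yes' if final else 'no'}"
            results[key] = (md5_hex(text), len(text.encode("utf-8")))
    return results


if __name__ == "__main__":
    # Compare the printed hash and size against the expected values; the
    # variant that matches tells you which cleanup rule you were missing.
    for variant, (digest, size) in candidate_hashes(SAMPLE_FRAGMENTS).items():
        print(f"{variant:28s} {digest}  {size} bytes")
```

        Swap the real fragments in for SAMPLE_FRAGMENTS (each one with any leading log text and the trailing "Scriptblock"/"Path" fields already cut off) and look for the row whose byte count matches the size quoted above; its hash is the one to submit.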

    • -jlo- (Bronze II)

      Thanks autom8on for the response. Appreciate you providing a bit of the MD5; I'll keep plugging away until I find the right hash. ;)

      At this point, I'm wondering if I am even looking at the right artifacts in SPLUNK, but no matter what I am looking at, I'm left with 3x SPLUNK events that have broken up one of the stager.ps1 files. Clearly in the message block of the SPLUNK events I get 1/3, 2/3, and 3/3. Just combine the script characters, save them as a .txt file (or .ps1) and get the MD5 hash.

      *** weird, I attempted to post this about 2 hours ago but my instance in "community.immersivelabs.com" disappeared... refreshing my browser I now see my post.

      • autom8on (Bronze III)

        Yeah - there seem to be some slightly weird timings going on with the frequency with which responses have been appearing on this page. Since I first looked, responses are now visible which seem to predate when I was looking here initially (so I'm not sure why I didn't see them before?). 

        You can't be far away from the right answer - good luck! :-) 

  • Hats off to RobN and autom8on; they both led me to where I needed to go to get the right answer. I wish I could select both their responses as a "solution", as they both helped.

    • KieranRowley (Community Manager)

      Interesting... I think it was our intention that you would be able to mark multiple replies as solutions. Let me check our settings 🤔

  • Oops - I left CyberSharpe out, my sincere apologies. I wish I could give a "solution" to CyberSharpe as well. Thank you.

  • TillyCorless (Community Manager)

    Hi -jlo-, welcome to The Human Connection! Thanks for sharing one of the approaches you've taken by removing white spaces and return characters. I will speak with the lab author and come back to you, but in the meantime, can you share some other approaches you've tried which haven't worked so far?

    • -jlo- (Bronze II)

      Thanks Tilly for your response. I wish I could go into EVERY approach to my problem; I've tried hashing a file modified 100s of times by adding and removing spaces in trying to find the correct sequence.

      From the lab, there are 3 separate parts/logs that need to be combined and created into a script. From there, one must find the MD5 hash of this file, but leaving one character in/out will throw the sum/hash off.

      Attached is a screenshot of my SPLUNK pull and the 3 message blocks I need to combine to recreate the script. I'm assuming all I need to combine is the 3x message fields and NOT the other SPLUNK fields. Anyways - not sure if my response was helpful.


      • RobN (Bronze II)

        I have the same issue with this. I pasted the details into CyberChef and ran MD5 from the left-hand column. I tried removing spaces manually to clean up the code and checked the hash afterwards, but this didn't work. The lab advises recreating the file by joining the parts to do an md5sum check, but Windows Defender flags it as a virus each time too.