For this lab I need to rebuild the PowerShell script using the three parts found in the PowerShell operational logs. Which I am able to do fairly easily but when I am required to obtain the MD5 hash of the file I am not getting the correct hash. I've removed any trailing white spaces and return characters. Not matter the setup, I just can't seem to find the special sauce on this one. I've tried numerous approaches and still get a no go. Any tips?

I think you have the artifacts right as you posted the same code I did. If you paste it into cyberchef and then look at the right hand side and click on crlf, try changing it to line feed (see screenshot) and then delete all the red marks that show up. This should give the correct hash (if you select md5 from the cyberchef recipe menu).

FIN7 Threat Hunting with Splunk: Ep.3 – Execution Logs

28 Replies

CyberSharpe
Bronze III
7 months ago
I used cyber chef for this. Making sure I didn’t have any additional spaces in between. I then created the file using the output save to function. Then ran an MD5SUM against it.
- -jlo-
  Bronze II
  7 months ago
  Thanks CyberSharpe for your response. I have been using cyberchef but unfortunately in the environment that I am in I cannot save an actual file from the website, but I am able to copy/paste in the tools provided. Either way, doing the joining natively on my box or using cyberchef (copy/paste) I am getting the same MD5 hash - which isn't working for the question.
  A question if you have a moment, please. I'm not looking for the answer here, but in your script is your first AND last line, respectively, these (below)?
  $EncodedCompressedFile = @'
  $Output | IEX
  - CyberSharpe
    Bronze III
    7 months ago
    I believe you’re doing everything right, but you might be missing a newline after IEX. Give it a shot, and if it starts with ‘d12fd’, you’re on the right track!
autom8on
Bronze III
7 months ago
I suspect the lab hasn't changed a great deal since I last did it in 2021. Sadly, my notes aren't amazing for the final question - but I've just checked, and the answer I've got in my notes is still correct ("d12... ...dbc"). The sum total of my notes for that question were "Search for stager.ps1 AND scriptblock to find the bits. Then cut and paste them into a single file."
I'll try and find time to go back and recreate it again, and see if I get the same answer...
Random thought - there couldn't be some weird DOS/Unix formatting weirdness going on if you're mixing OSes, could there?
- autom8on
  Bronze III
  7 months ago
  Yeah - it still seems fine from my PoV. You just stick the bits of data in separate files - glue them together - and then edit it to remove the whitespace that has been added by gluing the files together...
  - autom8on
    Bronze III
    7 months ago
    The final size of the file you end up with is 26,471 bytes. You need to make sure you only get the bits that should be in the script - not any leading text, nor the trailing "Scriptblock" or "Path" trailing bits of text. You need to make sure you remove any trailing newlines left - the three scriptblock bits should NOT have trailing newlines (so the second one is an extension of the same long single line from the first file - not on a new line!).
- -jlo-
  Bronze II
  7 months ago
  Thanks autom8on for the response. Appreciate you providing a bit of the MD5, I'll keep plugging away until I find the right hash. ;)
  At this point, I'm wondering if I am even looking at the right artifacts in SPLUNK but no matter what I am looking at, I'm left with 3x SPLUNK events that have broken up one of the stager.ps1 files. Clearly in the message block of the SPLUNK events I get 1/3, 2/3, and 3/3. Just combine the script characters, save them as a .txt file (or .ps1) and get the MD5 hash.
  *** weird, I attempted to post this about 2 hours ago but m instance in "community.immersivelabs.com" disappeared .... refreshing my browser I now see my post.
  - autom8on
    Bronze III
    7 months ago
    Yeah - there seem to be some slightly weird timings going on with the frequency with which responses have been appearing on this page. Since I first looked, responses are now visible which seem to predate when I was looking here initially (so I'm not sure why I didn't see them before?).
    You can't be far away from the right answer - good luck! :-)
-jlo-
Bronze II
7 months ago
Hats off to RobN and autom8on; they both led me to where I needed to go to get the right answer. I wish I could select both their responses as a "solution" as they both helped.
- KieranRowley
  Community Manager
  7 months ago
  Interesting... I think it was our intention that you would be able to mark multiple replies as solutions. Let me check our settings 🤔
-jlo-
Bronze II
7 months ago
Oops - I left CyberSharpe out, my sincere apologies. I wish I could give a "solution" to CyberSharpe as well. Thank you.
TillyCorless
Community Manager
7 months ago
Hi -jlo- welcome to The Human Connection! Thanks for sharing one of the approaches you've taken by removing white spaces and return characters. I will speak with the lab author and come back to you, but in the meantime, can you share some other approaches you've tried and which haven't worked so far?
- -jlo-
  Bronze II
  7 months ago
  Thanks Tilly for your response. I wish I could go into EVERY approach to my problem, I've tried hashing a file modified 100s of times by adding, removing spaces in trying to find the correct sequence.
  From the lab, there are 3 separate parts/logs that need to be combined and created into a script. From there, one must find the MD5 hash of this file but leaving one character in/out will throw the sum/hash up.
  Attached is a screenshot of my SPLUNK pull and the 3 message blocks I need to combine to recreate the script. I'm assuming all I need to combine is the 3x message fields and NOT the other SPLUNK fields. Anyways - not sure if my response was helpful.
  - RobN
    Bronze III
    7 months ago
    I have the same issue with this. I pasted the details into cyberchef and ran md5 from the left hand column. I tried removing spaces manually to clean up the code and and checked the hash afterwards but this didn't work. The lab advises recreating the file by joining the parts to do a md5sum check but windows defender flags it as a virus each time too.
wayl0n
Bronze I
14 days ago

Hi everyone,
Hope this message finds you well.
The last question on this lab has me pulling my hair out. I have found the relevant 3 script blocks in Splunk. As an aside, I am wondering why we couldn't just provide the md5sum of the one that is already assembled.
Anyhow,
I have tried various methods to "glue" these 3 files together: using cat on the command line like:
cat file1.txt file2.txt file3.txt > file4.txt
, in cyberchef, using text editors, etc all to no avail.
Furthermore, I am not getting:
Message=Creating Scriptblock text (1 of 1):
or
ScriptBlock ID: 329b2213-f10d-4c56-8547-43d8104b0acc
lines, just the relevant text in between.
I paste "file 2" right where "file 1" left off and not on a new line.
But I can not get the file right.
The end of my file looks like:
+JyTgNj+xzHot87t+V3LZYs5FzmbNPPGvj/YFCbt8TPp4FP5k/2IBNXZfx++z7P4/txuVY/vfGL0mfwHtpjoXOwbh401hPQUac9yPrJqYDv1xN4lLQp8T+JH3oUbya3B3+Hf1CZtM/xxwQ2y29JJ49wFjjmvuY6vId+hTERZVkjID3rY8hnkn93GycfyO/iT3ychgrqXhWWAN1B8YGSb/6HLOh3Sz7rxv9+dxf+JgB+1IyLrrPT2SUz92p2RiD8/kwa5sh+HshjyE/+T+cu3rgE9+I/KPY62u+qTQuvp0Xqu3KPkEovj/867/++Z/+9A9/+oe/jFZbY7757V9/w1+96fpvf3NW78fTJCJRtPP/UfjrvxmT4/Lf//Y3Y3L+x79ML8f54V+6821wXP5VOFcEQfgn+FuDv/CnLnCY/za4HI7zzb9Yp+1xtZn/i7Y9zt93+8H8/WPlQ3Vj8n5YTiKAKe72lxToX4W/prj89aaVHEuOm/g+nxznwyX8mQFuRR38ja3//w==

'@
$Decoded = [System.Convert]::FromBase64String($EncodedCompressedFile)
$MemStream = New-Object System.IO.MemoryStream
$MemStream.Write($Decoded, 0, $Decoded.Length)
$MemStream.Seek(0,0) | Out-Null
$CompressedStream = New-Object System.IO.Compression.DeflateStream($MemStream, [System.IO.Compression.CompressionMode]::Decompress)
$StreamReader = New-Object System.IO.StreamReader($CompressedStream)
$Output = $StreamReader.readtoend()
$Output | IEX
Which I noticed didn't have the same ending lines in base64 others.
Not sure how people are getting the right hash from this.
Thank you