Detecting file changes on Microsoft systems with FCIV
Microsoft often releases interesting tools to help system administrators and incident handlers investigate suspicious activities on Windows systems. In 2012, they released a free tool called FCIV (“File Checksum Integrity Verifier”)(1). It is a stand-alone executable which does not require any DLL or other resources: just launch it from any location. Its goal is to browse a file system or some directories recursively and to generate MD5/SHA1 hashes of all the files found. The results are saved in an XML database. FCIV is used in proactive and reactive ways: the first step is to build a database of hashes on a clean computer (proactive), then the generated database is re-used to verify a potentially compromised system (reactive).
Most big organizations work today with system images. The idea is to scan an unused clean system (but one which will of course receive patches and software updates through a system like WSUS) and to generate a baseline of hashes. Example:
This command will search recursively for the specified file types on the C: drive and store both hashes in the specified XML file. A small PowerShell script(2) will do the job: it generates a unique database name (based on the current date, yyyymmdd) and, at the end, also computes the SHA1 hash of this database. FCIV offers multiple command line switches to fine-tune the scan. Once you have a trusted database, you can compare a potentially malicious system against it. The command below will scan a system against a database stored on the D: drive:
The database being an XML file, it’s tempting to have a look at it and reuse the content with other investigation or monitoring tools. However, it’s unusable in its default format because Microsoft writes all the data on a single line and the hashes are stored in raw Base64. So, they must first be Base64-decoded and then hex-encoded to be recognized as regular MD5 or SHA1 hashes. This can be achieved very easily with a few lines of Python. Here is a small script(3) that will parse an FCIV database and generate a CSV file with 3 columns: the full path of the file, the MD5 hash and the SHA1 hash.
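As an added example (not the diary's hashparser.py), here is a Python parser in the spirit of script (3): it turns an FCIV database into path/MD5/SHA1 rows and then goes one step further by diffing a baseline database against one taken from a suspect host. The element names FCIV/FILE_ENTRY/name/MD5/SHA1 are assumed from FCIV's XML layout, and the sample databases are constructed inline with hashlib rather than taken from a real scan.

```python
import base64
import csv
import hashlib
import io
import xml.etree.ElementTree as ET

def fciv_entry(path: str, data: bytes) -> str:
    """Build one FILE_ENTRY as FCIV writes it: raw digest bytes, Base64-encoded."""
    md5 = base64.b64encode(hashlib.md5(data).digest()).decode()
    sha1 = base64.b64encode(hashlib.sha1(data).digest()).decode()
    return f"<FILE_ENTRY><name>{path}</name><MD5>{md5}</MD5><SHA1>{sha1}</SHA1></FILE_ENTRY>"

# Constructed sample DBs (one-line XML, like FCIV): clean baseline vs a suspect host where a.dll changed, b.exe vanished, c.sys appeared.
HDR = '<?xml version="1.0" encoding="utf-8"?><FCIV>'
BASELINE_XML = (HDR + fciv_entry(r"c:\windows\system32\a.dll", b"")
                + fciv_entry(r"c:\windows\b.exe", b"clean") + "</FCIV>")
SUSPECT_XML = (HDR + fciv_entry(r"c:\windows\system32\a.dll", b"patched")
               + fciv_entry(r"c:\windows\c.sys", b"dropped") + "</FCIV>")

def fciv_b64_to_hex(value: str) -> str:
    """Base64 digest as stored by FCIV -> lowercase hex as other tools expect."""
    return base64.b64decode(value, validate=True).hex()

def parse_fciv(xml_text: str) -> dict[str, tuple[str, str]]:
    """Return {path: (md5_hex, sha1_hex)}; element names assumed from FCIV's layout."""
    entries = {}
    for entry in ET.fromstring(xml_text).iter("FILE_ENTRY"):
        name, md5, sha1 = (entry.findtext(tag) for tag in ("name", "MD5", "SHA1"))
        if not (name and md5 and sha1):
            continue  # incomplete entry: skip rather than index a bogus hash
        md5_hex, sha1_hex = fciv_b64_to_hex(md5), fciv_b64_to_hex(sha1)
        if len(md5_hex) != 32 or len(sha1_hex) != 40:  # 16 / 20 digest bytes
            raise ValueError(f"unexpected digest length for {name}")
        entries[name] = (md5_hex, sha1_hex)
    return entries

def to_csv(entries: dict[str, tuple[str, str]]) -> str:
    buf = io.StringIO()  # three columns (path, md5, sha1), one row per file
    writer = csv.writer(buf, lineterminator="\n")
    writer.writerow(["path", "md5", "sha1"])
    for path, (md5, sha1) in sorted(entries.items()):
        writer.writerow([path, md5, sha1])
    return buf.getvalue()

def diff_databases(baseline: dict, suspect: dict) -> dict[str, list[str]]:
    """Triage a suspect host's database against the trusted baseline."""
    changed = [p for p in baseline if p in suspect and baseline[p] != suspect[p]]
    return {"modified": sorted(changed),
            "missing": sorted(set(baseline) - set(suspect)),
            "new": sorted(set(suspect) - set(baseline))}
```

The "modified" list is the one to look at first on a suspect host; "missing" and "new" need the patch history (see the comments below) to separate Windows Update noise from real changes.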
A last tip: execute a scheduled task every night on a standard computer image from a USB stick and store the generated XML database (and its .sha1sum) on a remote system. You'll have a good starting point to investigate a compromised computer.
(1) http://www.microsoft.com/en-us/download/details.aspx?id=11533
(2) https://github.com/xme/powershell_scripts/blob/master/fciv.ps1
(3) https://github.com/xme/powershell_scripts/blob/master/hashparser.py
Comments
It has been updated and rereleased because of code signing issues in 2012.
Anonymous
Aug 31st 2015
There are ways to generate a hash with older versions but it requires more code.
Anonymous
Aug 31st 2015
You can use something like this to generate a dynamic XML database filename:
fciv.exe -xml e:\hashdb-%date:/=%.xml ... (but this command does not work with internationalized date format)
To generate the SHA1 hash, there are sha1sum.exe binaries available online (ex: https://code.google.com/p/toolkits/downloads/detail?name=sha1sum.exe&can=2&q=)
Anonymous
Aug 31st 2015
Have a look at https://p0w3rsh3ll.wordpress.com/2015/02/05/backporting-the-get-filehash-function/
Anonymous
Sep 1st 2015
Every month some of these files will be updated thanks to Windows Update, and soon they will even be updated on a more frequent basis. So we need automated help in sorting the updated files' signatures, otherwise the signal-to-noise ratio will not be good, and we already have more noise than we can deal with...
Thanks
Anonymous
Sep 1st 2015