My next class:

Detecting file changes on Microsoft systems with FCIV

Published: 2015-08-31. Last Updated: 2015-08-31 11:19:31 UTC
by Xavier Mertens (Version: 1)
14 comment(s)

Microsoft releases often interesting tools to help system administrators and incident handlers to investigate suspicious activities on Windows systems. In 2012, they released a free tool called FCIV (“File Checksum Integrity Verifier”)(1). It is a stand alone executable which does not require any DLL or other resources. Just launch it from any location. Its goal is to browse a file system or some directories recursively and to generate MD5/SHA1 hashes of all the files found. The results are saved in a XML database. FCIV is used in proactive and reactive ways. The first step is to build a database of hashes on a clean computer (proactive). Then the generated database is re-used to verify a potentially compromised system (reactive)

Most big organizations work today with system images. The idea is to scan an unused clean system (but which will of course receives patches and software updates with a system like WSUS) and to generate a baseline of hashes. Example:

PS: C:\> d:\bin\fciv.exe -both -xml d:\hashdb.xml -r c:\ -type *.dll -type *.vxd -type *.ocx -type *.inf -type *.sys -type *.drv -type *.reg -type *.386 -type *.job -type *.jar

This command will search recursively for specified file types on  the C: drive and store both hashes in the specificed XML file. A small PowerShell script(2) will do the job: it generates a database unique name (based on the current date - yyyymmdd) and, at the end, compute also the SHA1 hash of this database. FCIV offers multiple command line switches to fine tune the scan. Once you have a trusted database, you can compare a potentially malicious system against it. The command below will scan a system against a database stored on the D: drive:

PS D:\bin> fciv.exe -xml d:\hashdb-20150830.xml -v -bp C:\

The database being a XML file, it’s tempting to have a look at it and reuse the content with other investigation or monitoring tools. However it’s unusable in its default format because Microsoft writes all the data on a single line and the hashes are stored in raw Base64. So, they must be first Base64 decoded then encoded in hex to be recognized as regular MD5 or SHA1 hashes. They can be achieved very easily with a few lines of Python. Here is a small script(3) that will parse a FCIV database and generate a CVS file with 3 columns: the full path of the file, the MD5 and SHA1 hashes. 

A last tip: execute a scheduled task every night on a standard computer image from a USB stick and store the generated XML database (and its .sha1sum) to a remote system. You'll have a good starting point to investigate a compromised computer.

(1) http://www.microsoft.com/en-us/download/details.aspx?id=11533
(2) https://github.com/xme/powershell_scripts/blob/master/fciv.ps1
(3) https://github.com/xme/powershell_scripts/blob/master/hashparser.py

Keywords: Hash Microsoft Tool
14 comment(s)
My next class:

Comments

fciv.exe was relesed in May 17, 2004 according to https://support.microsoft.com/en-us/kb/841290.
Its has been updated and rereleased because of code signing issues in 2012.
Thank you for the clarification Emin!
What is the (minimum) required PS version? I ran this & got error about "get-filehash" not recognized as a cmdlet.
Get-FileHash is available since PowerShell V4.
There are ways to generate a hash with older versions but it requires more code.
So considering all the PS v4 requirements (OS, .NET, etc.), this won't help with older Windows systems; e.g. Windows 2008 Server (non-R2), 2003, or XP.
I'm using PS to generate the database name and its hash at the end in a convenient way. fciv.exe is fully usable on all versions of the OS and does not need PS.
You can use something like this to generate a dynamic XML database filename:

fciv.exe -xml e:\hashdb-%date:/=%.xml ... (but this command does not work with internationalized date format)

To generate the SHA1 hash, there are sha1sum.exe binaries available online (ex: https://code.google.com/p/toolkits/downloads/detail?name=sha1sum.exe&can=2&q=)
I've been using SlavaSoft's fsum.exe for similar reasons for many years. Has the advantage that its output is readable and supports other types of hashing, but doesn't have the exclusion feature.
Microsoft sysinternal tool sigcheck (https://technet.microsoft.com/en-us/sysinternals/bb897441.aspx) can also be used for generating hashsums.
You can get the code of the Get-FileHash function from PowerShell version 4.0 and backport it to PowerShell version 2.0.

Have a look at https://p0w3rsh3ll.wordpress.com/2015/02/05/backporting-the-get-filehash-function/
How to distinguish between legitimately updated files from the potentially attacked files?
Every month some of these files will be updated thanks to Windows Update, and soon it will be even updated on a more frequent basis. So we need automated help in sorting the updated files signatures, otherwise the ratio signal-to-noise will not be good, and we already have more noise than we can deal with...
Thanks

Diary Archives