
SANS ISC: Detecting file changes on Microsoft systems with FCIV - SANS Internet Storm Center


Detecting file changes on Microsoft systems with FCIV

Microsoft often releases interesting tools to help system administrators and incident handlers investigate suspicious activity on Windows systems. In 2012, they released a free tool called FCIV ("File Checksum Integrity Verifier")(1). It is a stand-alone executable which does not require any DLL or other resources; just launch it from any location. Its goal is to browse a file system or some directories recursively and generate MD5/SHA1 hashes of all the files found. The results are saved in an XML database. FCIV is used in proactive and reactive ways. The first step is to build a database of hashes on a clean computer (proactive). Then the generated database is re-used to verify a potentially compromised system (reactive).

Most big organizations work today with system images. The idea is to scan an unused, clean system (which will of course still receive patches and software updates through a system like WSUS) and to generate a baseline of hashes. Example:

PS: C:\> d:\bin\fciv.exe -both -xml d:\hashdb.xml -r c:\ -type *.dll -type *.vxd -type *.ocx -type *.inf -type *.sys -type *.drv -type *.reg -type *.386 -type *.job -type *.jar

This command will search recursively for the specified file types on the C: drive and store both hashes in the specified XML file. A small PowerShell script(2) will do the job: it generates a unique database name (based on the current date, yyyymmdd) and, at the end, also computes the SHA1 hash of this database. FCIV offers multiple command line switches to fine-tune the scan. Once you have a trusted database, you can compare a potentially compromised system against it. The command below will scan a system against a database stored on the D: drive:

PS D:\bin> fciv.exe -xml d:\hashdb-20150830.xml -v -bp C:\

The database being an XML file, it's tempting to have a look at it and reuse the content with other investigation or monitoring tools. However, it's unusable in its default format because Microsoft writes all the data on a single line and the hashes are stored in raw Base64. So they must first be Base64-decoded and then hex-encoded to be recognized as regular MD5 or SHA1 hashes. This can be achieved very easily with a few lines of Python. Here is a small script(3) that will parse an FCIV database and generate a CSV file with 3 columns: the full path of the file, the MD5 hash and the SHA1 hash.
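As an added illustration (not the script linked above, nor Microsoft's code), the following Python shows the Base64-to-hex conversion and CSV export described here, and goes one step further by diffing a trusted baseline database against a scan of a suspect host. The FCIV/FILE_ENTRY/name/MD5/SHA1 element layout and the sample databases are constructed assumptions; the sample hashes are those of an empty file and of all-zero bytes.

```python
import base64
import csv
import io
import xml.etree.ElementTree as ET

def b64_to_hex(value):
    """FCIV stores hashes as raw Base64; convert to the usual lowercase hex."""
    return base64.b64decode(value).hex() if value else ""

def parse_fciv(xml_text):
    """Return {path: (md5_hex, sha1_hex)} from an FCIV XML database (str or bytes)."""
    entries = {}
    for entry in ET.fromstring(xml_text).iter("FILE_ENTRY"):
        entries[entry.findtext("name", "")] = (b64_to_hex(entry.findtext("MD5")),
                                               b64_to_hex(entry.findtext("SHA1")))
    return entries

def to_csv(entries):
    """Emit 'path,md5,sha1' rows sorted by path, as one CSV string."""
    buf = io.StringIO()
    writer = csv.writer(buf, lineterminator="\n")
    writer.writerow(["path", "md5", "sha1"])
    for path in sorted(entries):
        writer.writerow([path, *entries[path]])
    return buf.getvalue()

def diff_databases(baseline, suspect):
    """Reactive step: files whose hashes differ from the trusted baseline, files
    present only on the suspect host, and baseline files that are now missing."""
    report = {"modified": [], "added": [], "missing": []}
    for path, hashes in sorted(suspect.items()):
        if path not in baseline:
            report["added"].append(path)
        elif baseline[path] != hashes:
            report["modified"].append(path)
    report["missing"] = sorted(set(baseline) - set(suspect))
    return report

# Constructed sample databases. The FCIV/FILE_ENTRY/name/MD5/SHA1 layout is
# assumed from the tool's output; EMPTY holds the Base64 MD5/SHA1 of an empty file.
def _entry(path, md5_b64, sha1_b64):
    return "<FILE_ENTRY><name>%s</name><MD5>%s</MD5><SHA1>%s</SHA1></FILE_ENTRY>" % (
        path, md5_b64, sha1_b64)

EMPTY = ("1B2M2Y8AsgTpgAmY7PhCfg==", "2jmj7l5rSw0yVb/vlWAYkK/YBwk=")
ZEROS = (base64.b64encode(bytes(16)).decode(), base64.b64encode(bytes(20)).decode())
BASELINE_XML = ("<FCIV>" + _entry(r"c:\windows\system32\a.dll", *EMPTY)
                + _entry(r"c:\windows\system32\b.sys", *EMPTY) + "</FCIV>")
SUSPECT_XML = ("<FCIV>" + _entry(r"c:\windows\system32\a.dll", *ZEROS)
               + _entry(r"c:\windows\system32\c.exe", *EMPTY) + "</FCIV>")
```

For a real database, pass the file's bytes (open(path, "rb").read()) to parse_fciv so the XML declaration's encoding is honoured.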

A last tip: run a scheduled task every night on a standard computer image from a USB stick and store the generated XML database (and its .sha1sum) on a remote system. You'll have a good starting point to investigate a compromised computer.

(1) http://www.microsoft.com/en-us/download/details.aspx?id=11533
(2) https://github.com/xme/powershell_scripts/blob/master/fciv.ps1
(3) https://github.com/xme/powershell_scripts/blob/master/hashparser.py

Xme

ISC Handler
fciv.exe was released on May 17, 2004 according to https://support.microsoft.com/en-us/kb/841290.
It has been updated and re-released because of code signing issues in 2012.
Emin

Thank you for the clarification Emin!
Xme

ISC Handler
What is the (minimum) required PS version? I ran this & got error about "get-filehash" not recognized as a cmdlet.
AAInfoSec

Get-FileHash is available since PowerShell V4.
There are ways to generate a hash with older versions but it requires more code.
Xme

ISC Handler
So considering all the PS v4 requirements (OS, .NET, etc.), this won't help with older Windows systems; e.g. Windows 2008 Server (non-R2), 2003, or XP.
AAInfoSec

I'm using PS to generate the database name and its hash at the end in a convenient way. fciv.exe is fully usable on all versions of the OS and does not need PS.
You can use something like this to generate a dynamic XML database filename:

fciv.exe -xml e:\hashdb-%/… ... (but this command does not work with internationalized date format)

To generate the SHA1 hash, there are sha1sum.exe binaries available online (ex: code.google.com/p/toolkits/downloads/…=)
Xme

ISC Handler
I've been using SlavaSoft's fsum.exe for similar reasons for many years. Has the advantage that its output is readable and supports other types of hashing, but doesn't have the exclusion feature.
Adam

The Microsoft Sysinternals tool sigcheck (https://technet.microsoft.com/en-us/sysinternals/bb897441.aspx) can also be used for generating hashsums.
DG

You can get the code of the Get-FileHash function from PowerShell version 4.0 and backport it to PowerShell version 2.0.

Have a look at https://p0w3rsh3ll.wordpress.com/2015/02/05/backporting-the-get-filehash-function/
Emin

How to distinguish legitimately updated files from potentially attacked files?
Every month some of these files will be updated thanks to Windows Update, and soon they will be updated even more frequently. So we need automated help in sorting the updated files' signatures, otherwise the signal-to-noise ratio will not be good, and we already have more noise than we can deal with...
Thanks
Daniel

We have to work with a baseline. The unused computer is a good starting point. You can also correlate the hashes with another source.
Have a look at today's blog post by Didier Stevens: blog.didierstevens.com/2015/09/01/nsrl-py-using-the-reference-data-set-of-the-national-software-reference-library/
You can use NSRL to compare your hashes against a trusted source.
Xme

ISC Handler
I installed PS4 & ran the first script, but got the following error:
"The term 'd:\hashdb-$date.xml' is not recognized as the name of a cmdlet, function, script file, or operable program...
ObjectNotFound: (d:\hashdb-$date.xml:String) [], CommandNotFoundException

Is $dbname a user-defined or built-in variable name?
AAInfoSec

I replaced all the references to $dbname with actual file name & ran the script. It ran ok, created an xml file and a sha1sum file.
FCIV did generate errors though. FCIV.err contains a lot of "Access Denied"/Error Code:5 and "The process cannot access the file because it is being used by another process."/Error Code:20.
AAInfoSec

Sounds logical... Files can be locked by other processes... Also be sure to run it with administrator rights.
Xme

ISC Handler
