Threat Level: green Handler on Duty: Jan Kopriva

SANS ISC: Sigcheck and virustotal-search SANS ISC InfoSec Forums

Participate: Learn more about our honeypot network
https://isc.sans.edu/honeypot.html

Sign Up for Free!   Forgot Password?
Log In or Sign Up for Free!
Sigcheck and virustotal-search

In my last diary entry I mentioned offline use of Sysinternal tools with my tool virustotal-search.

So you want to use sigcheck but you can't connect the machine to the Internet. Then you can use sigcheck's option -h to calculate cryptographic hashes of the files it checks, and option -c to produce a CSV output (-ct for CSV with a tab separator). If you want, you can limit sigcheck's scanning to executable files only with option -e.

To extract a unique list of MD5 hashes, you can use this pipe of awk, tail, sed and sort (for a tab separated CSV file):

awk -F '\t' '{print $10}' sigcheck-system32.csv | tail -n +2 | sed 's/"//g' | sort -u

And then you can use virustotal-search to submit the hashes.

If you suspect the machine is infected with malware that has rootkit features, then don't boot from the suspect disk, but mount the disk on another machine or boot from a Live CD and use sigcheck to scan the disk.

 

Didier Stevens
Microsoft MVP Consumer Security
blog.DidierStevens.com DidierStevensLabs.com

DidierStevens

398 Posts
ISC Handler
cool, I like the sysinternals tools, but if available i'll always try to get it done without extra tools. Since Powershell 4 you can also calc hashes with a cmdlet. Easy oneliner to print hashes for a file, or all files in a folder: Get-FileHash [file or folder/*] -Algorithm MD5 | ForEach-Object {echo $_.Hash}

thought i'd share it :)
Reapz

1 Posts
Thanks for the share. There are many methods to obtain file hashes. I mentioned sigcheck because it can limit files to executables, thereby significantly reducing the number of hashes to submit to VirusTotal.
DidierStevens

398 Posts
ISC Handler
Well, you didn't ask, but you will receive. :)

Certainly sigcheck is a great little tool, but for those wanting to keep it all powershell all the time, here's something that can augment checking executables:

This link:
https://etechgoodness.wordpress.com/2014/12/11/powershell-determine-if-an-exe-is-32-or-64-bit-and-other-tricks/

Describes this Gallery download:
https://gallery.technet.microsoft.com/scriptcenter/Identify-16-bit-32-bit-and-522eae75

That, combined with "get-childitem -file -recurse" and get-filehash should yield what's wanted.

I'll have to see if I can generalize this to simply detecting whether or not a file is an executable.

Kurt
Anonymous

Sign Up for Free or Log In to start participating in the conversation!