
SANS ISC Internet Storm Center



Detecting file changes on Microsoft systems with FCIV

Published: 2015-08-31
Last Updated: 2015-08-31 11:19:31 UTC
by Xavier Mertens (Version: 1)

Microsoft often releases interesting tools to help system administrators and incident handlers investigate suspicious activity on Windows systems. In 2012, they released a free tool called FCIV (“File Checksum Integrity Verifier”)(1). It is a standalone executable that does not require any DLL or other resources: just launch it from any location. Its goal is to browse a file system or selected directories recursively and to generate MD5/SHA1 hashes of all the files found. The results are saved in an XML database. FCIV is used in proactive and reactive ways. The first step is to build a database of hashes on a clean computer (proactive). The generated database is then reused to verify a potentially compromised system (reactive).

Most big organizations today work with system images. The idea is to scan an unused clean system (which will, of course, still receive patches and software updates through a system like WSUS) and to generate a baseline of hashes. Example:

PS C:\> d:\bin\fciv.exe -both -xml d:\hashdb.xml -r c:\ -type *.dll -type *.vxd -type *.ocx -type *.inf -type *.sys -type *.drv -type *.reg -type *.386 -type *.job -type *.jar

This command searches the C: drive recursively for the specified file types and stores both hashes in the specified XML file. A small PowerShell script(2) will do the job: it generates a unique database name (based on the current date - yyyymmdd) and, at the end, also computes the SHA1 hash of this database. FCIV offers multiple command line switches to fine-tune the scan. Once you have a trusted database, you can compare a potentially malicious system against it. The command below will scan a system against a database stored on the D: drive:

PS D:\bin> fciv.exe -xml d:\hashdb-20150830.xml -v -bp C:\

Because the database is an XML file, it’s tempting to have a look at it and reuse the content with other investigation or monitoring tools. However, it’s unusable in its default format because Microsoft writes all the data on a single line and the hashes are stored in raw Base64. So, they must first be Base64-decoded and then encoded in hex to be recognized as regular MD5 or SHA1 hashes. This can be achieved very easily with a few lines of Python. Here is a small script(3) that will parse an FCIV database and generate a CSV file with 3 columns: the full path of the file, the MD5 and SHA1 hashes.

A last tip: execute a scheduled task every night on a standard computer image from a USB stick and store the generated XML database (and its .sha1sum) on a remote system. You'll have a good starting point to investigate a compromised computer.
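The Base64-to-hex conversion and CSV export described above, as an added example (it is not the author's hashparser.py). It goes one step further and diffs two nightly databases. The element names FCIV, FILE_ENTRY, name, MD5 and SHA1 are an assumption about the database layout, and the sample databases are constructed in the code, not real FCIV output.

```python
import base64
import csv
import hashlib
import io
import xml.etree.ElementTree as ET

DIGEST_LEN = {"MD5": 16, "SHA1": 20}  # raw digest sizes in bytes

def b64_to_hex(value, algo):
    """Decode one Base64 digest from the database into lowercase hex."""
    raw = base64.b64decode(value.strip(), validate=True)
    if len(raw) != DIGEST_LEN[algo]:
        raise ValueError(f"{algo} digest is {len(raw)} bytes, expected {DIGEST_LEN[algo]}")
    return raw.hex()

def parse_fciv(xml_text):
    """Return {lowercased path: (md5_hex, sha1_hex)}; a hash that is absent becomes ''."""
    entries = {}
    for node in ET.fromstring(xml_text).iter("FILE_ENTRY"):  # assumed element names
        path = node.findtext("name", "").strip().lower()  # Windows paths ignore case
        entries[path] = tuple(b64_to_hex(node.findtext(a), a) if node.findtext(a) else ""
                              for a in ("MD5", "SHA1"))
    return entries

def to_csv(entries):
    """Three columns, as in the text: full path, MD5, SHA1."""
    out = io.StringIO()
    rows = [["path", "md5", "sha1"]] + [[p, *entries[p]] for p in sorted(entries)]
    csv.writer(out).writerows(rows)
    return out.getvalue()

def diff(baseline, current):
    """Files added, removed, or whose hashes changed between two parsed databases."""
    added = sorted(current.keys() - baseline.keys())
    removed = sorted(baseline.keys() - current.keys())
    changed = sorted(p for p in baseline.keys() & current.keys() if baseline[p] != current[p])
    return added, removed, changed

def make_db(files):
    """Constructed sample only: build a single-line database from {path: bytes}."""
    enc = lambda h: base64.b64encode(h.digest()).decode()
    return "<FCIV>" + "".join(
        f"<FILE_ENTRY><name>{p}</name><MD5>{enc(hashlib.md5(c))}</MD5>"
        f"<SHA1>{enc(hashlib.sha1(c))}</SHA1></FILE_ENTRY>" for p, c in files.items()) + "</FCIV>"

if __name__ == "__main__":
    base = parse_fciv(make_db({r"c:\windows\a.dll": b"v1", r"c:\windows\b.sys": b"v1"}))
    now = parse_fciv(make_db({r"c:\windows\a.dll": b"v2", r"c:\windows\c.drv": b"v1"}))
    print(to_csv(base), diff(base, now), sep="\n")
```

The length check in `b64_to_hex` rejects truncated or corrupted digests instead of writing a malformed hash into the CSV.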

(1) http://www.microsoft.com/en-us/download/details.aspx?id=11533
(2) https://github.com/xme/powershell_scripts/blob/master/fciv.ps1
(3) https://github.com/xme/powershell_scripts/blob/master/hashparser.py

Keywords: Hash Microsoft Tool