Find machines with specific MD5 checksums?
We are supposedly getting hit with some ransomware, and the FBI supplied us with MD5 hashes/checksums for the 6 different files to look out for. I have the file names, and the MD5 hashes. Is there a way to create a custom inventory rule or something to look for these specific checksums?
Thanks :)
Answers (5)
Posted by:
SMal.tmcc
8 years ago
for a known location you can use
the results are
Comments:
-
I need to work on one for the name only. I plan on using wmic datafile to locate the file name location and save that as a text file, then plug in the text file results to the same call as above. I will post that when I get it done - SMal.tmcc 8 years ago
Posted by:
SMal.tmcc
8 years ago
OK, here is a CIR to search the drive for a specific file name and then write the MD5 hash to the CIR.
I want to get the hash for a file named secinit.exe.
shellcommandtextreturn(TYPE nul > c:\programdata\dell\kace\user\secinit.txt & dir /s /b c:\secinit.exe>>c:\programdata\dell\kace\user\secinit.txt & for /f "tokens=*" %g in ('findstr /c:"secinit.exe" c:\programdata\dell\kace\user\secinit.txt') do CertUtil -hashfile "%g" MD5)
You can then create reports, use "does contain" or "does not contain", and use the hash they sent you in the comparison.
Comments:
-
I used wmic datafile at first, but it took 30 minutes to search my drive and that would not be a good thing to have a CIR doing; that would hold up the KACE inventory processes until it completed. - SMal.tmcc 8 years ago
Posted by:
jknox
8 years ago
For a CIR, do something like this: ShellCommandTextReturn(dir /S <filename>)
You could also have a Kscript output to a file and then have a CIR read it. You could then report off of that CIR.
Something like this:
KScript: dir /S <filename> > c:\<location>\results.txt
CIR: ShellCommandTextReturn(type c:\<location>\results.txt)
Off the top of my head, I can't think of a way to check a drive against a checksum, but if it's possible from the command line, the K1000 can help you do it.
This looks like it could work: https://support.microsoft.com/en-us/kb/841290
Comments:
-
Can you not use the binary file inventory table from the database and doesn't this also have a MD5 column? - dedenker 8 years ago
-
I'm not sure what that is, and it doesn't look like that's exactly what I want anyways. The file locations may be random I believe, so I just need to search for all files with the MD5 checksum. - sfigg 8 years ago
Posted by:
SMal.tmcc
8 years ago
CertUtil -hashfile yourFileName MD5
If you know the path you can create a CIR like
shellcommandtextreturn(cmd /c CertUtil -hashfile C:\DRIVERS\IntelBluetooth\autorun.exe MD5)
Comments:
-
MD5 hash of file C:\DRIVERS\IntelBluetooth\autorun.exe:
ba 16 0c 5f 2a 42 c9 f4 57 9c ae c0 d0 70 2e 79
CertUtil: -hashfile command completed successfully. - SMal.tmcc 8 years ago
-
How would I go about setting this up in a custom inventory field? I'm assuming files are under the system32 directory, like so:
C:\Windows\System32\samsam.exe
How would I set this up in KACE for me to see what machines have that file then? I don't want false positives, which is why I had the MD5. - sfigg 8 years ago
Posted by:
flip1001
8 years ago
I created a VBS script for this today but I haven't tested it in the K1000.
I would create an offline Kscript with the options 'Run once at next interval' and 'Run even with no one logged in'.
For the Kscript don't select 'wait for script to finish'. You also have to run the script with the command line cmd /C cscript md5search.vbs
In the VBS script, you will need to modify the sample md5 variables starting on line 22.
Then create a custom inventory rule that checks for the existence of C:\ProgramData\Dell\KACE\user\md5Found.txt and if found grab the contents.
Then you can create a smart label to identify the PCs.
Then after the next check in you may see results.
Here is the VBS script
' Find files that match the array of checksums
' and output the results to a text file at
' C:\ProgramData\Dell\KACE\user\md5Found.txt
' Change the checksum array to search for and the objStartFolder variable
' (the array is built with Array(), so its size follows the number of hashes you list)
Option Explicit
' Locked or access-denied files raise errors on read; keep sweeping instead of aborting
On Error Resume Next
Dim objStartFolder, objFSO, WshShell, objDictionary, arrMd5
Dim ObjExec, strFilePath, strFileHash, bytes, i
Dim a, x, outFile
Set objFSO = CreateObject("Scripting.FileSystemObject")
Set WshShell = CreateObject("WScript.Shell")
' Hold the filenames and hashes for matching hash comparisons
Set objDictionary = CreateObject("Scripting.Dictionary")
objDictionary.CompareMode = vbTextCompare
' Sample MD5 hashes for the files to look for
arrMd5 = Array( _
    "dd29517ff3e9e4322d3e47dcf1093d26", _
    "0fb897a493ad3267339d246e18f4f0a5", _
    "d06592c7d0ddd9fecbfb53ee09aca2dc", _
    "169ba77300269a28a58c44f7c0cfbb5d", _
    "d727d2c01f61f5d4d4d5a8e931c1b118", _
    "93a87b6c049c42592270bd67804fb83f" _
)
' Start searching the filesystem from this folder
objStartFolder = "C:\Windows\System32"
If Not objFSO.FolderExists(objStartFolder) Then
    ' WScript.Echo "Start folder does not exist."
    WScript.Quit 1
End If
' Get list of files through cmd dir: recursive, bare full paths, hidden and system
' files included, directories excluded (/a-d) so we never try to hash a folder
Set ObjExec = WshShell.Exec("cmd /q /c dir /a-d /b /s " & Chr(34) & objStartFolder & Chr(34))
' http://ss64.com/vb/stdoutread.html
Do While Not ObjExec.StdOut.AtEndOfStream
    strFilePath = ObjExec.StdOut.ReadLine()
    bytes = GetBytes(strFilePath)
    ' GetBytes yields Empty or Null for files it could not read (locked, access denied, zero length)
    If Not IsEmpty(bytes) And Not IsNull(bytes) Then
        strFileHash = LCase(bytesToHex(md5hashBytes(bytes)))
        For i = 0 To UBound(arrMd5)
            If strFileHash = LCase(arrMd5(i)) And Not objDictionary.Exists(strFilePath) Then
                objDictionary.Add strFilePath, strFileHash
            End If
        Next
    End If
Loop
' Only write the output file when there is a hit, so the CIR's existence check stays meaningful
If objDictionary.Count > 0 Then
    Set outFile = objFSO.CreateTextFile("C:\ProgramData\Dell\KACE\user\md5Found.txt", True)
    a = objDictionary.Keys
    For x = 0 To objDictionary.Count - 1
        outFile.WriteLine "Filename: " & a(x)
        outFile.WriteLine "Hash: " & objDictionary.Item(a(x))
        outFile.WriteLine ""
    Next
    outFile.Close
End If
WScript.Quit
' The hashing helpers are from
' http://stackoverflow.com/questions/10198690/how-to-generate-md5-using-vb-in-classic-asp
Function md5hashBytes(aBytes)
    On Error Resume Next
    Dim MD5
    Set MD5 = CreateObject("System.Security.Cryptography.MD5CryptoServiceProvider")
    MD5.Initialize()
    ' Note you MUST use ComputeHash_2 to get the correct overload of this method, and the bytes
    ' MUST be double wrapped in brackets to ensure they get passed in correctly.
    md5hashBytes = MD5.ComputeHash_2( (aBytes) )
End Function
Function bytesToHex(aBytes)
    On Error Resume Next
    Dim hexStr, x
    For x = 1 To LenB(aBytes)
        hexStr = Hex(AscB(MidB( (aBytes), x, 1)))
        If Len(hexStr) = 1 Then hexStr = "0" & hexStr
        bytesToHex = bytesToHex & hexStr
    Next
End Function
Function GetBytes(sPath)
    On Error Resume Next
    With CreateObject("Adodb.Stream")
        .Type = 1 ' adTypeBinary
        .Open
        .LoadFromFile sPath
        .Position = 0
        GetBytes = .Read
        .Close
    End With
End Function
Comments:
-
Awesome! Thanks. I'll have to test it out this week. Had a bunch of servers go down this weekend, so I won't have time to play with this until later in the week. - sfigg 8 years ago
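The same job the thread works out in two halves, the name-then-hash CIR from SMal.tmcc and jknox and the hash-list sweep plus output file from flip1001, combined in one PowerShell script. This is an added example, not code from the original thread or from KACE. It assumes PowerShell 4 or later on the endpoint (for Get-FileHash), that the agent runs it with enough rights to read the files, and a constructed IOC list: the two file names and the MD5 values are the sample values already on this page, not known-bad indicators, and are to be replaced with the ones the FBI supplied. The output path matches the one flip1001's script uses so the same CIR can read it.

```powershell
# Added example (not from the original thread). Assumes PowerShell 4+ for Get-FileHash.
# Constructed IOC list: names and MD5 values are the sample values from this thread,
# not real indicators. Replace them with the supplied names/hashes.
$Iocs = @(
    @{ Name = 'secinit.exe'; Md5 = 'dd29517ff3e9e4322d3e47dcf1093d26' },
    @{ Name = 'samsam.exe';  Md5 = '0fb897a493ad3267339d246e18f4f0a5' }
)
$SearchRoots    = @('C:\')                                       # drives/folders to sweep
$HashEverything = $false                                         # $true: ignore names, hash every file (slow)
$OutFile        = 'C:\ProgramData\Dell\KACE\user\md5Found.txt'   # same file flip1001's CIR reads

# Two lookups: by name (cheap pre-filter) and by hash (the actual match).
$ByName = @{}
$ByHash = @{}
foreach ($ioc in $Iocs) {
    $ByName[$ioc.Name.ToLowerInvariant()] = $true
    $ByHash[$ioc.Md5.ToLowerInvariant()]  = $ioc.Name
}

$Hits = New-Object System.Collections.Generic.List[string]
foreach ($root in $SearchRoots) {
    # SilentlyContinue: access-denied and reparse-point errors are skipped, not fatal.
    Get-ChildItem -LiteralPath $root -File -Recurse -Force -ErrorAction SilentlyContinue |
        Where-Object { $HashEverything -or $ByName.ContainsKey($_.Name.ToLowerInvariant()) } |
        ForEach-Object {
            try {
                $md5 = (Get-FileHash -LiteralPath $_.FullName -Algorithm MD5 -ErrorAction Stop).Hash.ToLowerInvariant()
            } catch {
                return   # locked or unreadable file: skip this one only
            }
            # Match on the hash regardless of which IOC name the file carries,
            # so a renamed copy of one sample still shows up under its hash.
            if ($ByHash.ContainsKey($md5)) {
                $Hits.Add("Filename: $($_.FullName)")
                $Hits.Add("Hash: $md5")
                $Hits.Add("IOC name: $($ByHash[$md5])")
            }
        }
}

if ($Hits.Count -gt 0) {
    $null = New-Item -ItemType Directory -Force -Path (Split-Path -Parent $OutFile)
    Set-Content -LiteralPath $OutFile -Value $Hits -Encoding ASCII
} elseif (Test-Path -LiteralPath $OutFile) {
    Remove-Item -LiteralPath $OutFile -Force   # drop a stale hit from an earlier run
}
exit 0
```

Run it the way flip1001 describes (an offline KScript, not waiting for the script to finish), then read the result with a CIR of the form jknox shows, ShellCommandTextReturn(type C:\ProgramData\Dell\KACE\user\md5Found.txt), and build the smart label or report on that field. The name pre-filter is what keeps the sweep fast enough for an inventory cycle; setting $HashEverything to $true hashes every file on the drive and brings back the slow full-disk walk SMal.tmcc warned about with wmic datafile. Note that an MD5 match only confirms the exact samples that were hashed; a repacked or modified copy will not match, which is the trade-off for having no false positives.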