
As part of incident response to a malicious code outbreak, and given the hash value of the malicious artifact, I would like to search across the entire organization for this specific hash value.

Do you know of best practices or solutions that implement such functionality?

user1192748

2 Answers


You get one of the many endpoint agents out there, or PowerShell scripts, that allow you to search for IoCs in the form of file hashes. You tell the agents (or the central script) to look for the file hash.

schroeder

If you can scale it, searching across a fleet with Yara rules is better than searching for a hash, by a lot.

Velociraptor is an open-source implementation of the even rougher standard, RE&CT, which has a response labelled "find process by executable content pattern".

VQL (from Velociraptor) is the rough standard for a query language developed for this purpose. Vendors may have their own version of this, but VQL sets the standard for what can and must be done.

For Yara, VQL provides the Windows.Detection.RemoteYara.Process and Windows.Detection.ProcessMemory routines.

There are also RE&CTs (e.g., RA1404) and VQL routines associated with searching by a specific hash, but to reiterate: leveraging Yara is better in the majority of use cases.

atdre
  • Windows.Search.Yara for large yara rules and Windows.Search.FileFinder for smaller. https://github.com/Velocidex/yara-tools -- to help minimize yara rules – atdre Feb 05 '21 at 03:31
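The following is an added example illustrating both answers above; it is not code from either answer, nor from Velociraptor or any endpoint agent. It sweeps a directory tree for a known-bad SHA-256 (the approach in the first answer) and, alongside it, for a byte-pattern indicator that stands in for a YARA string rule (the approach in the second answer). The sample files, the hostname-like indicator `c2.example.invalid` and the regular-expression matcher are all constructed for the demonstration; a real sweep would run an actual YARA engine, stream large files instead of reading them whole, and be dispatched to endpoints by an agent rather than run locally.

```python
"""
Constructed example: compare a hash-only IoC sweep with a content-pattern
sweep over the same files. The pattern survives a trivial change to the
sample (one appended byte), the hash does not.
"""
import hashlib
import os
import re
import shutil
import tempfile
from pathlib import Path

# Constructed "malicious" sample. The embedded hostname stands in for the kind
# of content indicator a YARA string rule would match (C2 host, mutex, etc.).
BAD_PAYLOAD = b"MZ\x90\x00" + b"\x00" * 16 + b"c2.example.invalid" + b"\x00" * 8
# Variant of the same sample with a single byte appended: different hash,
# identical content indicator.
VARIANT_PAYLOAD = BAD_PAYLOAD + b"\x00"
# Hypothetical indicator pattern; stands in for a YARA string rule.
PATTERN = re.compile(rb"c2\.example\.invalid")


def sha256_file(path, chunk=1 << 20):
    """Stream a file through SHA-256 so large binaries are not read at once."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def sweep(root, bad_hashes, patterns):
    """Walk root and return {path: (kind, detail)} for every hit.

    kind is "hash" when the SHA-256 is in bad_hashes, "pattern" when one of
    the compiled byte patterns matches the file content.
    """
    hits = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                digest = sha256_file(path)
            except OSError:
                continue  # unreadable or vanished file; real tooling should log this
            if digest in bad_hashes:
                hits[path] = ("hash", digest)
                continue
            if not patterns:
                continue
            with open(path, "rb") as f:
                data = f.read()  # demo only; a real scanner would not slurp big files
            for pat in patterns:
                m = pat.search(data)
                if m:
                    hits[path] = ("pattern", m.group(0).decode())
                    break
    return hits


def build_demo_tree():
    """Create a temporary tree with the original sample, the variant and a benign file."""
    root = tempfile.mkdtemp(prefix="ioc_sweep_")
    (Path(root) / "sub").mkdir()
    (Path(root) / "original.exe").write_bytes(BAD_PAYLOAD)
    (Path(root) / "sub" / "variant.exe").write_bytes(VARIANT_PAYLOAD)
    (Path(root) / "benign.txt").write_bytes(b"nothing to see here")
    return root


def demo():
    """Run both sweeps and return the relative paths each one flagged."""
    root = build_demo_tree()
    try:
        ioc_hash = hashlib.sha256(BAD_PAYLOAD).hexdigest()
        hash_only = sweep(root, {ioc_hash}, [])
        hash_and_pattern = sweep(root, {ioc_hash}, [PATTERN])
        rel = lambda p: Path(p).relative_to(root).as_posix()
        return {
            "hash_only": sorted(rel(p) for p in hash_only),
            "hash_and_pattern": sorted(rel(p) for p in hash_and_pattern),
        }
    finally:
        shutil.rmtree(root, ignore_errors=True)


if __name__ == "__main__":
    print(demo())
```

The hash-only sweep flags just `original.exe`; the pattern-backed sweep also catches `sub/variant.exe`, which is the practical reason the second answer prefers Yara over a bare hash search. The same `sweep` structure is what an agent would execute per endpoint, with the results shipped back to a central collector.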