My organization recently discovered malware that was sent to some users via email that managed to get past our email security in a sophisticated, targeted attack. The names of the files vary from user to user but we have collected a list of the common MD5 hashes among the malware files.

Just a shot in the dark -- I was wondering if there's a way to find files based on their MD5 hashes rather than their file names, extensions, etc. via PowerShell... or any method. We are using Windows 2012 R2 for most of the servers in our data center.

Brandon Wetter
  • Do this *after* taking the server off the primary network though - active malware is bad after all. – Thomas Ward Jan 28 '17 at 16:04
  • You've been compromised. Nuking the machines is the only way to be sure. How do you know you've gotten *all* the files necessary to remove them cleanly? I don't think it's worth the risk. – jpmc26 Jan 28 '17 at 20:06

3 Answers

Sure. You'll probably want to do something more useful than the following example though.

$evilHashes = @(
    '4C51A173404C35B2E95E47F94C638D2D001219A0CE3D1583893E3DE3AFFDAFE0',
    'CA1DEE12FB9E7D1B6F4CC6F09137CE788158BCFBB60DED956D9CC081BE3E18B1'
)

# -File keeps directories out of the pipeline; Get-FileHash cannot hash them.
# Get-FileHash defaults to SHA256, which is what the two sample hashes above are;
# pass -Algorithm MD5 to match the MD5 list from the question.
Get-ChildItem -Recurse -File -Path C:\somepath |
    Get-FileHash |
        Where-Object { $_.Hash -in $evilHashes }

jscott
# Get-FileHash defaults to SHA256, so -Algorithm MD5 is required to compare against an MD5 value.
[String]$BadHash = '5073D1CF59126966F4B0D2B1BEA3BEB5'

# -file limits the walk to files; access errors from Get-ChildItem and Get-FileHash are
# non-terminating, so the loop keeps going past paths it cannot read.
Foreach ($File In Get-ChildItem C:\ -file -recurse)
{
    If ((Get-FileHash $File.Fullname -Algorithm MD5).Hash -EQ $BadHash)
    {
        Write-Warning "Oh no, bad file detected: $($File.Fullname)"
    }
}

Ryan Ries
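A fuller version of the sweep shown in the two answers above, added here as an illustration and not taken from either answer: it reads the indicator list from a file, picks the hash algorithm from the hex length (the question has MD5 values; jscott's sample values are SHA-256), keeps going past files it cannot read, and writes every hit to a CSV report. The file paths and the $Roots list are assumptions.

```powershell
# Added example, not from the original answers. Assumptions: the known-bad hashes sit
# one per line in C:\IR\bad-hashes.txt, hits are written to C:\IR\hash-hits.csv, and
# $Roots lists the directories to sweep. Needs PowerShell 4.0+ for Get-FileHash.
param(
    [string]   $HashList = 'C:\IR\bad-hashes.txt',
    [string]   $Report   = 'C:\IR\hash-hits.csv',
    [string[]] $Roots    = @('C:\Users', 'C:\ProgramData', 'C:\Windows\Temp')
)

# Group the indicators by algorithm, inferred from hex length (MD5 32, SHA1 40, SHA256 64),
# so a mixed list such as the MD5 values in the question plus SHA256 values still works.
$sets = @{}
foreach ($line in Get-Content -LiteralPath $HashList) {
    $h = $line.Trim().ToUpperInvariant()
    if ($h -notmatch '^[0-9A-F]+$') { continue }      # skip blank lines and comments
    $alg = switch ($h.Length) { 32 { 'MD5' } 40 { 'SHA1' } 64 { 'SHA256' } default { $null } }
    if (-not $alg) { continue }
    if (-not $sets.ContainsKey($alg)) {
        $sets[$alg] = New-Object 'System.Collections.Generic.HashSet[string]'
    }
    [void]$sets[$alg].Add($h)
}

$hits = foreach ($root in $Roots) {
    # -Force includes hidden and system files; errors are suppressed so one access-denied
    # path does not stop the sweep, but they are still available in $Error afterwards.
    Get-ChildItem -LiteralPath $root -File -Recurse -Force -ErrorAction SilentlyContinue |
      ForEach-Object {
        $file = $_
        foreach ($alg in $sets.Keys) {
            $fh = Get-FileHash -LiteralPath $file.FullName -Algorithm $alg -ErrorAction SilentlyContinue
            if ($fh -and $sets[$alg].Contains($fh.Hash)) {
                [pscustomobject]@{
                    Computer  = $env:COMPUTERNAME
                    Path      = $file.FullName
                    Algorithm = $alg
                    Hash      = $fh.Hash
                    SizeBytes = $file.Length
                    LastWrite = $file.LastWriteTimeUtc
                }
            }
        }
      }
}

$hits | Export-Csv -LiteralPath $Report -NoTypeInformation
Write-Output ('{0} matching file(s); report written to {1}' -f @($hits).Count, $Report)
```

To sweep several servers at once, run the saved script with Invoke-Command -FilePath against each host; the CSV is then written on the remote machine at $Report.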

If you have a copy of the file, you should activate AppLocker across the entire domain and add a hash rule for that file to stop its execution. This has the added bonus of identifying computers that are trying to run the program because AppLocker logs block and deny actions by default.

longneck