My organization recently discovered malware that was sent to some users via email that managed to get past our email security in a sophisticated, targeted attack. The names of the files vary from user to user but we have collected a list of the common MD5 hashes among the malware files.

Just a shot in the dark -- I was wondering if there's a way to find files based on their MD5 hashes rather than their file names, extensions, etc. via PowerShell... or any method. We are using Windows 2012 R2 for most of the servers in our data center.

# The known-bad MD5 (upper-case hex, as Get-FileHash reports it).
[String]$BadHash = '5073D1CF59126966F4B0D2B1BEA3BEB5'

# Walk every file on C:\; -File skips directories, -Recurse descends.
Foreach ($File In Get-ChildItem C:\ -File -Recurse)
{
    # Get-FileHash is available from PowerShell 4.0, which 2012 R2 ships with.
    If ((Get-FileHash $File.FullName -Algorithm MD5).Hash -EQ $BadHash)
    {
        Write-Warning "Oh no, bad file detected: $($File.FullName)"
    }
}

Sure. You'll probably want to do something more useful than the following example though.

# These are SHA-256 values (64 hex characters); Get-FileHash computes SHA-256
# by default, so they compare correctly. For an MD5 list, pass -Algorithm MD5.
$evilHashes = @(
    '4C51A173404C35B2E95E47F94C638D2D001219A0CE3D1583893E3DE3AFFDAFE0',
    'CA1DEE12FB9E7D1B6F4CC6F09137CE788158BCFBB60DED956D9CC081BE3E18B1'
)

# -in is case-insensitive, so the case of the hash list does not matter.
Get-ChildItem -Recurse -Path C:\somepath |
    Get-FileHash |
        Where-Object { $_.Hash -in $evilHashes }
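Both answers above scan one machine and stop at the hash match. The following is an added example, not code from either answer, that wraps the same idea in a function which tolerates access-denied directories, reports where each hit was found, and can be pushed to several servers at once with Invoke-Command (the fleet of 2012 R2 servers the question mentions). The server names, paths and MD5 values are constructed placeholders; the function name Find-FileByHash is my own. It relies only on Get-ChildItem -File and Get-FileHash, both present in PowerShell 4.0 on 2012 R2.

```powershell
# Added example (not from the original answers): find files by hash across servers.
function Find-FileByHash {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [string[]] $Path,      # directory roots to walk
        [Parameter(Mandatory)] [string[]] $Hash,      # known-bad hashes, hex
        [ValidateSet('MD5', 'SHA1', 'SHA256')] [string] $Algorithm = 'MD5'
    )

    # Normalise the indicator list once so lookups are O(1) and case-insensitive.
    $bad = @{}
    foreach ($h in $Hash) { $bad[$h.Trim().ToUpperInvariant()] = $true }

    # -Force includes hidden files; SilentlyContinue keeps a denied directory
    # from aborting the whole scan (the errors are non-terminating anyway, but
    # this keeps the output clean when run remotely).
    Get-ChildItem -Path $Path -File -Recurse -Force -ErrorAction SilentlyContinue |
        ForEach-Object {
            $fh = Get-FileHash -LiteralPath $_.FullName -Algorithm $Algorithm -ErrorAction SilentlyContinue
            if ($fh -and $bad.ContainsKey($fh.Hash.ToUpperInvariant())) {
                # Emit an object rather than text so results can be sorted/exported.
                [pscustomobject]@{
                    ComputerName  = $env:COMPUTERNAME
                    Path          = $_.FullName
                    Hash          = $fh.Hash
                    Length        = $_.Length
                    LastWriteTime = $_.LastWriteTime
                }
            }
        }
}

# Constructed placeholder indicators; in practice load them from the incident notes.
$badMd5 = @(
    '00000000000000000000000000000000',   # placeholder MD5
    'FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF'    # placeholder MD5
)

# Local run, whole volume, results to CSV for the incident record.
Find-FileByHash -Path 'C:\' -Hash $badMd5 -Algorithm MD5 |
    Export-Csv -Path (Join-Path $env:TEMP 'hash-hits.csv') -NoTypeInformation

# Fleet run: placeholder server names. Mailed attachments normally land under
# user profiles and temp directories, so scan those first and the full volume later.
$servers = 'srv-placeholder-01', 'srv-placeholder-02'
$hits = Invoke-Command -ComputerName $servers `
    -ScriptBlock ${function:Find-FileByHash} `
    -ArgumentList @('C:\Users', 'C:\Windows\Temp'), $badMd5, 'MD5'

$hits | Sort-Object ComputerName, Path |
    Format-Table ComputerName, Path, Hash, LastWriteTime -AutoSize
```

Passing `${function:Find-FileByHash}` as the script block ships the function body to each remote host, so the indicator list and the matching logic stay in one place. Hashing every file on a volume is I/O heavy; if the sample sizes are known, filtering on `Length` before hashing avoids most of that work.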

If you have a copy of the file, you should activate AppLocker across the entire domain and add a hash rule for that file to stop its execution. This has the added bonus of identifying computers that are trying to run the program because AppLocker logs block and deny actions by default.

This is, without any doubt, The Real Answer. – jscott 6 hours ago
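The answer above describes the AppLocker approach; here is an added example of carrying it out with the AppLocker cmdlets, not code from the answer or its commenter. It assumes a captured copy of the sample at a placeholder path, and that the default AppLocker allow rules already exist on the target policy: once a rule collection is enforced, AppLocker blocks everything an allow rule does not match, so a lone deny rule applied to an empty policy would stop every executable on the host. The rule name prefix and the seven-day window are my own choices.

```powershell
# Added example (not from the original answer): build an AppLocker hash deny
# rule from a captured sample, apply it, and read the resulting block events.

# 1. Hash the sample the way AppLocker does and emit a policy fragment as XML.
#    New-AppLockerPolicy only generates Allow rules, so the action is flipped
#    to Deny in the XML before it is applied.
$sample  = 'C:\quarantine\PLACEHOLDER-sample.exe'    # placeholder path to the captured file
$ruleXml = Get-AppLockerFileInformation -Path $sample |
    New-AppLockerPolicy -RuleType Hash -User Everyone -RuleNamePrefix 'IR-Deny' -Xml

$denyXml    = $ruleXml -replace 'Action="Allow"', 'Action="Deny"'
$policyPath = Join-Path $env:TEMP 'applocker-deny-hash.xml'
Set-Content -Path $policyPath -Value $denyXml -Encoding UTF8

# 2. Merge the rule into the policy. -Merge keeps the existing rules (including the
#    default allow rules) instead of replacing the whole policy. Test on one host
#    first; for the whole domain, target the GPO with -Ldap instead, e.g.
#    Set-AppLockerPolicy -XmlPolicy $policyPath -Merge -Ldap 'LDAP://<placeholder DN of the GPO>'
Set-AppLockerPolicy -XmlPolicy $policyPath -Merge

# AppLocker is only enforced while the Application Identity service runs.
Start-Service -Name AppIDSvc

# 3. Which machines tried to run it? In the AppLocker "EXE and DLL" log, event
#    8004 means "prevented from running"; 8003 is the audit-only "would have
#    been prevented" record, useful while the collection is still in AuditOnly.
$blocked = Get-WinEvent -FilterHashtable @{
    LogName   = 'Microsoft-Windows-AppLocker/EXE and DLL'
    Id        = 8004
    StartTime = (Get-Date).AddDays(-7)
} -ErrorAction SilentlyContinue

$blocked | ForEach-Object {
    [pscustomobject]@{
        Time     = $_.TimeCreated
        Computer = $_.MachineName
        User     = $_.UserId
        Message  = $_.Message
    }
} | Format-Table -AutoSize
```

Rolling the collection out in AuditOnly first and reading the 8003 events gives the same "who tried to run it" signal without the risk of blocking something legitimate; switching to Enforce afterwards turns those into 8004 blocks. The event query is per host; run it through Invoke-Command or forward the AppLocker log to a collector to get the domain-wide view.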
