Cyberdefense/DeepBlueCLI
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Update DeepBlueHash-checker.ps1

Browse Source 
Updated for Virustotal API key v3
This commit is contained in:
Eric Conrad
2023-06-28 13:23:02 -04:00
committed by GitHub
parent cd3e304f27
commit 3c8fa15e28
1 changed files with 14 additions and 11 deletions
Download Patch File Download Diff File Expand all files Collapse all files

25
DeepBlueHash-checker.ps1
View File

@ -1,9 +1,14 @@
# Requires Posh-VirusTotal: https://github.com/darkoperator/Posh-VirusTotal # Requires VirusTotalAnalyzer: https://github.com/darkoperator/Posh-VirusTotal
# #
# Plus a (free) VirusTotal API Key: https://www.virustotal.com/en/documentation/public-api/ # Plus a (free) VirusTotal API Key: https://www.virustotal.com/en/documentation/public-api/
# #
Import-Module VirusTotalAnalyzer -Force
# API KEY can be found once you register to Virus Total service (it's free)
$VTApi = '<Your API Key>'
$hashdirectory = ".\hashes" $hashdirectory = ".\hashes"
$safelistfile=".\file-safelist.csv" $safelistfile=".\safelists\win10-x64.csv"
# Load the safelist into a hash table # Load the safelist into a hash table
if (Test-Path $safelistfile){ if (Test-Path $safelistfile){
$safelist = Get-Content $safelistfile | Select-String '^[^#]' | ConvertFrom-Csv $safelist = Get-Content $safelistfile | Select-String '^[^#]' | ConvertFrom-Csv
@ -21,32 +26,30 @@ Get-ChildItem $hashdirectory | Foreach-Object{
} }
Else{ Else{
try{ try{
$VTreport = Get-VTFileReport $SHA256 $VTreport = Get-VirusReport -ApiKey $VTApi -Hash "$SHA256"
} }
catch { catch {
Write-Host "`r`nAttempted to run: Get-VTFileReport $SHA256`r`r" Write-Host "`r`nAttempted to run: Get-Virusreport $SHA256`r`r"
Write-Host "Error: " $_.Exception.Message "`n" Write-Host "Error: " $_.Exception.Message "`n"
Write-Host "Have you installed Posh-VirusTotal and set the VirusTotal API key?" Write-Host "Have you installed VirusTotalAnalyzer and set the VirusTotal API key?"
Write-Host " - See: https://github.com/darkoperator/Posh-VirusTotal`r`n" Write-Host " - See: https://github.com/darkoperator/Posh-VirusTotal`r`n"
Write-Host "Once you have installed Posh-VirusTotal and have a VirusTotal API key, run the following command:`r`n"
Write-Host "Set-VTAPIKey -APIKey <API Key>`r`n"
Write-Host "Exiting...`n" Write-Host "Exiting...`n"
exit exit
} }
if ($VTreport.positives -eq 0){ $positives=$VTreport.Data.attributes.last_analysis_stats.malicious
if ($positives -eq 0){
# File is clean # File is clean
Rename-Item -Path "$hashdirectory\$SHA256" -NewName "$SHA256.clean" Rename-Item -Path "$hashdirectory\$SHA256" -NewName "$SHA256.clean"
} }
ElseIf ($VTreport.positives -gt 0){ ElseIf ($positives -gt 0){
# File is flagged by Virustotal # File is flagged by Virustotal
$positives=$VTreport.positives
Write-Host " - Hash was detected by $positives Virustotal scanners" Write-Host " - Hash was detected by $positives Virustotal scanners"
if ($positives -eq 1){ if ($positives -eq 1){
Write-Host " - Don't Panic (yet)! There is only one positive, which may be a sign of a false positive." Write-Host " - Don't Panic (yet)! There is only one positive, which may be a sign of a false positive."
Write-Host " - Check the VirusTotal report for more information." Write-Host " - Check the VirusTotal report for more information."
} }
Write-Host " - See $hashdirectory\$SHA256.Virustotal for the full report`r`n" Write-Host " - See $hashdirectory\$SHA256.Virustotal for the full report`r`n"
$VTreport | Set-Content "$hashdirectory\$SHA256.Virustotal" $VTreport.Data.attributes | Set-Content "$hashdirectory\$SHA256.Virustotal"
# Rename original hash file, add the Virustotal positive count as a numbered extension # Rename original hash file, add the Virustotal positive count as a numbered extension
# $SHA256.$positives # $SHA256.$positives
Rename-Item -Path "$hashdirectory\$SHA256" -NewName "$SHA256.$positives" Rename-Item -Path "$hashdirectory\$SHA256" -NewName "$SHA256.$positives"