Initial version of DeepWhite
This commit is contained in:
Eric Conrad
58
DeepWhite-checker.ps1
Normal file
58
DeepWhite-checker.ps1
Normal file
@ -0,0 +1,58 @@
|
|||||||
|
# Requires Posh-VirusTotal: https://github.com/darkoperator/Posh-VirusTotal
|
||||||
|
#
|
||||||
|
# Plus a (free) VirusTotal API Key: https://www.virustotal.com/en/documentation/public-api/
|
||||||
|
#
|
||||||
|
$hashdirectory = ".\hashes"
|
||||||
|
$whitelistfile=".\file-whitelist.csv"
|
||||||
|
# Load the whitelist into a hash table
|
||||||
|
if (Test-Path $whitelistfile){
|
||||||
|
$whitelist = Get-Content $whitelistfile | Select-String '^[^#]' | ConvertFrom-Csv
|
||||||
|
$hashes=@{}
|
||||||
|
foreach($entry in $whitelist){
|
||||||
|
$hashes[$entry.sha256]=$entry.path
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
Get-ChildItem $hashdirectory | Foreach-Object{
|
||||||
|
if ($_.Name -Match '^[0-9A-F]{64}$'){ # SHA256 hashes are 64 character hex strings
|
||||||
|
$SHA256=$_.Name
|
||||||
|
if ($hashes.containsKey($SHA256)){
|
||||||
|
Rename-Item -Path "$hashdirectory\$SHA256" -NewName "$SHA256.whitelisted"
|
||||||
|
}
|
||||||
|
Else{
|
||||||
|
try{
|
||||||
|
$VTreport = Get-VTFileReport $SHA256
|
||||||
|
}
|
||||||
|
catch {
|
||||||
|
Write-Host "`r`nAttempted to run: Get-VTFileReport $SHA256`r`r"
|
||||||
|
Write-Host "Error: " $_.Exception.Message "`n"
|
||||||
|
Write-Host "Have you installed Posh-VirusTotal and set the VirusTotal API key?"
|
||||||
|
Write-Host " - See: https://github.com/darkoperator/Posh-VirusTotal`r`n"
|
||||||
|
Write-Host "Once you have installed Posh-VirusTotal and have a VirusTotal API key, run the following command:`r`n"
|
||||||
|
Write-Host "Set-VTAPIKey -APIKey <API Key>`r`n"
|
||||||
|
Write-Host "Exiting...`n"
|
||||||
|
exit
|
||||||
|
}
|
||||||
|
if ($VTreport.positives -eq 0){
|
||||||
|
# File is clean
|
||||||
|
Rename-Item -Path "$hashdirectory\$SHA256" -NewName "$SHA256.clean"
|
||||||
|
}
|
||||||
|
ElseIf ($VTreport.positives -gt 0){
|
||||||
|
# File is flagged by Virustotal
|
||||||
|
$positives=$VTreport.positives
|
||||||
|
Write-Host " - Hash was detected by " + $positives + " Virustotal scanners`r`n"
|
||||||
|
if ($positives -eq 1){
|
||||||
|
Write-Host " - Don't Panic (yet)! There is only one positive, which may be a sign of a false positive.`r`n"
|
||||||
|
Write-Host " - Check the VirusTotal report for more information.`r`n"
|
||||||
|
}
|
||||||
|
Write-Host " - See $hashdirectory\$SHA256.Virustotal for the full report"
|
||||||
|
$VTreport | Set-Content "$hashdirectory\$SHA256.Virustotal"
|
||||||
|
# Rename original hash file, add the Virustotal positive count as a numbered extension
|
||||||
|
$SHA256.$positives
|
||||||
|
Rename-Item -Path "$hashdirectory\$SHA256" -NewName "$SHA256.$positives"
|
||||||
|
}
|
||||||
|
# Wait 15 seconds between submissions, for public Virustotal API keys
|
||||||
|
Start-Sleep -s 15
|
||||||
|
}
|
||||||
|
}
|
||||||
|
}
|
||||||
38
DeepWhite-collector.ps1
Normal file
38
DeepWhite-collector.ps1
Normal file
@ -0,0 +1,38 @@
|
|||||||
|
$hashdirectory=".\hashes\"
|
||||||
|
$events = get-winevent @{logname="Microsoft-Windows-Sysmon/Operational";id=1,6,7}
|
||||||
|
ForEach ($event in $events) {
|
||||||
|
if ($event.id -eq 1){ # Process creation
|
||||||
|
$path=$event.Properties[3].Value # Full path of the file
|
||||||
|
$hash=$event.Properties[11].Value # Hashes
|
||||||
|
}
|
||||||
|
Else{
|
||||||
|
# Hash and path are part of the message field in Sysmon events 6 and 7. Need to parse the XML
|
||||||
|
$eventXML = [xml]$event.ToXml()
|
||||||
|
If ($event.id -eq 6){ # Driver (.sys) load
|
||||||
|
$path=$eventxml.Event.EventData.Data[1]."#text" # Full path of the file
|
||||||
|
$hash=$eventXML.Event.EventData.Data[2]."#text" # Hashes
|
||||||
|
}
|
||||||
|
ElseIf ($event.id -eq 7){ # Image (.dll) load
|
||||||
|
$path=$eventxml.Event.EventData.Data[4]."#text" # Full path of the file
|
||||||
|
$hash=$eventXML.Event.EventData.Data[5]."#text" # Hashes
|
||||||
|
}
|
||||||
|
Else{
|
||||||
|
Out-Host "Logic error 1, should not reach here..."
|
||||||
|
Exit 1
|
||||||
|
}
|
||||||
|
}
|
||||||
|
# Multiple hashes may be logged, we want SHA256. Remove everything through "SHA256="
|
||||||
|
$SHA256= $hash -Replace "^.*SHA256=",""
|
||||||
|
# Split the string on commas, grab field 0
|
||||||
|
$SHA256=$SHA256.Split(",")[0]
|
||||||
|
if ($SHA256 -Match '^[0-9A-F]{64}$'){ # SHA256 hashes are 64 character hex strings
|
||||||
|
$hashfile="$hashdirectory\$SHA256"
|
||||||
|
if (-not (Test-Path "$hashfile*")){
|
||||||
|
# Hash file doesn't exist (or any variants with extensions), create it
|
||||||
|
$path | Set-Content $hashfile
|
||||||
|
}
|
||||||
|
}
|
||||||
|
Else{
|
||||||
|
Out-Host "No SHA256 hash found. Ensure Sysmon is creating SHA256 hashes"
|
||||||
|
}
|
||||||
|
}
|
||||||
16471
win10-x64.csv
Normal file
16471
win10-x64.csv
Normal file
File diff suppressed because it is too large
Load Diff
Reference in New Issue
Block a user