Initial version of DeepWhite

2017-09-07 16:03:48 -04:00
parent 5da2bdc20b
commit 7ecc8532b6
3 changed files with 16567 additions and 0 deletions
--- a/DeepWhite-checker.ps1
+++ b/DeepWhite-checker.ps1
@ -0,0 +1,58 @@
+# Requires Posh-VirusTotal: https://github.com/darkoperator/Posh-VirusTotal
+#
+# Plus a (free) VirusTotal API Key: https://www.virustotal.com/en/documentation/public-api/
+#
+$hashdirectory = ".\hashes"
+$whitelistfile=".\file-whitelist.csv"
+# Load the whitelist into a hash table
+if (Test-Path $whitelistfile){
+    $whitelist = Get-Content $whitelistfile | Select-String '^[^#]' | ConvertFrom-Csv
+    $hashes=@{}
+    foreach($entry in $whitelist){
+        $hashes[$entry.sha256]=$entry.path
+    }
+}
+
+Get-ChildItem $hashdirectory | Foreach-Object{
+    if ($_.Name -Match '^[0-9A-F]{64}$'){ # SHA256 hashes are 64 character hex strings
+        $SHA256=$_.Name
+        if ($hashes.containsKey($SHA256)){
+           Rename-Item -Path "$hashdirectory\$SHA256" -NewName "$SHA256.whitelisted"
+        }
+        Else{
+            try{
+                $VTreport = Get-VTFileReport $SHA256
+            }
+            catch {
+                Write-Host "`r`nAttempted to run: Get-VTFileReport $SHA256`r`r"
+    	        Write-Host "Error: " $_.Exception.Message "`n"
+                Write-Host "Have you installed Posh-VirusTotal and set the VirusTotal API key?"
+                Write-Host " - See: https://github.com/darkoperator/Posh-VirusTotal`r`n"
+                Write-Host "Once you have installed Posh-VirusTotal and have a VirusTotal API key, run the following command:`r`n"
+                Write-Host "Set-VTAPIKey -APIKey <API Key>`r`n"
+                Write-Host "Exiting...`n"
+                exit
+            }
+            if ($VTreport.positives -eq 0){
+                # File is clean
+                Rename-Item -Path "$hashdirectory\$SHA256" -NewName "$SHA256.clean"
+            }
+            ElseIf ($VTreport.positives -gt 0){
+                # File is flagged by Virustotal
+                $positives=$VTreport.positives
+                Write-Host " - Hash was detected by " + $positives + " Virustotal scanners`r`n"
+                if ($positives -eq 1){
+                    Write-Host " - Don't Panic (yet)! There is only one positive, which may be a sign of a false positive.`r`n"
+                    Write-Host " - Check the VirusTotal report for more information.`r`n"
+                }
+                Write-Host " - See $hashdirectory\$SHA256.Virustotal for the full report"
+                $VTreport | Set-Content "$hashdirectory\$SHA256.Virustotal"
+                # Rename original hash file, add the Virustotal positive count as a numbered extension
+                $SHA256.$positives
+                Rename-Item -Path "$hashdirectory\$SHA256" -NewName "$SHA256.$positives"
+             }
+             # Wait 15 seconds between submissions, for public Virustotal API keys
+             Start-Sleep -s 15
+        }
+    }
+}
--- a/DeepWhite-collector.ps1
+++ b/DeepWhite-collector.ps1
@ -0,0 +1,38 @@
+$hashdirectory=".\hashes\"
+$events = get-winevent @{logname="Microsoft-Windows-Sysmon/Operational";id=1,6,7} 
+ForEach ($event in $events) {
+    if ($event.id -eq 1){ # Process creation
+        $path=$event.Properties[3].Value   # Full path of the file
+        $hash=$event.Properties[11].Value  # Hashes
+    }
+    Else{
+        # Hash and path are part of the message field in Sysmon events 6 and 7. Need to parse the XML
+        $eventXML = [xml]$event.ToXml()
+        If ($event.id -eq 6){ # Driver (.sys) load    
+            $path=$eventxml.Event.EventData.Data[1]."#text" # Full path of the file
+            $hash=$eventXML.Event.EventData.Data[2]."#text" # Hashes
+        }
+        ElseIf ($event.id -eq 7){ # Image (.dll) load
+            $path=$eventxml.Event.EventData.Data[4]."#text" # Full path of the file
+            $hash=$eventXML.Event.EventData.Data[5]."#text" # Hashes   
+        }
+        Else{
+            Out-Host "Logic error 1, should not reach here..."
+            Exit 1
+        }
+    }
+    # Multiple hashes may be logged, we want SHA256. Remove everything through "SHA256="
+    $SHA256= $hash -Replace "^.*SHA256=",""
+    # Split the string on commas, grab field 0
+    $SHA256=$SHA256.Split(",")[0]        
+    if ($SHA256 -Match '^[0-9A-F]{64}$'){ # SHA256 hashes are 64 character hex strings
+        $hashfile="$hashdirectory\$SHA256"
+        if (-not (Test-Path "$hashfile*")){  
+            # Hash file doesn't exist (or any variants with extensions), create it
+            $path | Set-Content $hashfile
+        }
+    }
+    Else{
+        Out-Host "No SHA256 hash found. Ensure Sysmon is creating SHA256 hashes"
+    }
+}
--- a/win10-x64.csv
+++ b/win10-x64.csv