From dc4af74e9beafa5746cb9893c8356ba05c8037fd Mon Sep 17 00:00:00 2001
From: Eric Conrad <git@zez.me>
Date: Tue, 19 Sep 2017 08:45:28 -0400
Subject: [PATCH] Update DeepWhite.md

---
 DeepWhite.md | 17 +----------------
 1 file changed, 1 insertion(+), 16 deletions(-)

diff --git a/DeepWhite.md b/DeepWhite.md
index f612e19..3cd8b73 100644
--- a/DeepWhite.md
+++ b/DeepWhite.md
@@ -61,23 +61,8 @@ Also see @swiftonsecurity's awesome Sysmon config here: https://github.com/Swift
 
 ## Generating a Whitelist
 
-Install hashdeep: https://github.com/jessek/hashdeep/releases
-
 Generate a custom whitelist on Windows (note: this is optional):
 
 ```
-C:\> hashdeep.exe -r / -c md5,sha1,sha56 > raw-hashes.csv
+PS> Get-ChildItem c:\windows\system32 -Include '*.exe','*.dll','*.sys','*.com' -Recurse | Get-FileHash| Export-Csv -Path whitelist.csv
 ```
-Note that hashdeep, etc., has a dumb recursive design (from the manpage):
-
-> Enables recursive mode. All subdirectories are traversed. Please note that recursive mode cannot be used to examine all files of a given file extension. For example, calling hashdeep -r *.txt will examine all files in directories that end in .txt. 
-
-On Linux/Unix: create a new CSV with the proper header (required by PowerShell's ConvertFrom-Csv), take the raw CSV, remove the carriage returns, select DLLs, EXEs and SYS files, grab the 2nd field to the end, and append to the new CSV:
-
-```shell
-$ echo "md5,sha1,sha256,path" > file-whitelist.csv
-$ cat raw-hashes.csv | tr -d '\r' | egrep "\.dll$|\.exe$|\.sys$" | cut -d, -f2- >> file-whitelist.csv
-```
-
-Todo: add PowerShell instructions to do this on Windows. Contributions welcome! 
-