We are supposedly getting hit with some ransomware, and the FBI supplied us with MD5 hashes/checksums for the 6 different files to look out for. I have the file names, and the MD5 hashes. Is there a way to create a custom inventory rule or something to look for these specific checksums? 

Thanks :)
0 Comments   [ + ] Show Comments

Comments

Please log in to comment

Answers

1
for a known location you can use


the results are

Answered 05/11/2016 by: SMal.tmcc
Red Belt

  • I need to work on one for the name only. I plan on using wmic datafile to locate the file name location and save that as a text file then plug in the text file results to the same call as above. I will post that when I it done
Please log in to comment
1
Ok here is a cir to search the drive for a specific file name and then write the md5 hash to the cir.

I want to get the hash for a file name secinit.exe.

shellcommandtextreturn(TYPE nul > c:\programdata\dell\kace\user\secinit.txt & dir /s /b c:\secinit.exe>>c:\programdata\dell\kace\user\secinit.txt & for /f "tokens=*" %g in ('findstr /c:"secinit.exe" c:\programdata\dell\kace\user\secinit.txt') do CertUtil -hashfile %g MD5)





zoomed in - right side chopped


You can then create reports and use the does or does not contain and use the hash they sent you in the comparison.


Answered 05/12/2016 by: SMal.tmcc
Red Belt

  • I used wmic datafile at first but it took 30 minutes to search my drive and that would not be a good thing to have a CIR doing, that would hold up the kace inventory process's till it completed.
Please log in to comment
0
For a CIR, do something like this:  ShellCommandTextReturn(dir /S <filename>)

You could also have a Kscript output to a file and then have a CIR read it.  You could then report off of that CIR.

Something like this:

KScript: dir /S <filename>  > c:\<location>\results.txt
CIR: ShellCommandTextReturn(type c:\<location>\results.txt)

Off the top of my head, I can't think of a way to check a drive against a checksum, but if it's possible from the command line, the K1000 can help you do it.

This looks like it could work: https://support.microsoft.com/en-us/kb/841290
Answered 05/10/2016 by: jknox
Red Belt

  • Can you not use the binary file inventory table from the database and doesn't this also have a MD5 column?
    • I'm not sure what that is, and it doesn't look like that's exactly what I want anyways. The file locations may be random I believe, so I just need to search for all files with the MD5 checksum.
Please log in to comment
0
CertUtil -hashfile yourFileName MD5

if you know the path you can create a cir like

shellcommandtextreturn(cmd /c CertUtil -hashfile C:\DRIVERS\IntelBluetooth\autorun.exe MD5)

Answered 05/11/2016 by: SMal.tmcc
Red Belt

  • MD5 hash of file C:\DRIVERS\IntelBluetooth\autorun.exe:
    ba 16 0c 5f 2a 42 c9 f4 57 9c ae c0 d0 70 2e 79
    CertUtil: -hashfile command completed successfully.
    • How would I go about setting this up in a custom inventory field? I'm assuming files are under the system32 directory, like so:

      C:\Windows\System32\samsam.exe

      How would I set this up in KACE for me to see what machines have that file then? I don't want false positives, which is why I had the MD5.
Please log in to comment
0
I created a VBS script for this today but I haven't tested it in the K1000.

I would create an offline Kscript with the options 'Run once at next interval' and 'Run even with no one logged in'.

For the Kscript don't select 'wait for script to finish'. You also have to run the script with the command line cmd /C cscript md5search.vbs

In the VBS script, you will need to modify the sample md5 variables starting on line 22.

Then create a custom inventory rule that checks for the existence of C:\ProgramData\Dell\KACE\user\md5Found.txt and if found grab the contents.

Then you can create a smart label to identify the PCs.

Then after the next check in you may see results.

Here is the VBS script

' Find files that match the array of checksum
' and output the results to a text file at
' C:\ProgramData\Dell\KACE\user\md5Found.txt

' Change the checksum array to search for, the size of the array,
' and also the objStartFolder variable

Option Explicit
On Error Resume Next

Dim objStartFolder, objFolder, colFiles, objFile

Dim objFSO : Set objFSO = CreateObject("Scripting.FileSystemObject")
Dim WshShell : Set WshShell = CreateObject("WScript.Shell")

' Hold the filenames and hashes for matching hash comparisons
Dim objDictionary : Set objDictionary = CreateObject("Scripting.Dictionary")
objDictionary.CompareMode = vbTextCompare

' Sample MD5 hashes for the files to look for
Dim arrMd5(6)
arrMd5(0) = "dd29517ff3e9e4322d3e47dcf1093d26"
arrMd5(1) = "0fb897a493ad3267339d246e18f4f0a5"
arrMd5(2) = "d06592c7d0ddd9fecbfb53ee09aca2dc"
arrMd5(3) = "169ba77300269a28a58c44f7c0cfbb5d"
arrMd5(4) = "d727d2c01f61f5d4d4d5a8e931c1b118"
arrMd5(5) = "93a87b6c049c42592270bd67804fb83f"

' Start searching the filesytem from this folder
objStartFolder = "C:\Windows\System32"

If Not (objFSO.FolderExists(objStartFolder)) Then
' WScript.Echo "Start folder does not exist."
WScript.Quit 1
End If

' Get list of files through cmd dir
Set ObjExec = WshShell.Exec("cmd /q /c dir /a /b /s " & Chr(34) & objStartFolder & Chr(34))

' http://ss64.com/vb/stdoutread.html
Do
Dim strFilePath, strFileHash, i, ObjExec, strFromProc
strFromProc = ObjExec.StdOut.ReadLine()
strFilePath = strFromProc
strFileHash = LCase(bytesToHex(md5hashBytes(GetBytes(strFilePath))))
For i=0 to UBound(arrMd5) - 1
If strFileHash = arrMd5(i) Then
objDictionary.Add strFilePath, strFileHash
End If
Next
Loop While Not ObjExec.Stdout.atEndOfStream

If objDictionary.Count > 0 Then
Dim a, x, outFile

Set outFile = objFso.CreateTextFile("C:\ProgramData\Dell\KACE\user\md5Found.txt", True)

a = objDictionary.Keys
For x=0 to objDictionary.Count - 1
outFile.WriteLine "Filename: " & a(x)
outFile.WriteLine "Hash: " & objDictionary.Item(a(x))
outFile.Write vbCrLf
Next
outFile.Close
End If

WScript.Quit

' All these functions are from
' http://stackoverflow.com/questions/10198690/how-to-generate-md5-using-vb-in-classic-asp
function md5hashBytes(aBytes)
On Error Resume Next
Dim MD5
set MD5 = CreateObject("System.Security.Cryptography.MD5CryptoServiceProvider")

MD5.Initialize()
'Note you MUST use computehash_2 to get the correct version of this method, and the bytes MUST be double wrapped in brackets to ensure they get passed in correctly.
md5hashBytes = MD5.ComputeHash_2( (aBytes) )
end function

function stringToUTFBytes(aString)
On Error Resume Next
Dim UTF8
Set UTF8 = CreateObject("System.Text.UTF8Encoding")
stringToUTFBytes = UTF8.GetBytes_4(aString)
end function

function bytesToHex(aBytes)
On Error Resume Next
dim hexStr, x
for x=1 to lenb(aBytes)
hexStr= hex(ascb(midb( (aBytes),x,1)))
if len(hexStr)=1 then hexStr="0" & hexStr
bytesToHex=bytesToHex & hexStr
next
end function

Function BytesToBase64(varBytes)
On Error Resume Next
With CreateObject("MSXML2.DomDocument").CreateElement("b64")
.dataType = "bin.base64"
.nodeTypedValue = varBytes
BytesToBase64 = .Text
End With
End Function

Function GetBytes(sPath)
On Error Resume Next
With CreateObject("Adodb.Stream")
.Type = 1 ' adTypeBinary
.Open
.LoadFromFile sPath
.Position = 0
GetBytes = .Read
.Close
End With
End Function

Answered 05/13/2016 by: flip1001
Fourth Degree Green Belt

  • Awesome! Thanks. I'll have to test it out this week. Had a bunch of servers go down this weekend, so I won't have time to play with this until later in the week.
Please log in to comment
Answer this question or Comment on this question for clarity
Admin Script Editor
Admin Script Editor is an integrated scripting environment available free here at ITNinja

Share