I need to write some relevance that will compare the hash of a known file against a list of hashes and return true if the file’s hash does not match any hash in the list.
filename = c:\windows\system32\ping.exe
sha = “1234567”
known good hashes = “3453456” “5345635” “345252452”
In the example above, I need relevance that will return "true" because the file's hash does not match any hash in the list.
I've tried the below, which I assumed would return false, but it still returned true:
sha1 of file "c:\windows\system32\ping.exe" != "3453456" or sha1 of file "c:\windows\system32\ping.exe" != "5345635" or sha1 of file "c:\windows\system32\ping.exe" != "1234567"
With a bunch of OR statements you will get TRUE if any of the statements are true.
{ sha1 of file "c:\windows\system32\ping.exe" != "3453456" } is a TRUE statement. Any time that statement is joined via OR with other statements you will always get a TRUE result.
If you use ANDs then if any one of those “not equals” statements is FALSE then the entire result will be FALSE.
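The OR-versus-AND point above is easy to verify outside the relevance debugger. The following is an added example written for this thread, not code from the original posts or from BigFix: it hashes a constructed file, builds a constructed "known good" list (SHA-1 of three test strings, stored in uppercase the way a pasted vendor list often is), and evaluates the same chain of `!=` terms both ways. It also shows the second trap the thread runs into, hash case: the AND chain only detects a match when both sides are compared in the same case.

```python
# Added example for this thread, not code from the original posts or from BigFix.
# It reproduces the OR-vs-AND logic in Python so the behaviour can be checked
# on a constructed file. All hashes below are constructed from test strings.
import hashlib
import os
import tempfile


def sha1_of_file(path: str) -> str:
    """Hex SHA-1 of a file, read in chunks; lowercase, as hashlib returns it."""
    h = hashlib.sha1()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


# Constructed "known good" list: SHA-1 of three test strings, stored in
# uppercase to mimic a hash list pasted from a vendor advisory.
KNOWN_GOOD = [hashlib.sha1(s).hexdigest().upper()
              for s in (b"known-a", b"known-b", b"hello")]


def or_of_not_equals(digest: str, known: list) -> bool:
    """The first attempt from the thread: OR over 'digest != hash' terms.
    At most one term can be false, so with two or more hashes the result
    is always True, whatever the file contains."""
    return any(digest.lower() != k.lower() for k in known)


def and_of_not_equals(digest: str, known: list, normalise: bool = True) -> bool:
    """AND over 'digest != hash' terms: True only if the digest matches none.
    With normalise=False the comparison is case-sensitive, which is the
    trap the 'as lowercase' casts in the thread are there to avoid."""
    if normalise:
        return all(digest.lower() != k.lower() for k in known)
    return all(digest != k for k in known)


def is_unknown_hash(digest: str, known: list) -> bool:
    """Same question asked as a set-membership test (what the AND chain means)."""
    return digest.lower() not in {k.lower() for k in known}


def make_sample_file(content: bytes) -> str:
    """Write constructed content to a temp file and return its path."""
    fd, path = tempfile.mkstemp(suffix=".bin")
    with os.fdopen(fd, "wb") as f:
        f.write(content)
    return path


if __name__ == "__main__":
    # "hello" is on the known-good list; "something-else" is not.
    for content in (b"hello", b"something-else"):
        path = make_sample_file(content)
        d = sha1_of_file(path)
        print(content, d)
        print("  OR  of !=          :", or_of_not_equals(d, KNOWN_GOOD))
        print("  AND of !=          :", and_of_not_equals(d, KNOWN_GOOD))
        print("  AND, case-sensitive:", and_of_not_equals(d, KNOWN_GOOD, normalise=False))
        print("  not in set         :", is_unknown_hash(d, KNOWN_GOOD))
        os.remove(path)
```

Running it shows the OR chain reporting True for both files, while the normalised AND chain (and the equivalent set test) is False for the file whose hash is on the list and True for the other. The case-sensitive AND variant reports True even for the listed file, because hashlib returns lowercase hex and the list is uppercase; that is the same reason the reply's relevance casts each constant `as lowercase`.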
No errors that time, but I didn't get the results I needed. I need the relevance to only be true if the file's sha1 doesn't match any one of the known good hashes. See below:
Q: (it != "005AAD8912A62127A2F416AA9FD089000D24851A" OR it != "03C9CD0D8E90DD8754F8488A085359C818A28A90" OR it != "0DB4AB7E18991BF64139E7078249679098C85F2C" OR it != "17257DF49E03DAF2BA1FA286FBE2C14802ACCD2A" OR it != "1B10F5F97E2B7159C872B3576D72B4CF2AD2FFB5" OR it != "236F25115C31DBFEB11D9BF12B620266F46BA041" OR it != "2667D90C7B0CBCC212B8C9143C28C7AD5105BE49" OR it != "2803AD07C1C7A8908BBDB5F7AB32A19C9A724ECC" OR it != "2915AA45C3FAF60137402270F0C915C0F5CA2CD1" OR it != "2C73542A1598AEA03F7927ECF8F7156106037D67" OR it != "2D570F7E8CD9DFED179996AC40F7F7EF7AC99E93" OR it != "2EA3BAFD66A74ADC6B835F31BD4E4A228F666A5D" OR it != "309FF9840F53DFF406EC580063A9975224F626DE" OR it != "30AE3FF04C8D486A5BE77ACB0939B06AF626F17D" OR it != "328BB23CEF7816035E32B3BF28A9F9606B9FF255" OR it != "34F96E4305B6E28B966F15E9845748E44AF35762" OR it != "38A8E15E68D64670016E62D6D2150F812CD31298" OR it != "44A4B285C1B27FEB36E0E0C3D0081A63241AE6AF" OR it != "487AA6CDB994E1855B33C1F3B0BE522C36540E56" OR it != "540F94FA630BB64529F656C6EAA4F48A3F87756D" OR it != "5690D97E9F9E913431AA9453D0185F2665A713CC" OR it != "583C919DF623E4B8A7B3EFAD6D2E1C792B823D5D" OR it != "58BC35673C8B1F751CD0584A6914740B2F3DCAAE" OR it != "5A658A36EF43147CB3F1DBC4276EA82A239BF8FA" OR it != "5FBA738B9698AA61645CFFE3AD95192C4BACDC49" OR it != "61CBFAB7CB5AB27EED9193F225B77E2EF6BA7321" OR it != "62ABAB09DFD971A90C2030BE44778206991CE2D6" OR it != "6441922698A8CD80A2FC0AE15EFDAF0A0208F50B" OR it != "694BDB08101AD5C18BB5B3425EE01073320B8D8E" OR it != "6BE7E7A20D2AB835C78EB8F3759C304888B86BD4" OR it != "6DB4B4F065610CAE100FBDB850AFC9F16C76AB65" OR it != "6EAEBB4ADCB8B240571D447A1EE9B665F6C181D2" OR it != "752211F65B693C721E27785FCC6C74E9B71997E9" OR it != "7E98241E1B21361CC02DC88EB57C9BB9CF1F4239" OR it != "82B79C07941775B6072D97D5D033E45E8D3C6FDF" OR it != "87230AD4C2646376B819DDA4963DD2C49BC50D7A" OR it != "8FD4C3533D648A14C8183D6F3A3AFEF3D1CC75CE" OR it != "91BD59E2BB7B9ED95B1DF85B314EA8FF0B3B86FD" OR it != "9625698340941EB6D519A219396296E45FDCF7DB" OR it != "97586996280F2A61AE5193DB827C44300BF27FCD" OR it != "9811B4A14E3196AAC93DF7CE2F50C84030AA7D13" OR it != "9BA779EE746DCC5A44B30BDA6436E07997236E52" OR it != "9E1E2EDDA59BDE29226CAD2D5BDA5A954BFCA5DC" OR it != "9F7658F361D9F1398DD90707EDE01F0032991946" OR it != "A09564B76C13C8470A44509A17B4B6023295A361" OR it != "A310EF2F35A8670F6C4B7872073F94764C23FA08" OR it != "A3E367F7F30A9BF9064DEFBF94C36F4EB7CA4C0A" OR it != "ABB417B6F06F8C18F92DCD62D9BC9F2284F468E9" OR it != "B194BB244FF0FD101DCDA79CD8FFC8D33C392D13" OR it != "C6CD44574CC0F5BAC24DE85B0933A132B3A0D684" OR it != "C97875A6819A3F675ABE42C8BB870E191102C94C" OR it != "C98D1FF5D9E1D8366CF130899BC210EBE54E77F8" OR it != "CA58E7CA1EE50FB8EB7428064DFE84381EEDB453" OR it != "CD3B8E1C9C1096C635AA7B37D545C9B0CA241F70" OR it != "CF2DA46516BE3FC6312C2F05DF33C6A05F8562D7" OR it != "D6ED920D3D0ACEB52930A753256A21D43AE1899E" OR it != "D7E22080BF67CA6AE29BB12A51E865C22DDA48F7" OR it != "DA27CBA986161938C5086BB5C94FBBAB523B1F37" OR it != "DF025689B1E2E3C813969828AF26573BA4E2F23A" OR it != "E42C0D9D4669D41F8AB45F31F12B405489F39AFD" OR it != "E5EDDC4EF26EED5A64E4B4C509F01E224238D3C6" OR it != "E634C31114AE87D026812748E791402D69C6D996" OR it != "E667F70144423A645C6BC67CE01424F720594320" OR it != "E79A39606A2067120AEF63431F2C073B4B9298DC" OR it != "E9B9F0A53ED36C9464E4C4C154878742F1CA6EC6" OR it != "EAF20A3BC180FFE0AD59FF7AC786A5FC27DB0C3B" OR it != "EB60EEFA1AD57FA27E661032329AD9AF5FD243DA" OR it != "ED9E18A7E5EE245B77CFB4FC560013849072C943" OR it != "EF7A63AC6A45FA3BD6DD7390CA60462F61A6FCB2" OR it != "F3AF84FA7D5536E54F6A5357F3AC5AEDFA7EE52A" OR it != "FA0E76E509A8DF67B36B20BCBD0F6E4406DF32BA" OR it != "FAEFB399B9FFEBA156D31E2A0DE4195793300343" OR it != "FBDD32ED13D27E4102621E1067FDF3634F33B2C3" OR it != "FBFFF74687F608887E277068ED0390BD04CCF506" OR it != "FEDDBA02158D0425E5895439663C0481CA3911E6") of sha1 of file "c:\windows\system32\sqlsodbc.chm"
A: True
Because the sha1 of the file I am using the debugger on is "87230AD4C2646376B819DDA4963DD2C49BC50D7A", I would have expected the answer to be false.
Q: (it != "005AAD8912A62127A2F416AA9FD089000D24851A" as lowercase AND it != "03C9CD0D8E90DD8754F8488A085359C818A28A90" as lowercase AND it != "0DB4AB7E18991BF64139E7078249679098C85F2C" as lowercase AND it != "17257DF49E03DAF2BA1FA286FBE2C14802ACCD2A" as lowercase AND it != "1B10F5F97E2B7159C872B3576D72B4CF2AD2FFB5" as lowercase AND it != "236F25115C31DBFEB11D9BF12B620266F46BA041" as lowercase AND it != "2667D90C7B0CBCC212B8C9143C28C7AD5105BE49" as lowercase AND it != "2803AD07C1C7A8908BBDB5F7AB32A19C9A724ECC" as lowercase AND it != "2915AA45C3FAF60137402270F0C915C0F5CA2CD1" as lowercase AND it != "2C73542A1598AEA03F7927ECF8F7156106037D67" as lowercase AND it != "2D570F7E8CD9DFED179996AC40F7F7EF7AC99E93" as lowercase AND it != "2EA3BAFD66A74ADC6B835F31BD4E4A228F666A5D" as lowercase AND it != "309FF9840F53DFF406EC580063A9975224F626DE" as lowercase AND it != "30AE3FF04C8D486A5BE77ACB0939B06AF626F17D" as lowercase AND it != "328BB23CEF7816035E32B3BF28A9F9606B9FF255" as lowercase AND it != "34F96E4305B6E28B966F15E9845748E44AF35762" as lowercase AND it != "38A8E15E68D64670016E62D6D2150F812CD31298" as lowercase AND it != "44A4B285C1B27FEB36E0E0C3D0081A63241AE6AF" as lowercase AND it != "487AA6CDB994E1855B33C1F3B0BE522C36540E56" as lowercase AND it != "540F94FA630BB64529F656C6EAA4F48A3F87756D" as lowercase AND it != "5690D97E9F9E913431AA9453D0185F2665A713CC" as lowercase AND it != "583C919DF623E4B8A7B3EFAD6D2E1C792B823D5D" as lowercase AND it != "58BC35673C8B1F751CD0584A6914740B2F3DCAAE" as lowercase AND it != "5A658A36EF43147CB3F1DBC4276EA82A239BF8FA" as lowercase AND it != "5FBA738B9698AA61645CFFE3AD95192C4BACDC49" as lowercase AND it != "61CBFAB7CB5AB27EED9193F225B77E2EF6BA7321" as lowercase AND it != "62ABAB09DFD971A90C2030BE44778206991CE2D6" as lowercase AND it != "6441922698A8CD80A2FC0AE15EFDAF0A0208F50B" as lowercase AND it != "694BDB08101AD5C18BB5B3425EE01073320B8D8E" as lowercase AND it != "6BE7E7A20D2AB835C78EB8F3759C304888B86BD4" as lowercase AND it != "6DB4B4F065610CAE100FBDB850AFC9F16C76AB65" as lowercase AND it != "6EAEBB4ADCB8B240571D447A1EE9B665F6C181D2" as lowercase AND it != "752211F65B693C721E27785FCC6C74E9B71997E9" as lowercase AND it != "7E98241E1B21361CC02DC88EB57C9BB9CF1F4239" as lowercase AND it != "82B79C07941775B6072D97D5D033E45E8D3C6FDF" as lowercase AND it != "87230AD4C2646376B819DDA4963DD2C49BC50D7A" as lowercase AND it != "8FD4C3533D648A14C8183D6F3A3AFEF3D1CC75CE" as lowercase AND it != "91BD59E2BB7B9ED95B1DF85B314EA8FF0B3B86FD" as lowercase AND it != "9625698340941EB6D519A219396296E45FDCF7DB" as lowercase AND it != "97586996280F2A61AE5193DB827C44300BF27FCD" as lowercase AND it != "9811B4A14E3196AAC93DF7CE2F50C84030AA7D13" as lowercase AND it != "9BA779EE746DCC5A44B30BDA6436E07997236E52" as lowercase AND it != "9E1E2EDDA59BDE29226CAD2D5BDA5A954BFCA5DC" as lowercase AND it != "9F7658F361D9F1398DD90707EDE01F0032991946" as lowercase AND it != "A09564B76C13C8470A44509A17B4B6023295A361" as lowercase AND it != "A310EF2F35A8670F6C4B7872073F94764C23FA08" as lowercase AND it != "A3E367F7F30A9BF9064DEFBF94C36F4EB7CA4C0A" as lowercase AND it != "ABB417B6F06F8C18F92DCD62D9BC9F2284F468E9" as lowercase AND it != "B194BB244FF0FD101DCDA79CD8FFC8D33C392D13" as lowercase AND it != "C6CD44574CC0F5BAC24DE85B0933A132B3A0D684" as lowercase AND it != "C97875A6819A3F675ABE42C8BB870E191102C94C" as lowercase AND it != "C98D1FF5D9E1D8366CF130899BC210EBE54E77F8" as lowercase AND it != "CA58E7CA1EE50FB8EB7428064DFE84381EEDB453" as lowercase AND it != "CD3B8E1C9C1096C635AA7B37D545C9B0CA241F70" as lowercase AND it != "CF2DA46516BE3FC6312C2F05DF33C6A05F8562D7" as lowercase AND it != "D6ED920D3D0ACEB52930A753256A21D43AE1899E" as lowercase AND it != "D7E22080BF67CA6AE29BB12A51E865C22DDA48F7" as lowercase AND it != "DA27CBA986161938C5086BB5C94FBBAB523B1F37" as lowercase AND it != "DF025689B1E2E3C813969828AF26573BA4E2F23A" as lowercase AND it != "E42C0D9D4669D41F8AB45F31F12B405489F39AFD" as lowercase AND it != "E5EDDC4EF26EED5A64E4B4C509F01E224238D3C6" as lowercase AND it != "E634C31114AE87D026812748E791402D69C6D996" as lowercase AND it != "E667F70144423A645C6BC67CE01424F720594320" as lowercase AND it != "E79A39606A2067120AEF63431F2C073B4B9298DC" as lowercase AND it != "E9B9F0A53ED36C9464E4C4C154878742F1CA6EC6" as lowercase AND it != "EAF20A3BC180FFE0AD59FF7AC786A5FC27DB0C3B" as lowercase AND it != "EB60EEFA1AD57FA27E661032329AD9AF5FD243DA" as lowercase AND it != "ED9E18A7E5EE245B77CFB4FC560013849072C943" as lowercase AND it != "EF7A63AC6A45FA3BD6DD7390CA60462F61A6FCB2" as lowercase AND it != "F3AF84FA7D5536E54F6A5357F3AC5AEDFA7EE52A" as lowercase AND it != "FA0E76E509A8DF67B36B20BCBD0F6E4406DF32BA" as lowercase AND it != "FAEFB399B9FFEBA156D31E2A0DE4195793300343" as lowercase AND it != "FBDD32ED13D27E4102621E1067FDF3634F33B2C3" as lowercase AND it != "FBFFF74687F608887E277068ED0390BD04CCF506" as lowercase AND it != "FEDDBA02158D0425E5895439663C0481CA3911E6" as lowercase) of sha1 of file "c:\windows\system32\sqlsodbc.chm"
Please be careful with the expression above. Sha1 calculations are relatively expensive so we try not to put sha1 checks in Fixlet relevance. If you absolutely have to check the sha1, it’s a good idea to create a property with the check and set the evaluation interval on the property to something like once every couple of hours.
Then if you need to remediate machines that don’t have the correct sha1, you can use the property to target an action.
THANK YOU!!! - the company published a link to a service which was compromised by Gumblar and the analysis above saved me a ton of effort…
BRAVO!!!
I also used this to document proof of no infections
sha1 of file "c:\windows\system32\sqlsodbc.chm"
and
size of file "c:\windows\system32\sqlsodbc.chm"
Is there a way to combine the two statements and bring back both pieces of info in one analysis?
Also, we have some older PCs which were upgraded from Win 2000, so the Windows directory is c:\winnt. Is there a way to put in DOS variables such as %WINDIR% so the check works for both directories?