Windows 2012 R2 - Search for Files using MD5 Hash?

windows malware search hash md5

Solution 1:

Sure. You'll probably want to do something more useful than the following example though.

$evilHashes = @(
    '4C51A173404C35B2E95E47F94C638D2D001219A0CE3D1583893E3DE3AFFDAFE0',
    'CA1DEE12FB9E7D1B6F4CC6F09137CE788158BCFBB60DED956D9CC081BE3E18B1'
)

Get-ChildItem -Recurse -Path C:\somepath |
    Get-FileHash |
        Where-Object { $_.Hash -in $evilHashes }

Solution 2:

[String]$BadHash = '5073D1CF59126966F4B0D2B1BEA3BEB5'

Foreach ($File In Get-ChildItem C:\ -file -recurse) 
{
    If ((Get-FileHash $File.Fullname -Algorithm MD5).Hash -EQ $BadHash)
    {
        Write-Warning "Oh no, bad file detected: $($File.Fullname)"
    }
}

Solution 3:

If you have a copy of the file, you should activate AppLocker across the entire domain and add a hash rule for that file to stop its execution. This has the added bonus of identifying computers that are trying to run the program because AppLocker logs block and deny actions by default.

Related

Why does logging out of an SSH session hang when using port-forwarding?
How is disk speed measured and what is fast? How long should a copy of 1500 GB take?
What is the correct find -exec syntax
System updates for many servers
How to change a physical partition system to LVM?
puppet only exec when file does NOT exist
reboot multiple machines remotely
Do Araknis switches support IPv6?
What is the difference between LVM and LUN
Is there an easy command line tool for packet sniffing a single command on linux?
The difference between desktop-series HDD drives and server-series
How to make my boss understand that a server fault is a bad thing?