Syed Hasan

How to Identify Malicious Files On Your Network Using Hashes

The Russian-attributed HermeticWiper has dealt a devastating blow to Ukrainian IT infrastructure. Security researchers and firms such as ESET have shared solid intelligence on the threat, the groups behind it, and the malware itself. But what do you do with that intelligence? We laid out the basics a couple of weeks ago; this post goes into the methods we used in more detail.

To search your organization's data against the shared Indicators of Compromise (hashes, IPs, and so on), you can use Gigasheet for quick analysis, for free. Got firewall logs? Security logs? Plain CSVs? Upload them and start your threat hunt.

Not sure how to collect hashes across your network? Here's a quick guide to getting them with PowerShell or from Sysmon logs.

How To Hash Files Quickly?

Using PowerShell, we can quickly generate hashes of files on a system. Here's a command to do so:

Get-ChildItem -Path C:\ -Recurse -File -Filter *.exe -ErrorAction SilentlyContinue | Get-FileHash | Export-Csv -Path F:\MalwareHashes.csv -NoTypeInformation

It walks the C: drive recursively, keeps only files whose name ends in .exe, hashes each one with Get-FileHash (SHA256 by default) and writes the Algorithm, Hash and Path columns to a CSV (adjust the output path to suit). -File drops directory entries that happen to match the filter, and -ErrorAction SilentlyContinue keeps the access-denied errors from protected folders out of your output; those folders are simply skipped, so remember the inventory is never fully complete. Note also that -Filter *.exe matches on file name only: DLLs, drivers (.sys) and other executable content are not hashed unless you widen the filter.

If the IoCs you have are MD5 (or SHA1) rather than SHA256, pass the -Algorithm parameter to the Get-FileHash cmdlet. MD5 is broken as a cryptographic hash, but for matching against a published indicator list it only has to agree with the list you were given. Here's the command to collect MD5 hashes:

Get-ChildItem -Path C:\ -Recurse -File -Filter *.exe -ErrorAction SilentlyContinue | Get-FileHash -Algorithm MD5 | Export-Csv -Path C:\MalwareHashes.csv -NoTypeInformation

That covers one system. To run the same pipeline on remote systems, wrap it in a script block and hand it to Invoke-Command:

Invoke-Command -ComputerName X, Y, Z -ScriptBlock {Get-ChildItem -Path C:\ -Recurse -File -Filter *.exe -ErrorAction SilentlyContinue | Get-FileHash -Algorithm MD5} | Export-Csv -Path C:\MalwareHashes.csv -NoTypeInformation

Keeping Export-Csv outside the script block writes a single CSV on the machine you run this from instead of one file on each remote host, and Invoke-Command stamps every returned row with a PSComputerName column so you can tell which host a hash came from.

Note: Invoke-Command uses PowerShell Remoting, which runs over WinRM, so remoting must be enabled on the target hosts (Enable-PSRemoting, which also opens the matching firewall rule). On domain-joined machines authentication is handled by Kerberos; outside a domain you have to configure TrustedHosts or HTTPS listeners first. If remoting is not an option, you can also run the command through Group Policy (for example as a scheduled task or startup script) and have each host write its CSV to a shared folder.
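Here is the remote collection written out as a complete script. It is an added example, not a command from the original post: the host names, the output path and the widened file filter are assumptions, and you will want to swap in your own.

```powershell
# Added example (not from the original post): collect SHA256 and MD5 hashes of
# executables from several hosts over PowerShell Remoting and write ONE CSV on
# the machine running the script. Host names and output path are assumptions.
$Computers = 'SRV01', 'SRV02', 'WKS07'                    # assumed host names
$OutFile   = "$env:USERPROFILE\Desktop\NetworkHashes.csv"  # assumed output path

# An unreachable host raises a non-terminating error; the other hosts still
# return their results, so one offline workstation does not abort the sweep.
$results = Invoke-Command -ComputerName $Computers -ScriptBlock {
    # -File skips directory entries; SilentlyContinue suppresses access-denied
    # noise from protected folders so the rest of the tree is still walked.
    # -Include widens the net beyond .exe to DLLs and drivers, which the
    # original post's *.exe filter would miss.
    Get-ChildItem -Path 'C:\' -Recurse -File -Include '*.exe', '*.dll', '*.sys' -ErrorAction SilentlyContinue |
        ForEach-Object {
            # Compute both digests so the CSV can be matched against either
            # kind of published indicator without a second collection run.
            $sha256 = (Get-FileHash -Path $_.FullName -Algorithm SHA256 -ErrorAction SilentlyContinue).Hash
            $md5    = (Get-FileHash -Path $_.FullName -Algorithm MD5    -ErrorAction SilentlyContinue).Hash
            [PSCustomObject]@{
                Path   = $_.FullName
                SHA256 = $sha256
                MD5    = $md5
                Size   = $_.Length
            }
        }
}

# Invoke-Command adds PSComputerName to each returned object; selecting it
# explicitly keeps the hostname in the CSV and drops the RunspaceId column.
$results |
    Select-Object PSComputerName, Path, SHA256, MD5, Size |
    Export-Csv -Path $OutFile -NoTypeInformation -Encoding UTF8

"$($results.Count) files hashed from $($Computers.Count) hosts -> $OutFile"
```

Run it from an elevated PowerShell session with an account that is a local administrator on the target hosts; the resulting CSV has one row per file with the hostname in the first column, which is exactly the shape the cross lookup later in the post expects.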

Let’s upload the CSV sheet to Gigasheet. Log in to your account and head over to the Your Files page. Press ‘Upload’ and drop your file to let Gigasheet parse it for you.

Don't have an account? It's completely free! Sign up for Gigasheet by heading over to this link.

Logging Hashes via Sysmon

Windows Security logs don't record hashes of executed programs (the 4688 process-creation event has the image path but no hash). Sysmon does: its Event ID 1 (process creation) and Event ID 7 (image load) records carry a Hashes field, so you can collect hashes of what actually ran on every endpoint.

If Sysmon is already installed and configured in your environment, you can easily pull hashes of executed binaries from your endpoints. Which algorithms appear in the field depends on the HashAlgorithms setting in your Sysmon configuration (SHA1, MD5, SHA256 and IMPHASH are common), so make sure the algorithm your IoCs use is actually being recorded. If Sysmon wasn't installed before the activity you're investigating, you won't have events for binaries that executed earlier, so an empty result is not proof of a clean host.

Simply ingest your Sysmon logs to Gigasheet by revisiting the Your Files page and uploading them like before. Open up the file and let’s get to searching.

1. Look for the EventData\Hashes column.

2. Open the menu at the right of the column and choose 'Apply Function'. Split the column using a comma as the separator: Sysmon stores the field as 'SHA1=...,MD5=...,SHA256=...,IMPHASH=...', so you'll see one new column per algorithm appear to the right of the Hashes column.

3. Get the HermeticWiper IoCs from this file. Click the View Only button and save a copy into your account. It contains MD5 hashes of the reported wiper samples. Before we can use these against the Sysmon logs, we need one small operation: the column we split out in step 2 still reads 'MD5=<hash>', so split it on the equals sign (=) so that the label (MD5) and the hash itself end up in separate columns. Sysmon writes hashes in uppercase hex and published lists are often lowercase; if the two sides differ, normalise the case of one of them first so the lookup doesn't miss on case alone.

4. Next, use the Cross Lookup function in Gigasheet to see whether any hash from our network matches a hash in the IoC file. Select the MD5 hash column of the currently opened sheet, select the IoC file in the second input, and finally select the column of the IoC file to match against. Take a look at my example:

5. Lastly, filter the newly created Cross-lookup Result column on the value True. Every remaining row is a process whose MD5 matches an indicator. Luckily, no hash in our dataset matches the hashes shared by the security community. All clear!

Using the same technique, you can compare the hashes collected by the PowerShell command against the IoCs shared by security researchers: the Hash column from Get-FileHash already holds bare hashes, so only the cross lookup and the True filter are needed.
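For anyone who would rather do the split-and-cross-lookup from steps 1 to 5 on the endpoint itself, here is the same logic in PowerShell, run over Sysmon Event ID 1 records and then reused on a CSV produced by the Get-FileHash command. This is an added example, not part of the original post or of Gigasheet; the indicator values in it are placeholders, not real HermeticWiper hashes, and the CSV path is an assumption.

```powershell
# Added example (not from the original post). Needs Sysmon installed and an
# elevated shell to read its operational log.

# Constructed placeholder IoC list in the researchers' "MD5=<hash>" form.
# These values are NOT real indicators; paste the published ones in here.
$IocList = @(
    'MD5=00000000000000000000000000000001'
    'MD5=00000000000000000000000000000002'
)

# Step 3 of the post: split "MD5=<hash>" on '=' and keep the bare hash.
# A hashtable gives constant-time lookups; keys are stored uppercase because
# Sysmon writes uppercase hex while published lists are often lowercase.
$IocMd5 = @{}
foreach ($entry in $IocList) {
    $label, $hash = $entry -split '=', 2
    if ($label -eq 'MD5' -and $hash) { $IocMd5[$hash.Trim().ToUpperInvariant()] = $true }
}

# Step 2 of the post: the Hashes field is "SHA1=..,MD5=..,SHA256=..,IMPHASH=.."
# (which algorithms appear depends on HashAlgorithms in the Sysmon config).
function ConvertFrom-SysmonHashes {
    param([string]$Hashes)
    $out = @{}
    foreach ($pair in ($Hashes -split ',')) {
        $alg, $val = $pair -split '=', 2
        if ($alg -and $val) { $out[$alg.Trim()] = $val.Trim().ToUpperInvariant() }
    }
    return $out
}

# Pull a named EventData field out of an event's XML. Parsing the XML is more
# robust than indexing $event.Properties, whose order varies between versions.
function Get-EventField {
    param($Data, [string]$Name)
    ($Data | Where-Object { $_.Name -eq $Name }).'#text'
}

# Event ID 1 = process creation; every record carries a Hashes field.
$events = Get-WinEvent -FilterHashtable @{
    LogName = 'Microsoft-Windows-Sysmon/Operational'
    Id      = 1
} -ErrorAction SilentlyContinue

# Steps 4 and 5: cross-lookup each MD5 against the IoC set, keep only matches.
$hits = foreach ($e in $events) {
    $data = ([xml]$e.ToXml()).Event.EventData.Data
    $h    = ConvertFrom-SysmonHashes (Get-EventField $data 'Hashes')
    if ($h['MD5'] -and $IocMd5.ContainsKey($h['MD5'])) {
        [PSCustomObject]@{
            Time     = $e.TimeCreated
            Computer = $e.MachineName
            Image    = Get-EventField $data 'Image'
            MD5      = $h['MD5']
            SHA256   = $h['SHA256']
        }
    }
}

if ($hits) { $hits | Format-Table -AutoSize }
else       { 'No Sysmon process-creation event matches the IoC list.' }

# The same lookup works on the CSV from the Get-FileHash command earlier in
# the post (assumed path); its Hash column already holds bare hashes.
$CsvPath = 'C:\MalwareHashes.csv'
if (Test-Path $CsvPath) {
    Import-Csv $CsvPath |
        Where-Object { $_.Hash -and $IocMd5.ContainsKey($_.Hash.ToUpperInvariant()) } |
        Select-Object Path, Hash
}
```

A match from the Sysmon branch is stronger evidence than one from the file inventory: it means the binary was actually launched on that host at the recorded time, not merely present on disk.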

Dealing with True Values

Did the Cross-lookup function return True for any row? A True value means a file whose hash is on the HermeticWiper indicator list is present on that host, and if the match came from Sysmon data it has already been executed at least once. Treat it as a confirmed hit: isolate the affected machine from the network, preserve the logs and the file itself for analysis, and check the other hosts for the same hash. Since it's a wiper, if it hasn't been executed yet you can still take a few actions to defend your network. Here are a few resources to do so:

Need additional help? Contact Gigasheet’s support to quickly get help related to the product or any other general query.

Note: For simplicity’s sake, I’ve renamed some of the columns in my dataset. Column names might differ for you.

What’s Next?

Data analysis can quickly get out of hand as you scale from a single endpoint to hundreds of systems in a network. Luckily, Gigasheet handles millions of rows in a blink of an eye. Collect hashes from the systems in your network, upload the files to Gigasheet, and use the Cross-lookup feature to see whether any of your systems contain the malicious files!

Gigasheet is completely free to use! All you have to do? Sign up today!