Hello.
I'm trying to create a query that lets me check whether a hash from a comma-separated list is located on some device.
The problem I have when querying the hash table is that it does not show me any value unless I define a directory first, but I need to search for those hashes on any partition of the device, on both Linux and Windows.
For example:
Define variable $$sha_list$$ = hash1,hash2,hash3 (these hashes belong to files located in C:\windows\temp)
WITH split(sha) AS (
  -- Turn the comma-separated variable into one row per hash:
  -- strip spaces, wrap each item in quotes and let json_each() split the JSON array.
  SELECT value
  FROM json_each('["' || REPLACE(REPLACE('$$sha_list$$', ' ', ''), ',', '","') || '"]')
)
SELECT *
FROM hash
INNER JOIN split ON hash.sha256 = split.sha
WHERE hash.directory LIKE 'C:\%%'
This query fails, but if I change the hash.directory condition to the following, the query works fine:
WHERE hash.directory like 'C:\W%\T%'
How can I search for a list of hashes on a device?
Thank you for reaching out to us. Allow us to have a quick check on this and get back to you.
The hash table is more like a function; it doesn't hold a database of checksums of all files, and I don't think you can tell it to recurse from a directory.
If you have a hash variable called sha_1_hash_to_find which has the value aa105b0320b14ef0e7b89cbeb738b9f3feae43b7,
and the file were in C:\windows\temp\, the following will find it if the hash exists:
-- Single-quoted string literals for the directory and hash values
select path, directory, sha1 from hash where directory = 'C:\windows\temp\' and sha1 = '$$sha_1_hash_to_find$$'
Without knowing the directory, I don't believe you can check all files. Maybe if you have a list of common directories to search, it would work, e.g.
-- Each directory in the IN list becomes a separate hint for the hash table
select path, directory, sha1 from hash where directory in ('C:\windows\temp\', 'C:\temp\') and sha1 = '$$sha_1_hash_to_find$$'
But you still need to hint where to look. Maybe some recursive query could do it, but I would think it would be expensive to check all files on disk.
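Putting the two pieces of this thread together (the json_each() split of a comma-separated variable from the question, and the explicit directory hints from the answer), the following query checks a whole list of SHA-256 hashes against several directories in one pass. This is an added example, not code from the original posts or from Sophos; it assumes a Live Discover variable named $$sha256_list$$ (hypothetical name) and the osquery hash table that Live Discover exposes. The directory list is a hint, exactly as the answer says: the hash table only hashes the files in the directories it is given, so every location you want covered has to be named (osquery treats %% in a path LIKE as recursive, so LIKE 'C:\%%' asks it to hash every file on the drive, which is why hinting specific directories is the practical approach). lower() on both sides makes the comparison case-insensitive in case the list was pasted as upper-case hex.

```sql
-- Added example (not from the original thread). Assumes a Live Discover
-- variable $$sha256_list$$ holding a comma-separated list of SHA-256 hashes
-- (hypothetical variable name), e.g. "hash1, hash2,hash3".
WITH wanted(sha256) AS (
  -- One row per hash: strip spaces, quote each item, split the JSON array.
  SELECT lower(value)
  FROM json_each('["' || replace(replace('$$sha256_list$$', ' ', ''), ',', '","') || '"]')
),
search_dirs(directory) AS (
  -- Directory hints for the hash table (one row per location to check).
  -- Spell them exactly as you want them passed to the table; the answer
  -- above uses a trailing backslash.
  SELECT 'C:\Windows\Temp\'
  UNION ALL SELECT 'C:\Temp\'
  UNION ALL SELECT 'C:\Users\Public\'
)
SELECT h.path, h.directory, h.sha256
FROM hash AS h
-- The join on directory supplies the constraint the hash table requires,
-- once per hinted directory.
JOIN search_dirs AS d ON h.directory = d.directory
-- Keep only files whose hash is in the list.
JOIN wanted AS w ON lower(h.sha256) = w.sha256;
```

For a Linux endpoint, replace the search_dirs rows with paths such as '/tmp/' and '/var/tmp/'; the rest of the query is unchanged. If you need the result for a single hash at a time rather than the whole list, the same query works with a one-element variable.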
Thank you very much!
In early versions of XDR there was a "Threat Search" option in the menu, which allowed these searches.
I don't know why they have removed it.

I hadn't used the Threat Searches function in a while, and just logged in today and realized it was gone. So how would you go about searching for multiple hashes simultaneously?
With the Threat Searches function it was not possible, but it depends on the objective we are looking for.
It is very interesting to be able to search for a hash list,
but it is also very interesting to be able to search for a hash in any file system of an endpoint.
I believe that with your help, I can continue advancing in the searches I wanted to carry out.
Thank you!