This discussion has been locked.
You can no longer post new replies to this discussion. If you have a question you can start a new discussion

How can I search for a HASH list with live discover?

Hello.

I´m trying to create a query that allows me to check if a HASH from a list (with a comma separated) is located on some device.

The problem I have when consulting the hash table is that it does not show me any value if I do not define a directory first, but I need to search for those hashes in any partition of the device and both in linux and windows.

For example:

define Variable  $$sha_list$$ = hash1,hash2,hash3  (these hashes belong to files located in c:\windows\temp)

WITH split(sha) AS (
SELECT value
FROM
JSON_EACH('["' || REPLACE(REPLACE('$$sha_list$$', ' ', ''), ',', '","') || '"]')
)

SELECT * from hash

INNER JOIN split ON hash.sha256 =split.sha

WHERE hash.directory like 'C:\%%'

this query fails, but if I change the value of hash.directory for the next, the query works fine

WHERE hash.directory like 'C:\W%\T%'

How can I search a list of hash on a devices?



This thread was automatically locked due to age.
  • Thank you for reaching us, Allow us to have a quick check on this and get back to you.

    Glenn ArchieSeñas (GlennSen)
    Global Community Support Engineer

    The New Home of Sophos Support Videos!  Visit Sophos Techvids
  • The hash table is more like a function, it doesn't hold a database of checksums of all files and I don't think you can tell it to recurse from a directory.

    osquery | Schema

    If you have a hash variable called
    sha_1_hash_to_find which has the value aa105b0320b14ef0e7b89cbeb738b9f3feae43b7

    If it was in C:\windows\temp\ it will find the file if the hash exists with:

    select path, directory, sha1 from hash where directory = "C:\windows\temp\" and sha1 = '$$sha_1_hash_to_find$$'

    Without knowing the directory, I don't believe you can check all files.  Maybe if you have a list of common directories to search it would work, e.g.

    select path, directory, sha1 from hash where directory in( "C:\windows\temp\", "C:\temp\") and sha1 = '$$sha_1_hash_to_find$$'

    But you still need to hint where to look.  Maybe some recursive query could do it but it would be expensive I would think to check all files on disk

  • thank you very much!.
    In early versions of XDr there was a "threat Search" option in the menu, which allowed these searches.
    I don't know why they have removed it.


  • I hadn't use the Threat Searches function in a while, and just logged in today and realized it was gone. So how would you go about searching for multiple hashes, simultaneously?

  • With this function, Threat Searches, it was not possible, but it depends on the objective we are looking for.
    It is very interesting to be able to search for a hash list,
    but it is also very interesting to be able to search for a Hash in any file system of an endpoint.
    I believe that with your help, I can continue advancing in the searches I wanted to carry out

    Thank you!.