Created
February 20, 2020 12:08
-
-
Save scudette/dc5f142adc628d5f21f5e56d500d7935 to your computer and use it in GitHub Desktop.
Hash Run Key Binaries
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| name: HashRunKeys | |
| description: | | |
| Iterate over all the run keys and locate their binary then hash it. | |
| parameters: | |
| - name: runKeys | |
| default: | | |
| HKEY_USERS\*\Software\Microsoft\Windows\CurrentVersion\Run\* | |
| - name: pathRegex | |
| type: hidden | |
| # Pick the first part - either quoted or not. | |
| default: >- | |
| (^"(?P<quoted_path>[^"]+)"|(?P<unquoted_path>^[^ ]+)) | |
| sources: | |
| - precondition: | |
| SELECT OS From info() where OS = 'windows' | |
| queries: | |
| - LET paths = SELECT FullPath,Name, Data.value AS Value, | |
| parse_string_with_regex(string=Data.value, | |
| regex=pathRegex) as regData | |
| FROM glob(globs=split(string=runKeys, sep="[, \\n]+"), | |
| accessor="reg") | |
| WHERE Data.value | |
| # Handle some variations we see in the value: | |
| # system32\drivers\XXX.sys -> %systemRoot%\System32\ | |
| # \SystemRoot\ -> %SystemRoot%\ | |
| - LET normalized = SELECT *, | |
| expand(path= | |
| regex_replace(re='(?i)^system32\\\\', | |
| replace="%SystemRoot%\\system32\\", | |
| source=regex_replace( | |
| source=regData.quoted_path + regData.unquoted_path, | |
| re="^\\\\SystemRoot\\\\", | |
| replace="%SystemRoot%\\"))) AS RealPath | |
| FROM paths | |
| - SELECT FullPath, Name, Value, RealPath, | |
| hash(path=expand(path=RealPath)).SHA256 AS Hash | |
| FROM normalized |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment