![]() The value that we're looking for is "positives". Looking at one hash, we'll run an assessment using get-VTFileReport: So before you can do anything, create a VT account and get an API key if you don't already have one (of each). Really you could do this as a simple web request, as documented at, the request (using curl) would look like: We'll use the SHA1 checksums that we've generated in the last two stories to check. We'll use the Get-VTFileReport commandlet, which can take an MD5, SHA1 or a SHA256 Checksum, or a ScanID as input. Now, we can take that next step and check all of the hashes we collected in yesterday's story (or maybe just the "most interesting" ones - the ones-ies and two-sies) against VirusTotal, to see if we're harboring any known malwer. ![]() Let's use the Posh-SSH module from the Powershell Gallery -thanks to Carlos Perez for writing this one (docs are here: ) Let's see how we can automate this process. What to do next? Well, with a pool of suspect file hashes, a logical next step would be to compare them against what's in VirusTotal. Collected all of the running processes in the Domain, and computed the hashes for the executable files.
0 Comments
Leave a Reply. |