Usage ‐ Windows
This feature scans all Windows filesystems for the configured executable extensions, calculates each file's hash and matches it against a database of known malicious file hashes.
Because this process can take a while, it is only run when a dedicated flag is supplied. A basic list of executable extensions has also been added to Forensicator's config.json file:
```json
"executables_extensions": [
"*.exe",
"*.dll",
"*.bat",
"*.cmd",
"*.ps1"
],
```
You can extend this list with additional executable extensions, for example:
*.wash, *.wsf, *.ws, *.vbscript, *.vbs, *.vbe, *.vb, *.u3p, *.shs, *.shb, *.sct, *.scr, *.rgs, *.reg, *.ps1, *.pif, *.paf, *.mst, *.msp, *.msi, *.msc, *.lnk, *.jse, *.job, *.isu, *.inx, *.ins, *.inf, *.gadget, *.exe, *.ex, *.cpl, *.com, *.cmd, *.cab, *.bin, *.bat, *.js
Performing malware static analysis:
```powershell
.\Forensicator.ps1 -HASHCHECK HASHCHECK
```
If this flag is supplied, the script downloads the latest malware hash list from https://bazaar.abuse.ch/export/txt/md5/recent/ and saves the resulting download in the forensicator-share folder.
If you prefer to supply your own hash source, you can declare it in the config.json file:
```json
"hash_source": [
"https://bazaar.abuse.ch/export/txt/md5/recent/"
],
```
Make sure the source can be downloaded directly as a plain text file containing one MD5 hash per line.
Alternatively, you can supply the malware hashes to Forensicator yourself by placing a text file named md5hashes.txt in the Forensicator-share folder.
Example result:
```text
DetectedFile OriginalFileHash MatchingMD5
------------ ---------------- -----------
C:\Users\User\Desktop\PsExec64.exe db89ec570e6281934a5c5fcf7f4c8967 DB89EC570E6281934A5C5FCF7F4C8967
```
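The matching step described above, written out as an added example (this is not Forensicator's own code): it loads a hash list in the abuse.ch export layout (comment lines starting with `#`, one MD5 per line), walks a directory for the configured extensions, hashes each file with Get-FileHash and reports hits in the same three columns as the result table. The comparison is case-insensitive, which is why the original hash and the matching list entry can differ in case. The sample file, its hash list and the temp folder are all constructed by the script.

```powershell
# Added example, not part of Forensicator: replicate the HASHCHECK matching step.
function Import-Md5List {
    param([Parameter(Mandatory)][string]$Path)
    # Case-insensitive set so lowercase and uppercase hex match each other.
    $set = [System.Collections.Generic.HashSet[string]]::new([StringComparer]::OrdinalIgnoreCase)
    foreach ($line in Get-Content -Path $Path) {
        $h = $line.Trim()
        # Keep only 32-hex-digit lines; this drops '#' comments, blanks and junk.
        if ($h -match '^[0-9a-fA-F]{32}$') { [void]$set.Add($h) }
    }
    return $set
}

function Find-KnownBadFiles {
    param(
        [Parameter(Mandatory)][string[]]$Root,
        [Parameter(Mandatory)][string[]]$Extensions,   # the "executables_extensions" patterns
        [Parameter(Mandatory)]$HashSet
    )
    Get-ChildItem -Path $Root -Include $Extensions -Recurse -File -Force -ErrorAction SilentlyContinue |
        ForEach-Object {
            $md5 = (Get-FileHash -Path $_.FullName -Algorithm MD5 -ErrorAction SilentlyContinue).Hash
            if ($md5 -and $HashSet.Contains($md5)) {
                [PSCustomObject]@{
                    DetectedFile     = $_.FullName
                    OriginalFileHash = $md5.ToLower()   # as computed on disk
                    MatchingMD5      = $md5.ToUpper()   # as listed in the hash source
                }
            }
        }
}

# --- constructed demo data: a harmless text file posing as sample.exe ---
$demo = Join-Path ([IO.Path]::GetTempPath()) 'hashcheck-demo'
New-Item -ItemType Directory -Path $demo -Force | Out-Null
$sample = Join-Path $demo 'sample.exe'
Set-Content -Path $sample -Value 'constructed demo bytes, not an executable' -NoNewline
$knownHash = (Get-FileHash -Path $sample -Algorithm MD5).Hash.ToLower()
$listPath = Join-Path $demo 'md5hashes.txt'
# Constructed list in the abuse.ch export layout: comment line, then one MD5 per line.
@('# constructed hash list for the demo', $knownHash, 'not-a-hash') | Set-Content -Path $listPath

$set = Import-Md5List -Path $listPath
Find-KnownBadFiles -Root $demo -Extensions @('*.exe','*.dll','*.bat','*.cmd','*.ps1') -HashSet $set |
    Format-Table -AutoSize
```

Point `-Root` at a real volume and `-HashSet` at the downloaded export to reproduce the tool's scan; the regex filter is what lets the same loader accept both the abuse.ch export and a hand-made md5hashes.txt.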
Forensicator extracts Browsing History from Chrome, Mozilla Firefox, Edge, and IE. These visited URLs are further matched to a list of reported malicious URLs to determine if any user visited any well-known malicious URL.
The URL list is obtained from https://urlhaus.abuse.ch/downloads/text_recent/ and resides in the Forensicator-Share folder.
We will keep updating this list regularly.
Below is an extract of a user's Chrome Browsing History that has visited a malicious URL.
```text
Name Value
---- -----
Browser Firefox
DataType History
URL http://van.swpushroller.eu/ajai/wave.txt
IsMalicious True
User C:\Users\STOCKHOLM
LastVisitTime 2024-07-07 23:40:55
```
Note: An extra text file is also created with a list of the malicious URLs only, for easy identification.
Live-Forensicator (c) A Black Widow Tool