Home / server / Questions / 829061
In Process
Brandon Wetter
Asked: 2017-01-28 09:55:44 +0800 CST

Windows 2012 R2 - Search for Files using MD5 Hash?

  • 772

My organization recently discovered malware that was sent to some users via email that managed to get past our email security in a sophisticated, targeted attack. The names of the files vary from user to user but we have collected a list of the common MD5 hashes among the malware files.

Just a shot in the dark -- I was wondering if there's a way to find files based on their MD5 hashes rather than their file names, extensions, etc. via PowerShell....or any method. We are using Windows 2012 R2 for most of the servers in our data center.

windows malware search hash md5

3 Answers

  1. Sure. You'll probably want to do something more useful than the following example though.

    $evilHashes = @(
    '4C51A173404C35B2E95E47F94C638D2D001219A0CE3D1583893E3DE3AFFDAFE0',
    'CA1DEE12FB9E7D1B6F4CC6F09137CE788158BCFBB60DED956D9CC081BE3E18B1'
)

Get-ChildItem -Recurse -Path C:\somepath |
    Get-FileHash |
        Where-Object { $_.Hash -in $evilHashes }
    • 12 
  2. [String]$BadHash = '5073D1CF59126966F4B0D2B1BEA3BEB5'

Foreach ($File In Get-ChildItem C:\ -file -recurse) 
{
    If ((Get-FileHash $File.Fullname -Algorithm MD5).Hash -EQ $BadHash)
    {
        Write-Warning "Oh no, bad file detected: $($File.Fullname)"
    }
}
    • 9

  3. If you have a copy of the file, you should activate AppLocker across the entire domain and add a hash rule for that file to stop its execution. This has the added bonus of identifying computers that are trying to run the program because AppLocker logs block and deny actions by default.

    • 9