
Search for a Specific Hash

Description: Searches for a specific hash.

What The Data Shows: Looks for a specific hash in the Users directories for files that are less than 50 MB (osquery file size limitation).

SQL:

-- Hash only the files returned by the inner query; the hash table needs a
-- path constraint, and the IN (...) subquery supplies it.
SELECT path, sha256
FROM hash
WHERE path IN
  (SELECT path
   FROM file
   WHERE size < 50000000                        -- osquery hashes files under 50 MB
     AND path LIKE "\Users\%\Documents\%%")     -- % = one level, %% = recursive
  AND sha256 = "16d28cd1d78b823c4f961a6da78d67a8975d66cde68581798778ed1f98a56d75";
5 Comments
Query_Admin
Community Manager

Status changed to: Approved
LS
New Contributor II

Can this be modified to search for multiple hashes in multiple locations? If so, how?

jnelson
Carbon Black Employee

@LS is this what you are looking for?

-- Same pattern as the original query, extended to several directories
-- (OR'd LIKE patterns) and several hashes (sha256 IN (...)).
SELECT path, sha256
FROM hash
WHERE path IN
  (SELECT path
   FROM file
   WHERE size < 50000000
     AND (path LIKE "\Users\%\Documents\%%" OR
          path LIKE "\Windows\temp\%%"))
  AND sha256 IN ("6ccce5cc1f03c8ad928cb49aaa2276e11fa4b8756700ebcccb3dd36dbeeaa881",
                 "fc3cf37f6476130e77cf9392ad68fa86f54f0b00c259429401a72c1e36cc02d1",
                 "e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855");
mailboxpickup1
New Contributor II

@jnelson Can this be modified to look for a specific hash anywhere on the Windows asset, not just the user directory?

Also, is there a more universal query to look for a list of hashes present on any asset (Linux/Mac/Windows)?

jnelson
Carbon Black Employee

@mailboxpickup1 trying to run a query like that can be very problematic. Due to the fact that it would have to hash every file on the file system, it could cause a performance impact, take a long time to run, and potentially time out. Therefore, it is highly suggested that you only search for hashes in strategic locations using Live Query.

If you have the Carbon Black NGAV or EDR solutions and are searching for a binary hash, you can easily search for that across the entire asset.
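The following is an added example, not a query posted in this thread, that applies jnelson's advice to the cross-platform question above: one Live Query that checks a list of SHA-256 values in a handful of strategic directories on Windows, macOS and Linux, keeping the page's 50 MB size guard. It assumes that an osquery LIKE pattern whose root directory does not exist on the endpoint (for example a C:\ path on a Mac) simply matches nothing, so the same query can be sent to a mixed fleet; the hash values are placeholders to be replaced with the ones you are hunting.

```sql
-- Added example (not from the thread). Hashes below are placeholders.
SELECT path, sha256
FROM hash
WHERE path IN (
    SELECT path
    FROM file
    WHERE size < 50000000                     -- stay under the 50 MB hashing limit
      AND type = 'regular'                    -- skip directories, devices and sockets
      AND (
            -- Windows: per-user download/desktop folders and the system temp folder
               path LIKE 'C:\Users\%\Downloads\%%'
            OR path LIKE 'C:\Users\%\Desktop\%%'
            OR path LIKE 'C:\Windows\Temp\%%'
            -- macOS: per-user Downloads and the shared temp folder
            OR path LIKE '/Users/%/Downloads/%%'
            OR path LIKE '/private/tmp/%%'
            -- Linux: per-user Downloads and /tmp
            OR path LIKE '/home/%/Downloads/%%'
            OR path LIKE '/tmp/%%'
          )
)
  AND sha256 IN (
      '0000000000000000000000000000000000000000000000000000000000000001',  -- placeholder
      '0000000000000000000000000000000000000000000000000000000000000002'   -- placeholder
  );
```

Every `%%` pattern is walked recursively and every matching file under the size limit is hashed before the sha256 filter is applied, so the cost of the query grows with the number and depth of directories listed, which is why the list stays short rather than covering the whole disk.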