When a security incident occurs on your network, one of the most important steps of the response process is the identification of all assets involved by the attack.
Once a subset of filesystem Indicator of Compromise (IoC) has been compiled, a best practice is to search this indicators on all servers, in order to define boundaries of the attack.
A basic list of filesystem IoC can be composed by a filepath, a filename and (most important) the hash of the file: a widespread practice is replace well known system files with other tools, and a hash based search is mandatory.
So, on linux system the process can be accomplished with a simple bash script, while on windows systems a PowerShell script can be useful.
But, if on your network are still present old legacy systems with Windows 2000? (Yes, i can confirm that’s possible!)
In this case, the powershell solution is not applicable (powershell is not officially supported), and a simple BAT script can laks the important hashing features.
Recently, i’ve solved this problem using VBScript, an Active Scripting language initially developed by Microsoft to allows system administrators to generate administrative script more complex than simple BAT files.
VBScript is modeled on Visual Basic and allows the creation of scripts with error handling, subroutines, and other advanced programming constructs.
And (most important) is fully working on Windows 2000!
So, using this useful code, published by Igor Krupitsky on StackOverflow (as usual!) i’ve assembled a simple script that accept as command line paramater a filename containing the IoC list, performs the search on filesystem and exports results on a CSV file.
The structure of Input and Output files is pretty simple:
Hostname, FullName, CreationTime, LastAccessTime, LastWriteTime, Length, Attributes TESTHOST;C:\temp\net.exe;11/21/2018 3:47:19 PM;11/21/2018 3:47:19 PM;7/16/2016 12:42:23 PM;55808;32
And below the full script:
I hope it will be useful!