# Requires Posh-VirusTotal: https://github.com/darkoperator/Posh-VirusTotal
#
# Plus a (free) VirusTotal API Key: https://www.virustotal.com/en/documentation/public-api/
#
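# Directory of files named by SHA256 hash (one file per hash to check) and the
# local whitelist CSV. Both are resolved relative to the current directory.
$hashdirectory = ".\hashes"
$whitelistfile=".\file-whitelist.csv"
# Load the whitelist into a hash table keyed by the CSV's sha256 column
# (value = its path column).
# The table is initialised unconditionally: the lookup later in this script
# calls .ContainsKey() on it, which throws "You cannot call a method on a
# null-valued expression" whenever the whitelist file is absent. An empty
# table simply means every hash is looked up on VirusTotal.
$hashes=@{}
if (Test-Path $whitelistfile){
    # '^[^#]' drops '#'-prefixed comment lines and blank lines before CSV
    # parsing, so the header row must be the first non-comment line.
    $whitelist = Get-Content $whitelistfile | Select-String '^[^#]' | ConvertFrom-Csv
    foreach($entry in $whitelist){
        # A hashtable created with @{} compares keys case-insensitively, so the
        # case of the hex digits in the CSV does not affect matching.
        $hashes[$entry.sha256]=$entry.path
    }
}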
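# Walk the hash directory. Every file whose name is a bare SHA256 is either
# matched against the local whitelist or looked up on VirusTotal, then renamed
# so the verdict is visible in the directory listing:
#   <hash>.whitelisted  - present in file-whitelist.csv (no VirusTotal query)
#   <hash>.clean        - VirusTotal reports zero positives for the hash
#   <hash>.<N>          - N engines flag it; the full report is written to
#                         <hash>.Virustotal alongside it
# Names that are not exactly 64 hex digits are ignored, which also guarantees
# the name interpolated into the Rename-Item/Set-Content paths below is a hash
# and nothing else (no separators, no '..').
Get-ChildItem $hashdirectory | Foreach-Object{
  if ($_.Name -Match '^[0-9A-F]{64}$'){ # SHA256 hashes are 64 character hex strings (-Match is case-insensitive)
    $SHA256=$_.Name
    # $hashes is only populated when the whitelist file exists. Guard against
    # $null so a missing whitelist means "query everything" instead of a
    # "cannot call a method on a null-valued expression" error on every file.
    if ($null -ne $hashes -and $hashes.ContainsKey($SHA256)){
      Rename-Item -Path "$hashdirectory\$SHA256" -NewName "$SHC256.whitelisted".Replace('$SHC256', $SHA256)
    }
    Else{
      # This sends the hash to VirusTotal, i.e. discloses to a third party
      # which file hashes are present on the host. Only the hash is sent, never
      # the file contents.
      try{
        $VTreport = Get-VTFileReport $SHA256
      }
      catch {
        Write-Host "`r`nAttempted to run: Get-VTFileReport $SHA256`r`r"
        Write-Host "Error: " $_.Exception.Message "`n"
        Write-Host "Have you installed Posh-VirusTotal and set the VirusTotal API key?"
        Write-Host " - See: https://github.com/darkoperator/Posh-VirusTotal`r`n"
        Write-Host "Once you have installed Posh-VirusTotal and have a VirusTotal API key, run the following command:`r`n"
        Write-Host "Set-VTAPIKey -APIKey <API Key>`r`n"
        Write-Host "Exiting...`n"
        exit
      }
      if ($VTreport.positives -eq 0){
        # File is clean
        # "Clean" here means no engine flagged the hash at query time; it is not
        # a verified-benign verdict, and a hash VirusTotal has never seen does
        # NOT reach this branch (positives is not 0 then, see the Else below).
        Rename-Item -Path "$hashdirectory\$SHA256" -NewName "$SHA256.clean"
      }
      ElseIf ($VTreport.positives -gt 0){
        # File is flagged by Virustotal
        $positives=$VTreport.positives
        Write-Host " - Hash was detected by $positives Virustotal scanners"
        if ($positives -eq 1){
          Write-Host " - Don't Panic (yet)! There is only one positive, which may be a sign of a false positive."
          Write-Host " - Check the VirusTotal report for more information."
        }
        Write-Host " - See $hashdirectory\$SHA256.Virustotal for the full report`r`n"
        $VTreport | Set-Content "$hashdirectory\$SHA256.Virustotal"
        # Rename original hash file, add the Virustotal positive count as a numbered extension
        # $SHA256.$positives
        Rename-Item -Path "$hashdirectory\$SHA256" -NewName "$SHA256.$positives"
      }
      Else{
        # positives is neither 0 nor > 0 (presumably $null, i.e. VirusTotal has
        # no report for this hash -- confirm against Get-VTFileReport's output).
        # Previously neither rename fired and the file was silently left in
        # place with no message, indistinguishable from "not processed yet".
        # Keep the file unrenamed so the next run retries, but tell the operator:
        # a hash unknown to VirusTotal is not evidence that the file is clean.
        Write-Host " - VirusTotal returned no positives count for $SHA256 (hash unknown to VirusTotal?); leaving it unrenamed for the next run`r`n"
      }
      # Wait 15 seconds between submissions, for public Virustotal API keys
      Start-Sleep -s 15
    }
  }
}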