2025-01-02
In the world of cybersecurity, hashes are an essential tool. A hash is a fixed-length mathematical fingerprint produced by running a hash algorithm over a piece of data, such as a file or a string of text. This fingerprint, often called a hash value, digest, or checksum, is one-way: it cannot be reversed to recover the data, but recomputing it confirms a file’s integrity. Hashes come in various forms, with SHA-256 being the current popular choice because older algorithms like MD5 are vulnerable to collision attacks.
Traditionally, hashes are used to identify malicious files such as malware samples and suspicious payloads. Security professionals can use these hashes to search their systems for files of concern. Publicly available collections of malware hashes, like those on Malware Bazaar, aid in this process.
However, the concept of hash sets extends beyond just malware detection. There’s value in using sets containing hashes for known good files. Here, the approach flips – instead of searching for malicious files, you verify that existing ones on your system are legitimate.
Exacorn recently released a valuable resource: a ZIP archive containing “goodware” hashes, essentially the opposite of malware. This archive, clocking in at 2GB, offers 12 million hashes and corresponding filenames.
It’s important to note that some antivirus solutions might flag certain files within this archive. For instance, the author searched the archive for “putty.exe” and one of the hashes it returned was flagged by antivirus, so a “known good” entry is not a guarantee.
This highlights the importance of considering alternative resources alongside goodware hash sets. Here are some additional options the author recommends:
The National Software Reference Library (NSRL) project
The CIRCL.lu Hash Lookup API
Hashsets.com (partially free)
The author finds
Overall, goodware hash sets provide another layer of security in the threat hunting toolbox. By incorporating them alongside traditional methods, security professionals can enhance their ability to identify and eliminate threats.
What Undercode Says:
This article offers a valuable perspective on cybersecurity. It highlights the importance of not just looking for bad actors, but also verifying the legitimacy of existing files. Goodware hash sets provide a powerful tool for achieving this and can be a valuable addition to any security professional’s toolkit.
Here are some additional points to consider:
Maintaining Hash Sets: Just like malware collections, goodware hash sets need to be updated regularly to stay effective. New software releases and updates will generate new hashes, so it’s crucial to incorporate these changes into the hash sets.
Automation Potential: The article mentions the possibility of automating the process of checking files against goodware hash sets. This automation can significantly improve efficiency, especially when dealing with large deployments.
Integration with Threat Hunting Tools: Security professionals can integrate goodware hash lookups into their existing threat hunting workflows. This can help streamline the process of identifying and investigating potential threats.
By leveraging goodware hash sets strategically, security teams can strengthen their defenses and improve their overall threat hunting posture.
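As an added example (not code from the ISC diary, Exacorn or Undercode), here is a Python script that automates the check described above: it loads a constructed goodware set in an assumed "sha256,filename" layout, streams SHA-256 over every file under a directory, and sorts the files into digest matches, listed filenames whose content matches no listed digest (worth a closer look), and unknowns.

```python
import hashlib
import os
import tempfile

# Constructed goodware set in a "sha256,filename" layout (assumption: the article
# does not give the Exacorn format). Digests: SHA-256("hello world") and SHA-256("").
GOODWARE_TEXT = """\
b94d27b9934d3e08a52e52d7da7dabfac484efe37a5380ee9088f7ace2efcde9,hello.txt
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855,empty.dat
"""

def load_goodware(text):
    by_hash = {}  # {sha256: {filenames}}; one digest may be listed under several names
    for line in text.splitlines():
        digest, name = line.strip().split(",", 1)
        by_hash.setdefault(digest.lower(), set()).add(name.lower())
    return by_hash

def sha256_file(path):
    h = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 20), b""):  # stream; never load whole file
            h.update(chunk)
    return h.hexdigest()

def triage(root, by_hash):
    """Digest match -> known_good; listed name with unlisted digest -> name_only; else unknown."""
    known_names = {n for names in by_hash.values() for n in names}
    verdicts = {"known_good": [], "name_only": [], "unknown": []}
    for dirpath, _, files in os.walk(root):
        for fname in files:
            path = os.path.join(dirpath, fname)
            rel = os.path.relpath(path, root).replace(os.sep, "/")
            if sha256_file(path) in by_hash:
                verdicts["known_good"].append(rel)
            elif fname.lower() in known_names:
                verdicts["name_only"].append(rel)
            else:
                verdicts["unknown"].append(rel)
    return {k: sorted(v) for k, v in verdicts.items()}

def demo():
    # Four constructed files: two listed, one modified copy under a listed name, one unlisted.
    samples = {"hello.txt": b"hello world", "empty.dat": b"",
               "updated/hello.txt": b"hello world!", "tool.bin": b"not listed"}
    with tempfile.TemporaryDirectory() as tmp:
        for rel, data in samples.items():
            os.makedirs(os.path.dirname(os.path.join(tmp, rel)), exist_ok=True)
            with open(os.path.join(tmp, rel), "wb") as fh:
                fh.write(data)
        return triage(tmp, load_goodware(GOODWARE_TEXT))
```

For a real deployment the set would be loaded from the downloaded archive and the results fed into the existing threat hunting workflow rather than returned from a demo function.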
References:
Reported By: Isc.sans.edu