Searching for SHA256 #4686

mbaki · 2021-07-02T21:55:49Z

mbaki
Jul 2, 2021

Hi all,

I have a list of SHA256 (134 of them) that I need to search for. What's the best way to do that, manually will take forever.

Thanks
Monah

weslambert · 2021-07-06T19:26:42Z

weslambert
Jul 6, 2021

You could use an Elastalert rule and query back since the beginning of your data , you could technically develop a Sigma rule, and have Playbook convert it for you, or you could use a simple bash script to create your ad-hoc query for you with something like the following:

#!/bin/bash
# Create ES query for list of values within a line-delimited text file
# Ex.
#      abc1234
#      bcd4567
#
# Use specific field:
# Ex. ./create_query ./hashlist hash.sha256
#
# Output: hash.sha256:(acbd1234 OR bcd4567)
#
# Don't use field:
# Ex. ./create_query ./hashlist
#
# Output: abc1234 OR bcd4567

FILE=$1
FIELD=$2

list=$FILE
while IFS= read -r line
do
  VALUES+="$line OR "
done < "$list"
CLEANVALUES=${VALUES%????}
echo "Paste the following into the query bar:"
echo
if ! [ -z "$FIELD" ]; then
    echo "$FIELD:($CLEANVALUES)"
else
    echo "$CLEANVALUES"
fi
echo

0 replies

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Uh oh!

Searching for SHA256 #4686

Uh oh!

{{title}}

Uh oh!

Replies: 1 comment

Uh oh!

{{title}}

Uh oh!

Select a reply

Uh oh!

Searching for SHA256 #4686

Uh oh!

mbaki Jul 2, 2021

Replies: 1 comment

Uh oh!

weslambert Jul 6, 2021

mbaki
Jul 2, 2021

weslambert
Jul 6, 2021