@mattifestation
These are the hashes you implicitly trust on a stock Win10 build: gist.github.com/mattifestation… Here is the code I used to obtain the hashes: gist.github.com/mattifestation…
Matt Graeber
@mattifestation
Dec 16

Try to have some fun with this. For example, did you know that a file with a single null byte is "signed" by Microsoft? SHA256 Hash: 6E340B9CFFB37A989CA544E6BB780A2C78901D3FB33738768511A30617AFA01D pic.twitter.com/nQPWTIZluZ
Matt Graeber
@mattifestation
Dec 16

How many of these hashes are present in VT that would return a pos AV hit count > 1 (excluding Cylance because they flag everything)? If you want to try this, note that hashes for PEs in that list will be Authenticode hashes, not file hashes. VT refers to this as "Authentihash".
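Added example (not code from the thread or the linked gist) showing why the catalog entries for PEs are Authentihashes rather than file hashes: a Python implementation of the Authenticode hash, which skips the CheckSum field and the Certificate Table directory entry, plus a constructed minimal PE32+ fixture so two images that differ only in CheckSum share an Authentihash while their SHA-256 file hashes differ; for a non-PE file the catalog hash is the plain file hash, which reproduces the single-null-byte hash quoted above. The `build_pe` fixture and its field values are assumptions for illustration, and the implementation assumes an embedded certificate table, when present, follows the sections.

```python
import hashlib
import struct

SHA256_NULL_BYTE = "6e340b9cffb37a989ca544e6bb780a2c78901d3fb33738768511a30617afa01d"  # quoted in the thread

def file_hash(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()             # plain file hash, every byte

def authentihash(data: bytes) -> str:
    """Catalog-style SHA-256: Authenticode hash for PE images, plain file hash otherwise."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return file_hash(data)
    pe_off = struct.unpack_from("<I", data, 0x3C)[0]
    if data[pe_off:pe_off + 4] != b"PE\0\0":
        return file_hash(data)
    _, nsec, _, _, _, opt_size = struct.unpack_from("<HHIIIH", data, pe_off + 4)
    opt = pe_off + 24                                   # optional header start
    pe32plus = struct.unpack_from("<H", data, opt)[0] == 0x20B
    cksum_off = opt + 64                                # CheckSum field, 4 bytes, skipped
    certdir_off = opt + (144 if pe32plus else 128)      # Certificate Table entry, 8 bytes, skipped
    cert_off, cert_size = struct.unpack_from("<II", data, certdir_off)
    size_of_headers = struct.unpack_from("<I", data, opt + 60)[0]
    h = hashlib.sha256()
    h.update(data[:cksum_off])
    h.update(data[cksum_off + 4:certdir_off])
    h.update(data[certdir_off + 8:size_of_headers])
    end, sec_tbl = size_of_headers, opt + opt_size
    raw = (struct.unpack_from("<II", data, sec_tbl + 40 * i + 16) for i in range(nsec))
    for size, ptr in sorted(raw, key=lambda s: s[1]):   # (SizeOfRawData, PointerToRawData)
        h.update(data[ptr:ptr + size])                  # section data in file-offset order
        end = max(end, ptr + size)
    # any overlay after the last section counts too, minus the embedded certificate table
    # (assumed, as in practice, to sit after the sections)
    h.update(data[end:cert_off] + data[cert_off + cert_size:] if cert_size else data[end:])
    return h.hexdigest()

def build_pe(section_data: bytes, checksum: int) -> bytes:
    """Constructed minimal PE32+ image with one section: a parsing fixture, not a real binary."""
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 0x40)                  # e_lfanew = 0x40
    coff = b"PE\0\0" + struct.pack("<HHIIIHH", 0x8664, 1, 0, 0, 0, 240, 0x22)
    opt = bytearray(240)
    struct.pack_into("<H", opt, 0, 0x20B)                               # PE32+ magic
    struct.pack_into("<I", opt, 60, 512)                                # SizeOfHeaders
    struct.pack_into("<I", opt, 64, checksum)                           # CheckSum
    struct.pack_into("<I", opt, 108, 16)                                # NumberOfRvaAndSizes
    sec = b".text\0\0\0" + struct.pack("<IIIIIIHHI", len(section_data), 0x1000,
                                         len(section_data), 512, 0, 0, 0, 0, 0x60000020)
    return (dos + coff + bytes(opt) + sec).ljust(512, b"\0") + section_data
```

To look a PE up on VT against this list, search by the `authentihash` value; searching by `file_hash` will miss because the catalog never stores it.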
Matt Graeber
@mattifestation
Dec 16

Also, note that there's a bunch of SHA1 hashes in there...
secabstraction
@secabstraction
Dec 17

I feel like you’re intentionally going against posh best practices to annoy... =P
Matt Graeber
@mattifestation
Dec 17

Please point me to best practices for quick and dirty PoCs.
secabstraction
@secabstraction
Dec 17

via @Giphy gph.is/XGyxEx
Hacker Hurricane
@HackerHurricane
Dec 18

Do they ever change on updates, or always the same?
Matt Graeber
@mattifestation
Dec 18

They change on updates.
Hacker Hurricane
@HackerHurricane
Dec 18

Figured as much