Thursday, May 16, 2024

Finding a File Hash Natively in Windows with CertUtil

A hash function is any function that can be used to map data of arbitrary size to fixed-size values, though there are some hash functions that support variable length output. The values returned by a hash function are called hash values, hash codes, hash digests, digests, or simply hashes. The values are usually used to index a fixed-size table called a hash table. Use of a hash function to index a hash table is called hashing or scatter storage addressing.

In Windows, we can natively compute a file hash using "CertUtil". CertUtil is actually a tool for managing certificates, but it can also perform hash checks. We would want to hash a file in order to verify its integrity.

We can use the command certutil -hashfile -? to see a list of all available options.

CertUtil supports the following hash algorithms:
MD2 MD4 MD5 SHA1 SHA256 SHA384 SHA512

We can run the command on a file to get its hash: certutil -hashfile filename SHA256

Once we have the file hash, we can compare it against the original (for example the hash published by the file's distributor) to see whether the file has changed, or look the hash up on a service like VirusTotal to see whether it belongs to a known malicious file.



Thursday, May 2, 2024

How to use XPath to query Windows Event Logs

Windows Event Logs in the EVTX format are actually stored as XML, and XML can be queried with XPath. Ideally, you would never need to do this, because you can export Windows Event Logs to a SIEM. However, you may need to query the Event Log directly, and the built-in search is pretty terrible. Once you get used to the XPath syntax, querying the Windows Event Log becomes a lot easier.

First, open Event Viewer. In our examples, we will be querying the Security Event Log. In the right-hand panel, click "Filter Current Log...".

Click the XML tab at the top of the dialog, then tick "Edit Query Manually" at the bottom.

Specific account logging on:

For whatever reason, the "User" field in the filter dialog does not actually work post Windows 2003, which is very frustrating. We can instead search for users via XPath. In this example I am looking for two specific Windows Event IDs, 4648 and 4624, for a given account name.

<QueryList>
  <Query Id="0" Path="Security">
    <Select Path="Security">*[System[(EventID=4648 or EventID=4624)] and EventData[Data[@Name="TargetUserName"]="accountname"]]</Select>
  </Query>
</QueryList>


Checking a user login to a specific process:


In this example, we have multiple sites in IIS that AD users can authenticate to. We want to look at just one of those web apps, so as not to sift through all of the sign-ins. The ProcessName field can be filtered down to the full path of any process, in this case, IIS.


<QueryList>
  <Query Id="0" Path="Security">
    <Select Path="Security">*[System[(EventID=4648)] and EventData[Data[@Name="TargetUserName"]="bob"] and EventData[Data[@Name="ProcessName"]="C:\inetpub\sites\ecommerce\ecommerceweb\Bank.Web.exe"]]</Select>
  </Query>
</QueryList>

Query for NTLM v1

As part of auditing, you may be looking to eliminate NTLMv1 usage. Logons that used NTLMv1 can be queried with XPath as follows:

<QueryList>
  <Query Id="0" Path="Security">
    <Select Path="Security">*[System[(EventID=4624)] and EventData[Data[@Name="LmPackageName"]="NTLM V1"]]</Select>
  </Query>
</QueryList>
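The three filters above can also be run from the command line with Get-WinEvent, which takes the same <QueryList> XML as the "Edit Query Manually" tab. The script below is an added example and is not code from the original post; the account name "bob", the 24-hour window and the chosen output columns are assumptions, and it needs an elevated prompt to read the Security log.

```powershell
# Added example (not from the original post): run the post's three XPath filters through
# Get-WinEvent. Account name, hours-back window and output fields are assumptions.
param(
    [string]$TargetUser  = 'bob',   # assumed account name; replace with the account you audit
    [string]$ProcessPath = 'C:\inetpub\sites\ecommerce\ecommerceweb\Bank.Web.exe',
    [int]$HoursBack      = 24
)

# Wrap a bare XPath <Select> expression in the <QueryList> envelope Event Viewer accepts.
function New-SecurityQuery([string]$Select) {
    return @"
<QueryList>
  <Query Id="0" Path="Security">
    <Select Path="Security">$Select</Select>
  </Query>
</QueryList>
"@
}

# Read one EventData field by its @Name attribute from the event's own XML.
function Get-EventField($Record, [string]$Name) {
    $data = ([xml]$Record.ToXml()).Event.EventData.Data
    return ($data | Where-Object { $_.Name -eq $Name }).'#text'
}

# timediff(@SystemTime) is the Event Log XPath function for "within the last N milliseconds".
$ms = $HoursBack * 3600 * 1000
$queries = [ordered]@{
    'Logons for user'   = "*[System[(EventID=4648 or EventID=4624) and TimeCreated[timediff(@SystemTime) <= $ms]] and EventData[Data[@Name='TargetUserName']='$TargetUser']]"
    'Logons to IIS app' = "*[System[(EventID=4648) and TimeCreated[timediff(@SystemTime) <= $ms]] and EventData[Data[@Name='TargetUserName']='$TargetUser'] and EventData[Data[@Name='ProcessName']='$ProcessPath']]"
    'NTLMv1 logons'     = "*[System[(EventID=4624) and TimeCreated[timediff(@SystemTime) <= $ms]] and EventData[Data[@Name='LmPackageName']='NTLM V1']]"
}

foreach ($name in $queries.Keys) {
    # Get-WinEvent raises an error when nothing matches; treat that as an empty result.
    $events = @(Get-WinEvent -FilterXml (New-SecurityQuery $queries[$name]) -ErrorAction SilentlyContinue)
    Write-Host ("{0}: {1} event(s) in the last {2}h" -f $name, $events.Count, $HoursBack)
    foreach ($e in $events) {
        [pscustomobject]@{
            Query     = $name
            Time      = $e.TimeCreated
            EventID   = $e.Id
            User      = Get-EventField $e 'TargetUserName'
            SourceIP  = Get-EventField $e 'IpAddress'
            Process   = Get-EventField $e 'ProcessName'
            LmPackage = Get-EventField $e 'LmPackageName'
        }
    }
}
```

Pipe the output to Export-Csv to keep an audit trail of NTLMv1 sources while you work to retire them.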


Like my work? Donate here: https://buymeacoffee.com/forensicnoobsecurity