For details on cookie usage on our site, read our Privacy Policy
Import hashes: File Format?
- LIVEcommunity
- Discussions
- Cloud Delivered Security Services
- Endpoint (Traps) Discussions
- Re: Import hashes: File Format?
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Printer Friendly Page
- Mark as New
- Subscribe to RSS Feed
- Permalink
08-23-2017 04:55 AM
Accepted Solutions
- Mark as New
- Subscribe to RSS Feed
- Permalink
11-27-2017 11:32 AM
We use the XML format so that we can force the malware verdict. When we deployed Traps we had the assistance of a Traps PSE. He wrote a short powershell script that will take a txt file of SHA256 hashes and convert them into an XML file that you can then import. This works in 3.4.X and 4.0.X.
# This script reads a text file of SHA256 hashes and creates an XML for importing
# into the Traps ESM Policies > Hash Control page. If these are imported
# 'with verdict', they will appear as "Hash Control" verdicts of "Malware"
# -------- VARIABLES -----------
# Process name to apply to each hash import
$ImportAsName = "ImportedProcessHash.exe"
# Text file/path of SHA256 hashes to build XML from
$HashStringsFile = ($PSScriptRoot) + "\Hashes.txt"
# File name/path for resulting import XML file
$TrapsImportFile = ($PSScriptRoot) + "\TrapsHashImports.xml"
Write-Host "Creating $TrapsImportFile"
# get an XMLTextWriter to create the XML
$XmlWriter = New-Object System.XMl.XmlTextWriter($TrapsImportFile,$Null)
# choose a pretty formatting:
$xmlWriter.Formatting = 'Indented'
$xmlWriter.Indentation = 1
$XmlWriter.IndentChar = "`t"
# write the header
$xmlWriter.WriteStartDocument()
# create root element "machines" and add some attributes to it
$XmlWriter.WriteComment('Hashes to Import')
$xmlWriter.WriteStartElement('ArrayOfHashProcessItem')
$XmlWriter.WriteAttributeString('xmlns', 'http://schemas.datacontract.org/2004/07/Cyvera.Common.Interfaces.Policy')
$XmlWriter.WriteAttributeString('xmlns:i', 'http://www.w3.org/2001/XMLSchema-instance')
# Read hashes text file and add XML data for each
$Hashes = ((get-content $HashStringsFile) | Sort-Object)
$Hashes | ForEach-Object {
# Create element HashProcessItem node
$xmlWriter.WriteStartElement('HashProcessItem')
#$XmlWriter.WriteAttributeString('test', 'something')
# Add pieces of information:
$xmlWriter.WriteElementString('FileSizeMb','0')
$xmlWriter.WriteElementString('Hash',$_)
$xmlWriter.WriteElementString('ProcessName',$ImportAsName)
$xmlWriter.WriteElementString('Result','Malware')
$xmlWriter.WriteElementString('Type','Unprotected')
# Close HashProcessItem node
$xmlWriter.WriteEndElement()
}
# Close ArrayOfHashProcessItem node
$xmlWriter.WriteEndElement()
# finalize the document:
$xmlWriter.WriteEndDocument()
$xmlWriter.Flush()
$xmlWriter.Close()
notepad $TrapsImportFile
- Mark as New
- Subscribe to RSS Feed
- Permalink
11-27-2017 11:32 AM
We use the XML format so that we can force the malware verdict. When we deployed Traps we had the assistance of a Traps PSE. He wrote a short powershell script that will take a txt file of SHA256 hashes and convert them into an XML file that you can then import. This works in 3.4.X and 4.0.X.
# This script reads a text file of SHA256 hashes and creates an XML for importing
# into the Traps ESM Policies > Hash Control page. If these are imported
# 'with verdict', they will appear as "Hash Control" verdicts of "Malware"
# -------- VARIABLES -----------
# Process name to apply to each hash import
$ImportAsName = "ImportedProcessHash.exe"
# Text file/path of SHA256 hashes to build XML from
$HashStringsFile = ($PSScriptRoot) + "\Hashes.txt"
# File name/path for resulting import XML file
$TrapsImportFile = ($PSScriptRoot) + "\TrapsHashImports.xml"
Write-Host "Creating $TrapsImportFile"
# get an XMLTextWriter to create the XML
$XmlWriter = New-Object System.XMl.XmlTextWriter($TrapsImportFile,$Null)
# choose a pretty formatting:
$xmlWriter.Formatting = 'Indented'
$xmlWriter.Indentation = 1
$XmlWriter.IndentChar = "`t"
# write the header
$xmlWriter.WriteStartDocument()
# create root element "machines" and add some attributes to it
$XmlWriter.WriteComment('Hashes to Import')
$xmlWriter.WriteStartElement('ArrayOfHashProcessItem')
$XmlWriter.WriteAttributeString('xmlns', 'http://schemas.datacontract.org/2004/07/Cyvera.Common.Interfaces.Policy')
$XmlWriter.WriteAttributeString('xmlns:i', 'http://www.w3.org/2001/XMLSchema-instance')
# Read hashes text file and add XML data for each
$Hashes = ((get-content $HashStringsFile) | Sort-Object)
$Hashes | ForEach-Object {
# Create element HashProcessItem node
$xmlWriter.WriteStartElement('HashProcessItem')
#$XmlWriter.WriteAttributeString('test', 'something')
# Add pieces of information:
$xmlWriter.WriteElementString('FileSizeMb','0')
$xmlWriter.WriteElementString('Hash',$_)
$xmlWriter.WriteElementString('ProcessName',$ImportAsName)
$xmlWriter.WriteElementString('Result','Malware')
$xmlWriter.WriteElementString('Type','Unprotected')
# Close HashProcessItem node
$xmlWriter.WriteEndElement()
}
# Close ArrayOfHashProcessItem node
$xmlWriter.WriteEndElement()
# finalize the document:
$xmlWriter.WriteEndDocument()
$xmlWriter.Flush()
$xmlWriter.Close()
notepad $TrapsImportFile
- Mark as New
- Subscribe to RSS Feed
- Permalink
11-28-2017 02:01 AM
Thank you, works like a charm with 4.1.1
Show your appreciation!
Click Accept as Solution to acknowledge that the answer to your question has been provided.
The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!
These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!
The LIVEcommunity thanks you for your participation!
