Using Sigcheck to perform a simple IOC check

If you have been around IT for some time, you may be familiar with SysInternals. Mark Russinovich is practically a legend in the world of Microsoft-based networks. His tool Sigcheck is quite useful for many tasks that would otherwise take time you probably don’t have.

You can use this simple but feature-rich tool to let your service desk search Windows endpoints for indicators of compromise.

This article gives you some command references to help you scan executable files, or only the unsigned ones, on your Windows-based endpoints: compute their hashes, send them to VirusTotal and get back a verdict for each file. That can help you decide whether to reimage the computer or simply remove the offending files.

Sigcheck Graphical User Interface

Let’s face it, sometimes you can do things faster with a GUI. This simple interface lets users who are not skilled with Excel or similar tools run the searches. Feel free to check this out and let me know your thoughts.

Running Sigcheck Offline

An offline Sigcheck scan is possible on a computer without internet access: calculate the file hashes on the offline computer, save them to CSV, and then validate that CSV against VirusTotal from a computer that is connected to the internet.

Statistically, signed malware samples are rare, because stealing a code-signing certificate and using it later without being detected is hard. You can therefore save time by scanning only unsigned files.

1. Download SysInternals Sigcheck and copy it to the computer without internet access.
2.a. Export the whole “System32” folder to CSV in Sigcheck format, with file hashes:

sigcheck64.exe -accepteula -h -c -w C:\out.csv C:\Windows\System32

2.b. Or, to export only the hashes of unsigned files:

sigcheck64.exe -accepteula -u -h -c -w C:\out.csv C:\Windows\System32

2.c. Or, for unsigned files in System32 and all of its subfolders, recursively:

sigcheck64.exe -accepteula -s -u -h -c -w C:\out.csv C:\Windows\System32

2.d. Or, to save even more time, include only executable files regardless of their extension (files that start with the MZ magic number):

sigcheck64.exe -accepteula -e -s -u -h -c -w C:\out.csv C:\Windows\System32

* You can also save the output to CSV with ordinary console redirection instead of the “-w” option, but several times the resulting file produced an error when imported back into Sigcheck, even though its content looks similar. Example:

sigcheck64.exe -accepteula -e -s -u -h -c C:\Windows\System32 > C:\out.csv

Switch explanations:
-accepteula: Silently accept the EULA prompt at startup.
-s: Recursively scan the subfolders of the chosen path.
-u: Show only unsigned files in this case. Official description:

If VirusTotal check is enabled, show files that are unknown by VirusTotal or have non-zero detection, otherwise show only unsigned files.

-h: Show several types of hashes.
-c: Output results in comma-delimited CSV format.
-w C:\out.csv: Write the console output to the specified file in Sigcheck format.
C:\Windows\System32: The path that Sigcheck will scan; it always comes last in the command.

3. Whichever option you chose in the previous step, take the CSV file to the computer with an internet connection and run in CMD:

sigcheck64.exe -accepteula -vt -o C:\out.csv > C:\VTout.csv

Switch explanations:
-vt: Omits the VirusTotal terms-of-service prompt; you must still accept the terms before use. The regular VT switch, which shows the terms prompt, is -v.
-o C:\out.csv: Perform VirusTotal lookups of the hashes in the CSV file that Sigcheck captured earlier with the -h switch.
> C:\VTout.csv: Redirect the CMD output to a file.

4. If step 3 fails with an error like this:

Path,Verified,Date,Publisher,Company,Description,Product,Product Version,File Version,Machine Type,MD5,SHA1,PESHA1,PESHA256,SHA256,IMP,VT detection,VT link
Error parsing this line of the file:
<The line itself>

It is probably because the description field of some files contains double quotes around it. For example:

"Description of executable"

This results in a double-double-quoted cell in the CSV:

""Description of executable""

In this case open the CSV file in Notepad and follow these steps:

[Edit] => [Replace...   CTRL+H]
    Find what: ""
    Replace with: "
    [Replace All]

Every double-double-quote is replaced with a single double quote, and you can then retry step 3. If you want to know exactly how many replacements were made, use “Notepad++” for this step instead.

Notes and Observations

* Unlike the free public VirusTotal API key, Sigcheck can send more than 500 files a day to VT. We checked the System32 folder with ~4000 files and all of them returned scores in less than an hour.

* When you export with the “-w” switch and reuse the file for VirusTotal validation, Sigcheck uses a CSV dialect that is not standard CSV. Cells are still separated by commas, but the major difference is the double quotes (“): the header cells are not quoted, while all regular cells are. Standard applications like Microsoft Excel therefore do not see the cells, although Excel has a feature to extract them as cells. But if you edit the file in Excel and save it, the result is standard CSV without double quotes on regular cells, and Sigcheck will fail to parse the file during VT verification. The best way is to edit it with Notepad, Notepad++ or another CSV editor that can save cells with double quotes.

* Removing any of the header cells returns the error:

CSV file does not have correct column headers.

Removing any of the file hash headers returns the error:

CSV file does not contain hash values.
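Step 4 and the notes above describe the Sigcheck CSV dialect (unquoted header, quoted cells, a value that itself contains quotes written as ""…"") and the two header errors. The script below is an added example, not code from Sigcheck or from this article: it applies the Notepad fix to each data row and counts the replacements the way Notepad++ would, checks the header for the two error conditions, and lists rows with a non-zero VirusTotal detection. The sample rows are constructed, and the "positives/engines" layout of the VT detection column (e.g. 3/70) is an assumption about Sigcheck's output, as is the assumption that Sigcheck writes n/a rather than an empty string for missing fields.

```python
"""Repair, validate and triage a Sigcheck CSV export.

Added example, not part of Sigcheck or of the original article. It mirrors the
Notepad fix from step 4 and the two header errors from the notes; the
'positives/engines' layout of the 'VT detection' column is an assumption.
"""
import csv
import io

# Header Sigcheck writes with -h -c (copied from the error message in step 4).
EXPECTED_HEADER = ("Path,Verified,Date,Publisher,Company,Description,Product,"
                   "Product Version,File Version,Machine Type,MD5,SHA1,PESHA1,"
                   "PESHA256,SHA256,IMP,VT detection,VT link")
EXPECTED_COLUMNS = EXPECTED_HEADER.split(",")
HASH_COLUMNS = ("MD5", "SHA1", "PESHA1", "PESHA256", "SHA256", "IMP")


def repair_sigcheck_csv(text):
    """Return (repaired_text, replacement_count).

    Same edit as [Replace] "" -> " in Notepad, but only on data rows: the
    header row is unquoted and is left alone. Assumes Sigcheck writes n/a,
    not an empty string, for missing fields, so empty cells are not affected.
    """
    lines = text.splitlines(keepends=True)
    if not lines:
        return text, 0
    repaired = [lines[0]]
    count = 0
    for line in lines[1:]:
        count += line.count('""')
        repaired.append(line.replace('""', '"'))
    return "".join(repaired), count


def check_header(text):
    """Return None if the header is intact, otherwise the message Sigcheck
    prints: hash columns are checked first, then every other column."""
    header = text.splitlines()[0].strip() if text else ""
    columns = header.split(",")
    if any(c not in columns for c in HASH_COLUMNS):
        return "CSV file does not contain hash values."
    if any(c not in columns for c in EXPECTED_COLUMNS):
        return "CSV file does not have correct column headers."
    return None


def find_detections(text):
    """Return [(path, detection)] for rows whose VT detection count is > 0.

    Assumes the column holds 'positives/engines' (e.g. 3/70); rows without a
    slash (n/a on an offline export, or unknown to VirusTotal) are skipped.
    """
    hits = []
    for row in csv.DictReader(io.StringIO(text)):
        detection = (row.get("VT detection") or "").strip()
        if "/" not in detection:
            continue
        positives = int(detection.split("/")[0])
        if positives > 0:
            hits.append((row["Path"], detection))
    return hits


def _row(**fields):
    """Build one data row the way Sigcheck does: every cell wrapped in quotes,
    no escaping of quotes inside a value (used for constructed sample data)."""
    cells = [fields.get(c, "n/a") for c in EXPECTED_COLUMNS]
    return ",".join('"%s"' % c for c in cells)


# Constructed sample: one clean file and one whose Description value itself
# carries double quotes, which Sigcheck writes as ""..."" (the step 4 case).
SAMPLE_CSV = "\n".join([
    EXPECTED_HEADER,
    _row(Path=r"C:\Windows\System32\good.exe", Verified="Unsigned",
         Description="Helper tool", **{"VT detection": "0/70"}),
    _row(Path=r"C:\Windows\System32\odd.exe", Verified="Unsigned",
         Description='"Description of executable"', **{"VT detection": "3/70"}),
]) + "\n"

if __name__ == "__main__":
    repaired, n = repair_sigcheck_csv(SAMPLE_CSV)
    print("replacements made:", n)                # 2
    print("header check:", check_header(repaired))  # None
    for path, detection in find_detections(repaired):
        print(detection, path)                    # 3/70 C:\Windows\System32\odd.exe
```

The replacement is deliberately the same global "" -> " edit the article describes, so it only repairs the doubled-quote case; a single stray quote in the middle of a value is not handled by either method. To run it on a real export, read C:\out.csv into a string, pass it through repair_sigcheck_csv and check_header, write the repaired text back, and only then hand the file to sigcheck64.exe -vt -o.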

Credit to this site for the offline scan.