Improvement to SHA collection part

sjwe · Oct 7, 2020 · 0e4026a · 0e4026a
1 parent 89367b0
commit 0e4026a
Showing 1 changed file with 3 additions and 3 deletions.
diff --git a/Command and Control/T1105-WIN-001.md b/Command and Control/T1105-WIN-001.md
@@ -58,8 +58,8 @@ let Timeframe = 30d;
 // set the HashTimeframe for the hash lookup, longer makes more accurate but obviously also more resource intensive
 let HashTimeframe = 30d;
 // Get all known SHA1 hashes for certutil executions or renamed files formerly named certutil
-let CertUtilPESha1=DeviceProcessEvents | where Timestamp > ago(HashTimeframe)| where FileName contains "certutil" | summarize sha1=make_set(SHA1);
-let CertUtilFESha1=DeviceFileEvents | where Timestamp > ago(HashTimeframe)| where PreviousFileName contains "certutil" or FileName contains "certutil" | summarize sha1=make_set(SHA1);
+let CertUtilPESha1=DeviceProcessEvents | where Timestamp > ago(HashTimeframe)| where FileName contains "certutil"  | where isnotempty(SHA1) | summarize sha1=make_set(SHA1);
+let CertUtilFESha1=DeviceFileEvents | where Timestamp > ago(HashTimeframe)| where PreviousFileName contains "certutil" or FileName contains "certutil"  | where isnotempty(SHA1) | summarize sha1=make_set(SHA1);
 DeviceProcessEvents
 | where Timestamp > ago(Timeframe)
 // get all executions by processes with a SHA1 hash that is or was named certutil
@@ -87,4 +87,4 @@ DeviceProcessEvents
 ## References
 
 * https://lolbas-project.github.io/lolbas/Binaries/Certutil/
-* https://medium.com/r/?url=https%3A%2F%2Fwww.fireeye.com%2Fblog%2Fthreat-research%2F2018%2F03%2Fdosfuscation-exploring-obfuscation-and-detection-techniques.html
+* https://medium.com/r/?url=https%3A%2F%2Fwww.fireeye.com%2Fblog%2Fthreat-research%2F2018%2F03%2Fdosfuscation-exploring-obfuscation-and-detection-techniques.html