Now that we have the hashes for all the running processes in the AD domain, and also have the VT score for each hash in the system, how can we use this information? Incident response comes immediately to mind for me. If you've ever been in a medium-to-large-scale "incident", the situation you often find is "we know everything seems to be infected, but out of thousands of machines, which ones are actually infected right now?" Not only that, but "our AV doesn't detect this exact malware yet, or if it does, it detects it but doesn't kill it or delete it." The methods we've looked at over the last few days let us enumerate an up-to-the-minute list of infected stations, outputting a "punch list" for the responders fixing those stations. Not only that, but we can tack on a "kill switch" command that will terminate (and even delete) the running malware if the AV product isn't doing that.
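The punch list and kill switch described above, as an added example that is not code from the diary. It assumes the RSAT ActiveDirectory module on the responder's workstation, WinRM/PowerShell Remoting enabled on the targets, and that the VirusTotal scoring has already been done, so the script simply takes the resulting list of known-bad SHA256 hashes as input (the hash in `$BadHashes` is a constructed placeholder, not a real malware hash). Every host is hashed fresh, so the output reflects what is running right now, not what was running when the earlier inventory was taken:

```powershell
# Added example (not from the ISC diary): build a punch list of domain hosts that
# are running a process whose on-disk image matches a known-bad SHA256, and
# optionally kill the process and delete the image (-Kill).
# Assumes: RSAT ActiveDirectory module, WinRM enabled on targets, admin rights.
param(
    [string[]] $BadHashes = @(
        # Constructed placeholder hash; replace with the VT-flagged hashes.
        '0000000000000000000000000000000000000000000000000000000000000000'
    ),
    [switch] $Kill,
    [string] $OutFile = '.\punchlist.csv'
)

Import-Module ActiveDirectory

# Enabled Windows computer objects in the domain are the scan population.
$computers = Get-ADComputer -Filter 'Enabled -eq $true -and OperatingSystem -like "*Windows*"' `
    -Properties OperatingSystem | Select-Object -ExpandProperty Name

# Runs on each remote host: hash every process image and compare to the bad list.
$scan = {
    param([string[]] $BadHashes, [bool] $Kill)
    $hits = @()
    # Path is empty for some protected/system processes; those cannot be hashed here.
    foreach ($p in Get-Process | Where-Object { $_.Path }) {
        try { $h = (Get-FileHash -LiteralPath $p.Path -Algorithm SHA256 -ErrorAction Stop).Hash }
        catch { continue }   # image unreadable or already gone from disk
        if ($BadHashes -contains $h) {        # -contains is case-insensitive
            $killed = $false; $deleted = $false
            if ($Kill) {
                # Stop first, then remove: the image is locked while the process runs.
                try { Stop-Process -Id $p.Id -Force -ErrorAction Stop; $killed = $true } catch {}
                try { Remove-Item -LiteralPath $p.Path -Force -ErrorAction Stop; $deleted = $true } catch {}
            }
            $hits += [pscustomobject]@{
                Computer = $env:COMPUTERNAME
                PID      = $p.Id
                Name     = $p.ProcessName
                Path     = $p.Path
                SHA256   = $h
                Killed   = $killed
                Deleted  = $deleted
            }
        }
    }
    $hits
}

# Fan out in parallel; hosts that are off or unreachable are collected separately
# below so they are not mistaken for "clean".
$results = Invoke-Command -ComputerName $computers -ScriptBlock $scan `
    -ArgumentList $BadHashes, $Kill.IsPresent -ThrottleLimit 32 `
    -ErrorAction SilentlyContinue -ErrorVariable remoteErrors

$reached    = $remoteErrors | ForEach-Object { $_.TargetObject } | Sort-Object -Unique
$notReached = $computers | Where-Object { $_ -in $reached }

# The punch list for responders: one row per infected process per host.
$results | Select-Object Computer, PID, Name, Path, SHA256, Killed, Deleted |
    Sort-Object Computer | Export-Csv -LiteralPath $OutFile -NoTypeInformation
$results | Format-Table Computer, PID, Name, Path, Killed, Deleted -AutoSize

if ($notReached) {
    Write-Warning ("{0} host(s) could not be scanned; treat them as unknown, not clean:" -f $notReached.Count)
    $notReached
}
```

Two caveats before running this with `-Kill` during a live incident: deleting the image destroys evidence, so copy the file somewhere safe (or rely on the AV quarantine) before removing it, and this check only sees the on-disk image of each process, so a sample that runs from memory only, or whose file has already been deleted, will not appear on the punch list.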
Article Link: https://isc.sans.edu/diary/rss/25088