Signature Scanning

sigcheck.exe

Check the code-signing status of the executables in a directory:

-a # show extended version info (includes the file's entropy, in bits per byte)
-v # query VirusTotal for each file's hash (add -vt to accept the VirusTotal terms of use so the run is non-interactive)
-u # with -v: show only files unknown to VirusTotal or with non-zero detections; without -v: show only unsigned files
-c # output as CSV
-e # scan executable images only, regardless of file extension
-h # show file hashes (MD5, SHA1, SHA256 and others)
-s # recurse into subdirectories (not used in the command below, so only the top-level directory is scanned)
sigcheck -a -c -e -h -v <dir-of-exe/s> > sigcheck_results.csv

Most malware is unsigned, so unsigned executables in a directory full of signed system binaries are easy to flag. If a sample turns out to be signed, identifying the signer is itself a lead: a stolen or fraudulently obtained certificate ties the sample to other files signed with it.

File Entropy:

Sigcheck (-a) also reports file entropy, on a scale of 0 to 8 bits per byte. Rough bands:

Windows system executables: 4-6
Packed, encrypted or otherwise evasive malware: 6-8

Default Cobalt Strike shellcode normally scores around 7.2-7.4. Note that sigcheck's figure is for the whole file, so a small packed or encrypted section inside an otherwise ordinary binary gets averaged down and can still land in the "normal" band.

Detect-It-Easy (DIE) also reports entropy, per section as well as for the whole file, and identifies known packers and compilers: https://github.com/horsicq/Detect-It-Easy
