Added new script to fetch windows binary hashes and add them to warninglist #323
+688,667
−0
Conversation
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
![github-advanced-security[bot]](https://avatars.githubusercontent.com/in/57789?s=60&v=4){kind=small}
| #!/usr/bin/env python3 | ||
| # -*- coding: utf-8 -*- | ||
|
|
||
| import json |
Check notice
Code scanning / CodeQL
Unused import Note
Member
|
Thanks a lot. This looks like a great idea and contribution. I'll review it. I'm curious about the matches between this dataset and hashlookup.io ;-) |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
2 participants
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Summary
This PR adds a new warning list for Windows binary hashes using data from the winbindex project. This helps prevent false positives when Windows system file hashes are flagged in threat intelligence feeds.
Changes
In threat intelligence and incident response, file hashes (particularly SHA256) are commonly used as Indicators of Compromise (IoCs). However, legitimate Windows system files frequently appear in threat feeds, causing false positives that waste analyst time and reduce trust in automated detections.
The winbindex project by m417z is a comprehensive, continuously updated database that tracks Windows binaries across all major Windows versions and builds.
By implementing this warning list, organizations using MISP for threat intelligence can significantly improve their signal-to-noise ratio, making their security operations more efficient and effective.
@adulau would love to hear your thoughts and feedback on this!