Hunt Threats
Filter known-good, flag known-bad, scan YARA rules, check VirusTotal, spot encrypted/packed files. Triage a suspect system down to the files that matter.
The triage pipeline
blazehash -r /mnt/suspect -c sha256 \
--nsrl NSRL.db --nsrl-exclude \
--hashdb-bad malware-hashes.txt \
--yara rules.yar \
--entropy \
-o triage.hash
This single command:
- Hashes every file with SHA-256
- Removes known-good files (NSRL)
- Flags known-bad files [BAD] (HashDB)
- Runs YARA rules against every file
- Computes Shannon entropy (encrypted or packed files score above 7.2)
The output contains only files worth investigating: unknowns, known-bad matches, YARA hits and high-entropy files.
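The decision logic of that pipeline, written out as a Python stand-in (an added example, not blazehash's own code): it walks a constructed sample tree, hashes each file with SHA-256 in a single pass, drops hashes found in a known-good set, flags those in a known-bad set, and attaches a Shannon entropy score using the 7.2 threshold from the page. The file names, the two hash sets and the seeded pseudo-random blob used as the high-entropy sample are all constructed for the example.

```python
import hashlib
import math
import random
import tempfile
from pathlib import Path

# Constructed stand-in for the page's pipeline (blazehash's own logic is not shown here):
# hash every file, drop known-good, flag known-bad, and attach a Shannon entropy score.
ENTROPY_THRESHOLD = 7.2  # the page's cut-off for "likely encrypted, compressed or packed"


def entropy_from_counts(counts: list[int], total: int) -> float:
    """Shannon entropy in bits per byte: 0.0 for a constant file, 8.0 for a uniform one."""
    if total == 0:
        return 0.0
    return -sum(c / total * math.log2(c / total) for c in counts if c)


def shannon_entropy(data: bytes) -> float:
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    return entropy_from_counts(counts, len(data))


def hash_and_entropy(path: Path) -> tuple[str, float]:
    """One pass over the file: SHA-256 digest plus the byte histogram for the entropy score."""
    h = hashlib.sha256()
    counts = [0] * 256
    total = 0
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
            total += len(chunk)
            for b in chunk:
                counts[b] += 1
    return h.hexdigest(), entropy_from_counts(counts, total)


def triage(root: Path, known_good: set[str], known_bad: set[str],
           exclude_good: bool = True) -> list[tuple[str, str, str, float]]:
    """Return (status, sha256, relative path, entropy) rows.

    status is "BAD" for a known-bad hash, "K" for known-good (only kept when
    exclude_good is False), "HIGH-ENTROPY" for an unknown file above the
    threshold, and "" for an unknown file with ordinary entropy.
    """
    rows = []
    for path in sorted(p for p in root.rglob("*") if p.is_file()):
        digest, ent = hash_and_entropy(path)
        rel = path.relative_to(root).as_posix()
        if digest in known_bad:
            status = "BAD"           # a bad-list hit wins even if NSRL also lists the hash
        elif digest in known_good:
            if exclude_good:
                continue             # exclusion mode: drop the file from the output
            status = "K"             # annotation mode: keep it, marked
        elif ent > ENTROPY_THRESHOLD:
            status = "HIGH-ENTROPY"
        else:
            status = ""
        rows.append((status, digest, rel, round(ent, 2)))
    return rows


def demo(exclude_good: bool = True) -> dict[str, str]:
    """Build a constructed sample tree and return {relative path: status}."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "bin").mkdir()
        (root / "tmp").mkdir()
        # "stock" binary registered below as known-good (stands in for an NSRL entry)
        (root / "bin" / "ls").write_bytes(b"stand-in for a stock coreutils binary\n" * 50)
        # ordinary text: unknown, low entropy, stays in the output unflagged
        (root / "tmp" / "notes.txt").write_text("meeting at 10, bring the quarterly report\n" * 40)
        # sample registered below as known-bad (stands in for a HashDB entry)
        (root / "tmp" / "dropper").write_bytes(b"MZ" + b"\x90" * 64 + b"stand-in for a known sample")
        # seeded pseudo-random blob: unknown and high entropy, like an encrypted payload
        (root / "tmp" / "blob.dat").write_bytes(random.Random(1).randbytes(8192))
        known_good = {hash_and_entropy(root / "bin" / "ls")[0]}
        known_bad = {hash_and_entropy(root / "tmp" / "dropper")[0]}
        rows = triage(root, known_good, known_bad, exclude_good=exclude_good)
        return {rel: status for status, _, rel, _ in rows}


if __name__ == "__main__":
    for rel, status in demo().items():
        print(f"[{status or ' '}] {rel}")
```

With exclusion on, the stock binary disappears, the dropper is flagged BAD, the random blob is flagged for entropy, and the text file survives as an ordinary unknown; with exclusion off, the stock binary is kept with a K mark instead.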
NSRL: Remove known-good files
The NIST NSRL contains hashes of known OS and application files. Remove them from your output to focus on what matters.
Annotate known-good (mark but keep in output) by passing --nsrl without --nsrl-exclude:
Known-good files get a [K] prefix.
Exclude known-good entirely by adding --nsrl-exclude, as in the pipeline above:
Using NIST flat hashset instead of SQLite:
Bloom filter for speed
Build a bloom filter for faster lookups on large NSRL databases:
blazehash nsrl build-bloom NSRL.db --output nsrl.bloom
blazehash -r /mnt/suspect -c sha256 --nsrl nsrl.bloom --nsrl-exclude
The filter has roughly a 0.1% false positive rate. A false positive here means an unknown file is wrongly treated as known-good and dropped from the output (Bloom filters never produce false negatives, so nothing that is really in NSRL is wrongly kept). Use the SQLite database when excluding files in production.
HashDB: Flag known-bad files
Supply a newline-delimited file of known-bad SHA-256 or SHA-1 hashes. The list must be in the algorithm you select with -c (a SHA-1 list has nothing to compare against in SHA-256 output). Matching files are flagged [BAD] in the manifest.
Combine with NSRL to see only unknowns and known-bad:
blazehash -r /mnt/suspect -c sha256 \
--nsrl NSRL.db --nsrl-exclude \
--hashdb-bad known_malware.txt
YARA: Scan with rules
Run YARA rules against every file during the hash walk:
YARA matches appear in the output alongside hash entries. Combine with other flags freely:
blazehash -r /mnt/suspect -c sha256 \
--nsrl NSRL.db --nsrl-exclude \
--yara apt_rules.yar \
-o triage.hash
Note: requires --features yara at compile time.
VirusTotal: Batch lookup
Check all hashes in a manifest against VirusTotal:
VT_API_KEY="..." blazehash vt triage.hash
Or pass the key directly:
Rate limits apply per your VT API tier. Run this after NSRL exclusion so that only unknowns are looked up, which minimizes API calls; each lookup also tells VirusTotal which hashes you are interested in, so keep the submitted set to what the investigation needs.
Entropy: Spot encrypted and packed files
Shannon entropy scores range from 0.0 to 8.0 bits per byte. Files scoring above 7.2 are likely encrypted, compressed, or packed. Legitimate archives and media (zip, gzip, JPEG, PNG, video) also score high, so treat entropy as a triage signal to combine with the other flags, not as an indicator on its own; NSRL exclusion removes most of the benign high-entropy files first.
The entropy value appears as an additional column in the output. Useful for spotting:
- Encrypted containers and volumes
- Packed/obfuscated malware
- Steganography payloads
- Ransomware-encrypted files
Fuzzy hashing: Find malware variants
Cryptographic hashes miss near-matches. A recompiled binary with minor changes has a completely different SHA-256. Fuzzy hashing catches the similarity.
Hash known malware samples:
Scan a target for variants:
Files with 70%+ similarity to known samples (lower the cut-off with --fuzzy-threshold for looser matches) appear as fuzzy matches:
[~] payload.exe FUZZY MATCH sim=87% <- malware/variant_a.exe
[~] dropper.dll FUZZY MATCH sim=73% <- malware/loader.dll
Use ssdeep for file fragments and near-duplicate documents. Use tlsh for larger files where locality sensitivity matters.
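To see why a cryptographic hash misses near-matches while a similarity measure catches them, here is an added example that is not part of the page and is neither ssdeep nor TLSH: it compares a constructed "binary" against a variant with a single 40-byte patch and against an unrelated file, reporting how many SHA-256 bits flipped and a byte 4-gram Jaccard percentage that stands in for a fuzzy-hash similarity score. The sample buffers and the Jaccard stand-in are assumptions of the example; real ssdeep and TLSH digests are computed differently but show the same contrast.

```python
import hashlib
import random

# Constructed illustration, not ssdeep or TLSH: a byte n-gram Jaccard score plays the role
# of a similarity digest so the contrast with SHA-256 can be seen without either library.


def ngram_set(data: bytes, n: int = 4) -> set[bytes]:
    """All overlapping n-byte windows of the input."""
    return {data[i:i + n] for i in range(len(data) - n + 1)}


def similarity(a: bytes, b: bytes, n: int = 4) -> int:
    """Jaccard similarity of the two n-gram sets as a 0-100 percentage."""
    sa, sb = ngram_set(a, n), ngram_set(b, n)
    if not sa and not sb:
        return 100
    return round(100 * len(sa & sb) / len(sa | sb))


def bits_changed(h1: str, h2: str) -> int:
    """Number of differing bits between two hex digests (the avalanche effect)."""
    return bin(int(h1, 16) ^ int(h2, 16)).count("1")


def make_samples() -> dict[str, bytes]:
    """Constructed 'binaries': an original, a variant with one 40-byte patch, an unrelated file."""
    original = b"MZ" + random.Random(7).randbytes(2000)
    patched = bytes(b ^ 0xFF for b in original[1000:1040])   # every byte in the window changes
    variant = original[:1000] + patched + original[1040:]
    unrelated = b"MZ" + random.Random(8).randbytes(2000)
    return {"original": original, "variant": variant, "unrelated": unrelated}


def compare(a: bytes, b: bytes) -> dict[str, object]:
    """Exact-match verdict from SHA-256 next to the similarity score."""
    ha, hb = hashlib.sha256(a).hexdigest(), hashlib.sha256(b).hexdigest()
    return {
        "sha256_equal": ha == hb,
        "sha256_bits_changed": bits_changed(ha, hb),
        "similarity": similarity(a, b),
    }


if __name__ == "__main__":
    s = make_samples()
    for name in ("variant", "unrelated"):
        r = compare(s["original"], s[name])
        print(f"{name:9s} sha256 equal={r['sha256_equal']} "
              f"bits changed={r['sha256_bits_changed']:3d} sim={r['similarity']}%")
```

The 2% patch leaves the variant at roughly 96% similarity, which a 70% threshold would report as a variant, while its SHA-256 shares nothing usable with the original; the unrelated file scores near 0%.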
Combine everything
The full threat hunting workflow:
# Step 1: Triage with all intelligence sources
blazehash -r /mnt/suspect -c sha256,ssdeep \
--nsrl NSRL.db --nsrl-exclude \
--hashdb-bad malware-hashes.txt \
--yara apt_rules.yar \
--entropy \
-o triage.hash --progress
# Step 2: Check unknowns against VirusTotal
VT_API_KEY="..." blazehash vt triage.hash
# Step 3: Find variants of known samples
blazehash -r /mnt/suspect -a -k known-malware.hash \
-c ssdeep --fuzzy-threshold 60 --fuzzy-top 5
# Step 4: Find duplicates (lateral movement indicator)
blazehash dedup /mnt/suspect