Obtain hash of all running executables in Win OS using “CertUtil” while conducting Live Forensics.

CertUtil in Windows is mostly associated with managing and viewing certificates, but it is also very useful for obtaining the hash value of any file with its -hashfile subcommand.

Here’s the command. Try this out.


FOR /F %i IN ('wmic process where "ExecutablePath is not null" get ExecutablePath') DO certutil -hashfile %i SHA256 | findstr -v : >> output.txt

Two things to keep in mind with this one-liner: FOR /F tokenizes on whitespace by default, so an executable path that contains a space (anything under "C:\Program Files", for example) is truncated before it reaches certutil, and "findstr -v :" strips every line containing a colon, which removes certutil's banner and status lines but also the line that names the file, so output.txt ends up as a bare list of hashes with no path next to them.
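As an added example that is not part of the original post, the same collection done in PowerShell. It keeps each hash next to the process path and PID, handles paths with spaces, records processes whose image cannot be read (instead of silently skipping them), and does not rely on WMIC, which is deprecated in current Windows releases. The output file location and the column names are my own choices; run it from an elevated session on the live host.

```powershell
# Added example, not from the original post: hash the on-disk image of every
# running process with Get-FileHash and keep path, PID and hash together.
# Assumptions: elevated Windows PowerShell 5.1 or later; $OutFile is a
# placeholder location chosen for this example.
$OutFile = "$env:USERPROFILE\Desktop\running-exe-hashes.csv"

$results = foreach ($p in Get-Process) {
    # Image path is $null (or throws) for System, Idle and protected processes,
    # and for a process whose image was deleted after it started.
    $path = $null
    try { $path = $p.Path } catch { $path = $null }

    if (-not $path) {
        [pscustomobject]@{ PID = $p.Id; Name = $p.ProcessName; Path = ''
                           SHA256 = ''; Status = 'PathUnavailable' }
        continue
    }

    try {
        # -LiteralPath avoids wildcard interpretation of odd characters in the path.
        $h = Get-FileHash -LiteralPath $path -Algorithm SHA256 -ErrorAction Stop
        [pscustomobject]@{ PID = $p.Id; Name = $p.ProcessName; Path = $path
                           SHA256 = $h.Hash; Status = 'OK' }
    } catch {
        [pscustomobject]@{ PID = $p.Id; Name = $p.ProcessName; Path = $path
                           SHA256 = ''; Status = "Error: $($_.Exception.Message)" }
    }
}

# Full per-process record for the case file.
$results | Export-Csv -LiteralPath $OutFile -NoTypeInformation -Encoding UTF8

# Console summary: each distinct image once (many svchost.exe instances share one file),
# followed by the processes that could not be hashed, which deserve a closer look.
$results | Where-Object Status -eq 'OK' | Sort-Object Path -Unique |
    Select-Object Path, SHA256 | Format-Table -AutoSize
$results | Where-Object Status -ne 'OK' |
    Select-Object PID, Name, Status | Format-Table -AutoSize
```

Like the certutil version, this hashes the file on disk, not the code mapped in memory, so an image that was modified or removed after the process started will show up in the PathUnavailable or Error rows rather than as a changed hash; those rows are the ones to triage first.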
