Hashed and rehashed: a tale of Goodware hashes
I was looking for a service that offered goodware hashes for a project related to SOAR automation, but I couldn’t find one. So, I decided to create my own service using PostgreSQL, NIST RDS, and custom scripts.
tl;dr — Couldn’t find a free and regularly updated Goodware REST API endpoint, so I created one for anyone to use at goodware.io.
What are goodware hashes?
Goodware hashes are digital fingerprints of legitimate software programs. They are created by running a mathematical (hash) function over the program’s code, which converts it into a unique string of numbers and letters.
That hash can then be used to identify the program even if it has been renamed, or, if it was compressed, once it has been decompressed back to its original form.
How can Goodware hashes benefit SOAR automation workflows?
Goodware hashes can be used by SOAR platforms to identify known good files, which can help to speed up the response to security alerts.
For example, if an AV/EDR vendor sends an alert for any kind of file-written event, the SOAR platform can quickly check whether the file is known good and, if so, skip pushing it to your sandbox environment.
There are many other use cases as well; play around with it to find out how it can be implemented and used to enrich the views your analysts work from.
How does this Goodware API work?
The goodware hashes service uses PostgreSQL to store the hash data. The data is fed into the database from two sources:
- NIST RDS: The National Institute of Standards and Technology (NIST) provides a database of known Goodware hashes.
- Custom scripts: Custom scripts that harvest hashes from all current versions of Microsoft Windows.
Once the hash data is in PostgreSQL, the service makes it available to SOAR platforms and other security tools through a simple API pull.
How do I utilize the API endpoint?
For now, you can use the goodware hash API without an API key. The endpoint is open, but it is rate limited based on various factors configured at Cloudflare. I’ll look into allowing custom API keys in the future, depending on usage.
The API endpoint resides at https://api.goodware.io
To get the goodware hash for the reg.exe file, you would send the following API request:
GET /goodware?file_name=eq.reg.exe
If you’d like to look a file up by its md5 or sha256 hash instead, you would access the following endpoints:
GET /goodware?md5=eq.227f63e1d9008b36bdbcc4b397780be4
GET /goodware?sha256=eq.c0e25b1f9b22de445298c1e96ddfcead265ca030fa6626f61a4a4786cc4a3b7d
The request then returns something similar to this, depending on which value you queried.
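The SOAR decision described above (look the alerted file up by hash, skip the sandbox only on a match), as an added example that is not part of the original post or the goodware.io project. It assumes the API answers with a JSON list of row objects carrying file_name, md5 and sha256 keys (the post omits the response body), that hashes are stored as lowercase hex, and it ships an offline stand-in for the HTTP call so it runs without network; the two hashes in the sample row are the ones quoted in the post.

```python
import json
import urllib.parse
import urllib.request

API_BASE = "https://api.goodware.io"  # endpoint given in the post

def build_query(field, value):
    """Build the lookup URL in the filter form the post shows (field=eq.value)."""
    if field not in ("file_name", "md5", "sha256"):
        raise ValueError(f"unsupported lookup field: {field}")
    return f"{API_BASE}/goodware?{field}=eq.{urllib.parse.quote(value, safe='')}"

def fetch_rows(url, timeout=10):
    """GET the URL and parse the body; assumes a JSON list of row objects."""
    req = urllib.request.Request(url, headers={"Accept": "application/json"})
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return json.loads(resp.read().decode("utf-8"))

def triage_file_alert(alert, lookup=fetch_rows):
    """Decide whether a file-written alert can skip the sandbox. Checks sha256, then md5.
    A file name alone never counts as goodware (malware reuses legitimate names).
    Any lookup failure (network, rate limit, bad JSON) fails closed to the sandbox."""
    for field in ("sha256", "md5"):
        value = alert.get(field)
        if not value:
            continue
        try:
            rows = lookup(build_query(field, value.lower()))  # assumes lowercase hex in the DB
        except Exception as exc:
            return ("sandbox", f"lookup failed ({exc}); fail closed")
        if rows:
            return ("skip_sandbox", f"{field} matched known goodware")
    return ("sandbox", "no hash matched goodware")

# Constructed sample row: the hashes are the ones quoted in the post, but the
# JSON row layout is an assumption, since the post omits the response body.
SAMPLE_ROWS = [{
    "file_name": "reg.exe",
    "md5": "227f63e1d9008b36bdbcc4b397780be4",
    "sha256": "c0e25b1f9b22de445298c1e96ddfcead265ca030fa6626f61a4a4786cc4a3b7d",
}]

def offline_lookup(url):
    """Stand-in for fetch_rows that answers from SAMPLE_ROWS, so this runs without network."""
    field, _, value = urllib.parse.urlparse(url).query.partition("=eq.")
    return [r for r in SAMPLE_ROWS if r.get(field) == urllib.parse.unquote(value)]

def failing_lookup(url):  # simulates a rate-limited or unreachable API
    raise RuntimeError("HTTP 429 from Cloudflare")
```

Swap `offline_lookup` for the default `fetch_rows` to query the live endpoint; the fail-closed branch is what keeps a rate-limit response from silently whitelisting a file.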
Wrap up
The database currently has 550,000 hashes and counting!
Hopefully this service will be helpful for enriching the various stages of your analyst pipelines. Feel free to reach out any time.