Open
Description
Pretty cool idea. However it looks like there are some bugs.
URL scanning seems to fail in general; at least I would expect a mimikatz zip to trigger a warning.
$ ./maps_scanner --no-verify url https://github.com/gentilkiwi/mimikatz/releases/download/2.2.0-20220919/mimikatz_trunk.zip
Checking URL: https://github.com/gentilkiwi/mimikatz/releases/download/2.2.0-20220919/mimikatz_trunk.zip
Endpoint: https://wdcp.microsoft.com
HTTP Status: 200
Latency: 2581.3 ms
Schema: Microsoft.ProtectionServices.Entities.Raw.SubmitSpynetReportResult
VERDICT: CLEAN (no threats detected)
Revision: 5
Sample Rate: 1
scan-hash also fails. Steps:
- Download a mimikatz binary
- sha256sum
- scan-hash <-- CLEAN
- scan x64/mimikatz.exe <-- MALICIOUS
The hash submitted is the same.
$ ./maps_scanner --no-verify scan-hash 61c0810a23580cf492a6ba4f7654566108331e7a4134c968c2d6a05261b2d8a1
Querying hash: 61c0810a23580cf492a6ba4f7654566108331e7a4134c968c2d6a05261b2d8a1
Endpoint: https://wdcp.microsoft.com
HTTP Status: 200
Latency: 7859.0 ms
Schema: Microsoft.ProtectionServices.Entities.Raw.SubmitSpynetReportResult
VERDICT: CLEAN (no threats detected)
Revision: 5
Sample Rate: 1
$ ./maps_scanner --no-verify scan x64/mimikatz.exe
Analyzing file: x64/mimikatz.exe
SHA-256: 61c0810a23580cf492a6ba4f7654566108331e7a4134c968c2d6a05261b2d8a1
Size: 1355264 bytes
Sending to MAPS cloud (https://wdcp.microsoft.com)...
HTTP Status: 200
Latency: 2587.4 ms
Schema: Microsoft.ProtectionServices.Entities.Raw.SubmitSpynetReportResult
VERDICT: MALICIOUS
Threat: HackTool:Win64/Mimikatz!MSR
Threat ID: 2147787822
Sig Data: 387 bytes (FASTPATH)
FASTPATH Signature (VDM TLV):
[0xEC ENVELOPE] 256B (encrypted detection logic)
[0xAA FASTPATH_DATA] 20B Compiled=2026-02-20 13:05:04 UTC
[0x5C THREAT_BEGIN] 49B ThreatID=2147787822 "HackTool:Win64/Mimikatz!MSR"
[0x67 STATIC] 38B SHA1=e3b6ea8c46fa831cec6f235a5cf48b38a4ae8d69
[0x5D THREAT_END] 4B
Revision: 5
Sample Rate: 1
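To make the inconsistency reported above checkable rather than eyeballed, here is an added helper that is not part of the issue or of the maps_scanner project. It parses the scanner's `Key: value` report lines as quoted in the issue (the format is an assumption based only on that quoted output), extracts the SHA-256 and verdict from a `scan-hash` run and a `scan` run, and lists every way the two disagree. The two sample reports are copied from the issue; `sha256_hex` is there so the locally computed digest of a sample can be compared against the `SHA-256` line the scanner prints before either verdict is trusted.

```python
import hashlib
import re

# Sample inputs: the scan-hash and scan reports quoted in the issue above.
HASH_REPORT = """\
Querying hash: 61c0810a23580cf492a6ba4f7654566108331e7a4134c968c2d6a05261b2d8a1
Endpoint: https://wdcp.microsoft.com
HTTP Status: 200
Latency: 7859.0 ms
Schema: Microsoft.ProtectionServices.Entities.Raw.SubmitSpynetReportResult
VERDICT: CLEAN (no threats detected)
Revision: 5
Sample Rate: 1
"""

FILE_REPORT = """\
Analyzing file: x64/mimikatz.exe
SHA-256: 61c0810a23580cf492a6ba4f7654566108331e7a4134c968c2d6a05261b2d8a1
Size: 1355264 bytes
Sending to MAPS cloud (https://wdcp.microsoft.com)...
HTTP Status: 200
Latency: 2587.4 ms
Schema: Microsoft.ProtectionServices.Entities.Raw.SubmitSpynetReportResult
VERDICT: MALICIOUS
Threat: HackTool:Win64/Mimikatz!MSR
Threat ID: 2147787822
Sig Data: 387 bytes (FASTPATH)
Revision: 5
Sample Rate: 1
"""

# Only plain 'Key: value' lines are fields; TLV dump lines and the
# 'Sending to MAPS cloud (...)' progress line are skipped by the key pattern.
FIELD_RE = re.compile(r"^([A-Za-z][A-Za-z0-9 -]*):\s*(.*)$")
SHA256_RE = re.compile(r"\b[0-9a-f]{64}\b")


def parse_report(text):
    """Turn a scanner report into a dict of fields plus normalised
    'sha256' and 'verdict' keys (assumed format: one 'Key: value' per line)."""
    fields = {}
    for line in text.splitlines():
        m = FIELD_RE.match(line.strip())
        if m:
            fields[m.group(1).strip()] = m.group(2).strip()
    # scan-hash prints the digest as 'Querying hash', scan prints it as 'SHA-256'.
    hash_line = fields.get("SHA-256") or fields.get("Querying hash") or ""
    m = SHA256_RE.search(hash_line)
    fields["sha256"] = m.group(0) if m else None
    # 'CLEAN (no threats detected)' -> 'CLEAN'; 'MALICIOUS' -> 'MALICIOUS'
    verdict = fields.get("VERDICT", "")
    fields["verdict"] = verdict.split()[0] if verdict else None
    return fields


def compare_reports(hash_report, file_report):
    """Return a list of discrepancies between a scan-hash run and a scan run
    that are supposed to describe the same sample; empty means consistent."""
    h = parse_report(hash_report)
    f = parse_report(file_report)
    problems = []
    if h["sha256"] != f["sha256"]:
        problems.append(f"hash mismatch: {h['sha256']} vs {f['sha256']}")
    if h["verdict"] != f["verdict"]:
        problems.append(
            f"verdict mismatch for {f['sha256']}: "
            f"scan-hash={h['verdict']} scan={f['verdict']}"
        )
    if f["verdict"] == "MALICIOUS" and "Threat" in f and "Threat" not in h:
        problems.append(f"scan-hash omitted the threat name {f['Threat']!r}")
    return problems


def sha256_hex(data):
    """Hex SHA-256 of in-memory bytes, for checking a local digest against
    the 'SHA-256' line the scanner prints for the submitted file."""
    return hashlib.sha256(data).hexdigest()


def sha256_of_file(path):
    """Same as sha256_hex but streamed from disk, i.e. what sha256sum prints."""
    h = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


if __name__ == "__main__":
    for problem in compare_reports(HASH_REPORT, FILE_REPORT):
        print("DISCREPANCY:", problem)
```

Run against the two reports from the issue it prints a verdict mismatch (CLEAN vs MALICIOUS for the same digest) and notes that the hash lookup carried no threat name. Feeding it the output of a real `scan-hash` / `scan` pair, together with `sha256_of_file` on the sample, separates "the client sent a different hash" from "the service answered differently for the same hash", which is the distinction that decides where this bug lives.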