Announcing CelesTLSH CLI: A Lightweight Tool for TLSH Hash Analysis
I'm excited to announce the release of CelesTLSH CLI, a lightweight command-line interface tool for calculating, comparing, and analyzing TLSH (Trend Micro Locality Sensitive Hash) hashes. This tool is designed to help security professionals quickly identify potentially malicious files by comparing them against a database of known attack tools.
Fuzzy hashing is incredibly underused in cybersecurity, typically because most tools that calculate the hash don't provide what makes it useful: the ability to compare its distance to known malicious hashes.
To top it off, it can be difficult to find a reliable set of TLSH hashes. Because of this, I wanted to create a tool and a database of TLSH hashes that the public can use.
Check out our FOSS TLSH hashes of known attack tools!
What is CelesTLSH CLI?
CelesTLSH CLI is a statically compiled Go application that serves as the command-line counterpart to the CelesTLSH extension for the LimaCharlie platform. The name "CelesTLSH" (pronounced "Celestial-S-H") reflects its purpose as a celestial guide through the universe of TLSH hashes, helping you navigate the stars of your security landscape.
Why TLSH?
TLSH (Trend Micro Locality Sensitive Hash) is a fuzzy matching algorithm that generates hash values based on file content. Unlike cryptographic hashes like SHA-256, which change completely with even a single bit modification, TLSH hashes remain similar for files with similar content. This makes TLSH particularly valuable for malware detection, as it can identify variants of known malicious files even after they've been slightly modified.
Key Features
CelesTLSH CLI offers four main functionalities:
- Hash Calculation: Generate TLSH hashes from any file
- Distance Comparison: Calculate the similarity distance between two TLSH hashes
- Database Download: Download a curated database of TLSH hashes from known attack tools
- Hash Checking: Check a file's TLSH hash against the database to identify potential matches
Usage Examples
Calculate a TLSH hash
celestlsh-cli -h suspicious_file.exe
Compare two TLSH hashes
celestlsh-cli -d "T1A0D20FFA9687AD314535F049C3FAB22077B9ECFA1B97BCE818B0E1A16FA2AC3F70532" "T1B1922FC960B84D15453CE09903C9A22077BEEFFA1997EFE918B0E1A16FA1BC3E71632"
Download the TLSH hash database
celestlsh-cli -dl
Check a hash against the database
celestlsh-cli -c "T1A0D20FFA9687AD314535F049C3FAB22077B9ECFA1B97BCE818B0E1A16FA2AC3F70532"
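As an added illustration of the distance comparison and database check shown above (this is not CelesTLSH's own code, which uses the glaslos/tlsh Go library), here is a pure-Python re-implementation of the published TLSH distance function applied to a tiny constructed "known tools" database. It assumes the reference hex layout (nibble-swapped header bytes, Q1 ratio as the first Q hex digit); the tool names, hashes and the 30 threshold are constructed placeholders, not entries from the real database.

```python
def _parse(h):
    """Split a 70-hex-char TLSH string (optional T1 prefix) into header fields and body."""
    h = h.upper()
    if h.startswith("T1"):
        h = h[2:]
    if len(h) != 70:
        raise ValueError("TLSH string must be 70 hex chars (72 with the T1 prefix)")
    raw = bytes.fromhex(h)
    swap = lambda b: ((b & 0x0F) << 4) | (b >> 4)  # header bytes are nibble-swapped in hex form
    checksum, lvalue = swap(raw[0]), swap(raw[1])
    q1, q2 = raw[2] >> 4, raw[2] & 0x0F            # first Q hex digit is Q1, second is Q2
    return checksum, lvalue, q1, q2, raw[3:]

def _mod_diff(x, y, r):
    """Circular difference of two values in a ring of size r."""
    d = abs(x - y)
    return min(d, r - d)

def tlsh_distance(h1, h2, include_length=True):
    """TLSH distance: 0 means identical, larger means less similar."""
    c1, l1, q11, q21, b1 = _parse(h1)
    c2, l2, q12, q22, b2 = _parse(h2)
    diff = 0
    if include_length:                       # file-length bucket, heavily weighted beyond 1 step
        ld = _mod_diff(l1, l2, 256)
        diff += ld if ld <= 1 else ld * 12
    for a, b in ((q11, q12), (q21, q22)):    # quartile ratios, weighted beyond 1 step
        qd = _mod_diff(a, b, 16)
        diff += qd if qd <= 1 else (qd - 1) * 12
    if c1 != c2:                             # checksum mismatch costs a single point
        diff += 1
    for x, y in zip(b1, b2):                 # 128 two-bit bucket counts; a gap of 3 is penalised as 6
        for shift in (0, 2, 4, 6):
            d = abs(((x >> shift) & 3) - ((y >> shift) & 3))
            diff += 6 if d == 3 else d
    return diff

KNOWN_TOOLS = {  # constructed placeholder hashes, not real attack-tool hashes
    "example-tool-a": "T1" + "00" * 35,
    "example-tool-b": "T1" + "1110" + "20" + "03" + "00" * 31,
}

def check_hash(query, database=KNOWN_TOOLS, threshold=30):
    """Return (tool, distance) pairs at or below the threshold, nearest first (threshold is an assumed value)."""
    scored = [(tool, tlsh_distance(query, h)) for tool, h in database.items()]
    return sorted(((t, d) for t, d in scored if d <= threshold), key=lambda p: p[1])

if __name__ == "__main__":
    print(check_hash("T1" + "00" * 35))      # [('example-tool-a', 0), ('example-tool-b', 20)]
```

The length term dominates the score when two files differ greatly in size, which is why the reference implementation lets callers switch it off; the `include_length` flag mirrors that choice.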
Tracked Attack Tools
CelesTLSH CLI comes with a database that tracks TLSH hashes from over 80 common attack tools, including:
- Mimikatz
- Empire
- PowerUpSQL
- SharpHound
- Sliver
- Havoc
- Impacket
- And many more
This allows security teams to quickly identify if a suspicious file bears similarities to known offensive security tools.
Technical Implementation
CelesTLSH CLI is built in Go, making it cross-platform and easy to distribute. The binary is statically compiled and has no external dependencies, making deployment simple across various environments.
It also has CLI arguments, such as --quiet, that make it easier to use in automation.
The tool leverages the glaslos/tlsh Go library for TLSH hash calculation and comparison, providing accurate and efficient similarity matching.
Getting Started
Download
You can download the latest release of CelesTLSH CLI from our GitHub repository.
Quick Start
- Download the appropriate binary for your platform
- Make it executable (on Unix-based systems):
chmod +x celestlsh-cli
- Download the hash database:
./celestlsh-cli -dl
- Start analyzing files!
Conclusion
CelesTLSH CLI brings the power of TLSH hash analysis to your command line, making it easier than ever to identify potentially malicious files through similarity matching. Whether you're a security researcher, incident responder, or SOC analyst, this lightweight tool can help streamline your malware analysis workflows.
I'm excited to see how the community uses CelesTLSH CLI and welcome any feedback or contributions to make it even better!