AUDIT_FILEHASH_POWERSHELL
This check runs powershell.exe on the remote server, using the supplied information, to compare an expected file hash with the hash of the file on the system.
Usage
<custom_item>
type: AUDIT_FILEHASH_POWERSHELL
description: "Powershell FileHash Check"
value_type: POLICY_TEXT
file: "[FILE]"
value_data: "[FILE HASH]"
</custom_item>
Considerations:
- By default, an MD5 hash of the file is compared. Users can instead compare hashes generated with the SHA1, SHA256, SHA384, SHA512, or RIPEMD160 algorithms by setting hash_algorithm.
- For the check to work, PowerShell must be installed and WMI must be enabled on the target.
Examples
This example compares a supplied MD5 hash against the file hash of C:\test\test2.zip.
<custom_item>
type: AUDIT_FILEHASH_POWERSHELL
description: "Audit FILEHASH - MD5"
value_type: POLICY_TEXT
file: "C:\test\test2.zip"
value_data: "8E653F7040AC4EA8E315E838CEA83A04"
</custom_item>
This example compares a supplied SHA1 hash against the file hash of C:\test\test3.zip.
<custom_item>
type: AUDIT_FILEHASH_POWERSHELL
description: "Audit FILEHASH - SHA1"
value_type: POLICY_TEXT
file: "C:\test\test3.zip"
value_data: "0C4B0AF91F62ECCED3B16D35DE50F66746D6F48F"
hash_algorithm: SHA1
</custom_item>