AUDIT_FILEHASH_POWERSHELL

This check runs powershell.exe on the remote server, using the supplied file path and expected hash, to compare the expected file hash with the hash of the file on the system.

Usage

<custom_item>
  type: AUDIT_FILEHASH_POWERSHELL
  description: "Powershell FileHash Check"
  value_type: POLICY_TEXT
  file: "[FILE]"
  value_data: "[FILE HASH]"
</custom_item>

Considerations:

  • By default, an MD5 hash of the file is compared; however, users can compare hashes generated with the SHA1, SHA256, SHA384, SHA512, or RIPEMD160 algorithm by setting the hash_algorithm keyword.
  • For the check to work, PowerShell must be installed and WMI must be enabled on the target.

Examples

This example compares a supplied MD5 hash against the file hash of C:\test\test2.zip.

<custom_item>
  type: AUDIT_FILEHASH_POWERSHELL
  description: "Audit FILEHASH - MD5"
  value_type: POLICY_TEXT
  file: "C:\test\test2.zip"
  value_data: "8E653F7040AC4EA8E315E838CEA83A04"
</custom_item>

This example compares a supplied SHA1 hash against the file hash of C:\test\test3.zip.

<custom_item>
  type: AUDIT_FILEHASH_POWERSHELL
  description: "Audit FILEHASH - SHA1"
  value_type: POLICY_TEXT
  file: "C:\test\test3.zip"
  value_data: "0C4B0AF91F62ECCED3B16D35DE50F66746D6F48F"
  hash_algorithm: SHA1
</custom_item>
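
The following is an added example, not part of the original page: a PowerShell helper that hashes a known-good copy of a file and emits a matching custom_item, so that value_data is generated rather than typed by hand. The function name New-FileHashAuditItem, its parameters, and the sample paths are assumptions; RIPEMD160 is left out because Get-FileHash offers it only in Windows PowerShell, not in PowerShell 6 and later.

```powershell
# Added example: build an AUDIT_FILEHASH_POWERSHELL item from a trusted copy of a file.
# New-FileHashAuditItem and its parameters are hypothetical names, not part of the product.
function New-FileHashAuditItem {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)][string]$Path,
        [ValidateSet('MD5', 'SHA1', 'SHA256', 'SHA384', 'SHA512')]
        [string]$Algorithm = 'SHA256',
        # Path as it should appear in the audit; defaults to the resolved local path.
        [string]$TargetPath
    )
    $resolved = (Resolve-Path -LiteralPath $Path -ErrorAction Stop).ProviderPath
    if (-not (Test-Path -LiteralPath $resolved -PathType Leaf)) {
        throw "Not a file: $resolved"
    }
    if (-not $TargetPath) { $TargetPath = $resolved }

    # Get-FileHash returns the digest as uppercase hex, the form used in the examples above.
    $hash = (Get-FileHash -LiteralPath $resolved -Algorithm $Algorithm).Hash

    $lines = @(
        '<custom_item>'
        '  type: AUDIT_FILEHASH_POWERSHELL'
        "  description: `"Audit FILEHASH - $Algorithm - $(Split-Path -Leaf $TargetPath)`""
        '  value_type: POLICY_TEXT'
        "  file: `"$TargetPath`""
        "  value_data: `"$hash`""
    )
    # MD5 is the check's default, so hash_algorithm is only written for other algorithms.
    if ($Algorithm -ne 'MD5') { $lines += "  hash_algorithm: $Algorithm" }
    $lines += '</custom_item>'
    $lines -join [Environment]::NewLine
}

# Constructed sample input: a temporary file holding the three bytes "abc".
$sample = Join-Path ([IO.Path]::GetTempPath()) 'filehash-audit-sample.bin'
[IO.File]::WriteAllBytes($sample, [Text.Encoding]::ASCII.GetBytes('abc'))

# C:\example\sample.bin is a constructed target path for illustration.
New-FileHashAuditItem -Path $sample -Algorithm SHA256 -TargetPath 'C:\example\sample.bin'

Remove-Item -LiteralPath $sample
```

Generate the item from a copy of the file obtained from a trusted source, not from the host being audited, so the baseline hash cannot reflect a file that was already modified.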