AUDIT_FILEHASH_POWERSHELL

This check runs powershell.exe on the remote server, using the information supplied, to compare an expected file hash with the hash of the file on the system.

Usage

<custom_item>
type: AUDIT_FILEHASH_POWERSHELL
description: "Powershell FileHash Check"
value_type: POLICY_TEXT
file: "[FILE]"
value_data: "[FILE HASH]"
</custom_item>

Considerations:

  • By default, an MD5 hash of the file is compared; however, users can compare hashes generated with the SHA1, SHA256, SHA384, SHA512, or RIPEMD160 algorithm.
  • For the check to work, PowerShell must be installed and WMI must be enabled on the target.

Examples

This example compares a supplied MD5 hash against the file hash of C:\test\test2.zip.

<custom_item>
type: AUDIT_FILEHASH_POWERSHELL
description: "Audit FILEHASH - MD5"
value_type: POLICY_TEXT
file: "C:\test\test2.zip"
value_data: "8E653F7040AC4EA8E315E838CEA83A04"
</custom_item>

This example compares a supplied SHA1 hash against the file hash of C:\test\test3.zip.

<custom_item>
type: AUDIT_FILEHASH_POWERSHELL
description: "Audit FILEHASH - SHA1"
value_type: POLICY_TEXT
file: "C:\test\test3.zip"
value_data: "0C4B0AF91F62ECCED3B16D35DE50F66746D6F48F"
hash_algorithm: SHA1
</custom_item>
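
The following PowerShell is an added example, not part of the original documentation or a Tenable tool: it hashes a known-good reference copy of a file and prints a custom_item in the form shown above. The function name New-FileHashAuditItem and its parameters are hypothetical, and it assumes hash_algorithm accepts each algorithm name listed under Considerations in the same way the SHA1 example does. It defaults to SHA256 because MD5 and SHA1 are collision-prone.

```powershell
# Added example: build an AUDIT_FILEHASH_POWERSHELL item from a known-good file.
# New-FileHashAuditItem is a hypothetical helper name, not a Tenable tool.
function New-FileHashAuditItem {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)]
        [string]$Path,

        # Algorithm names as listed under Considerations on this page.
        [ValidateSet('MD5', 'SHA1', 'SHA256', 'SHA384', 'SHA512', 'RIPEMD160')]
        [string]$Algorithm = 'SHA256',

        # Path of the file on the scanned target; defaults to the local path.
        [string]$TargetPath
    )

    # Fail early on a missing file or a directory.
    if (-not (Test-Path -LiteralPath $Path -PathType Leaf)) {
        throw "Reference file not found: $Path"
    }
    $resolved = (Resolve-Path -LiteralPath $Path).ProviderPath
    if (-not $TargetPath) { $TargetPath = $resolved }

    # Get-FileHash returns the digest as an uppercase hex string,
    # the same form used for value_data in the examples on this page.
    # RIPEMD160 is accepted by Windows PowerShell 5.1 but not by PowerShell 6+.
    $hash = (Get-FileHash -LiteralPath $resolved -Algorithm $Algorithm -ErrorAction Stop).Hash

    $lines = @(
        '<custom_item>'
        'type: AUDIT_FILEHASH_POWERSHELL'
        "description: `"Audit FILEHASH - $Algorithm`""
        'value_type: POLICY_TEXT'
        "file: `"$TargetPath`""
        "value_data: `"$hash`""
    )
    # MD5 is the check's default, so the page's MD5 example omits hash_algorithm.
    if ($Algorithm -ne 'MD5') { $lines += "hash_algorithm: $Algorithm" }
    $lines += '</custom_item>'

    $lines -join [Environment]::NewLine
}

# Constructed sample input so the example runs on its own.
$sample = Join-Path ([IO.Path]::GetTempPath()) 'filehash-sample.txt'
Set-Content -LiteralPath $sample -Value 'constructed sample content' -Encoding Ascii
New-FileHashAuditItem -Path $sample -Algorithm SHA256
```

Use -TargetPath when the reference copy is hashed on a different machine or in a different location than the file the scan will check.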

Copyright © 2017. Tenable Network Security, Inc. All rights reserved. Tenable Network Security, Nessus, SecurityCenter Continuous View, Passive Vulnerability Scanner, and Log Correlation Engine are registered trademarks of Tenable Network Security, Inc. All other products or services are trademarks of their respective owners.