AUDIT_FILEHASH_POWERSHELL

This check runs powershell.exe on the remote server with the supplied information to compare an expected file hash with the hash of the file on the system.

Usage

<custom_item>
  type: AUDIT_FILEHASH_POWERSHELL
  description: "Powershell FileHash Check"
  value_type: POLICY_TEXT
  file: "[FILE]"
  value_data: "[FILE HASH]"
</custom_item>

Considerations:

  • By default, an MD5 hash of the file is compared; however, users can compare hashes generated with the SHA1, SHA256, SHA384, SHA512, or RIPEMD160 algorithm.
  • For the check to work, PowerShell must be installed and WMI must be enabled on the target.

Examples

This example compares a supplied MD5 hash against the file hash of C:\test\test2.zip.

<custom_item>
  type: AUDIT_FILEHASH_POWERSHELL
  description: "Audit FILEHASH - MD5"
  value_type: POLICY_TEXT
  file: "C:\test\test2.zip"
  value_data: "8E653F7040AC4EA8E315E838CEA83A04"
</custom_item>

This example compares a supplied SHA1 hash against the file hash of C:\test\test3.zip.

<custom_item>
  type: AUDIT_FILEHASH_POWERSHELL
  description: "Audit FILEHASH - SHA1"
  value_type: POLICY_TEXT
  file: "C:\test\test3.zip"
  value_data: "0C4B0AF91F62ECCED3B16D35DE50F66746D6F48F"
  hash_algorithm: SHA1
</custom_item>

Copyright 2017 - 2018 Tenable, Inc. All rights reserved. Tenable Network Security, Nessus, SecurityCenter, SecurityCenter Continuous View and Log Correlation Engine are registered trademarks of Tenable, Inc. Tenable, Tenable.io, Assure, and The Cyber Exposure Company are trademarks of Tenable, Inc. All other products or services are trademarks of their respective owners.