Environment
Carbon Black Cloud Console: All Supported Versions
- Enterprise EDR (Formerly CB ThreatHunter)
Objective
How to locate a File Hash using EEDR?
Resolution
- Navigate to the Investigate page, Enriched Events Tab, Events.
- Search for EXE or script.
- For Type select "Filemod"
- Open side panel row for matching file.
- Hash "SHA-256" will be listed in the filemod section.
Additional Notes
Filemod will be triggered when the file was copied to the system so you may need to include longer time frame to cover that modification.
Sometime an alert will include the in-memory hash for a file and not the actual hash, this method will provide the actual hash.
Related Content