Carbon Black Cloud: How to locate a File Hash using EEDR?
book
Article ID: 284995
calendar_today
Updated On:
Products
Carbon Black Cloud Endpoint Standard (formerly Cb Defense)
Issue/Introduction
How to locate a File Hash using EEDR?
Environment
Carbon Black Cloud Console: All Supported Versions
Enterprise EDR (Formerly CB ThreatHunter)
Resolution
Navigate to the Investigate page, Enriched Events Tab, Events.
Search for EXE or script.
For Type select "Filemod"
Open side panel row for matching file.
Hash "SHA-256" will be listed in the filemod section.
Additional Information
Filemod will be triggered when the file was copied to the system so you may need to include longer time frame to cover that modification. Sometime an alert will include the in-memory hash for a file and not the actual hash, this method will provide the actual hash.