Windows 2012 R2 – Search for Files using MD5 Hash

Tags: hash, malware, md5, search, windows

My organization recently discovered malware that was sent to some users via email that managed to get past our email security in a sophisticated, targeted attack. The names of the files vary from user to user but we have collected a list of the common MD5 hashes among the malware files.

Just a shot in the dark — I was wondering if there's a way to find files based on their MD5 hashes rather than their file names, extensions, etc. via PowerShell... or any method. We are using Windows 2012 R2 for most of the servers in our data center.

Best Answer

Sure. You'll probably want to do something more useful than the following example though.

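# Known-bad hashes to look for. These sample values are 64 hex characters,
# i.e. SHA256, which is the Get-FileHash default algorithm.
$evilHashes = @(
    '4C51A173404C35B2E95E47F94C638D2D001219A0CE3D1583893E3DE3AFFDAFE0',
    'CA1DEE12FB9E7D1B6F4CC6F09137CE788158BCFBB60DED956D9CC081BE3E18B1'
)

# Hash every file under the path and keep those whose hash is in the list.
# To compare against MD5 values instead, pass -Algorithm MD5 to Get-FileHash.
Get-ChildItem -Recurse -Path C:\somepath |
    Get-FileHash |
        Where-Object { $_.Hash -in $evilHashes }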
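
Since the question asks about MD5 and `Get-FileHash` defaults to SHA256, here is an MD5 variant of the scan that also records files it could not read. It is an added example, not part of the original answer; the function name `Find-FileByMd5`, the demo directory and the file name are constructed for illustration, and the only hash used is the MD5 of zero bytes.

```powershell
# Added example (hypothetical helper; works on PowerShell 4.0 as shipped with 2012 R2).
function Find-FileByMd5 {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [string[]] $Path,   # directories to scan
        [Parameter(Mandatory)] [string[]] $Md5     # known-bad MD5 values, any case
    )
    # Case-insensitive set: indicator lists are often lowercase, Get-FileHash returns uppercase.
    $known = New-Object 'System.Collections.Generic.HashSet[string]' ([System.StringComparer]::OrdinalIgnoreCase)
    foreach ($h in $Md5) {
        $h = $h.Trim()
        # Reject anything that is not 32 hex characters (e.g. a SHA256 pasted by mistake).
        if ($h -notmatch '^[0-9a-fA-F]{32}$') { Write-Warning "Skipping non-MD5 value: $h"; continue }
        [void]$known.Add($h)
    }

    Get-ChildItem -Path $Path -Recurse -File -Force -ErrorAction SilentlyContinue -ErrorVariable +skipped |
        ForEach-Object {
            $file = $_
            # Locked or access-denied files raise non-terminating errors; collect them
            # so an unreadable file is reported instead of silently counted as clean.
            $hash = Get-FileHash -LiteralPath $file.FullName -Algorithm MD5 `
                        -ErrorAction SilentlyContinue -ErrorVariable +skipped
            if ($hash -and $known.Contains($hash.Hash)) {
                [pscustomobject]@{
                    Path             = $file.FullName
                    MD5              = $hash.Hash
                    Length           = $file.Length
                    LastWriteTimeUtc = $file.LastWriteTimeUtc
                }
            }
        }

    foreach ($e in $skipped) { Write-Warning "Not scanned: $($e.Exception.Message)" }
}

# Constructed demo: an empty file stands in for a sample, because the MD5 of
# zero bytes is the well-known value d41d8cd98f00b204e9800998ecf8427e.
$demo = Join-Path $env:TEMP 'md5-scan-demo'
New-Item -ItemType Directory -Path $demo -Force | Out-Null
New-Item -ItemType File -Path (Join-Path $demo 'invoice_renamed.doc') -Force | Out-Null

Find-FileByMd5 -Path $demo -Md5 'd41d8cd98f00b204e9800998ecf8427e' |
    Format-Table -AutoSize
```

Pipe the function's output to `Export-Csv` instead of `Format-Table` to keep a record per server; the warnings list files that still need to be checked another way.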