Check File integrity with Nessus (on Windows with Get-FileHash and AUDIT_FILEHASH_POWERSHELL)

Objective

  • Monitor file integrity by generating a file hash and verifying it with Nessus

Generating file hash

You can create a file hash with the PowerShell cmdlet Get-FileHash:

C:\Program Files (x86)\Notepad++> Get-FileHash -Algorithm SHA256 .\notepad++.exe
 
Algorithm Hash Path 
--------- ---- ---- 
SHA256 909414AE2B17407EABBD26E89862F230757B2D84E0EB91FE42D05B80764D4181 C:\Program Files (x86)\Notepad++\notepad++.exe

To do this recursively for a folder (with $directory set to the folder to scan):

C:\Program Files (x86)\Notepad++> Get-ChildItem $directory -File -Recurse | select pspath |Get-FileHash
 
Algorithm Hash Path 
--------- ---- ---- 
SHA256 7E5CE8864BBEB2FAAB7617C9C87ED26268FFEB67D624529D67CBA968E6F8165F C:\Program Files (x86)\Notepad++\change.log 
SHA256 5CF968F202DB417D3EDB7A120FC878BE303AD4EE018D2B8E049A5E22D9AF32AD C:\Program Files (x86)\Notepad++\config.model.xml 
SHA256 1EB58D72EE0D7C5E1D51CF7EE98E31B31F545383E2842E4E6184675F341A9BA1 C:\Program Files (x86)\Notepad++\contextMenu.xml 
SHA256 767F1FB0BFAA1EED831F152B91C1C0D9A5D9416FD36580DDF3F86560D263E1F8 C:\Program Files (x86)\Notepad++\functionList.xml 
SHA256 E5F5CABF66660B46814F38F35F7695E35F3B7BD0798F2371E08D5966FD1C3F26 C:\Program Files (x86)\Notepad++\langs.model.xml 
SHA256 B2A74140769DC8BD34CB72BD2D177E58522E69427F39651B738011F244F835BD C:\Program Files (x86)\Notepad++\LICENSE 
SHA256 909414AE2B17407EABBD26E89862F230757B2D84E0EB91FE42D05B80764D4181 C:\Program Files (x86)\Notepad++\notepad++.exe
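Get-FileHash on its own only produces the current hash; integrity monitoring needs a recorded baseline to compare against. The following is an added example (not code from the original page) that stores a SHA256 baseline of a folder in a CSV file and later reports files that were added, removed or modified. The folder and baseline paths are assumptions for illustration.

```powershell
# Added example: SHA256 baseline of a folder and a later comparison.
# $directory and $baseline are illustrative assumptions, not values from the page.
$directory = "C:\Program Files (x86)\Notepad++"
$baseline  = "C:\temp\notepadpp-baseline.csv"

function New-FileHashBaseline {
    param([string]$Path, [string]$BaselineFile)
    # Hash every file below $Path and keep only the path and hash
    Get-ChildItem -LiteralPath $Path -File -Recurse |
        Get-FileHash -Algorithm SHA256 |
        Select-Object Path, Hash |
        Export-Csv -LiteralPath $BaselineFile -NoTypeInformation
}

function Compare-FileHashBaseline {
    param([string]$Path, [string]$BaselineFile)
    # Lookup table of the recorded hashes, keyed on the full path
    $known = @{}
    Import-Csv -LiteralPath $BaselineFile | ForEach-Object { $known[$_.Path] = $_.Hash }

    $seen = @{}
    foreach ($f in Get-ChildItem -LiteralPath $Path -File -Recurse) {
        $h = (Get-FileHash -LiteralPath $f.FullName -Algorithm SHA256).Hash
        $seen[$f.FullName] = $true
        if (-not $known.ContainsKey($f.FullName)) {
            # File exists now but was not in the baseline
            [pscustomobject]@{ Status = 'Added';    Path = $f.FullName; Expected = $null;              Actual = $h }
        } elseif ($known[$f.FullName] -ne $h) {
            # File was in the baseline but its content changed
            [pscustomobject]@{ Status = 'Modified'; Path = $f.FullName; Expected = $known[$f.FullName]; Actual = $h }
        }
    }
    foreach ($p in $known.Keys) {
        if (-not $seen.ContainsKey($p)) {
            # File was in the baseline but no longer exists
            [pscustomobject]@{ Status = 'Removed'; Path = $p; Expected = $known[$p]; Actual = $null }
        }
    }
}

# Usage: run once to record the baseline, then again later to compare.
# New-FileHashBaseline -Path $directory -BaselineFile $baseline
# Compare-FileHashBaseline -Path $directory -BaselineFile $baseline | Format-Table -AutoSize
```

Files that are unchanged produce no output, so an empty result from Compare-FileHashBaseline means the folder still matches the baseline. Keep the baseline CSV somewhere the monitored host cannot modify it, otherwise an attacker who changes a file can update the baseline as well.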

Nessus Auditfile Check

You can verify file hashes with Nessus via a Nessus auditfile: each custom_item of type AUDIT_FILEHASH_POWERSHELL names a file and the expected hash in value_data. Example:

<custom_item>
 type : AUDIT_FILEHASH_POWERSHELL
 description : "File Hash Check C:\Program Files (x86)\Notepad++\notepad++.exe"
 value_type : POLICY_TEXT
 file: "C:\Program Files (x86)\Notepad++\notepad++.exe"
 value_data : "909414AE2B17407EABBD26E89862F230757B2D84E0EB91FE42D05B80764D4181"
 hash_algorithm : SHA256
</custom_item>

Generating an auditfile for a folder with PowerShell

The following PowerShell script generates an auditfile for the given directory:

$auditfile = "C:\temp\filehash.audit"
$directory = "C:\Program Files (x86)\Notepad++"

# Hash every file below $directory (SHA256 is the Get-FileHash default, stated explicitly here)
$files = @(Get-ChildItem $directory -File -Recurse | Select-Object PSPath | Get-FileHash -Algorithm SHA256)

# Auditfile header and footer; an empty string produces a blank line
$header = '<check_type: "Windows" version:"2">', '<group_policy: "MS Windows Server">', ''
$footer = '</group_policy>', '</check_type>'

# One custom_item of type AUDIT_FILEHASH_POWERSHELL per hashed file
$checks = $files | ForEach-Object {
 '<custom_item>'
 ' type : AUDIT_FILEHASH_POWERSHELL'
 ' description : "File Hash Check ' + $_.Path + '"'
 ' value_type : POLICY_TEXT'
 ' file: "' + $_.Path + '"'
 ' value_data : "' + $_.Hash + '"'
 ' hash_algorithm : SHA256'
 '</custom_item>'
 ''
}

# Out-File -Encoding UTF8 writes a Byte-Order Mark (BOM) and Nessus will not
# process an auditfile that starts with one, so the lines are written with a
# BOM-less UTF-8 encoding instead
$Utf8NoBomEncoding = New-Object System.Text.UTF8Encoding $False
[System.IO.File]::WriteAllLines($auditfile, [string[]]($header + $checks + $footer), $Utf8NoBomEncoding)
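Before uploading the generated auditfile to Nessus it is worth confirming that every item parses and still matches the files on disk. The following is an added example (not code from the original page or from Tenable) that reads the custom_item blocks back out of the .audit file and runs the same hash comparison locally; only the file, value_data and hash_algorithm keys are interpreted. The auditfile path is an assumption for illustration.

```powershell
# Added example: parse the generated .audit file and verify each item locally.
# $auditfile is an illustrative assumption, not a value from the page.
$auditfile = "C:\temp\filehash.audit"

function Read-FileHashAudit {
    param([string]$AuditFile)
    # Emits one object per <custom_item> that carries a file path and an expected hash
    $item = $null
    foreach ($line in Get-Content -LiteralPath $AuditFile) {
        switch -Regex ($line) {
            '^\s*<custom_item>\s*$'              { $item = @{ Algorithm = 'SHA256' } }   # default algorithm
            '^\s*file\s*:\s*"(.*)"\s*$'          { if ($null -ne $item) { $item.File = $Matches[1] } }
            '^\s*value_data\s*:\s*"(.*)"\s*$'    { if ($null -ne $item) { $item.Hash = $Matches[1] } }
            '^\s*hash_algorithm\s*:\s*(\w+)\s*$' { if ($null -ne $item) { $item.Algorithm = $Matches[1] } }
            '^\s*</custom_item>\s*$'             {
                if ($null -ne $item -and $item.File -and $item.Hash) { [pscustomobject]$item }
                $item = $null
            }
        }
    }
}

function Test-FileHashAudit {
    param([string]$AuditFile)
    # Recomputes each file's hash with the algorithm named in the item and reports the outcome
    foreach ($check in Read-FileHashAudit -AuditFile $AuditFile) {
        if (-not (Test-Path -LiteralPath $check.File -PathType Leaf)) {
            $status = 'MISSING'
            $actual = $null
        } else {
            $actual = (Get-FileHash -LiteralPath $check.File -Algorithm $check.Algorithm).Hash
            $status = if ($actual -eq $check.Hash) { 'PASSED' } else { 'FAILED' }
        }
        [pscustomobject]@{ Status = $status; File = $check.File; Expected = $check.Hash; Actual = $actual }
    }
}

# Usage:
# Test-FileHashAudit -AuditFile $auditfile | Format-Table -AutoSize
```

A FAILED or MISSING row right after generating the auditfile means the generator script and the file system disagree (for example a path with characters the audit format does not accept), which is cheaper to find here than in a Nessus scan result. Any FAILED row in a later run is exactly the change the Nessus check is meant to surface.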