Objective
- Target your Nessus Auditfile checks to a specific OU or DC
After Group Policy is applied to a Windows computer, the computer's distinguished name is stored in the Distinguished-Name value of the following registry key:
HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Group Policy\State\Machine
You can get the value with the following PowerShell command:
get-itemproperty "HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Group Policy\State\Machine" | Select Distinguished-Name | ft -HideTableHeaders
Nessus Auditfile Check
The PowerShell command can easily be converted to a Nessus Auditfile check and used in a condition check.
<custom_item>
  type            : AUDIT_POWERSHELL
  description     : "Test Distinguished-Name is OU=Domain Controllers,DC=test,DC=local"
  value_type      : POLICY_TEXT
  value_data      : "OU=Domain Controllers,DC=test,DC=local"
  powershell_args : 'get-itemproperty \'HKLM:\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Group\ Policy\\State\\Machine\' | Select Distinguished-Name | ft -HideTableHeaders '
  check_type      : CHECK_REGEX
</custom_item>
A short introduction to Nessus Auditfile conditions can be found here.
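How the check above sits inside a condition, as an added example that is not from the original post: the Distinguished-Name test goes in the condition block, and the OU-specific checks go in the then block. The NoLMHash registry check and the report text are illustrative choices made for this example.

```text
# Added example: run OU-specific checks only when the host's
# Distinguished-Name matches the target OU.
<if>
  <condition type:"AND">
    # The check from this page, used as the condition.
    <custom_item>
      type            : AUDIT_POWERSHELL
      description     : "Test Distinguished-Name is OU=Domain Controllers,DC=test,DC=local"
      value_type      : POLICY_TEXT
      value_data      : "OU=Domain Controllers,DC=test,DC=local"
      powershell_args : 'get-itemproperty \'HKLM:\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Group\ Policy\\State\\Machine\' | Select Distinguished-Name | ft -HideTableHeaders '
      check_type      : CHECK_REGEX
    </custom_item>
  </condition>

  <then>
    # Illustrative check for hosts in the target OU (chosen for this example).
    <custom_item>
      type        : REGISTRY_SETTING
      description : "Do not store LAN Manager hash value on next password change"
      value_type  : POLICY_DWORD
      value_data  : 1
      reg_key     : "HKLM\SYSTEM\CurrentControlSet\Control\Lsa"
      reg_item    : "NoLMHash"
    </custom_item>
  </then>

  <else>
    # Make the skipped scope visible in the scan results.
    <report type:"WARNING">
      description : "Host is not in OU=Domain Controllers,DC=test,DC=local; OU-specific checks skipped"
    </report>
  </else>
</if>
```

Because check_type is CHECK_REGEX, value_data matches anywhere in the command output, so a host in a child OU of the target OU also satisfies the condition.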