Distinguished-Name Condition Check for Nessus Audit file

Objective

  • Target your Nessus Auditfile checks to a specific OU or DC

After Group Policy has been applied to a Windows computer, its Distinguished-Name is stored under the following registry key:

Key:   HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Group Policy\State\Machine
Value: Distinguished-Name

You can read the value with the following PowerShell command:

get-itemproperty "HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Group Policy\State\Machine" | 
Select Distinguished-Name | 
ft -HideTableHeaders

Nessus Auditfile Check

The PowerShell command can easily be converted into a Nessus Auditfile check, which can then be used in a condition check:

<custom_item>
 type : AUDIT_POWERSHELL
 description : "Test Distinguished-Name is OU=Domain Controllers,DC=test,DC=local"
 value_type : POLICY_TEXT
 value_data : "OU=Domain Controllers,DC=test,DC=local"
 powershell_args: 'get-itemproperty \'HKLM:\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Group\ Policy\\State\\Machine\' | Select Distinguished-Name | ft -HideTableHeaders '
 check_type : CHECK_REGEX
</custom_item>
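Used as a condition, the item above decides which checks run on a host. This is an added example, not from the original post: the then branch holds checks that only apply to domain controllers (the LDAP server signing registry check is an illustrative choice for this example), and the else branch reports non-DC hosts as out of scope. The registry value holds the computer's full DN (CN=host,OU=...), so the substring match of CHECK_REGEX is what makes the OU suffix comparison work.

```text
# Added example: run Domain Controller checks only on hosts whose computer object
# sits in OU=Domain Controllers,DC=test,DC=local (adapt the DN to your domain).
<if>
 <condition type:"AND">
  # Same check as above: the registry value holds the computer's full DN
  # (CN=<host>,OU=...), and CHECK_REGEX matches the OU/DC suffix as a substring.
  <custom_item>
   type : AUDIT_POWERSHELL
   description : "Condition: host is in OU=Domain Controllers,DC=test,DC=local"
   value_type : POLICY_TEXT
   value_data : "OU=Domain Controllers,DC=test,DC=local"
   powershell_args: 'get-itemproperty \'HKLM:\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Group\ Policy\\State\\Machine\' | Select Distinguished-Name | ft -HideTableHeaders '
   check_type : CHECK_REGEX
  </custom_item>
 </condition>
 <then>
  # Checks that only make sense on a domain controller go here.
  # Illustrative example chosen for this block: require LDAP server signing.
  <custom_item>
   type : REGISTRY_SETTING
   description : "Domain controller: LDAP server signing requirements = Require signing"
   value_type : POLICY_DWORD
   value_data : 2
   reg_key : "HKLM\SYSTEM\CurrentControlSet\Services\NTDS\Parameters"
   reg_item : "LDAPServerIntegrity"
  </custom_item>
 </then>
 <else>
  # Non-DC hosts (and hosts where Group Policy never ran, so the value is missing)
  # are reported as out of scope instead of failing the DC-only checks.
  <report type:"WARNING">
   description : "Host is not in OU=Domain Controllers,DC=test,DC=local; DC checks skipped"
  </report>
 </else>
</if>
```

Because the condition is an AUDIT_POWERSHELL item, the scan credentials must allow remote PowerShell execution on the target, otherwise every host falls into the else branch.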

A short introduction to Nessus Auditfile conditions can be found here.