

I had an interesting customer request recently – to monitor for a specific system file, and make SURE it is not a modified/threat file. You can use this as a simple example of a two-state timed script monitor (using VBScript) which demonstrates script arguments, logging, alerting, propertybag outputs, etc.

In this case – there is a file located at %windir%\system32\sethc.exe. This is the "Sticky Keys" UI that pops up when you press the Shift key 5 times. There are several articles out there on how to create a "back door" by swapping this file out with cmd.exe, which opens a command prompt without logging into the system if you have access to the console.

In this case – the customer wanted to monitor for any changes to this file. I started by writing a script using VBScript, so it will work on Server 2003, 2008, 2008 R2, 2012, and 2012 R2. The script calls CertUtil.exe, which will generate the hash for any file. Then the script compares this file hash to a list of "known good" hashes. The script accepts two arguments: the file path, and the comma separated list of known good hashes.

' File Hash monitoring script
' Kevin Holman
' 5/2016

Option Explicit

Dim oArgs, filepath, paramHashes, oAPI, oBag, strCommand, oShell
Dim strHashCmd, strHashLine, strHashOut, strHash, HashesArray, Hash, strMatch

' Accept arguments for the file path, and known good hashes in comma delimited format
Set oArgs = WScript.Arguments
filepath = oArgs(0)
paramHashes = oArgs(1)

' Load MOMScript API and PropertyBag function
Set oAPI = CreateObject("MOM.ScriptAPI")
Set oBag = oAPI.CreatePropertyBag()

' Log script event that we are starting task
Call oAPI.LogScriptEvent("filehashcheck.vbs", 3322, 0, "Starting hashfile script with filepath: " & filepath & " with known good hashes: " & paramHashes)

' Build the command to run for CertUtil (with no algorithm argument CertUtil defaults to SHA1,
' so the known good list must contain SHA1 hashes)
strCommand = "%windir%\system32\certutil.exe -hashfile " & filepath

' Create the WScript Shell object and execute the command
Set oShell = WScript.CreateObject("WScript.Shell")
Set strHashCmd = oShell.Exec(strCommand)

' Parse the output of CertUtil and keep only the line with the hash:
' the header line contains "SHA" and the status line contains "CertUtil"
strHashOut = ""
Do While Not strHashCmd.StdOut.AtEndOfStream
  strHashLine = strHashCmd.StdOut.ReadLine
  If InStr(strHashLine, "SHA") Then
    ' skip
  ElseIf InStr(strHashLine, "CertUtil") Then
    ' skip
  Else
    strHashOut = strHashLine
  End If
Loop

' Remove spaces from the hash (older CertUtil versions print a space between each byte)
strHash = Replace(strHashOut, " ", "")

' Split the comma separated hashlist parameter into an array
HashesArray = Split(paramHashes, ",")

' Loop through the array and see if our file hash matches any known good hash
' (trim stray spaces and compare case-insensitively, since CertUtil prints lowercase hex)
strMatch = "false"
For Each Hash In HashesArray
  If StrComp(strHash, Trim(Hash), vbTextCompare) = 0 Then
    strMatch = "true"
  End If
Next

' Return the result in the property bag (assumed minimal ending: the copy of the
' script captured on this page stops at the loop above)
Call oBag.AddValue("FileHash", strHash)
Call oBag.AddValue("Match", strMatch)
Call oAPI.Return(oBag)
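The parse-then-compare step of the monitor (keep the one CertUtil output line that is neither the "SHA" header nor the "CertUtil" status line, strip the spaces, then look for it in the known good list) as an added stand-alone illustration in Python; it is not the author's VBScript, the CertUtil output samples are constructed, and it also handles the case where CertUtil printed an error message instead of a digest.

```python
import re

# Constructed CertUtil output in the two layouts seen across Windows versions:
# older releases print the digest bytes separated by spaces, newer ones joined.
DIGEST = "0123456789abcdef0123456789abcdef01234567"  # constructed SHA1-length value
CERTUTIL_OLD = (
    "SHA1 hash of file C:\\Windows\\System32\\sethc.exe:\n"
    "01 23 45 67 89 ab cd ef 01 23 45 67 89 ab cd ef 01 23 45 67\n"
    "CertUtil: -hashfile command completed successfully.\n"
)
CERTUTIL_NEW = (
    "SHA1 hash of C:\\Windows\\System32\\sethc.exe:\n"
    f"{DIGEST}\n"
    "CertUtil: -hashfile command completed successfully.\n"
)
CERTUTIL_FAILED = (  # e.g. the monitored file is missing
    "CertUtil: -hashfile command FAILED: 0x80070002 (WIN32: 2)\n"
    "The system cannot find the file specified.\n"
)


def parse_certutil_hash(output):
    """Same line filter as the monitor script, plus a hex check so an error
    message is reported as 'no digest' (None) rather than compared as a hash."""
    candidate = ""
    for line in output.splitlines():
        if "SHA" in line or "CertUtil" in line:
            continue  # header line or status line
        candidate = line.replace(" ", "")  # last remaining line wins
    if re.fullmatch(r"[0-9A-Fa-f]{32,128}", candidate):
        return candidate.lower()
    return None


def parse_known_good(param_hashes):
    """Split the comma-delimited list, tolerating stray spaces and upper case."""
    return {h.strip().lower() for h in param_hashes.split(",") if h.strip()}


def check_file_hash(output, param_hashes):
    """Return the two values the monitor's property bag carries."""
    digest = parse_certutil_hash(output)
    matched = digest is not None and digest in parse_known_good(param_hashes)
    return {"FileHash": digest or "", "Match": "true" if matched else "false"}
```

A "false" Match with an empty FileHash therefore means CertUtil could not hash the file at all, which is worth alerting on separately from a genuine mismatch.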
