
Implementing User-Defined Checks

If you have a monitoring requirement that cannot be met with the standard task types you may be able to realise it by scripting your own evaluation. Provided the script prints its result to STDOUT, the Check a Console Command task can inspect that output and raise an alert condition from it.

Where possible, ensure the script always prints something, and have the task test for a distinguishing text fragment that confirms the script executed correctly and that the rest of the output is therefore valid. This matters most when the task evaluates numeric results, which might otherwise match a number embedded in an unexpected error message (a PowerShell error, for example, reports the line and character position at which it occurred).

IMPORTANT: The script host is launched with extensive privilege, so the script it executes, and any scripts or modules that script in turn calls, must be located in a protected location that an unauthorized user cannot alter. Check the folder as well as the file: write access to the folder allows the file to be replaced or renamed even when the file's own ACL is tight.
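The following PowerShell script is an added example, not part of the original page, that performs the check the note above calls for: it audits the ACL on a check script and on the folder containing it, and reports any broadly-held principal that could modify either. The script path, the principal list and the output fragments are assumptions for illustration; extend the list with any local group that should not be able to edit your checks.

```powershell
# Added example (not from the original page): report whether a check script, or the
# folder it lives in, can be modified by broadly-held principals.
# $ScriptPath and $BroadPrincipals are assumptions; adjust them for your environment.
$ScriptPath = 'C:\Program Files\ACMECfg.bat'

$BroadPrincipals = @(
  'Everyone',
  'BUILTIN\Users',
  'NT AUTHORITY\Authenticated Users',
  'NT AUTHORITY\INTERACTIVE'
)

# Any of these rights lets the holder change the file, its ACL or its owner.
# Modify and FullControl contain the Write bits, so they are caught by the same test.
$WriteRights = [int]([System.Security.AccessControl.FileSystemRights]::Write -bor
  [System.Security.AccessControl.FileSystemRights]::Delete -bor
  [System.Security.AccessControl.FileSystemRights]::ChangePermissions -bor
  [System.Security.AccessControl.FileSystemRights]::TakeOwnership)

function Test-ScriptLocationProtected {
  param([Parameter(Mandatory = $true)][string]$Path)

  $findings = @()
  # The folder matters as much as the file: write access to the folder lets an
  # attacker replace the script even when the file's own ACL is restrictive.
  foreach ($item in @($Path, (Split-Path -Path $Path -Parent))) {
    if (-not (Test-Path -LiteralPath $item)) {
      $findings += "ALERT: Missing; $item"
      continue
    }
    $acl = Get-Acl -Path $item
    # The owner can always rewrite the ACL, so a broadly-held owner is a finding too.
    if ($BroadPrincipals -contains $acl.Owner) {
      $findings += "ALERT: Owned by $($acl.Owner); $item"
    }
    # $acl.Access includes inherited rules, which is what we want here.
    foreach ($rule in $acl.Access) {
      if ($rule.AccessControlType -ne 'Allow') { continue }
      if ($BroadPrincipals -notcontains $rule.IdentityReference.Value) { continue }
      if (([int]$rule.FileSystemRights -band $WriteRights) -ne 0) {
        $findings += "ALERT: $($rule.IdentityReference.Value) has $($rule.FileSystemRights); $item"
      }
    }
  }
  return $findings
}

# CHECK is printed first so the task can confirm the script ran at all.
Write-Output 'CHECK'
$results = @(Test-ScriptLocationProtected -Path $ScriptPath)
if ($results.Count -eq 0) {
  Write-Output 'ACL-OK'
} else {
  $results | Write-Output
}
```

Run it from the same privileged host as the check it protects, with a FAILURE rule on output that does not contain CHECK and a CAUTION rule on output that contains ALERT, in the same way as the registry example later on this page.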

Using a Batch File

The batch file illustrated here performs a binary comparison of two files;

@echo off
rem Both files must exist before anything is printed; exiting silently leaves
rem the task without the FILES-EXIST fragment and so triggers its FAILURE rule.
if not exist "C:\ProgramData\ACME\Current.cfg" exit
if not exist "C:\ProgramData\ACME\Compare.cfg" exit
echo FILES-EXIST
rem fc /b sets errorlevel 0 only when the files are byte-for-byte identical
rem (1 = they differ, 2 = could not compare); its own output is discarded.
fc /b "C:\ProgramData\ACME\Current.cfg" "C:\ProgramData\ACME\Compare.cfg" > NUL
if errorlevel 1 exit
echo FILES-MATCH

If both files are found and are identical the console output should be;

FILES-EXIST
FILES-MATCH

A task to execute this test and monitor the outcome might look like;

Check for ACME configuration file changes.

Task Parameters

Task Type: Check a Console Command

Execute: C:\Windows\System32\cmd.exe

Arguments: /c "C:\Program Files\ACMECfg.bat"

CAUTION On: (command) ...runs and its output; does not contain the fragment; FILES-MATCH

FAILURE On: (command) ...does not run or its output; does not contain the fragment; FILES-EXIST
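As an added example (not from the original page), the PowerShell script below generalises the batch comparison to any number of files, checking each against a SHA-256 hash recorded from a known-good state instead of against a second copy, while printing the same FILES-EXIST and FILES-MATCH fragments so the task rules above can be reused unchanged. The file list, the baseline path and the -Initialise switch are assumptions.

```powershell
# Added example (not from the original page): verify a set of configuration files
# against SHA-256 hashes recorded from a known-good state.
# $BaselinePath, $WatchedFiles and the -Initialise switch are assumptions.
param([switch]$Initialise)

# The baseline must live in the same protected location as the script; a baseline
# that an attacker can rewrite after tampering is no baseline at all.
$BaselinePath = 'C:\Program Files\ACMEBaseline.json'
$WatchedFiles = @(
  'C:\ProgramData\ACME\Current.cfg',
  'C:\ProgramData\ACME\Services.cfg'
)

function New-ConfigBaseline {
  # Run once, with -Initialise, while the files are known to be good.
  $hashes = @{}
  foreach ($file in $WatchedFiles) {
    $hashes[$file] = (Get-FileHash -LiteralPath $file -Algorithm SHA256).Hash
  }
  $hashes | ConvertTo-Json | Set-Content -Path $BaselinePath -Encoding UTF8
}

function Test-ConfigBaseline {
  $baseline = Get-Content -Path $BaselinePath -Raw | ConvertFrom-Json
  $missing = @()
  $changed = @()
  foreach ($file in $WatchedFiles) {
    if (-not (Test-Path -LiteralPath $file -PathType Leaf)) {
      $missing += $file
      continue
    }
    $actual = (Get-FileHash -LiteralPath $file -Algorithm SHA256).Hash
    $recorded = $baseline.PSObject.Properties[$file]
    # A file with no recorded hash is treated as changed rather than silently passed.
    if ($null -eq $recorded -or $recorded.Value -ne $actual) { $changed += $file }
  }
  # Same sentinel fragments as the batch example: FILES-EXIST only when every file is
  # present, FILES-MATCH only when every hash agrees; otherwise one ALERT line per file.
  if ($missing.Count -eq 0) { 'FILES-EXIST' } else { $missing | ForEach-Object { "ALERT: Missing; $_" } }
  if ($missing.Count -eq 0 -and $changed.Count -eq 0) { 'FILES-MATCH' } else { $changed | ForEach-Object { "ALERT: Modified; $_" } }
}

$ErrorActionPreference = 'Stop'
try {
  if ($Initialise) { New-ConfigBaseline; 'BASELINE-WRITTEN' } else { Test-ConfigBaseline }
} catch {
  # Any failure (unreadable baseline, access denied) is reported as an ALERT and
  # neither sentinel is printed, so the task's FAILURE rule fires.
  "ALERT: Check failed; $($_.Exception.Message)"
}
```

Record the baseline once, from a trusted state, by running the script with -Initialise (for example, powershell.exe -NoProfile -ExecutionPolicy Bypass -File "C:\Program Files\ACMEHash.ps1" -Initialise); thereafter run it without the switch under the same CAUTION and FAILURE rules as the batch task.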


Using VBScript or JScript (Monitoring Registry Values)

The following VBScript examines the HKLM registry startup (Run) keys and alerts on any value that is not in its approved list, or whose data differs from the approved command. It inspects only the native view of HKLM; on 64-bit Windows the Wow6432Node Run keys used by 32-bit software, and the per-user HKCU Run keys, are separate autostart locations that this script does not cover;

Option Explicit

Const HKLM = &H80000002

Dim objRegistry, objApproved, strKey, strName, strValue, arrValues, arrTypes

Set objRegistry = GetObject("WinMgmts:Root\Default:StdRegProv")
Set objApproved = CreateObject("Scripting.Dictionary")

' Registry value names are case-insensitive, so compare dictionary keys the same
' way; the default binary comparison would raise a false ALERT for "windowsdefender".
objApproved.CompareMode = vbTextCompare

' Approved startup items: value name -> expected command. Extend as required.
objApproved.Add "WindowsDefender", "%ProgramFiles%\Windows Defender\MSASCuiL.exe"

' Printed first so the task can confirm the script ran (see the FAILURE rule below).
WScript.Echo "CHECK"

For Each strKey In Array( _
  "Software\Microsoft\Windows\CurrentVersion\Run", _
  "Software\Microsoft\Windows\CurrentVersion\RunOnce", _
  "Software\Microsoft\Windows\CurrentVersion\RunServices", _
  "Software\Microsoft\Windows\CurrentVersion\RunServicesOnce" _
)
  ' EnumValues returns 0 on success; arrValues is Null when the key holds no values.
  If objRegistry.EnumValues(HKLM, strKey, arrValues, arrTypes) = 0 Then
    If IsArray(arrValues) Then
      For Each strName In arrValues
        If Not objApproved.Exists(strName) Then
          WScript.Echo "ALERT: New startup item; " & strName
        ElseIf objRegistry.GetStringValue(HKLM, strKey, strName, strValue) <> 0 Then
          WScript.Echo "ALERT: Failed to read; " & strName
        ElseIf objApproved.Item(strName) <> strValue Then
          WScript.Echo "ALERT: Modified entry; " & strName
        End If
      Next
    End If
  End If
Next

And should yield CHECK followed by any detected changes (prefixed with ALERT);

CHECK
ALERT: New startup item; NvBackend

The task depicted below might be used to execute this script and monitor the outcome. Note the use of the command-line script host (cscript.exe) and the //NoLogo parameter, which suppresses the host's start-up banner so that it cannot be mistaken for script output;

Check for new or modified registry startup items.

Task Parameters

Task Type: Check a Console Command

Execute: C:\Windows\System32\cscript.exe

Arguments: //NoLogo "C:\Program Files\RegRun.vbs"

CAUTION On: (command) ...runs and its output; contains the fragment; ALERT

FAILURE On: (command) ...does not run or its output; does not contain the fragment; CHECK


Using PowerShell (Monitoring SSL Certificate Expiry)

The following PowerShell script enumerates the certificates in the Personal store of the Local Computer and lists those that will expire within 2 weeks, prefixing each with the number of days until (or, as a negative value, since) expiry.

# Enumerate the Local Computer Personal store and report certificates expiring
# within 14 days; the day count is negative for certificates that have already expired.
Get-ChildItem -Path Cert:\LocalMachine\My | ForEach-Object {
  $ExpiringInDays = (New-TimeSpan -End $_.NotAfter).Days
  If ($ExpiringInDays -lt 14) {
    # Write to the output stream rather than the host so the text is reliably
    # captured; the day count leads so the numeric rule below can parse it.
    Write-Output "$ExpiringInDays $($_.Subject)"
  }
}

This may return nothing or one or more results in the form;

-3 CN=localhost
11 CN=*.winserverwingman.net

The task below raises a CAUTION if at least one certificate is listed and a FAILURE if any of those has already expired or will expire in less than 7 days. Note the -ExecutionPolicy setting on the command line, which permits this script to run without requiring a persistent policy change, and -NoProfile, which prevents the privileged host from loading any profile scripts before the check runs. Because the script prints nothing when no certificate is close to expiry, no fragment confirms that it actually ran; where that matters, print a fixed fragment first (as the registry script prints CHECK) and add a FAILURE rule for its absence;

Check for expiring SSL certificates.

Task Parameters

Task Type: Check a Console Command

Execute: powershell.exe

Arguments: -NoProfile -ExecutionPolicy Bypass -File "C:\Program Files\SSLExpiry.ps1"

CAUTION On: (command) ...runs and its output; contains the fragment; CN=

FAILURE On: (command) ...runs and its output; is numerically less than; [Min:1st]7


20 September 2016