File Integrity Monitoring – With PowerShell – Arnold

File Integrity Monitoring is a process of ensuring files are maintaining their integrity. This is to ensure that they have not been changed or tampered with in an unauthorized way. For example, with FIM, you could have alerts sent to you if critical system files have been changed without your consent. If critical system files have been changed without your consent, that could mean that you have a malware, an attacker, etc.

Why would you want File Integrity Monitoring system/application? Here’s why:

It allows you to detect security breaches or malware early before they cause too much damage
Improves your incident response time
Visibility into changes that have been made to critical files

So today with PowerShell, we are making a basic FIM (File Integrity Monitor.) I will be breaking down the script

This first chunk of code prompts you to select an option, A or B.

This second chunk wait for you to enter one of the options. So for example, if you enter “X”, it will prompt you again to choose A or B

This function takes a file path and uses the Get-FileHash cmdlet to calculate the SHA – 512 hash of the file. It then returns the result hash.

This function checks if a baseline.txt file already exists and deletes if it does.

This if statement checks if the user’s response is A, it will delete the baseline.txt file if it already exists within the folder. It will also then calculate the SHA-512 hash for each file and write each one in baseline.txt. Then finally it will print out to the user “Calculate Hashes, make new baseline.txt.”

This elseif statement begins to run when the user selects ‘B’. An empty dictionary is created to store file paths and matches them to the hash value. Then the Get-Content reads the information stored in baseline.txt and then stores them in the filepathsandhashes array. The for each loop says that for each file in the filePathsAndHashes array the file path will be the key and the hash will be the value.

This is whatthe baseline file lookslike. It hsa the file path as the key and a hash value as the value for that key. Split by a pipe |

This chunk of code will be a continuous loop and will not stop. The Get-ChildItem will get files in the files directory. Then for each file the Calculate-File-Hash function is called to get the hash value of the file, which then is stored into the $hash variable.

If the file path does not exist in the dictionary, it will assume that a new file has been created and it will alert the user that a new file has been created in green text.

If the a file has been changed it will assume the file has been compromised and will notify the user that the file has been changed in yellow text. It does this by constantly checking back every 1 second with the baseline.txt and making sure that the filepath and the corresponding hash values in the files directory matches with the ones in the dictionary we made.

The final chunk of code is responsible for checking if one of the baseline files has been deleted. It checks the fileHashDictionary and makes sure it matches with the values in the baseline.txt. If it sees that one is missing it will alert the user that a file has been deleted in red text.

There are lots of ways to make this script a lot better or more realistic, such as instead of notifying the user in the console, it could send you an email, or send you a text. I tried making it send an email, the script had a few syntax errors that I was able fix but I couldn’t figure out why it wasn’t sending the emails. Maybe a port is blocked? Or a firewall is somehow stopping this action? Not sure.

In conclusion, File Integrity Monitoring is to ensure that important files have not been changed or tampered with in an unauthorized way, and can greatly improve security as your team can lower their incident response time, further lowering the chances of a costly security breach.

Leave a Reply Cancel reply