PowerShell Security: Detecting File Tampering


With PowerShell 5.1, two new cmdlets have been added to the Microsoft.PowerShell.Security module which allow you to generate and validate Windows catalog files.

  • New-FileCatalog
  • Test-FileCatalog

A Windows catalog file contains hashes for all files in a specified path and can be used to validate whether any changes were made to those files (after the catalog was created).
Typically, the catalog file is digitally signed to guarantee authenticity.

Users can distribute the set of files and folders along with the corresponding catalog file, and the recipient can validate whether any changes were made to the folders after the catalog was created.

Windows catalog files exist in 2 versions:

  • Version 1 uses the SHA1 hashing algorithm to create file hashes.
  • Version 2 uses the SHA256 hashing algorithm to create file hashes.

NOTE: Catalog version 2 is not supported on Windows Server 2008 R2 or Windows 7 and below.
Catalog version 2 should be used on Windows 8, Windows Server 2012 and later operating systems.

Let’s run through these 2 new cmdlets.

New-FileCatalog

This cmdlet creates a Windows catalog file for a set of folders and files. This catalog file contains hashes for all files in the specified path.
This allows you to distribute a set of files/folders with a corresponding catalog file representing those files/folders.
This information is useful to validate whether any changes have been made to the folders since catalog creation time.

To create the file catalog of the defined path 'C:\Tools', type

$FileCatalog = New-FileCatalog -CatalogFilePath 'myCatalog.cat' -Path 'C:\Tools' -CatalogVersion 2

To retrieve the (code signing) certificate to sign the catalog with, type

$Certificate = Get-ChildItem -Path Cert:\CurrentUser\My -CodeSigningCert

To sign the catalog with the retrieved certificate, type

Set-AuthenticodeSignature -Certificate $Certificate -FilePath $FileCatalog

Now, we have a catalog file.

[Figures: unsigned catalog; signed catalog.]

To validate the catalog file, let's have a look at the cmdlet 'Test-FileCatalog'.

Test-FileCatalog

This cmdlet validates the catalog file by comparing the hashes of all files listed in the catalog with the files saved on disk.
If it detects any mismatch between file hashes and paths, it returns a status of ValidationFailed; otherwise it returns Valid.

To verify the integrity of the catalog file, type

Test-FileCatalog -CatalogFilePath 'myCatalog.cat' -Path 'C:\Tools'

Users can retrieve more detailed information using the -Detailed switch.
This will display the catalog items versus the 'Path Items', the hashing algorithm (SHA1 for version 1 or SHA256 for version 2) and the digital signature.
The signing status of the catalog, displayed in the 'Signature' property, is the same as the result of calling the Get-AuthenticodeSignature cmdlet on the catalog file.

For more detailed validation information, type

Test-FileCatalog -CatalogFilePath 'myCatalog.cat' -Path 'C:\Tools' -Detailed
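The whole workflow end to end, as an added example that is not part of the original post: build a catalog for a scratch folder, sign it if a code-signing certificate is present, validate it, tamper with one file, validate again, and use the -Detailed output to name the file that changed. The scratch folder under $env:TEMP, the two sample files and the 'CatalogDemo' names are assumptions made for this example; it expects PowerShell 5.1 on Windows 8 / Windows Server 2012 or later, since it uses catalog version 2.

```powershell
# Added example, not from the original post.
# Assumptions: PowerShell 5.1 on Windows 8 / Server 2012 or later (catalog v2),
# a writable $env:TEMP, and optionally a code-signing cert in Cert:\CurrentUser\My.

# Constructed sample content to protect with a catalog.
$Root = Join-Path $env:TEMP 'CatalogDemo'
New-Item -ItemType Directory -Path $Root -Force | Out-Null
Set-Content -Path (Join-Path $Root 'tool.ps1')   -Value 'Write-Output "hello"'
Set-Content -Path (Join-Path $Root 'config.txt') -Value 'setting=1'

# Keep the catalog outside the folder it describes so it does not hash itself.
$CatalogPath = Join-Path $env:TEMP 'CatalogDemo.cat'
$Catalog = New-FileCatalog -CatalogFilePath $CatalogPath -Path $Root -CatalogVersion 2

# Sign if a code-signing certificate is available; otherwise Signature.Status is NotSigned.
$Certificate = Get-ChildItem -Path Cert:\CurrentUser\My -CodeSigningCert | Select-Object -First 1
if ($Certificate) {
    Set-AuthenticodeSignature -Certificate $Certificate -FilePath $Catalog.FullName | Out-Null
}

# Baseline check: expected to report Valid with HashAlgorithm SHA256.
$Before = Test-FileCatalog -CatalogFilePath $CatalogPath -Path $Root -Detailed
"Before tampering: {0} ({1})" -f $Before.Status, $Before.HashAlgorithm

# Simulate tampering by appending a line to one of the catalogued files.
Add-Content -Path (Join-Path $Root 'config.txt') -Value 'setting=2'

# Re-validate: expected to report ValidationFailed.
$After = Test-FileCatalog -CatalogFilePath $CatalogPath -Path $Root -Detailed
"After tampering:  {0}" -f $After.Status

# CatalogItems holds the hashes recorded in the catalog, PathItems the hashes
# computed from disk; both are keyed by the file's path relative to -Path.
foreach ($Key in $After.CatalogItems.Keys) {
    if (-not $After.PathItems.ContainsKey($Key)) {
        "Missing from disk: $Key"
    }
    elseif ($After.PathItems[$Key] -ne $After.CatalogItems[$Key]) {
        "Changed: $Key"
    }
}

# Files on disk that the catalog never covered (added after catalog creation).
$After.PathItems.Keys |
    Where-Object { -not $After.CatalogItems.ContainsKey($_) } |
    ForEach-Object { "Not in catalog: $_" }

# Same value Get-AuthenticodeSignature would report for the .cat file.
"Catalog signature status: $($After.Signature.Status)"
```

Running this prints Valid for the baseline and ValidationFailed after the append, with config.txt listed under "Changed:". Comparing CatalogItems against PathItems in both directions matters: a file that was deleted or added is as much a tampering signal as one whose hash changed, and the plain Status value alone does not tell you which case you are looking at.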

Hope this helps...
Kurt Roggen [BE]
