AlaskaMark
Engaged Sweeper
I have been trying to get Lansweeper to alert when the hosts file is modified but I'm striking out. Has anyone been successful with this?

Thanks
Mark
KrisNelson
Champion Sweeper
Here is a report I have (it may be a slightly modified Lansweeper default).

Select Top 1000000 tblAssets.AssetID,
    tblAssets.AssetName,
    tblAssets.Username,
    tblFileVersions.FilePathfull,
    tblFileVersions.Filesize,
    tblFileVersions.LastModified
From tblAssets
    Inner Join tblFileVersions On tblAssets.AssetID = tblFileVersions.AssetID
    Inner Join tblOperatingsystem On tblAssets.AssetID = tblOperatingsystem.AssetID
Where tblFileVersions.FilePathfull Like '%hosts%'          -- any scanned file whose path contains "hosts"
    And tblFileVersions.LastModified > GetDate() - 30      -- modified within the last 30 days
    And tblAssets.Assettype = -1                           -- Windows assets only (-1 is Windows in Lansweeper)
    And tblOperatingsystem.InstallDate < GetDate() - 30    -- skip machines installed in that window; a fresh OS writes hosts itself
Order By tblAssets.AssetName


In theory I could have that email me daily. But to be honest, it has a lot of false positives; I added the OS install date flag to remove some, but still every one I check on is blank.

Another way to do it would be to use RKCar's script as a basis and have it write that information as a critical or warning event log entry instead of emailing. You can then configure Lansweeper to email you an alert when it scans that device. This will get you the fastest results while still utilizing Lansweeper.

Otherwise if you want the fastest results RKCar has the best solution.

-Kris
grimstar
Champion Sweeper II
What are your requirements?

One or multiple devices?
"Instant" alert?

I don't think you will accomplish anything worthwhile from within Lansweeper unless you are ok with receiving a report like CyberCitizen detailed.

I think you could accomplish something via PowerShell, but you'll need to add a scheduled task to run at whatever interval you are ok with being alerted at. I just created an example of what a script might look like. It essentially takes an initial snapshot of the hash of your hosts file, and then when it is subsequently run, sends you an email if the hash of the hosts file is different than what was written to the file originally.

Testing was minimal and it could technically be circumvented if someone knew the process and modified the file manually. I'm sure there are better ways but I became interested and decided to do this.

#Variable Definition
$directoryPath  = 'C:\windows\temp'
$directoryName  = 'HostsFileCheck'
$fileName       = 'HostsFileCheck.txt'
$hostsPath      = 'C:\windows\system32\drivers\etc\hosts'
$checkDir       = Join-Path $directoryPath $directoryName
$checkFile      = Join-Path $checkDir $fileName
$directoryExist = Test-Path $checkDir
$fileExist      = Test-Path $checkFile

#Directory existence check. If it doesn't exist, create it.
#Note: C:\windows\temp is writable by ordinary users, so anyone who can edit hosts can also reset this reference file.
if ( $directoryExist -eq $False ) {
    New-Item -Path $directoryPath -Name $directoryName -ItemType Directory | Out-Null
}

#Check for the existence of our hash check reference file. If it doesn't exist, create it.
#(Out-File returns nothing, so there is no value to assign here; the hash lives only in the file.)
if ( $fileExist -eq $False ) {
    Get-FileHash $hostsPath -Algorithm SHA256 | Select-Object -ExpandProperty Hash | Out-File $checkFile
}

#If the file exists, pull the hash value written to it, as well as the hash of the current hosts file.
if ( $fileExist -eq $True ) {
    $content = (Get-Content $checkFile -Raw).Trim()
    $hash2   = Get-FileHash $hostsPath -Algorithm SHA256 | Select-Object -ExpandProperty Hash
}

#If the hash stored in the reference file does not match the current hash, send an email alert.
#(On the first run the reference file was just created, so no comparison is made.)
if ( $fileExist -eq $True -and $content -ne $hash2 ) {
    $Subject    = "HOSTS file modified - $env:COMPUTERNAME"
    $Message    = "The HOSTS file on $env:COMPUTERNAME has been modified. Please investigate if necessary. If this is intentional, the $fileName file must be deleted from: $checkFile in order to reset the hash check file."
    $From       = "anyemailEmail@Organization.com"
    $To         = "yourEmail@Organization.com"
    $SmtpServer = "mailserveraddress.com"
    Send-MailMessage -Subject $Subject -Body $Message -From $From -To $To -SmtpServer $SmtpServer
}
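The following is an added example, not grimstar's script and not anything Lansweeper ships: it combines the hash-baseline idea from the script above with Kris's suggestion of writing a Windows event instead of sending mail, so the inventory tool's event log scanning can raise the alert. It also keeps a copy of the baseline hosts file so the event says which entries changed, not just that the hash differs. Assumptions made here: the baseline lives under %ProgramData%\HostsFileCheck (owned by whoever creates it, typically SYSTEM from a scheduled task, so unprivileged users cannot overwrite it); the event source name "HostsFileCheck" and event IDs 1000/1001 are arbitrary; it targets Windows PowerShell 5.1, since Write-EventLog is not available in PowerShell 7; and the task must run elevated, which registering the event source and reading the hosts file require.

```powershell
# Added example (not from the original post). Run as SYSTEM or an administrator on a schedule.
# Assumed names: baseline directory, event source and event IDs are choices made for this example.

$HostsPath    = Join-Path $env:SystemRoot 'System32\drivers\etc\hosts'
$BaselineDir  = Join-Path $env:ProgramData 'HostsFileCheck'
$BaselineCopy = Join-Path $BaselineDir 'hosts.baseline'
$BaselineHash = Join-Path $BaselineDir 'hosts.sha256'
$EventLogName = 'Application'
$EventSource  = 'HostsFileCheck'   # assumed name; pick whatever your alerting tool filters on

function Get-HostsHash {
    param([string]$Path)
    (Get-FileHash -Path $Path -Algorithm SHA256).Hash
}

# Register the event source once so Write-EventLog is accepted (needs elevation).
if (-not [System.Diagnostics.EventLog]::SourceExists($EventSource)) {
    New-EventLog -LogName $EventLogName -Source $EventSource
}

if (-not (Test-Path $BaselineDir)) {
    New-Item -Path $BaselineDir -ItemType Directory -Force | Out-Null
}

$current = Get-HostsHash -Path $HostsPath

if (-not (Test-Path $BaselineHash)) {
    # First run: record the hash and keep a copy of the file so later runs can show a diff.
    Set-Content -Path $BaselineHash -Value $current -Encoding ASCII
    Copy-Item -Path $HostsPath -Destination $BaselineCopy -Force
    Write-EventLog -LogName $EventLogName -Source $EventSource -EventId 1000 -EntryType Information `
        -Message "hosts baseline recorded on $env:COMPUTERNAME (SHA256 $current)."
    return
}

$baseline = (Get-Content -Path $BaselineHash -Raw).Trim()

if ($current -eq $baseline) {
    return   # unchanged, nothing to report
}

# The file changed. Compare active entries only (blank lines and comments ignored);
# @() keeps Compare-Object happy when one side has no active entries, as a stock hosts file does.
$old = @(Get-Content $BaselineCopy | Where-Object { $_ -match '\S' -and $_ -notmatch '^\s*#' })
$new = @(Get-Content $HostsPath    | Where-Object { $_ -match '\S' -and $_ -notmatch '^\s*#' })
$changes = Compare-Object -ReferenceObject $old -DifferenceObject $new | ForEach-Object {
    $sign = if ($_.SideIndicator -eq '=>') { '+' } else { '-' }
    "{0} {1}" -f $sign, $_.InputObject
}

$message = @"
The hosts file on $env:COMPUTERNAME has changed.
Baseline SHA256: $baseline
Current  SHA256: $current
Changed entries (+ added, - removed):
$($changes -join "`n")
To accept this change, delete $BaselineHash and run the check again to record a new baseline.
"@

# Warning-level event; configure the alerting tool to mail on this source/ID when it scans the machine.
Write-EventLog -LogName $EventLogName -Source $EventSource -EventId 1001 -EntryType Warning -Message $message
```

Writing the event rather than mailing from every endpoint keeps SMTP credentials off the workstations and gives the alert a timestamped record in the local log even if the central tool misses a scan cycle. The caveat from the thread still applies: anyone with administrative rights on the machine can edit the hosts file and then delete the baseline, so this detects changes made outside the expected process rather than defending against a local administrator.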
RKCar - thanks for taking time to answer my question. I will test a daily run on some test systems but this will get me started. You are right, there is always someone that will find a way around.

Lansweeper Community Members ROCK! May your Seal slide freely on the arctic ice!
CyberCitizen
Honored Sweeper
You could use custom file scanning to scan the details, then have a report that shows the last modified time, and have that report emailed to you on a schedule. As for reporting only the change of date, I am not sure. If you had the report first, you could see what date was listed and then do a greater-than check on that date in the report.