PowerShell script & batch script that make changes to files and folders


4 replies to this topic

#1 williamcheang

Member, 11 posts

Posted 19 July 2018 - 06:32 AM

Hi All,

A customer is asking: where file/folder changes (permission changed, file or folder added/removed) are triggered by a PowerShell script or batch script, can these be captured by Netwrix Auditor?

 

regards,

William



#2 jeffb

Advanced Member, Administrators, 384 posts

Posted 19 July 2018 - 01:42 PM

Hello William,

 

Any change which results in a different file and attributes will be captured. Details will also be captured for any change which results in Windows audit logs being created as a result of auditing being configured.

 

-Jeff



#3 williamcheang


Posted 20 July 2018 - 06:49 AM

Hi Jeff,

Let's say we have a Windows batch script called "c:\temp\update_file_perm.bat", and this Windows batch script changes file permissions on a shared folder. Someone executed this batch script and the file permissions were changed.

Q1. Can Netwrix detect the person who executed this batch script?

Q2. When files have been changed by a script (Netwrix picks up these file changes), based on the file change record/event, can we trace back to the script that executed this change?

Q3. With normal file permission changes, we can see "Who", "What", "Where" & Details. Will the Details column show which script made the file changes?
 
 
regards,
William


#4 jeffb


Posted 20 July 2018 - 01:52 PM

William,

 

To find out who would show up as having made the change, please reproduce the scenario and check the Windows security event logs. It would likely be the account which was used to run the script unless the script specifies an account to use.

 

-Jeff
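
One way to carry out the check suggested above, as an added example that is not part of the original posts and is not Netwrix functionality: it lists the Windows Security log entries for changes under an audited folder and walks each one back to the process, and that process's parent, that made it. The folder path `D:\Shares\Finance` and the helper function names are hypothetical. It assumes File System and Process Creation auditing are enabled, the folder carries an audit entry (SACL), and command-line logging for process creation events is turned on.

```powershell
# Added example: run elevated on the file server after reproducing the change.
# Assumes File System and Process Creation auditing are enabled, the folder has
# an audit entry (SACL), and command-line logging for event 4688 is turned on.
$Folder = 'D:\Shares\Finance'      # hypothetical audited share path
$Since  = (Get-Date).AddHours(-1)  # window that covers the test run

function ConvertTo-Record($Entry) {
    # Flatten a Security event's EventData name/value pairs into one object.
    $rec = [ordered]@{ TimeCreated = $Entry.TimeCreated; Id = $Entry.Id }
    foreach ($d in ([xml]$Entry.ToXml()).Event.EventData.Data) {
        $rec[$d.GetAttribute('Name')] = $d.InnerText
    }
    [pscustomobject]$rec
}

function Get-SecurityRecord([int[]]$Id) {
    Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = $Id; StartTime = $Since } `
        -ErrorAction SilentlyContinue | ForEach-Object { ConvertTo-Record $_ }
}

# 4688 = a new process was created (NewProcessId; ProcessId is its creator).
$Created = @(Get-SecurityRecord 4688)

function Find-Creation($ProcessId, $Before) {
    # PIDs are reused, so take the latest creation of this PID before $Before.
    $Created | Where-Object { $_.NewProcessId -eq $ProcessId -and $_.TimeCreated -le $Before } |
        Sort-Object TimeCreated -Descending | Select-Object -First 1
}

# 4663 = object access, 4670 = permissions on an object were changed.
Get-SecurityRecord 4663, 4670 |
    Where-Object { $_.ObjectName -like "$Folder*" } |
    ForEach-Object {
        $tool   = Find-Creation $_.ProcessId $_.TimeCreated
        $parent = if ($tool) { Find-Creation $tool.ProcessId $tool.TimeCreated }
        [pscustomobject]@{
            When          = $_.TimeCreated
            EventId       = $_.Id
            Who           = "$($_.SubjectDomainName)\$($_.SubjectUserName)"
            What          = $_.ObjectName
            Process       = $_.ProcessName
            CommandLine   = $tool.CommandLine
            ParentCommand = $parent.CommandLine
        }
    } | Format-List
```

If the batch file is started from a prompt that was already open, the parent command line is just cmd.exe and the script path will not appear in it.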



#5 williamcheang


Posted 26 July 2018 - 02:47 AM

Hi Jeff,

Based on my recent testing using a batch script and a PowerShell script, when we trigger "mkdir" in the command prompt and the PowerShell prompt, Netwrix is able to show that a new folder is added, but who=system. Support told me that Microsoft did not generate any security event for the "mkdir" action, so Netwrix is not able to show who made the change.

So not all commands/actions that happen in the command prompt or PowerShell generate an event.

 

regards,

William





