The latest articles on DEV Community by ShadowStrike (@shadowstrike). https://dev.to/shadowstrike https://media2.dev.to/dynamic/image/width=90,height=90,fit=cover,gravity=auto,format=auto/https:%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Fuser%2Fprofile_image%2F3874316%2Fc4e8a135-5684-43c9-9334-0d9447bbcb1f.jpeg https://dev.to/shadowstrike en ShadowStrike Sun, 26 Apr 2026 22:11:56 +0000 https://dev.to/shadowstrike/automating-essential-eight-compliance-checks-with-powershell-b9g https://dev.to/shadowstrike/automating-essential-eight-compliance-checks-with-powershell-b9g <p><strong>Version 1.0.0</strong></p> <p>If you work in Australian IT, cybersecurity, or digital forensics, you've encountered the Essential Eight. It's referenced in government procurement requirements, security assessments, incident response frameworks, and organisational policies across both public and private sectors.</p> <p>The Australian Signals Directorate's Essential Eight is a set of eight baseline mitigation strategies designed to protect Windows environments against cyber threats. Checking compliance manually is time-consuming and error-prone. In this tutorial, you'll build a PowerShell script that automates Essential Eight audits, produces colour-coded console output, and writes detailed compliance reports to timestamped files.</p> <h2> What You'll Build </h2> <p>A PowerShell script called <code>essential_eight.ps1</code> that checks a Windows system against all eight ASD mitigation strategies and produces a comprehensive audit report showing PASS/FAIL/WARN/INFO status for each control.</p> <h2> Prerequisites </h2> <ul> <li>PowerShell 5.1 or later (Windows 10+)</li> <li>Administrator privileges recommended (some checks require elevated access)</li> <li>No external modules or dependencies</li> </ul> <h2> Understanding the Essential Eight </h2> <p>Before building the script, it's worth understanding what each strategy actually checks. The ASD publishes detailed guidance, but the practical questions are:</p> <p><strong>1. Application Control</strong> — Is there a mechanism (AppLocker, Windows Defender Application Control) preventing unauthorised executables from running?</p> <p><strong>2. Patch Applications</strong> — Are third-party applications kept up to date? Is Windows Update active?</p> <p><strong>3. Configure Microsoft Office Macro Settings</strong> — Are macros restricted to prevent malicious Office documents from executing code?</p> <p><strong>4. User Application Hardening</strong> — Are legacy and high-risk features (Internet Explorer, Windows Script Host, PowerShell v2) disabled or restricted?</p> <p><strong>5. Restrict Administrative Privileges</strong> — Are admin accounts limited? Is UAC enabled? Are standard users running with least privilege?</p> <p><strong>6. Patch Operating Systems</strong> — Is the OS on a supported and current build?</p> <p><strong>7. Multi-Factor Authentication</strong> — Is MFA enforced, especially for privileged access?</p> <p><strong>8. Regular Backups</strong> — Are backups in place and recent? Are they protected from modification?</p> <p>Each strategy has Maturity Levels (ML1, ML2, ML3) in the full ASD framework. This script focuses on ML1 baseline checks — the foundation that must exist before maturity level progression begins.</p> <h2> The Complete Script </h2> <p>Here's the full implementation (condensed for readability - full version on GitHub):<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight powershell"><code><span class="c"># Essential Eight Compliance Checker</span><span class="w"> </span><span class="c"># Author: ShadowStrike (Strategos)</span><span class="w"> </span><span class="kr">param</span><span class="p">(</span><span class="w"> </span><span class="p">[</span><span class="n">Parameter</span><span class="p">(</span><span class="n">Mandatory</span><span class="o">=</span><span class="bp">$false</span><span class="p">)]</span><span class="w"> </span><span class="p">[</span><span class="n">string</span><span class="p">]</span><span class="nv">$OutputDir</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="s2">"."</span><span class="p">,</span><span class="w"> </span><span class="p">[</span><span class="n">Parameter</span><span class="p">(</span><span class="n">Mandatory</span><span class="o">=</span><span class="bp">$false</span><span class="p">)]</span><span class="w"> </span><span class="p">[</span><span class="n">switch</span><span class="p">]</span><span class="nv">$Verbose</span><span class="w"> </span><span class="p">)</span><span class="w"> </span><span class="c"># Initialise report</span><span class="w"> </span><span class="nv">$timestamp</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="n">Get-Date</span><span class="w"> </span><span class="nt">-Format</span><span class="w"> </span><span class="s2">"yyyyMMdd_HHmmss"</span><span class="w"> </span><span class="nv">$outputFile</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="n">Join-Path</span><span class="w"> </span><span class="nv">$OutputDir</span><span class="w"> </span><span class="s2">"EssentialEight_Audit_</span><span class="nv">$timestamp</span><span class="s2">.txt"</span><span class="w"> </span><span class="nv">$report</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="p">@()</span><span class="w"> </span><span class="c"># Track results</span><span class="w"> </span><span class="nv">$passCount</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="mi">0</span><span class="w"> </span><span class="nv">$failCount</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="mi">0</span><span class="w"> </span><span class="nv">$warnCount</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="mi">0</span><span class="w"> </span><span class="kr">function</span><span class="w"> </span><span class="nf">Write-Check</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="kr">param</span><span class="p">([</span><span class="n">string</span><span class="p">]</span><span class="nv">$Strategy</span><span class="p">,</span><span class="w"> </span><span class="p">[</span><span class="n">string</span><span class="p">]</span><span class="nv">$Check</span><span class="p">,</span><span class="w"> </span><span class="p">[</span><span class="n">string</span><span class="p">]</span><span class="nv">$Status</span><span class="p">,</span><span class="w"> </span><span class="p">[</span><span class="n">string</span><span class="p">]</span><span class="nv">$Detail</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="s2">""</span><span class="p">)</span><span class="w"> </span><span class="nv">$color</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="kr">switch</span><span class="w"> </span><span class="p">(</span><span class="nv">$Status</span><span class="p">)</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="s2">"PASS"</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="s2">"Green"</span><span class="p">;</span><span class="w"> </span><span class="nv">$</span><span class="nn">script</span><span class="p">:</span><span class="nv">passCount</span><span class="o">++</span><span class="w"> </span><span class="p">}</span><span class="w"> </span><span class="s2">"FAIL"</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="s2">"Red"</span><span class="p">;</span><span class="w"> </span><span class="nv">$</span><span class="nn">script</span><span class="p">:</span><span class="nv">failCount</span><span class="o">++</span><span class="w"> </span><span class="p">}</span><span class="w"> </span><span class="s2">"WARN"</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="s2">"Yellow"</span><span class="p">;</span><span class="w"> </span><span class="nv">$</span><span class="nn">script</span><span class="p">:</span><span class="nv">warnCount</span><span class="o">++</span><span class="w"> </span><span class="p">}</span><span class="w"> </span><span class="s2">"INFO"</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="s2">"Cyan"</span><span class="w"> </span><span class="p">}</span><span class="w"> </span><span class="p">}</span><span class="w"> </span><span class="nv">$line</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="s2">"[</span><span class="nv">$Status</span><span class="s2">] </span><span class="nv">$Strategy</span><span class="s2"> - </span><span class="nv">$Check</span><span class="s2">"</span><span class="w"> </span><span class="kr">if</span><span class="w"> </span><span class="p">(</span><span class="nv">$Detail</span><span class="p">)</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nv">$line</span><span class="w"> </span><span class="o">+=</span><span class="w"> </span><span class="s2">": </span><span class="nv">$Detail</span><span class="s2">"</span><span class="w"> </span><span class="p">}</span><span class="w"> </span><span class="n">Write-Host</span><span class="w"> </span><span class="nv">$line</span><span class="w"> </span><span class="nt">-ForegroundColor</span><span class="w"> </span><span class="nv">$color</span><span class="w"> </span><span class="nv">$</span><span class="nn">script</span><span class="p">:</span><span class="nv">report</span><span class="w"> </span><span class="o">+=</span><span class="w"> </span><span class="nv">$line</span><span class="w"> </span><span class="p">}</span><span class="w"> </span><span class="c"># STRATEGY 1: APPLICATION CONTROL</span><span class="w"> </span><span class="kr">try</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nv">$appLockerPolicy</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="n">Get-AppLockerPolicy</span><span class="w"> </span><span class="nt">-Effective</span><span class="w"> </span><span class="nt">-ErrorAction</span><span class="w"> </span><span class="nx">Stop</span><span class="w"> </span><span class="kr">if</span><span class="w"> </span><span class="p">(</span><span class="nv">$appLockerPolicy</span><span class="o">.</span><span class="nf">RuleCollections</span><span class="o">.</span><span class="nf">Count</span><span class="w"> </span><span class="o">-gt</span><span class="w"> </span><span class="mi">0</span><span class="p">)</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="n">Write-Check</span><span class="w"> </span><span class="s2">"AppControl"</span><span class="w"> </span><span class="s2">"AppLocker Policy"</span><span class="w"> </span><span class="s2">"PASS"</span><span class="w"> </span><span class="s2">"Effective rules configured"</span><span class="w"> </span><span class="p">}</span><span class="w"> </span><span class="kr">else</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="n">Write-Check</span><span class="w"> </span><span class="s2">"AppControl"</span><span class="w"> </span><span class="s2">"AppLocker Policy"</span><span class="w"> </span><span class="s2">"FAIL"</span><span class="w"> </span><span class="s2">"No effective rules"</span><span class="w"> </span><span class="p">}</span><span class="w"> </span><span class="p">}</span><span class="w"> </span><span class="kr">catch</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="n">Write-Check</span><span class="w"> </span><span class="s2">"AppControl"</span><span class="w"> </span><span class="s2">"AppLocker Policy"</span><span class="w"> </span><span class="s2">"FAIL"</span><span class="w"> </span><span class="s2">"Not configured"</span><span class="w"> </span><span class="p">}</span><span class="w"> </span><span class="c"># STRATEGY 2: PATCH APPLICATIONS</span><span class="w"> </span><span class="nv">$wuService</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="n">Get-Service</span><span class="w"> </span><span class="nt">-Name</span><span class="w"> </span><span class="nx">wuauserv</span><span class="w"> </span><span class="nt">-ErrorAction</span><span class="w"> </span><span class="nx">SilentlyContinue</span><span class="w"> </span><span class="kr">if</span><span class="w"> </span><span class="p">(</span><span class="nv">$wuService</span><span class="w"> </span><span class="o">-and</span><span class="w"> </span><span class="nv">$wuService</span><span class="o">.</span><span class="nf">Status</span><span class="w"> </span><span class="o">-eq</span><span class="w"> </span><span class="s2">"Running"</span><span class="p">)</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="n">Write-Check</span><span class="w"> </span><span class="s2">"Patching"</span><span class="w"> </span><span class="s2">"Windows Update Service"</span><span class="w"> </span><span class="s2">"PASS"</span><span class="w"> </span><span class="s2">"Running"</span><span class="w"> </span><span class="p">}</span><span class="w"> </span><span class="kr">else</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="n">Write-Check</span><span class="w"> </span><span class="s2">"Patching"</span><span class="w"> </span><span class="s2">"Windows Update Service"</span><span class="w"> </span><span class="s2">"FAIL"</span><span class="w"> </span><span class="s2">"Not running"</span><span class="w"> </span><span class="p">}</span><span class="w"> </span><span class="c"># Check last update date</span><span class="w"> </span><span class="nv">$session</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="n">New-Object</span><span class="w"> </span><span class="nt">-ComObject</span><span class="w"> </span><span class="nx">Microsoft.Update.Session</span><span class="w"> </span><span class="nv">$searcher</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="nv">$session</span><span class="o">.</span><span class="nf">CreateUpdateSearcher</span><span class="p">()</span><span class="w"> </span><span class="nv">$history</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="nv">$searcher</span><span class="o">.</span><span class="nf">QueryHistory</span><span class="p">(</span><span class="nx">0</span><span class="p">,</span><span class="w"> </span><span class="nx">1</span><span class="p">)</span><span class="w"> </span><span class="o">|</span><span class="w"> </span><span class="n">Select-Object</span><span class="w"> </span><span class="nt">-First</span><span class="w"> </span><span class="nx">1</span><span class="w"> </span><span class="nv">$lastUpdate</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="nv">$history</span><span class="o">.</span><span class="nf">Date</span><span class="w"> </span><span class="nv">$daysSince</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="p">(</span><span class="n">Get-Date</span><span class="p">)</span><span class="w"> </span><span class="o">-</span><span class="w"> </span><span class="nv">$lastUpdate</span><span class="w"> </span><span class="kr">if</span><span class="w"> </span><span class="p">(</span><span class="nv">$daysSince</span><span class="o">.</span><span class="nf">Days</span><span class="w"> </span><span class="o">-le</span><span class="w"> </span><span class="mi">30</span><span class="p">)</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="n">Write-Check</span><span class="w"> </span><span class="s2">"Patching"</span><span class="w"> </span><span class="s2">"Last Update"</span><span class="w"> </span><span class="s2">"PASS"</span><span class="w"> </span><span class="s2">"</span><span class="si">$(</span><span class="p">[</span><span class="n">math</span><span class="p">]::</span><span class="n">Round</span><span class="p">(</span><span class="nv">$daysSince</span><span class="o">.</span><span class="nf">TotalDays</span><span class="si">)</span><span class="s2">) days ago"</span><span class="w"> </span><span class="p">}</span><span class="w"> </span><span class="kr">else</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="n">Write-Check</span><span class="w"> </span><span class="s2">"Patching"</span><span class="w"> </span><span class="s2">"Last Update"</span><span class="w"> </span><span class="s2">"FAIL"</span><span class="w"> </span><span class="s2">"</span><span class="si">$(</span><span class="p">[</span><span class="n">math</span><span class="p">]::</span><span class="n">Round</span><span class="p">(</span><span class="nv">$daysSince</span><span class="o">.</span><span class="nf">TotalDays</span><span class="si">)</span><span class="s2">) days ago (outdated)"</span><span class="w"> </span><span class="p">}</span><span class="w"> </span><span class="c"># STRATEGY 3: OFFICE MACRO SETTINGS</span><span class="w"> </span><span class="nv">$excelPath</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="s2">"HKCU:\Software\Microsoft\Office\16.0\Excel\Security"</span><span class="w"> </span><span class="kr">if</span><span class="w"> </span><span class="p">(</span><span class="n">Test-Path</span><span class="w"> </span><span class="nv">$excelPath</span><span class="p">)</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nv">$vbaWarnings</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="p">(</span><span class="n">Get-ItemProperty</span><span class="w"> </span><span class="nt">-Path</span><span class="w"> </span><span class="nv">$excelPath</span><span class="w"> </span><span class="nt">-Name</span><span class="w"> </span><span class="nx">VBAWarnings</span><span class="p">)</span><span class="o">.</span><span class="nf">VBAWarnings</span><span class="w"> </span><span class="nx">if</span><span class="w"> </span><span class="p">(</span><span class="nv">$vbaWarnings</span><span class="w"> </span><span class="o">-eq</span><span class="w"> </span><span class="mi">3</span><span class="w"> </span><span class="o">-or</span><span class="w"> </span><span class="nv">$vbaWarnings</span><span class="w"> </span><span class="o">-eq</span><span class="w"> </span><span class="mi">4</span><span class="p">)</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="n">Write-Check</span><span class="w"> </span><span class="s2">"MacroSettings"</span><span class="w"> </span><span class="s2">"Excel VBA"</span><span class="w"> </span><span class="s2">"PASS"</span><span class="w"> </span><span class="s2">"Restricted"</span><span class="w"> </span><span class="p">}</span><span class="w"> </span><span class="kr">else</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="n">Write-Check</span><span class="w"> </span><span class="s2">"MacroSettings"</span><span class="w"> </span><span class="s2">"Excel VBA"</span><span class="w"> </span><span class="s2">"FAIL"</span><span class="w"> </span><span class="s2">"Unrestricted"</span><span class="w"> </span><span class="p">}</span><span class="w"> </span><span class="p">}</span><span class="w"> </span><span class="c"># STRATEGY 4: USER APPLICATION HARDENING</span><span class="w"> </span><span class="nv">$psv2</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="n">Get-WindowsOptionalFeature</span><span class="w"> </span><span class="nt">-Online</span><span class="w"> </span><span class="nt">-FeatureName</span><span class="w"> </span><span class="nx">MicrosoftWindowsPowerShellV2Root</span><span class="w"> </span><span class="kr">if</span><span class="w"> </span><span class="p">(</span><span class="nv">$psv2</span><span class="o">.</span><span class="nf">State</span><span class="w"> </span><span class="o">-eq</span><span class="w"> </span><span class="s2">"Disabled"</span><span class="p">)</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="n">Write-Check</span><span class="w"> </span><span class="s2">"Hardening"</span><span class="w"> </span><span class="s2">"PowerShell v2"</span><span class="w"> </span><span class="s2">"PASS"</span><span class="w"> </span><span class="s2">"Disabled"</span><span class="w"> </span><span class="p">}</span><span class="w"> </span><span class="kr">else</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="n">Write-Check</span><span class="w"> </span><span class="s2">"Hardening"</span><span class="w"> </span><span class="s2">"PowerShell v2"</span><span class="w"> </span><span class="s2">"FAIL"</span><span class="w"> </span><span class="s2">"Enabled (should be removed)"</span><span class="w"> </span><span class="p">}</span><span class="w"> </span><span class="nv">$langMode</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="bp">$ExecutionContext</span><span class="o">.</span><span class="nf">SessionState</span><span class="o">.</span><span class="nf">LanguageMode</span><span class="w"> </span><span class="kr">if</span><span class="w"> </span><span class="p">(</span><span class="nv">$langMode</span><span class="w"> </span><span class="o">-eq</span><span class="w"> </span><span class="s2">"ConstrainedLanguage"</span><span class="p">)</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="n">Write-Check</span><span class="w"> </span><span class="s2">"Hardening"</span><span class="w"> </span><span class="s2">"PS Language Mode"</span><span class="w"> </span><span class="s2">"PASS"</span><span class="w"> </span><span class="s2">"ConstrainedLanguage"</span><span class="w"> </span><span class="p">}</span><span class="w"> </span><span class="kr">else</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="n">Write-Check</span><span class="w"> </span><span class="s2">"Hardening"</span><span class="w"> </span><span class="s2">"PS Language Mode"</span><span class="w"> </span><span class="s2">"WARN"</span><span class="w"> </span><span class="s2">"FullLanguage (unrestricted)"</span><span class="w"> </span><span class="p">}</span><span class="w"> </span><span class="c"># STRATEGY 5: RESTRICT ADMIN PRIVILEGES</span><span class="w"> </span><span class="nv">$uacPath</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="s2">"HKLM:\Software\Microsoft\Windows\CurrentVersion\Policies\System"</span><span class="w"> </span><span class="nv">$uacEnabled</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="p">(</span><span class="n">Get-ItemProperty</span><span class="w"> </span><span class="nt">-Path</span><span class="w"> </span><span class="nv">$uacPath</span><span class="w"> </span><span class="nt">-Name</span><span class="w"> </span><span class="nx">EnableLUA</span><span class="p">)</span><span class="o">.</span><span class="nf">EnableLUA</span><span class="w"> </span><span class="nx">if</span><span class="w"> </span><span class="p">(</span><span class="nv">$uacEnabled</span><span class="w"> </span><span class="o">-eq</span><span class="w"> </span><span class="mi">1</span><span class="p">)</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="n">Write-Check</span><span class="w"> </span><span class="s2">"Privileges"</span><span class="w"> </span><span class="s2">"UAC"</span><span class="w"> </span><span class="s2">"PASS"</span><span class="w"> </span><span class="s2">"Enabled"</span><span class="w"> </span><span class="p">}</span><span class="w"> </span><span class="kr">else</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="n">Write-Check</span><span class="w"> </span><span class="s2">"Privileges"</span><span class="w"> </span><span class="s2">"UAC"</span><span class="w"> </span><span class="s2">"FAIL"</span><span class="w"> </span><span class="s2">"Disabled"</span><span class="w"> </span><span class="p">}</span><span class="w"> </span><span class="c"># STRATEGY 6: PATCH OPERATING SYSTEMS</span><span class="w"> </span><span class="nv">$os</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="n">Get-CimInstance</span><span class="w"> </span><span class="nx">Win32_OperatingSystem</span><span class="w"> </span><span class="nv">$osBuild</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="nv">$os</span><span class="o">.</span><span class="nf">BuildNumber</span><span class="w"> </span><span class="kr">if</span><span class="w"> </span><span class="p">([</span><span class="n">int</span><span class="p">]</span><span class="nv">$osBuild</span><span class="w"> </span><span class="o">-ge</span><span class="w"> </span><span class="mi">19041</span><span class="p">)</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="n">Write-Check</span><span class="w"> </span><span class="s2">"OS Patching"</span><span class="w"> </span><span class="s2">"OS Support"</span><span class="w"> </span><span class="s2">"PASS"</span><span class="w"> </span><span class="s2">"Supported build"</span><span class="w"> </span><span class="p">}</span><span class="w"> </span><span class="kr">else</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="n">Write-Check</span><span class="w"> </span><span class="s2">"OS Patching"</span><span class="w"> </span><span class="s2">"OS Support"</span><span class="w"> </span><span class="s2">"FAIL"</span><span class="w"> </span><span class="s2">"Legacy build"</span><span class="w"> </span><span class="p">}</span><span class="w"> </span><span class="c"># STRATEGY 7: MULTI-FACTOR AUTHENTICATION</span><span class="w"> </span><span class="c"># Note: Full MFA assessment requires Azure AD audit</span><span class="w"> </span><span class="n">Write-Check</span><span class="w"> </span><span class="s2">"MFA"</span><span class="w"> </span><span class="s2">"Assessment"</span><span class="w"> </span><span class="s2">"INFO"</span><span class="w"> </span><span class="s2">"Requires directory-level audit"</span><span class="w"> </span><span class="c"># STRATEGY 8: REGULAR BACKUPS</span><span class="w"> </span><span class="nv">$vssService</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="n">Get-Service</span><span class="w"> </span><span class="nt">-Name</span><span class="w"> </span><span class="nx">VSS</span><span class="w"> </span><span class="kr">if</span><span class="w"> </span><span class="p">(</span><span class="nv">$vssService</span><span class="o">.</span><span class="nf">Status</span><span class="w"> </span><span class="o">-eq</span><span class="w"> </span><span class="s2">"Running"</span><span class="p">)</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="n">Write-Check</span><span class="w"> </span><span class="s2">"Backups"</span><span class="w"> </span><span class="s2">"Volume Shadow Copy"</span><span class="w"> </span><span class="s2">"PASS"</span><span class="w"> </span><span class="s2">"Running"</span><span class="w"> </span><span class="p">}</span><span class="w"> </span><span class="kr">else</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="n">Write-Check</span><span class="w"> </span><span class="s2">"Backups"</span><span class="w"> </span><span class="s2">"Volume Shadow Copy"</span><span class="w"> </span><span class="s2">"WARN"</span><span class="w"> </span><span class="s2">"Not running"</span><span class="w"> </span><span class="p">}</span><span class="w"> </span><span class="c"># Write summary</span><span class="w"> </span><span class="n">Write-Host</span><span class="w"> </span><span class="s2">"</span><span class="se">`n</span><span class="s2">[AUDIT SUMMARY]"</span><span class="w"> </span><span class="n">Write-Host</span><span class="w"> </span><span class="s2">" PASS: </span><span class="nv">$passCount</span><span class="s2">"</span><span class="w"> </span><span class="nt">-ForegroundColor</span><span class="w"> </span><span class="nx">Green</span><span class="w"> </span><span class="n">Write-Host</span><span class="w"> </span><span class="s2">" FAIL: </span><span class="nv">$failCount</span><span class="s2">"</span><span class="w"> </span><span class="nt">-ForegroundColor</span><span class="w"> </span><span class="nx">Red</span><span class="w"> </span><span class="n">Write-Host</span><span class="w"> </span><span class="s2">" WARN: </span><span class="nv">$warnCount</span><span class="s2">"</span><span class="w"> </span><span class="nt">-ForegroundColor</span><span class="w"> </span><span class="nx">Yellow</span><span class="w"> </span><span class="nv">$report</span><span class="w"> </span><span class="o">|</span><span class="w"> </span><span class="n">Out-File</span><span class="w"> </span><span class="nt">-FilePath</span><span class="w"> </span><span class="nv">$outputFile</span><span class="w"> </span><span class="nt">-Encoding</span><span class="w"> </span><span class="nx">UTF8</span><span class="w"> </span></code></pre> </div> <h2> How to Use It </h2> <h3> Troubleshooting: Execution Policy </h3> <p>If you see an error about scripts being disabled or not digitally signed:</p> <p><strong>Step 1: Set execution policy</strong><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight powershell"><code><span class="n">Set-ExecutionPolicy</span><span class="w"> </span><span class="nt">-ExecutionPolicy</span><span class="w"> </span><span class="nx">RemoteSigned</span><span class="w"> </span><span class="nt">-Scope</span><span class="w"> </span><span class="nx">CurrentUser</span><span class="w"> </span></code></pre> </div> <p><strong>Step 2: Unblock the file if downloaded</strong><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight powershell"><code><span class="n">Unblock-File</span><span class="w"> </span><span class="o">.</span><span class="nx">\essential_eight.ps1</span><span class="w"> </span></code></pre> </div> <p>Windows marks files downloaded from GitHub with Zone.Identifier metadata. Even with RemoteSigned policy, these files are blocked unless digitally signed or explicitly unblocked.</p> <p>Check your current policy with <code>Get-ExecutionPolicy -List</code>.</p> <h3> Security Note: Read the Code Before You Run It </h3> <p>This script is not digitally signed. Code signing certificates cost $200-500/year and are unnecessary for open-source scripts where you can read the source code yourself.</p> <p><strong>Before running this or any PowerShell script:</strong></p> <ol> <li> <strong>Read it completely</strong> — every line, every function, every registry path</li> <li> <strong>Understand what it does</strong> — does it match the stated purpose?</li> <li> <strong>Check for risks</strong> — network calls, file deletions, credential access</li> </ol> <p>Apply the <strong>ABC principle</strong>:</p> <ul> <li><strong>Assume nothing</strong></li> <li><strong>Believe nothing</strong></li> <li><strong>Check everything</strong></li> </ul> <p>A digital signature tells you WHO wrote code, not WHETHER it's safe. You are the final security control. Never execute code you haven't personally reviewed and understood.</p> <h3> Basic Audit </h3> <div class="highlight js-code-highlight"> <pre class="highlight powershell"><code><span class="o">.</span><span class="n">\essential_eight.ps1</span><span class="w"> </span></code></pre> </div> <p>Runs the audit and writes report to <code>EssentialEight_Audit_[timestamp].txt</code> in the current directory.</p> <h3> Specify Output Directory </h3> <div class="highlight js-code-highlight"> <pre class="highlight powershell"><code><span class="o">.</span><span class="n">\essential_eight.ps1</span><span class="w"> </span><span class="nt">-OutputDir</span><span class="w"> </span><span class="s2">"C:\Compliance\Reports"</span><span class="w"> </span></code></pre> </div> <h3> Run as Administrator </h3> <p>Some checks require elevated privileges. Right-click PowerShell → "Run as Administrator", then:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight powershell"><code><span class="o">.</span><span class="n">\essential_eight.ps1</span><span class="w"> </span></code></pre> </div> <h2> Understanding the Output </h2> <p>The script produces colour-coded console output:</p> <ul> <li> <strong>[PASS]</strong> (green) - Control meets baseline requirements</li> <li> <strong>[FAIL]</strong> (red) - Control does not meet requirements</li> <li> <strong>[WARN]</strong> (yellow) - Partial compliance or requires manual review</li> <li> <strong>[INFO]</strong> (cyan) - Informational finding, not a compliance check</li> </ul> <p><strong>Sample output (example system for demonstration - not real audit data):</strong><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>[ESSENTIAL EIGHT COMPLIANCE AUDIT] System: WORKSTATION-01 [STRATEGY 1: APPLICATION CONTROL] [PASS] AppControl - AppLocker Policy: Effective rules configured [INFO] AppControl - WDAC Policy: Not deployed (AppLocker in use) [STRATEGY 2: PATCH APPLICATIONS] [PASS] Patching - Windows Update Service: Running [PASS] Patching - Last Update: 2026-04-18 - 6 days ago [STRATEGY 3: OFFICE MACRO SETTINGS] [PASS] MacroSettings - Excel VBA Warnings: Macros disabled (Value: 3) [PASS] MacroSettings - Word VBA Warnings: Notification enabled (Value: 4) [STRATEGY 4: USER APPLICATION HARDENING] [PASS] Hardening - PowerShell v2: Disabled [PASS] Hardening - PowerShell Version: v5.1 [WARN] Hardening - PowerShell Language Mode: FullLanguage (unrestricted) [PASS] Hardening - Script Block Logging: Enabled [STRATEGY 5: RESTRICT ADMINISTRATIVE PRIVILEGES] [PASS] Privileges - Current User Role: Running as standard user [PASS] Privileges - UAC Status: Enabled [PASS] Privileges - Local Administrators: 2 account(s) - acceptable range [STRATEGY 6: PATCH OPERATING SYSTEMS] [INFO] OS Patching - Operating System: Microsoft Windows 10 Pro (Build 19045) [PASS] OS Patching - OS Support Status: Windows 10 version 2004+ (supported) [STRATEGY 7: MULTI-FACTOR AUTHENTICATION] [INFO] MFA - Windows Hello: Credential provider detected [INFO] MFA - Credential Providers: 3 provider(s) registered [INFO] MFA - Note: Full MFA assessment requires Azure AD / Active Directory audit [STRATEGY 8: REGULAR BACKUPS] [INFO] Backups - Windows Backup Service: Not active (may use third-party) [PASS] Backups - Volume Shadow Copy: Running [PASS] Backups - Latest Shadow Copy: 2026-04-23 - 1 days ago [AUDIT SUMMARY] PASS: 15 FAIL: 0 WARN: 1 </code></pre> </div> <p>The timestamped report file contains the same information in plain text format for archiving.</p> <h2> Code Walkthrough </h2> <h3> Strategy 1: Application Control </h3> <p>Checks for AppLocker or Windows Defender Application Control (WDAC):<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight powershell"><code><span class="nv">$appLockerPolicy</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="n">Get-AppLockerPolicy</span><span class="w"> </span><span class="nt">-Effective</span><span class="w"> </span><span class="kr">if</span><span class="w"> </span><span class="p">(</span><span class="nv">$appLockerPolicy</span><span class="o">.</span><span class="nf">RuleCollections</span><span class="o">.</span><span class="nf">Count</span><span class="w"> </span><span class="o">-gt</span><span class="w"> </span><span class="mi">0</span><span class="p">)</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="n">Write-Check</span><span class="w"> </span><span class="s2">"AppControl"</span><span class="w"> </span><span class="s2">"AppLocker Policy"</span><span class="w"> </span><span class="s2">"PASS"</span><span class="w"> </span><span class="s2">"Effective rules configured"</span><span class="w"> </span><span class="p">}</span><span class="w"> </span></code></pre> </div> <p>AppLocker policies can be deployed via Group Policy or locally. The <code>-Effective</code> parameter returns the combined result of all policies affecting the system.</p> <p>For WDAC, the script checks for policy files in <code>C:\Windows\System32\CodeIntegrity\CiPolicies\Active\</code>.</p> <h3> Strategy 2: Patch Applications </h3> <p>Verifies Windows Update service is running and checks last update date:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight powershell"><code><span class="nv">$session</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="n">New-Object</span><span class="w"> </span><span class="nt">-ComObject</span><span class="w"> </span><span class="nx">Microsoft.Update.Session</span><span class="w"> </span><span class="nv">$searcher</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="nv">$session</span><span class="o">.</span><span class="nf">CreateUpdateSearcher</span><span class="p">()</span><span class="w"> </span><span class="nv">$history</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="nv">$searcher</span><span class="o">.</span><span class="nf">QueryHistory</span><span class="p">(</span><span class="nx">0</span><span class="p">,</span><span class="w"> </span><span class="nx">1</span><span class="p">)</span><span class="w"> </span><span class="o">|</span><span class="w"> </span><span class="n">Select-Object</span><span class="w"> </span><span class="nt">-First</span><span class="w"> </span><span class="nx">1</span><span class="w"> </span><span class="nv">$lastUpdate</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="nv">$history</span><span class="o">.</span><span class="nf">Date</span><span class="w"> </span><span class="nv">$daysSince</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="p">(</span><span class="n">Get-Date</span><span class="p">)</span><span class="w"> </span><span class="o">-</span><span class="w"> </span><span class="nv">$lastUpdate</span><span class="w"> </span></code></pre> </div> <p>The Windows Update COM API provides detailed patch history. This check flags systems where the last update was &gt;30 days ago as outdated.</p> <h3> Strategy 3: Office Macro Settings </h3> <p>Checks registry settings for Excel and Word macro behaviour:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight powershell"><code><span class="nv">$excelPath</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="s2">"HKCU:\Software\Microsoft\Office\16.0\Excel\Security"</span><span class="w"> </span><span class="nv">$vbaWarnings</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="p">(</span><span class="n">Get-ItemProperty</span><span class="w"> </span><span class="nt">-Path</span><span class="w"> </span><span class="nv">$excelPath</span><span class="w"> </span><span class="nt">-Name</span><span class="w"> </span><span class="nx">VBAWarnings</span><span class="p">)</span><span class="o">.</span><span class="nf">VBAWarnings</span><span class="w"> </span></code></pre> </div> <p>VBAWarnings values:</p> <ul> <li> <code>1</code> = Enable all macros (dangerous)</li> <li> <code>2</code> = Disable all with notification</li> <li> <code>3</code> = Disable all except digitally signed</li> <li> <code>4</code> = Disable all without notification (most secure)</li> </ul> <p>Values 3 and 4 meet Essential Eight ML1 baseline.</p> <h3> Strategy 4: User Application Hardening </h3> <p>Multiple checks including PowerShell v2 removal and script block logging:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight powershell"><code><span class="nv">$psv2</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="n">Get-WindowsOptionalFeature</span><span class="w"> </span><span class="nt">-Online</span><span class="w"> </span><span class="nt">-FeatureName</span><span class="w"> </span><span class="nx">MicrosoftWindowsPowerShellV2Root</span><span class="w"> </span><span class="kr">if</span><span class="w"> </span><span class="p">(</span><span class="nv">$psv2</span><span class="o">.</span><span class="nf">State</span><span class="w"> </span><span class="o">-eq</span><span class="w"> </span><span class="s2">"Disabled"</span><span class="p">)</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="n">Write-Check</span><span class="w"> </span><span class="s2">"Hardening"</span><span class="w"> </span><span class="s2">"PowerShell v2"</span><span class="w"> </span><span class="s2">"PASS"</span><span class="w"> </span><span class="s2">"Disabled"</span><span class="w"> </span><span class="p">}</span><span class="w"> </span></code></pre> </div> <p>PowerShell v2 lacks modern security features (script block logging, Constrained Language Mode support) and should be removed from all systems.</p> <p>Script block logging check:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight powershell"><code><span class="nv">$scriptBlockPath</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="s2">"HKLM:\Software\Policies\Microsoft\Windows\PowerShell\ScriptBlockLogging"</span><span class="w"> </span><span class="nv">$scriptBlockEnabled</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="p">(</span><span class="n">Get-ItemProperty</span><span class="w"> </span><span class="nt">-Path</span><span class="w"> </span><span class="nv">$scriptBlockPath</span><span class="w"> </span><span class="nt">-Name</span><span class="w"> </span><span class="nx">EnableScriptBlockLogging</span><span class="p">)</span><span class="o">.</span><span class="nf">EnableScriptBlockLogging</span><span class="w"> </span></code></pre> </div> <p>When enabled (value = 1), all PowerShell script execution is logged to Windows Event Log, providing audit trails for forensic investigation.</p> <h3> Strategy 5: Restrict Administrative Privileges </h3> <p>Checks UAC status and local administrator count:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight powershell"><code><span class="nv">$uacPath</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="s2">"HKLM:\Software\Microsoft\Windows\CurrentVersion\Policies\System"</span><span class="w"> </span><span class="nv">$uacEnabled</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="p">(</span><span class="n">Get-ItemProperty</span><span class="w"> </span><span class="nt">-Path</span><span class="w"> </span><span class="nv">$uacPath</span><span class="w"> </span><span class="nt">-Name</span><span class="w"> </span><span class="nx">EnableLUA</span><span class="p">)</span><span class="o">.</span><span class="nf">EnableLUA</span><span class="w"> </span><span class="nv">$admins</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="n">Get-LocalGroupMember</span><span class="w"> </span><span class="nt">-Group</span><span class="w"> </span><span class="s2">"Administrators"</span><span class="w"> </span></code></pre> </div> <p>UAC (User Account Control) prompts for elevation when administrative actions are attempted. Disabling UAC is a common misconfiguration that violates Essential Eight requirements.</p> <p>The administrator count check flags systems with excessive admin accounts. Typically, only built-in Administrator and one domain admin account should exist on workstations.</p> <h3> Strategy 6: Patch Operating Systems </h3> <p>Verifies OS is on a supported build:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight powershell"><code><span class="nv">$os</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="n">Get-CimInstance</span><span class="w"> </span><span class="nx">Win32_OperatingSystem</span><span class="w"> </span><span class="nv">$osBuild</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="nv">$os</span><span class="o">.</span><span class="nf">BuildNumber</span><span class="w"> </span><span class="kr">if</span><span class="w"> </span><span class="p">([</span><span class="n">int</span><span class="p">]</span><span class="nv">$osBuild</span><span class="w"> </span><span class="o">-ge</span><span class="w"> </span><span class="mi">19041</span><span class="p">)</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="n">Write-Check</span><span class="w"> </span><span class="s2">"OS Patching"</span><span class="w"> </span><span class="s2">"OS Support"</span><span class="w"> </span><span class="s2">"PASS"</span><span class="w"> </span><span class="s2">"Supported build"</span><span class="w"> </span><span class="p">}</span><span class="w"> </span></code></pre> </div> <p>Build 19041 = Windows 10 version 2004, the minimum currently-supported consumer version. Enterprise LTSC versions may have different support timelines.</p> <h3> Strategy 7: Multi-Factor Authentication </h3> <p>MFA assessment requires directory-level audit (Azure AD, Active Directory):<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight powershell"><code><span class="nv">$credProviders</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="n">Get-ChildItem</span><span class="w"> </span><span class="s2">"HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Authentication\Credential Providers"</span><span class="w"> </span></code></pre> </div> <p>The script checks for Windows Hello and registered credential providers, but full MFA enforcement validation requires checking conditional access policies in Azure AD or examining GPO settings for smart card requirements.</p> <h3> Strategy 8: Regular Backups </h3> <p>Checks Volume Shadow Copy Service and recent shadow copies:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight powershell"><code><span class="nv">$shadows</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="n">Get-CimInstance</span><span class="w"> </span><span class="nx">Win32_ShadowCopy</span><span class="w"> </span><span class="o">|</span><span class="w"> </span><span class="n">Where-Object</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="bp">$_</span><span class="o">.</span><span class="nf">VolumeName</span><span class="w"> </span><span class="o">-like</span><span class="w"> </span><span class="s2">"*C:*"</span><span class="w"> </span><span class="p">}</span><span class="w"> </span><span class="nv">$latestShadow</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="nv">$shadows</span><span class="w"> </span><span class="o">|</span><span class="w"> </span><span class="n">Sort-Object</span><span class="w"> </span><span class="nx">InstallDate</span><span class="w"> </span><span class="nt">-Descending</span><span class="w"> </span><span class="o">|</span><span class="w"> </span><span class="n">Select-Object</span><span class="w"> </span><span class="nt">-First</span><span class="w"> </span><span class="nx">1</span><span class="w"> </span><span class="nv">$daysSince</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="p">(</span><span class="n">Get-Date</span><span class="p">)</span><span class="w"> </span><span class="o">-</span><span class="w"> </span><span class="nv">$latestShadow</span><span class="o">.</span><span class="nf">InstallDate</span><span class="w"> </span></code></pre> </div> <p>Shadow copies are point-in-time snapshots used for System Restore and file recovery. The script flags systems where the latest shadow copy is &gt;7 days old.</p> <h2> Real-World Use Cases </h2> <p><strong>Pre-audit preparation:</strong> Run this script on sample systems before formal compliance assessments to identify gaps early.</p> <p><strong>Continuous monitoring:</strong> Schedule the script as a daily task and email the report to security teams. Track compliance drift over time.</p> <p><strong>Incident response baseline:</strong> After a security incident, run the script on affected systems to document Essential Eight posture at the time of compromise.</p> <p><strong>Procurement verification:</strong> When deploying new workstations, run the audit to verify vendor configuration meets baseline requirements before acceptance.</p> <p><strong>Maturity level progression:</strong> Use the baseline audit results to identify systems ready for ML2/ML3 implementation.</p> <h2> Extending the Script </h2> <p><strong>HTML report generation:</strong> Replace the plain-text output with an HTML file including coloured tables and charts.</p> <p><strong>Email integration:</strong> Add <code>Send-MailMessage</code> to automatically email reports to compliance teams.</p> <p><strong>Remote execution:</strong> Wrap the script in <code>Invoke-Command</code> to audit multiple systems from a central management workstation.</p> <p><strong>SIEM integration:</strong> Parse the output and send findings to a SIEM platform for centralised compliance monitoring.</p> <p><strong>Remediation actions:</strong> Add a <code>-Remediate</code> switch that automatically fixes common failures (enable UAC, remove PowerShell v2, enable script block logging).</p> <h2> Maturity Levels Beyond ML1 </h2> <p>This script focuses on ML1 (baseline) checks. The ASD Essential Eight Maturity Model has three levels:</p> <p><strong>Maturity Level 1:</strong> Partly aligned with intent. Baseline controls exist but may not be comprehensive.</p> <p><strong>Maturity Level 2:</strong> Mostly aligned with intent. Controls cover most assets and attack vectors.</p> <p><strong>Maturity Level 3:</strong> Fully aligned with intent. Comprehensive controls across all assets with robust monitoring.</p> <p>Progression from ML1 → ML2 → ML3 requires increasingly stringent technical controls and centralised management. For example:</p> <ul> <li> <strong>Application Control ML1:</strong> AppLocker with basic rules</li> <li> <strong>Application Control ML2:</strong> Centralised AppLocker or WDAC with allow-listing</li> <li> <strong>Application Control ML3:</strong> WDAC with cryptographic verification of all executables</li> </ul> <p>This script provides the ML1 foundation. Assessing ML2/ML3 compliance requires additional checks beyond what local PowerShell can determine (requires SCCM, Intune, or GPO reporting).</p> <h2> GitHub Repository </h2> <p>The complete script, sample reports, and this tutorial are available on GitHub:</p> <div class="ltag-github-readme-tag"> <div class="readme-overview"> <h2> <img src="https://assets.dev.to/assets/github-logo-5a155e1f9a670af7944dd5e12375bc76ed542ea80224905ecaf878b9157cdefc.svg" alt="GitHub logo"> <a href="https://github.com/ShadowStrike-CTF" rel="noopener noreferrer"> ShadowStrike-CTF </a> / <a href="https://github.com/ShadowStrike-CTF/essential-eight-checklist" rel="noopener noreferrer"> essential-eight-checklist </a> </h2> <h3> PowerShell scripts for practical Essential Eight compliance checking on Windows systems. </h3> </div> <div class="ltag-github-body"> <div id="readme" class="md"> <div class="markdown-heading"> <h1 class="heading-element">essential-eight-checklist</h1> </div> <p>PowerShell scripts for practical Essential Eight compliance checking on Windows systems.</p> </div> <br> <br> </div> <br> <div class="gh-btn-container"><a class="gh-btn" href="https://github.com/ShadowStrike-CTF/essential-eight-checklist" rel="noopener noreferrer">View on GitHub</a></div> <br> </div> <br> <h2> Conclusion </h2> <p>Essential Eight compliance doesn't require expensive enterprise tools. PowerShell provides native cmdlets for checking application control, patching status, user hardening, privilege restrictions, and backup configurations.</p> <p>This script packages those checks into a practical audit workflow that runs on any Windows 10/11 system without dependencies. For IT security professionals, compliance teams, and system administrators working in Australian government or enterprise environments, automated Essential Eight auditing is a fundamental operational requirement.</p> <p>The value isn't just in the compliance report — it's in the velocity. Running this audit manually would take an experienced admin 30-60 minutes per system. The script completes it in seconds and produces consistent, auditable results.</p> <p><em>Built by ShadowStrike (Strategos) — where we build actual security tools instead of theatre 🎃.</em></p> powershell security compliance australia ShadowStrike Sun, 26 Apr 2026 11:32:30 +0000 https://dev.to/shadowstrike/how-to-build-a-haveibeenpwned-breach-auditor-in-python-241g https://dev.to/shadowstrike/how-to-build-a-haveibeenpwned-breach-auditor-in-python-241g <p><strong>Version 1.0.0</strong></p> <p>Data breaches happen constantly. When credentials from one breach get reused in credential-stuffing attacks against other services, the ripple effect can last years. That's why checking whether an email address or password has appeared in a known breach is a routine first step in any security assessment.</p> <p>HaveIBeenPwned (HIBP) maintains one of the most comprehensive breach databases available, with over 12 billion compromised accounts indexed. In this tutorial, you'll build a Python CLI tool that checks email addresses and passwords against that database using the HIBP API, with proper k-anonymity implementation to protect privacy.</p> <h2> What You'll Build </h2> <p>A command-line Python tool called <code>hibp_auditor.py</code> that:</p> <ul> <li> <strong>Checks passwords using k-anonymity</strong> (your password never leaves your machine) — <strong>works without any API key</strong> </li> <li>Checks email addresses against the HIBP breach database (requires paid API subscription)</li> <li>Handles API rate limiting gracefully</li> <li>Outputs results to console and optionally to a timestamped report file</li> </ul> <p><strong>Note:</strong> Password checking is free and works immediately. Email breach checking requires a paid HIBP API subscription (pricing started ~2024).</p> <h2> Prerequisites </h2> <ul> <li>Python 3.6 or later</li> <li> <code>requests</code> library (<code>pip install requests</code>)</li> <li> <strong>No API key needed</strong> for password checking (uses k-anonymity)</li> <li>Optional: Paid HIBP API subscription for email breach checking (<a href="https://haveibeenpwned.com/API/Key" rel="noopener noreferrer">haveibeenpwned.com/API/Key</a>)</li> </ul> <h2> Understanding K-Anonymity </h2> <p>Before diving into code, it's worth understanding why password checking with HIBP is safe - because the implementation uses k-anonymity.</p> <p><strong>The problem:</strong> If you send your password to an API to check if it's compromised, you're... sending your password to an API. That's not great.</p> <p><strong>The solution:</strong> Instead of sending the full password, HIBP's Pwned Passwords API uses a clever technique:</p> <ol> <li>You hash your password locally using SHA-1</li> <li>You send <strong>only the first 5 characters</strong> of that hash to the API</li> <li>The API returns <strong>all</strong> pwned password hashes that start with those 5 characters</li> <li>You check locally whether your full hash is in that list</li> </ol> <p>This means the API never sees your actual password or even your full hash. The first 5 characters of a SHA-1 hash match thousands of different passwords, so the API can't determine which specific password you're checking.</p> <p>This is k-anonymity: your query is indistinguishable from k other possible queries, where k is large enough to preserve privacy.</p> <h2> The Complete Script </h2> <p>Here's the full implementation:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="c1">#!/usr/bin/env python3 </span><span class="sh">"""</span><span class="s"> HaveIBeenPwned Breach Auditor Purpose: Check email addresses and passwords against the HIBP breach database Author: ShadowStrike (Strategos) License: MIT </span><span class="sh">"""</span> <span class="kn">import</span> <span class="n">argparse</span> <span class="kn">import</span> <span class="n">hashlib</span> <span class="kn">import</span> <span class="n">requests</span> <span class="kn">import</span> <span class="n">sys</span> <span class="kn">import</span> <span class="n">time</span> <span class="kn">from</span> <span class="n">datetime</span> <span class="kn">import</span> <span class="n">datetime</span> <span class="c1"># HIBP API endpoints </span><span class="n">HIBP_BREACH_API</span> <span class="o">=</span> <span class="sh">"</span><span class="s">https://haveibeenpwned.com/api/v3/breachedaccount/{}</span><span class="sh">"</span> <span class="n">HIBP_PASSWORD_API</span> <span class="o">=</span> <span class="sh">"</span><span class="s">https://api.pwnedpasswords.com/range/{}</span><span class="sh">"</span> <span class="k">def</span> <span class="nf">check_email_breaches</span><span class="p">(</span><span class="n">email</span><span class="p">,</span> <span class="n">api_key</span><span class="o">=</span><span class="bp">None</span><span class="p">):</span> <span class="sh">"""</span><span class="s"> Check if an email address appears in known data breaches. Args: email: Email address to check api_key: HIBP API key (required for email checks) Returns: List of breach dictionaries or None if error </span><span class="sh">"""</span> <span class="k">if</span> <span class="ow">not</span> <span class="n">api_key</span><span class="p">:</span> <span class="nf">print</span><span class="p">(</span><span class="sh">"</span><span class="s">[ERROR] Email breach checking requires an HIBP API key</span><span class="sh">"</span><span class="p">)</span> <span class="nf">print</span><span class="p">(</span><span class="sh">"</span><span class="s">[INFO] Get a free key at: https://haveibeenpwned.com/API/Key</span><span class="sh">"</span><span class="p">)</span> <span class="k">return</span> <span class="bp">None</span> <span class="n">url</span> <span class="o">=</span> <span class="n">HIBP_BREACH_API</span><span class="p">.</span><span class="nf">format</span><span class="p">(</span><span class="n">email</span><span class="p">)</span> <span class="n">headers</span> <span class="o">=</span> <span class="p">{</span> <span class="sh">'</span><span class="s">hibp-api-key</span><span class="sh">'</span><span class="p">:</span> <span class="n">api_key</span><span class="p">,</span> <span class="sh">'</span><span class="s">user-agent</span><span class="sh">'</span><span class="p">:</span> <span class="sh">'</span><span class="s">HIBP-Breach-Auditor</span><span class="sh">'</span> <span class="p">}</span> <span class="k">try</span><span class="p">:</span> <span class="n">response</span> <span class="o">=</span> <span class="n">requests</span><span class="p">.</span><span class="nf">get</span><span class="p">(</span><span class="n">url</span><span class="p">,</span> <span class="n">headers</span><span class="o">=</span><span class="n">headers</span><span class="p">,</span> <span class="n">timeout</span><span class="o">=</span><span class="mi">10</span><span class="p">)</span> <span class="k">if</span> <span class="n">response</span><span class="p">.</span><span class="n">status_code</span> <span class="o">==</span> <span class="mi">200</span><span class="p">:</span> <span class="k">return</span> <span class="n">response</span><span class="p">.</span><span class="nf">json</span><span class="p">()</span> <span class="k">elif</span> <span class="n">response</span><span class="p">.</span><span class="n">status_code</span> <span class="o">==</span> <span class="mi">404</span><span class="p">:</span> <span class="k">return</span> <span class="p">[]</span> <span class="c1"># No breaches found (good news!) </span> <span class="k">elif</span> <span class="n">response</span><span class="p">.</span><span class="n">status_code</span> <span class="o">==</span> <span class="mi">429</span><span class="p">:</span> <span class="nf">print</span><span class="p">(</span><span class="sh">"</span><span class="s">[ERROR] Rate limit exceeded - wait and try again</span><span class="sh">"</span><span class="p">)</span> <span class="k">return</span> <span class="bp">None</span> <span class="k">else</span><span class="p">:</span> <span class="nf">print</span><span class="p">(</span><span class="sa">f</span><span class="sh">"</span><span class="s">[ERROR] API returned status code: </span><span class="si">{</span><span class="n">response</span><span class="p">.</span><span class="n">status_code</span><span class="si">}</span><span class="sh">"</span><span class="p">)</span> <span class="k">return</span> <span class="bp">None</span> <span class="k">except</span> <span class="n">requests</span><span class="p">.</span><span class="n">exceptions</span><span class="p">.</span><span class="n">RequestException</span> <span class="k">as</span> <span class="n">e</span><span class="p">:</span> <span class="nf">print</span><span class="p">(</span><span class="sa">f</span><span class="sh">"</span><span class="s">[ERROR] Network error: </span><span class="si">{</span><span class="n">e</span><span class="si">}</span><span class="sh">"</span><span class="p">)</span> <span class="k">return</span> <span class="bp">None</span> <span class="k">def</span> <span class="nf">check_password_pwned</span><span class="p">(</span><span class="n">password</span><span class="p">):</span> <span class="sh">"""</span><span class="s"> Check if a password appears in known breaches using k-anonymity. This uses the Pwned Passwords API with k-anonymity - only the first 5 characters of the SHA-1 hash are sent to the API, protecting privacy. Args: password: Password to check (never sent to API in plain text) Returns: Tuple of (is_pwned: bool, count: int) or (None, None) if error </span><span class="sh">"""</span> <span class="c1"># Hash the password locally </span> <span class="n">sha1_hash</span> <span class="o">=</span> <span class="n">hashlib</span><span class="p">.</span><span class="nf">sha1</span><span class="p">(</span><span class="n">password</span><span class="p">.</span><span class="nf">encode</span><span class="p">(</span><span class="sh">'</span><span class="s">utf-8</span><span class="sh">'</span><span class="p">)).</span><span class="nf">hexdigest</span><span class="p">().</span><span class="nf">upper</span><span class="p">()</span> <span class="c1"># Send only the first 5 characters </span> <span class="n">prefix</span> <span class="o">=</span> <span class="n">sha1_hash</span><span class="p">[:</span><span class="mi">5</span><span class="p">]</span> <span class="n">suffix</span> <span class="o">=</span> <span class="n">sha1_hash</span><span class="p">[</span><span class="mi">5</span><span class="p">:]</span> <span class="n">url</span> <span class="o">=</span> <span class="n">HIBP_PASSWORD_API</span><span class="p">.</span><span class="nf">format</span><span class="p">(</span><span class="n">prefix</span><span class="p">)</span> <span class="k">try</span><span class="p">:</span> <span class="n">response</span> <span class="o">=</span> <span class="n">requests</span><span class="p">.</span><span class="nf">get</span><span class="p">(</span><span class="n">url</span><span class="p">,</span> <span class="n">timeout</span><span class="o">=</span><span class="mi">10</span><span class="p">)</span> <span class="k">if</span> <span class="n">response</span><span class="p">.</span><span class="n">status_code</span> <span class="o">==</span> <span class="mi">200</span><span class="p">:</span> <span class="c1"># Parse the response - each line is "suffix:count" </span> <span class="n">hashes</span> <span class="o">=</span> <span class="n">response</span><span class="p">.</span><span class="n">text</span><span class="p">.</span><span class="nf">split</span><span class="p">(</span><span class="sh">'</span><span class="se">\r\n</span><span class="sh">'</span><span class="p">)</span> <span class="k">for</span> <span class="n">hash_line</span> <span class="ow">in</span> <span class="n">hashes</span><span class="p">:</span> <span class="k">if</span> <span class="sh">'</span><span class="s">:</span><span class="sh">'</span> <span class="ow">in</span> <span class="n">hash_line</span><span class="p">:</span> <span class="n">hash_suffix</span><span class="p">,</span> <span class="n">count</span> <span class="o">=</span> <span class="n">hash_line</span><span class="p">.</span><span class="nf">split</span><span class="p">(</span><span class="sh">'</span><span class="s">:</span><span class="sh">'</span><span class="p">)</span> <span class="k">if</span> <span class="n">hash_suffix</span> <span class="o">==</span> <span class="n">suffix</span><span class="p">:</span> <span class="nf">return </span><span class="p">(</span><span class="bp">True</span><span class="p">,</span> <span class="nf">int</span><span class="p">(</span><span class="n">count</span><span class="p">))</span> <span class="c1"># Hash not found in response = password not pwned </span> <span class="nf">return </span><span class="p">(</span><span class="bp">False</span><span class="p">,</span> <span class="mi">0</span><span class="p">)</span> <span class="k">elif</span> <span class="n">response</span><span class="p">.</span><span class="n">status_code</span> <span class="o">==</span> <span class="mi">429</span><span class="p">:</span> <span class="nf">print</span><span class="p">(</span><span class="sh">"</span><span class="s">[ERROR] Rate limit exceeded</span><span class="sh">"</span><span class="p">)</span> <span class="nf">return </span><span class="p">(</span><span class="bp">None</span><span class="p">,</span> <span class="bp">None</span><span class="p">)</span> <span class="k">else</span><span class="p">:</span> <span class="nf">print</span><span class="p">(</span><span class="sa">f</span><span class="sh">"</span><span class="s">[ERROR] API returned status code: </span><span class="si">{</span><span class="n">response</span><span class="p">.</span><span class="n">status_code</span><span class="si">}</span><span class="sh">"</span><span class="p">)</span> <span class="nf">return </span><span class="p">(</span><span class="bp">None</span><span class="p">,</span> <span class="bp">None</span><span class="p">)</span> <span class="k">except</span> <span class="n">requests</span><span class="p">.</span><span class="n">exceptions</span><span class="p">.</span><span class="n">RequestException</span> <span class="k">as</span> <span class="n">e</span><span class="p">:</span> <span class="nf">print</span><span class="p">(</span><span class="sa">f</span><span class="sh">"</span><span class="s">[ERROR] Network error: </span><span class="si">{</span><span class="n">e</span><span class="si">}</span><span class="sh">"</span><span class="p">)</span> <span class="nf">return </span><span class="p">(</span><span class="bp">None</span><span class="p">,</span> <span class="bp">None</span><span class="p">)</span> <span class="k">def</span> <span class="nf">format_breach_info</span><span class="p">(</span><span class="n">breach</span><span class="p">):</span> <span class="sh">"""</span><span class="s">Format a breach dictionary into readable output</span><span class="sh">"""</span> <span class="n">name</span> <span class="o">=</span> <span class="n">breach</span><span class="p">.</span><span class="nf">get</span><span class="p">(</span><span class="sh">'</span><span class="s">Name</span><span class="sh">'</span><span class="p">,</span> <span class="sh">'</span><span class="s">Unknown</span><span class="sh">'</span><span class="p">)</span> <span class="n">domain</span> <span class="o">=</span> <span class="n">breach</span><span class="p">.</span><span class="nf">get</span><span class="p">(</span><span class="sh">'</span><span class="s">Domain</span><span class="sh">'</span><span class="p">,</span> <span class="sh">'</span><span class="s">N/A</span><span class="sh">'</span><span class="p">)</span> <span class="n">breach_date</span> <span class="o">=</span> <span class="n">breach</span><span class="p">.</span><span class="nf">get</span><span class="p">(</span><span class="sh">'</span><span class="s">BreachDate</span><span class="sh">'</span><span class="p">,</span> <span class="sh">'</span><span class="s">Unknown</span><span class="sh">'</span><span class="p">)</span> <span class="n">pwn_count</span> <span class="o">=</span> <span class="n">breach</span><span class="p">.</span><span class="nf">get</span><span class="p">(</span><span class="sh">'</span><span class="s">PwnCount</span><span class="sh">'</span><span class="p">,</span> <span class="mi">0</span><span class="p">)</span> <span class="n">data_classes</span> <span class="o">=</span> <span class="sh">'</span><span class="s">, </span><span class="sh">'</span><span class="p">.</span><span class="nf">join</span><span class="p">(</span><span class="n">breach</span><span class="p">.</span><span class="nf">get</span><span class="p">(</span><span class="sh">'</span><span class="s">DataClasses</span><span class="sh">'</span><span class="p">,</span> <span class="p">[]))</span> <span class="k">return</span> <span class="sa">f</span><span class="sh">"""</span><span class="s"> Breach: </span><span class="si">{</span><span class="n">name</span><span class="si">}</span><span class="s"> Domain: </span><span class="si">{</span><span class="n">domain</span><span class="si">}</span><span class="s"> Date: </span><span class="si">{</span><span class="n">breach_date</span><span class="si">}</span><span class="s"> Accounts: </span><span class="si">{</span><span class="n">pwn_count</span><span class="si">:</span><span class="p">,</span><span class="si">}</span><span class="s"> Data: </span><span class="si">{</span><span class="n">data_classes</span><span class="si">}</span><span class="s"> </span><span class="sh">"""</span> <span class="k">def</span> <span class="nf">main</span><span class="p">():</span> <span class="n">parser</span> <span class="o">=</span> <span class="n">argparse</span><span class="p">.</span><span class="nc">ArgumentParser</span><span class="p">(</span> <span class="n">description</span><span class="o">=</span><span class="sh">'</span><span class="s">Check email addresses and passwords against HaveIBeenPwned database</span><span class="sh">'</span><span class="p">,</span> <span class="n">epilog</span><span class="o">=</span><span class="sh">'</span><span class="s">Example: python hibp_auditor.py --email test@example.com --api-key YOUR_KEY</span><span class="sh">'</span> <span class="p">)</span> <span class="n">parser</span><span class="p">.</span><span class="nf">add_argument</span><span class="p">(</span><span class="sh">'</span><span class="s">--email</span><span class="sh">'</span><span class="p">,</span> <span class="nb">type</span><span class="o">=</span><span class="nb">str</span><span class="p">,</span> <span class="n">help</span><span class="o">=</span><span class="sh">'</span><span class="s">Email address to check for breaches</span><span class="sh">'</span><span class="p">)</span> <span class="n">parser</span><span class="p">.</span><span class="nf">add_argument</span><span class="p">(</span><span class="sh">'</span><span class="s">--password</span><span class="sh">'</span><span class="p">,</span> <span class="nb">type</span><span class="o">=</span><span class="nb">str</span><span class="p">,</span> <span class="n">help</span><span class="o">=</span><span class="sh">'</span><span class="s">Password to check (uses k-anonymity - safe)</span><span class="sh">'</span><span class="p">)</span> <span class="n">parser</span><span class="p">.</span><span class="nf">add_argument</span><span class="p">(</span><span class="sh">'</span><span class="s">--api-key</span><span class="sh">'</span><span class="p">,</span> <span class="nb">type</span><span class="o">=</span><span class="nb">str</span><span class="p">,</span> <span class="n">help</span><span class="o">=</span><span class="sh">'</span><span class="s">HIBP API key (required for email checks)</span><span class="sh">'</span><span class="p">)</span> <span class="n">parser</span><span class="p">.</span><span class="nf">add_argument</span><span class="p">(</span><span class="sh">'</span><span class="s">--output</span><span class="sh">'</span><span class="p">,</span> <span class="nb">type</span><span class="o">=</span><span class="nb">str</span><span class="p">,</span> <span class="n">help</span><span class="o">=</span><span class="sh">'</span><span class="s">Write results to file (default: console only)</span><span class="sh">'</span><span class="p">)</span> <span class="n">args</span> <span class="o">=</span> <span class="n">parser</span><span class="p">.</span><span class="nf">parse_args</span><span class="p">()</span> <span class="k">if</span> <span class="ow">not</span> <span class="n">args</span><span class="p">.</span><span class="n">email</span> <span class="ow">and</span> <span class="ow">not</span> <span class="n">args</span><span class="p">.</span><span class="n">password</span><span class="p">:</span> <span class="n">parser</span><span class="p">.</span><span class="nf">print_help</span><span class="p">()</span> <span class="n">sys</span><span class="p">.</span><span class="nf">exit</span><span class="p">(</span><span class="mi">1</span><span class="p">)</span> <span class="n">timestamp</span> <span class="o">=</span> <span class="n">datetime</span><span class="p">.</span><span class="nf">now</span><span class="p">().</span><span class="nf">strftime</span><span class="p">(</span><span class="sh">"</span><span class="s">%Y-%m-%d %H:%M:%S</span><span class="sh">"</span><span class="p">)</span> <span class="n">results</span> <span class="o">=</span> <span class="p">[]</span> <span class="n">results</span><span class="p">.</span><span class="nf">append</span><span class="p">(</span><span class="sa">f</span><span class="sh">"</span><span class="s">HIBP Breach Audit Report - </span><span class="si">{</span><span class="n">timestamp</span><span class="si">}</span><span class="sh">"</span><span class="p">)</span> <span class="n">results</span><span class="p">.</span><span class="nf">append</span><span class="p">(</span><span class="sh">"</span><span class="s">=</span><span class="sh">"</span> <span class="o">*</span> <span class="mi">60</span><span class="p">)</span> <span class="n">results</span><span class="p">.</span><span class="nf">append</span><span class="p">(</span><span class="sh">""</span><span class="p">)</span> <span class="c1"># Check email if provided </span> <span class="k">if</span> <span class="n">args</span><span class="p">.</span><span class="n">email</span><span class="p">:</span> <span class="nf">print</span><span class="p">(</span><span class="sa">f</span><span class="sh">"</span><span class="se">\n</span><span class="s">[*] Checking email: </span><span class="si">{</span><span class="n">args</span><span class="p">.</span><span class="n">email</span><span class="si">}</span><span class="sh">"</span><span class="p">)</span> <span class="n">results</span><span class="p">.</span><span class="nf">append</span><span class="p">(</span><span class="sa">f</span><span class="sh">"</span><span class="s">Email: </span><span class="si">{</span><span class="n">args</span><span class="p">.</span><span class="n">email</span><span class="si">}</span><span class="sh">"</span><span class="p">)</span> <span class="n">breaches</span> <span class="o">=</span> <span class="nf">check_email_breaches</span><span class="p">(</span><span class="n">args</span><span class="p">.</span><span class="n">email</span><span class="p">,</span> <span class="n">args</span><span class="p">.</span><span class="n">api_key</span><span class="p">)</span> <span class="k">if</span> <span class="n">breaches</span> <span class="ow">is</span> <span class="bp">None</span><span class="p">:</span> <span class="n">results</span><span class="p">.</span><span class="nf">append</span><span class="p">(</span><span class="sh">"</span><span class="s"> Status: ERROR - Could not complete check</span><span class="sh">"</span><span class="p">)</span> <span class="k">elif</span> <span class="nf">len</span><span class="p">(</span><span class="n">breaches</span><span class="p">)</span> <span class="o">==</span> <span class="mi">0</span><span class="p">:</span> <span class="nf">print</span><span class="p">(</span><span class="sh">"</span><span class="s">[OK] No breaches found - this email is clean!</span><span class="sh">"</span><span class="p">)</span> <span class="n">results</span><span class="p">.</span><span class="nf">append</span><span class="p">(</span><span class="sh">"</span><span class="s"> Status: CLEAN - No breaches found</span><span class="sh">"</span><span class="p">)</span> <span class="k">else</span><span class="p">:</span> <span class="nf">print</span><span class="p">(</span><span class="sa">f</span><span class="sh">"</span><span class="s">[WARNING] Found in </span><span class="si">{</span><span class="nf">len</span><span class="p">(</span><span class="n">breaches</span><span class="p">)</span><span class="si">}</span><span class="s"> breach(es):</span><span class="sh">"</span><span class="p">)</span> <span class="n">results</span><span class="p">.</span><span class="nf">append</span><span class="p">(</span><span class="sa">f</span><span class="sh">"</span><span class="s"> Status: COMPROMISED - Found in </span><span class="si">{</span><span class="nf">len</span><span class="p">(</span><span class="n">breaches</span><span class="p">)</span><span class="si">}</span><span class="s"> breach(es)</span><span class="sh">"</span><span class="p">)</span> <span class="n">results</span><span class="p">.</span><span class="nf">append</span><span class="p">(</span><span class="sh">""</span><span class="p">)</span> <span class="k">for</span> <span class="n">breach</span> <span class="ow">in</span> <span class="n">breaches</span><span class="p">:</span> <span class="n">breach_info</span> <span class="o">=</span> <span class="nf">format_breach_info</span><span class="p">(</span><span class="n">breach</span><span class="p">)</span> <span class="nf">print</span><span class="p">(</span><span class="n">breach_info</span><span class="p">)</span> <span class="n">results</span><span class="p">.</span><span class="nf">append</span><span class="p">(</span><span class="n">breach_info</span><span class="p">)</span> <span class="n">results</span><span class="p">.</span><span class="nf">append</span><span class="p">(</span><span class="sh">""</span><span class="p">)</span> <span class="c1"># Rate limiting courtesy </span> <span class="k">if</span> <span class="n">args</span><span class="p">.</span><span class="n">password</span><span class="p">:</span> <span class="n">time</span><span class="p">.</span><span class="nf">sleep</span><span class="p">(</span><span class="mf">1.5</span><span class="p">)</span> <span class="c1"># Check password if provided </span> <span class="k">if</span> <span class="n">args</span><span class="p">.</span><span class="n">password</span><span class="p">:</span> <span class="nf">print</span><span class="p">(</span><span class="sa">f</span><span class="sh">"</span><span class="se">\n</span><span class="s">[*] Checking password (using k-anonymity)...</span><span class="sh">"</span><span class="p">)</span> <span class="n">results</span><span class="p">.</span><span class="nf">append</span><span class="p">(</span><span class="sh">"</span><span class="s">Password: [REDACTED]</span><span class="sh">"</span><span class="p">)</span> <span class="n">is_pwned</span><span class="p">,</span> <span class="n">count</span> <span class="o">=</span> <span class="nf">check_password_pwned</span><span class="p">(</span><span class="n">args</span><span class="p">.</span><span class="n">password</span><span class="p">)</span> <span class="k">if</span> <span class="n">is_pwned</span> <span class="ow">is</span> <span class="bp">None</span><span class="p">:</span> <span class="n">results</span><span class="p">.</span><span class="nf">append</span><span class="p">(</span><span class="sh">"</span><span class="s"> Status: ERROR - Could not complete check</span><span class="sh">"</span><span class="p">)</span> <span class="k">elif</span> <span class="n">is_pwned</span><span class="p">:</span> <span class="nf">print</span><span class="p">(</span><span class="sa">f</span><span class="sh">"</span><span class="s">[WARNING] Password found in </span><span class="si">{</span><span class="n">count</span><span class="si">:</span><span class="p">,</span><span class="si">}</span><span class="s"> breaches!</span><span class="sh">"</span><span class="p">)</span> <span class="nf">print</span><span class="p">(</span><span class="sh">"</span><span class="s">[ADVICE] This password is compromised - change it immediately</span><span class="sh">"</span><span class="p">)</span> <span class="n">results</span><span class="p">.</span><span class="nf">append</span><span class="p">(</span><span class="sa">f</span><span class="sh">"</span><span class="s"> Status: PWNED - Found in </span><span class="si">{</span><span class="n">count</span><span class="si">:</span><span class="p">,</span><span class="si">}</span><span class="s"> breaches</span><span class="sh">"</span><span class="p">)</span> <span class="n">results</span><span class="p">.</span><span class="nf">append</span><span class="p">(</span><span class="sh">"</span><span class="s"> Advice: Change this password immediately</span><span class="sh">"</span><span class="p">)</span> <span class="k">else</span><span class="p">:</span> <span class="nf">print</span><span class="p">(</span><span class="sh">"</span><span class="s">[OK] Password not found in known breaches</span><span class="sh">"</span><span class="p">)</span> <span class="n">results</span><span class="p">.</span><span class="nf">append</span><span class="p">(</span><span class="sh">"</span><span class="s"> Status: CLEAN - Not found in known breaches</span><span class="sh">"</span><span class="p">)</span> <span class="n">results</span><span class="p">.</span><span class="nf">append</span><span class="p">(</span><span class="sh">""</span><span class="p">)</span> <span class="c1"># Write to file if requested </span> <span class="k">if</span> <span class="n">args</span><span class="p">.</span><span class="n">output</span><span class="p">:</span> <span class="k">try</span><span class="p">:</span> <span class="k">with</span> <span class="nf">open</span><span class="p">(</span><span class="n">args</span><span class="p">.</span><span class="n">output</span><span class="p">,</span> <span class="sh">'</span><span class="s">w</span><span class="sh">'</span><span class="p">,</span> <span class="n">encoding</span><span class="o">=</span><span class="sh">'</span><span class="s">utf-8</span><span class="sh">'</span><span class="p">)</span> <span class="k">as</span> <span class="n">f</span><span class="p">:</span> <span class="n">f</span><span class="p">.</span><span class="nf">write</span><span class="p">(</span><span class="sh">'</span><span class="se">\n</span><span class="sh">'</span><span class="p">.</span><span class="nf">join</span><span class="p">(</span><span class="n">results</span><span class="p">))</span> <span class="nf">print</span><span class="p">(</span><span class="sa">f</span><span class="sh">"</span><span class="se">\n</span><span class="s">[*] Report written to: </span><span class="si">{</span><span class="n">args</span><span class="p">.</span><span class="n">output</span><span class="si">}</span><span class="sh">"</span><span class="p">)</span> <span class="k">except</span> <span class="nb">IOError</span> <span class="k">as</span> <span class="n">e</span><span class="p">:</span> <span class="nf">print</span><span class="p">(</span><span class="sa">f</span><span class="sh">"</span><span class="se">\n</span><span class="s">[ERROR] Could not write to file: </span><span class="si">{</span><span class="n">e</span><span class="si">}</span><span class="sh">"</span><span class="p">)</span> <span class="nf">print</span><span class="p">(</span><span class="sh">"</span><span class="se">\n</span><span class="s">[*] Audit complete</span><span class="sh">"</span><span class="p">)</span> <span class="k">if</span> <span class="n">__name__</span> <span class="o">==</span> <span class="sh">"</span><span class="s">__main__</span><span class="sh">"</span><span class="p">:</span> <span class="nf">main</span><span class="p">()</span> </code></pre> </div> <h2> How to Use It </h2> <h3> Installation </h3> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="c"># Install dependencies</span> pip <span class="nb">install </span>requests <span class="c"># Download the script</span> <span class="c"># (or clone from GitHub - link at end of tutorial)</span> <span class="c"># Linux/Mac only - make executable</span> <span class="nb">chmod</span> +x hibp_auditor.py <span class="c"># Windows - no chmod needed, just run with python</span> python hibp_auditor.py <span class="nt">--help</span> </code></pre> </div> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Flggnj1gaza7phnkt2m8d.jpg" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Flggnj1gaza7phnkt2m8d.jpg"></a></p> <h3> Security Note: Read the Code Before Running It </h3> <p>Before executing this or any Python script from the internet:</p> <ol> <li> <strong>Read the source code completely</strong> — every function, every API call, every file operation</li> <li> <strong>Verify the logic</strong> — does it do what it claims and nothing else?</li> <li> <strong>Check for risks</strong> — unexpected network calls, file access, credential storage</li> </ol> <p>Apply the <strong>ABC principle</strong>:</p> <ul> <li><strong>Assume nothing</strong></li> <li><strong>Believe nothing</strong></li> <li><strong>Check everything</strong></li> </ul> <p>Never execute code you haven't personally reviewed and understood, regardless of where it came from. You are the final security control.</p> <h3> Check a Password (No API Key Required) </h3> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>python hibp_auditor.py <span class="nt">--password</span> <span class="s2">"password123"</span> </code></pre> </div> <p><strong>Sample output:</strong><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>[*] Checking password (using k-anonymity)... [WARNING] Password found in 2,254,650 breaches! [ADVICE] This password is compromised - change it immediately [*] Audit complete </code></pre> </div> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fpxefqg7ua5ppu443njwx.jpg" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fpxefqg7ua5ppu443njwx.jpg"></a></p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F5g8078hjvgbzbd279vp0.jpg" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F5g8078hjvgbzbd279vp0.jpg"></a></p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Ff3e877wbqpqwoy542zxb.jpg" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Ff3e877wbqpqwoy542zxb.jpg"></a></p> <p>Or with a strong password:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>[*] Checking password (using k-anonymity)... [OK] Password not found in known breaches [*] Audit complete </code></pre> </div> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fja72z5udo7v8bkgy9vth.jpg" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fja72z5udo7v8bkgy9vth.jpg"></a></p> <h3> Save Results to File </h3> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>python hibp_auditor.py <span class="nt">--email</span> <span class="nb">test</span>@example.com <span class="nt">--api-key</span> YOUR_KEY <span class="nt">--output</span> report.txt </code></pre> </div> <h3> Check an Email Address (Requires Paid API Key) </h3> <p><strong>Note:</strong> Email breach checking requires a paid HIBP API subscription. If you don't have an API key, the tool will show an error and direct you to the HIBP website.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>python hibp_auditor.py <span class="nt">--email</span> <span class="nb">test</span>@example.com <span class="nt">--api-key</span> YOUR_API_KEY </code></pre> </div> <p><strong>Sample output (with valid API key):</strong><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>[*] Checking email: test@example.com [WARNING] Found in 3 breach(es): Breach: Adobe Domain: adobe.com Date: 2013-10-04 Accounts: 152,445,165 Data: Email addresses, Password hints, Passwords, Usernames Breach: LinkedIn Domain: linkedin.com Date: 2012-05-05 Accounts: 164,611,595 Data: Email addresses, Passwords </code></pre> </div> <h2> Code Walkthrough </h2> <h3> Email Breach Checking </h3> <p>The <code>check_email_breaches()</code> function hits the HIBP API v3 endpoint:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="n">url</span> <span class="o">=</span> <span class="n">HIBP_BREACH_API</span><span class="p">.</span><span class="nf">format</span><span class="p">(</span><span class="n">email</span><span class="p">)</span> <span class="n">headers</span> <span class="o">=</span> <span class="p">{</span> <span class="sh">'</span><span class="s">hibp-api-key</span><span class="sh">'</span><span class="p">:</span> <span class="n">api_key</span><span class="p">,</span> <span class="sh">'</span><span class="s">user-agent</span><span class="sh">'</span><span class="p">:</span> <span class="sh">'</span><span class="s">HIBP-Breach-Auditor</span><span class="sh">'</span> <span class="p">}</span> <span class="n">response</span> <span class="o">=</span> <span class="n">requests</span><span class="p">.</span><span class="nf">get</span><span class="p">(</span><span class="n">url</span><span class="p">,</span> <span class="n">headers</span><span class="o">=</span><span class="n">headers</span><span class="p">,</span> <span class="n">timeout</span><span class="o">=</span><span class="mi">10</span><span class="p">)</span> </code></pre> </div> <p><strong>Key points:</strong></p> <ul> <li>Requires an API key (free for reasonable use)</li> <li>Returns HTTP 404 if no breaches found (which we treat as good news)</li> <li>Returns HTTP 429 if rate-limited (wait and retry)</li> <li>Returns JSON array of breach objects if compromised</li> </ul> <h3> Password Checking with K-Anonymity </h3> <p>The <code>check_password_pwned()</code> function implements the k-anonymity protocol:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="c1"># Hash locally </span><span class="n">sha1_hash</span> <span class="o">=</span> <span class="n">hashlib</span><span class="p">.</span><span class="nf">sha1</span><span class="p">(</span><span class="n">password</span><span class="p">.</span><span class="nf">encode</span><span class="p">(</span><span class="sh">'</span><span class="s">utf-8</span><span class="sh">'</span><span class="p">)).</span><span class="nf">hexdigest</span><span class="p">().</span><span class="nf">upper</span><span class="p">()</span> <span class="c1"># Send only first 5 chars </span><span class="n">prefix</span> <span class="o">=</span> <span class="n">sha1_hash</span><span class="p">[:</span><span class="mi">5</span><span class="p">]</span> <span class="n">suffix</span> <span class="o">=</span> <span class="n">sha1_hash</span><span class="p">[</span><span class="mi">5</span><span class="p">:]</span> <span class="n">url</span> <span class="o">=</span> <span class="n">HIBP_PASSWORD_API</span><span class="p">.</span><span class="nf">format</span><span class="p">(</span><span class="n">prefix</span><span class="p">)</span> <span class="n">response</span> <span class="o">=</span> <span class="n">requests</span><span class="p">.</span><span class="nf">get</span><span class="p">(</span><span class="n">url</span><span class="p">,</span> <span class="n">timeout</span><span class="o">=</span><span class="mi">10</span><span class="p">)</span> <span class="c1"># Check if our full hash is in the response </span><span class="k">for</span> <span class="n">hash_line</span> <span class="ow">in</span> <span class="n">hashes</span><span class="p">:</span> <span class="n">hash_suffix</span><span class="p">,</span> <span class="n">count</span> <span class="o">=</span> <span class="n">hash_line</span><span class="p">.</span><span class="nf">split</span><span class="p">(</span><span class="sh">'</span><span class="s">:</span><span class="sh">'</span><span class="p">)</span> <span class="k">if</span> <span class="n">hash_suffix</span> <span class="o">==</span> <span class="n">suffix</span><span class="p">:</span> <span class="nf">return </span><span class="p">(</span><span class="bp">True</span><span class="p">,</span> <span class="nf">int</span><span class="p">(</span><span class="n">count</span><span class="p">))</span> </code></pre> </div> <p><strong>Why this is safe:</strong></p> <ol> <li>Password is hashed locally with SHA-1</li> <li>Only the first 5 characters of the hash are sent</li> <li>API returns ~500-1000 hash suffixes matching that prefix</li> <li>We check locally if our full hash is in that list</li> <li>The API never learns which specific hash we're checking</li> </ol> <h3> Rate Limiting Courtesy </h3> <p>The HIBP API has rate limits. The script implements courtesy delays:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="k">if</span> <span class="n">args</span><span class="p">.</span><span class="n">password</span><span class="p">:</span> <span class="n">time</span><span class="p">.</span><span class="nf">sleep</span><span class="p">(</span><span class="mf">1.5</span><span class="p">)</span> <span class="c1"># Wait between email and password checks </span></code></pre> </div> <p>For production use checking multiple emails, implement exponential backoff when hitting 429 responses.</p> <h2> Real-World Use Cases </h2> <p><strong>Small team audit:</strong> Check all company email addresses to see who's been compromised:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="k">for </span>email <span class="k">in </span>alice@company.com bob@company.com charlie@company.com<span class="p">;</span> <span class="k">do </span>python hibp_auditor.py <span class="nt">--email</span> <span class="nv">$email</span> <span class="nt">--api-key</span> YOUR_KEY <span class="nt">--output</span> report_<span class="nv">$email</span>.txt <span class="nb">sleep </span>2 <span class="c"># Rate limiting courtesy</span> <span class="k">done</span> </code></pre> </div> <p><strong>Password policy enforcement:</strong> Check common weak passwords against HIBP before allowing them in your system:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="n">is_pwned</span><span class="p">,</span> <span class="n">count</span> <span class="o">=</span> <span class="nf">check_password_pwned</span><span class="p">(</span><span class="n">user_password</span><span class="p">)</span> <span class="k">if</span> <span class="n">is_pwned</span> <span class="ow">and</span> <span class="n">count</span> <span class="o">&gt;</span> <span class="mi">100</span><span class="p">:</span> <span class="k">return</span> <span class="sh">"</span><span class="s">This password appears in known breaches - choose another</span><span class="sh">"</span> </code></pre> </div> <p><strong>Incident response:</strong> When investigating a suspected breach, check if credentials have appeared in public dumps:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>python hibp_auditor.py <span class="nt">--email</span> suspicious@victim.com <span class="nt">--api-key</span> YOUR_KEY </code></pre> </div> <p><strong>Security awareness training:</strong> Demonstrate to users how common their passwords are:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>python hibp_auditor.py <span class="nt">--password</span> <span class="s2">"password123"</span> <span class="c"># Shows: "Found in 9,238,454 breaches!"</span> </code></pre> </div> <h2> Extending the Script </h2> <p><strong>Bulk email checking:</strong><br> Add a <code>--email-list</code> parameter that reads from a CSV file and checks multiple addresses with proper rate limiting.</p> <p><strong>Domain-wide audit:</strong><br> Integrate with your company directory (LDAP, Azure AD) to audit all @yourcompany.com addresses automatically.</p> <p><strong>Slack/Teams notifications:</strong><br> Add webhook integration to alert security teams when compromised accounts are detected.</p> <p><strong>Password strength scoring:</strong><br> Combine HIBP checking with zxcvbn or similar libraries to provide holistic password strength assessment.</p> <p><strong>MFA enforcement triggers:</strong><br> Automatically enforce MFA for accounts found in breaches as part of your identity management workflow.</p> <h2> Security Considerations </h2> <p><strong>Never log passwords:</strong> The script outputs <code>[REDACTED]</code> instead of the actual password in reports. Maintain this practice.</p> <p><strong>API key protection:</strong> Store your HIBP API key in environment variables, not hardcoded in scripts:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="nb">export </span><span class="nv">HIBP_API_KEY</span><span class="o">=</span><span class="s2">"your-key-here"</span> python hibp_auditor.py <span class="nt">--email</span> <span class="nb">test</span>@example.com <span class="nt">--api-key</span> <span class="nv">$HIBP_API_KEY</span> </code></pre> </div> <p><strong>TLS verification:</strong> The <code>requests</code> library verifies TLS certificates by default. Don't disable this.</p> <p><strong>Rate limits:</strong> Respect HIBP's rate limits. They provide this service for free — don't abuse it.</p> <h2> GitHub Repository </h2> <p>The complete script, requirements.txt, and this tutorial are available on GitHub:</p> <div class="ltag-github-readme-tag"> <div class="readme-overview"> <h2> <img src="https://assets.dev.to/assets/github-logo-5a155e1f9a670af7944dd5e12375bc76ed542ea80224905ecaf878b9157cdefc.svg" alt="GitHub logo"> <a href="https://github.com/ShadowStrike-CTF" rel="noopener noreferrer"> ShadowStrike-CTF </a> / <a href="https://github.com/ShadowStrike-CTF/hibp-breach-auditor" rel="noopener noreferrer"> hibp-breach-auditor </a> </h2> <h3> A Python CLI tool to check email addresses against the HaveIBeenPwned breach database. </h3> </div> <div class="ltag-github-body"> <div id="readme" class="md"> <div class="markdown-heading"> <h1 class="heading-element">hibp-breach-auditor</h1> </div> <p>A Python CLI tool to check email addresses against the HaveIBeenPwned breach database.</p> </div> <br> <br> </div> <br> <div class="gh-btn-container"><a class="gh-btn" href="https://github.com/ShadowStrike-CTF/hibp-breach-auditor" rel="noopener noreferrer">View on GitHub</a></div> <br> </div> <br> <h2> Conclusion </h2> <p>Password reuse and credential stuffing remain among the most effective attack vectors in 2026. Building a simple Python CLI tool that checks against HaveIBeenPwned's database gives you a practical way to assess exposure for individuals or small teams.</p> <p>The k-anonymity implementation means you can check passwords safely without ever transmitting them, and the email breach checking provides immediate visibility into which accounts need attention.</p> <p>For security teams, incident responders, and IT administrators working with small-to-medium organisations, this is a foundational tool that costs nothing to run and provides immediate actionable intelligence.</p> <p><em>Built by ShadowStrike (Strategos) — where we build actual security tools instead of theatre 🎃.</em></p> python security cli tutorial ShadowStrike Sun, 26 Apr 2026 11:05:53 +0000 https://dev.to/shadowstrike/why-diff-tools-lie-detecting-hidden-file-changes-with-powershell-hash-verification-10ak https://dev.to/shadowstrike/why-diff-tools-lie-detecting-hidden-file-changes-with-powershell-hash-verification-10ak <p><strong>Version 1.0.0</strong></p> <p>File modification detection sounds simple until you realise that timestamps can be forged, file sizes can stay identical while content changes, and simple <code>diff</code> tools often miss what matters most: the actual bytes.</p> <p>If you work in IT security, digital forensics, compliance, or system administration, you need a way to verify file integrity that goes deeper than metadata. In this tutorial, you'll build a PowerShell script that creates cryptographic hash baselines of directories and detects modifications that other tools miss.</p> <h2> The Problem with Simple File Comparison </h2> <p>Most file comparison tools check three things:</p> <ul> <li>File name</li> <li>File size </li> <li>Timestamp (created/modified)</li> </ul> <p>An attacker with filesystem access can modify all three. A legitimate user editing a document might change content while the file size stays identical. A script running with admin privileges can alter files and reset timestamps to cover its tracks.</p> <p><strong>What doesn't lie:</strong> the cryptographic hash. Change a single bit in a multi-gigabyte file, and the SHA-256 hash changes completely.</p> <h2> What You'll Build </h2> <p>A PowerShell script called <code>hash_verifier.ps1</code> with two modes:</p> <p><strong>Generate mode:</strong> Scans a directory, computes SHA-256 hashes for every file, and writes a baseline manifest to a timestamped <code>.txt</code> file.</p> <p><strong>Verify mode:</strong> Re-scans the same directory, compares current hashes against the baseline, and flags any files that have been modified, deleted, or added.</p> <h2> Prerequisites </h2> <ul> <li>PowerShell 5.1 or later (built into Windows 10 and above)</li> <li>No external modules required - uses built-in <code>Get-FileHash</code> cmdlet</li> <li>Read access to the directory you want to monitor</li> </ul> <h2> How It Works </h2> <p>The script uses PowerShell's <code>Get-FileHash</code> cmdlet, which computes cryptographic hashes using the SHA-256 algorithm. For each file in the target directory, it calculates a 256-bit hash value that uniquely represents that file's content.</p> <p><strong>Generate mode workflow:</strong></p> <ol> <li>Scan the directory (optionally recursing into subdirectories)</li> <li>Compute SHA-256 hash for each file</li> <li>Write hashes + file paths to a baseline manifest file</li> <li>Store the manifest somewhere safe</li> </ol> <p><strong>Verify mode workflow:</strong></p> <ol> <li>Load the baseline manifest</li> <li>Re-scan the directory and compute current hashes</li> <li>Compare current hashes against baseline hashes</li> <li>Report four categories: OK (unchanged), MISMATCH (modified), MISSING (deleted), NEW (added)</li> </ol> <h2> The Complete Script </h2> <p>Here's the full implementation:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight powershell"><code><span class="c"># PowerShell File Hash Verifier</span><span class="w"> </span><span class="c"># Purpose: Generate hash baselines and detect file modifications</span><span class="w"> </span><span class="c"># Author: ShadowStrike (Strategos)</span><span class="w"> </span><span class="c"># License: MIT</span><span class="w"> </span><span class="kr">param</span><span class="p">(</span><span class="w"> </span><span class="p">[</span><span class="n">Parameter</span><span class="p">(</span><span class="n">Mandatory</span><span class="o">=</span><span class="bp">$true</span><span class="p">)]</span><span class="w"> </span><span class="p">[</span><span class="n">string</span><span class="p">]</span><span class="nv">$Path</span><span class="p">,</span><span class="w"> </span><span class="p">[</span><span class="n">Parameter</span><span class="p">(</span><span class="n">Mandatory</span><span class="o">=</span><span class="bp">$true</span><span class="p">)]</span><span class="w"> </span><span class="p">[</span><span class="n">ValidateSet</span><span class="p">(</span><span class="s2">"Generate"</span><span class="p">,</span><span class="s2">"Verify"</span><span class="p">)]</span><span class="w"> </span><span class="p">[</span><span class="n">string</span><span class="p">]</span><span class="nv">$Mode</span><span class="p">,</span><span class="w"> </span><span class="p">[</span><span class="n">Parameter</span><span class="p">(</span><span class="n">Mandatory</span><span class="o">=</span><span class="bp">$false</span><span class="p">)]</span><span class="w"> </span><span class="p">[</span><span class="n">string</span><span class="p">]</span><span class="nv">$Manifest</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="s2">""</span><span class="p">,</span><span class="w"> </span><span class="p">[</span><span class="n">Parameter</span><span class="p">(</span><span class="n">Mandatory</span><span class="o">=</span><span class="bp">$false</span><span class="p">)]</span><span class="w"> </span><span class="p">[</span><span class="n">string</span><span class="p">]</span><span class="nv">$OutputDir</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="s2">"."</span><span class="p">,</span><span class="w"> </span><span class="p">[</span><span class="n">Parameter</span><span class="p">(</span><span class="n">Mandatory</span><span class="o">=</span><span class="bp">$false</span><span class="p">)]</span><span class="w"> </span><span class="p">[</span><span class="n">switch</span><span class="p">]</span><span class="nv">$Recurse</span><span class="w"> </span><span class="p">)</span><span class="w"> </span><span class="c"># Ensure output directory exists</span><span class="w"> </span><span class="kr">if</span><span class="w"> </span><span class="p">(</span><span class="o">-not</span><span class="w"> </span><span class="p">(</span><span class="n">Test-Path</span><span class="w"> </span><span class="nv">$OutputDir</span><span class="p">))</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="n">New-Item</span><span class="w"> </span><span class="nt">-ItemType</span><span class="w"> </span><span class="nx">Directory</span><span class="w"> </span><span class="nt">-Path</span><span class="w"> </span><span class="nv">$OutputDir</span><span class="w"> </span><span class="nt">-Force</span><span class="w"> </span><span class="o">|</span><span class="w"> </span><span class="n">Out-Null</span><span class="w"> </span><span class="p">}</span><span class="w"> </span><span class="nv">$timestamp</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="n">Get-Date</span><span class="w"> </span><span class="nt">-Format</span><span class="w"> </span><span class="s2">"yyyyMMdd_HHmmss"</span><span class="w"> </span><span class="kr">function</span><span class="w"> </span><span class="nf">Get-FileHashMap</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="kr">param</span><span class="p">([</span><span class="n">string</span><span class="p">]</span><span class="nv">$DirectoryPath</span><span class="p">,</span><span class="w"> </span><span class="p">[</span><span class="n">bool</span><span class="p">]</span><span class="nv">$RecurseSubdirs</span><span class="p">)</span><span class="w"> </span><span class="nv">$hashMap</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="p">@{}</span><span class="w"> </span><span class="nv">$files</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="kr">if</span><span class="w"> </span><span class="p">(</span><span class="nv">$RecurseSubdirs</span><span class="p">)</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="n">Get-ChildItem</span><span class="w"> </span><span class="nt">-Path</span><span class="w"> </span><span class="nv">$DirectoryPath</span><span class="w"> </span><span class="nt">-File</span><span class="w"> </span><span class="nt">-Recurse</span><span class="w"> </span><span class="nt">-ErrorAction</span><span class="w"> </span><span class="nx">SilentlyContinue</span><span class="w"> </span><span class="p">}</span><span class="w"> </span><span class="kr">else</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="n">Get-ChildItem</span><span class="w"> </span><span class="nt">-Path</span><span class="w"> </span><span class="nv">$DirectoryPath</span><span class="w"> </span><span class="nt">-File</span><span class="w"> </span><span class="nt">-ErrorAction</span><span class="w"> </span><span class="nx">SilentlyContinue</span><span class="w"> </span><span class="p">}</span><span class="w"> </span><span class="kr">foreach</span><span class="w"> </span><span class="p">(</span><span class="nv">$file</span><span class="w"> </span><span class="kr">in</span><span class="w"> </span><span class="nv">$files</span><span class="p">)</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="kr">try</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nv">$hash</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="n">Get-FileHash</span><span class="w"> </span><span class="nt">-Path</span><span class="w"> </span><span class="nv">$file</span><span class="o">.</span><span class="nf">FullName</span><span class="w"> </span><span class="nt">-Algorithm</span><span class="w"> </span><span class="nx">SHA256</span><span class="w"> </span><span class="nt">-ErrorAction</span><span class="w"> </span><span class="nx">Stop</span><span class="w"> </span><span class="nv">$hashMap</span><span class="p">[</span><span class="nv">$file</span><span class="o">.</span><span class="nf">FullName</span><span class="p">]</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="nv">$hash</span><span class="o">.</span><span class="nf">Hash</span><span class="w"> </span><span class="p">}</span><span class="w"> </span><span class="kr">catch</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="n">Write-Warning</span><span class="w"> </span><span class="s2">"Could not hash file: </span><span class="si">$(</span><span class="nv">$file</span><span class="o">.</span><span class="nf">FullName</span><span class="si">)</span><span class="s2">"</span><span class="w"> </span><span class="p">}</span><span class="w"> </span><span class="p">}</span><span class="w"> </span><span class="kr">return</span><span class="w"> </span><span class="nv">$hashMap</span><span class="w"> </span><span class="p">}</span><span class="w"> </span><span class="kr">if</span><span class="w"> </span><span class="p">(</span><span class="nv">$Mode</span><span class="w"> </span><span class="o">-eq</span><span class="w"> </span><span class="s2">"Generate"</span><span class="p">)</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="n">Write-Host</span><span class="w"> </span><span class="s2">"[GENERATE MODE] Hashing files in: </span><span class="nv">$Path</span><span class="s2">"</span><span class="w"> </span><span class="nt">-ForegroundColor</span><span class="w"> </span><span class="nx">Cyan</span><span class="w"> </span><span class="nv">$hashMap</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="n">Get-FileHashMap</span><span class="w"> </span><span class="nt">-DirectoryPath</span><span class="w"> </span><span class="nv">$Path</span><span class="w"> </span><span class="nt">-RecurseSubdirs</span><span class="w"> </span><span class="nv">$Recurse</span><span class="w"> </span><span class="nv">$outputFile</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="n">Join-Path</span><span class="w"> </span><span class="nv">$OutputDir</span><span class="w"> </span><span class="s2">"HashVerifier_Generate_</span><span class="nv">$timestamp</span><span class="s2">.txt"</span><span class="w"> </span><span class="nv">$output</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="p">@()</span><span class="w"> </span><span class="nv">$output</span><span class="w"> </span><span class="o">+=</span><span class="w"> </span><span class="s2">"# Hash Baseline Generated: </span><span class="si">$(</span><span class="n">Get-Date</span><span class="p">)</span><span class="s2">"</span><span class="w"> </span><span class="nv">$output</span><span class="w"> </span><span class="o">+=</span><span class="w"> </span><span class="s2">"# Path: </span><span class="nv">$Path</span><span class="s2">"</span><span class="w"> </span><span class="nv">$output</span><span class="w"> </span><span class="o">+=</span><span class="w"> </span><span class="s2">"# Recurse: </span><span class="nv">$Recurse</span><span class="s2">"</span><span class="w"> </span><span class="nv">$output</span><span class="w"> </span><span class="o">+=</span><span class="w"> </span><span class="s2">"# Total Files: </span><span class="si">$(</span><span class="nv">$hashMap</span><span class="o">.</span><span class="nf">Count</span><span class="si">)</span><span class="s2">"</span><span class="w"> </span><span class="nv">$output</span><span class="w"> </span><span class="o">+=</span><span class="w"> </span><span class="s2">""</span><span class="w"> </span><span class="kr">foreach</span><span class="w"> </span><span class="p">(</span><span class="nv">$key</span><span class="w"> </span><span class="kr">in</span><span class="w"> </span><span class="p">(</span><span class="nv">$hashMap</span><span class="o">.</span><span class="nf">Keys</span><span class="w"> </span><span class="o">|</span><span class="w"> </span><span class="n">Sort-Object</span><span class="p">))</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nv">$line</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="s2">"</span><span class="si">$(</span><span class="nv">$hashMap</span><span class="p">[</span><span class="nv">$key</span><span class="p">]</span><span class="si">)</span><span class="s2"> </span><span class="nv">$key</span><span class="s2">"</span><span class="w"> </span><span class="nv">$output</span><span class="w"> </span><span class="o">+=</span><span class="w"> </span><span class="nv">$line</span><span class="w"> </span><span class="n">Write-Host</span><span class="w"> </span><span class="s2">"[GENERATE] </span><span class="nv">$key</span><span class="s2">"</span><span class="w"> </span><span class="nt">-ForegroundColor</span><span class="w"> </span><span class="nx">Green</span><span class="w"> </span><span class="p">}</span><span class="w"> </span><span class="nv">$output</span><span class="w"> </span><span class="o">|</span><span class="w"> </span><span class="n">Out-File</span><span class="w"> </span><span class="nt">-FilePath</span><span class="w"> </span><span class="nv">$outputFile</span><span class="w"> </span><span class="nt">-Encoding</span><span class="w"> </span><span class="nx">UTF8</span><span class="w"> </span><span class="n">Write-Host</span><span class="w"> </span><span class="s2">"</span><span class="se">`n</span><span class="s2">[COMPLETE] Manifest written to: </span><span class="nv">$outputFile</span><span class="s2">"</span><span class="w"> </span><span class="nt">-ForegroundColor</span><span class="w"> </span><span class="nx">Green</span><span class="w"> </span><span class="n">Write-Host</span><span class="w"> </span><span class="s2">"[INFO] Use this file as -Manifest parameter in Verify mode"</span><span class="w"> </span><span class="nt">-ForegroundColor</span><span class="w"> </span><span class="nx">Yellow</span><span class="w"> </span><span class="p">}</span><span class="w"> </span><span class="kr">elseif</span><span class="w"> </span><span class="p">(</span><span class="nv">$Mode</span><span class="w"> </span><span class="o">-eq</span><span class="w"> </span><span class="s2">"Verify"</span><span class="p">)</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="kr">if</span><span class="w"> </span><span class="p">(</span><span class="o">-not</span><span class="w"> </span><span class="nv">$Manifest</span><span class="w"> </span><span class="o">-or</span><span class="w"> </span><span class="o">-not</span><span class="w"> </span><span class="p">(</span><span class="n">Test-Path</span><span class="w"> </span><span class="nv">$Manifest</span><span class="p">))</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="n">Write-Error</span><span class="w"> </span><span class="s2">"Verify mode requires a valid -Manifest file path"</span><span class="w"> </span><span class="kr">exit</span><span class="w"> </span><span class="mi">1</span><span class="w"> </span><span class="p">}</span><span class="w"> </span><span class="n">Write-Host</span><span class="w"> </span><span class="s2">"[VERIFY MODE] Comparing current state against: </span><span class="nv">$Manifest</span><span class="s2">"</span><span class="w"> </span><span class="nt">-ForegroundColor</span><span class="w"> </span><span class="nx">Cyan</span><span class="w"> </span><span class="c"># Load baseline hashes</span><span class="w"> </span><span class="nv">$baselineMap</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="p">@{}</span><span class="w"> </span><span class="nv">$manifestLines</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="n">Get-Content</span><span class="w"> </span><span class="nv">$Manifest</span><span class="w"> </span><span class="o">|</span><span class="w"> </span><span class="n">Where-Object</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="bp">$_</span><span class="w"> </span><span class="o">-notmatch</span><span class="w"> </span><span class="s1">'^#'</span><span class="w"> </span><span class="o">-and</span><span class="w"> </span><span class="bp">$_</span><span class="o">.</span><span class="nf">Trim</span><span class="p">()</span><span class="w"> </span><span class="o">-ne</span><span class="w"> </span><span class="s1">''</span><span class="w"> </span><span class="p">}</span><span class="w"> </span><span class="kr">foreach</span><span class="w"> </span><span class="p">(</span><span class="nv">$line</span><span class="w"> </span><span class="kr">in</span><span class="w"> </span><span class="nv">$manifestLines</span><span class="p">)</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="kr">if</span><span class="w"> </span><span class="p">(</span><span class="nv">$line</span><span class="w"> </span><span class="o">-match</span><span class="w"> </span><span class="s1">'^([A-F0-9]{64})\s{2}(.+)$'</span><span class="p">)</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nv">$baselineMap</span><span class="p">[</span><span class="nv">$matches</span><span class="p">[</span><span class="mi">2</span><span class="p">]]</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="nv">$matches</span><span class="p">[</span><span class="mi">1</span><span class="p">]</span><span class="w"> </span><span class="p">}</span><span class="w"> </span><span class="p">}</span><span class="w"> </span><span class="n">Write-Host</span><span class="w"> </span><span class="s2">"[INFO] Baseline contains </span><span class="si">$(</span><span class="nv">$baselineMap</span><span class="o">.</span><span class="nf">Count</span><span class="si">)</span><span class="s2"> files"</span><span class="w"> </span><span class="nt">-ForegroundColor</span><span class="w"> </span><span class="nx">Yellow</span><span class="w"> </span><span class="c"># Get current hashes</span><span class="w"> </span><span class="nv">$currentMap</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="n">Get-FileHashMap</span><span class="w"> </span><span class="nt">-DirectoryPath</span><span class="w"> </span><span class="nv">$Path</span><span class="w"> </span><span class="nt">-RecurseSubdirs</span><span class="w"> </span><span class="nv">$Recurse</span><span class="w"> </span><span class="n">Write-Host</span><span class="w"> </span><span class="s2">"[INFO] Current directory contains </span><span class="si">$(</span><span class="nv">$currentMap</span><span class="o">.</span><span class="nf">Count</span><span class="si">)</span><span class="s2"> files</span><span class="se">`n</span><span class="s2">"</span><span class="w"> </span><span class="nt">-ForegroundColor</span><span class="w"> </span><span class="nx">Yellow</span><span class="w"> </span><span class="nv">$outputFile</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="n">Join-Path</span><span class="w"> </span><span class="nv">$OutputDir</span><span class="w"> </span><span class="s2">"HashVerifier_Verify_</span><span class="nv">$timestamp</span><span class="s2">.txt"</span><span class="w"> </span><span class="nv">$output</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="p">@()</span><span class="w"> </span><span class="nv">$output</span><span class="w"> </span><span class="o">+=</span><span class="w"> </span><span class="s2">"# Hash Verification Run: </span><span class="si">$(</span><span class="n">Get-Date</span><span class="p">)</span><span class="s2">"</span><span class="w"> </span><span class="nv">$output</span><span class="w"> </span><span class="o">+=</span><span class="w"> </span><span class="s2">"# Baseline: </span><span class="nv">$Manifest</span><span class="s2">"</span><span class="w"> </span><span class="nv">$output</span><span class="w"> </span><span class="o">+=</span><span class="w"> </span><span class="s2">"# Path: </span><span class="nv">$Path</span><span class="s2">"</span><span class="w"> </span><span class="nv">$output</span><span class="w"> </span><span class="o">+=</span><span class="w"> </span><span class="s2">""</span><span class="w"> </span><span class="nv">$okCount</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="mi">0</span><span class="w"> </span><span class="nv">$mismatchCount</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="mi">0</span><span class="w"> </span><span class="nv">$missingCount</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="mi">0</span><span class="w"> </span><span class="nv">$newCount</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="mi">0</span><span class="w"> </span><span class="c"># Check for matches and mismatches</span><span class="w"> </span><span class="kr">foreach</span><span class="w"> </span><span class="p">(</span><span class="nv">$filePath</span><span class="w"> </span><span class="kr">in</span><span class="w"> </span><span class="p">(</span><span class="nv">$baselineMap</span><span class="o">.</span><span class="nf">Keys</span><span class="w"> </span><span class="o">|</span><span class="w"> </span><span class="n">Sort-Object</span><span class="p">))</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="kr">if</span><span class="w"> </span><span class="p">(</span><span class="nv">$currentMap</span><span class="o">.</span><span class="nf">ContainsKey</span><span class="p">(</span><span class="nv">$filePath</span><span class="p">))</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="kr">if</span><span class="w"> </span><span class="p">(</span><span class="nv">$currentMap</span><span class="p">[</span><span class="nv">$filePath</span><span class="p">]</span><span class="w"> </span><span class="o">-eq</span><span class="w"> </span><span class="nv">$baselineMap</span><span class="p">[</span><span class="nv">$filePath</span><span class="p">])</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="n">Write-Host</span><span class="w"> </span><span class="s2">"[OK] </span><span class="nv">$filePath</span><span class="s2">"</span><span class="w"> </span><span class="nt">-ForegroundColor</span><span class="w"> </span><span class="nx">Green</span><span class="w"> </span><span class="nv">$output</span><span class="w"> </span><span class="o">+=</span><span class="w"> </span><span class="s2">"[OK] </span><span class="nv">$filePath</span><span class="s2">"</span><span class="w"> </span><span class="nv">$okCount</span><span class="o">++</span><span class="w"> </span><span class="p">}</span><span class="w"> </span><span class="kr">else</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="n">Write-Host</span><span class="w"> </span><span class="s2">"[MISMATCH] </span><span class="nv">$filePath</span><span class="s2">"</span><span class="w"> </span><span class="nt">-ForegroundColor</span><span class="w"> </span><span class="nx">Red</span><span class="w"> </span><span class="n">Write-Host</span><span class="w"> </span><span class="s2">" Expected : </span><span class="si">$(</span><span class="nv">$baselineMap</span><span class="p">[</span><span class="nv">$filePath</span><span class="p">]</span><span class="si">)</span><span class="s2">"</span><span class="w"> </span><span class="nt">-ForegroundColor</span><span class="w"> </span><span class="nx">Gray</span><span class="w"> </span><span class="n">Write-Host</span><span class="w"> </span><span class="s2">" Found : </span><span class="si">$(</span><span class="nv">$currentMap</span><span class="p">[</span><span class="nv">$filePath</span><span class="p">]</span><span class="si">)</span><span class="s2">"</span><span class="w"> </span><span class="nt">-ForegroundColor</span><span class="w"> </span><span class="nx">Gray</span><span class="w"> </span><span class="nv">$output</span><span class="w"> </span><span class="o">+=</span><span class="w"> </span><span class="s2">"[MISMATCH] </span><span class="nv">$filePath</span><span class="s2">"</span><span class="w"> </span><span class="nv">$output</span><span class="w"> </span><span class="o">+=</span><span class="w"> </span><span class="s2">" Expected : </span><span class="si">$(</span><span class="nv">$baselineMap</span><span class="p">[</span><span class="nv">$filePath</span><span class="p">]</span><span class="si">)</span><span class="s2">"</span><span class="w"> </span><span class="nv">$output</span><span class="w"> </span><span class="o">+=</span><span class="w"> </span><span class="s2">" Found : </span><span class="si">$(</span><span class="nv">$currentMap</span><span class="p">[</span><span class="nv">$filePath</span><span class="p">]</span><span class="si">)</span><span class="s2">"</span><span class="w"> </span><span class="nv">$mismatchCount</span><span class="o">++</span><span class="w"> </span><span class="p">}</span><span class="w"> </span><span class="p">}</span><span class="w"> </span><span class="kr">else</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="n">Write-Host</span><span class="w"> </span><span class="s2">"[MISSING] </span><span class="nv">$filePath</span><span class="s2">"</span><span class="w"> </span><span class="nt">-ForegroundColor</span><span class="w"> </span><span class="nx">Magenta</span><span class="w"> </span><span class="nv">$output</span><span class="w"> </span><span class="o">+=</span><span class="w"> </span><span class="s2">"[MISSING] </span><span class="nv">$filePath</span><span class="s2">"</span><span class="w"> </span><span class="nv">$missingCount</span><span class="o">++</span><span class="w"> </span><span class="p">}</span><span class="w"> </span><span class="p">}</span><span class="w"> </span><span class="c"># Check for new files</span><span class="w"> </span><span class="kr">foreach</span><span class="w"> </span><span class="p">(</span><span class="nv">$filePath</span><span class="w"> </span><span class="kr">in</span><span class="w"> </span><span class="p">(</span><span class="nv">$currentMap</span><span class="o">.</span><span class="nf">Keys</span><span class="w"> </span><span class="o">|</span><span class="w"> </span><span class="n">Sort-Object</span><span class="p">))</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="kr">if</span><span class="w"> </span><span class="p">(</span><span class="o">-not</span><span class="w"> </span><span class="nv">$baselineMap</span><span class="o">.</span><span class="nf">ContainsKey</span><span class="p">(</span><span class="nv">$filePath</span><span class="p">))</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="n">Write-Host</span><span class="w"> </span><span class="s2">"[NEW] </span><span class="nv">$filePath</span><span class="s2">"</span><span class="w"> </span><span class="nt">-ForegroundColor</span><span class="w"> </span><span class="nx">Yellow</span><span class="w"> </span><span class="nv">$output</span><span class="w"> </span><span class="o">+=</span><span class="w"> </span><span class="s2">"[NEW] </span><span class="nv">$filePath</span><span class="s2">"</span><span class="w"> </span><span class="nv">$output</span><span class="w"> </span><span class="o">+=</span><span class="w"> </span><span class="s2">" Hash: </span><span class="si">$(</span><span class="nv">$currentMap</span><span class="p">[</span><span class="nv">$filePath</span><span class="p">]</span><span class="si">)</span><span class="s2">"</span><span class="w"> </span><span class="nv">$newCount</span><span class="o">++</span><span class="w"> </span><span class="p">}</span><span class="w"> </span><span class="p">}</span><span class="w"> </span><span class="nv">$output</span><span class="w"> </span><span class="o">+=</span><span class="w"> </span><span class="s2">""</span><span class="w"> </span><span class="nv">$output</span><span class="w"> </span><span class="o">+=</span><span class="w"> </span><span class="s2">"# Summary"</span><span class="w"> </span><span class="nv">$output</span><span class="w"> </span><span class="o">+=</span><span class="w"> </span><span class="s2">"# OK: </span><span class="nv">$okCount</span><span class="s2">"</span><span class="w"> </span><span class="nv">$output</span><span class="w"> </span><span class="o">+=</span><span class="w"> </span><span class="s2">"# MISMATCH: </span><span class="nv">$mismatchCount</span><span class="s2">"</span><span class="w"> </span><span class="nv">$output</span><span class="w"> </span><span class="o">+=</span><span class="w"> </span><span class="s2">"# MISSING: </span><span class="nv">$missingCount</span><span class="s2">"</span><span class="w"> </span><span class="nv">$output</span><span class="w"> </span><span class="o">+=</span><span class="w"> </span><span class="s2">"# NEW: </span><span class="nv">$newCount</span><span class="s2">"</span><span class="w"> </span><span class="nv">$output</span><span class="w"> </span><span class="o">|</span><span class="w"> </span><span class="n">Out-File</span><span class="w"> </span><span class="nt">-FilePath</span><span class="w"> </span><span class="nv">$outputFile</span><span class="w"> </span><span class="nt">-Encoding</span><span class="w"> </span><span class="nx">UTF8</span><span class="w"> </span><span class="n">Write-Host</span><span class="w"> </span><span class="s2">"</span><span class="se">`n</span><span class="s2">[SUMMARY]"</span><span class="w"> </span><span class="nt">-ForegroundColor</span><span class="w"> </span><span class="nx">Cyan</span><span class="w"> </span><span class="n">Write-Host</span><span class="w"> </span><span class="s2">" OK: </span><span class="nv">$okCount</span><span class="s2">"</span><span class="w"> </span><span class="nt">-ForegroundColor</span><span class="w"> </span><span class="nx">Green</span><span class="w"> </span><span class="n">Write-Host</span><span class="w"> </span><span class="s2">" MISMATCH: </span><span class="nv">$mismatchCount</span><span class="s2">"</span><span class="w"> </span><span class="nt">-ForegroundColor</span><span class="w"> </span><span class="nx">Red</span><span class="w"> </span><span class="n">Write-Host</span><span class="w"> </span><span class="s2">" MISSING: </span><span class="nv">$missingCount</span><span class="s2">"</span><span class="w"> </span><span class="nt">-ForegroundColor</span><span class="w"> </span><span class="nx">Magenta</span><span class="w"> </span><span class="n">Write-Host</span><span class="w"> </span><span class="s2">" NEW: </span><span class="nv">$newCount</span><span class="s2">"</span><span class="w"> </span><span class="nt">-ForegroundColor</span><span class="w"> </span><span class="nx">Yellow</span><span class="w"> </span><span class="n">Write-Host</span><span class="w"> </span><span class="s2">"</span><span class="se">`n</span><span class="s2">[COMPLETE] Report written to: </span><span class="nv">$outputFile</span><span class="s2">"</span><span class="w"> </span><span class="nt">-ForegroundColor</span><span class="w"> </span><span class="nx">Green</span><span class="w"> </span><span class="p">}</span><span class="w"> </span></code></pre> </div> <h2> Troubleshooting: Execution Policy </h2> <p>If you see this error when first running the script:</p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fld4fp2brt78ftoxxun63.jpg" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fld4fp2brt78ftoxxun63.jpg"></a><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight console"><code><span class="go">.\hash_verifier.ps1 : File D:\hash_verifier.ps1 cannot be loaded. The file D:\hash_verifier.ps1 is not digitally signed. You cannot run this script on the current system. </span></code></pre> </div> <p>This is PowerShell's execution policy blocking unsigned scripts. Fix it with these steps:</p> <h3> Step 1: Set RemoteSigned Policy </h3> <div class="highlight js-code-highlight"> <pre class="highlight powershell"><code><span class="n">Set-ExecutionPolicy</span><span class="w"> </span><span class="nt">-ExecutionPolicy</span><span class="w"> </span><span class="nx">RemoteSigned</span><span class="w"> </span><span class="nt">-Scope</span><span class="w"> </span><span class="nx">CurrentUser</span><span class="w"> </span></code></pre> </div> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fymkq3lunhek8edrgd2gs.jpg" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fymkq3lunhek8edrgd2gs.jpg"></a></p> <p>This allows locally-created scripts to run without digital signatures, while still requiring signatures for scripts downloaded from the internet.</p> <p><strong>Check your current policy:</strong><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight powershell"><code><span class="n">Get-ExecutionPolicy</span><span class="w"> </span><span class="nt">-List</span><span class="w"> </span></code></pre> </div> <p>You should see <code>CurrentUser</code> showing <code>RemoteSigned</code>.</p> <h3> Step 2: Unblock the File (If Still Blocked) </h3> <p>If you still get the error even with RemoteSigned policy set, the file has been marked as "downloaded from the internet" by Windows. This happens when you download scripts from GitHub, copy files from certain locations, or create them with some text editors.</p> <p><strong>Unblock the file:</strong></p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fpc5ze76k2p2upeb52g0n.jpg" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fpc5ze76k2p2upeb52g0n.jpg"></a><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight powershell"><code><span class="n">Unblock-File</span><span class="w"> </span><span class="o">.</span><span class="nx">\hash_verifier.ps1</span><span class="w"> </span></code></pre> </div> <p><strong>Why this happens:</strong> Windows tags downloaded files with Zone.Identifier metadata. Even with RemoteSigned policy, Windows blocks these files unless they're digitally signed OR explicitly unblocked. The <code>Unblock-File</code> cmdlet removes this metadata flag.</p> <h3> Alternative: Bypass for Single Run (No Permanent Changes) </h3> <div class="highlight js-code-highlight"> <pre class="highlight powershell"><code><span class="n">powershell</span><span class="w"> </span><span class="nt">-ExecutionPolicy</span><span class="w"> </span><span class="nx">Bypass</span><span class="w"> </span><span class="nt">-File</span><span class="w"> </span><span class="o">.</span><span class="nx">\hash_verifier.ps1</span><span class="w"> </span><span class="nt">-Path</span><span class="w"> </span><span class="s2">"C:\ImportantFiles"</span><span class="w"> </span><span class="nt">-Mode</span><span class="w"> </span><span class="nx">Generate</span><span class="w"> </span><span class="nt">-OutputDir</span><span class="w"> </span><span class="s2">"C:\Baselines"</span><span class="w"> </span></code></pre> </div> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fzbtt4ei3hjgqssspi1v4.jpg" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fzbtt4ei3hjgqssspi1v4.jpg"></a><br> Good for one-off testing without changing system settings or unblocking files.</p> <h3> Security Note: Why This Script Isn't Digitally Signed </h3> <p>This script is deliberately <strong>not</strong> digitally signed. Here's why:</p> <p>Code signing certificates cost $200-500/year from Certificate Authorities and require annual renewal. For open-source scripts where <strong>you can read the source code</strong>, transparency is more valuable than blind trust in a signature.</p> <p><strong>Before running ANY PowerShell script (including this one), you should:</strong></p> <ol> <li> <strong>Read the entire script</strong> — understand what it does, line by line</li> <li> <strong>Verify the logic</strong> — does it do what it claims and nothing else?</li> <li> <strong>Check for suspicious behaviour</strong> — network calls, registry modifications, file deletions outside stated scope</li> </ol> <p>This is the ABC principle from British policing and serious crime investigation — formally codified in the <em>ACPO Murder Investigation Manual (1998)</em>:</p> <ul> <li><strong>Assume nothing</strong></li> <li> <strong>Believe nothing</strong> </li> <li><strong>Check everything</strong></li> </ul> <p>A digital signature only tells you WHO wrote the code, not WHETHER the code is safe. You are the final verification step. Never execute code you haven't read and understood, regardless of where it came from or who signed it.</p> <h2> How to Use It </h2> <h3> Step 1: Generate a Baseline </h3> <div class="highlight js-code-highlight"> <pre class="highlight powershell"><code><span class="o">.</span><span class="n">\hash_verifier.ps1</span><span class="w"> </span><span class="nt">-Path</span><span class="w"> </span><span class="s2">"C:\ImportantFiles"</span><span class="w"> </span><span class="nt">-Mode</span><span class="w"> </span><span class="nx">Generate</span><span class="w"> </span><span class="nt">-OutputDir</span><span class="w"> </span><span class="s2">"C:\Baselines"</span><span class="w"> </span></code></pre> </div> <p>This scans <code>C:\ImportantFiles</code>, computes SHA-256 hashes for every file, and writes the baseline to something like <code>C:\Baselines\HashVerifier_Generate_20260424_153045.txt</code>.</p> <p><strong>With recursion:</strong><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight powershell"><code><span class="o">.</span><span class="n">\hash_verifier.ps1</span><span class="w"> </span><span class="nt">-Path</span><span class="w"> </span><span class="s2">"C:\ImportantFiles"</span><span class="w"> </span><span class="nt">-Mode</span><span class="w"> </span><span class="nx">Generate</span><span class="w"> </span><span class="nt">-OutputDir</span><span class="w"> </span><span class="s2">"C:\Baselines"</span><span class="w"> </span><span class="nt">-Recurse</span><span class="w"> </span></code></pre> </div> <p>The <code>-Recurse</code> switch includes all subdirectories.</p> <h3> Step 2: Verify Against the Baseline </h3> <p>Wait some time (hours, days, weeks), then re-run in Verify mode:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight powershell"><code><span class="o">.</span><span class="n">\hash_verifier.ps1</span><span class="w"> </span><span class="nt">-Path</span><span class="w"> </span><span class="s2">"C:\ImportantFiles"</span><span class="w"> </span><span class="nt">-Mode</span><span class="w"> </span><span class="nx">Verify</span><span class="w"> </span><span class="nt">-Manifest</span><span class="w"> </span><span class="s2">"C:\Baselines\HashVerifier_Generate_20260424_153045.txt"</span><span class="w"> </span><span class="nt">-OutputDir</span><span class="w"> </span><span class="s2">"C:\Reports"</span><span class="w"> </span></code></pre> </div> <p>The script compares the current state against the baseline and writes a verification report to <code>C:\Reports\HashVerifier_Verify_[timestamp].txt</code>.</p> <h2> Understanding the Output </h2> <p><strong>Generate mode</strong> writes a baseline file like this:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code># Hash Baseline Generated: 24/04/2026 15:30:45 # Path: C:\ImportantFiles # Recurse: False # Total Files: 15 A1B2C3D4E5F6... C:\ImportantFiles\document.docx FF00AA11BB22... C:\ImportantFiles\spreadsheet.xlsx </code></pre> </div> <p>Each line contains a 64-character SHA-256 hash followed by the full file path.</p> <p><strong>Verify mode</strong> produces colour-coded console output:</p> <ul> <li> <code>[OK]</code> (green) - File unchanged</li> <li> <code>[MISMATCH]</code> (red) - Hash doesn't match baseline (file modified)</li> <li> <code>[MISSING]</code> (magenta) - File was in baseline but no longer exists</li> <li> <code>[NEW]</code> (yellow) - File exists now but wasn't in baseline</li> </ul> <p>The verification report file contains the same information plus a summary count of each category.</p> <h2> Real-World Use Cases </h2> <p><strong>Configuration management:</strong> Baseline critical system configuration files (<code>C:\Windows\System32\drivers\etc\hosts</code>, registry exports, GPO backups) and detect unauthorised changes.</p> <p><strong>Compliance auditing:</strong> Demonstrate to auditors that controlled documents haven't been altered between assessments.</p> <p><strong>Incident response:</strong> Establish known-good baselines for investigation machines, then verify they haven't been tampered with during analysis.</p> <p><strong>Change detection on network shares:</strong> Monitor shared directories for modifications, especially useful for detecting ransomware encryption in progress (files changing rapidly en masse).</p> <p><strong>Software deployment verification:</strong> After deploying application updates, verify that only expected files changed and nothing else was modified.</p> <h2> What This Detects That Other Tools Miss </h2> <p>Traditional file comparison tools check metadata. This script checks <strong>content</strong>.</p> <p><strong>Scenario 1: Timestamp forgery</strong><br> An attacker modifies <code>important.docx</code> but resets the "Date Modified" timestamp to the original value using <code>Set-ItemProperty</code>. Windows Explorer shows no change. <code>hash_verifier.ps1</code> detects the modification immediately because the content hash changed.</p> <p><strong>Scenario 2: Size-preserving edits</strong><br> Someone edits a text file, deleting one character and adding another elsewhere. File size stays identical. <code>hash_verifier.ps1</code> flags it as <code>[MISMATCH]</code> because even a single-bit change produces a completely different SHA-256 hash.</p> <p><strong>Scenario 3: File replacement</strong><br> An executable is replaced with a different executable of the exact same size. Metadata looks normal. Hash verification catches it.</p> <h2> Performance Considerations </h2> <p>Hashing is CPU-intensive. On modern hardware:</p> <ul> <li>Small files (&lt; 1 MB): Nearly instant</li> <li>Medium files (10-100 MB): 1-5 seconds each</li> <li>Large files (1+ GB): Several seconds to minutes</li> </ul> <p>For directories with thousands of files, generation takes time. Run it as a scheduled task during off-hours if monitoring production systems.</p> <p>The verification step is typically faster than generation because PowerShell can skip re-hashing files if their metadata hasn't changed (though the script doesn't implement this optimisation for simplicity — it re-hashes everything to ensure accuracy).</p> <h2> Extending the Script </h2> <p><strong>Email alerts on mismatch:</strong><br> Add an <code>if ($mismatchCount -gt 0)</code> block that calls <code>Send-MailMessage</code> to alert administrators.</p> <p><strong>Scheduled task integration:</strong><br> Create a Windows Scheduled Task that runs Verify mode daily and logs results to a central location.</p> <p><strong>SIEM integration:</strong><br> Parse the output <code>.txt</code> file with a log ingestion tool and feed mismatch events into your security monitoring system.</p> <p><strong>Multi-algorithm verification:</strong><br> Add MD5 or SHA-1 alongside SHA-256 for legacy compatibility or additional assurance (though SHA-256 alone is sufficient for integrity verification).</p> <h2> GitHub Repository </h2> <p>The complete script, sample baseline files, and this tutorial are available on GitHub:</p> <div class="ltag-github-readme-tag"> <div class="readme-overview"> <h2> <img src="https://assets.dev.to/assets/github-logo-5a155e1f9a670af7944dd5e12375bc76ed542ea80224905ecaf878b9157cdefc.svg" alt="GitHub logo"> <a href="https://github.com/ShadowStrike-CTF" rel="noopener noreferrer"> ShadowStrike-CTF </a> / <a href="https://github.com/ShadowStrike-CTF/powershell-hash-verifier" rel="noopener noreferrer"> powershell-hash-verifier </a> </h2> <h3> Automate file hash verification and mismatch detection with PowerShell. </h3> </div> <div class="ltag-github-body"> <div id="readme" class="md"> <div class="markdown-heading"> <h1 class="heading-element">powershell-hash-verifier</h1> </div> <p>Automate file hash verification and mismatch detection with PowerShell.</p> </div> <br> <br> </div> <br> <div class="gh-btn-container"><a class="gh-btn" href="https://github.com/ShadowStrike-CTF/powershell-hash-verifier" rel="noopener noreferrer">View on GitHub</a></div> <br> </div> <br> <h2> Conclusion </h2> <p>File integrity verification doesn't require expensive enterprise tools. PowerShell's built-in <code>Get-FileHash</code> cmdlet provides cryptographic-strength assurance that files haven't changed. This script packages it into a practical baseline-and-verify workflow that works on any Windows system without dependencies.</p> <p>For IT security professionals, system administrators, and compliance teams working in Windows environments, hash-based file verification is a fundamental technique that catches modifications other tools miss.</p> <p><em>Built by ShadowStrike (Strategos) — where we build actual security tools instead of theatre 🎃.</em></p> powershell security devops tutorial ShadowStrike Sat, 25 Apr 2026 02:23:32 +0000 https://dev.to/shadowstrike/the-22-second-problem-what-google-cloud-next-26s-agentic-defense-means-for-essential-eight-2nci https://dev.to/shadowstrike/the-22-second-problem-what-google-cloud-next-26s-agentic-defense-means-for-essential-eight-2nci <p><em>This is a submission for the <a href="https://dev.to/challenges/google-cloud-next-2026-04-22">Google Cloud NEXT Writing Challenge</a></em></p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fo5ust05mgjsrb0dcb2dr.jpg" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fo5ust05mgjsrb0dcb2dr.jpg" width="800" height="394"></a></p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fz6z3fxkqqaibijf062l0.jpg" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fz6z3fxkqqaibijf062l0.jpg" width="800" height="394"></a></p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F37cv2tq017p85ffykkin.jpg" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F37cv2tq017p85ffykkin.jpg" width="600" height="295"></a></p> <p>When Mandiant's M-Trends 2026 report revealed that the average time from initial intrusion to handoff to a secondary threat actor had collapsed from 8 hours to 22 seconds over three years, it confirmed what many security practitioners already suspected: traditional security operations aren't built for the speed of modern attacks.</p> <p>Google Cloud NEXT '26's headline announcements—Agentic Defense, three new autonomous Security Operations agents, and the Wiz partnership—represent more than just another product launch. They signal a fundamental architectural shift in how organisations defend against threats. For Australian enterprises operating under the Australian Signals Directorate's Essential Eight framework, this shift raises an important question: does agentic security strengthen Essential Eight compliance, or does it create new gaps?</p> <h2> What Google Actually Announced </h2> <p>The core of Google's security story at NEXT '26 centres on <strong>Agentic Defense</strong> — the integration of Google Threat Intelligence, Security Operations, and Wiz's Cloud/AI Security Platform into a unified autonomous defence system.</p> <p>Three new Security Operations agents entered preview:</p> <p>-<strong>Threat Hunting Agent:</strong> Continuously analyses telemetry for anomalies and suspicious patterns</p> <p>-<strong>Detection Engineering Agent:</strong> Automatically creates and refines detection rules based on emerging threats</p> <p>-<strong>Third-Party Context Agent:</strong> Enriches alerts with external intelligence from vendor advisories and threat feeds</p> <p>Alongside these, Wiz introduced <strong>red, blue, and green agents</strong> for continuous attack simulation, detection validation, and automated remediation across Google Cloud, AWS, Azure, and Oracle environments. The <strong>AI Application Protection Platform (AI-APP)</strong> extends code-to-cloud-to-runtime protection specifically for AI workloads.</p> <p>The partnership also delivered <strong>Dark Web Intelligence</strong> (98% accuracy claimed in internal testing), <strong>AI-BOM</strong> (AI Bill of Materials for model transparency), and remote MCP server support for Google Security Operations.</p> <p>The technical architecture is impressive. The strategic implications for compliance frameworks like Essential Eight are less obvious.</p> <h2> The Essential Eight Reality Check </h2> <p>Australia's Essential Eight mitigation strategies were designed around a simple principle: reduce the attack surface and contain damage when prevention fails. The framework mandates eight specific controls across three maturity levels (ML1, ML2, ML3), each with measurable technical requirements.</p> <p>Let's examine how agentic security intersects with each:</p> <h3> Application Control (Mitigation Strategy 1) </h3> <p>Essential Eight ML3 requires that applications can only be executed from approved locations, all executables are validated against an approved list, and Microsoft's recommended application control policies are implemented.</p> <p><strong>Agentic security impact:</strong> Detection Engineering agents can identify unauthorised application execution patterns faster than human analysts, but they don't enforce allowlisting—that remains a GPO/Intune policy decision. Autonomous agents can alert on policy violations with sub-second latency; they cannot retroactively prevent execution that already occurred in those critical 22 seconds.</p> <p><strong>Compliance gap:</strong> Application control is preventative. Agentic detection is reactive, albeit extremely fast reactive. The two are complementary, not substitutional.</p> <h3> Patch Applications (Mitigation Strategy 2) &amp; Patch Operating Systems (Mitigation Strategy 3) </h3> <p>ML3 mandates patching within 48 hours of release for internet-facing services and two weeks for other systems, with vulnerability scanning at least daily.</p> <p><strong>Agentic security impact:</strong> Wiz's green agent (automated remediation) can theoretically patch at machine speed, but Essential Eight compliance isn't measured by deployment speed—it's measured by patch coverage and risk prioritisation. An agent that patches every CVE indiscriminately creates operational risk; an agent that triages using threat intelligence aligns better with the framework's intent.<br> Google's Cloud Asset Inventory combined with Security Command Center's continuous vulnerability assessment does provide the "daily scanning" ML3 requires, and agent-assisted prioritisation could help meet the 48-hour window for critical patches.</p> <p><strong>Compliance opportunity:</strong> This is where agentic security genuinely strengthens Essential Eight posture—if organisations configure remediation agents to respect change management windows and business-critical system dependencies.</p> <h3> Multi-Factor Authentication (Mitigation Strategy 4) </h3> <p>ML3 requires phishing-resistant MFA (FIDO2, smart cards, Windows Hello for Business) for all users.</p> <p><strong>Agentic security impact:</strong> Minimal direct impact. MFA is an identity control; Security Operations agents operate in the detection/response layer. However, the Third-Party Context Agent can enrich MFA-related alerts (impossible travel, repeated failures) with threat intelligence that helps security teams identify credential compromise faster.</p> <p><strong>Compliance status:</strong> Unchanged. Essential Eight MFA requirements remain a policy and technology deployment challenge, not a detection problem.</p> <h3> Restrict Administrative Privileges (Mitigation Strategy 5) </h3> <p>ML3 requires privileged access workstations, just-in-time administration, separate privileged accounts, and strict segmentation.</p> <p><strong>Agentic security impact:</strong> Threat Hunting agents can detect privilege escalation attempts and lateral movement patterns that indicate compromised admin credentials, but they don't enforce least-privilege policies. Google Cloud's Agent Identity and Agent Gateway features (announced at NEXT '26) do provide governance for agent-to-agent communication and MCP server access—this is relevant because autonomous agents themselves represent a new privileged entity class.</p> <p><strong>Compliance consideration:</strong> Organisations need to treat Security Operations agents as privileged accounts. If an agent has read/write access to Security Command Center policies or can trigger automated remediation, it must be governed under Mitigation Strategy 5.</p> <h3> Regular Backups (Mitigation Strategy 6) </h3> <p>ML3 mandates daily backups, weekly testing of restoration, and offline/immutable storage.</p> <p><strong>Agentic security impact:</strong> None. Backups are an operational resilience control. Detection agents don't back up data; they detect ransomware encryption patterns. The green remediation agent could theoretically automate restoration workflows, but Essential Eight explicitly requires tested restoration—automated restore without validation doesn't satisfy ML3.</p> <p><strong>Compliance status:</strong> Unchanged.</p> <h3> Restrict Microsoft Office Macros (Mitigation Strategy 7) </h3> <p>ML3 requires that macros can only execute from trusted locations, all macros are digitally signed, and Microsoft's recommended macro security settings are enforced.</p> <p><strong>Agentic security impact:</strong> Detection Engineering agents can identify malicious macro execution (e.g., spawning PowerShell, making network connections), but macro execution restrictions are enforced by GPO, not by Security Operations tooling.</p> <p><strong>Compliance gap:</strong> Same pattern as Application Control—detection is reactive, policy is preventative.</p> <h3> User Application Hardening (Mitigation Strategy 8) </h3> <p>ML3 mandates web browser isolation, blocking ads/untrusted content, disabling Flash/Java, blocking web content from Office, and implementing DMARC/SPF/DKIM.</p> <p><strong>Agentic security impact:</strong> Browser isolation and content filtering are network/endpoint controls. Security Operations agents can detect policy violations (e.g., Flash execution, unvalidated email senders) but don't enforce the restrictions themselves.</p> <p>Google's partnership with Wiz does provide Cloud/AI Security Platform capabilities that can monitor cloud-hosted applications for hardening policy drift, which is relevant for SaaS applications governed under Essential Eight.</p> <p><strong>Compliance status:</strong> Detection improves; enforcement remains a separate implementation concern.</p> <h2> The Real Question: Speed vs. Governance </h2> <p>The 22-second attacker handoff window is real. The idea that autonomous agents can respond faster than human analysts is also real. But Essential Eight compliance isn't measured by response time—it's measured by control implementation, coverage, and maturity level consistency.</p> <p>Agentic security doesn't replace Essential Eight. It accelerates <strong>detection</strong> and <strong>response</strong> for Mitigation Strategies 1, 2, 3, 5, 7, and 8—but only if the underlying controls are already implemented. An organisation with no application control policies gains nothing from a Detection Engineering agent that can identify unauthorised execution in 22 seconds if the execution was never blocked in the first place.</p> <p>The real value proposition is for organisations already at <strong>ML2 or ML3</strong> maturity. These are the environments where:</p> <p>Application control policies exist but drift occurs<br> Patch cycles are defined but threat prioritisation is manual<br> Privileged access is segmented but lateral movement detection is slow<br> Macro restrictions are enforced but evasion techniques evolve</p> <p>For these organisations, Google's Agentic Defense becomes a <strong>force multiplier</strong> for existing controls. The Threat Hunting agent doesn't replace your application allowlist—it identifies when an attacker finds a bypass. The Detection Engineering agent doesn't replace your patch management workflow—it helps you prioritise which vulnerabilities are being actively exploited in the wild.</p> <h2> What Australian Enterprises Should Actually Do </h2> <p>If you're responsible for Essential Eight compliance in an organisation considering Google Cloud's security stack, here's the practical playbook:</p> <p><strong>1. Audit your current maturity level honestly.</strong><br> If you're not at ML2 across all eight strategies, agentic security won't fix the gap. Implement the foundational controls first—application control, MFA, privilege restriction—then layer on autonomous detection and response.</p> <p><strong>2. Treat Security Operations agents as privileged accounts.</strong><br> The Detection Engineering agent that can create custom detection rules has write access to your security posture. The green remediation agent that can auto-patch systems has administrative privileges. Both must be governed under Mitigation Strategy 5 (Restrict Administrative Privileges). Implement least-privilege principles, audit agent actions, and require multi-party authorisation for high-impact remediation workflows.</p> <ol> <li>Map agent capabilities to Essential Eight evidence requirements. ASD's Essential Eight Maturity Model includes specific evidence requirements for each control. Can your Security Operations agents generate the logs, audit trails, and compliance reports ASD assessors expect? If not, manual evidence collection still applies—automation doesn't eliminate the compliance burden, it just shifts where the work happens.</li> </ol> <p><strong>4. Test autonomous remediation in non-production first.</strong><br> Wiz's green agent can patch at machine speed. That's powerful. It's also dangerous if misconfigured. Essential Eight ML3 requires tested backups and change management processes. Autonomous remediation that breaks business-critical systems faster than humans can intervene creates operational risk that outweighs the 22-second response benefit.</p> <p><strong>5. Use Sydney-based Google Cloud regions for data sovereignty.</strong><br> Google Cloud's Sydney and Melbourne regions have been operational since 2021. If you're subject to Australian data residency requirements (common in government and critical infrastructure), ensure Security Operations telemetry, Threat Intelligence data, and agent logs stay within Australian geography. The Google Cloud / Wiz partnership explicitly supports multicloud—verify that cross-cloud telemetry flows respect your jurisdiction requirements.</p> <h2> The Bigger Picture </h2> <p>Google Cloud NEXT '26's security announcements reflect a broader industry shift: security operations are moving from human-led, tool-assisted workflows to agent-led, human-supervised architectures. This isn't speculative—75% of Google's codebase is now AI-generated according to Sundar Pichai's keynote, and that same automation is coming to security operations.</p> <p>For Essential Eight compliance, the question isn't whether to adopt agentic security. The question is how to adopt it without creating new compliance gaps.</p> <p>The 22-second attacker handoff window is real, but so is the Essential Eight requirement for tested backups, validated patches, and auditable controls. Autonomous agents that respond in sub-second timeframes are impressive. Autonomous agents that can generate the evidence trail ASD assessors expect are essential.</p> <p>The organisations that will succeed in this transition are those that treat agentic security as a <strong>compliance accelerant</strong>, not a compliance replacement. Implement the controls, deploy the agents to monitor and enforce them, audit the agents as privileged entities, and test everything before trusting automation in production.</p> <p>And if you're still running Essential Eight at ML1, focus on the fundamentals first. No amount of autonomous threat hunting will compensate for missing application control policies or untested backups.</p> <p>The 22-second problem is real. But the solution isn't just faster agents—it's faster agents operating within a mature security framework that treats speed and governance as complementary requirements, not competing priorities.</p> <p><em>Have you implemented Essential Eight in your organisation? How are you thinking about autonomous security agents in a compliance-heavy environment? Let's discuss in the comments.</em></p> devchallenge cloudnextchallenge googlecloud compliance ShadowStrike Sat, 18 Apr 2026 05:19:33 +0000 https://dev.to/shadowstrike/e-waste-aware-sanitise-first-then-recycle-35hd https://dev.to/shadowstrike/e-waste-aware-sanitise-first-then-recycle-35hd <p><em>This is a submission for <a href="https://dev.to/challenges/weekend-2026-04-16">Weekend Challenge: Earth Day Edition</a></em></p> <h2> What I Built </h2> <p>E-Waste Aware is a Flask web app that guides you through the responsible disposal of old tech — before it ends up in landfill leaching lead, mercury, and cadmium into the soil for decades.</p> <p>The tool has two parts that work together. First, a device-specific data sanitisation checklist — because handing over a device that still has your accounts, passwords, and personal files on it is a security problem as much as an environmental one. Second, a curated guide to Australian recycling programs for that device type, with direct links to drop-off locations.</p> <p>Six device types are covered: laptops, smartphones, hard drives and SSDs, tablets, printers, and monitors. Each has its own sanitisation steps and relevant programs like TechCollect, MobileMuster, and Cartridges 4 Planet Ark.</p> <p>The checklist is interactive — tick off each step as you go, watch the progress bar fill, and get a confirmation banner when your device is ready for recycling. Clean, no account required, no data collected.</p> <h2> Demo </h2> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Flp9cq0lyltvmu7q2uz74.jpeg" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Flp9cq0lyltvmu7q2uz74.jpeg" alt="The home page — select your device from six categories to get your personalised disposal guide" width="800" height="694"></a></p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F6gxlfbk0e45m3r1gcuwm.jpeg" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F6gxlfbk0e45m3r1gcuwm.jpeg" alt="The smartphone disposal guide — step-by-step sanitisation checklist with Australian recycling programs and direct links" width="800" height="980"></a></p> <h2> Code </h2> <div class="ltag-github-readme-tag"> <div class="readme-overview"> <h2> <img src="https://assets.dev.to/assets/github-logo-5a155e1f9a670af7944dd5e12375bc76ed542ea80224905ecaf878b9157cdefc.svg" alt="GitHub logo"> <a href="https://github.com/ShadowStrike-CTF" rel="noopener noreferrer"> ShadowStrike-CTF </a> / <a href="https://github.com/ShadowStrike-CTF/ewaste-aware" rel="noopener noreferrer"> ewaste-aware </a> </h2> <h3> A Flask web app for responsible e-waste disposal — sanitise your device first, then find the right Australian recycling program. </h3> </div> <div class="ltag-github-body"> <div id="readme" class="md"> <div class="markdown-heading"> <h1 class="heading-element">E-Waste Aware 🌏</h1> </div> <p>A Flask web app that guides you through responsible disposal of old tech — sanitise first, then recycle.</p> <p>Built for the DEV Community Weekend Challenge: Earth Day Edition 2026 by ShadowStrike (Strategos).</p> <div class="markdown-heading"> <h2 class="heading-element">What This Does</h2> </div> <p>Most e-waste guides jump straight to "here's where to drop it off." This tool does the step before that — because a device with your accounts still active, your files still intact, and your passwords still saved is not ready to hand to a stranger.</p> <p>E-Waste Aware covers two things for each device type:</p> <ol> <li> <strong>Sanitisation checklist</strong> — step-by-step data wiping instructions specific to your device, with an interactive tick-off and progress tracker</li> <li> <strong>Australian recycling programs</strong> — curated drop-off options with direct links</li> </ol> <div class="markdown-heading"> <h2 class="heading-element">Devices Covered</h2> </div> <ul> <li>💻 Laptop</li> <li>📱 Smartphone</li> <li>💾 Hard Drive / SSD</li> <li>📲 Tablet</li> <li>🖨️ Printer</li> <li>🖥️ Monitor / TV</li> </ul> <div class="markdown-heading"> <h2 class="heading-element">Installation</h2> </div> <div class="highlight highlight-source-shell notranslate position-relative overflow-auto js-code-highlight"> <pre>pip install flask python app.py</pre> </div> <p>Then open <code>http://127.0.0.1:5000</code> in your…</p> </div> </div> <div class="gh-btn-container"><a class="gh-btn" href="https://github.com/ShadowStrike-CTF/ewaste-aware" rel="noopener noreferrer">View on GitHub</a></div> </div> <h2> How I Built It </h2> <p>The stack is deliberately minimal — this is a tool, not a framework showcase.</p> <ul> <li> <strong>Python 3 + Flask</strong> for routing and template rendering</li> <li> <strong>Jinja2 templates</strong> for the two-page flow (device selection → disposal guide)</li> <li> <strong>Vanilla JavaScript</strong> for the interactive checklist state (no dependencies)</li> <li> <strong>Google Fonts</strong> (Syne + DM Mono) for the UI typography</li> <li>Single <code>requirements.txt</code> with one dependency: <code>flask&gt;=3.0.0</code> </li> </ul> <p>The device data lives in a Python dictionary in <code>app.py</code> — sanitisation steps, environmental impact stats, and recycling program details all keyed by device type. Keeping it in one place makes it easy to update as programs change or new devices are added.</p> <p>The design leans into an earthy, organic aesthetic that feels appropriate for an Earth Day tool without being generic. Dark soil tones, forest green accents, and a noise texture overlay give it atmosphere without weighing down the load time.</p> <p>The sanitisation-first angle was a deliberate decision. Most e-waste tools jump straight to "here's where to drop it off" — but a device with your Apple ID still active, your Google account still signed in, or your files still intact is not ready to hand to a stranger. The security layer is the differentiator here, and it's something every person who's worked in IT or digital forensics will immediately appreciate.</p> devchallenge weekendchallenge ShadowStrike Sun, 12 Apr 2026 04:07:28 +0000 https://dev.to/shadowstrike/i-built-a-security-tool-that-does-absolutely-nothing-and-its-terrifyingly-realistic-ihk https://dev.to/shadowstrike/i-built-a-security-tool-that-does-absolutely-nothing-and-its-terrifyingly-realistic-ihk <p><em>This is a submission for the <a href="https://dev.to/challenges/aprilfools-2026">DEV April Fools Challenge</a></em></p> <p>What I Built:<br> I built the IT Security Theatre Simulator - a Python command-line tool that perfectly replicates enterprise security software by doing all the impressive-looking theatre with none of the actual security. It scans for "residual quantum entanglement in TCP packets," generates CRITICAL findings like "CEO's password is strong (this breaks our revenue model)," recommends you "implement zero-trust architecture for your office printer network," and produces final reports showing you prevented exactly zero threats while generating substantial vendor revenue.<br> If you have ever sat through a security vendor demo, you will recognise every single pattern in this tool. The unnecessarily long progress bars, the suspiciously precise statistics, the CRITICAL alerts about nothing, the useless recommendations - all of it is brutally accurate satire.</p> <p>Demo:</p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fa9ano16jcezcqdrl42zy.jpg" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fa9ano16jcezcqdrl42zy.jpg" alt="Tool Initialisation" width="800" height="518"></a></p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fvcjjow5crv2mytet3553.jpg" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fvcjjow5crv2mytet3553.jpg" alt="Phase 1" width="800" height="388"></a></p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F5vlsoi82r83u4cwgefww.jpg" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F5vlsoi82r83u4cwgefww.jpg" alt="Phases 2 &amp; 3" width="800" height="429"></a></p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fuwu2olmvdy7hf2vi86ck.jpg" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fuwu2olmvdy7hf2vi86ck.jpg" alt="Phase 3 &amp; Exec Summary" width="800" height="385"></a></p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F67y8uh6rnb4k1xpoz1pi.jpg" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F67y8uh6rnb4k1xpoz1pi.jpg" alt="Exec Summary and Recommendation" width="800" height="365"></a></p> <p>Code:<br> </p> <div class="ltag-github-readme-tag"> <div class="readme-overview"> <h2> <img src="https://assets.dev.to/assets/github-logo-5a155e1f9a670af7944dd5e12375bc76ed542ea80224905ecaf878b9157cdefc.svg" alt="GitHub logo"> <a href="https://github.com/ShadowStrike-CTF" rel="noopener noreferrer"> ShadowStrike-CTF </a> / <a href="https://github.com/ShadowStrike-CTF/security-theatre-simulator" rel="noopener noreferrer"> security-theatre-simulator </a> </h2> <h3> IT Security Theatre Simulator - A devastating satire of enterprise security tools built for DEV April Fools Challenge 2026 </h3> </div> <div class="ltag-github-body"> <div id="readme" class="md"> <div class="markdown-heading"> <h1 class="heading-element">IT Security Theatre Simulator 🎭</h1> </div> <p>A devastating satire of enterprise security tools that generate impressive reports with zero actual value.</p> <p>Built for the DEV Community April Fools Challenge 2026 by ShadowStrike (Strategos).</p> <div class="markdown-heading"> <h2 class="heading-element">What This Does</h2> </div> <p>This tool perfectly simulates enterprise security software by:</p> <ul> <li>Taking way too long to do absolutely nothing</li> <li>Displaying impressive progress bars that measure fictional work</li> <li>Generating CRITICAL findings about non-existent threats</li> <li>Providing completely useless recommendations</li> <li>Creating reports with suspiciously precise but meaningless statistics</li> <li>Looking professional enough that executives might actually buy it</li> </ul> <div class="markdown-heading"> <h2 class="heading-element">Installation</h2> </div> <p><strong>Option 1: With pretty colours (recommended)</strong></p> <div class="highlight highlight-source-shell notranslate position-relative overflow-auto js-code-highlight"> <pre>pip install colorama python security_theatre.py</pre> </div> <p><strong>Option 2: Without colours (it still works, just less theatrical)</strong></p> <div class="highlight highlight-source-shell notranslate position-relative overflow-auto js-code-highlight"> <pre>python security_theatre.py</pre> </div> <div class="markdown-heading"> <h2 class="heading-element">Usage</h2> </div> <div class="highlight highlight-source-shell notranslate position-relative overflow-auto js-code-highlight"> <pre>python security_theatre.py</pre> </div> <p>Then sit back and enjoy the show. Press ENTER when prompted to begin the security theatre performance.</p> <div class="markdown-heading"> <h2 class="heading-element">Sample Output</h2> </div> <div class="snippet-clipboard-content notranslate position-relative overflow-auto"> <pre class="notranslate"><code>CRITICAL: Detected 47 instances of employees understanding security policy CRITICAL: Security team found implementing practical solutions SEVERE: CEO's</code></pre>…</div> </div> </div> <div class="gh-btn-container"><a class="gh-btn" href="https://github.com/ShadowStrike-CTF/security-theatre-simulator" rel="noopener noreferrer">View on GitHub</a></div> </div> <p>How I Built It:<br> The entire tool is about 350 lines of Python built in roughly 2 hours. The technical stack is deliberately simple because the whole point is that this does nothing complicated:</p> <p>-Python 3 for the core logic<br> -colorama for terminal colours that make it look impressively official<br> -time.sleep() for dramatic pauses that simulate "work" being done<br> -random module to select different combinations of fake threats and scans each run</p> <p>The architecture consists of collections of absurd security scans, CRITICAL threats, and useless recommendations that get randomly selected and displayed with realistic-looking progress bars and timing. Every element is designed to mirror real enterprise security tools - the slow scanning, the precise but meaningless statistics, the urgent language around non-existent problems.</p> <p>The funniest part of building this was realising that the fake scans I wrote ("analysing deprecated legacy future-proofing configurations") sound exactly like real security tool marketing copy. The line between satire and reality is uncomfortably thin.</p> <p>Prize Category:<br> Community Favourite - I am targeting this one because every single person who works in IT or cybersecurity will instantly recognise these patterns and laugh at how accurate the satire is. Security theatre is a universal experience in our industry, and this tool captures it perfectly.</p> devchallenge 418challenge showdev