
Powershell crypto locker code

This is a follow-up to Rethinking Cryptolocker: over time, infection is likely. Here's a simple Powershell script inspired by SysAd666's original script. Basically we place a witness file in any appropriate place and monitor it for modification or deletion. Once an event is triggered, the LanmanServer service is stopped. This kills every open share on the server. A bit drastic, but I prefer a few irate users to having to restore many thousands of files.

We set up a witness file at the root of our main share, with its twin in a read-only area for reference. On start we make sure both files are identical. We then set up a watcher routine using System.IO.FileSystemWatcher to trigger an event on a modification to the witness in our root file share. When the event fires, the witness no longer matches its twin, so we stop the LanmanServer service and send out an email warning.

Add the following to Task Scheduler so it runs at startup. Note I had to use Set-ExecutionPolicy RemoteSigned for my task to work - not the best idea - set up code signing to keep the server safe:

powershell.exe -ExecutionPolicy Bypass -File C:\share\trip-wire.ps1

One caveat on that command line: written as `powershell.exe -command C:\share\trip-wire.ps1 -ExecutionPolicy Bypass`, the `-ExecutionPolicy Bypass` part is passed to the script as arguments rather than to powershell.exe, which is likely why the host-wide policy had to be relaxed. With the switch in front of `-File` the bypass is scoped to this one process; signing the script and keeping AllSigned or RemoteSigned on the host is still the safer option.

The trip-wire.ps1 script (the original post showed it in fragments; the placeholder paths, mail settings and the SmtpClient wiring below are filled in so it runs, and are marked as such):

```powershell
$ErrorActionPreference = "Stop"

# Placeholder values (not from the original post): witness on the share, twin in a read-only area
$witnesspath  = "C:\share"
$witnessfile  = "witness.txt"
$originalpath = "C:\reference"
$originalfile = "witness.txt"

# Placeholder mail settings (not from the original post)
$smtpserver = "smtp.example.com"
$smtpfrom   = "tripwire@example.com"
$smtpto     = "admin@example.com"

# Send a warning mail. The original built a MailMessage; the SmtpClient part is assumed.
function Send-Warning($subject, $body) {
    $message = New-Object System.Net.Mail.MailMessage $smtpfrom, $smtpto
    $message.Subject = $subject
    $message.Body    = $body
    $smtp = New-Object System.Net.Mail.SmtpClient $smtpserver
    $smtp.Send($message)
}

# Read both copies. With $ErrorActionPreference = "Stop" a missing file throws.
try {
    $origin  = Get-Content "$originalpath\$originalfile" -Raw
    $witness = Get-Content "$witnesspath\$witnessfile" -Raw
} catch {
    $subject = "Error logged on $witnesspath\$witnessfile by $env:username on $env:computername"
    $body    = "The original or witness file has not been found."
    Send-Warning $subject $body
    exit 1
}

# If files don't match, then send message and quit
if ($origin -ne $witness) {
    $subject = "Error logged on $witnesspath\$witnessfile by $env:username on $env:computername"
    $body    = "The original file does not match the witness file."
    Send-Warning $subject $body
    exit 1
}

# CREATE WATCHER ON DIRECTORY (watching only the witness file)
$watcher = New-Object System.IO.FileSystemWatcher
$watcher.Path   = $witnesspath
$watcher.Filter = $witnessfile
$watcher.NotifyFilter = [System.IO.NotifyFilters]::LastWrite -bor [System.IO.NotifyFilters]::FileName

# Block until the witness is changed, renamed or deleted
$result = $watcher.WaitForChanged([System.IO.WatcherChangeTypes]::Changed `
    -bor [System.IO.WatcherChangeTypes]::Renamed `
    -bor [System.IO.WatcherChangeTypes]::Deleted)

# Tripped: stop the Server service (drops every open share), then warn
Stop-Service -Name LanmanServer -Force
$subject = "Witness file $witnesspath\$witnessfile tripped on $env:computername"
$body    = "Witness file $witnesspath\$witnessfile on $env:computername has been modified."
Send-Warning $subject $body
```
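As an added example (not the post's script and not SysAd666's), here is an event-driven variant of the same trip-wire that handles the failure modes a FileSystemWatcher brings with it: it fires more than once per write, it fires on a timestamp touch that leaves the content intact, and an encryptor holding the witness open makes the file unreadable rather than visibly different. The variant verifies by SHA256 against the read-only twin before acting, refuses to arm on a witness that is already wrong, and has a dry-run switch for testing. Everything in it is an assumption: the default paths, the 'TripWire' event-log source (which must be registered once as admin with New-EventLog), and the use of Register-ObjectEvent/Wait-Event in place of the original's blocking WaitForChanged.

```powershell
param(
    [string]$WitnessPath   = 'C:\share',                  # share root holding the witness (assumed)
    [string]$WitnessFile   = 'witness.txt',               # witness file name (assumed)
    [string]$ReferenceFile = 'C:\reference\witness.txt',  # read-only twin (assumed)
    [switch]$DryRun                                       # report only, leave the Server service alone
)
$ErrorActionPreference = 'Stop'
$witness = Join-Path $WitnessPath $WitnessFile

# The read-only twin defines what "unmodified" means; hash it once at start.
$baseline = (Get-FileHash -Path $ReferenceFile -Algorithm SHA256).Hash

# Classify the witness: 'ok', 'modified', 'missing' or 'unreadable' (locked by another
# process, which is what an encryptor holding the file open looks like from here).
function Test-Witness {
    param([string]$Path, [string]$ExpectedHash)
    if (-not (Test-Path -LiteralPath $Path)) { return 'missing' }
    try {
        $hash = (Get-FileHash -Path $Path -Algorithm SHA256).Hash
    } catch {
        return 'unreadable'
    }
    if ($hash -ne $ExpectedHash) { return 'modified' }
    return 'ok'
}

# Trip action: drop every SMB session by stopping the Server service, then leave a record
# the SIEM can collect. Event source 'TripWire' is assumed to exist (New-EventLog, run once).
function Invoke-Trip {
    param([string]$Reason, [switch]$DryRun)
    $msg = "Trip-wire fired on $env:COMPUTERNAME at $(Get-Date -Format o): $Reason"
    if ($DryRun) { Write-Warning "DRY RUN, would stop LanmanServer. $msg"; return }
    Stop-Service -Name LanmanServer -Force   # -Force: LanmanServer has dependent services
    try {
        Write-EventLog -LogName Application -Source 'TripWire' -EntryType Error -EventId 1000 -Message $msg
    } catch {
        Write-Warning $msg   # source not registered; at least keep the message on the console/transcript
    }
}

# Fail closed: do not arm on top of a witness that is already wrong.
$state = Test-Witness -Path $witness -ExpectedHash $baseline
if ($state -ne 'ok') { throw "Witness is $state before arming, refusing to start" }

# Watch only the witness. Size is included so a truncate-and-rewrite is caught even if
# the writer preserves the LastWrite timestamp.
$watcher = New-Object System.IO.FileSystemWatcher
$watcher.Path   = $WitnessPath
$watcher.Filter = $WitnessFile
$watcher.NotifyFilter = [System.IO.NotifyFilters]::LastWrite -bor `
                        [System.IO.NotifyFilters]::FileName  -bor `
                        [System.IO.NotifyFilters]::Size
$watcher.EnableRaisingEvents = $true

# Queue the three event kinds and consume them in script scope (no -Action block, so the
# functions above are in scope when an event is handled).
foreach ($name in 'Changed', 'Deleted', 'Renamed') {
    Register-ObjectEvent -InputObject $watcher -EventName $name -SourceIdentifier "TripWire.$name" | Out-Null
}
Write-Host "Armed on $witness (baseline SHA256 $baseline)"

try {
    while ($true) {
        $ev = Wait-Event                                  # blocks until something is queued
        Remove-Event -EventIdentifier $ev.EventIdentifier # Wait-Event does not dequeue
        if ($ev.SourceIdentifier -notlike 'TripWire.*') { continue }
        $change = $ev.SourceEventArgs.ChangeType
        # Several events per write and content-preserving touches are normal: re-verify
        # by hash before doing anything drastic.
        $state = Test-Witness -Path $witness -ExpectedHash $baseline
        if ($state -eq 'ok') { Write-Verbose "$change event but hash still matches, ignoring"; continue }
        Invoke-Trip -Reason "$change event, witness is $state" -DryRun:$DryRun
        break
    }
} finally {
    Get-EventSubscriber | Where-Object SourceIdentifier -like 'TripWire.*' | Unregister-Event
    $watcher.Dispose()
}
```

Run it once with `-DryRun` and overwrite, rename and delete the witness by hand to confirm each path reaches Invoke-Trip; then restore the witness from the twin, drop the switch, and wire it into Task Scheduler as above. Because the script exits after one trip, the scheduled task should not restart it automatically until someone has looked at the event-log entry and put the witness back.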
