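# removed odd 40-space indent of entire script
# replaced curly open/close double quotes with normal double quotes
#
# FSRM file-screen responder: when SRMSVC logs event 8215 in the Application
# log, block the triggering user on the SMB shares currently in use, email an
# alert, then restart FSRM so the next file-screen hit can trigger this again.
# Runs with whatever rights the FSRM action gives it (needs SmbShare cmdlets
# and Restart-Service on this host).

# Second delay so the 8215 event is committed before the log is queried.
Start-Sleep -Seconds 1

# Newest matching event only. Get-WinEvent returns newest first and throws
# when nothing matches, so the error is suppressed and handled explicitly.
$RansomwareEvents = Get-WinEvent -FilterHashtable @{logname='Application'; ProviderName="SRMSVC"; ID=8215} -MaxEvents 1 -ErrorAction SilentlyContinue
if (-not $RansomwareEvents) {
    Write-Warning "No SRMSVC 8215 event found in the Application log; nothing to do."
    exit 1
}

# Second whitespace-delimited token of the message holds DOMAIN\user;
# the -replace strips everything up to the last backslash.
$username = ($RansomwareEvents.Message).Split()[1]
$username = $username -replace ".*\\"
if ([string]::IsNullOrWhiteSpace($username)) {
    # Without a user name Block-SmbShareAccess would fail and the alert would be meaningless.
    Write-Warning "Could not parse a user name from the 8215 event message."
    exit 1
}

# Blocks SMB share access for the user (only shares with active sessions) but not network access.
Get-SmbShare | Where-Object CurrentUsers -gt 0 | Block-SmbShareAccess -AccountName $username -Force

# Computer and domain name for the email message.
$computername = hostname
$domain = (Get-CimInstance Win32_ComputerSystem).Domain

# Send email report.
# NOTE(review): relay credentials are hard-coded and EnableSsl is off; keep
# them in a protected store and enable TLS if the relay supports it.
$SMTPPort = "25"
$SMTPUsername = "test"
$SMTPPassword = "test"
$SMTPServer = "192.168.3.150"
$SMTPFrom = "test@mydomain"
$SMTPTo = "test@mydomain"
$messageSubject = "SERVER $computername on the domain $domain IS INFECTED AND BEING ATTACKED BY RANSOMEWARE"
$messagebody = "The User $username has infected the server. They have been denied access to all file shares. CALL USER NOW TURN OFF COMPUTER OR SERVER NOW! AFTER DAMAGE CONTROL. Once they have been disinfected, run the following powershell command on the server $computername to unblock the user from file shares: get-smbshare | where-object Name -notlike *$ | unblock-smbshareaccess -account $username -force "
$message = New-Object System.Net.Mail.MailMessage $SMTPFrom, $SMTPTo
$message.Subject = $messageSubject
# The body contains no markup; sending it as plain text keeps the line
# breaks and the quoted unblock command readable.
$message.IsBodyHtml = $false
$message.Body = $messagebody
$smtp = New-Object System.Net.Mail.SmtpClient($SMTPServer, $SMTPPort)
$smtp.EnableSsl = $false
# The credential object was previously built but never attached, so the
# relay login was never sent; attach it to the client.
$smtp.Credentials = New-Object System.Net.NetworkCredential($SMTPUsername, $SMTPPassword)
$smtp.Send($message)

# Restart FSRM so the file screen can re-trigger this script.
# -DisplayName is used explicitly because the quoted value is the display
# name, not the short service name.
Restart-Service -DisplayName "File Server Resource Manager" -Force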