RansomWare Monitor

a guest
Nov 16th, 2018
  1. ########################################################################################################################
  2. # Start of the script - Description, Requirements & Legal Disclaimer
  3. ########################################################################################################################
  4. # Written by: Joshua Stenhouse joshuastenhouse@gmail.com
  5. ################################################
  6. # Configure the variables below
  7. ################################################
  8. # Step 1. Specify the HoneyPot and Witness File & Folder locations along with the testing interval in seconds
  9. $HoneypotDir =@("C:\","C:\ALL DATA\QB DATA\","C:\ALL DATA\COMPANY DATA\")
  10. $HoneypotFile = "~HoneypotFile.docx"
  11. $HoneypotWitenessDir = "C:\zzRansomTester"
  12. $TestInterval = "5"
  13. # Step 2. Specify the SMTP Email Settings
  14. $EmailTo = "TechSupport@esp-cc.net"
  15. $EmailFrom = "RansomDetected@esp-cc.net"
  16. $SMTPServer = "mail.ebglobal.com"
  17. $SMTPPort = "587"
  18. $SMTPUser =
  19. $SMTPPassword =
  20. $SMTPSSLEnabled = "FALSE"
  21. ################################################################
  22. #After Testing, find & remove 2 Shutdown Safety Guards Below (marked with @@@@@@)
  23. ################################################################
  24. ########################################################################################################################
  25. # DO NOT EDIT BELOW THIS LINE
  26. ########################################################################################################################
  27. $HoneypotWitnessFile = $HoneypotFile
  28. $emailsetting = New-Object System.Net.Mail.MailMessage
  29. $Emailsetting.to.add($EmailTo)
  30. $Emailsetting.from = $EmailFrom
  31. $Emailsetting.IsBodyHTML = "TRUE"
  32. $smtp = New-Object System.Net.Mail.SmtpClient($SMTPServer, $SMTPPort);
  33. if ($SMTPSSLEnabled -eq "TRUE")
  34. {
  35. $smtp.EnableSSL = "TRUE"
  36. }
  37. $smtp.Credentials = New-Object System.Net.NetworkCredential($SMTPUser, $SMTPPassword);
  38. ################################################################################################
  39. # Starting Continuous Loop of Ransomware Check
  40. ################################################################################################
  41. Do {
  42. for($i=0; $i -lt $HoneypotDir.length; $i++){
  43. # Testing to see if file exists first, the extension may of changed or it may have been deleted
  44. $TestHoneypotPath = test-path ($HoneypotDir[$i]+"\$HoneypotFile")
  45. if ($TestHoneypotPath -eq $False)
  46. {
  47. # File not found or renamed from original file
  48. $HoneyPotFileFound = Get-ChildItem $HoneypotDir[$i] | Sort {$_.LastWriteTime} | select Name -expandproperty Name -last 1
  49. $HoneyPotFileLastWriteTime = Get-ChildItem ($HoneypotDir[$i]+"\$HoneyPotFileFound") | select lastwritetime
  50. $HoneyPotFileOwner = get-acl ($HoneypotDir[$i]+"\$HoneyPotFileFound") | select owner
  51. # Configuring email settings
  52. $EmailSubject = "Potential Ransomware Infection Found"
  53. $EmailBody = "Honeypot file "+$HoneypotDir[$i]+"\$HoneypotFile on $env:computername has been deleted or file extension changed.
  54. Found $HoneyPotFileFound instead, modified by $HoneyPotFileOwner @ $HoneyPotFileLastWriteTime indicating a possbile ransomware infection."
  55. # Outputting to screen
  56. write-host $EmailBody
  57. # Stopping loop of script
  58. $StopScript ="Y"
  59. # Disabling File share service
  60. #--------------------Stop-Service "LanmanServer" -force –PassThru
  61. # Building email Subject & Body
  62. $Emailsetting.subject = $EmailSubject
  63. $Emailsetting.body = $EmailBody
  64. # Sending Email
  65. Try
  66. {
  67. $smtp.send($Emailsetting)
  68. }
  69. Catch [system.exception]
  70.  {
  71.  # Trying to send email again if first attempt fails
  72. sleep 10
  73. $smtp.send($Emailsetting)
  74.  }
  75. Finally
  76.  {
  77.  }
  78. # Finished sending email
  79.  
  80.  
  81. write-host "SHUTDOWN HIT"
  82. <#@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
  83. Set-Service RansomMonitor -StartupType Disabled
  84. stop-computer -Force
  85. @@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@#>
  86.  
  87. }
  88. ################################################
  89. # If the Honeypot file does exist running a comparison of the Honeypot and test files
  90. ################################################
  91. if ($TestHoneypotPath -eq $True)
  92. {
  93. # File found so comparing files
  94. try
  95. {
  96. # If file is currently being encrypted the get-content can fail, so adding try command with a wait
  97. $ReadHoneypotFile = Get-Content ($HoneypotDir[$i]+"\$HoneypotFile")
  98. }
  99. catch
  100. {
  101. sleep 60
  102. $ReadHoneypotFile = Get-Content ($HoneypotDir[$i]+"\$HoneypotFile")
  103. }
  104. # Reading test file
  105. $ReadHoneypotWitenessFile = Get-Content "$HoneypotWitenessDir\$HoneypotWitnessFile"
  106. # Comparing files to check for modifications
  107. if (Compare-Object $ReadHoneypotFile $ReadHoneypotWitenessFile)
  108. {
  109. $HoneypotFileMatch = "FALSE"
  110. }
  111. else
  112. {
  113. $HoneypotFileMatch = "TRUE"
  114. }
  115. ################################################
  116. # If the Honeypot and test files do not match
  117. ################################################
  118. if ($HoneypotFileMatch -eq "FALSE")
  119. {
  120. $HoneyPotFileLastWriteTime = Get-ChildItem ($HoneypotDir[$i]+"\$HoneypotFile") | select lastwritetime
  121. $HoneyPotFileOwner = get-acl ($HoneypotDir[$i]+"\$HoneypotFile") | select owner
  122. # Configuring email settings
  123. $EmailSubject = "Potential Ransomware Infection Found"
  124. $EmailBody = "Honeypot file "+$HoneypotDir[$i]+"\$HoneypotFile on $env:computername has been modified by $HoneyPotFileOwner @ $HoneyPotFileLastWriteTime.
  125. Indicative of a potential ransomware infection."
  126. # Outputting to screen
  127. write-host $EmailBody
  128. # Stopping loop of script
  129. $StopScript ="Y"
  130. # Sending email
  131. Try
  132. {
  133. $smtp.send($Emailsetting)
  134. }
  135. Catch [system.exception]
  136.  {
  137.  # Trying to send email again if first attempt fails
  138. sleep 10
  139. $smtp.send($Emailsetting)
  140.  }
  141. Finally
  142.  {
  143.  }
  144. # Finished sending email
  145.  
  146.  
  147. write-host "SHUTDOWN HIT"
  148. <#@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
  149. Set-Service RansomMonitor -StartupType Disabled
  150. stop-computer -Force
  151. @@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@#>
  152.  
  153.  
  154. }
  155. ################################################
  156. # If the Honeypot and witness files MATCH then no ransomware infection detected and script loops to the start where it sleeps for the $TestInterval
  157. ################################################
  158. # if the files were found and do match
  159. if ($HoneypotFileMatch -eq "TRUE")
  160. {
  161. # Files do match, repeating test in
  162. $Message = "No infection detected, repeating in $testinterval seconds"
  163. write-host $Message
  164. $StopScript = "N"
  165. }
  166. # End of Honeypot File does exist below
  167. }
  168. # End of Honeypot File does exist above
  169. sleep $TestInterval
  170. #
  171. }
  172. }# End of Do Loop
  173. Until ($StopScript -eq "Y")