##############################
# Disable Net adapter #
# Updated on 06/09/2016 #
# #
# #
##############################
#####################################################################################################
# Instructions!! #
# #
# https://community.spiceworks.com/how_to/100368-cryptolocker-canary-detect-it-early #
# #
# In this setup select the option to enable event log. #
# #
# Setup a task schedule to kick off this script with the options to run #
# C:\Windows\system32\Windowspowershell\v1.0\powershell.exe #
# with arguments #
# -noprofile -executionpolicy bypass -command c:\disablenetadapter.ps1 #
# #
# #
#####################################################################################################
######################################################################################################
# To Update the Canary List #
# function update-canary{ #
# [CmdletBinding()] #
# Param( #
# $Export = 'Location to export', #
# $Backup = 'Backup last list', #
# $FileGroup = '"CryptoLocker Canary"', #
# $Server = 'Server', #
# $NewList = 'Location of list' #
# #
# ) #
# #
# $VerbosePreference = 'continue' #
# # export a copy of the current file for backup #
# Write-Verbose 'Making copy of current backup and replacing the older one.' #
# Move-Item $Export $Backup -force #
# #
# # Create new backup of the filegroup #
# Write-Verbose 'Creating a new backup before changes.' #
# filescrn.exe filegroup export /file:$Export /filegroup:"$FileGroup" /remote:$server #
# #
# # Get the content of the updated list #
# Write-Verbose 'Getting the content of the new list.' #
# $canaryPipe = (Get-Content "$NewList") -join '|' -replace (' ') -replace ".$" #
# #
# #
# # push the update to the FSRM Group to update the list #
# Write-Verbose 'Updating the list on the FSRM.' #
# filescrn.exe filegroup modify /filegroup:"$FileGroup" /members:""$canaryPipe"" /remote:$Server #
# #
# #
# Write-Verbose 'Finished' #
# #
# #
# } #
# #
# Update-canary #
######################################################################################################
[CmdletBinding()]
param(
  # Domain prefix removed from the event-log user string; must include the trailing '\'.
  $domain = 'Domain\',
  # Notification recipient, sender and relay host used by every Send-MailMessage call.
  $ToEmail = 'towho@blah.com',
  $FromEmail = 'fromwho@blah.com',
  $SMTPServer = 'smtp.server',
  # Exposed as a parameter so the Write-Verbose output below can be switched off with
  # -VerbosePreference 'SilentlyContinue' (the PowerShell default).
  $VerbosePreference = 'Continue',
  # Not referenced anywhere else in this script; kept so callers that pass -date still bind.
  $date = (get-date -Format MMddyy),
  # Host whose Application log is searched for the SRMSVC warning.
  $EventLogPC = 'Server',
  # Scratch file of reachable computers, and the quser.exe export reused on the next run.
  $onlinePCtxt = 'C:\onlinepc.txt',
  $QUserlist = 'c:\quser.csv'
)
Write-Verbose 'Getting the user from the event log'
# Newest SRMSVC warning in the Application log of $EventLogPC.
# NOTE(review): -Newest 1 returns whatever the latest SRMSVC warning is, not necessarily the
# event that fired this task, and Message is the full notification text (which also carries
# the path that tripped the file screen). $user is therefore only a bare account name if the
# notification template is exactly "DOMAIN\user" — confirm, because $user is interpolated
# into remote command lines further down.
$latestMessage = Get-EventLog -ComputerName $EventLogPC -LogName application -Newest 1 -EntryType warning -Source SRMSVC |
  Select-Object -ExpandProperty message
# String.Replace is an ordinal, case-sensitive removal of the domain prefix.
$user = $latestMessage.Replace($domain, '')
###############################################################
# Heads-up email: one more signal that the response script has started for $user.
Write-Verbose 'Sending email to notify of running of script'
$startNotice = @{
  To         = $ToEmail
  From       = $FromEmail
  Subject    = "$user Crypto Disable Net Adapter!"
  Body       = "disablenetadapter.ps1 is being run against $user"
  SmtpServer = $SMTPServer
}
Send-MailMessage @startNotice
# Text shown by msg.exe on the affected machine(s).
# NOTE(review): $user comes from the event-log text and this string is later placed, unquoted,
# on a remote command line — confirm $user is a bare account name before trusting it there.
$message = 'Attention {0}! Your network connection has been disabled due to a possible virus infection! Do NOT attempt to re-enable it. Contact I.T immediately!' -f $user
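##############################################################
# Fast path: use the quser.exe export written by the previous run to find the computers
# $user was logged on to last time, and cut them off before the slower domain-wide sweep.
Write-Verbose 'Running pre-populated list'
# NOTE(review): -like treats '*' and '?' in $user as wildcards. Because $user is derived from
# the event-log message, a value containing '*' would match every row of the list; confirm
# the value is a bare account name (or switch to -eq) before relying on this.
$pc = Import-Csv $QUserlist |
  Where-Object username -like "$user" |
  Select-Object -ExpandProperty pscomputername -Unique
# $null on the left: an array result is then tested for "anything there", not filtered element-wise.
if ($null -ne $pc) {
  # Warn the interactive user on screen before the adapter goes down (msg.exe as a remote process).
  Invoke-WmiMethod -Class win32_process -ComputerName $pc -Name create -ArgumentList "c:\windows\system32\msg.exe * $message"
  # Disable every adapter that is currently connected (NetConnectionStatus 2 = Connected).
  # The unused extra ping ($ip) that preceded this call was dropped.
  Get-WmiObject -Class win32_networkadapter -ComputerName $pc -Filter 'NetConnectionStatus = 2' |
    ForEach-Object { $_.Disable() }
  # Confirm the box dropped off the network; only then report the fast path as successful.
  $test = Test-Connection $pc -Quiet
  if ($test -eq $false) {
    Send-MailMessage -To "$ToEmail" -From "$FromEmail" -Subject "$user Crypto Disable Net Adapter!" -Body "The Net Adapter has been disabled on $pc using the pre-populated quser.exe information from past logons. The 'Test-connection' returned 'False' so this PC should not be on the network. The script will continue to run and disable any other computers that $user is logged on." -SmtpServer "$SMTPServer"
  }
}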
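Write-Verbose 'The script is still running'
<#############################################################
Disable the network adapter of the selected user
#############################################################>
# Build the list of reachable domain computers into $onlinePCtxt (one DNS host name per line).
Write-Verbose 'Getting the list of online pcs'
# Clear-Content errors when the file does not exist yet (first run); create it empty instead.
if (Test-Path -LiteralPath $onlinePCtxt) {
  Clear-Content -LiteralPath $onlinePCtxt
} else {
  New-Item -Path $onlinePCtxt -ItemType File -Force | Out-Null
}
# Ping every computer object in AD once and keep the ones that answer. This walks the whole
# domain sequentially, so it is the slow part of the script.
Get-ADComputer -Filter * |
  ForEach-Object {
    $hostname = $_.dnshostname
    # Computer objects without a DNSHostName would make Test-Connection fail; skip them.
    if ([string]::IsNullOrWhiteSpace($hostname)) { return }
    # -Quiet returns a boolean, so test it directly instead of matching the string 'True'
    # (the original also used typographic quotes around that string).
    if (Test-Connection -ComputerName $hostname -Count 1 -BufferSize 16 -Quiet) {
      $hostname | Out-File $onlinePCtxt -Append
    }
  }
$onlinePC = Get-Content $onlinePCtxt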
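# Find who is logged on to each reachable computer by running quser.exe on all of them at once.
Write-Verbose 'Running quser.exe to get the logged in users'
# quser.exe prints fixed-width columns; collapsing runs of 2+ spaces to a comma turns it into CSV.
# Remoting adds PSComputerName to each row, which is what the lookup below keys on.
$quser = Invoke-Command $onlinePC { (quser.exe) -replace '\s{2,}', ',' | ConvertFrom-Csv }
# Persist the export; the pre-populated fast path at the top of the script reads it next run.
$quser | Export-Csv $QUserlist -NoTypeInformation
# Computer name(s) the user is logged on to. -ExpandProperty is required: without it
# Select-Object yields objects with a PSComputerName property, and the -ComputerName
# parameters used below would receive those objects instead of host-name strings.
# NOTE(review): -Like treats '*'/'?' in $user as wildcards; $user is derived from event-log
# text, so confirm it is a bare account name (or use -eq) before relying on this match.
$pc = $quser |
  Where-Object USERNAME -Like $user |
  Select-Object -ExpandProperty pscomputername -Unique
# Popup message on the disabled pc
Write-Verbose 'Sending popup message to the offending machine'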
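function Send-Message {
  <#
  .SYNOPSIS
  Shows a pop-up (via msg.exe) on the affected computer(s).
  .DESCRIPTION
  Starts msg.exe through the Win32_Process WMI class on each target so the interactive user
  sees the warning before their adapter is disabled. Called with no arguments it uses the
  script-level $pc and $message exactly as before; both can now be overridden.
  .PARAMETER ComputerName
  Target computer(s); defaults to the script-level $pc.
  .PARAMETER Text
  Pop-up text; defaults to the script-level $message. It is placed unquoted on a remote
  command line, so callers must only pass text they control.
  #>
  param(
    $ComputerName = $pc,
    $Text = $message
  )
  Invoke-WmiMethod -Class win32_process -ComputerName $ComputerName -Name create -ArgumentList "c:\windows\system32\msg.exe * $Text"
}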
Send-Message
# Disable any connected net adapter
Write-Verbose 'Disabeling the net adapter on the offending machine'
# NetConnectionStatus 2 = Connected; each such adapter on $pc is disabled in turn.
$connectedAdapters = Get-WmiObject -Class win32_networkadapter -ComputerName $pc -Filter 'NetConnectionStatus = 2'
foreach ($adapter in $connectedAdapters) {
  $adapter.Disable()
}
# Final reachability check; False means the machine is off the network.
$test = Test-Connection $pc -Quiet
Write-Verbose 'Sending email to notify the script complete and the results'
$finalNotice = @{
  To         = "$ToEmail"
  From       = "$FromEmail"
  Subject    = "$user Crypto Disable Net Adapter!"
  Body       = "DisableNetAdapter.ps1 was run on user $user on $pc. The final test-connection results came back as $test, If 'False' the disable was Successful. Please take action now to prevent further spread."
  SmtpServer = "$SMTPServer"
}
Send-MailMessage @finalNotice