Powershell Cryptolocker蜜罐文件系统监视程序
我是一个新手,当谈到脚本,所以请容忍我。我正在尝试创建一个脚本来监视添加到服务器上所有文件共享的诱饵文件。当脚本看到文件被修改时,它将阻止对进行修改的用户的访问并发送电子邮件。除了FileSystemWatcher之外,脚本似乎工作正常。它将只监视最后一个共享。我在这里看到了一个问题,但对答案感到困惑。有人能帮我为每个bait文件创建一个FileSystemWatcher吗?我还想知道我如何在其他方面改进脚本。非常感谢你的帮助Powershell Cryptolocker蜜罐文件系统监视程序,powershell,alert,filesystemwatcher,malware-detection,honeypot,Powershell,Alert,Filesystemwatcher,Malware Detection,Honeypot,我是一个新手,当谈到脚本,所以请容忍我。我正在尝试创建一个脚本来监视添加到服务器上所有文件共享的诱饵文件。当脚本看到文件被修改时,它将阻止对进行修改的用户的访问并发送电子邮件。除了FileSystemWatcher之外,脚本似乎工作正常。它将只监视最后一个共享。我在这里看到了一个问题,但对答案感到困惑。有人能帮我为每个bait文件创建一个FileSystemWatcher吗?我还想知道我如何在其他方面改进脚本。非常感谢你的帮助 $to = "joe@blow.com" $File = "test
$to = "joe@blow.com"
$File = "test.txt"
$FilePath = "C:\temp"
$md5 = new-object -TypeName System.Security.Cryptography.MD5CryptoServiceProvider
## SEND MAIL FUNCTION
function sendMail($s, $to) {
$smtpServer = "mail.nowhere.com"
$smtpFrom = "alert@nowhere.com"
$smtpTo = $to
$messageSubject = $s[0]
$message = New-Object System.Net.Mail.MailMessage $smtpfrom, $smtpto
$message.Subject = $messageSubject
$message.IsBodyHTML = $false
$message.Body = $s[1]
$smtp = New-Object Net.Mail.SmtpClient($smtpServer)
$smtp.Send($message)
}
## Get a list of shares and Perform tasks on each location.
$cryptopaths = Get-WmiObject -Class win32_share -filter "Type=0 AND name like '%[^$]'" | ForEach ($_.Path) {
$cryptopath = $_.Path
## Copy the bait file to the share location
Copy $FilePath\$File $cryptopath\$File -Force
##Get files hash
Try {
$Origin = [System.BitConverter]::ToString($md5.ComputeHash([System.IO.File]::ReadAllBytes("$FilePath\$File")))
$Copy = [System.BitConverter]::ToString($md5.ComputeHash([System.IO.File]::ReadAllBytes("$CryptoPath\$File")))
}
##Error on reading hash
Catch {
echo "error reading $CryptoPath\$File"
}
## If files don't match, then Send messaged and quit
if (Compare-Object $Origin $Copy){
## files don't match
$subject = "Error logged on $CryptoPath\$File by $env:username on $env:computername"
$body = "The original file does not match the witness file. Aborting monitor script."
$email =@($subject,$body)
sendMail -s $email -to "ben22@nowhere.com"
Exit
}
## CREATE WATCHER ON DIRECTORY
$watcher = New-Object System.IO.FileSystemWatcher
$watcher.Path = $CryptoPath
$watcher.Filter = $File
$watcher.IncludeSubdirectories = $false
$watcher.EnableRaisingEvents = $false
$watcher.NotifyFilter = [System.IO.NotifyFilters]::LastWrite -bor [System.IO.NotifyFilters]::FileName
}
## Execute Watcher
while($TRUE){
$result = $watcher.WaitForChanged([System.IO.WatcherChangeTypes]::Changed `
-bor [System.IO.WatcherChangeTypes]::Renamed `
-bor [System.IO.WatcherChangeTypes]::Deleted `
-bor [System.IO.WatcherChangeTypes]::Created, 1000);
if ($result.TimedOut){
continue;
}
if ($result.Name -eq $File) {
### Make sure the files do not match
try {
$FileCheck = [System.BitConverter]::ToString($md5.ComputeHash([System.IO.File]::ReadAllBytes("$CryptoPath\$File")))
if (Compare-Object $Origin $FileCheck){
## files don't match
$body = "Witness file $FilePath\$File on $env:computername has been modified."
}
}
catch {
## file deleted
$body = "Witness file $FilePath\$File on $env:computername has been deleted"
}
finally {
## Deny owner of changed file access to shares and disconnect their open sessions. Send email alert
Get-Acl "$CryptoPath\$File" | foreach ($_.Owner) {
Get-SmbShare | Block-SmbShareAccess –AccountName $_.Owner
Close-SmbSession –ClientUserName $_.Owner
}
$subject = "EMERGENCY ON FILE SERVER -- $FilePath\$File by $env:username on $env:computername"
$email =@($subject,$body)
sendMail -s $email -to "ben22@nowhere.com"
sendMail -s $email -to "5555555555@txt.bell.ca"
Exit
}
}
}
问题是,您在循环(
ForEach($.Path){}FileSystemWatcher$watcher$watcherFileSystemWatcher$watchers = @();
...
$watcher = New-Object System.IO.FileSystemWatcher;
...
$watchers += $watcher;
waitforchange()Start FileSystemWatcher