Powershell Cryptolocker蜜罐文件系统监视程序
我是一个新手,当谈到脚本,所以请容忍我。我正在尝试创建一个脚本来监视添加到服务器上所有文件共享的诱饵文件。当脚本看到文件被修改时,它将阻止对进行修改的用户的访问并发送电子邮件。除了FileSystemWatcher之外,脚本似乎工作正常。它将只监视最后一个共享。我在这里看到了一个问题,但对答案感到困惑。有人能帮我为每个bait文件创建一个FileSystemWatcher吗?我还想知道我如何在其他方面改进脚本。非常感谢你的帮助Powershell Cryptolocker蜜罐文件系统监视程序,powershell,alert,filesystemwatcher,malware-detection,honeypot,Powershell,Alert,Filesystemwatcher,Malware Detection,Honeypot,我是一个新手,当谈到脚本,所以请容忍我。我正在尝试创建一个脚本来监视添加到服务器上所有文件共享的诱饵文件。当脚本看到文件被修改时,它将阻止对进行修改的用户的访问并发送电子邮件。除了FileSystemWatcher之外,脚本似乎工作正常。它将只监视最后一个共享。我在这里看到了一个问题,但对答案感到困惑。有人能帮我为每个bait文件创建一个FileSystemWatcher吗?我还想知道我如何在其他方面改进脚本。非常感谢你的帮助 $to = "joe@blow.com" $File = "test
$to = "joe@blow.com"
$File = "test.txt"
$FilePath = "C:\temp"
$md5 = new-object -TypeName System.Security.Cryptography.MD5CryptoServiceProvider
## SEND MAIL FUNCTION
function sendMail($s, $to) {
$smtpServer = "mail.nowhere.com"
$smtpFrom = "alert@nowhere.com"
$smtpTo = $to
$messageSubject = $s[0]
$message = New-Object System.Net.Mail.MailMessage $smtpfrom, $smtpto
$message.Subject = $messageSubject
$message.IsBodyHTML = $false
$message.Body = $s[1]
$smtp = New-Object Net.Mail.SmtpClient($smtpServer)
$smtp.Send($message)
}
## Get a list of shares and Perform tasks on each location.
$cryptopaths = Get-WmiObject -Class win32_share -filter "Type=0 AND name like '%[^$]'" | ForEach ($_.Path) {
$cryptopath = $_.Path
## Copy the bait file to the share location
Copy $FilePath\$File $cryptopath\$File -Force
##Get files hash
Try {
$Origin = [System.BitConverter]::ToString($md5.ComputeHash([System.IO.File]::ReadAllBytes("$FilePath\$File")))
$Copy = [System.BitConverter]::ToString($md5.ComputeHash([System.IO.File]::ReadAllBytes("$CryptoPath\$File")))
}
##Error on reading hash
Catch {
echo "error reading $CryptoPath\$File"
}
## If files don't match, then Send messaged and quit
if (Compare-Object $Origin $Copy){
## files don't match
$subject = "Error logged on $CryptoPath\$File by $env:username on $env:computername"
$body = "The original file does not match the witness file. Aborting monitor script."
$email =@($subject,$body)
sendMail -s $email -to "ben22@nowhere.com"
Exit
}
## CREATE WATCHER ON DIRECTORY
$watcher = New-Object System.IO.FileSystemWatcher
$watcher.Path = $CryptoPath
$watcher.Filter = $File
$watcher.IncludeSubdirectories = $false
$watcher.EnableRaisingEvents = $false
$watcher.NotifyFilter = [System.IO.NotifyFilters]::LastWrite -bor [System.IO.NotifyFilters]::FileName
}
## Execute Watcher
while($TRUE){
$result = $watcher.WaitForChanged([System.IO.WatcherChangeTypes]::Changed `
-bor [System.IO.WatcherChangeTypes]::Renamed `
-bor [System.IO.WatcherChangeTypes]::Deleted `
-bor [System.IO.WatcherChangeTypes]::Created, 1000);
if ($result.TimedOut){
continue;
}
if ($result.Name -eq $File) {
### Make sure the files do not match
try {
$FileCheck = [System.BitConverter]::ToString($md5.ComputeHash([System.IO.File]::ReadAllBytes("$CryptoPath\$File")))
if (Compare-Object $Origin $FileCheck){
## files don't match
$body = "Witness file $FilePath\$File on $env:computername has been modified."
}
}
catch {
## file deleted
$body = "Witness file $FilePath\$File on $env:computername has been deleted"
}
finally {
## Deny owner of changed file access to shares and disconnect their open sessions. Send email alert
Get-Acl "$CryptoPath\$File" | foreach ($_.Owner) {
Get-SmbShare | Block-SmbShareAccess –AccountName $_.Owner
Close-SmbSession –ClientUserName $_.Owner
}
$subject = "EMERGENCY ON FILE SERVER -- $FilePath\$File by $env:username on $env:computername"
$email =@($subject,$body)
sendMail -s $email -to "ben22@nowhere.com"
sendMail -s $email -to "5555555555@txt.bell.ca"
Exit
}
}
}
问题是,您在循环(
ForEach($.Path){}
)中创建了FileSystemWatcher
实例,但将它们分配给了相同的变量$watcher
,每次都会覆盖以前的引用。一旦跳出循环,您就可以使用$watcher
变量,该变量引用您创建的最后一个FileSystemWatcher
实例,这就是为什么您只接收最后一个文件的通知
要使其正常工作,您应该使用允许存储多个引用的类型,即数组。例如:
$watchers = @();
...
$watcher = New-Object System.IO.FileSystemWatcher;
...
$watchers += $watcher;
此外,我还建议使用基于事件处理程序/回调/委托的方法,而不是使用waitforchange()
等待更改,因为等待多个文件系统观察器将需要并行化的解决方案(理想情况下)。用于注册事件处理程序,并特别查看此示例:
PowerShellPack还有一个Start FileSystemWatcher
cmdlet,可以很好地完成这一切,但我不确定PowerShellPack的总体状态。不过,它应该是Windows7/8资源工具包的一部分