Category Archives: PowerShell

Fight against Ransomware

At the moment a major risk is endangering businesses worldwide: Ransomware.

Most common types of ransomware encrypt all of the user’s data – whether it is stored on local disks or on network drives. Even unmapped network shares are not safe, as long as the user has write access to their contents. This elevates ransomware to a high business risk.

In Microsoft Windows environments, a couple of built-in technologies help to mitigate the risk and achieve a safer corporate IT.

A couple of days ago I stumbled upon a promising technique published by Matt Hopton. But it involves some manually performed actions. Let’s add some PowerShell magic 🙂

This script will

  • add FSRM Windows-Feature, if required
  • configure FSRM mail settings
  • get currently known ransomware file pattern list from ThePhoton (GitHub)
  • add file screen for path given
  • create file group update script
  • create update task

Adjust the settings to your needs. You can run this script several times for different $ScreenPath values, if necessary.

#region Parameters
           
[cmdletbinding()]
param(
        [Parameter(ValueFromPipeline=$true,Mandatory=$true)] [ValidateNotNullOrEmpty()]
        [string] $ScreenPath,
        # Path to be screened
     
        [Parameter(Mandatory=$true)] [ValidateNotNullOrEmpty()] 
        [bool] $BlockSpecialShares 
        #On detection: Block access to hidden shares (e.g. C$), too?
                           
)
                   
#endregion

#region Settings
# File screen group name
$FileGroupName = "Known Ransomware Files"

# FSRM's mail settings
$FromEmailAddress ="FileServer@MyCompandy.net"
$AdminEmailAddress = "my@mail.com"
$SmtpServer = "localhost"

# Mail content
$MailTo = "[Admin Email]"
$MailSubject = "FSRM - WARNING: Possible ransomware activity detected!"
$MailBody = 'User "[Source Io Owner]" tried to save the file "[Source File Path]" at "[File Screen Path]" on server "[Server]". This file is known for ransomware activities ([Violated File Group]). File access for this user has been denied!'

# Event body
$EventBody = $MailBody

# Auto Update FSRM File Group Scheduled Task
$AutoUpdate = $true
$AutoUpdatePath = "C:\Scripts\Update-FsrmKnownRansomware.ps1" # Will be created
$TaskName = "FSRM - Update Known Ransomware Files"
$TaskDescription = "Updates FSRM File Group 'Known Ransomware Files'"

#endregion

#######################
# Install FSRM Action #
#######################

$fsrmStatus = Get-WindowsFeature FS-Resource-Manager
if (-not ($fsrmStatus.Installed)) {
    Install-WindowsFeature -Name FS-Resource-Manager -IncludeManagementTools
}
Import-Module FileServerResourceManager

######################
# Set  FSRM SMTP     #
######################

### Set default mail server / adresses

Set-FsrmSetting -SmtpServer $SmtpServer -FromEmailAddress $FromEmailAddress -AdminEmailAddress $AdminEmailAddress

######################
# Create File Group  #
######################

### Get known ransomware file group and create/update...
$decryptreadme = (Invoke-WebRequest "https://raw.githubusercontent.com/thephoton/ransomware/master/filescreendecryptreadme.txt").Content
$fileexts = (Invoke-WebRequest "https://raw.githubusercontent.com/thephoton/ransomware/master/filescreenextensions.txt").Content
$filescreengroup = @()

# Split on CR/LF and drop empty lines, so only real patterns end up in the file group
foreach($line in $decryptreadme.Split("`r`n")){ if ($line -ne "") {$filescreengroup += $line} }
foreach($line in $fileexts.Split("`r`n")){ if ($line -ne "") {$filescreengroup += $line} }

$FsrmFileGroup = Get-FsrmFileGroup $FileGroupName -ErrorAction SilentlyContinue
if ($FsrmFileGroup) 
{
    $FsrmFileGroup | Set-FsrmFileGroup -IncludePattern $filescreengroup
} else {
    New-FsrmFileGroup -Name $FileGroupName -IncludePattern $filescreengroup
}

######################
# Create FSRM Action #
######################

### Create command action
# Get-SmbShare -Special $true returns ONLY the special (hidden) shares, so the
# filter below blocks all regular shares and adds the special ones when requested.
# `$$BlockSpecialShares expands to the literal $True / $False inside the command line.
$Command = "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
$CommandParameters = "-ExecutionPolicy Unrestricted -NoLogo -Command `"& { Get-SmbShare | Where-Object { (-not `$_.Special) -or `$$BlockSpecialShares } | ForEach-Object { Block-SmbShareAccess -Name `$_.Name -AccountName '[Source Io Owner]' -Force } }`""
$CommandNotification = New-FsrmAction  -Type Command -Command $Command -CommandParameters $CommandParameters -SecurityLevel LocalSystem -KillTimeOut 120

### Create mail notification action
$MailNotification = New-FsrmAction -Type Email -MailTo $MailTo -MailCC "[Source Io Owner Email]" -Subject $MailSubject -Body $MailBody -RunLimitInterval 120

### Create event log action
$EventNotification = New-FsrmAction  -Type Event  -EventType Warning -Body $EventBody

### Create file screen
New-FsrmFileScreen -Path $ScreenPath -IncludeGroup $FileGroupName -Notification @($CommandNotification,$MailNotification,$EventNotification) -Active

######################
# Create Update Task #
######################

if ($AutoUpdate) 
{
    #Check if path exists
    if (-not (Test-Path(Split-Path $AutoUpdatePath))) {
        New-Item -ItemType Directory (Split-Path $AutoUpdatePath) 
        }
    #Check if script exists
    if (-not (Test-Path $AutoUpdatePath)) {
        $AutoUpdateScript = 
'$FileGroupName = "'+$FileGroupName+'"
$decryptreadme = (Invoke-WebRequest "https://raw.githubusercontent.com/thephoton/ransomware/master/filescreendecryptreadme.txt").Content

$fileexts = (Invoke-WebRequest "https://raw.githubusercontent.com/thephoton/ransomware/master/filescreenextensions.txt").Content

$filescreengroup = @()

foreach($line in $decryptreadme.Split("`r`n")){ if ($line -ne "") {$filescreengroup += $line} }
foreach($line in $fileexts.Split("`r`n")){ if ($line -ne "") {$filescreengroup += $line} }

# Update the file group if it exists, otherwise create it
try {
    Get-FsrmFileGroup $FileGroupName -ErrorAction Stop
    Get-FsrmFileGroup $FileGroupName | Set-FsrmFileGroup -IncludePattern $filescreengroup
}
catch {
    New-FsrmFileGroup -Name $FileGroupName -IncludePattern $filescreengroup
}'
                                
        $AutoUpdateScript | Out-File $AutoUpdatePath

    }

    if ((Test-Path $AutoUpdatePath) -and -not (Get-ScheduledTask $TaskName -ErrorAction SilentlyContinue)) {
        #Create scheduled task if update-script exists and task does not exist

        $PSpath = "%windir%\System32\WindowsPowerShell\v1.0\powershell.exe"
        $Argument = "-NoProfile -WindowStyle Hidden `"$AutoUpdatePath`""

        $action = New-ScheduledTaskAction -Execute $PSpath -Argument $Argument
        $principal = New-ScheduledTaskPrincipal -UserId "LOCALSERVICE" -LogonType ServiceAccount

        $trigger =  New-ScheduledTaskTrigger -Daily -At 7am

        Register-ScheduledTask -Action $action -Trigger $trigger -TaskName $TaskName -Description $TaskDescription -Principal $principal

    }

}
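Before relying on the screen, it is worth confirming that every piece the script is supposed to leave behind is actually in place. The following verification script is an added example, not part of the original post: it reads the FSRM and Task Scheduler state for one screened path and reports each check as OK or FAIL. It assumes the same default names the script above uses ($FileGroupName, $TaskName); the check labels are my own.

```powershell
# Added verification example (not from the original post). Run elevated on the
# file server after the deployment script, e.g.:
#   .\Test-RansomwareScreen.ps1 -ScreenPath 'D:\Shares\Users'   (file name assumed)
[CmdletBinding()]
param(
    [Parameter(Mandatory=$true)] [string] $ScreenPath,
    [string] $FileGroupName = "Known Ransomware Files",
    [string] $TaskName      = "FSRM - Update Known Ransomware Files"
)

Import-Module FileServerResourceManager -ErrorAction Stop

$checks = [ordered]@{}

# 1. The FSRM role service must be installed, otherwise nothing below exists
$checks['FSRM installed'] = (Get-WindowsFeature FS-Resource-Manager).Installed

# 2. The file group must exist AND carry patterns: an empty group screens nothing,
#    which is exactly what you get if the GitHub download failed silently
$group = Get-FsrmFileGroup -Name $FileGroupName -ErrorAction SilentlyContinue
$checks['File group exists']       = [bool]$group
$checks['File group has patterns'] = ($group -and $group.IncludePattern.Count -gt 0)

# 3. An active (not passive) file screen on the path must reference that group
#    and still carry the command action that blocks the offending user
$screen = Get-FsrmFileScreen -Path $ScreenPath -ErrorAction SilentlyContinue
$checks['File screen exists']      = [bool]$screen
$checks['File screen active']      = ($screen -and $screen.Active)
$checks['Screen uses file group']  = ($screen -and ($screen.IncludeGroup -contains $FileGroupName))
$checks['Screen has block action'] = ($screen -and [bool]($screen.Notification | Where-Object Type -eq 'Command'))

# 4. The daily pattern update task must be registered and not disabled
$task = Get-ScheduledTask -TaskName $TaskName -ErrorAction SilentlyContinue
$checks['Update task registered'] = [bool]$task
$checks['Update task enabled']    = ($task -and $task.State -ne 'Disabled')

# Print one line per check
$checks.GetEnumerator() | ForEach-Object {
    '{0,-26} {1}' -f $_.Key, $(if ($_.Value) { 'OK' } else { 'FAIL' })
}
```

The script deliberately inspects configuration only. Do not "test" the screen by writing a file that matches one of the patterns from an admin session: the command action would block your own account on every share it covers, just as it would a ransomware-infected user.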

If $AutoUpdate is set to $true, the script Update-FsrmKnownRansomware.ps1 will run every day at 7am to update the FSRM file group with the newest ransomware file patterns.

Once ransomware tries to save a file matching the known file group patterns, all shares are set to block the originating user.

After cleaning the user’s computer, unblocking can be done by PowerShell, too:

Get-SmbShare -Special $false | ForEach-Object { Unblock-SmbShareAccess -Name $_.Name -AccountName 'ACCOUNT NAME TO UNBLOCK' -Force }
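Before unblocking anyone it helps to see who the block action has actually locked out, since the Deny entries it creates are ordinary share permissions. The script below is an added example, not part of the original post: it lists every share-level Deny entry and, when an account name is supplied, removes that account's entries with -WhatIf/-Confirm support. The account name shown in the comment is constructed, and the parameter names are my own.

```powershell
# Added example (not from the original post). Run elevated on the file server:
#   .\Unblock-RansomwareUser.ps1                       # just list Deny entries
#   .\Unblock-RansomwareUser.ps1 -AccountName 'CONTOSO\jdoe' -WhatIf
[CmdletBinding(SupportsShouldProcess=$true)]
param(
    [string] $AccountName,                    # e.g. 'CONTOSO\jdoe' (constructed)
    [bool]   $IncludeSpecialShares = $false   # match $BlockSpecialShares used at screening time
)

# Select the same share set the file screen's block action operates on:
# all regular shares, plus the special (hidden) ones only when requested
$shares = Get-SmbShare | Where-Object { (-not $_.Special) -or $IncludeSpecialShares }

# Collect every Deny entry so an admin sees who was blocked before changing anything
$denied = foreach ($share in $shares) {
    Get-SmbShareAccess -Name $share.Name |
        Where-Object { $_.AccessControlType -eq 'Deny' } |
        Select-Object @{ n = 'Share'; e = { $share.Name } }, AccountName, AccessRight
}
$denied | Format-Table -AutoSize

# Remove the Deny entries for the cleaned-up account only, share by share
if ($AccountName) {
    foreach ($entry in ($denied | Where-Object { $_.AccountName -eq $AccountName })) {
        if ($PSCmdlet.ShouldProcess($entry.Share, "Unblock $AccountName")) {
            Unblock-SmbShareAccess -Name $entry.Share -AccountName $AccountName -Force
        }
    }
}
```

Running it without -AccountName is a useful periodic check on its own: a Deny entry you did not expect is a sign that the file screen fired and nobody followed up on the alert mail.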

For details see Matt Hopton’s blog post.

Please remember: You have to apply this on every file server and every user-accessible directory. It does not prevent the encryption of a user’s client computer, nor does it eliminate the risk of infection or loss of data. The script is provided without any warranty.

Get low-battery push notification from your notebook

Imagine the situation: you are presenting your newest PowerPoint slide show in front of your customer when your notebook’s screen suddenly goes black.
Reason: You missed the “Your battery is running critically low on power” message.

But you’re lucky: If you own a Microsoft Band (or any other push-compatible smart wear), here is a tiny proof-of-concept solution that prevents such an embarrassment.