##############################
# FSRM_NOCRYPTO_2012_to_2022 #
# W2012, w2012R2 w2016 w2019 #
# W2022 #
# David ANDE #
# GNU GENERAL PUBLIC LICENSE #
##############################
# Prerequisite check: the script relies on PowerShell 3+ features (ConvertFrom-Json,
# the FSRM module cmdlets) and is not usable under PowerShell v2, so stop early.
$powershellVer = $PSVersionTable.PSVersion.Major
if (-not ($powershellVer -ge 3))
{
    Write-Host "ERROR: PowerShell v3 or higher required."
    pause
    exit
}
# Pin outbound HTTPS to TLS 1.2 before any download; on older Server releases the
# default protocol set may not include TLS 1.2 and the fetch would fail against
# hosts that no longer accept older versions.
[System.Net.ServicePointManager]::SecurityProtocol = [System.Net.SecurityProtocolType]::Tls12
########## VARIABLE TO MODIFY #############
# Working directory. $PSScriptRoot (the folder this script lives in) is the
# recommended choice; uncomment and set the line below only to override it.
# $PSScriptRoot = "C:\FSRMNOCRYPTO"
# Source of the remote extension list. Leave unchanged unless you know what
# you are doing: the downloaded list is fed straight into FSRM include patterns.
# Previous source, no longer maintained by Experiant:
# $url = "https://fsrm.experiant.ca/api/v1/get"
$url = "https://raw.githubusercontent.com/DFFspace/CryptoBlocker/master/KnownExtensions.txt"
# Names of the FSRM objects this script creates (and deletes/recreates on each run).
$fileGroupName = "Crypto_Blocker_extensions"
$fileTemplateName = "Crypto_Blocker_Template"
$fileScreenName = "Crypto_Blocker_Filter"
# Passive (Active = false) file screens only write an event when a forbidden
# extension is saved; they do not block the write, so a passive share is NOT
# protected by FSRM. Any value other than "0" makes this script delete the
# passive screens it previously created; "0" keeps them.
$delpassive = "1"
#############################################
#############################################
# Bootstrap extensions.old: it holds the list applied on the previous run and is
# compared with the freshly downloaded one. It must exist and be non-empty so the
# comparison below is not handed $null; a placeholder line is written on first use,
# which guarantees the first real download is seen as "new" and applied.
$previousList = "$PSScriptRoot\extensions.old"
if (-not (Test-Path $previousList))
{
    New-Item -ItemType "file" $previousList
    Add-Content -Path $previousList -Value "exemple"
}
else
{
    Write-Host "extensions.old founded"
}
$previousSize = (Get-Item $previousList).Length
if ($previousSize -ge 1)
{
    Write-Host "extensions.old not empty Good"
}
else
{
    Add-Content -Path $previousList -Value "exemple"
    Write-Host "Extensions.old fixed"
}
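# Download the current extension list and compare it with the one applied last run.
# Security note: the list is fetched over HTTPS (TLS 1.2 forced above) but it is not
# signed or pinned, so whoever controls the source repository controls which patterns
# FSRM enforces on this server. Review upstream changes and use ext_to_accept.txt /
# ext_to_include.txt as the local override.
Try
{
    $downloadedList = "$PSScriptRoot\extensions.txt"
    $previousList = "$PSScriptRoot\extensions.old"
    Invoke-WebRequest $url -OutFile $downloadedList -UseBasicParsing -ContentType 'application/json; charset=UTF-8' -ErrorAction Stop
    # An empty response must not be mistaken for "nothing changed": treat it as a
    # failed download and keep the previous list.
    if ((Get-Item $downloadedList).Length -lt 1)
    {
        throw "Downloaded extension list is empty"
    }
    $dif = Compare-Object -ReferenceObject $(Get-Content $downloadedList) -DifferenceObject $(Get-Content $previousList)
    if (!$dif) {
        Write-Host "No new extensions to apply - Quit"
        Remove-Item $downloadedList
        exit
    }
}
Catch
{
    # Fix: the original only exited when extensions.txt did not exist; when it did, the
    # file was deleted and the script fell through and kept running without a list.
    # Always clean up and quit on a failed download/compare.
    Write-Host "Remote extension list Offline - Quit"
    If (Test-Path "$PSScriptRoot\extensions.txt")
    {
        Remove-Item "$PSScriptRoot\extensions.txt"
    }
    exit
}
Write-Host New Crypto extensions available will be added to FSRM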
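# Enumerate the paths behind every disk share on this server. Type 0 is a regular disk
# share, 2147483648 (0x80000000) an administrative disk share such as C$ or ADMIN$, so
# the screens created later also cover the root of each shared drive.
# Fix: the original regex '0|2147483648' was unanchored and matched any type value
# containing a "0" (e.g. 2147483650, a device admin share whose Path is not a
# filesystem directory). Compare the two values exactly instead.
$drivesContainingShares = Get-CimInstance -ClassName Win32_Share |
    Where-Object { $_.Type -eq 0 -or $_.Type -eq 2147483648 } |
    Where-Object { $_.Path } |
    Select-Object -ExpandProperty Path |
    Select-Object -Unique
# share_to_accept.txt lists share paths to leave unscreened, one per line; lines
# starting with "#" are comments. A missing file means "exclude nothing" (the original
# reached the same result but through a Get-Content error).
$shareExclusionFile = "$PSScriptRoot\share_to_accept.txt"
$exclShares = @()
if (Test-Path $shareExclusionFile) {
    $exclShares = Get-Content $shareExclusionFile | ForEach-Object { $_.Trim() } | Where-Object {$_ -notlike "#*"}
}
$monitoredShares = $drivesContainingShares | Where-Object { $exclShares -notcontains $_ }
if (!$exclShares) {
    Write-Host "Shares bypassing filtering file is empty"
}
else {
    Write-Host "Shares bypassing filtering : $exclShares"
}
# Optional response action: stop the Server service (lanmanserver), taking every share
# offline. It is deliberately NOT attached to the template below (only $EventNotification
# is); to enable it, pass "-Notification $EventNotification,$Commande" to
# New-FsrmFileScreenTemplate. Restore sharing afterwards with "net start lanmanserver".
# Caveat: FSRM runs this as LocalSystem on a matching write, so one false positive, or
# any user deliberately saving a single file with a listed extension on a share, takes
# the whole file server offline. Treat it as a last-resort containment switch, not a
# default, and make sure the on-call team knows how to restart the service.
$Commande = New-FsrmAction -Type Command -Command "c:\Windows\System32\cmd.exe" -CommandParameters "/c net stop lanmanserver /y" -SecurityLevel LocalSystem -KillTimeOut 0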
###################################################################################################
# JSON deserializer built on System.Web.Extensions (JavaScriptSerializer).
# Presumably a fallback for hosts lacking the ConvertFrom-Json cmdlet; the script body
# currently calls ConvertFrom-Json directly and never invokes this helper.
# Parameter: $obj - a JSON document as a string.
# Returns: the deserialized object (objects become dictionaries, arrays become
#          object[]), wrapped with the unary comma so a top-level array is not unrolled
#          by the pipeline on return.
function ConvertFrom-Json20([Object] $obj)
{
    Add-Type -AssemblyName System.Web.Extensions
    $jsonSerializer = New-Object -TypeName System.Web.Script.Serialization.JavaScriptSerializer
    $deserialized = $jsonSerializer.DeserializeObject($obj)
    return ,$deserialized
}
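# Parse the list that was just downloaded and compared, reading extensions.txt from disk
# instead of fetching $url a second time: a second request could return different
# content from the one that passed the "changed since last run" check, and the copy kept
# as extensions.old would then not match what was actually applied. Reading the file
# also avoids the IE-dependent parsing of Invoke-WebRequest without -UseBasicParsing.
# Expected format: a JSON document with a "filters" array of FSRM wildcard patterns
# (the shape of the former Experiant API). NOTE(review): if the current $url serves a
# plain-text list instead, this parse fails and the script exits here — confirm against
# the upstream file.
Try
{
    # The source is served as UTF-8; read it as such so non-ASCII patterns survive.
    $rawList = Get-Content "$PSScriptRoot\extensions.txt" -Raw -Encoding UTF8 -ErrorAction Stop
    $monitoredExtensions = ($rawList | ConvertFrom-Json -ErrorAction Stop).filters
    # A document without "filters" would otherwise yield $null and an empty file group.
    if ($null -eq $monitoredExtensions)
    {
        throw "Extension list has no 'filters' element"
    }
}
Catch
{
    Write-Host Error parsing extension list - Quit
    Remove-Item "$PSScriptRoot\extensions.txt"
    exit
}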
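# Local overrides, one pattern per line, "#" lines ignored; a missing file means no override.
# ext_to_accept.txt : patterns to remove from the downloaded list (e.g. an extension that a
#                     legitimate application on this server has to write).
# ext_to_include.txt: extra patterns to block in addition to the downloaded list.
$acceptFile = "$PSScriptRoot\ext_to_accept.txt"
$includeFile = "$PSScriptRoot\ext_to_include.txt"
$exclExtensions = @()
if (Test-Path $acceptFile) {
    $exclExtensions = Get-Content $acceptFile | ForEach-Object { $_.Trim() } | Where-Object {$_ -notlike "#*"}
}
$monitoredExtensions = $monitoredExtensions | Where-Object { $exclExtensions -notcontains $_ }
if (!$exclExtensions) {
    Write-Host "Extensions bypassing filtering is empty"
}
else {
    Write-Host "Extensions bypassing filtering : $exclExtensions"
}
$InclExtensions = @()
if (Test-Path $includeFile) {
    $InclExtensions = Get-Content $includeFile | ForEach-Object { $_.Trim() } | Where-Object {$_ -notlike "#*"}
}
# Fix: wrap both sides in @(). When the downloaded list held a single pattern,
# "string + array" concatenated everything into one bogus pattern instead of appending.
$monitoredExtensions = @($monitoredExtensions) + @($InclExtensions)
if (!$InclExtensions) {
    Write-Host "Extensions in ext_to_include.txt is empty"
}
else {
    Write-Host "Extensions in ext_to_include.txt added : $inclExtensions"
}
# Sanity checks BEFORE anything destructive happens: the next section deletes the existing
# FSRM group/template/screens and recreates them from this list. An empty list would leave
# the shares unprotected; a catch-all pattern would block essentially every write.
# Quitting here leaves extensions.old untouched, so the next run re-detects the change.
$monitoredExtensions = @($monitoredExtensions | Where-Object { -not [string]::IsNullOrWhiteSpace([string]$_) })
if ($monitoredExtensions.Count -eq 0) {
    Write-Host "Extension list is empty after applying overrides - Quit"
    Remove-Item "$PSScriptRoot\extensions.txt"
    exit
}
$overBroad = $monitoredExtensions | Where-Object { $_ -eq '*' -or $_ -eq '*.*' }
if ($overBroad) {
    Write-Host "Extension list contains a catch-all pattern ($overBroad) that would block every write - Quit"
    Remove-Item "$PSScriptRoot\extensions.txt"
    exit
}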
# Mail notification. It is defined but NOT attached to the template below (which only
# uses $EventNotification). To use it: replace the placeholder address with a monitored
# mailbox, configure the SMTP server in the FSRM options, and add $MailNotification to
# the template's -Notification list.
$maildestination = "[email protected]"
# Message shared by both actions; the bracketed tokens are FSRM variables that FSRM
# expands when the notification fires.
$violationBody = "The user [Source Io Owner] try to save [Source File Path] in [File Screen Path] on [Server]. This extension is contained in [Violated File Group], and is not permit on this server."
$MailNotification = New-FsrmAction -Type Email -MailTo "$maildestination" -Subject "Cryptolocker Alert" -Body $violationBody -RunLimitInterval 60
###############################################
# Event-log notification (the one actually attached to the template): a Warning per
# violation, rate-limited by -RunLimitInterval so a burst of blocked writes does not
# flood the log.
$EventNotification = New-FsrmAction -Type Event -EventType Warning -Body $violationBody -RunLimitInterval 60
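# Tear down the objects from the previous run so they can be recreated with the new list.
# Order: screens first (they reference the template), then the template (it references
# the group), then the group — the reverse of creation.
# Caveat: from here until the screens are recreated below, the shares are unscreened, and
# a failure during recreation leaves the server unprotected until the next successful run.
# Fix: compare names with -eq. -like treats *, ? and [ ] in the configured names as
# wildcards and could match (and delete) unrelated FSRM objects.
$delFSRMShares = Get-FsrmFileScreen |
    Where-Object { $_.Template -eq $fileTemplateName } |
    Select-Object -ExpandProperty Path
foreach ($Path in $delFSRMShares) {
    Remove-FsrmFileScreen $Path -Confirm:$False
    Write-Host FSRM Share "$Path" using file Screen Template "$fileTemplateName" Deleted
}
# Remove the template itself, now that no screen references it
$delScreenTemplate = Get-FsrmFileScreenTemplate |
    Where-Object { $_.Name -eq $fileTemplateName } |
    Select-Object -ExpandProperty Name
foreach ($Name in $delScreenTemplate) {
    Remove-FsrmFileScreenTemplate $Name -Confirm:$False
    Write-Host FSRM Screen Template $Name using File Group Name $fileGroupName Deleted
}
# Remove the file group last
$delFSRMGroupName = Get-FsrmFileGroup |
    Where-Object { $_.Name -eq $fileGroupName } |
    Select-Object -ExpandProperty Name
foreach ($Name in $delFSRMGroupName) {
    Remove-FsrmFileGroup $Name -Confirm:$False
    Write-Host FSRM File group $Name Deleted
}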
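# Recreate the FSRM objects from the final extension list. -ErrorAction Stop turns cmdlet
# failures into exceptions so a failed group or template creation aborts the run instead
# of being followed by misleading "created" messages. extensions.old is not updated on
# that path, so the next run re-detects the change and retries.
Try
{
    Write-Host Creating FSRM File Group $fileGroupName
    New-FsrmFileGroup -Name "$fileGroupName" -IncludePattern $monitoredExtensions -ErrorAction Stop | Out-Null
    # Only the event-log action is attached. To also run the containment command defined
    # above, use: -Notification $EventNotification,$Commande (read its caveat first).
    Write-Host Creating FSRM File Template $fileTemplateName including $fileGroupName
    New-FsrmFileScreenTemplate -Name "$fileTemplateName" -Active:$True -IncludeGroup "$fileGroupName" -Notification $EventNotification -ErrorAction Stop
}
Catch
{
    Write-Host "ERROR creating FSRM file group/template: $($_.Exception.Message)"
    Write-Host "Shares are currently NOT screened - fix the error and rerun - Quit"
    Remove-Item "$PSScriptRoot\extensions.txt"
    exit
}
# One active screen per monitored share path. A failure on one share (for example a path
# FSRM cannot screen) is reported, and the remaining shares are still screened.
foreach ($share in $monitoredShares) {
    Try
    {
        New-FsrmFileScreen -Path $share -Active:$true -Description "$fileScreenName" -IncludeGroup "$filegroupname" -Template "$fileTemplateName" -ErrorAction Stop
        Write-Host Share File Screen $share based on $fileTemplateName for the extensions list group $fileGroupName has been created
    }
    Catch
    {
        Write-Host "ERROR: could not create file screen on $share : $($_.Exception.Message)"
    }
}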
# Optional removal of passive screens. A screen with Active = false only logs and does
# not block, so leaving one in place gives a false sense of protection.
# NOTE(review): the teardown section above already deletes every screen that uses this
# template regardless of its Active flag, and the recreation makes them all active, so
# this loop is expected to find nothing to delete; it stays as a safety net.
if ($delpassive -eq '0') {
    Write-host FSRM Keeping Passive Protection Shares
}
else {
    $passivePaths = Get-FsrmFileScreen |
        Where-Object { (-not $_.Active) -and ($_.Template -like "$fileTemplateName") } |
        Select-Object -ExpandProperty Path
    foreach ($passivePath in $passivePaths) {
        Remove-FsrmFileScreen $passivePath -Confirm:$False
        Write-Host FSRM Deleting Passive Protection Share::: $passivePath
    }
}
# Promote the applied list to extensions.old so the next run compares against it.
# This is the last step on purpose: an aborted run keeps the previous baseline, so the
# same download is detected as "new" again and retried.
Remove-Item "$PSScriptRoot\extensions.old"
Copy-Item "$PSScriptRoot\extensions.txt" "$PSScriptRoot\extensions.old"
Remove-Item "$PSScriptRoot\extensions.txt"
Write-Host "`n"
Write-Output Finish
Exit