Closed Samsonait closed 1 year ago
Something you could try is the following code:
# Define variables
$ErrorLog = "C:\FSRMscript\Error\FSRMscript.txt"
$DateTime = Get-Date
$UpdateURL = "https://raw.githubusercontent.com/DFFspace/CryptoBlocker/master/KnownExtensions.txt"
$FsrmFileGroupName = "Known Ransomware Files"
$Logfile = $ErrorLog
Function LogWrite {
Param ([string]$logstring)
Add-Content $Logfile -Value $logstring -Encoding UTF8
}
try {
# Get last updated date
LogWrite "Fetching last updated date from $UpdateURL ..."
$LastUpdated = ((Invoke-WebRequest -Uri $UpdateURL -ErrorAction Stop).Content | ConvertFrom-Json).lastupdated
$Date = $LastUpdated.Substring(0, $LastUpdated.LastIndexOf('T'))
# Get extensions
LogWrite "Fetching list of extensions from $UpdateURL ..."
$Extensions = ((Invoke-WebRequest -Uri $UpdateURL -ErrorAction Stop).Content | ConvertFrom-Json).filters
# Check if file group exists, update or create file group accordingly
if (Get-FsrmFileGroup -Name $FsrmFileGroupName -ErrorAction SilentlyContinue) {
LogWrite "File group '$FsrmFileGroupName' already exists. Updating include and exclude patterns ..."
$FSRMgroup = Get-FsrmFileGroup $FsrmFileGroupName
$NewExtensions = Compare-Object -ReferenceObject $Extensions -DifferenceObject $FSRMgroup.IncludePattern -PassThru | Sort-Object
$listInclude = $FSRMgroup.IncludePattern + @($NewExtensions)
$listExclude = $FSRMgroup.ExcludePattern + @("*.lck")
Set-FsrmFileGroup -Name $FsrmFileGroupName -IncludePattern $listInclude -ExcludePattern $listExclude
}
else {
LogWrite "Creating new file group '$FsrmFileGroupName' with include and exclude patterns ..."
New-FsrmFileGroup -Name $FsrmFileGroupName -IncludePattern $Extensions -ExcludePattern "*.lck" -ErrorAction Stop | Out-Null
$NewExtensions = $Extensions | Sort-Object
}
LogWrite "Script completed successfully."
}
catch {
$ErrorMessage = $_.Exception.Message
Write-Host -ForegroundColor Yellow $ErrorMessage
LogWrite "$($DateTime) - ERROR: $ErrorMessage"
}
I will try! And if I add new extensions to that, is it comma separated? @(".lck",".one") Or like this: @(".lck")@(".one")
Yes, you could even define a variable at the top if you want to make it a bit easier.
Like this: $ExcludeExtensions = @("*.lck", "*.one")
Then use @($ExcludeExtensions) on the $FSRMgroup.ExcludePattern + line; that should do the trick.
$ErrorLog = "C:\Services\Ransomware\FSRMscript.txt"
$DateTime = Get-Date
$UpdateURL = "https://raw.githubusercontent.com/DFFspace/CryptoBlocker/master/KnownExtensions.txt"
$FsrmFileGroupName = "Ransomware"
$Logfile = $ErrorLog
$ExcludeExtension = @(".lck", ".one")
Function LogWrite {
Param ([string]$logstring)
Add-Content $Logfile -Value $logstring -Encoding UTF8
}
try {
LogWrite "Fetching last updated date from $UpdateURL ..."
$LastUpdated = ((Invoke-WebRequest -Uri $UpdateURL -ErrorAction Stop).Content | ConvertFrom-Json).lastupdated
$Date = $LastUpdated.Substring(0, $LastUpdated.LastIndexOf('T'))
# Get extensions
LogWrite "Fetching list of extensions from $UpdateURL ..."
$Extensions = ((Invoke-WebRequest -Uri $UpdateURL -ErrorAction Stop).Content | ConvertFrom-Json).filters
# Check if file group exists, update or create file group accordingly
if (Get-FsrmFileGroup -Name $FsrmFileGroupName -ErrorAction SilentlyContinue) {
LogWrite "File group '$FsrmFileGroupName' already exists. Updating include and exclude patterns ..."
$FSRMgroup = Get-FsrmFileGroup $FsrmFileGroupName
$NewExtensions = Compare-Object -ReferenceObject $Extensions -DifferenceObject $FSRMgroup.IncludePattern -PassThru | Sort-Object
$listInclude = $FSRMgroup.IncludePattern + @($NewExtensions)
$listExclude = $FSRMgroup.ExcludePattern + @($ExcludeExtensions)
Set-FsrmFileGroup -Name $FsrmFileGroupName -IncludePattern $listInclude -ExcludePattern $listExclude
}
else {
LogWrite "Creating new file group '$FsrmFileGroupName' with include and exclude patterns ..."
New-FsrmFileGroup -Name $FsrmFileGroupName -IncludePattern $Extensions -ExcludePattern "*.lck" -ErrorAction Stop | Out-Null
$NewExtensions = $Extensions | Sort-Object
}
LogWrite "Script completed successfully."
}
catch {
$ErrorMessage = $_.Exception.Message
Write-Host -ForegroundColor Yellow $ErrorMessage
LogWrite "$($DateTime) - ERROR: $ErrorMessage"
}
Which results in:
Set-FsrmFileGroup : 0x80070057, The parameter is incorrect.
At C:\Services\Ransomware\UpdateRansonwareLijst.ps1:37 char:9
+ CategoryInfo : InvalidArgument: (MSFT_FSRMFileGroup (Name = "Ransomware"):Root/Microsoft/...T_FSRMFileGroup) [Set-FsrmFileGroup], CimException
+ FullyQualifiedErrorId : MI RESULT 4,Set-FsrmFileGroup
But I don't see a typo on
Set-FsrmFileGroup -Name $FsrmFileGroupName -IncludePattern $listInclude -ExcludePattern $listExclude
Any idea m8? :) Thanks for the help so far, it's been really helpful.
Hmmm....
I have run a test on my test VM and it seems to work as expected. Here is the code that I used for it:
# Define variables
$ErrorLog = "C:\FSRMscript\Error\FSRMscript.txt"
$DateTime = Get-Date
$UpdateURL = "https://raw.githubusercontent.com/DFFspace/CryptoBlocker/master/KnownExtensions.txt"
$FsrmFileGroupName = "Known Ransomware Files"
$Logfile = $ErrorLog
$ExcludeExtension = @(".lck", ".one")
Function LogWrite {
Param ([string]$logstring)
Add-Content $Logfile -Value $logstring -Encoding UTF8
}
try {
# Get last updated date
LogWrite "Fetching last updated date from $UpdateURL ..."
$LastUpdated = ((Invoke-WebRequest -Uri $UpdateURL -ErrorAction Stop).Content | ConvertFrom-Json).lastupdated
$Date = $LastUpdated.Substring(0, $LastUpdated.LastIndexOf('T'))
# Get extensions
LogWrite "Fetching list of extensions from $UpdateURL ..."
$Extensions = ((Invoke-WebRequest -Uri $UpdateURL -ErrorAction Stop).Content | ConvertFrom-Json).filters
# Check if file group exists, update or create file group accordingly
if (Get-FsrmFileGroup -Name $FsrmFileGroupName -ErrorAction SilentlyContinue) {
LogWrite "File group '$FsrmFileGroupName' already exists. Updating include and exclude patterns ..."
$FSRMgroup = Get-FsrmFileGroup $FsrmFileGroupName
$NewExtensions = Compare-Object -ReferenceObject $Extensions -DifferenceObject $FSRMgroup.IncludePattern -PassThru | Sort-Object
$listInclude = $FSRMgroup.IncludePattern + @($NewExtensions)
$listExclude = $FSRMgroup.ExcludePattern + @($ExcludeExtension)
Set-FsrmFileGroup -Name $FsrmFileGroupName -IncludePattern $listInclude -ExcludePattern $listExclude
}
else {
LogWrite "Creating new file group '$FsrmFileGroupName' with include and exclude patterns ..."
New-FsrmFileGroup -Name $FsrmFileGroupName -IncludePattern $Extensions -ExcludePattern $ExcludeExtension -ErrorAction Stop | Out-Null
$NewExtensions = $Extensions | Sort-Object
}
LogWrite "Script completed successfully."
}
catch {
$ErrorMessage = $_.Exception.Message
Write-Host -ForegroundColor Yellow $ErrorMessage
LogWrite "$($DateTime) - ERROR: $ErrorMessage"
}
I think I had a typo somewhere, it's working like a charm. Thanks bro!
Hey man, I need to reopen this. Can you help me with the following?
The files to exclude are also in the include, which is causing it to break. Also it gets double entries.
I'm using the code above, but after running the PowerShell script from a scheduled task I get double entries. See:
And if you run it twice this is what happens:
I feel like I also have to do this $NewExtensions = Compare-Object -ReferenceObject $Extensions -DifferenceObject $FSRMgroup.IncludePattern -PassThru | Sort-Object
but then also with the exclude?
That's odd.... I'll be running some tests and debugs later to see what causes this.
Much appreciated man! Anywhere I can buy you a cup of coffee?
From my tests I noticed that the only issue seems to be adding duplicates of the excluded extensions. The other error message, where it tells you that it can't have both in include or exclude, is normal because you cannot have the same extension in both the include and the exclude pattern. It would be strange if they allowed that to happen haha.
From my tests the above code does not add the exclude extensions to the include pattern, but it does seem to duplicate the excluded extensions on every run. I will look at what causes this. I have noticed this too with only the included extensions: when I have an extension with a typo and then fix the typo, it keeps duplicating the extension that had the typo.
# Define variables
$ErrorLog = "C:\FSRMscript\Error\FSRMscript.txt"
$DateTime = Get-Date
$UpdateURL = "https://raw.githubusercontent.com/DFFspace/CryptoBlocker/master/KnownExtensions.txt"
$FsrmFileGroupName = "Known Ransomware Files"
$Logfile = $ErrorLog
$ExcludeExtension = @("*.lck", "*.one")
Function LogWrite {
Param ([string]$logstring)
Add-Content $Logfile -Value $logstring -Encoding UTF8
}
try {
# Get last updated date
LogWrite "Fetching last updated date from $UpdateURL ..."
$LastUpdated = ((Invoke-WebRequest -Uri $UpdateURL -ErrorAction Stop).Content | ConvertFrom-Json).lastupdated
$Date = $LastUpdated.Substring(0, $LastUpdated.LastIndexOf('T'))
# Get extensions
LogWrite "Fetching list of extensions from $UpdateURL ..."
$Extensions = ((Invoke-WebRequest -Uri $UpdateURL -ErrorAction Stop).Content | ConvertFrom-Json).filters
# Check if file group exists, update or create file group accordingly
if (Get-FsrmFileGroup -Name $FsrmFileGroupName -ErrorAction SilentlyContinue) {
LogWrite "File group '$FsrmFileGroupName' already exists. Updating include and exclude patterns ..."
$FSRMgroup = Get-FsrmFileGroup $FsrmFileGroupName
$NewExtensions = Compare-Object -ReferenceObject $Extensions -DifferenceObject $FSRMgroup.IncludePattern -PassThru | Sort-Object
$NewExcludeExtension = Compare-Object -ReferenceObject $ExcludeExtension -DifferenceObject $FSRMgroup.ExcludePattern -PassThru | Sort-Object
$listInclude = $FSRMgroup.IncludePattern + @($NewExtensions)
$listExclude = $FSRMgroup.ExcludePattern + @($NewExcludeExtension)
Set-FsrmFileGroup -Name $FsrmFileGroupName -IncludePattern $listInclude -ExcludePattern $listExclude
}
else {
LogWrite "Creating new file group '$FsrmFileGroupName' with include and exclude patterns ..."
New-FsrmFileGroup -Name $FsrmFileGroupName -IncludePattern $Extensions -ExcludePattern $ExcludeExtension -ErrorAction Stop | Out-Null
$NewExtensions = $Extensions | Sort-Object
}
LogWrite "Script completed successfully."
}
catch {
$ErrorMessage = $_.Exception.Message
Write-Host -ForegroundColor Yellow $ErrorMessage
LogWrite "$($DateTime) - ERROR: $ErrorMessage"
}
This should solve it. You were in the right direction with adding one for the exclude too haha.
$listExclude = $FSRMgroup.ExcludePattern + @($ExcludeExtension)
By running that it just kept adding them over and over on every run.
$NewExcludeExtension = Compare-Object -ReferenceObject $ExcludeExtension -DifferenceObject $FSRMgroup.ExcludePattern -PassThru | Sort-Object
Adding this and changing this $listExclude = $FSRMgroup.ExcludePattern + @($NewExcludeExtension)
solves it.
Nice! I don't get doubles!
Do you also still have it that they put the extension in the include - and - exclude?
I deleted the entire ransomware list (except 1 because it wants 1 in there), I re-ran the script, and it still adds it in the include and the exclude lol
And you still haven't told me where I can buy you a coffee, do you take donations?
Can you share the script that you are using with your scheduled task?
And I don't take any donations haha.
$ErrorLog = "C:\Services\Ransomware\FSRMscript.txt"
$DateTime = Get-Date
$UpdateURL = "https://raw.githubusercontent.com/DFFspace/CryptoBlocker/master/KnownExtensions.txt"
$FsrmFileGroupName = "Ransomware"
$Logfile = $ErrorLog
$ExcludeExtension = @(".lck", ".one", ".tro", ".szf")
Function LogWrite {
Param ([string]$logstring)
Add-Content $Logfile -Value $logstring -Encoding UTF8
}
try {
LogWrite "Fetching last updated date from $UpdateURL ..."
$LastUpdated = ((Invoke-WebRequest -Uri $UpdateURL -ErrorAction Stop).Content | ConvertFrom-Json).lastupdated
$Date = $LastUpdated.Substring(0, $LastUpdated.LastIndexOf('T'))
# Get extensions
LogWrite "Fetching list of extensions from $UpdateURL ..."
$Extensions = ((Invoke-WebRequest -Uri $UpdateURL -ErrorAction Stop).Content | ConvertFrom-Json).filters
# Check if file group exists, update or create file group accordingly
if (Get-FsrmFileGroup -Name $FsrmFileGroupName -ErrorAction SilentlyContinue) {
LogWrite "File group '$FsrmFileGroupName' already exists. Updating include and exclude patterns ..."
$FSRMgroup = Get-FsrmFileGroup $FsrmFileGroupName
$NewExtensions = Compare-Object -ReferenceObject $Extensions -DifferenceObject $FSRMgroup.IncludePattern -PassThru | Sort-Object
$NewExcludeExtension = Compare-Object -ReferenceObject $ExcludeExtension -DifferenceObject $FSRMgroup.ExcludePattern -PassThru | Sort-Object
$listInclude = $FSRMgroup.IncludePattern + @($NewExtensions)
$listExclude = $FSRMgroup.ExcludePattern + @($NewExcludeExtension)
Set-FsrmFileGroup -Name $FsrmFileGroupName -IncludePattern $listInclude -ExcludePattern $listExclude
}
else {
LogWrite "Creating new file group '$FsrmFileGroupName' with include and exclude patterns ..."
New-FsrmFileGroup -Name $FsrmFileGroupName -IncludePattern $Extensions -ExcludePattern $ExcludeExtension -ErrorAction Stop | Out-Null
$NewExtensions = $Extensions | Sort-Object
}
LogWrite "Script completed successfully."
}
catch {
$ErrorMessage = $_.Exception.Message
Write-Host -ForegroundColor Yellow $ErrorMessage
LogWrite "$($DateTime) - ERROR: $ErrorMessage"
}
Send-MailMessage -From ransomwareupdate@ltonoord.nl -Subject "Update geslaagd op $env:COMPUTERNAME" -To ict@ltonoord.nl -Body "Nieuwe Ransomware groep update geslaagd op $env:COMPUTERNAME " -BodyAsHtml -DeliveryNotificationOption OnSuccess -SmtpServer 192.168.1.9
Looks like the extensions that you are excluding seem to appear in the KnownExtensions list as well. So that seems to be the issue where it adds them to both.
$ErrorLog = "C:\Services\Ransomware\FSRMscript.txt"
$DateTime = Get-Date
$UpdateURL = "https://raw.githubusercontent.com/DFFspace/CryptoBlocker/master/KnownExtensions.txt"
$FsrmFileGroupName = "Ransomware"
$Logfile = $ErrorLog
$ExcludeExtension = @("*.lck", "*.one", "*.tro", "*.szf")
# Force TLS 1.2 for a secure pull
[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
Function LogWrite {
Param ([string]$logstring)
Add-Content $Logfile -Value $logstring -Encoding UTF8
}
try {
# Get last updated date
LogWrite "Fetching last updated date from $UpdateURL ..."
$LastUpdated = ((Invoke-WebRequest -Uri $UpdateURL -ErrorAction Stop).Content | ConvertFrom-Json).lastupdated
$Date = $LastUpdated.Substring(0, $LastUpdated.LastIndexOf('T'))
# Get extensions
LogWrite "Fetching list of extensions from $UpdateURL ..."
$Extensions = ((Invoke-WebRequest -Uri $UpdateURL -ErrorAction Stop).Content | ConvertFrom-Json).filters
# Remove excluded extensions from extensions list
foreach ($exclude in $ExcludeExtension) {
$Extensions = $Extensions | Where-Object { $_ -notlike $exclude }
}
# Check if file group exists, update or create file group accordingly
if (Get-FsrmFileGroup -Name $FsrmFileGroupName -ErrorAction SilentlyContinue) {
LogWrite "File group '$FsrmFileGroupName' already exists. Updating include and exclude patterns ..."
$FSRMgroup = Get-FsrmFileGroup $FsrmFileGroupName
$NewExtensions = Compare-Object -ReferenceObject $Extensions -DifferenceObject $FSRMgroup.IncludePattern -PassThru | Sort-Object
$NewExcludeExtension = Compare-Object -ReferenceObject $ExcludeExtension -DifferenceObject $FSRMgroup.ExcludePattern -PassThru | Sort-Object
$listInclude = $FSRMgroup.IncludePattern + @($NewExtensions)
$listExclude = $FSRMgroup.ExcludePattern + @($NewExcludeExtension)
Set-FsrmFileGroup -Name $FsrmFileGroupName -IncludePattern $listInclude -ExcludePattern $listExclude
}
else {
LogWrite "Creating new file group '$FsrmFileGroupName' with include and exclude patterns ..."
New-FsrmFileGroup -Name $FsrmFileGroupName -IncludePattern $Extensions -ExcludePattern $ExcludeExtension -ErrorAction Stop | Out-Null
$NewExtensions = $Extensions | Sort-Object
}
LogWrite "Script completed successfully."
}
catch {
$ErrorMessage = $_.Exception.Message
Write-Host -ForegroundColor Yellow $ErrorMessage
LogWrite "$($DateTime) - ERROR: $ErrorMessage"
}
#Mailing
Send-MailMessage -From ransomwareupdate@ltonoord.nl -Subject "Update geslaagd op $env:COMPUTERNAME" -To ict@ltonoord.nl -Body "Nieuwe Ransomware groep update geslaagd op $env:COMPUTERNAME " -BodyAsHtml -DeliveryNotificationOption OnSuccess -SmtpServer 192.168.1.9
I have added some code that should remove them from $Extensions.
Lines 26 to 29 have been added and I have added * to the ExcludeExtensions.
Now a weird thing happens: instead of excluding them I get 2 of them in the Include LOL
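The scripts in this thread append the output of Compare-Object to the existing pattern lists, and Compare-Object reports differences from both sides, so anything the group holds that upstream no longer lists (a corrected typo, a dropped extension) is appended again on every run. The following is an added example, not code from this thread or from the CryptoBlocker project, of an idempotent sync: it normalises bare extensions to wildcards, removes the local exclusions from the include set so no pattern lands in both lists, and replaces the group's lists outright only when they differ. The function names ConvertTo-FsrmPattern, Get-DesiredPatternSets and Sync-FsrmRansomwareGroup are my own; the FSRM cmdlets are the ones used above, and the usage data at the bottom is constructed.

```powershell
function ConvertTo-FsrmPattern {
    # FSRM file-group patterns are wildcards: ".lck" matches only a file literally
    # named ".lck", while "*.lck" matches every file with that extension.
    param([string]$Pattern)
    $p = $Pattern.Trim()
    if ($p.StartsWith('.')) { "*$p" } else { $p }
}

function Get-DesiredPatternSets {
    # Build the exact include/exclude sets the group should end up with.
    param(
        [string[]]$UpstreamFilters,   # the "filters" array from KnownExtensions.txt
        [string[]]$ExcludePatterns    # local exclusions, e.g. @(".lck", ".one")
    )
    $exclude = @($ExcludePatterns | ForEach-Object { ConvertTo-FsrmPattern $_ } | Sort-Object -Unique)
    # FSRM rejects a pattern that is in both lists, so drop the exclusions from the include set.
    $include = @($UpstreamFilters | ForEach-Object { ConvertTo-FsrmPattern $_ } |
                Sort-Object -Unique | Where-Object { $_ -notin $exclude })
    [pscustomobject]@{ Include = $include; Exclude = $exclude }
}

function Sync-FsrmRansomwareGroup {
    # Create the group or replace its pattern lists; returns what happened.
    param(
        [string]$Name,
        [string[]]$UpstreamFilters,
        [string[]]$ExcludePatterns
    )
    $want  = Get-DesiredPatternSets -UpstreamFilters $UpstreamFilters -ExcludePatterns $ExcludePatterns
    $group = Get-FsrmFileGroup -Name $Name -ErrorAction SilentlyContinue
    if (-not $group) {
        New-FsrmFileGroup -Name $Name -IncludePattern $want.Include -ExcludePattern $want.Exclude -ErrorAction Stop | Out-Null
        return 'created'
    }
    # Compare-Object is used here only as a change check (it reports differences on BOTH
    # sides); the whole list is then replaced with the desired set instead of appended to.
    $haveInc = @($group.IncludePattern | Where-Object { $_ })
    $haveExc = @($group.ExcludePattern | Where-Object { $_ })
    $changed = (Compare-Object $haveInc $want.Include) -or (Compare-Object $haveExc $want.Exclude)
    if (-not $changed) { return 'unchanged' }
    Set-FsrmFileGroup -Name $Name -IncludePattern $want.Include -ExcludePattern $want.Exclude -ErrorAction Stop
    return 'updated'
}

# Usage with constructed sample data (in the real script $UpstreamFilters is the "filters"
# array fetched from $UpdateURL, which may itself contain the excluded extensions):
Sync-FsrmRansomwareGroup -Name 'Ransomware' `
    -UpstreamFilters @('*.locky', '*.lck', '*.zepto', '*.LCK') `
    -ExcludePatterns @('.lck', '.one')
```

Running it twice in a row returns 'unchanged' the second time, which is the property the scheduled task needs.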
Does this also happen when you remove the Ransomware FSRM group and rerun the script to create the FSRM group again?
I ran the above on my Windows Server 2022 and it seems to create the Ransomware group while adding the 4 to exclude, and they don't appear in include; running it multiple times seems to still work as intended.
Deleting and re-adding solved the issue m8
You won't let me give you a cup of coffee, so I just have to thank you
Thanks man!
No problem!
/closed
Question about the simplified version, it's great!
How would you add an -ExcludePattern? I have 1 particular pattern, which is .lck, that is used by a database on a production server. So when I update, I want to exclude a particular pattern automatically.
Is that possible? And on which line would you add it? Right now: -ExcludePattern @("*.lck")
is creating a system error for me; without the line it's working perfectly.