DFFspace / CryptoBlocker

A script to deploy File Server Resource Manager and associated scripts to block infected users
GNU General Public License v2.0

Question about AddFSRMFileGroup.ps1 #52

Closed Samsonait closed 1 year ago

Samsonait commented 1 year ago

Question about the simplified version, it's great!

How would you add an -ExcludePattern? I have 1 particular pattern, .lck, which is used by a database on a production server. So when I update, I want to exclude a particular pattern automatically.

Is that possible? And which line would you add? Right now: -ExcludePattern @("*.lck")

is creating a system error for me; without the line it's working perfectly.

DFFspace commented 1 year ago

Something you could try is the following code:

# Define variables
$ErrorLog          = "C:\FSRMscript\Error\FSRMscript.txt"
$DateTime          = Get-Date
$UpdateURL         = "https://raw.githubusercontent.com/DFFspace/CryptoBlocker/master/KnownExtensions.txt"
$FsrmFileGroupName = "Known Ransomware Files"
$Logfile           = $ErrorLog

Function LogWrite {
    Param ([string]$logstring)
    Add-Content $Logfile -Value $logstring -Encoding UTF8
}

try {
    # Get last updated date
    LogWrite "Fetching last updated date from $UpdateURL ..."
    $LastUpdated = ((Invoke-WebRequest -Uri $UpdateURL -ErrorAction Stop).Content | ConvertFrom-Json).lastupdated
    $Date = $LastUpdated.Substring(0, $LastUpdated.LastIndexOf('T'))

    # Get extensions
    LogWrite "Fetching list of extensions from $UpdateURL ..."
    $Extensions = ((Invoke-WebRequest -Uri $UpdateURL -ErrorAction Stop).Content | ConvertFrom-Json).filters

    # Check if file group exists, update or create file group accordingly
    if (Get-FsrmFileGroup -Name $FsrmFileGroupName -ErrorAction SilentlyContinue) {
        LogWrite "File group '$FsrmFileGroupName' already exists. Updating include and exclude patterns ..."
        $FSRMgroup = Get-FsrmFileGroup $FsrmFileGroupName
        $NewExtensions = Compare-Object -ReferenceObject $Extensions -DifferenceObject $FSRMgroup.IncludePattern -PassThru | Sort-Object
        $listInclude = $FSRMgroup.IncludePattern + @($NewExtensions)
        $listExclude = $FSRMgroup.ExcludePattern + @("*.lck")
        Set-FsrmFileGroup -Name $FsrmFileGroupName -IncludePattern $listInclude -ExcludePattern $listExclude
    }
    else {
        LogWrite "Creating new file group '$FsrmFileGroupName' with include and exclude patterns ..."
        New-FsrmFileGroup -Name $FsrmFileGroupName -IncludePattern $Extensions -ExcludePattern "*.lck" -ErrorAction Stop | Out-Null
        $NewExtensions = $Extensions | Sort-Object
    }

    LogWrite "Script completed successfully."
}
catch {
    $ErrorMessage = $_.Exception.Message
    Write-Host -ForegroundColor Yellow $ErrorMessage
    LogWrite "$($DateTime) - ERROR: $ErrorMessage"
}
Samsonait commented 1 year ago

Something you could try is the following code:

# Define variables
$ErrorLog          = "C:\FSRMscript\Error\FSRMscript.txt"
$DateTime          = Get-Date
$UpdateURL         = "https://raw.githubusercontent.com/DFFspace/CryptoBlocker/master/KnownExtensions.txt"
$FsrmFileGroupName = "Known Ransomware Files"
$Logfile           = $ErrorLog

Function LogWrite {
    Param ([string]$logstring)
    Add-Content $Logfile -Value $logstring -Encoding UTF8
}

try {
    # Get last updated date
    LogWrite "Fetching last updated date from $UpdateURL ..."
    $LastUpdated = ((Invoke-WebRequest -Uri $UpdateURL -ErrorAction Stop).Content | ConvertFrom-Json).lastupdated
    $Date = $LastUpdated.Substring(0, $LastUpdated.LastIndexOf('T'))

    # Get extensions
    LogWrite "Fetching list of extensions from $UpdateURL ..."
    $Extensions = ((Invoke-WebRequest -Uri $UpdateURL -ErrorAction Stop).Content | ConvertFrom-Json).filters

    # Check if file group exists, update or create file group accordingly
    if (Get-FsrmFileGroup -Name $FsrmFileGroupName -ErrorAction SilentlyContinue) {
        LogWrite "File group '$FsrmFileGroupName' already exists. Updating include and exclude patterns ..."
        $FSRMgroup = Get-FsrmFileGroup $FsrmFileGroupName
        $NewExtensions = Compare-Object -ReferenceObject $Extensions -DifferenceObject $FSRMgroup.IncludePattern -PassThru | Sort-Object
        $listInclude = $FSRMgroup.IncludePattern + @($NewExtensions)
        $listExclude = $FSRMgroup.ExcludePattern + @("*.lck")
        Set-FsrmFileGroup -Name $FsrmFileGroupName -IncludePattern $listInclude -ExcludePattern $listExclude
    }
    else {
        LogWrite "Creating new file group '$FsrmFileGroupName' with include and exclude patterns ..."
        New-FsrmFileGroup -Name $FsrmFileGroupName -IncludePattern $Extensions -ExcludePattern "*.lck" -ErrorAction Stop | Out-Null
        $NewExtensions = $Extensions | Sort-Object
    }

    LogWrite "Script completed successfully."
}
catch {
    $ErrorMessage = $_.Exception.Message
    Write-Host -ForegroundColor Yellow $ErrorMessage
    LogWrite "$($DateTime) - ERROR: $ErrorMessage"
}

I will try! And if I add new extensions to that, is it comma separated? @(".lck",".one") Or like this: @(".lck")@(".one")

DFFspace commented 1 year ago

Yes, you could even define a variable at the top if you want to make it a bit easier.

Like this: $ExcludeExtensions = @("*.lck", "*.one")

Then define it like @($ExcludeExtensions) at the $FSRMgroup.ExcludePattern + line; that should do the trick.

Samsonait commented 1 year ago

# Define variables
$ErrorLog          = "C:\Services\Ransomware\FSRMscript.txt"
$DateTime          = Get-Date
$UpdateURL         = "https://raw.githubusercontent.com/DFFspace/CryptoBlocker/master/KnownExtensions.txt"
$FsrmFileGroupName = "Ransomware"
$Logfile           = $ErrorLog
$ExcludeExtension  = @(".lck", ".one")

# Force TLS 1.2 for a secure pull
[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12

Function LogWrite {
    Param ([string]$logstring)
    Add-Content $Logfile -Value $logstring -Encoding UTF8
}

try {
    # Get last updated date
    LogWrite "Fetching last updated date from $UpdateURL ..."
    $LastUpdated = ((Invoke-WebRequest -Uri $UpdateURL -ErrorAction Stop).Content | ConvertFrom-Json).lastupdated
    $Date = $LastUpdated.Substring(0, $LastUpdated.LastIndexOf('T'))

    # Get extensions
    LogWrite "Fetching list of extensions from $UpdateURL ..."
    $Extensions = ((Invoke-WebRequest -Uri $UpdateURL -ErrorAction Stop).Content | ConvertFrom-Json).filters

    # Check if file group exists, update or create file group accordingly
    if (Get-FsrmFileGroup -Name $FsrmFileGroupName -ErrorAction SilentlyContinue) {
        LogWrite "File group '$FsrmFileGroupName' already exists. Updating include and exclude patterns ..."
        $FSRMgroup = Get-FsrmFileGroup $FsrmFileGroupName
        $NewExtensions = Compare-Object -ReferenceObject $Extensions -DifferenceObject $FSRMgroup.IncludePattern -PassThru | Sort-Object
        $listInclude = $FSRMgroup.IncludePattern + @($NewExtensions)
        $listExclude = $FSRMgroup.ExcludePattern + @($ExcludeExtensions)
        Set-FsrmFileGroup -Name $FsrmFileGroupName -IncludePattern $listInclude -ExcludePattern $listExclude
    }
    else {
        LogWrite "Creating new file group '$FsrmFileGroupName' with include and exclude patterns ..."
        New-FsrmFileGroup -Name $FsrmFileGroupName -IncludePattern $Extensions -ExcludePattern "*.lck" -ErrorAction Stop | Out-Null
        $NewExtensions = $Extensions | Sort-Object
    }

    LogWrite "Script completed successfully."
}
catch {
    $ErrorMessage = $_.Exception.Message
    Write-Host -ForegroundColor Yellow $ErrorMessage
    LogWrite "$($DateTime) - ERROR: $ErrorMessage"
}

Which results in a Set-FsrmFileGroup : 0x80070057, The parameter is incorrect. At C:\Services\Ransomware\UpdateRansonwareLijst.ps1:37 char:9

But I don't see a typo on

Set-FsrmFileGroup -Name $FsrmFileGroupName -IncludePattern $listInclude -ExcludePattern $listExclude

Any idea m8? :) Thanks for the help for now, it's been really helpful.

DFFspace commented 1 year ago

Hmmm....

I have ran a test on my test VM and seems to work as expected. Here is the code that I used for it:

# Define variables
$ErrorLog          = "C:\FSRMscript\Error\FSRMscript.txt"
$DateTime          = Get-Date
$UpdateURL         = "https://raw.githubusercontent.com/DFFspace/CryptoBlocker/master/KnownExtensions.txt"
$FsrmFileGroupName = "Known Ransomware Files"
$Logfile           = $ErrorLog
$ExcludeExtension  = @(".lck", ".one")

Function LogWrite {
    Param ([string]$logstring)
    Add-Content $Logfile -Value $logstring -Encoding UTF8
}

try {
    # Get last updated date
    LogWrite "Fetching last updated date from $UpdateURL ..."
    $LastUpdated = ((Invoke-WebRequest -Uri $UpdateURL -ErrorAction Stop).Content | ConvertFrom-Json).lastupdated
    $Date = $LastUpdated.Substring(0, $LastUpdated.LastIndexOf('T'))

    # Get extensions
    LogWrite "Fetching list of extensions from $UpdateURL ..."
    $Extensions = ((Invoke-WebRequest -Uri $UpdateURL -ErrorAction Stop).Content | ConvertFrom-Json).filters

    # Check if file group exists, update or create file group accordingly
    if (Get-FsrmFileGroup -Name $FsrmFileGroupName -ErrorAction SilentlyContinue) {
        LogWrite "File group '$FsrmFileGroupName' already exists. Updating include and exclude patterns ..."
        $FSRMgroup = Get-FsrmFileGroup $FsrmFileGroupName
        $NewExtensions = Compare-Object -ReferenceObject $Extensions -DifferenceObject $FSRMgroup.IncludePattern -PassThru | Sort-Object
        $listInclude = $FSRMgroup.IncludePattern + @($NewExtensions)
        $listExclude = $FSRMgroup.ExcludePattern + @($ExcludeExtension)
        Set-FsrmFileGroup -Name $FsrmFileGroupName -IncludePattern $listInclude -ExcludePattern $listExclude
    }
    else {
        LogWrite "Creating new file group '$FsrmFileGroupName' with include and exclude patterns ..."
        New-FsrmFileGroup -Name $FsrmFileGroupName -IncludePattern $Extensions -ExcludePattern $ExcludeExtension -ErrorAction Stop | Out-Null
        $NewExtensions = $Extensions | Sort-Object
    }

    LogWrite "Script completed successfully."
}
catch {
    $ErrorMessage = $_.Exception.Message
    Write-Host -ForegroundColor Yellow $ErrorMessage
    LogWrite "$($DateTime) - ERROR: $ErrorMessage"
}


Samsonait commented 1 year ago

I think I had a typo somewhere, it's working like a charm. Thanks bro!

Samsonait commented 1 year ago

Hey man, I need to reopen this. Can you help me with the following?

The files to exclude are also in the include, which is causing it to break. Also it gets double entries.

I'm using the code above, but after running the PowerShell script from a scheduled task I get double entries. See:


Samsonait commented 1 year ago

And if you run it twice this is what happens: (image)

Samsonait commented 1 year ago

I feel like I also have to do this: $NewExtensions = Compare-Object -ReferenceObject $Extensions -DifferenceObject $FSRMgroup.IncludePattern -PassThru | Sort-Object

but then also with the exclude?

DFFspace commented 1 year ago

That's odd.... I'll be running some tests and debugs later to see what causes this.

Samsonait commented 1 year ago

That's odd.... I'll be running some tests and debugs later to see what causes this.

Much appreciated man! Anywhere i can buy you a cup of coffee?

DFFspace commented 1 year ago

From my tests I noticed that the only issue seems to be adding duplicates of the excluded extensions. The other error message where it tells you that it can't have both in include or exclude is normal cause you cannot have both extensions in the include and exclude pattern. That would be strange if they allowed it to happen haha.

From my tests the above code does not add the exclude extensions to the include pattern, but it does seem to duplicate the excluded extensions on every run. I will look at what causes this. I have noticed this too with only using the included extensions when I have an extension with a typo: when I fix the typo it keeps duplicating the extension that had the typo.

DFFspace commented 1 year ago

# Define variables
$ErrorLog          = "C:\FSRMscript\Error\FSRMscript.txt"
$DateTime          = Get-Date
$UpdateURL         = "https://raw.githubusercontent.com/DFFspace/CryptoBlocker/master/KnownExtensions.txt"
$FsrmFileGroupName = "Known Ransomware Files"
$Logfile           = $ErrorLog
$ExcludeExtension  = @("*.lck", "*.one")

Function LogWrite {
    Param ([string]$logstring)
    Add-Content $Logfile -Value $logstring -Encoding UTF8
}

try {
    # Get last updated date
    LogWrite "Fetching last updated date from $UpdateURL ..."
    $LastUpdated = ((Invoke-WebRequest -Uri $UpdateURL -ErrorAction Stop).Content | ConvertFrom-Json).lastupdated
    $Date = $LastUpdated.Substring(0, $LastUpdated.LastIndexOf('T'))

    # Get extensions
    LogWrite "Fetching list of extensions from $UpdateURL ..."
    $Extensions = ((Invoke-WebRequest -Uri $UpdateURL -ErrorAction Stop).Content | ConvertFrom-Json).filters

    # Check if file group exists, update or create file group accordingly
    if (Get-FsrmFileGroup -Name $FsrmFileGroupName -ErrorAction SilentlyContinue) {
        LogWrite "File group '$FsrmFileGroupName' already exists. Updating include and exclude patterns ..."
        $FSRMgroup = Get-FsrmFileGroup $FsrmFileGroupName
        $NewExtensions = Compare-Object -ReferenceObject $Extensions -DifferenceObject $FSRMgroup.IncludePattern -PassThru | Sort-Object
        $NewExcludeExtension = Compare-Object -ReferenceObject $ExcludeExtension -DifferenceObject $FSRMgroup.ExcludePattern -PassThru | Sort-Object
        $listInclude = $FSRMgroup.IncludePattern + @($NewExtensions)
        $listExclude = $FSRMgroup.ExcludePattern + @($NewExcludeExtension)
        Set-FsrmFileGroup -Name $FsrmFileGroupName -IncludePattern $listInclude -ExcludePattern $listExclude
    }
    else {
        LogWrite "Creating new file group '$FsrmFileGroupName' with include and exclude patterns ..."
        New-FsrmFileGroup -Name $FsrmFileGroupName -IncludePattern $Extensions -ExcludePattern $ExcludeExtension -ErrorAction Stop | Out-Null
        $NewExtensions = $Extensions | Sort-Object
    }

    LogWrite "Script completed successfully."
}
catch {
    $ErrorMessage = $_.Exception.Message
    Write-Host -ForegroundColor Yellow $ErrorMessage
    LogWrite "$($DateTime) - ERROR: $ErrorMessage"
}

This should solve it. You were in the right direction with adding one for the exclude too haha.

$listExclude = $FSRMgroup.ExcludePattern + @($ExcludeExtension) by running that it just kept adding them over and over when it runs.

$NewExcludeExtension = Compare-Object -ReferenceObject $ExcludeExtension -DifferenceObject $FSRMgroup.ExcludePattern -PassThru | Sort-Object adding this and changing this $listExclude = $FSRMgroup.ExcludePattern + @($NewExcludeExtension) solves this.

Samsonait commented 1 year ago

Nice! I don't get doubles!

Do you also still have that they put the extension in the include - and - exclude? (image)

I deleted the entire ransomware list (except 1 because it wants 1 in there), I re-ran the script, and still it adds it in the include and the exclude lol

And you still haven't told me where I can buy you a coffee, do you take donations?

DFFspace commented 1 year ago

Can you share the script that you are using with your scheduled task?

And I don't take any donations haha.

Samsonait commented 1 year ago

# Define variables
$ErrorLog          = "C:\Services\Ransomware\FSRMscript.txt"
$DateTime          = Get-Date
$UpdateURL         = "https://raw.githubusercontent.com/DFFspace/CryptoBlocker/master/KnownExtensions.txt"
$FsrmFileGroupName = "Ransomware"
$Logfile           = $ErrorLog
$ExcludeExtension  = @(".lck", ".one", ".tro", ".szf")

# Force TLS 1.2 for a secure pull
[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12

Function LogWrite {
    Param ([string]$logstring)
    Add-Content $Logfile -Value $logstring -Encoding UTF8
}

try {
    # Get last updated date
    LogWrite "Fetching last updated date from $UpdateURL ..."
    $LastUpdated = ((Invoke-WebRequest -Uri $UpdateURL -ErrorAction Stop).Content | ConvertFrom-Json).lastupdated
    $Date = $LastUpdated.Substring(0, $LastUpdated.LastIndexOf('T'))

    # Get extensions
    LogWrite "Fetching list of extensions from $UpdateURL ..."
    $Extensions = ((Invoke-WebRequest -Uri $UpdateURL -ErrorAction Stop).Content | ConvertFrom-Json).filters

    # Check if file group exists, update or create file group accordingly
    if (Get-FsrmFileGroup -Name $FsrmFileGroupName -ErrorAction SilentlyContinue) {
        LogWrite "File group '$FsrmFileGroupName' already exists. Updating include and exclude patterns ..."
        $FSRMgroup = Get-FsrmFileGroup $FsrmFileGroupName
        $NewExtensions = Compare-Object -ReferenceObject $Extensions -DifferenceObject $FSRMgroup.IncludePattern -PassThru | Sort-Object
        $NewExcludeExtension = Compare-Object -ReferenceObject $ExcludeExtension -DifferenceObject $FSRMgroup.ExcludePattern -PassThru | Sort-Object
        $listInclude = $FSRMgroup.IncludePattern + @($NewExtensions)
        $listExclude = $FSRMgroup.ExcludePattern + @($NewExcludeExtension)
        Set-FsrmFileGroup -Name $FsrmFileGroupName -IncludePattern $listInclude -ExcludePattern $listExclude
    }
    else {
        LogWrite "Creating new file group '$FsrmFileGroupName' with include and exclude patterns ..."
        New-FsrmFileGroup -Name $FsrmFileGroupName -IncludePattern $Extensions -ExcludePattern $ExcludeExtension -ErrorAction Stop | Out-Null
        $NewExtensions = $Extensions | Sort-Object
    }

    LogWrite "Script completed successfully."
}
catch {
    $ErrorMessage = $_.Exception.Message
    Write-Host -ForegroundColor Yellow $ErrorMessage
    LogWrite "$($DateTime) - ERROR: $ErrorMessage"
}

# Mailing
Send-MailMessage -From ransomwareupdate@ltonoord.nl -Subject "Update geslaagd op $env:COMPUTERNAME" -To ict@ltonoord.nl -Body "Nieuwe Ransomware groep update geslaagd op $env:COMPUTERNAME " -BodyAsHtml -DeliveryNotificationOption OnSuccess -SmtpServer 192.168.1.9

DFFspace commented 1 year ago

Looks like the extensions that you are excluding seem to appear in the KnownExtensions list as well. So that seems to be the issue where it adds them to both.


$ErrorLog          = "C:\Services\Ransomware\FSRMscript.txt"
$DateTime          = Get-Date
$UpdateURL         = "https://raw.githubusercontent.com/DFFspace/CryptoBlocker/master/KnownExtensions.txt"
$FsrmFileGroupName = "Ransomware"
$Logfile           = $ErrorLog
$ExcludeExtension  = @("*.lck", "*.one", "*.tro", "*.szf")

# Force TLS 1.2 for a secure pull
[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12

Function LogWrite {
    Param ([string]$logstring)
    Add-Content $Logfile -Value $logstring -Encoding UTF8
}

try {
    # Get last updated date
    LogWrite "Fetching last updated date from $UpdateURL ..."
    $LastUpdated = ((Invoke-WebRequest -Uri $UpdateURL -ErrorAction Stop).Content | ConvertFrom-Json).lastupdated
    $Date = $LastUpdated.Substring(0, $LastUpdated.LastIndexOf('T'))

    # Get extensions
    LogWrite "Fetching list of extensions from $UpdateURL ..."
    $Extensions = ((Invoke-WebRequest -Uri $UpdateURL -ErrorAction Stop).Content | ConvertFrom-Json).filters

    # Remove excluded extensions from extensions list
    foreach ($exclude in $ExcludeExtension) {
        $Extensions = $Extensions | Where-Object { $_ -notlike $exclude }
    }

    # Check if file group exists, update or create file group accordingly
    if (Get-FsrmFileGroup -Name $FsrmFileGroupName -ErrorAction SilentlyContinue) {
        LogWrite "File group '$FsrmFileGroupName' already exists. Updating include and exclude patterns ..."
        $FSRMgroup = Get-FsrmFileGroup $FsrmFileGroupName
        $NewExtensions = Compare-Object -ReferenceObject $Extensions -DifferenceObject $FSRMgroup.IncludePattern -PassThru | Sort-Object
        $NewExcludeExtension = Compare-Object -ReferenceObject $ExcludeExtension -DifferenceObject $FSRMgroup.ExcludePattern -PassThru | Sort-Object
        $listInclude = $FSRMgroup.IncludePattern + @($NewExtensions)
        $listExclude = $FSRMgroup.ExcludePattern + @($NewExcludeExtension)
        Set-FsrmFileGroup -Name $FsrmFileGroupName -IncludePattern $listInclude -ExcludePattern $listExclude
    }
    else {
        LogWrite "Creating new file group '$FsrmFileGroupName' with include and exclude patterns ..."
        New-FsrmFileGroup -Name $FsrmFileGroupName -IncludePattern $Extensions -ExcludePattern $ExcludeExtension -ErrorAction Stop | Out-Null
        $NewExtensions = $Extensions | Sort-Object
    }

    LogWrite "Script completed successfully."
}
catch {
    $ErrorMessage = $_.Exception.Message
    Write-Host -ForegroundColor Yellow $ErrorMessage
    LogWrite "$($DateTime) - ERROR: $ErrorMessage"
}

# Mailing

Send-MailMessage -From ransomwareupdate@ltonoord.nl -Subject "Update geslaagd op $env:COMPUTERNAME" -To ict@ltonoord.nl -Body "Nieuwe Ransomware groep update geslaagd op $env:COMPUTERNAME " -BodyAsHtml -DeliveryNotificationOption OnSuccess -SmtpServer 192.168.1.9

I have added some code that should remove them from the $Extensions Line 26 to 29 has been added and I have added * to the ExcludeExtensions.
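The two failure modes worked through in this thread (patterns duplicated on every scheduled run, and a pattern landing in both the include and the exclude list) both come from appending to the existing lists. The following is an added example, not code from the thread or from the CryptoBlocker project, that instead computes the desired include and exclude lists as deduplicated sets and writes them only when they differ from what FSRM already holds; ConvertTo-FsrmPattern, Get-FsrmDesiredState and Sync-FsrmFileGroup are assumed helper names, while the feed layout (filters field) and the FSRM cmdlets are those the thread uses.

```powershell
# Added example, not code from the thread or the CryptoBlocker project: reconcile an
# FSRM file group so repeated scheduled runs are idempotent. The desired state is a
# set (existing + new, deduplicated, every exclude removed from the includes), so
# nothing is appended twice and no pattern ends up in both lists.
# Get-FsrmDesiredState and Sync-FsrmFileGroup are hypothetical helper names.

# FSRM wildcards match the whole file name, so a bare ".lck" never matches; turn it
# into "*.lck". Entries that already carry a wildcard are left untouched.
function ConvertTo-FsrmPattern {
    param([string[]]$Patterns)
    foreach ($p in @($Patterns)) {
        $p = "$p".Trim()
        if ($p -eq '') { continue }
        if ($p.StartsWith('.') -and $p -notmatch '[*?]') { "*$p" } else { $p }
    }
}

# Pure set logic, so it can be checked offline on a machine without FSRM.
function Get-FsrmDesiredState {
    param([string[]]$FeedPatterns, [string[]]$ExistingInclude,
          [string[]]$ExistingExclude, [string[]]$ConfiguredExclude)
    $exclude = @(ConvertTo-FsrmPattern (@($ExistingExclude) + @($ConfiguredExclude)) |
                 Sort-Object -Unique)                        # case-insensitive dedupe
    $include = @(ConvertTo-FsrmPattern (@($ExistingInclude) + @($FeedPatterns)) |
                 Where-Object { $exclude -notcontains $_ } |  # never in both lists
                 Sort-Object -Unique)
    return @{ Include = $include; Exclude = $exclude }
}

function Sync-FsrmFileGroup {
    param([string]$Name, [string]$FeedUrl, [string[]]$ConfiguredExclude)
    [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
    $feed  = (Invoke-WebRequest -Uri $FeedUrl -UseBasicParsing -ErrorAction Stop).Content | ConvertFrom-Json
    $group = Get-FsrmFileGroup -Name $Name -ErrorAction SilentlyContinue
    $state = Get-FsrmDesiredState -FeedPatterns $feed.filters -ConfiguredExclude $ConfiguredExclude `
                 -ExistingInclude $group.IncludePattern -ExistingExclude $group.ExcludePattern
    # FSRM needs at least one include pattern; an empty exclude list is simply not passed.
    $params = @{ Name = $Name; IncludePattern = $state.Include; ErrorAction = 'Stop' }
    if ($state.Exclude.Count -gt 0) { $params.ExcludePattern = $state.Exclude }
    if (-not $group) {
        New-FsrmFileGroup @params | Out-Null
        return "created '$Name': $($state.Include.Count) include, $($state.Exclude.Count) exclude"
    }
    # Compare the sorted lists as strings (-eq is case-insensitive); write only on change.
    $same = (@($group.IncludePattern | Sort-Object) -join ',') -eq ($state.Include -join ',') -and
            (@($group.ExcludePattern | Sort-Object) -join ',') -eq ($state.Exclude -join ',')
    if ($same) { return "unchanged '$Name'" }
    Set-FsrmFileGroup @params | Out-Null
    return "updated '$Name': $($state.Include.Count) include, $($state.Exclude.Count) exclude"
}

# Offline check with constructed data: "*.lck" arrives from the feed but is configured
# as ".lck" to exclude; it must land only in Exclude, and "*.locky" must not double up.
$demo = Get-FsrmDesiredState -FeedPatterns @("*.lck", "*.locky", "*.zepto") `
            -ExistingInclude @("*.locky") -ExistingExclude $null -ConfiguredExclude @(".lck")
"include: $($demo.Include -join ' ')   exclude: $($demo.Exclude -join ' ')"

# Live run, e.g. from the scheduled task (group name and exclude list as in the thread):
Sync-FsrmFileGroup -Name "Known Ransomware Files" -ConfiguredExclude @(".lck", "*.one") `
    -FeedUrl "https://raw.githubusercontent.com/DFFspace/CryptoBlocker/master/KnownExtensions.txt"
```

Because the lists are rebuilt as sets rather than appended to, a corrected typo is no longer re-added on each run and the group is left untouched when nothing changed, which also keeps the FSRM event log quiet between real updates.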

Samsonait commented 1 year ago

Now a weird thing happens, instead of excluding them i get 2 of them in the Include LOL


DFFspace commented 1 year ago

Does this also happen when you remove the Ransomware FSRM group and rerun the script to create the FSRM group again?

I ran the above on my Windows Server 2022 and that seems to create the Ransomware group while adding the 4 to exclude, and they don't appear in include; running it multiple times still seems to work as intended.


Samsonait commented 1 year ago

Deleting and re-adding solved the issue m8

You won't let me give you a cup of coffee, so I just have to thank you

Thanks man!

DFFspace commented 1 year ago

No problem!

Samsonait commented 1 year ago

/closed