nexxai / CryptoBlocker

A script to deploy File Server Resource Manager and associated scripts to block infected users
GNU General Public License v2.0
200 stars, 73 forks

Proof of Concept #27

Closed jkmurphy1 closed 6 years ago

jkmurphy1 commented 6 years ago

This PR contains scripts that can be modified and used to monitor numerous different types of storage devices. The scripts contained within this PR should be considered a proof of concept that demonstrates the ability to monitor a wide spectrum of storage devices without the usage of FSRM.

There are some known issues that should be addressed prior to utilizing this PoC in an active environment.

  1. For each file change, multiple events are fired, causing the defined $action to execute multiple times where one would expect only a single execution of $action to occur. This in turn can cause multiple attempts to stop the Samba_server service as well as multiple emails for a single incident. This could be resolved by implementing a timer function that only allows complete execution of the action event once in a predefined amount of time.
  2. The number of extensions in the JSON file seems to limit the script's ability to find a match within a timely manner. This results in no email ever being sent as well as the Samba_server service never being stopped. The issue is not encountered if the list of extensions is shortened significantly.
    Further testing on limiting the amount of extensions stored in the $json variable may yield a favorable outcome, ultimately resulting in the usage of several $json-like variables.
  3. This proof of concept does not implement the ability to mark file extensions that have been previously associated with ransomware to be white-listed as safe file extensions. Ideally, a white list of file extensions would be checked prior to parsing through known extensions that are not wanted on the network.
  4. This script only addresses the potential of the storage device being accessible via a Samba-based share. While the script is capable of monitoring any storage device it only has a method for removing access to a Samba-based share. PowerShell is capable of restricting access to other drives through the modification of access permissions; however, modifying file access permissions cannot be implemented as quickly as completely removing access to the storage device. Additional methods would be needed to restrict access to various types of storage devices and would be somewhat environment-specific.
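The following is an added example, not code from this PR or from CryptoBlocker, showing one way a FileSystemWatcher-based monitor can address issues 1 to 3 above: a cooldown so the action runs once per incident, a HashSet for extension lookups so the length of the JSON list no longer matters, and a whitelist that is consulted first. The watched path, the JSON file path and the response action are assumed placeholders.

```powershell
# Added example, not the PR's scripts. Assumed placeholders: the watched share path, the JSON
# extension file (an array of patterns such as "*.locky") and the response action.
param(
    [string]$WatchPath     = 'C:\Shares\data',
    [string]$ExtensionJson = 'C:\CryptoBlocker\extensions.json',
    [int]$CooldownSeconds  = 60,
    [scriptblock]$Action   = { param($Path) Write-Warning "Blocked pattern hit: $Path" }
)

$cmp = [System.StringComparer]::OrdinalIgnoreCase
# Issue 3: safe extensions are checked first and never trigger the action.
$whitelist = [System.Collections.Generic.HashSet[string]]::new([string[]]@('.txt', '.docx', '.xlsx'), $cmp)

# Issue 2: "*.ext" patterns go into a HashSet (constant-time lookup however long the list is);
# only patterns with an inner wildcard, e.g. "*want_to_cry*", still need a -like scan.
$blockedExt = [System.Collections.Generic.HashSet[string]]::new($cmp)
$wildcards  = [System.Collections.Generic.List[string]]::new()
foreach ($p in (Get-Content -Raw $ExtensionJson | ConvertFrom-Json)) {
    if ($p -match '^\*(\.[^*?]+)$') { [void]$blockedExt.Add($Matches[1]) } else { $wildcards.Add($p) }
}

# Shared state for the event handler; Register-ObjectEvent actions reach it via $Event.MessageData.
$ctx = @{ Whitelist = $whitelist; BlockedExt = $blockedExt; Wildcards = $wildcards
          Cooldown = $CooldownSeconds; Action = $Action; LastRun = [datetime]::MinValue }

$handler = {
    $c    = $Event.MessageData
    $path = $Event.SourceEventArgs.FullPath
    $name = [System.IO.Path]::GetFileName($path)
    $ext  = [System.IO.Path]::GetExtension($name)
    if ($c.Whitelist.Contains($ext)) { return }
    $hit = $c.BlockedExt.Contains($ext)
    if (-not $hit) { foreach ($w in $c.Wildcards) { if ($name -like $w) { $hit = $true; break } } }
    if (-not $hit) { return }
    # Issue 1: Created, Changed and Renamed all fire for one write; run the action at most
    # once per cooldown window instead of once per event.
    $now = Get-Date
    if (($now - $c.LastRun).TotalSeconds -lt $c.Cooldown) { return }
    $c.LastRun = $now
    & $c.Action $path
}

$watcher = [System.IO.FileSystemWatcher]::new($WatchPath)
$watcher.IncludeSubdirectories = $true
foreach ($evt in 'Created', 'Changed', 'Renamed') {
    Register-ObjectEvent -InputObject $watcher -EventName $evt -Action $handler -MessageData $ctx | Out-Null
}
$watcher.EnableRaisingEvents = $true
```

The response in $Action is where an environment-specific step such as stopping a share service or sending mail would go; the cooldown applies to that action as a whole, so a burst of events from one encrypting process produces a single response.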