nexxai / CryptoBlocker

A script to deploy File Server Resource Manager and associated scripts to block infected users
GNU General Public License v2.0

Pattern download and then implement #66

Open kiriswiss opened 6 years ago

kiriswiss commented 6 years ago

Hi everyone, our management would like us to first download the script to our local server, check that everything is OK, and then implement the script in our FSRM. Has anyone done something similar, or am I the first one with this requirement?

Thanks for any answer. Regards, Andre

Rooven-tech commented 5 years ago

Hi,

I think what you want to do first is save the JSON file to the server and give it a name such as C:\Preview\BlockList.txt

Then edit your script so it looks like this:

```powershell
# Download list of CryptoLocker file extensions
Write-Host "`n####"
# Read the locally saved list instead of downloading it
$monitoredExtensions = Get-Content C:\Preview\BlockList.txt
```

kiriswiss commented 5 years ago

Thanks for this update and sorry for the late response. We would also like to implement an automatic download of the pattern. But when I click on https://fsrm.experiant.ca/api/v1/get it tells me File not found. Is there a direct download link to download the file? https://fsrm.experiant.ca/api/v1/get/get.json ==> file not found. Thanks for an update, Andre

jkmurphy1 commented 5 years ago

First link you provided works when I click on it.


kiriswiss commented 5 years ago

OK, yes, I was able to download the file now, and I called it get.txt. When I change my PowerShell script, I now get the following error:

```
Program 'filescrn.exe' failed to run: The filename or extension is too long
At C:\Scripts\Ransom\Test.ps1:254 char:5
```

Line 214:

```powershell
$monitoredExtensions = Get-Content C:\Scripts\Ransom\get.txt
```

Line 254:

```powershell
&filescrn.exe Filegroup Add "/Filegroup:$($group.fileGroupName)" "/Members:$($group.array -Join '|')"
```

What do I need to change? Thanks, Andre

Rooven-tech commented 5 years ago

Try this script to download the file. You will need to edit line 14 for the path.

```powershell
Function ConvertFrom-Json20 {
    # Deserializes JSON input into PowerShell object output
    Param (
        [Object] $obj
    )
    Add-Type -AssemblyName System.Web.Extensions
    $serializer = New-Object System.Web.Script.Serialization.JavaScriptSerializer
    return ,$serializer.DeserializeObject($obj)
}

# Download the filter list and save it as plain text, one pattern per line
$jsonStr = Invoke-WebRequest -Uri https://fsrm.experiant.ca/api/v1/get -UseBasicParsing
$monitoredExtensions = @(ConvertFrom-Json20 $jsonStr | ForEach-Object { $_.filters })
$monitoredExtensions | Out-file -filepath C:\path\get.txt
```

kiriswiss commented 5 years ago

Thanks mate, you saved my weekend. Great, it works
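
The review step asked about at the top of this thread could look like the following. This is an added example, not code from the thread or from the CryptoBlocker project; it assumes PowerShell 3.0 or later (for `ConvertFrom-Json`), and the function name `Test-FilterList`, the protected-pattern list and the sample data are hypothetical.

```powershell
# Added example, not part of the CryptoBlocker script. Requires PowerShell 3.0+.
# Constructed sample input with the same shape as the API response (a "filters" array).
$sampleJson = @'
{ "filters": [ "*.locky", "*.cerber3", "HELP_DECRYPT*.txt", "*.*", "*.docx", "*.locky" ] }
'@
# Constructed stand-in for the list that was reviewed and deployed last time.
$approved = @('*.locky', '*.cerber3', '*.zepto')

function Test-FilterList {
    param(
        [Parameter(Mandatory = $true)] [string] $Json,
        [string[]] $Approved = @(),
        # Patterns that must never be blocked on this file server (assumption: adjust per site).
        [string[]] $Protected = @('*.docx', '*.xlsx', '*.pdf', '*.txt', '*.jpg')
    )
    # Drop empty entries and duplicates before comparing anything.
    $filters = @((ConvertFrom-Json $Json).filters | Where-Object { $_ } | Sort-Object -Unique)

    # A pattern made only of wildcards and dots matches every file;
    # a protected pattern would block ordinary documents.
    $rejected = @($filters | Where-Object { $_ -match '^[\*\?\.]+$' -or $Protected -contains $_ })
    $accepted = @($filters | Where-Object { $rejected -notcontains $_ })

    New-Object PSObject -Property @{
        Accepted = $accepted
        Rejected = $rejected
        Added    = @($accepted | Where-Object { $Approved -notcontains $_ })
        Removed  = @($Approved | Where-Object { $filters -notcontains $_ })
    }
}

$review = Test-FilterList -Json $sampleJson -Approved $approved
"Rejected (do not deploy): $($review.Rejected -join ', ')"
"New since last approval:  $($review.Added -join ', ')"
"Dropped upstream:         $($review.Removed -join ', ')"

# Only after sign-off: write one pattern per line, the format Get-Content returns as an array.
# $review.Accepted | Out-File -FilePath C:\Preview\get.txt
```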