Anlage des Repos

archive/Block-AccessByEvent/Archiv/20160829_Ransomware.txt

@@ -0,0 +1,2 @@
+Get-FsrmFileScreen
+New-FsrmFileGroup -Name "Ransomware" –IncludePattern @("*.k","*.encoderpass","*.key","*.ecc","*.ezz","*.exx","*.zzz","*.xyz","*.aaa","*.abc","*.ccc","*.vvv","*.xxx","*.ttt","*.micro","*.encrypted","*.locked","*.crypto","_crypt","*.crinf","*.r5a","*.xrtn","*.XTBL","*.crypt","*.R16M01D05","*.pzdc","*.good","*.LOL!","*.OMG!","*.RDM","*.RRK","*.encryptedRSA","*.crjoker","*.EnCiPhErEd","*.LeChiffre","*.keybtc@inbox_com","*.0x0","*.bleep","*.1999","*.vault","*.HA3","*.toxcrypt","*.magic","*.SUPERCRYPT","*.CTBL","*.CTB2","*.locky","HELPDECRYPT.TXT","HELP_YOUR_FILES.TXT","HELP_TO_DECRYPT_YOUR_FILES.txt","RECOVERY_KEY.txt","HELP_RESTORE_FILES.txt","HELP_RECOVER_FILES.txt","DECRYPT_INSTRUCTIONS.TXT","INSTRUCCIONES_DESCIFRADO.TXT","How_To_Recover_Files.txt","YOUR_FILES.HTML","YOUR_FILES.url","encryptor_raas_readme_liesmich.txt","Help_Decrypt.txt","DECRYPT_INSTRUCTION.TXT","HOW_TO_DECRYPT_FILES.TXT","ReadDecryptFilesHere.txt","Coin.Locker.txt","_secret_code.txt","About_Files.txt","Read.txt","ReadMe.txt","DECRYPT_ReadMe.TXT","DecryptAllFiles.txt","FILESAREGONE.TXT","IAMREADYTOPAY.TXT","HELLOTHERE.TXT","READTHISNOW!!!.TXT","SECRETIDHERE.KEY","IHAVEYOURSECRET.KEY","SECRET.KEY","HELPDECYPRT_YOUR_FILES.HTML","help_decrypt_your_files.html","HELP_TO_SAVE_FILES.txt","RECOVERY_FILES.txt","RECOVERY_FILE.TXT","RECOVERY_FILE*.txt","HowtoRESTORE_FILES.txt","HowtoRestore_FILES.txt","howto_recover_file.txt","restorefiles.txt","howrecover+*.txt","_how_recover.txt","recoveryfile*.txt","recoverfile*.txt","Howto_Restore_FILES.TXT","help_recover_instructions+*.txt","_Locky_recover_instructions.txt","*.trun","trun.key","*.fantom","DECRYPT_YOUR_FILES.HTML","Recovery+bwpnl.html","Recovery+bwpnl.txt","Recovery+bwpnl.png","_ReCoVeRy_orqit.html","_ReCoVeRy_orqit.png","_ReCoVeRy_orqit.txt","*.cerber","*.bart.zip","*.zepto","*@*")

archive/Block-AccessByEvent/Archiv/20161206_Ransomware.txt

@@ -0,0 +1,2 @@
+Get-FsrmFileScreen
+New-FsrmFileGroup -Name "Ransomware" –IncludePattern @("*.k","*.encoderpass","*.key","*.ecc","*.ezz","*.exx","*.zzz","*.xyz","*.aaa","*.abc","*.ccc","*.vvv","*.xxx","*.ttt","*.micro","*.encrypted","*.locked","*.crypto","_crypt","*.crinf","*.r5a","*.xrtn","*.XTBL","*.crypt","*.R16M01D05","*.pzdc","*.good","*.LOL!","*.OMG!","*.RDM","*.RRK","*.encryptedRSA","*.crjoker","*.EnCiPhErEd","*.LeChiffre","*.keybtc@inbox_com","*.0x0","*.bleep","*.1999","*.vault","*.HA3","*.toxcrypt","*.magic","*.SUPERCRYPT","*.CTBL","*.CTB2","*.locky","HELPDECRYPT.TXT","HELP_YOUR_FILES.TXT","HELP_TO_DECRYPT_YOUR_FILES.txt","RECOVERY_KEY.txt","HELP_RESTORE_FILES.txt","HELP_RECOVER_FILES.txt","DECRYPT_INSTRUCTIONS.TXT","INSTRUCCIONES_DESCIFRADO.TXT","How_To_Recover_Files.txt","YOUR_FILES.HTML","YOUR_FILES.url","encryptor_raas_readme_liesmich.txt","Help_Decrypt.txt","DECRYPT_INSTRUCTION.TXT","HOW_TO_DECRYPT_FILES.TXT","ReadDecryptFilesHere.txt","Coin.Locker.txt","_secret_code.txt","About_Files.txt","Read.txt","ReadMe.txt","DECRYPT_ReadMe.TXT","DecryptAllFiles.txt","FILESAREGONE.TXT","IAMREADYTOPAY.TXT","HELLOTHERE.TXT","READTHISNOW!!!.TXT","SECRETIDHERE.KEY","IHAVEYOURSECRET.KEY","SECRET.KEY","HELPDECYPRT_YOUR_FILES.HTML","help_decrypt_your_files.html","HELP_TO_SAVE_FILES.txt","RECOVERY_FILES.txt","RECOVERY_FILE.TXT","RECOVERY_FILE*.txt","HowtoRESTORE_FILES.txt","HowtoRestore_FILES.txt","howto_recover_file.txt","restorefiles.txt","howrecover+*.txt","_how_recover.txt","recoveryfile*.txt","recoverfile*.txt","Howto_Restore_FILES.TXT","help_recover_instructions+*.txt","_Locky_recover_instructions.txt","*.trun","trun.key","*.fantom","DECRYPT_YOUR_FILES.HTML","Recovery+bwpnl.html","Recovery+bwpnl.txt","Recovery+bwpnl.png","_ReCoVeRy_orqit.html","_ReCoVeRy_orqit.png","_ReCoVeRy_orqit.txt","*.cerber","*.bart.zip","*.zepto","*@*","*.odin","*.aesir","*.uDz2j8mv")

archive/Block-AccessByEvent/Archiv/Block-SMBShare.cmd

@@ -0,0 +1 @@
+PowerShell.exe -NoProfile -Command "& {Start-Process PowerShell.exe -ArgumentList '-NoProfile -ExecutionPolicy Bypass -File ""c:\scripts\block-smbshare.ps1""' -Verb RunAs}"

archive/Block-AccessByEvent/Archiv/Block-SMBShare.ps1

@@ -0,0 +1,18 @@
+$logfile = "c:\Scripts\logfile.csv"
+$events = Get-EventLog -LogName application -Source SRMSVC -After (get-date).AddMinutes(-10) | select ReplacementStrings -Unique
+if ($events.count -gt 50)
+	{
+		stop-computer -force
+	}
+else
+	{
+		foreach ($event in $events)
+			{
+				$sourceuser = $event.ReplacementStrings[0]
+				$smbsharepath = $event.ReplacementStrings[1]
+		
+				$blockaccess = Get-SmbShare | where {$_.path -like $smbsharepath} | Block-SmbShareAccess -AccountName $sourceuser -Force
+				$log = "$sourceuser" + ";" + "$smbsharepath"
+				$log | add-content $logfile
+			}
+	}

archive/Block-AccessByEvent/Archiv/Lockyscript_v4.ps1

@@ -0,0 +1,24 @@
+clear
+Push-Location $(Split-Path $Script:MyInvocation.MyCommand.Path)
+$datei = Get-content .\20160829_Ransomware.txt
+
+Remove-FsrmFileGroup -Name "Locky*"
+Remove-FsrmFileScreen -Path E:\Test
+
+$var = $datei.split(",")
+for($i=0; $i -lt $var.Length; $i=$i+20){
+
+$j = $i + 19
+Write-Host "$i..$j"
+$var.replace("""", $null)[$i..$j] -join ","
+
+New-FsrmFileGroup -Name "Locky$i" -IncludePattern $var[$i..$j]
+}
+
+$array = @()
+for($i=0; $i -lt $var.length; $i=$i+20){
+$array += 'Locky' + $i
+}
+$Notification = New-FsrmAction -Type Email -MailTo Test@test.de -Subject “FEHLER!!!!!!” -Body “[Violated File Group]  located at: [Source File Path]. It was created by User: [Source Io Owner]. Ressource-Manager should block future accessing.” -RunLimitInterval 120
+$Notification1 = New-FsrmAction -Type Event -EventType Warning -Body "Alert text here" -RunlimitInterval 30
+New-FsrmFileScreen -Path E:\Test -IncludeGroup $array -Notification $Notification,$Notification1