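<#
.SYNOPSIS
    Interactive generator for a "canary" monitoring script: it watches one
    sentinel file and runs a chosen alarm action when that file is removed,
    read, copied or referenced from PowerShell.

.DESCRIPTION
    The generator asks for:
      - an existing sentinel file to watch (resolved to an absolute path),
      - the alarm action to embed: eject USB drives, also drop the network,
        shut down, reboot to firmware, or a custom command typed verbatim,
      - the polling interval in seconds (default 10),
      - where to write the generated monitoring script (.ps1),
      - where the generated script keeps its transcript / error log.
    The generated script polls the sentinel and fires the alarm when:
      - the sentinel no longer exists,
      - its LastAccessTime differs from the value captured at generation time,
      - the sentinel name or its folder name appears in a clipboard file-drop
        list (a copy/cut of the file or its folder),
      - the sentinel name or its folder path appears in the PSReadLine history
        file.
    The generated script stops at the first PowerShell error and opens the
    transcript so the failure can be reviewed.

.NOTES
    Everything typed at the prompts is written verbatim into the generated
    script (the custom command in particular); the prompts are operator input,
    not a place for untrusted data.
    NOTE(review): NTFS updates LastAccessTime only when the volume's
    NtfsDisableLastAccessUpdate setting allows it - confirm on the host,
    otherwise the access-time check can never fire.
    NOTE(review): the history check scans the whole PSReadLine history, so a
    command that created or named the sentinel earlier in the same history
    will trigger the alarm on the first poll - clear the history first.
#>

# --- sentinel file -----------------------------------------------------------
$chosen = Read-Host "Choose an already existing sentinel-file"
# Fail fast, before the remaining questions, when the sentinel does not exist.
# -LiteralPath so wildcard characters in the name are not interpreted.
if (-not (Test-Path -LiteralPath $chosen)) {
    Write-Host "`nThe sentinel-file is not present; create it and repeat the procedure. This window will be closed.`n" -ForegroundColor Yellow
    cmd /C pause
    exit
}
# Absolute path: the generated script must not depend on its working directory,
# and a bare file name would otherwise leave the folder checks empty.
$chosen = (Resolve-Path -LiteralPath $chosen).Path
$chosenF = Split-Path -Path $chosen              # folder holding the sentinel
$canaryName = Split-Path -Path $chosen -Leaf     # sentinel file name only
$canaryDir = Split-Path -Path $chosenF -Leaf     # name of the folder holding it

# --- alarm action ------------------------------------------------------------
# Fragments of the generated script. Single-quoted here-strings are used so
# nothing is expanded at generation time: they are emitted exactly as written.
$ejectUsb = @'
#disconnect USB drive
$usbDrives = Get-CimInstance -Class Win32_DiskDrive -Filter 'InterfaceType = "USB"' |
    Get-CimAssociatedInstance -ResultClassName Win32_DiskPartition |
    Get-CimAssociatedInstance -ResultClassName Win32_LogicalDisk |
    ForEach-Object { $_.DeviceID }
foreach ($drive in $usbDrives) {
    $driveEject = New-Object -ComObject Shell.Application
    $driveEject.Namespace(17).ParseName($drive).InvokeVerb("Eject")
}
'@

$disableNetwork = @'
#disconnect networks
$activeAdapter = Get-NetAdapter | Where-Object { $_.Status -eq "Up" }
if (-not $activeAdapter) {
    logoff
} else {
    # disable each adapter by its own name (the loop variable, not the whole list)
    foreach ($NetAdapt in $activeAdapter) {
        Disable-NetAdapter -Name $NetAdapt.Name -Confirm:$false
    }
}
Start-Sleep 1
'@

$logoffUser = @'
#disconnect user
logoff
'@

$action = Switch (Read-Host @"
Choose an alarm action:
1 - disconnect USB drives and user
2 - disconnect USB drives, networks and user (requires admin)
3 - shutdown PC
4 - try to restart to BIOS
5 - custom command
Choice
"@) {
    1 { "$ejectUsb`n$logoffUser" }
    2 { "$ejectUsb`n$disableNetwork`n$logoffUser" }
    3 { "shutdown /s /f /t 1 #force quick system shutdown" }
    4 { "shutdown /r /fw /f /t 0 #riavvio al BIOS" }
    5 { Read-Host "Insert command" }
    default {
        # Without an action the generated script would be useless; stop here.
        Write-Host "`nUnknown choice; repeat the procedure. This window will be closed.`n" -ForegroundColor Yellow
        cmd /C pause
        exit
    }
}

# --- polling interval --------------------------------------------------------
$pause = Read-Host "Choose seconds of interval between monitoring activities (default: 10)"
# Empty, non-numeric or non-positive input falls back to 10 so the generated
# Start-Sleep always receives a valid value.
$pause = $pause -as [int]
if (-not $pause -or $pause -lt 1) {
    $pause = 10
}

# Baseline access time, stored as a string and compared with -ne at run time.
$CanFile = (Get-Item -LiteralPath $chosen).LastAccessTime.ToString()

# --- output locations --------------------------------------------------------
$outputF = Read-Host "Choose the path and the name of the monitoring script (.ps1)"
$ErrLog = Read-Host "Choose the path and the name of the error log file (default is: \Desktop\error-log.txt)"
if (!$ErrLog) {
    $ErrLog = "$HOME\Desktop\error-log.txt"
}

# --- generated monitoring script --------------------------------------------
# Double-quoted here-string: $(...) is filled in now, `$ stays a literal $ for
# the generated script. $action is inserted verbatim at each alarm point.
New-Item -ItemType File -Path $outputF -Value @"
if (-not (Test-Path -LiteralPath "$($ErrLog)")) {
    New-Item "$($ErrLog)"
}
Start-Transcript "$($ErrLog)"
`$canaryPath = "$($chosen)"
`$baseline = "$($CanFile)"
#patterns are regex-escaped once: file and folder names are matched literally
`$namePattern = [regex]::Escape("$($canaryName)")
`$dirPattern = [regex]::Escape("$($canaryDir)")
`$folderPattern = [regex]::Escape("$($chosenF)")
while (`$true) {
    #interval at startup and between monitoring activities
    Start-Sleep -Seconds $($pause)
    #check canary presence
    if (-not (Test-Path -LiteralPath `$canaryPath)) {
$action
        break
    }
    #check last access (exact string comparison; the timestamp is not a regex)
    if (`$baseline -ne (Get-Item -LiteralPath `$canaryPath).LastAccessTime.ToString()) {
$action
        break
    }
    #check clipboard: the sentinel or its folder in a file-drop list
    `$clipNames = (Get-Clipboard -Format FileDropList).Name
    if ((`$clipNames -match `$namePattern) -or (`$clipNames -match `$dirPattern)) {
$action
        break
    }
    #check PowerShell commands history: any command naming the canary or its folder
    `$history = Get-Content (Get-PSReadlineOption).HistorySavePath
    if ((`$history -match `$namePattern) -or (`$history -match `$folderPattern)) {
$action
        break
    }
    #stop at the first error so it can be reviewed in the transcript
    if (`$Error[0] -ne `$null) {
        Stop-Transcript
        notepad.exe "$($ErrLog)"
        break
    }
}
Stop-Transcript
"@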