Created
June 30, 2023 16:31
-
-
Save Patrick-Kelley/f583b1cc597356dcff3673881252d744 to your computer and use it in GitHub Desktop.
Potential candidate for quickly locating encrypted files using the CPS wordlist.
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| $drive = "C:\" | |
| $days = 7 # Number of days to consider as "recent" | |
| # Download the wordlist file | |
| $wordlistUrl = "https://raw.githubusercontent.com/CriticalPathSecurity/Zeek-Intelligence-File-Names/main/Zeek-Intelligence-File-Names.txt" | |
| $wordlistPath = "$env:TEMP\Zeek-Intelligence-File-Names.txt" | |
| Invoke-WebRequest -Uri $wordlistUrl -OutFile $wordlistPath | |
| # Read the wordlist file into an array | |
| $wordlist = Get-Content -Path $wordlistPath | |
| $recentFiles = Get-ChildItem -Path $drive -Recurse | Where-Object { | |
| $_.LastWriteTime -gt (Get-Date).AddDays(-$days) | |
| } | |
| $ransomwareMatches = $recentFiles | Where-Object { | |
| $filename = $_.Name.ToLower() | |
| $wordlist | ForEach-Object { | |
| if ($filename -like "*$_*") { | |
| $true | |
| break | |
| } | |
| } | |
| } | |
| if ($ransomwareMatches.Count -gt 0) { | |
| Write-Host "Potentially ransomware files found:" | |
| $ransomwareMatches | Select-Object FullName, LastWriteTime | |
| } | |
| else { | |
| Write-Host "No potentially ransomware files found." | |
| } | |
| # Remove the downloaded wordlist file | |
| Remove-Item -Path $wordlistPath -Force |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment