# FileSystemWatcher.ps1
# Watches one directory tree for activity on a single file name, appends every
# event to a log on the desktop, and on a Created event overwrites the new file
# with a copy of $ourBinary, logging MD5 hashes before and after. It then polls
# until a process named "legit" exists and logs the hash of its image.
# NOTE(review): from a defensive standpoint the useful signals here are the
# hash mismatch between the original patch and the executed image and the
# overwrite of a freshly created file — both are what file-integrity
# monitoring and signature verification of patches are meant to catch.
# NOTE(review): the -Action script blocks below read $LogFilePath, $folder,
# $patchBinary, $ourBinary and $ourBinaryHash. Whether they can see these
# depends on how the script is run (pasted/dot-sourced into the session vs.
# invoked as a .ps1 file); if the log stays empty, pass the values with
# -MessageData and read $Event.MessageData instead. $fqdn is never assigned
# anywhere in this script, so the "Host:" line in every log entry is blank.
# To stop the monitoring, run the following command:
# Get-EventSubscriber | Unregister-Event
# Log settings
# Written with Out-File -Append throughout; the file is created on first write.
$LogFilePath = "$env:userprofile\desktop\FileSystemWatcher.log"
# Execution settings
# Set to $true once the polled process is observed; nothing in this script reads it back.
$patchexec = $false
# You will need to change this
# Serves both as the watcher filter and as the file name of the replacement binary.
$patchBinary = "legit.exe"
# You will need to change this
# Replacement binary, expected on the desktop. Its existence is not checked;
# Get-FileHash on the next line errors if it is missing.
$ourBinary = "$env:userprofile\Desktop\$patchBinary"
# MD5 is used here only for logging and comparison. It is not collision
# resistant, so an equal MD5 is not proof that two files are identical.
$ourBinaryHash = Get-FileHash -Algorithm MD5 $ourBinary
# File target
$folder = Read-Host "Enter the root directory to monitor" # Enter the root path you want to monitor. The value is used as-is, without validation.
$filter = $patchBinary # You can enter a wildcard filter here.
# Creates the directory if it is missing; New-Item's output object is not
# suppressed, so the new DirectoryInfo is echoed to the console.
if(!(Test-Path $folder)){New-Item -ItemType Directory $folder}
# In the following line, change 'IncludeSubdirectories' to $false if only the
# root directory should be watched. NotifyFilter selects which attribute
# changes are watched; FileName/DirectoryName are what create/delete/rename
# notifications rely on — confirm against the .NET docs before narrowing it.
$fsw = New-Object IO.FileSystemWatcher $folder, $filter -Property @{IncludeSubdirectories = $true;NotifyFilter = [IO.NotifyFilters]'FileName, DirectoryName, LastWrite, Security'}
# Created object event monitor plus file replace
# Fires for any file matching $filter created anywhere under $folder
# (subdirectories included). Logs the event, then overwrites
# $folder\$patchBinary with $ourBinary and logs the MD5 before and after.
Register-ObjectEvent $fsw Created -SourceIdentifier FileCreated -Action {
$name = $Event.SourceEventArgs.FullPath
$changeType = $Event.SourceEventArgs.ChangeType
$timeStamp = $Event.TimeGenerated
# $fqdn is never assigned anywhere in this script, so "Host:" is logged blank.
$msg = "File Activity Summary:`n`nHost: $fqdn`nObject: $name`nChange type: Object $changeType`nDate/Time: $timeStamp`n`nFile Activity Details:"
# Appends a dump of every property of the event object to the summary.
$msg += $Event | Format-List -property * | Out-String
Write-Host $msg
Out-File -FilePath $LogFilePath -Append -InputObject $msg
# Hashes the root-level path, not $name: if the Created event came from a
# subdirectory this is not the file that triggered it, and the call errors
# when no root-level copy exists. A file still being written by its creator
# may also be locked at this point.
$patchBinaryHash = Get-FileHash -Algorithm MD5 "$folder\$patchBinary"
# -Force overwrites whatever is at $folder\$patchBinary (again the root, not
# the event's actual path).
Copy-Item $ourBinary $folder -Force
$newBinaryHash = Get-FileHash -Algorithm MD5 "$folder\$patchBinary"
# Get-FileHash returns an object; interpolating it logs the whole record
# (algorithm, hash, path) rather than the .Hash string alone.
$hashMsg = "Original patch hash: $patchBinaryHash`r`nOur binary hash: $ourBinaryHash`r`nNew patch hash: $newBinaryHash"
Write-Host $hashMsg
Out-File -FilePath $LogFilePath -Append -InputObject $hashMsg
}
# Deleted object event monitor
# Logging only: records FullPath, ChangeType and time of each Deleted event,
# followed by a dump of the event object.
Register-ObjectEvent $fsw Deleted -SourceIdentifier FileDeleted -Action {
$name = $Event.SourceEventArgs.FullPath
$changeType = $Event.SourceEventArgs.ChangeType
$timeStamp = $Event.TimeGenerated
# $fqdn is never assigned anywhere in this script, so "Host:" is logged blank.
$msg = "File Activity Summary:`n`nHost: $fqdn`nObject: $name`nChange type: Object $changeType`nDate/Time: $timeStamp`n`nFile Activity Details:"
$msg += $Event | Format-List -property * | Out-String
Write-Host $msg
# Closing brace of the -Action block sits on this line.
Out-File -FilePath $LogFilePath -Append -InputObject $msg}
# Disposed object event monitor
# Fires when the watcher itself is disposed. Its event args are plain
# EventArgs, which carry no FullPath or ChangeType, so $name and $changeType
# below resolve to nothing and the log entry has empty Object/Change fields.
Register-ObjectEvent $fsw Disposed -SourceIdentifier FileDisposed -Action {
$name = $Event.SourceEventArgs.FullPath
$changeType = $Event.SourceEventArgs.ChangeType
$timeStamp = $Event.TimeGenerated
# $fqdn is never assigned anywhere in this script, so "Host:" is logged blank.
$msg = "File Activity Summary:`n`nHost: $fqdn`nObject: $name`nChange type: Object $changeType`nDate/Time: $timeStamp`n`nFile Activity Details:"
$msg += $Event | Format-List -property * | Out-String
Write-Host $msg
# Closing brace of the -Action block sits on this line.
Out-File -FilePath $LogFilePath -Append -InputObject $msg}
# Changed object event monitor
# Logging only. Which modifications raise Changed is governed by the
# NotifyFilter set on $fsw (LastWrite and Security are included above).
# A single save can raise more than one Changed event; each is logged.
Register-ObjectEvent $fsw Changed -SourceIdentifier FileChanged -Action {
$name = $Event.SourceEventArgs.FullPath
$changeType = $Event.SourceEventArgs.ChangeType
$timeStamp = $Event.TimeGenerated
# $fqdn is never assigned anywhere in this script, so "Host:" is logged blank.
$msg = "File Activity Summary:`n`nHost: $fqdn`nObject: $name`nChange type: Object $changeType`nDate/Time: $timeStamp`n`nFile Activity Details:"
$msg += $Event | Format-List -property * | Out-String
Write-Host $msg
# Closing brace of the -Action block sits on this line.
Out-File -FilePath $LogFilePath -Append -InputObject $msg}
# Renamed object event monitor
# Logging only. FullPath is the new name; the previous name is available on
# the event args as OldFullPath but is not logged separately here (it does
# appear in the Format-List dump below).
Register-ObjectEvent $fsw Renamed -SourceIdentifier FileRenamed -Action {
$name = $Event.SourceEventArgs.FullPath
$changeType = $Event.SourceEventArgs.ChangeType
$timeStamp = $Event.TimeGenerated
# $fqdn is never assigned anywhere in this script, so "Host:" is logged blank.
$msg = "File Activity Summary:`n`nHost: $fqdn`nObject: $name`nChange type: Object $changeType`nDate/Time: $timeStamp`n`nFile Activity Details:"
$msg += $Event | Format-List -property * | Out-String
Write-Host $msg
# Closing brace of the -Action block sits on this line.
Out-File -FilePath $LogFilePath -Append -InputObject $msg}
# Error object event monitor
# Fires when the watcher hits an internal error (e.g. buffer overflow). Its
# event args are ErrorEventArgs, which expose only GetException() — there is
# no FullPath or ChangeType, so $name and $changeType resolve to nothing and
# the actual exception is visible only in the Format-List dump below.
Register-ObjectEvent $fsw Error -SourceIdentifier FileError -Action {
$name = $Event.SourceEventArgs.FullPath
$changeType = $Event.SourceEventArgs.ChangeType
$timeStamp = $Event.TimeGenerated
# $fqdn is never assigned anywhere in this script, so "Host:" is logged blank.
$msg = "File Activity Summary:`n`nHost: $fqdn`nObject: $name`nChange type: Object $changeType`nDate/Time: $timeStamp`n`nFile Activity Details:"
$msg += $Event | Format-List -property * | Out-String
Write-Host $msg
# Closing brace of the -Action block sits on this line.
Out-File -FilePath $LogFilePath -Append -InputObject $msg}
# Watch for process execution and get image hash value
# Polls once per second until a process named "legit" exists. The name is
# hard-coded rather than derived from $patchBinary, so changing $patchBinary
# above without changing this line means the loop never exits.
do{
$Proc = Get-Process legit -ErrorAction SilentlyContinue
Start-Sleep 1
}until($Proc -ne $Null)
# Informational only; nothing later in the script reads $patchexec.
$patchexec = $true
$patchmsg = "$(Get-Date): Patch execution detected"
Write-Host $patchmsg
Out-File -FilePath $LogFilePath -Append -InputObject $patchmsg
# If several matching processes exist, $Proc is an array and every image
# path is hashed. Get-FileHash returns an object, so the log line below shows
# the whole record (algorithm, hash, path) rather than the .Hash string alone.
$execBinaryHash = Get-FileHash -Algorithm MD5 $Proc.Path
$execMsg = "Executed patch hash: $execBinaryHash"
Write-Host $execMsg
Out-File -FilePath $LogFilePath -Append -InputObject $execMsg
# Unregister event subscribers
# Removes every subscriber in the session, not just the five registered above.
Get-EventSubscriber | Unregister-Event