I am trying to build a simple variant of a "ransomware canary": FSRM watches a directory, and if anything in it changes, the computer shuts down immediately.
Here is my PowerShell code:
# Ransomware Canary
# Kenton
# December 28, 2018
#
# Creates an FSRM file screen that watches a folder(s) for any file changes,
# immediately shuts down the server if any are detected to slow down ransomware attacks
$CanaryPath = "C:\Users\Administrator\Desktop\Acounting" # Path to monitor, deliberately misspelled
$AnyGroup = "Any" # Name of FSRM file group to catch all files
$ShutdownCmd = "C:\Windows\System32\shutdown.exe" # Location of shutdown command
$ShutdownParameters = "/s /f" # /s = shut down computer immediately; /f = force close applications
# Install File Server Resource Manager (FSRM)
Add-WindowsFeature -Name FS-Resource-Manager -IncludeManagementTools
# Define file group to catch all possible names, since any changes in this folder should be disallowed
New-FsrmFileGroup -Name $AnyGroup -IncludePattern @("*")
# Define action to shut down computer
$ShutdownAction = New-FsrmAction -Type Command -Command $ShutdownCmd -CommandParameters $ShutdownParameters -SecurityLevel LocalSystem
# Define file screen
New-FsrmFileScreen -Path $CanaryPath -IncludeGroup $AnyGroup -Notification $ShutdownAction -Active
For the most part everything seems to work, but when I add $ShutdownAction to the -Notification parameter of New-FsrmFileScreen, it produces the following error:
New-FsrmFileScreen : 0x8004530d, The specified property is out of range.
At C:\Users\Administrator\Desktop\add-ransomware-canary.ps1:23 char:1
+ New-FsrmFileScreen -Path $CanaryPath -IncludeGroup $AnyGroup -Notific ...
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : NotSpecified: (MSFT_FSRMFileScreen:Root/Microsoft/..._FSRMFileScreen) [New-FsrmFileScreen], CimException
+ FullyQualifiedErrorId : HRESULT 0x8004530d,New-FsrmFileScreen
I built this pattern from another example here, but that one uses the "Email" type rather than the "Command" type. I have not found many examples that use the "Command" type. I originally did this in the GUI and everything seemed to work; it only fails in PowerShell. Is there anything obviously wrong with my code?
Answer 1
I found the answer here, thanks to GradeA-Phil on TechNet. The bottom line is that you must add the -KillTimeOut parameter to New-FsrmAction, because its default value of -1 is not acceptable to New-FsrmFileScreen.
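For reference, here is the canary script with that fix applied, as an added example rather than the asker's or the answerer's own code. It assumes a Windows Server with the FSRM feature available; the paths, group name and the optional Event notification are illustrative choices, and the [Source File Path] token is an FSRM notification variable.

```powershell
# Added example: ransomware canary with -KillTimeOut set explicitly on the Command action.
# Assumes FSRM is installed (Add-WindowsFeature FS-Resource-Manager) and the script runs elevated.
$CanaryPath = 'C:\Users\Administrator\Desktop\Acounting'   # decoy folder; misspelling is intentional
$AnyGroup   = 'Any'                                         # catch-all FSRM file group

# Make sure the decoy folder exists before attaching a screen to it (assumed setup step)
if (-not (Test-Path $CanaryPath)) { New-Item -ItemType Directory -Path $CanaryPath | Out-Null }

# Create the catch-all group only once; New-FsrmFileGroup fails on a duplicate name
if (-not (Get-FsrmFileGroup -Name $AnyGroup -ErrorAction SilentlyContinue)) {
    New-FsrmFileGroup -Name $AnyGroup -IncludePattern @('*') | Out-Null
}

# Command action. -KillTimeOut (minutes FSRM waits before killing the command) must be set
# to a non-negative value; the default of -1 is what New-FsrmFileScreen rejects with 0x8004530d.
# /t 0 removes shutdown.exe's default countdown so the shutdown starts as soon as the screen fires.
$ShutdownAction = New-FsrmAction -Type Command `
    -Command 'C:\Windows\System32\shutdown.exe' `
    -CommandParameters '/s /f /t 0' `
    -SecurityLevel LocalSystem `
    -KillTimeOut 1

# Optional second action: log an event so the trigger is visible after the server comes back up
$LogAction = New-FsrmAction -Type Event -EventType Error `
    -Body 'Ransomware canary tripped: write detected at [Source File Path]'

New-FsrmFileScreen -Path $CanaryPath -IncludeGroup $AnyGroup `
    -Notification @($ShutdownAction, $LogAction) -Active | Out-Null

# Verify the screen exists and its Command notification carries the KillTimeOut value
$screen = Get-FsrmFileScreen -Path $CanaryPath
$screen.Notification |
    Where-Object { $_.Type -eq 'Command' } |
    Format-List Command, CommandParameters, SecurityLevel, KillTimeOut
```

Test it in a lab first: any process that writes to the decoy folder, including backup agents and indexing services, will trip the screen and shut the server down.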