我正在尝试构建“勒索软件金丝雀”的简单变体,其中FSRM监视目录,如果有任何更改,它将立即关闭计算机。
这是我的PowerShell代码:
# Ransomware Canary
# Kenton
# December 28, 2018
#
# Creates an FSRM file screen that watches a folder(s) for any file changes,
# immediately shuts down the server if any are detected to slow down ransomware attacks
$CanaryPath = "C:\Users\Administrator\Desktop\Acounting" # Path to monitor, deliberately misspelled
$AnyGroup = "Any" # Name of FSRM file group to catch all files
$ShutdownCmd = "C:\Windows\System32\shutdown.exe" # Location of shutdown command
$ShutdownParameters = "/s /f" # /s = shut down computer immediately; /f = force close applications
# Install File Server Resource Manager (FSRM)
Add-WindowsFeature -Name FS-Resource-Manager -IncludeManagementTools
# Define file group to catch all possible names, since any changes in this folder should be disallowed
New-FsrmFileGroup -Name $AnyGroup -IncludePattern @("*")
# Define action to shut down computer
$ShutdownAction = New-FsrmAction -Type Command -Command $ShutdownCmd -CommandParameters $ShutdownParameters -SecurityLevel LocalSystem
# Define file screen
New-FsrmFileScreen -Path $CanaryPath -IncludeGroup $AnyGroup -Notification $ShutdownAction -Active
大多数事情似乎都可以工作,但是当我将$ ShutdownAction添加到New-FsrmFileScreen的-Notification参数时,它会产生以下错误:
New-FsrmFileScreen : 0x8004530d, The specified property is out of range.
At C:\Users\Administrator\Desktop\add-ransomware-canary.ps1:23 char:1
+ New-FsrmFileScreen -Path $CanaryPath -IncludeGroup $AnyGroup -Notific ...
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : NotSpecified: (MSFT_FSRMFileScreen:Root/Microsoft/..._FSRMFileScreen) [New-FsrmFileScree
n], CimException
+ FullyQualifiedErrorId : HRESULT 0x8004530d,New-FsrmFileScreen
I've based this pattern on another example here, but it uses the "Email" type instead of the "Command" type. I haven't found many examples with the "Command" type. I'd originally made this in the GUI, and it all seemed to work, just not in PowerShell. Is there something obviously wrong with my code?
最佳答案
I have found the answer here, hat tip to GradeA-Phil on TechNet. Bottom line is that you have to add a -KillTimeOut parameter to New-FsrmAction, because its default value of -1 is unacceptable to New-FsrmFileScreen.
