CanaryShell-ita.ps1
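# CanaryShell (Italian UI): interactively builds a PowerShell "monitor" script
# that polls an existing canary (sentinel) file and runs the chosen alarm
# action when the file disappears, its last-access time changes, the file or
# its parent folder appears in the clipboard file-drop list, or the file is
# referenced in the PSReadLine command history.
#
# Prompts (in order): canary path, alarm action 1-5, polling interval in
# seconds (default 10), output path of the generated .ps1.
# Side effect: creates the monitor script at the chosen output path.

$chosen = Read-Host "Scegli un file-sentinella già esistente"
# Validate the canary first so a typo does not cost the user the remaining
# prompts. -LiteralPath: the path is user input and must not act as a wildcard.
if (-not (Test-Path -LiteralPath $chosen)) {
  Write-Host "`nIl file-sentinella non è presente; crearlo e ripetere la procedura. Questa finestra verrà chiusa.`n" -ForegroundColor Yellow
  cmd /C pause
  exit
}
$chosenF = Split-Path -Path $chosen
# Values pasted into the generated script are emitted as single-quoted
# PowerShell literals ('' escapes a quote), so a path containing spaces, '$'
# or '"' survives intact instead of being re-parsed by the monitor.
$chosenLit = "'" + $chosen.Replace("'", "''") + "'"
$leafLit = "'" + (Split-Path -Path $chosen -Leaf).Replace("'", "''") + "'"
$dirLit = "'" + $chosenF.Replace("'", "''") + "'"
# Last element of the parent path (empty when the canary was given as a bare
# file name); matched against clipboard entries like the canary name itself.
$dirNameLit = "'" + $chosenF.Split("\")[-1].Replace("'", "''") + "'"

# USB-eject fragment shared by actions 1 and 2 (kept in one place so the two
# branches cannot drift apart). Backticks keep the '$' for the generated file.
$usbEject = @"
#disconnessione USB drive
`$usbDrives = Get-CimInstance -Class Win32_DiskDrive -Filter 'InterfaceType = "USB"' |
Get-CimAssociatedInstance -ResultClassName Win32_DiskPartition |
Get-CimAssociatedInstance -ResultClassName Win32_LogicalDisk |
ForEach-Object { `$_.DeviceID }
foreach (`$drive in `$usbDrives) {
`$driveEject = New-Object -comObject Shell.Application
`$driveEject.Namespace(17).ParseName(`$drive).InvokeVerb("Eject")
}
"@

# The selected action is inserted verbatim into the generated script; option 5
# is whatever command the operator types here.
$action = Switch (Read-Host @"
Scegli l'azione da eseguire come allarme:
1 - disconnessione USB drive e utente
2 - disconnessione USB drive, rete e utente (richiede admin)
3 - spegnimento pc
4 - tentativo di riavvio al BIOS
5 - comando personalizzato
Scelta
"@) {
  1 { "$usbEject`n#disconnessione utente`nlogoff" }
  2 { $usbEject + "`n" + @"
#disconnessione rete
`$activeAdapter = Get-NetAdapter | Where-Object { `$_.Status -eq "Up" }
if (`$null -eq `$activeAdapter) {
logoff
} else {
foreach (`$NetAdapt in `$activeAdapter) {
Disable-NetAdapter -Name `$NetAdapt.Name -Confirm:`$false
}
}
start-sleep 1
#disconnessione utente
logoff
"@
  }
  3 { "shutdown /s /f /t 1 #rapido arresto forzato sistema" }
  4 { "shutdown /r /fw /f /t 0 #riavvio al BIOS" }
  5 { Read-Host "Inserire comando" }
  default {
    # Without this branch an unknown choice silently produced a monitor with
    # an empty alarm action.
    Write-Host "`nScelta non valida. Questa finestra verrà chiusa.`n" -ForegroundColor Yellow
    cmd /C pause
    exit
  }
}

$pausa = Read-Host "Scegli i secondi di intervallo fra i monitoraggi (default: 10)"
# Empty, non-numeric or non-positive input falls back to the default so
# Start-Sleep in the generated loop never receives a bad argument.
$pausa = $pausa -as [int]
if (-not $pausa -or $pausa -lt 1) {
  $pausa = 10
}

# Baseline last-access time, captured now and compared as a plain string.
# NOTE(review): this check only fires if the volume actually updates
# last-access timestamps; NTFS can have that update disabled — confirm on the
# target system.
$CanFile = (Get-Item -LiteralPath $chosen).LastAccessTime.ToString()
$CanFileLit = "'" + $CanFile.Replace("'", "''") + "'"

$outputF = Read-Host "Scegli il percorso e il nome dello script (.ps1) di monitoraggio"
# Generated monitor. Name/path matches are case-insensitive (-match,
# Select-String), which suits Windows file names.
New-Item -ItemType File -Path $outputF -Value @"
#script di monitoraggio generato da CanaryShell
`$canary = $chosenLit
`$canaryLeaf = $leafLit
`$canaryDir = $dirLit
`$canaryDirName = $dirNameLit
`$baselineAccess = $CanFileLit
while (`$true) {
#intervallo all'avvio e fra i monitoraggi
Start-Sleep $pausa
#controllo presenza canary
if (-not (Test-Path -LiteralPath `$canary)) {
$action
break
}
#controllo ultimo accesso
if ((Get-Item -LiteralPath `$canary).LastAccessTime.ToString() -ne `$baselineAccess) {
$action
break
}
#controllo clipboard
`$clipNames = @(Get-Clipboard -Format FileDropList -ErrorAction SilentlyContinue | ForEach-Object { `$_.Name })
if ((`$clipNames -match [regex]::Escape(`$canaryLeaf)) -or (`$canaryDirName -and (`$clipNames -match [regex]::Escape(`$canaryDirName)))) {
$action
break
}
#controllo storia comandi PowerShell
#rileva esecuzione di qualunqe comando PowerShell coinvolga esplicitamente il canary o la sua cartella
if (Get-Command Get-PSReadLineOption -ErrorAction SilentlyContinue) {
`$historyPath = (Get-PSReadLineOption).HistorySavePath
if (`$historyPath -and (Test-Path -LiteralPath `$historyPath)) {
`$hits = Select-String -LiteralPath `$historyPath -SimpleMatch -Pattern `$canaryLeaf -Quiet
if (-not `$hits -and `$canaryDir) {
`$hits = Select-String -LiteralPath `$historyPath -SimpleMatch -Pattern `$canaryDir -Quiet
}
if (`$hits) {
$action
break
}
}
}
}
"@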