@Cyb3r-Monk
Created July 25, 2020 12:30
<#snipped section#>
# Get events related to the honeyfolder. This time we are using Event ID 4656 (a handle to an object was requested).
$events = Get-WinEvent -FilterHashtable @{LogName="Security"; Id = 4656; StartTime = [datetime]::Now.AddMinutes(-5)} | Where-Object -Property Message -Match 'honeyfolder' | Where-Object -Property Message -Match 'Read|DELETE|WriteData' -ErrorAction Stop
<#snipped section#>
# Process ID is in hex format in Event ID 4656; convert it to an integer with [int] (PowerShell understands the 0x prefix).
$processes = @()
foreach ($event in $events) {
    # Parse the process ID. The capture is limited to hex digits so the match stops at the end of the value.
    $processId = [int][regex]::Match($event.Message, 'Process\sID\:\s+(0x[0-9A-Fa-f]+)').Groups[1].Value
    $processes += $processId
}
<#the rest of the script is the same. dump the process memory#>
<#dumping the memory may not be a good idea.
You can trigger other actions like full evidence acquisition, shutting down the computer, etc. without checking anything#>
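Parsing the whole 4656 message body and gating the response on it, as an added example that is not part of the gist: ConvertFrom-HoneyfolderEvent is a hypothetical helper and the message text is constructed. The access check is narrowed to ReadData/WriteData/DELETE because PowerShell's -match is case-insensitive, so a bare 'Read' also hits READ_CONTROL, which many ordinary handle requests carry.

```powershell
# Constructed sample 4656 message body (not a captured event); the layout follows
# what Get-WinEvent returns in .Message for "A handle to an object was requested".
$sampleMessage = @"
A handle to an object was requested.

Subject:
    Account Name:       alice
    Account Domain:     CORP

Object:
    Object Type:        File
    Object Name:        C:\honeyfolder\passwords.txt

Process Information:
    Process ID:         0x1a4c
    Process Name:       C:\Windows\System32\notepad.exe

Access Request Information:
    Accesses:           READ_CONTROL
                        ReadData (or ListDirectory)
"@

function ConvertFrom-HoneyfolderEvent {
    # Hypothetical helper: pulls the fields a responder needs out of a 4656 message string.
    param([Parameter(Mandatory)][string]$Message)

    $pidMatch = [regex]::Match($Message, 'Process ID:\s+(0x[0-9A-Fa-f]+)')
    if (-not $pidMatch.Success) { return $null }   # no process ID in this message; skip it

    [pscustomobject]@{
        # 4656 writes the PID as hex; convert explicitly instead of relying on [int] coercion.
        ProcessId   = [Convert]::ToInt32($pidMatch.Groups[1].Value, 16)
        ProcessName = [regex]::Match($Message, 'Process Name:\s+(.+?)\r?$', 'Multiline').Groups[1].Value
        ObjectName  = [regex]::Match($Message, 'Object Name:\s+(.+?)\r?$', 'Multiline').Groups[1].Value
        Account     = [regex]::Match($Message, 'Account Name:\s+(\S+)').Groups[1].Value
        # -match is case-insensitive, so a bare 'Read' would also hit READ_CONTROL, which
        # many handle requests carry; match the content-access rights only.
        Suspicious  = [bool]($Message -match 'ReadData|WriteData|DELETE')
    }
}

$hit = ConvertFrom-HoneyfolderEvent -Message $sampleMessage
if ($hit -and $hit.Suspicious) {
    # Response step: only a log line here; swap in evidence acquisition or isolation as the gist suggests.
    "$(Get-Date -Format o) honeyfolder access pid=$($hit.ProcessId) ($($hit.ProcessName)) by $($hit.Account) on $($hit.ObjectName)" |
        Add-Content -Path (Join-Path $env:TEMP 'honeyfolder-hits.log')
}
```

In the live script, pass `$event.Message` from the Get-WinEvent pipeline instead of `$sampleMessage`; `$event.ToXml()` with the EventData fields is a more robust source than regex over the rendered message if the event text is localised.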