Last active
July 11, 2020 14:46
-
-
Save Cyb3r-Monk/9234aa82023cdf008f73987dac9f23aa to your computer and use it in GitHub Desktop.
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| #This script reads the Sysmon event logs, gets process IDs from the event and dumps its memory. | |
| #Since task scheduler cannot provide the process id as an input for the script, we have to read Sysmon logs to get the process Ids. | |
| $events=Get-WinEvent -FilterHashtable @{ProviderName="Microsoft-Windows-Sysmon"; Id = 11; StartTime = [datetime]::Now.AddMinutes(-20)} -ErrorAction Stop | |
| #the below function was copied from PowerSploit. | |
| #It dumps the full memory of a given process Id into a specified folder. | |
| function Out-Minidump { | |
| <# SNIPPED SECTION #> | |
| #Specify Save location for the dump files. | |
| #you just need to change this part of the function. | |
| $DumpFilePath = "C:\AntiRansom" | |
| ) | |
| <# SNIPPED SECTION #> | |
| PROCESS | |
| { | |
| $ProcessId = $Process.Id | |
| $ProcessName = $Process.Name | |
| $ProcessHandle = $Process.Handle | |
| #small change for dump file name. will be used to check if the dump file exists. | |
| $ProcessFileName = "$($ProcessId).dmp" | |
| #$ProcessFileName = "$($ProcessName)_$($ProcessId).dmp" | |
| <# SNIPPED SECTION AGAIN #> | |
| } | |
| #Check if the evet log query returns at least one event. | |
| #If there is no event, exit.Since we already used -ErrorAction Stop, this is not necessary. | |
| #if you change it to SilentlyContinue, you need to make sure the query returns at least one event. | |
| if (!$events[0].message) { | |
| Exit | |
| } | |
| else { | |
| $processes = @() | |
| #for each event, get process Id and dump it. | |
| #this is because the ransomware process can spawn multiple process for encryption. | |
| foreach ($event in $events) { | |
| #parse the process Id. | |
| [int]$processId=[regex]::Match($event.message,'ProcessId\:\s(.+)').captures.groups[1].Value | |
| $processes += $processId | |
| } | |
| $processes = $processes | Select -Unique | |
| foreach ($process in $processes) { | |
| #define the dump name based on the Process Id. | |
| $dumpFileName = $process.ToString()+".dmp" | |
| #check if the process has already been dumped. | |
| if (Test-Path '"C:\AntiRansom\$dumpFileName"') { | |
| Exit | |
| } | |
| else { | |
| #dump the process. | |
| Out-Minidump -Process (Get-Process -Id $process) | |
| } | |
| } | |
| } | |
| Exit |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment