@fbogner
Created December 7, 2020 21:12
# Identity of this host and the per-host CSV it logs to on the central share.
$computername = $env:computername
$logfile = Join-Path -Path '\\dc01\EgregorLog' -ChildPath "$computername.csv"
# Location this script watches for the Egregor payload DLL (see header comment below).
$egregorDll = Join-Path -Path 'C:\Windows' -ChildPath 'egregor.dll'
#################################################################################################
# This is a small script to monitor/protect all domain joined systems from further Egregor activity.
# It was created during an incident by Florian Bogner, Bee IT Security (https://bee-itsecurity.at)
#
# As described by Cybereason (https://www.cybereason.com/blog/cybereason-vs-egregor-ransomware)
# Egregor uses a DLL for the actual encryption process. This script checks if the "client"-specific
# file exists and logs the result. If possible, a placeholder is created that should mitigate
# further infections. This is implemented by explicitly setting the following ACL: (Everyone:Full Control:Deny).
#
#################################################################################################
# Source: https://blog.ipswitch.com/de/erstellen-einer-logging-funktion-in-powershell
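#######################################
# Appends one record (Time, Message, Severity) to the per-host CSV log.
# Parameters:
#   -Message   text to log
#   -Severity  Information (default), Warning or Error
#   -Path      CSV file to append to; defaults to the script-level $logfile
# A failed write (share unreachable, access denied) is reported with
# Write-Warning instead of terminating, so the detection and protection
# steps that follow still run when the log share is unavailable.
#######################################
function Write-Log {
    [CmdletBinding()]
    param(
        [Parameter()]
        [ValidateNotNullOrEmpty()]
        [string]$Message,
        [Parameter()]
        [ValidateNotNullOrEmpty()]
        [ValidateSet('Information','Warning','Error')]
        [string]$Severity = 'Information',
        [Parameter()]
        [string]$Path = $logfile
    )
    $record = [pscustomobject]@{
        Time = (Get-Date -f g)
        Message = $Message
        Severity = $Severity
    }
    try {
        $record | Export-Csv -Path $Path -Append -NoTypeInformation -ErrorAction Stop
    }
    catch {
        # Logging must not block remediation; surface the failure on the console instead.
        Write-Warning "Write-Log: could not append to '$Path': $($_.Exception.Message)"
    }
}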
#################################################################################################
Write-Log -Message "Starting Check for Egregor Encryption" -Severity Information
# Ransom-note locations checked on this host; either one present means files were encrypted.
$testfile1 = 'C:\RECOVER-FILES.txt'
$testfile2 = 'C:\Users\Public\RECOVER-FILES.txt'
if ((Test-Path -Path $testfile1, $testfile2) -contains $true) {
    Write-Log -Message "RECOVER-FILES.txt found - System is encrypted!" -Severity Error
}
else {
    Write-Log -Message "RECOVER-FILES.txt NOT found - System is clean!" -Severity Information
}
#################################################################################################
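Write-Log -Message "Starting Check for Egregor Infection" -Severity Information
# The 100KB threshold keeps the small placeholder file created further below from being
# flagged as an infection; only a sizeable binary at this path is treated as the payload.
if ( (Test-Path $egregorDll) -And ( (Get-Item $egregorDll).length -gt 100KB) ) {
    Write-Log -Message "Malicious egregorDll found - System is infected - Trying to mitigate" -Severity Error
    # Record identifying details before touching the file so the sample can be matched later.
    try {
        $dllItem = Get-Item -Path $egregorDll -ErrorAction Stop
        $dllHash = (Get-FileHash -Path $egregorDll -Algorithm SHA256 -ErrorAction Stop).Hash
        Write-Log -Message "egregorDll details - Size: $($dllItem.Length) LastWriteTime: $($dllItem.LastWriteTime) SHA256: $dllHash" -Severity Information
    }
    catch {
        Write-Log -Message "Could not read egregorDll details: $($_.Exception.Message)" -Severity Warning
    }
    # Rename the DLL so the path the malware expects no longer resolves. The renamed copy is
    # kept as evidence; it is still loadable under its new name, so collect it for analysis
    # and remove it from the host afterwards.
    try {
        Move-Item -Force -Path $egregorDll -Destination "$egregorDll.bad" -ErrorAction Stop
        Write-Log -Message "egregorDll moved - System was cleaned" -Severity Information
    }
    catch {
        # The error text is included so a failed move can be triaged from the log alone.
        Write-Log -Message "Failed to clean system: $($_.Exception.Message)" -Severity Error
    }
}
else {
    Write-Log -Message "Malicious egregorDll NOT found - System is clean!" -Severity Information
}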
#################################################################################################
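# When nothing is at the path (never present, or just moved away) drop a placeholder and deny
# all access to it, so the payload cannot be written back to the location it expects.
# NOTE(review): the deny covers the account running this script as well; on later runs Test-Path
# and Get-Item on this path may themselves be refused - confirm what a follow-up run logs before
# deploying widely. An administrator can still take ownership and reset the ACL, so this is a
# speed bump, not a guarantee.
if ( -Not (Test-Path $egregorDll) ) {
    Write-Log -Message "Creating egregorDll Protection" -Severity Information
    try {
        "This is a placeholer" | Out-File -FilePath $egregorDll -ErrorAction Stop
        $acl = Get-Acl -Path $egregorDll -ErrorAction Stop
        # An explicit deny ACE is evaluated before inherited allow ACEs, so Everyone loses all access.
        $AccessRule = New-Object System.Security.AccessControl.FileSystemAccessRule("Everyone","FullControl","Deny")
        $acl.SetAccessRule($AccessRule)
        $acl | Set-Acl -Path $egregorDll -ErrorAction Stop
        Write-Log -Message "egregorDll Protection created" -Severity Information
    }
    catch {
        # Without this record a host where protection failed looks identical to a protected one.
        Write-Log -Message "Failed to create egregorDll Protection: $($_.Exception.Message)" -Severity Error
    }
}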