Run as a service to detect whether specific files are present on a user's computer; it was created specifically for the WannaCry virus.
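#CREATED BY GISLI GUDMUNDSSON
#GLOBAL VARIABLES
# Recipient of the infection alert; replace with the admin mailbox for your site.
$MailTo = "admin@yourcompany.com"
# SMTP relay that SendInfectionMessage hands to -SmtpServer. The variable is
# spelled $SmtpServer here because that is the name the function reads; the
# previous spelling ($SmptServer) was never referenced, so -SmtpServer received
# an empty value and the alert could not be delivered.
$SmtpServer = "yourmxserver.domain.com"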
function SendInfectionMessage(){
    # Emails the IT admin that this host is believed to be infected and that
    # its network is about to be taken down. Reads the script-level $MailTo
    # and $SmtpServer. It has to run before the adapters are disabled, since
    # it needs a working network path to the relay.
    # NOTE(review): -From receives only the bare hostname rather than a
    # user@domain address — confirm the relay accepts that as a sender.
    $ComputerName = $env:COMPUTERNAME
    $MailArgs = @{
        To         = $MailTo
        From       = "$ComputerName"
        Subject    = "WannaCry Infection Detected - $ComputerName"
        Body       = "WannaCry Infection Was Likely Detected on Computer $ComputerName. Please contact Username $env:USERNAME to investigate further. The Network Was Disabled On Remote Machine"
        SmtpServer = $SmtpServer
    }
    Send-MailMessage @MailArgs
}
function DisableInfectedComputer(){
    # Containment step: alert the admin first (needs the network), then take
    # every adapter that reports a MAC address offline so the host can no
    # longer reach the rest of the network.
    SendInfectionMessage
    # Adapters without a MAC address are skipped. The return value of
    # Disable() is not inspected, so a failed disable goes unreported.
    # NOTE(review): disabling adapters through WMI presumably requires
    # administrator rights — confirm the account running this has them.
    Get-WmiObject Win32_NetworkAdapter |
        Where-Object { $null -ne $_.MACAddress } |
        ForEach-Object { $_.Disable() }
}
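function MainDetection(){
    # Looks for two WannaCry artefacts and, if either is present, hands off
    # to DisableInfectedComputer:
    #   - files with the .WCRYT extension anywhere under $env:TEMP
    #   - the !WannaCryptor!.bmp wallpaper under the user's Desktop
    # NOTE(review): when this runs as a service, $env:TEMP and
    # $env:USERPROFILE resolve to the service account's profile rather than
    # the logged-on user's — confirm that matches the intended deployment.
    $TempFilePath = $env:TEMP
    # -ErrorAction SilentlyContinue: an unreadable subfolder must not abort
    # the whole scan; a partial scan that still reports hits is preferable
    # to no result at all.
    $FilesInTemp = Get-ChildItem -Path $TempFilePath -Filter "*.WCRYT" -Recurse -ErrorAction SilentlyContinue
    $Desktop = $env:USERPROFILE + "\Desktop"
    $GetWallpaper = Get-ChildItem -Path $Desktop -Filter "!WannaCryptor!.bmp" -Recurse -ErrorAction SilentlyContinue
    # $null goes on the left: with $null on the right, -ne filters a
    # multi-element result instead of testing it, so the old comparison only
    # worked by accident of the array's truthiness.
    if($null -ne $FilesInTemp -or $null -ne $GetWallpaper){
        DisableInfectedComputer
    }
}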
# Entry point: perform a single detection pass. Nothing here loops or
# schedules; presumably the service wrapper re-invokes the script — confirm.
MainDetection