# function Test-Administrator()
# {
# $user = [Security.Principal.WindowsIdentity]::GetCurrent();
# (New-Object Security.Principal.WindowsPrincipal $user).IsInRole([Security.Principal.WindowsBuiltinRole]::Administrator)
# }
# Check if script is executed with Admin privileges
# if (Test-Administrator == false){
# Write-Host "Please run as Admin"
# Break
# }
# Check if Script is called with first argument as monitoring directory
# else the monitoring directory is the current working directory
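# Argument handling.
# Usage: basicFim.ps1 [<directory>]
#   <directory> - directory to baseline / monitor; defaults to the current
#                 working directory when omitted.
# Bad input exits with status 1. The original used 'Break' here; outside a
# loop 'break' does not return an exit code but unwinds the calling runspace.
$param1 = $args[0]
$param2 = $args[1]
# $null is kept on the left of the comparison: with $null on the right an
# array operand turns -ne into a filter whose result is not a boolean.
if ($null -ne $param2) {
    Write-Host "Too many arguments ! "
    Write-Host "Exiting..."
    exit 1
}
if ($null -eq $param1) {
    $monitoring_dir = (Get-Location).Path
} else {
    # -PathType Container rejects a path that exists but is a plain file;
    # -LiteralPath stops '[' and ']' in the argument being read as wildcards.
    if (Test-Path -LiteralPath $param1 -PathType Container) {
        $monitoring_dir = $param1
    } else {
        Write-Host "The Directory you entered doesn't exist ! "
        Write-Host "Exiting ..."
        exit 1
    }
}
# The baseline is written inside the directory it protects, so whoever can
# change the monitored files can also rewrite baseline.txt; the location is
# kept for compatibility with the rest of the script but is worth moving.
$baseline_path = Join-Path -Path $monitoring_dir -ChildPath "baseline.txt"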
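Function Calculate-File-Hash($filepath) {
    <#
    .SYNOPSIS
    Computes the SHA-512 digest of one file.
    .PARAMETER filepath
    Path of the file to hash. Passed with -LiteralPath: the callers hand in
    Get-ChildItem FullName values, and a name containing '[' or ']' would be
    treated as a wildcard pattern by -Path and fail to match itself.
    .OUTPUTS
    The Get-FileHash result object; callers read its .Path and .Hash members.
    #>
    return Get-FileHash -LiteralPath $filepath -Algorithm SHA512
}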
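Function Erase-Baseline-If-Already-Exists() {
    <#
    .SYNOPSIS
    Removes an existing baseline file so that a fresh one can be written.
    .NOTES
    Reads the script-scope variable $baseline_path.
    Remove-Item errors are non-terminating by default; previously a failed
    delete let the caller keep appending new hashes to the stale baseline,
    so the deletion now terminates on failure (-ErrorAction Stop).
    -LiteralPath keeps '[' / ']' in the path from acting as wildcards.
    #>
    $baselineExists = Test-Path -LiteralPath $baseline_path
    if ($baselineExists) {
        Write-Host "Baseline already exists !"
        Write-Host "Deleting existing baseline ..."
        Write-Host "Creating new baseline ..."
        Remove-Item -LiteralPath $baseline_path -ErrorAction Stop
    }
}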
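# User input: A builds a new baseline, B monitors against the saved one.
Write-Host ""
Write-Host "What would you like to do?"
Write-Host ""
Write-Host " A) Collect new Baseline?"
Write-Host " B) Begin monitoring files with saved Baseline?"
Write-Host ""
$response = Read-Host -Prompt "Please enter 'A' or 'B'"
Write-Host ""
# The baseline lives in the monitored directory, so it must be skipped when
# enumerating files: otherwise it is hashed into its own baseline in mode A
# and reported as "created" on every pass in mode B.
$baseline_name = Split-Path -Path $baseline_path -Leaf
# String -eq is case-insensitive, so 'a' and 'A' both match.
if ($response -eq "A") {
    # Delete baseline.txt if it already exists
    Erase-Baseline-If-Already-Exists
    # Collect the files in the target folder. -File drops sub-directories,
    # which Get-FileHash cannot hash. Only the top level is covered (no
    # -Recurse), as before.
    $files = Get-ChildItem -LiteralPath $monitoring_dir -File |
        Where-Object { $_.Name -ne $baseline_name }
    # For each file, calculate the hash, and append "path|hash" to baseline.txt
    foreach ($f in $files) {
        $hash = Calculate-File-Hash $f.FullName
        "$($hash.Path)|$($hash.Hash)" | Out-File -FilePath $baseline_path -Append
    }
    Write-Host "Baseline created successfully"
}
elseif ($response -eq "B") {
    Write-Host "Start..."
    Write-Host "Monitoring Files"
    Write-Host "You will be notified of any changes here"
    # NOTE(review): nothing in this script writes a logs.txt; the message
    # below promises more than is recorded.
    Write-Host "For more details about changes made, see logs.txt file"
    Write-Host "Press [CTRL+C] to stop monitoring."
    # Without this check a missing baseline produced a Get-Content error and
    # an empty dictionary, after which every file was reported as created.
    if (-not (Test-Path -LiteralPath $baseline_path -PathType Leaf)) {
        Write-Host "No baseline found at $baseline_path" -ForegroundColor Red
        exit 1
    }
    $fileHashDictionary = @{}
    # Load "path|hash" lines from baseline.txt into a dictionary. Index
    # assignment is used instead of .Add so a repeated path does not throw;
    # the last entry wins. Blank lines are ignored.
    foreach ($line in Get-Content -LiteralPath $baseline_path) {
        if ([string]::IsNullOrWhiteSpace($line)) { continue }
        $parts = $line.Split("|")
        $fileHashDictionary[$parts[0]] = $parts[1]
    }
    # The baseline itself is unprotected: it sits in the monitored directory
    # and anyone able to alter the monitored files can rewrite it to hide a
    # change. Keeping it where monitored users cannot write is the real fix.
    # Begin (continuously) monitoring files with saved Baseline
    while ($true) {
        Start-Sleep -Seconds 1
        $files = Get-ChildItem -LiteralPath $monitoring_dir -File |
            Where-Object { $_.Name -ne $baseline_name }
        foreach ($f in $files) {
            $hash = Calculate-File-Hash $f.FullName
            $known = $fileHashDictionary[$hash.Path]
            if ($null -eq $known) {
                # Not in the baseline: a new file has been created
                Write-Host "$($hash.Path) has been created!" -ForegroundColor Green
            }
            elseif ($known -ne $hash.Hash) {
                # Content no longer matches the baseline, notify the user
                Write-Host "$($hash.Path) has changed!!!" -ForegroundColor Yellow
            }
            # otherwise the file is unchanged and nothing is reported
        }
        foreach ($key in $fileHashDictionary.Keys) {
            if (-not (Test-Path -LiteralPath $key)) {
                # One of the baseline files must have been deleted, notify the user
                Write-Host "$($key) has been deleted!" -ForegroundColor DarkRed -BackgroundColor Gray
            }
        }
    }
}
else {
    # Previously any other answer ended the script silently.
    Write-Host "Unrecognised choice '$response'. Please enter 'A' or 'B'."
    exit 1
}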