#Requires -Version 3.0
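Function Remove-RansomwareNote {
<#
.SYNOPSIS
Maps the administrative C$ share (SMB, TCP 445) of each remote device, searches the mapped drive for files matching a ransomware-note file name and deletes them

.DESCRIPTION
Ransomware commonly drops a note with one fixed file name into many directories of an infected host.
This function maps \\<host>\C$ as a temporary PSDrive, recursively searches THAT mapped drive for files whose
name matches -FileName, removes them, and returns one result object per device stating whether the share
could be mapped, how many files were deleted and the error message if anything failed.

Safety properties of this implementation:
- The search and the deletion are performed on the mapped remote drive, never on the local C: drive.
- A -FileName made up only of wildcard characters (for example "*" or "*.*") is rejected, because it would
  match - and delete - every file on the remote drive.
- Only files are deleted; directories that happen to match the name are left alone.
- -WhatIf is supported so the candidate files can be listed before anything is removed.
- The supplied credential is sent to every host in -ComputerName; use an account scoped to this clean-up task.

.PARAMETER ComputerName
List of FQDNs, hostnames or IP addresses whose C$ share is mapped and searched for the ransomware note

.PARAMETER FileName
Name of the ransomware note file to search for. Wildcards are allowed (the value is passed as a
Get-ChildItem -Filter) but path separators are not, and a pattern consisting solely of wildcards is rejected.

.PARAMETER Credential
Specifies a user account that has permission to map the C$ share and delete files on the remote devices.
The default is the current user.
Since PowerShell 3.0, when the value of the Root parameter is a UNC path, you can use credentials to create file system drives.
Type a user name, such as User01 or Domain01\User01 , or enter a PSCredential object generated by the `Get-Credential` cmdlet. If you type a user name, you're prompted to enter the password.
Credentials are stored in a PSCredential (/dotnet/api/system.management.automation.pscredential)object and the password is stored as a SecureString (/dotnet/api/system.security.securestring).
> [!NOTE] > For more information about SecureString data protection, see > How secure is SecureString? (/dotnet/api/system.security.securestring#how-secure-is-securestring).

.EXAMPLE
Remove-RansomwareNote -ComputerName $ComputerName -FileName "Ransom.txt" -Credential (Get-Credential -Message "Enter your credentials to map the C drive of remote devices")
# This example finds all files named 'Ransom.txt' on every computer in the $ComputerName value and deletes them

.EXAMPLE
Remove-RansomwareNote -ComputerName "dc01.domain.com","dhcp.domain.com","files.domain.com" -FileName "Ransom.txt" -Credential (Get-Credential -Message "Enter your credentials to map the C drive of remote devices")
# This example finds all files named 'Ransom.txt' on servers dc01, dhcp, and files in domain.com and deletes them

.EXAMPLE
Remove-RansomwareNote -ComputerName "files.domain.com" -FileName "Ransom.txt" -WhatIf
# This example lists the files that would be deleted on files.domain.com without removing anything

.NOTES
Author: Robert Osborne
Alias: tobor
Contact: [email protected]

.LINK
https://osbornepro.com
https://encrypit.osbornepro.com
https://writeups.osbornepro.com
https://btpssecpack.osbornepro.com
https://github.com/tobor88
https://github.com/OsbornePro
https://gitlab.com/tobor88
https://www.powershellgallery.com/profiles/tobor
https://www.linkedin.com/in/roberthosborne/
https://www.credly.com/users/roberthosborne/badges
https://www.hackthebox.eu/profile/52286

.INPUTS
System.String[]

.OUTPUTS
System.Management.Automation.PSObject
One object per device with the properties ComputerName, DriveMapped (Boolean), FilesDeleted (Int32 count) and Error (String or $Null)
#>
    [OutputType([System.Management.Automation.PSObject])]
    [CmdletBinding(SupportsShouldProcess=$True)]
    param(
        [Parameter(
            Position=0,
            Mandatory=$True,
            ValueFromPipeline=$True,
            ValueFromPipelineByPropertyName=$False,
            HelpMessage="[H] Enter a list of FQDNs, hostnames, or IP addresses of devices you wish to remotely delete the ransomware note from `n[?] Computer Names "
        )] # End Parameter
        [String[]]$ComputerName,

        [Parameter(
            Position=1,
            Mandatory=$True,
            ValueFromPipeline=$False,
            HelpMessage="[H] Enter the name of the ransomware note file to find and delete `n[E] EXAMPLE: RansomwareNote.txt `n[?] File Name "
        )] # End Parameter
        [SupportsWildcards()]
        [ValidateScript({
            # Reject anything containing a path separator: the value must be a bare file name, not a path
            If ($_ -match '[\\/]') {
                Throw "FileName must be a file name without path separators, received '$_'"
            } # End If
            # Reject patterns made only of wildcards/dots; combined with -Recurse they would delete every file on the drive
            If ($_ -match '^[\*\?\.]+$') {
                Throw "FileName '$_' would match every file on the remote drive; specify a more specific name"
            } # End If
            $True
        })]
        [String]$FileName,

        [Parameter(
            ParameterSetName="Credential",
            Position=2,
            Mandatory=$False,
            ValueFromPipeline=$False
        )] # End Parameter
        [ValidateNotNull()]
        [System.Management.Automation.PSCredential]
        [System.Management.Automation.Credential()]
        $Credential = [System.Management.Automation.PSCredential]::Empty
    ) # End param

    BEGIN {
        # Generic list avoids the O(n^2) array re-allocation of "+=" on large host lists
        $Results = New-Object -TypeName 'System.Collections.Generic.List[object]'
    } PROCESS {
        ForEach ($C in $ComputerName) {
            # Unique drive name so a pre-existing drive called "Temp" (or a parallel run) cannot make New-PSDrive fail
            $DriveName = "RansomNote$([Guid]::NewGuid().ToString('N').Substring(0, 8))"
            $Mapped = $False
            $Deleted = 0
            $ErrorText = $Null

            Try {
                Write-Verbose -Message "[v] Mapping \\$C\C$ as temporary drive ${DriveName}:"
                New-PSDrive -Name $DriveName -PSProvider FileSystem -Root "\\$C\C$\" -Description "Temp drive mapped to delete files" -Credential $Credential -ErrorAction Stop | Out-Null
                $Mapped = $True

                Write-Verbose -Message "[v] Discovering files named $FileName on $C"
                # Search the MAPPED drive, not the local C:. -File ensures only files are ever removed.
                # Per-folder access-denied errors are deliberately suppressed; those folders are simply skipped.
                $Candidates = @(Get-ChildItem -Path "${DriveName}:\" -Recurse -File -Filter $FileName -Force -ErrorAction SilentlyContinue)

                ForEach ($Item in $Candidates) {
                    If ($PSCmdlet.ShouldProcess("$C : $($Item.FullName)", "Delete ransomware note")) {
                        # -LiteralPath: note names often contain [ ] which -Path would interpret as wildcards
                        Remove-Item -LiteralPath $Item.FullName -Force -Confirm:$False -ErrorAction Stop
                        $Deleted++
                    } # End If
                } # End ForEach

                If ($Candidates.Count -eq 0) {
                    Write-Verbose -Message "[v] No files found on $C using name filter: $FileName"
                } Else {
                    Write-Verbose -Message "[v] Deleted $Deleted of $($Candidates.Count) matching file(s) on $C"
                } # End If Else
            } Catch {
                # Surface the failure instead of swallowing it; the message is also returned in the result object
                $ErrorText = $_.Exception.Message
                Write-Warning -Message "[!] $C : $ErrorText"
            } Finally {
                # Always unmap, even after a failure part-way through the deletion loop
                Remove-PSDrive -Name $DriveName -PSProvider FileSystem -Force -Confirm:$False -ErrorAction SilentlyContinue | Out-Null
            } # End Try Catch Finally

            Write-Debug -Message "[v] Adding result for $C (mapped: $Mapped, deleted: $Deleted)"
            $Results.Add((New-Object -TypeName PSCustomObject -Property @{
                ComputerName=$C;
                DriveMapped=$Mapped;
                FilesDeleted=$Deleted;
                Error=$ErrorText
            })) # End New-Object -Property
        } # End ForEach
    } END {
        Return $Results
    } # End B P E
} # End Function Remove-RansomwareNote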