Comments (6)
That's a good catch. I'll look into it and either update honey pot handling or blame it on PowerShell.
from fsrm-anti-ransomware.
Working towards a solution: I was testing doing a Get-ChildItem. I didn't realize that it could return more than one type. I'm an old C hack, a current Python hack, and I hate PowerShell so I don't expect this aberrant behavior. If I used a filter that returned only a single matching directory it was type System.IO.FileSystemInfo but if I had multiple hits it returned a type System.Array. Took me a stupid amount of time to figure out but I'm on the golden path now.
Now we'll cast our results as an array by doing something like this:
$result = @(Get-ChildItem -Filter '?asdf*')
$result += @(Get-ChildItem -Filter '.asdf*')
The point of all this array casting is that we can't assume the number of hits the first Get-ChildItem will return, and by inference, the data type of the return. The second item's cast is just for belt and suspenders. I know exactly what data type I want so we'll be explicit in the code.
@("hoopdy","doo"). Take that ambiguity!
or @("um","kay")
Matching the honeypot directories that begin with a dot is a little weird. We can sometimes pretend the dot is an actual character, but not with wildcard matching. Other times it means this directory. And still other times it means, "Hey, everything after me is a file name extension and I'm just a place holder."
So why are we even bothering instead of just saying this is a special case that we are going to ignore? Macs and *nix, that's why. And because I hate PowerShell and love my Mac/Linux systems. Capricious? Sure. Will it hurt the non-Mac and non-Linux systems? Nope, they won't act any differently. And it's a challenge. That's why. Let's do this!
Steps to do - we tear into the actual script code and do four things:
- create a flag variable that controls finding the dot
- break up the pipelined code that gets the matching directories
- check match-the-dot flag and take appropriate action
- substring replace on the honey pot name pattern, replace '?' with '.'
Finally, this is really just a rambling note so that if I procrastinate I'll know where to pick this up later.
from fsrm-anti-ransomware.
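The array wrapping and the four dot-matching steps described in the comment above, as an added example. This is not code from fsrm-anti-ransomware: the function name Get-HoneyPotDirectories, the -IncludeDotPrefix switch (standing in for the "match-the-dot" flag), the assumption that the honey pot pattern carries a single leading '?' placeholder, and the share path in the usage line are all hypothetical.

```powershell
# Added example, not part of the fsrm-anti-ransomware project.
# Enumerates honey pot directories so that 0, 1 or many hits all behave the
# same, and optionally picks up directories whose name begins with a dot.
function Get-HoneyPotDirectories {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [string] $Root,
        # Hypothetical convention: first character is a '?' placeholder,
        # e.g. '?Honeypot*' (matches 'ZHoneypot', 'AHoneypot_01', ...).
        [Parameter(Mandatory)] [string] $Pattern,
        # Hypothetical switch: also match names that start with a literal '.'
        [switch] $IncludeDotPrefix
    )

    # Steps 1-2: run the wildcard match on its own (not inside a long pipeline)
    # and force the result into an array with @().  Without @(), a single hit
    # is a bare DirectoryInfo and a later "$hits += ..." throws an op_Addition
    # error; with @(), a 0-hit, 1-hit and many-hit result all have .Count and
    # all accept +=.
    $hits = @(Get-ChildItem -LiteralPath $Root -Directory -Filter $Pattern -ErrorAction SilentlyContinue)

    # Steps 3-4: if the flag is set, rerun the query with the '?' replaced by a
    # literal '.'.  The filesystem wildcard '?' does not match a leading dot, so
    # the first query never sees '.Honeypot'; the rewritten pattern has no '?'
    # left in it and can only match names that really begin with '.'.
    if ($IncludeDotPrefix -and $Pattern.StartsWith('?')) {
        $dotPattern = '.' + $Pattern.Substring(1)
        $hits += @(Get-ChildItem -LiteralPath $Root -Directory -Filter $dotPattern -ErrorAction SilentlyContinue)
    }

    # Belt and suspenders: drop any directory both queries happened to return.
    $hits | Sort-Object -Property FullName -Unique
}

# Usage (constructed share layout, not a real system):
#   D:\Shares\Data\ZHoneypot, D:\Shares\Data\AHoneypot_01, D:\Shares\Data\.Honeypot
# Get-HoneyPotDirectories -Root 'D:\Shares\Data' -Pattern '?Honeypot*' -IncludeDotPrefix |
#     Select-Object -ExpandProperty FullName
```

Keeping the two queries separate, rather than trying to build one wildcard that covers both the dot and non-dot names, is what makes the behaviour predictable: each -Filter string is a plain Windows wildcard, and the '.' variant is only ever issued when the caller asked for it, so systems that never create dot-prefixed honey pots get exactly the result they got before.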
No longer considering this a bug. It's really normal Windows behavior. I just don't like it so we're going to work around it.
from fsrm-anti-ransomware.
Awesome, thanks! I'm sure I found the only character PowerShell doesn't like as a character to start a directory name and I always seem to run into obscure issues like this one. I'm not really a coder myself, just able to hack around existing code if needed.
from fsrm-anti-ransomware.
Testing new code.
from fsrm-anti-ransomware.
Added option to include honey pot directories that begin with a leading dot. Really great suggestion. Thanks.
from fsrm-anti-ransomware.
Related Issues (8)
- NT AUTHORITY\SYSTEM triggers but no event log entry but email is sent
- Study feasibility of applying a quota to honey pots - avoid full disk DoS with passive
- Documentation / Quick Start?
- DenyPermissionsEventParsing.PS1 does not kill active transfer HOT 3
- *._NEMTY_<*>_" glitch, illegal filter specs, the fix and the work around HOT 2
- DLL not registering HOT 1
- How to exclude files HOT 2