antiransom_shutdown.vbs
Option Explicit
' ==================================================================================
' Description:
' This script, given a user name as a command line argument, utilizes the "net session" command to find
' the host with the most recent file access activity associated with the given user name
'
' Attempts to shut down the remote host when given the additional "shutdown" command line parameter
'
' Usage
' =====
' cscript antiransom_shutdown.vbs <USERNAME>
' cscript antiransom_shutdown.vbs <USERNAME> shutdown
'
' IMPORTANT
' =========
' * User name must be passed WITHOUT domain name
' * This script will not work for users who have not connected to this server in more than 24 hours
'
' Examples
' ========
'
' 1. Find out from which host the user "jill.rogers" most recently accessed this server
' cscript.exe antiransom_shutdown.vbs jill.rogers
'
' 2. Shut down the computer from which user "jill.rogers" most recently accessed this server
' cscript.exe antiransom_shutdown.vbs jill.rogers shutdown
' ==================================================================================
'*******************************************************************************
'* DEFINE CONSTANTS
'*******************************************************************************
' Text shown to the user of the remote host; the main script passes it to shutdown.exe via /c.
Const SHUTDOWN_WARNING = "Ransomware potentially detected on your computer. Contact your IT department immediately."
' Delay in seconds before the remote action takes effect; passed to shutdown.exe via /t.
' Kept as a string because it is concatenated into the command line.
Const SHUTDOWN_TIMEOUT = "60"
' ==================================================================================
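' Returns the host stored under the smallest key of dictObj.
'
' dictObj: Scripting.Dictionary whose keys are idle times (numeric, in seconds)
'          and whose items are remote host names.
' Returns: the item belonging to the smallest key, or "" when dictObj is empty.
'
' The minimum is seeded from the first key instead of a fixed sentinel. With an
' empty dictionary the lookup is skipped entirely: reading a missing key from a
' Scripting.Dictionary silently adds that key, which would modify the caller's data.
Function GetHostOfSmallestIdleTime(dictObj)
    Dim smallestIdleTime, objKey, haveKey

    GetHostOfSmallestIdleTime = ""
    haveKey = False

    For Each objKey In dictObj
        If Not haveKey Then
            smallestIdleTime = objKey
            haveKey = True
        ElseIf objKey < smallestIdleTime Then
            smallestIdleTime = objKey
        End If
    Next

    If haveKey Then
        GetHostOfSmallestIdleTime = dictObj(smallestIdleTime)
    End If
End Function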
' ==================================================================================
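' ----------------------------------------------------------------------------------
' Main script.
'
' Runs "net session", finds the host from which the user named in the first argument
' most recently accessed this server and, when the second argument is "shutdown",
' asks that host to shut down via shutdown.exe.
'
' Exit codes:
'   0 = host found (and, if requested, shutdown.exe accepted the request)
'   1 = user name argument missing
'   2 = no recent session found for the user
'   3 = "net session" itself failed
'   4 = shutdown.exe reported an error
' ----------------------------------------------------------------------------------
Dim WshShell, oExec

If WScript.Arguments.Count = 0 Then
    Wscript.Echo "Argument missing, specify user name"
    Wscript.Quit(1)
End If

Set WshShell = WScript.CreateObject("WScript.Shell")
Set oExec = WshShell.Exec("net session")

' Collect the output line by line. A line feed is used as the separator because
' ReadLine never returns one, so no character inside a host or user name can
' split an entry in two.
Dim strText
strText = ""
Do While Not oExec.StdOut.AtEndOfStream
    strText = strText & oExec.StdOut.ReadLine() & vbLf
Loop

' Exec is asynchronous: wait for the process to end before reading its exit code.
Do While oExec.Status = 0
    WScript.Sleep 50
Loop

' A failed "net session" (for example when the script is not run elevated) must not
' be reported as "no recent connection": the operator would wrongly conclude that
' the user has no open session on this server.
If oExec.ExitCode <> 0 Then
    Wscript.Echo "The ""net session"" command failed (exit code " & oExec.ExitCode & "): " & Trim(oExec.StdErr.ReadAll())
    Wscript.Quit(3)
End If

' Maps idle time in seconds -> remote host. Two sessions with the same idle time
' share a key, so only the one listed last is kept.
Dim dictIdleTimeToRemoteHost
Set dictIdleTimeToRemoteHost = CreateObject("Scripting.Dictionary")

Dim arrayLines, sessionEntry
Dim arrayTokens, token
Dim colRemoteHost, colUsername
Dim idleTime, colPos
Dim numIdleTime, arrayTime

arrayLines = Split(strText, vbLf)
For Each sessionEntry In arrayLines
    arrayTokens = Split(sessionEntry, " ")
    colRemoteHost = ""
    colUsername = ""
    idleTime = ""
    colPos = 0

    For Each token In arrayTokens
        ' Consecutive spaces produce empty tokens; skip them so colPos counts columns.
        If Len(token) > 0 Then
            ' First column is host
            If colPos = 0 Then
                colRemoteHost = token
            End If
            ' Second column is user
            If colPos = 1 Then
                colUsername = token
            End If
            ' We only consider (parse) idle times less than 24 hours.
            ' The last token of the line that contains ":" wins.
            If InStr(token, ":") > 0 Then
                idleTime = token
            End If
            colPos = colPos + 1
        End If
    Next

    If Len(colRemoteHost) > 0 And Len(colUsername) > 0 Then
        If LCase(Wscript.Arguments.Item(0)) = LCase(colUsername) Then
            arrayTime = Split(idleTime, ":")
            If UBound(arrayTime) = 2 Then
                ' Any token with two colons reaches this point; skip it unless all three
                ' parts are numeric, otherwise the arithmetic below would abort the
                ' script with a type mismatch.
                If IsNumeric(arrayTime(0)) And IsNumeric(arrayTime(1)) And IsNumeric(arrayTime(2)) Then
                    numIdleTime = CLng(arrayTime(0)) * 3600 + CLng(arrayTime(1)) * 60 + CLng(arrayTime(2))
                    dictIdleTimeToRemoteHost(numIdleTime) = colRemoteHost
                End If
            End If
        End If
    End If
Next

Dim mostRecentHostForUser
mostRecentHostForUser = GetHostOfSmallestIdleTime(dictIdleTimeToRemoteHost)

If Len(mostRecentHostForUser) > 0 Then
    Wscript.Echo "Most recent activity from user """ & Wscript.Arguments.Item(0) & """ was from host """ & mostRecentHostForUser & """"

    If WScript.Arguments.Count = 2 Then
        If LCase(Wscript.Arguments.Item(1)) = "shutdown" Then
            Dim commandLine
            ' /s shuts the host down, as the script's description states. The previous
            ' /r restarted it, which brings the host back up after the reboot.
            ' Note: a shutdown discards the host's volatile memory.
            ' The host value is a single space-free token taken from the first column
            ' of the "net session" output and is passed to shutdown.exe unquoted.
            commandLine = "shutdown.exe /m " & mostRecentHostForUser & " /s /t " & SHUTDOWN_TIMEOUT & " /f /c """ & SHUTDOWN_WARNING & """"
            Set oExec = WshShell.Exec(commandLine)

            ' Wait for shutdown.exe and check its result, so that a refused or
            ' unreachable request is not reported as issued.
            Do While oExec.Status = 0
                WScript.Sleep 50
            Loop
            If oExec.ExitCode <> 0 Then
                Wscript.Echo "Shutdown command for remote host failed (exit code " & oExec.ExitCode & "): " & Trim(oExec.StdErr.ReadAll())
                Wscript.Quit(4)
            End If

            Wscript.Echo "Issued shutdown command to remote host."
        End If
    End If
    Wscript.Quit(0)
Else
    Wscript.Echo "No recent connection for user """ & Wscript.Arguments.Item(0) & """ was found."
    Wscript.Quit(2)
End If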