This Script will generate alert if any file is Encrypted in Specified path and Trigger the VEEAM AGENT BACKUP to backup the given path.
Output will have User details of where and when file is encrypted (i.e) created, modified date and time of encrypted file, owner of Encrypted file and Veeam agent status in the Endpoint.
NOTE:
Run as System User
path=r"C:\Users\C1-En_230\Downloads" # Give the Path want to monitor
path_to_bckup=r"C:\Users\C1-En_230\Desktop\Backup" #Give the path where want to store backedup files.
import os
import ctypes
import re
import time
import shutil
import datetime
import socket
import platform
import sys
class disable_file_system_redirection:
_disable = ctypes.windll.kernel32.Wow64DisableWow64FsRedirection
_revert = ctypes.windll.kernel32.Wow64RevertWow64FsRedirection
def __enter__(self):
self.old_value = ctypes.c_long()
self.success = self._disable(ctypes.byref(self.old_value))
def __exit__(self, type, value, traceback):
if self.success:
self._revert(self.old_value)
def alert(arg):
sys.stderr.write("%d%d%d" % (arg, arg, arg))
def file_owner(filename):
import ctypes as ctypes
from ctypes import wintypes as wintypes
advapi32 = ctypes.WinDLL('advapi32', use_last_error=True)
# required constants
ERROR_INSUFFICIENT_BUFFER = 0x007A
OWNER_SECURITY_INFORMATION = 0x00000001
# related constants
ERROR_INVALID_FUNCTION = 0x0001
ERROR_FILE_NOT_FOUND = 0x0002
ERROR_PATH_NOT_FOUND = 0x0003
ERROR_ACCESS_DENIED = 0x0005
GROUP_SECURITY_INFORMATION = 0x00000002
DACL_SECURITY_INFORMATION = 0x00000004
SACL_SECURITY_INFORMATION = 0x00000008
LABEL_SECURITY_INFORMATION = 0x00000010
ATTRIBUTE_SECURITY_INFORMATION = 0x00000020
SCOPE_SECURITY_INFORMATION = 0x00000040
BACKUP_SECURITY_INFORMATION = 0x00010000
UNPROTECTED_SACL_SECURITY_INFORMATION = 0x10000000
UNPROTECTED_DACL_SECURITY_INFORMATION = 0x20000000
PROTECTED_SACL_SECURITY_INFORMATION = 0x40000000
PROTECTED_DACL_SECURITY_INFORMATION = 0x80000000
# type definitions
LPBOOL = ctypes.POINTER(wintypes.BOOL)
LPDWORD = ctypes.POINTER(wintypes.DWORD)
PSID = ctypes.POINTER(wintypes.BYTE)
PSECURITY_DESCRIPTOR = ctypes.POINTER(wintypes.BYTE)
SECURITY_INFORMATION = wintypes.DWORD
class SID_NAME_USE(wintypes.DWORD):
_sid_types = dict(enumerate('''
User Group Domain Alias WellKnownGroup DeletedAccount
Invalid Unknown Computer Label'''.split(), 1))
def __init__(self, value=None):
if value is not None:
if value not in self.sid_types:
raise ValueError('invalid SID type')
wintypes.DWORD.__init__(value)
def __str__(self):
if self.value not in self._sid_types:
raise ValueError('invalid SID type')
return self._sid_types[self.value]
PSID_NAME_USE = ctypes.POINTER(SID_NAME_USE)
# function pointer prototypes
def _check_bool(result, func, args,
WinError=ctypes.WinError,
get_last_error=ctypes.get_last_error):
if not result:
raise WinError(get_last_error())
return args
# msdn.microsoft.com/en-us/library/aa446639
advapi32.GetFileSecurityW.errcheck = _check_bool
advapi32.GetFileSecurityW.argtypes = (
wintypes.LPCWSTR, # _In_ lpFileName
SECURITY_INFORMATION, # _In_ RequestedInformationRequested
PSECURITY_DESCRIPTOR, # _Out_opt_ pSecurityDescriptor
wintypes.DWORD, # _In_ nLength
LPDWORD) # _Out_ lpnLengthNeeded
# msdn.microsoft.com/en-us/library/aa446651
advapi32.GetSecurityDescriptorOwner.errcheck = _check_bool
advapi32.GetSecurityDescriptorOwner.argtypes = (
PSECURITY_DESCRIPTOR, # _In_ pSecurityDescriptor
ctypes.POINTER(PSID), # _Out_ pOwner
LPBOOL) # _Out_ lpbOwnerDefaulted
# msdn.microsoft.com/en-us/library/aa379166
advapi32.LookupAccountSidW.errcheck = _check_bool
advapi32.LookupAccountSidW.argtypes = (
wintypes.LPCWSTR, # _In_opt_ lpSystemName
PSID, # _In_ lpSid
wintypes.LPCWSTR, # _Out_opt_ lpName
LPDWORD, # _Inout_ cchName
wintypes.LPCWSTR, # _Out_opt_ lpReferencedDomainName
LPDWORD, # _Inout_ cchReferencedDomainName
PSID_NAME_USE) # _Out_ peUse
def get_file_security(filename, request):
length = wintypes.DWORD()
# N.B. This query may fail with ERROR_INVALID_FUNCTION
# for some filesystems.
try:
advapi32.GetFileSecurityW(filename, request, None, 0,
ctypes.byref(length))
except WindowsError as e:
if e.winerror != ERROR_INSUFFICIENT_BUFFER:
raise
if not length.value:
return None
sd = (wintypes.BYTE * length.value)()
advapi32.GetFileSecurityW(filename, request, sd, length,
ctypes.byref(length))
return sd
def look_up_account_sid(sid):
SIZE = 256
name = ctypes.create_unicode_buffer(SIZE)
domain = ctypes.create_unicode_buffer(SIZE)
cch_name = wintypes.DWORD(SIZE)
cch_domain = wintypes.DWORD(SIZE)
sid_type = SID_NAME_USE()
advapi32.LookupAccountSidW(None, sid, name, ctypes.byref(cch_name),
domain, ctypes.byref(cch_domain), ctypes.byref(sid_type))
return name.value, domain.value, sid_type
def get_file_owner(filename):
sd = get_file_security(filename, OWNER_SECURITY_INFORMATION)
sid = PSID()
sid_defaulted = wintypes.BOOL()
advapi32.GetSecurityDescriptorOwner(sd, ctypes.byref(sid),
ctypes.byref(sid_defaulted))
name, domain, sid_type = look_up_account_sid(sid)
return name, domain, sid_type
import sys
if isinstance(filename, bytes):
filename = filename.decode('mbcs')
name, domain, sid_type = get_file_owner(filename)
if domain:
name = '{0}\\{1}'.format(domain, name)
print("\nFile : {0}".format(filename))
print("Owner: {0} ({1})".format(name, sid_type))
def check():
with disable_file_system_redirection():
os.chdir(path)
inst=os.popen("cipher").read()
return inst
def again():
with disable_file_system_redirection():
os.chdir(path)
ins=os.popen("wmic product get name,identifyingnumber").read()
if 'Veeam Agent' in ins:
print "\n Veeam Agent is installed on Endpoint"
print "\n Veeam agent is Backing up your files, takes time to finish up based on FILE SIZES"
veeam()
else:
print "\nCouldn't find Veeam Agent on Endpoint"
print "\n Please Install Veeam Agent to start Backup"
def veeam ():
os.chdir(path)
os.popen('"C:\Program Files\Veeam\Endpoint Backup\Veeam.EndPoint.Manager.exe" /standalone '+path_to_bckup)
time.sleep(60)
os.chdir(path_to_bckup)
so=os.popen('dir').read()
if "Backup Job" in so:
print "\n Backup is completed and stored in specified path"
inst=check()
if len(inst)>0:
find=re.findall('E\s(.*)',inst)
if len(find)>0:
alert(1)
print "\nFound Encrypted files on Specified path:\n"
print "User IP :"+socket.gethostbyname(socket.gethostname())
print "Os Details :"+platform.platform()
for f in find:
fn=path+'\\'+f
file_owner(fn)
print "File Created Date : "+time.strftime("%Y/%m/%d",time.localtime(os.path.getctime(path+'\\'+f)))
print "File Created Time : "+time.strftime("%I:%M:%S %p",time.localtime(os.path.getctime(path+'\\'+f)))
print "File Modified Date: "+time.strftime("%Y/%m/%d",time.localtime(os.path.getmtime(path+'\\'+f)))
print "File Modified Time: "+time.strftime("%I:%M:%S %p",time.localtime(os.path.getmtime(path+'\\'+f)))
print "\n Checking for Veeam agent status in Endpoint"
again()
else:
print "No file is Encrypted in Specified path"
alert(0)
Comments