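Function Calculate-File-Hash($filepath) {
    <#
    .SYNOPSIS
    Computes the SHA-512 digest of one file.

    .PARAMETER filepath
    Full path of the file to hash. The path is taken literally: a file name
    containing '[' , ']' or '*' is hashed as-is instead of being run through
    the -Path wildcard matcher, which would otherwise miss or mis-resolve it.

    .OUTPUTS
    The object returned by Get-FileHash (properties Algorithm, Hash, Path).
    When the file cannot be read, Get-FileHash reports a non-terminating error
    and nothing is returned, so callers should treat a $null result as "unhashed".
    #>
    # -LiteralPath rather than -Path: the baseline records exact paths, and a
    # bracket in a name must never be interpreted as a wildcard character class.
    $hashInfo = Get-FileHash -LiteralPath $filepath -Algorithm SHA512
    return $hashInfo
}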
Function Erase-Baseline-IfAlready-Exists() {
    <#
    .SYNOPSIS
    Empties .\baseline.txt when it exists.

    .NOTES
    The path is relative to the current working directory. The file is
    truncated rather than deleted, so a following baseline collection simply
    appends to an empty file.
    #>
    $baselinePath = '.\baseline.txt'
    if (-not (Test-Path -Path $baselinePath)) {
        return
    }
    # Keep the file, drop its contents.
    Clear-Content -Path $baselinePath
}
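# Baseline file, resolved against the current working directory (the same
# location Erase-Baseline-IfAlready-Exists uses). Note that it is a plain text
# file with no integrity protection of its own: anyone who can alter the
# monitored files can usually also rewrite this file, so it should live
# somewhere the monitored users cannot write.
$baselineFile = '.\baseline.txt'

# Account running this monitor. It identifies who OBSERVED an event, not who
# caused it: a hash comparison cannot attribute a change to an author, so the
# messages below say "detected by" rather than "created/changed/deleted by".
$observer = [Environment]::UserName

Function Write-FimEvent($message, $color) {
    <#
    .SYNOPSIS
    Prints one timestamped monitor event to the console.
    .PARAMETER message
    Text describing the file and what happened to it.
    .PARAMETER color
    Console foreground colour for the line (Green/Yellow/Red).
    #>
    $stamp = Get-Date -Format "dddd MM/dd/yyyy HH:mm"
    Write-Host "$message (detected by $observer at $stamp)" -ForegroundColor $color
}

# Labelled so that option 3 can leave the loop: a bare 'break' inside a
# 'switch' only exits the switch, which previously made option 3 a no-op.
:menuLoop while ($True) {
    Write-Host ""
    Write-Host "What would you like to do?"
    Write-Host " 1) Collect new baseline?"
    Write-Host " 2) Begin monitoring files with saved baseline?"
    Write-Host " 3) Exit"
    $response = Read-Host -Prompt "Please enter your choice: "
    Write-Host ""
    switch ($response) {
        1 {
            # Start from an empty baseline; entries below are appended.
            Erase-Baseline-IfAlready-Exists
            $targetFilePath = Read-Host -Prompt "Enter the complete/full file path to target"
            # Guard the empty string explicitly: Test-Path refuses to bind it
            # and would not give a clean $false.
            if (-not [string]::IsNullOrWhiteSpace($targetFilePath) -and (Test-Path -LiteralPath $targetFilePath)) {
                # Hash every file under the target (hidden/system files included
                # via -Force) and record one "<path>TAB<sha512>" line per file.
                $files = Get-ChildItem -LiteralPath $targetFilePath -File -Recurse -Force
                foreach ($f in $files) {
                    $hash = Calculate-File-Hash $f.FullName
                    # Unreadable file: Get-FileHash already reported the error;
                    # do not write a malformed line.
                    if ($null -eq $hash) { continue }
                    "$($hash.Path)`t$($hash.Hash)" | Out-File -FilePath $baselineFile -Append
                }
            }
            else {
                Write-Host "Enter a valid path..." -ForegroundColor Red
            }
        }
        2 {
            if (-not (Test-Path -Path $baselineFile)) {
                Write-Host "No baseline found. Collect one first (option 1)." -ForegroundColor Red
                break
            }
            # Option 1 sets $targetFilePath for this session only; a baseline
            # saved by an earlier run carries no target, so ask for it here.
            if ([string]::IsNullOrWhiteSpace($targetFilePath)) {
                $targetFilePath = Read-Host -Prompt "Enter the complete/full file path to monitor"
            }
            if ([string]::IsNullOrWhiteSpace($targetFilePath) -or -not (Test-Path -LiteralPath $targetFilePath)) {
                # Forget the bad value so the next attempt prompts again.
                $targetFilePath = $null
                Write-Host "Enter a valid path..." -ForegroundColor Red
                break
            }

            # Load "<path>TAB<hash>" lines into a path -> hash table. Indexer
            # assignment (not .Add) tolerates a repeated path, and lines that
            # do not have exactly one tab-separated pair are skipped.
            $fileHashDictionary = @{}
            foreach ($line in Get-Content -Path $baselineFile) {
                $parts = $line -split "`t", 2
                if ($parts.Count -ne 2 -or [string]::IsNullOrWhiteSpace($parts[0])) { continue }
                $fileHashDictionary[$parts[0]] = $parts[1]
            }

            # Poll forever; as in the original design, Ctrl+C is the way out.
            while ($true) {
                Start-Sleep -Seconds 2
                $files = Get-ChildItem -LiteralPath $targetFilePath -File -Recurse -Force
                foreach ($f in $files) {
                    $hash = Calculate-File-Hash $f.FullName
                    # Unreadable (e.g. locked) file: skip rather than index the
                    # table with a null path.
                    if ($null -eq $hash) { continue }
                    $known = $fileHashDictionary[$hash.Path]
                    if ($null -eq $known) {
                        Write-FimEvent "$($hash.Path) has been created" Green
                        $fileHashDictionary[$hash.Path] = $hash.Hash
                    }
                    elseif ($known -ne $hash.Hash) {
                        Write-FimEvent "$($hash.Path) has been changed" Yellow
                        $fileHashDictionary[$hash.Path] = $hash.Hash
                    }
                }
                # Collect first, remove afterwards: removing entries while the
                # key collection is being enumerated is not allowed.
                $keysToRemove = @()
                foreach ($key in $fileHashDictionary.Keys) {
                    if (-not (Test-Path -LiteralPath $key)) {
                        Write-FimEvent "$key has been deleted" Red
                        $keysToRemove += $key
                    }
                }
                foreach ($keyToRemove in $keysToRemove) {
                    $fileHashDictionary.Remove($keyToRemove)
                }
            }
        }
        3 {
            # The label is required: an unlabelled 'break' would only leave
            # the switch and the menu would be shown again.
            break menuLoop
        }
        default {
            Write-Host "Enter a valid operation"
        }
    }
}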