
Monitoring with PowerShell: Monitoring VSS Snapshots

Intro

Wow! It’s been a while since I’ve blogged. I’ve just been so swamped with CIPP that I’ve let the blogging go entirely. It’s a shame because I think out of all my hobbies it’s the one I enjoy the most. It’s always nice helping others achieve their scripting target. I even got a couple of LinkedIn questions asking if I was done with blogging, but I’m not. Writing always gives me some more peace of mind, so I’ll try to catch up again. I know I’ve said that before, but this time I’ll follow through. I’m sitting down right now and scheduling the release of 5 blogs in one go. No more whining and no more waiting.

Today we’re starting with a simple one that often gets missed. One of my friends somewhat recently made the following LinkedIn post: Ryan Weeks asking about VSS

It felt kind of serendipitous that he made this post right before my session at Dattocon. My session there was about protecting yourself against these sorts of attacks. So, today I’m sharing with you how to monitor whether your VSS snapshots are still present, and whether their count is at or above the minimum you’ve specified.

VSS Monitoring script

$SnapshotCountMin = 3
# Wrap in @() so .Count is reliable even when only a single snapshot is returned
$Snapshots = @(Get-CimInstance -ClassName Win32_ShadowCopy -Property *)

# Unhealthy when there are no snapshots at all, or fewer than the configured minimum
if ($Snapshots.Count -lt $SnapshotCountMin) {
    write-host "Unhealthy - There are no snapshots available or fewer than the specified minimum ($SnapshotCountMin)."
    exit 1
} else {
    write-host "Healthy - $($Snapshots.Count) snapshots are present"
}
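A count alone does not tell you whether the snapshot schedule is still running or whether one volume has been wiped while another still looks fine. The following is an added example, not code from the original post, that extends the check above to a per-volume minimum plus a maximum age for the newest snapshot on each fixed drive; the thresholds and the assumption that every fixed drive with a letter is supposed to have shadow copies are mine.

```powershell
# Added example (not from the original post). Thresholds below are assumptions; adjust to your schedule.
$MinSnapshotsPerVolume = 3
$MaxNewestSnapshotAgeHours = 24

# Fixed local disks with a drive letter (DriveType 3). Assumes all of them are supposed to have shadow copies.
$Volumes = Get-CimInstance -ClassName Win32_Volume | Where-Object { $_.DriveLetter -and $_.DriveType -eq 3 }

# Win32_ShadowCopy.VolumeName uses the same \\?\Volume{GUID}\ form as Win32_Volume.DeviceID
$Snapshots = @(Get-CimInstance -ClassName Win32_ShadowCopy)
$Problems = [System.Collections.Generic.List[string]]::new()

foreach ($Volume in $Volumes) {
    $VolumeSnapshots = @($Snapshots | Where-Object { $_.VolumeName -eq $Volume.DeviceID })
    $Label = $Volume.DriveLetter

    if ($VolumeSnapshots.Count -lt $MinSnapshotsPerVolume) {
        $Problems.Add("$Label has $($VolumeSnapshots.Count) snapshot(s); minimum is $MinSnapshotsPerVolume.")
        continue
    }

    # InstallDate is already a [datetime] when read through Get-CimInstance
    $Newest = ($VolumeSnapshots | Sort-Object -Property InstallDate -Descending | Select-Object -First 1).InstallDate
    $AgeHours = [math]::Round(((Get-Date) - $Newest).TotalHours, 1)
    if ($AgeHours -gt $MaxNewestSnapshotAgeHours) {
        $Problems.Add("$Label newest snapshot is $AgeHours hours old; limit is $MaxNewestSnapshotAgeHours.")
    }
}

if ($Problems.Count -gt 0) {
    # One line of output keeps it readable in an RMM alert; exit 1 marks the check as failed
    Write-Host "Unhealthy - $($Problems -join ' ')"
    exit 1
} else {
    Write-Host "Healthy - $($Snapshots.Count) snapshot(s) across $($Volumes.Count) volume(s), all within thresholds."
}
```

Volumes you deliberately do not protect will show up as unhealthy here, so filter them out of `$Volumes` rather than raising the thresholds.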

Now this is a pretty short one, right? Don’t you hate it when you wait for a blog for months and don’t get more than a spoonful? I do. So let’s solve another problem in Ryan’s post. When attackers hit, they often edit the BCD (boot configuration data) well before executing the actual attack, so it’s a good thing to signal on:

$BCDExportFile = "C:\programdata\bcdedit.txt"
# bcdedit needs an elevated session; run this from your RMM as SYSTEM or an administrator
$CurrentBCD = bcdedit /enum
$BCDContent = Get-Content $BCDExportFile -ErrorAction SilentlyContinue
$ComparedObject = $null

if ($BCDContent) {
    # Compare the stored baseline against the current boot configuration
    $ComparedObject = Compare-Object -ReferenceObject $BCDContent -DifferenceObject $CurrentBCD
}
# Store the current output as the new baseline (the first run only creates it).
# Because the baseline is overwritten every run, a change is reported once; keep the alert in your RMM.
$CurrentBCD | Out-File $BCDExportFile

if ($ComparedObject) {
    write-host "There is a difference in boot configuration. Please investigate"
    # Show which lines changed; <= is the baseline, => is the current configuration
    $ComparedObject | Format-Table -AutoSize
    exit 1
} else {
    write-host "Healthy"
}

Two fairly easy scripts, but both could save you a lot of headaches.

Always, Happy PowerShelling. :)

All blogs are posted under AGPL3.0 unless stated otherwise