tdevropa-test

Look for Wanna Cry encrypted files on the C: drive - v1.1

Versioning - This is the latest version.

1 | Look for Wanna Cry encrypted files on the C: drive | 5/13/2017 5:52:57 PM
2 | Look for Wanna Cry encrypted files on the C: drive - v1.1 | 5/15/2017 6:19:33 AM

Description

Search for any files with .wncry extensions that exist on the C: drive. Old school batch file, so if there are a ton of files, this will take a while and can possibly have a noticeable performance impact when it runs.

This will create a file (c:\wannacry_files.txt) for the search results. There is a corresponding property (Wanna Cry Files - C: Drive) that will parse this file for any files that are found and report the results back up.

This file is expected to have the following two lines. Any more than that is bad.

Volume in drive C has no label.
Volume Serial Number is 7A01-AEAF


There are three expected results returned by the property:

Wanna Cry Encrypted files found (this is bad)

No Encrypted Files Found (results file exists, nothing bad found, scan could still be running though)

Scan Results File Not Found (this means you have not executed this task yet)
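
One way to reproduce the three results above from the results file itself, as an added example (not the uploaded property or any code from this page). It assumes the English-locale `dir /s` layout; the function names `classify_text` and `classify` are hypothetical and the sample listings are constructed.

```python
import ntpath
import os
import re

FOUND = "Wanna Cry Encrypted files found"
CLEAN = "No Encrypted Files Found"
MISSING = "Scan Results File Not Found"

# Assumed English-locale `dir /s` layout: " Directory of <path>" headers, then
# "<date> <time> [AM|PM] <size> <name>" entry lines.
DIR_RE = re.compile(r"^\s*Directory of (.+?)\s*$")
ENTRY_RE = re.compile(
    r"^\S+\s+\S+(?:\s+[AP]M)?\s+(?:[\d,]+|<\w+>)\s+(.+\.wncry)\s*$", re.I)

# Constructed sample results files (not captured from a real host).
SAMPLE_CLEAN = (" Volume in drive C has no label.\n"
                " Volume Serial Number is 7A01-AEAF\n")
SAMPLE_HIT = SAMPLE_CLEAN + (
    "\n Directory of C:\\Users\\alice\\Documents\n\n"
    "05/13/2017  03:14 PM            12,345 Q1 budget.xlsx.WNCRY\n"
    "               1 File(s)         12,345 bytes\n")


def classify_text(text):
    """Return (status, hits) for the contents of c:\\wannacry_files.txt."""
    lines = [ln for ln in text.splitlines() if ln.strip()]
    hits, current_dir = [], ""
    for ln in lines:
        m = DIR_RE.match(ln)
        if m:
            current_dir = m.group(1)
            continue
        m = ENTRY_RE.match(ln)
        if m:
            hits.append(ntpath.join(current_dir, m.group(1)))
    # Page's rule: anything beyond the two volume lines is bad. Keeping it as
    # the verdict means an unparsed (other-locale) listing still alerts.
    return (FOUND if len(lines) > 2 else CLEAN), hits


def classify(path):
    """Same verdict for a results file on disk; missing file = task not run."""
    if not os.path.isfile(path):
        return MISSING, []
    # cmd writes the OEM code page; replace undecodable bytes in file names.
    with open(path, encoding="utf-8", errors="replace") as fh:
        return classify_text(fh.read())


if __name__ == "__main__":
    for sample in (SAMPLE_CLEAN, SAMPLE_HIT):
        print(classify_text(sample))
```

The hit list is best effort; the verdict follows the line-count rule from the description, so a listing the regex cannot parse is still reported as found.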


Property Details

ID: 24312
Status: Beta - Preliminary testing ready for more
Title: Look for Wanna Cry encrypted files on the C: drive - v1.1
Domain: BESC
Source: Jason Cordell ([email protected])
Source Release Date: 5/15/2017 12:00:00 AM
Keywords: wanna cry .wncry
Is Task: True
Added by on 5/15/2017 6:19:33 AM
Last Modified by on 5/15/2017 6:19:33 AM
Counters: 2053 Views / 9 Downloads

Relevance

isWindows (Relevance 1172)
Used in 1067 fixlets and 522 analyses * Results in a true/false
windows of operating system
Used in 4 fixlets * Results in a true/false
exists folder "c:\"

Actions

Action 1 (default)

Script Type tdevropa-test Action Script
waithidden cmd /c if exist c:\wannacry_files.txt del c:\wannacry_files.txt /q /f
waithidden cmd /c dir c:\*.wncry /a /s >c:\wannacry_files.txt
Success Criteria

This action will be considered successful when the applicability relevance evaluates to false.



Comments

jasoncordell -
I added a newer version of this task (v1.1). Only change is updated verbiage on the Description tab to indicate 3 possible results. This task goes hand in hand with a property that I uploaded to parse the results file created by this task.
