Le but de ce script est de surveiller le branchement de clé USB inconnues. En cas de détection, les informations à propos de la clé et le listing de son contenue sera journalisé. Une clé USB sera considérée comme de confiance lorsqu'elle aura été enregistrée grâce à la fonction [b]Add-Trusted-USB[/b] de ce script. Pour cela, il suffit d'initialiser la variable $ENROLL à 1, et la clé USB nouvellement insérée sera alors considérée comme clé connue et de confiance.





La liste des fonctions qui seront abordées :


Show-MsgBox
Get-USB-Drives
Umount-Disk($usb_data)
Get-USB-Infos
Add-Trusted-USB()
Print-Info($USB_Drive_Letter,$HRSize,$Model,$Auth)







########################################################################################################################
#
# Description
#
########################################################################################################################
 
<#
 
  .SYNOPSIS  
  Monitor USB mass storage events
 
  .DESCRIPTION 
  Running in loop to monitor USB mass storage changes and notify if unknown key is plugged
 
  .AUTHOR
  Nicolas F.
 
#>
 
 
 
 
########################################################################################################################
#
# Paramètrage du script
#
########################################################################################################################
 
$LOG = "c:/windows/USB.log"
$TRUSTED_USB_KEYS_FILE = "c:/windows/system32/usb.trusted.cfg"
$TRUSTED_USB_KEYS      = $(Get-Content $TRUSTED_USB_KEYS_FILE)
$ENROLL = 1
$SEPARATOR = "
========================================================================================================================
"
 
 
 
########################################################################################################################
#
# Fonctions
#
########################################################################################################################
 
function Show-MsgBox 
{ 
<#
 
  # Fonction de notification 
  # --------------------------------------------------------------------------------------------------------------------
 
  .AUTHOR
  BigTeddy
 
  .RELEASE_DATE
  August 24, 2011
 
  .SOURCE
  http://social.technet.microsoft.com/profile/bigteddy/.
 
  .SYNOPSIS
  Shows a graphical message box, with various prompt types available. 
 
  .DESCRIPTION 
  Emulates the Visual Basic MsgBox function.  It takes four parameters, of which only the prompt is mandatory 
 
  .INPUTS 
  The parameters are:- 
 
    Prompt (mandatory):  
    Text string that you wish to display 
 
    Title (optional): 
    The title that appears on the message box 
 
    Icon (optional).  Available options are: 
    Information, Question, Critical, Exclamation (not case sensitive) 
 
    BoxType (optional). Available options are: 
    OKOnly, OkCancel, AbortRetryIgnore, YesNoCancel, YesNo, RetryCancel (not case sensitive) 
 
    DefaultButton (optional). Available options are: 
    1, 2, 3 
 
  .OUTPUTS 
  Microsoft.VisualBasic.MsgBoxResult 
 
  .EXAMPLE 
  C:PS> Show-MsgBox Hello 
  Shows a popup message with the text "Hello", and the default box, icon and defaultbutton settings. 
 
  .EXAMPLE 
  C:PS> Show-MsgBox -Prompt "This is the prompt" -Title "This Is The Title" -Icon Critical -BoxType YesNo `
                     -DefaultButton 2 
  Shows a popup with the parameter as supplied. 
 
  .LINK 
  http://msdn.microsoft.com/en-us/library/microsoft.visualbasic.msgboxresult.aspx 
 
  .LINK 
  http://msdn.microsoft.com/en-us/library/microsoft.visualbasic.msgboxstyle.aspx 
 
#> 
 
  [CmdletBinding()] 
    param( 
    [Parameter(Position=0, Mandatory=$true)]  [string]$Prompt, 
    [Parameter(Position=1, Mandatory=$false)] [string]$Title ="", 
    [Parameter(Position=2, Mandatory=$false)] [ValidateSet("Information", "Question", "Critical", 
    "Exclamation")] [string]$Icon ="Information", 
 
    [Parameter(Position=3, Mandatory=$false)] [ValidateSet("OKOnly", "OKCancel", "AbortRetryIgnore", `
        "YesNoCancel", "YesNo", "RetryCancel")] [string]$BoxType ="OkOnly", 
    [Parameter(Position=4, Mandatory=$false)] [ValidateSet(1,2,3)] [int]$DefaultButton = 1 
    ) 
 
  [System.Reflection.Assembly]::LoadWithPartialName("Microsoft.VisualBasic") | Out-Null 
  switch ($Icon)
  {
    "Question" {$vb_icon = [microsoft.visualbasic.msgboxstyle]::Question } 
    "Critical" {$vb_icon = [microsoft.visualbasic.msgboxstyle]::Critical} 
    "Exclamation" {$vb_icon = [microsoft.visualbasic.msgboxstyle]::Exclamation} 
    "Information" {$vb_icon = [microsoft.visualbasic.msgboxstyle]::Information}
  }
  switch ($BoxType)
  { 
    "OKOnly" {$vb_box = [microsoft.visualbasic.msgboxstyle]::OKOnly} 
    "OKCancel" {$vb_box = [microsoft.visualbasic.msgboxstyle]::OkCancel} 
    "AbortRetryIgnore" {$vb_box = [microsoft.visualbasic.msgboxstyle]::AbortRetryIgnore} 
    "YesNoCancel" {$vb_box = [microsoft.visualbasic.msgboxstyle]::YesNoCancel} 
    "YesNo" {$vb_box = [microsoft.visualbasic.msgboxstyle]::YesNo} 
    "RetryCancel" {$vb_box = [microsoft.visualbasic.msgboxstyle]::RetryCancel}
  } 
  switch ($Defaultbutton)
  {
    1 {$vb_defaultbutton = [microsoft.visualbasic.msgboxstyle]::DefaultButton1} 
    2 {$vb_defaultbutton = [microsoft.visualbasic.msgboxstyle]::DefaultButton2} 
    3 {$vb_defaultbutton = [microsoft.visualbasic.msgboxstyle]::DefaultButton3}
  } 
  $popuptype = $vb_icon -bor $vb_box -bor $vb_defaultbutton 
  $ans = [Microsoft.VisualBasic.Interaction]::MsgBox($prompt,$popuptype,$title) 
  return $ans 
} #end function
 
 
 
 
<#
 
  # Liste les clé USB ayant un lecteur (E:, F:, ...) attribué
  # --------------------------------------------------------------------------------------------------------------------
 
#>
 
Function Get-USB-Drives
{
  $Obj = (gwmi win32_diskdrive | ?{$_.interfacetype -eq "USB"} | %{
  gwmi -Query "ASSOCIATORS OF {Win32_DiskDrive.DeviceID=`"$($_.DeviceID.replace('',''))`"} WHERE `
                 AssocClass = Win32_DiskDriveToDiskPartition"
  } | %{
  gwmi -Query "ASSOCIATORS OF {Win32_DiskPartition.DeviceID=`"$($_.DeviceID)`"} WHERE AssocClass = `
                 Win32_LogicalDiskToPartition"
  } | %{
  $_
  })
  return( $Obj )
}
 
 
 
 
Function Umount-Disk($usb_data)
{
<#
 
  # Fonction de collecte des informations 
  # --------------------------------------------------------------------------------------------------------------------
 
  .SOURCE
  https://www.experts-exchange.com/questions/27513069/  ↵
  powershell-command-to-identify-the-usb-device-id-based-upon-drive-letter-or-volume-name.html
 
  .AUTHOR
  Chris Dent
 
#>
 
  $key_letter = $usb_data.DeviceID
  $driveEject = New-Object -comObject Shell.Application
  $driveEject.Namespace(17).ParseName($key_letter).InvokeVerb("Eject")
  # TODO: $usb_data.SetPowerState
}
 
 
 
Function Get-USB-Infos
{
<#
 
  # Fonction de collecte des informations 
  # --------------------------------------------------------------------------------------------------------------------
 
  .SOURCE
  https://www.experts-exchange.com/questions/27513069/  ↵
  powershell-command-to-identify-the-usb-device-id-based-upon-drive-letter-or-volume-name.html
 
  .AUTHOR
  Chris Dent
 
#>
 
  [CmdLetBinding(DefaultParameterSetName = "DriveLetter")]
  Param(
    [Parameter(Position = 1, Mandatory = $True, ParameterSetName = "DriveLetter")]
    [String]$DriveLetter,
 
    [Parameter(Mandatory = $True, ParameterSetName = "VolumeName")]
    [String]$VolumeName
  )
 
  If ($PsCmdLet.ParameterSetName -eq "DriveLetter") {
    $Filter = "DeviceID LIKE '$DriveLetter%'"
  } Else {
    $Filter = "VolumeName LIKE '$VolumeName%'"
  }
 
  Get-WmiObject Win32_LogicalDisk -Filter $Filter | ForEach-Object {
 
    $Partition = Get-WmiObject -Query "ASSOCIATORS OF {Win32_LogicalDisk.DeviceID='$($_.DeviceID)'} WHERE `
                                         AssocClass = Win32_LogicalDiskToPartition" | 
      Select-Object * -Exclude __*
 
    $PhysicalDisk = Get-WmiObject Win32_DiskDrive -Filter "Index=$($Partition.DiskIndex)" | `
                      Select-Object * -Exclude __*
 
    $PNPDevice = Get-WmiObject Win32_PNPEntity -Filter ("PNPDeviceID='$($PhysicalDisk.PNPDeviceID)'" `
                                                 -Replace '', '')
    $USBController = Get-WmiObject -Query "ASSOCIATORS OF {$($PNPDevice.__RELPATH)} WHERE `
                                             AssocClass = Win32_USBControllerDevice" | `
                                              Select-Object * -Exclude __*
 
    $DriveLetter = [String]$_.Name
    $VolumeName  = [String]$_.VolumeName
 
    if( $VolumeName -eq "" )
    {
      $VolumeName = "<Aucun nom>"
    }
 
    $USBInfos = @{
      "Description"          = [String]$_.Description
      "DeviceName"           = [String]$_.Name
      "FreeSpace"            = [String]$_.FreeSpace
      "PhysicalSerialNumber" = [String]$PhysicalDisk.SerialNumber
      "Model"                = [String]$PhysicalDisk.Model
      "Size"                 = [String]$PhysicalDisk.Size
      "SystemName"           = [String]$_.SystemName
      "USBPortDescription"   = [String]$PhysicalDisk.Description
      "VolumeSerialNumber"   = [String]$_.VolumeSerialNumber
      "PNPDeviceID"          = [String]$PhysicalDisk.PNPDeviceID.Split("
")[-1]      
      "VolumeName"           = $VolumeName
    }
 
    # # Toutes les informations accessibles :
    # # LogicalDisk
    # $_ | Select-Object *
 
    # # Physical Disk
    # $PhysicalDisk
 
    # # USB Controller
    # $USBController    
 
  } # ForEach-Object
 
  return( $USBInfos )
}
 
 
 
 
########################################################################################################################
#
# Traitement des clés de confiance
#
########################################################################################################################
 
function Add-Trusted-USB()
{
  "NE PAS débrancher les clés, processus d'enregistrement en cours ...`r`n"
 
  foreach( $USB_Drive in  Get-USB-Drives )
  {
    $USB_Infos   = Get-USB-Infos $USB_Drive.DeviceID
 
    if( $TRUSTED_USB_KEYS -and $TRUSTED_USB_KEYS  -match $CurrentUSBInfos )
    {
      "Clé déjà enregistrée"
    }
    else
    {
      "Lecteur : " + $USB_Drive
      "Modèle  : " + $USB_Infos["Model"]
      "Taille  : " + $USB_Infos["Size"]
 
      $Date_Enroll = (Get-Date|Out-String).Split("`r`n")[2]
 
      $TxtInfos = $Date_Enroll + ";" + $USB_Infos["VolumeSerialNumber"] + ";" + `
                    $USB_Infos["PhysicalSerialNumber"] + ";"
      $TxtInfos >> $TRUSTED_USB_KEYS_FILE 
    }
  }
}
 
 
function Print-Info($USB_Drive_Letter,$HRSize,$Model,$Auth)
{
  if( $Auth -eq "OK" ) {
    $color = "Green"
    Write-Host "Clé autorisée ......... : " -nonewline 
  }
  if( $Auth -eq "KO" ) {
    $color = "Red"
    Write-Host "Clé non autorisée ..... : " -nonewline 
  }
  Write-Host $USB_Drive_Letter              -nonewline -foregroundcolor $color
  Write-Host " ($HRSize)"                   -nonewline
  Write-Host " ["                           -nonewline
  Write-Host "$Model"                       -nonewline -foregroundcolor $color
  Write-Host "]"
}
 
 
 
 
########################################################################################################################
#
# Process d'enregistrement
#
########################################################################################################################
 
if( $ENROLL -eq 1 )
{
  foreach( $USB_Drive_Letter in  Get-USB-Drives )
  {
    Add-Trusted-USB $USB_Drive_Letter.DeviceID
  }
  exit
}
 
 
 
 
########################################################################################################################
#
# Boucle de monitoring
#
########################################################################################################################
 
while( $True )
{
  "En attente de clé USB ..."
  foreach( $USB_Drive in  Get-USB-Drives )
  {
 
    $USB_Drive_Letter = $USB_Drive.DeviceID
    $USB_Infos        = Get-USB-Infos $USB_Drive_Letter
    $CurrentUSBInfos  = ";" + $USB_Infos["VolumeSerialNumber"] + ";" + $USB_Infos["PhysicalSerialNumber"] + ";"
 
    $HRSize = [Int64]$USB_Infos["Size"]
    $HRSize = $HRSize / (1000*1000*1000)
    $HRSize = [String]$HRSize
    $HRSize = $HRSize.Split(".")[0]
    $HRSize = $HRSize + "Go "
 
    $Model = $USB_Infos["Model"]
 
    if(  $TRUSTED_USB_KEYS  -notmatch $CurrentUSBInfos  )
    {
      try
      {
        Get-ChildItem $USB_Drive_Letter > $Null
      }
      catch
      {
        continue
      }
      Print-Info $USB_Drive_Letter $HRSize $Model "KO"
      $SEPARATOR >> $LOG
      $Date = Get-Date
      $Date_Enroll = "Date de l'évènement            " + $Date >> $LOG
      $USB_Infos >> $LOG
      "`r`n" >> $LOG
      "Contenu de la clé : --------------------------------------------------------------------------------------------↵
      ---------------------------------------------" >> $LOG
      # Get-ChildItem $USB_Drive_Letter >> $LOG
 
       "Mode   | Attributs                  |  Date de création                     |  Date d'accès                    ↵
            |  Fichier                              " >> $LOG
       "-------+----------------------------+---------------------------------------+----------------------------------↵
       -----+---------------------------------------" >> $LOG
      (Get-ChildItem $USB_Drive_Letter ) | % {
        #$msg =  + "  " +  + "  " + 
        printf("%-5s  | %-25s  |  %-35s  |  %-35s  |  %s",[String]$_.Mode,[String]$_.Attributes,`
         [String]$_.CreationTime,[String]$_.LastAccessTime,[String]$_.FullName) >> $LOG
 
      }
      "----------------------------------------------------------------------------------------------------------------↵
      ---------------------------------------------" >> $LOG
      sleep 1
      Umount-Disk $USB_Drive
      Show-Msgbox "Clé USB inconnue détectée. Information et contenu à sa racine listés et journalisé." "Système" "Critical"
    }
    else
    {
      $msg = "Clé autorisée ......... : " + [String]$USB_Drive_Letter + " (" + $HRSize + ")" + " [" + $USB_Infos["Model"] + "] "
      Print-Info $USB_Drive_Letter $HRSize $Model "OK"
 
    }
 
  } # foreach
 
  sleep 1
}
 
 
 



   =>   Écrit par : Nicolas, le 04 juillet 2017


 
Mots clés :  
  powershell 
  
  usb 
    >   Articles connexes :

Powershell : récursivité

Powershell : récursivité



Powershell : base 64

Powershell : base 64



USB Sniffer

USB Sniffer


6026434