File Change Tripwire

File Change Tripwire

This PowerShell script will monitor your selected folders for any created, modified, renamed or deleted files. You'll then be e-mailed a list of all the changes at a set interval, along with a time and details of each filename. This script could be set to run in the background to monitor important folder for security intrusions - for example, on a Windows based webserver.

All of the variables you need to configure are listed in the first two blocks of code. You'll need an SMTP server to take advantage of the e-mail capability, but this can easily be edited out if desired.

You'll need to create a "/Logs" sub-directory in the location of the PS file, this is used as a local log folder.

To Do List:
  • Excluded File Filters
  • Multiple Folder Monitoring
  • Automatic Log folder Creation
  • Optional E-Mail and Logging Settings

Code:
#   __          ___           _                  __  ___  ______                                               
#   \ \        / (_)         | |                /_ |/ _ \|  ____|                                               
#    \ \  /\  / / _ _ __   __| | _____      _____| | | | | |__ ___  _ __ _   _ _ __ ___  ___   ___ ___  _ __ ___
#     \ \/  \/ / | | '_ \ / _` |/ _ \ \ /\ / / __| | | | |  __/ _ \| '__| | | | '_ ` _ \/ __| / __/ _ \| '_ ` _ \
#      \  /\  /  | | | | | (_| | (_) \ V  V /\__ \ | |_| | | | (_) | |  | |_| | | | | | \__ \| (_| (_) | | | | | |
#       \/  \/   |_|_| |_|\__,_|\___/ \_/\_/ |___/_|\___/|_|  \___/|_|   \__,_|_| |_| |_|___(_)___\___/|_| |_| |_|
#
#
# PowerShell Script Repository: https://www.windows10forums.com/articles/categories/powershell-scripts.8/
# Author: Ian Cunningham

### MONITORING SETTINGS

    $serverName = "Host1"   #server name
    $emailFreq = "5"   #number of minutes between e-mail notification batches
    $monitorFolder = "C:\inetpub\vhosts"   #folder to monitor
    $fileFilter = @(".txt",".doc",".xls",".zip")   #array of extensions to monitor

### EMAIL SETTINGS

    $From = "[email protected]"
    $To = "[email protected]"
    $SMTPServer = "smtp.test.com"
    $SMTPPort = "587"
    $Username = "[email protected]"
    $Password = "password"


### SET FOLDER TO WATCH + FILES TO WATCH + SUBFOLDERS YES/NO
    $filewatcher = New-Object System.IO.FileSystemWatcher
    $filewatcher.Path = $monitorFolder
    $filewatcher.Filter = "*.*"
    $filewatcher.IncludeSubdirectories = $true
    $filewatcher.EnableRaisingEvents = $true

### STARTUP VARS

    $global:body = @()
    $global:changes = $false
    $global:firsttimestamp = $(Get-Date)


### DEFINE ACTIONS AFTER A EVENT IS DETECTED
 
    $fileaction = {
 
                $path = $Event.SourceEventArgs.FullPath
                $extension = [io.path]::GetExtension($path)

                if ($fileFilter -contains $extension) {

                        $changeType = $Event.SourceEventArgs.ChangeType
                        $logline = "$(Get-Date), ${changeType}: $path"
                        Add-content "$PSScriptRoot\Logs\$(get-date -f yyyy-MM-dd).txt" -value $logline
                 
                        $global:body += $logline
                        $global:body += "`r`n"

                        if ($global:changes -eq $false) {

                            $global:changes = $true
                            $global:firsttimestamp = $(Get-Date)

                        }
                }

              } 


### DECIDE WHICH EVENTS SHOULD BE WATCHED + SET CHECK FREQUENCY
    $filecreated = Register-ObjectEvent $filewatcher "Created" -Action $fileaction
    $filechanged = Register-ObjectEvent $filewatcher "Changed" -Action $fileaction
    $filedeleted = Register-ObjectEvent $filewatcher "Deleted" -Action $fileaction
    $filerenamed = Register-ObjectEvent $filewatcher "Renamed" -Action $fileaction

while ($true) {
    sleep 1

    if ((($(Get-Date) - ($global:firsttimestamp)).TotalMinutes -ge $emailFreq) -AND ($global:changes -eq $true)) {

    $smtp = New-Object System.Net.Mail.SmtpClient($SMTPServer, $SMTPPort);
    $smtp.EnableSSL = $true
    $smtp.Credentials = New-Object System.Net.NetworkCredential($Username, $Password);
    $smtp.Send($From, $To, "File Change Log - $serverName", $global:body);

    Write-Host "E-Mail Sent"
    Write-Host $global:body

    $global:changes = $false
    $global:body = @()

    }

}
  • Like
Reactions: Regedit32
Author
Ian
Downloads
2,074
First release
Last update

More resources from Ian

Top