Thursday, May 9, 2024

Monitoring with PowerShell: Monitoring VSS snapshot availability


Intro

Wow! It's been some time since I've blogged. I've simply been so swamped with CIPP that I've let the blogging go completely. It's a shame, because out of all my hobbies I think it's the one I enjoy the most. It's always nice helping others achieve their scripting goal. I even got a couple of LinkedIn questions asking if I was done with blogging, but I'm not. Writing always gives me some extra peace of mind, so I'll try to catch up again. I know I've said that before, but this time I'll follow through. I'm sitting down right now and scheduling the release of 5 blogs in one go. No more whining and no more waiting.

Today we're starting with a simple one that often gets overlooked. One of my friends somewhat recently made the following LinkedIn post:

Ryan Weeks asking about VSS

It felt kind of serendipitous that he made this post right before my session at DattoCon. My session there was about protecting yourself against these kinds of attacks. So, today I'm sharing with you how to monitor that your VSS snapshots haven't been deleted, and that their number is above the count you've specified.

VSS Monitoring script

$SnapshotCountMin = 3
# Win32_ShadowCopy lists every VSS snapshot currently present on the machine
$Snapshots = @(Get-CimInstance -ClassName Win32_ShadowCopy -Property *)

# Unhealthy when there are no snapshots at all, or fewer than the configured minimum
if (!$Snapshots -or $Snapshots.Count -lt $SnapshotCountMin) {
    Write-Host "Unhealthy - There are no snapshots available or fewer than the specified minimum."
    exit 1
} else {
    Write-Host "Healthy - Snapshots are present"
}

Now this is a fairly short one, right? Don't you hate it when you wait for a blog for months and don't get more than a spoonful? I do. So let's solve another problem in Ryan's post. When attackers hit, they often edit the BCD file well before executing the actual attack, so it's a good thing to keep an eye on:

$BCDExportFile = "C:\programdata\bcdedit.txt"
# Previous export of the boot configuration, if one exists yet
$BCDContent = Get-Content $BCDExportFile -ErrorAction SilentlyContinue
# Live boot configuration; bcdedit needs an elevated session.
# (The command inside the two branches did not survive on the page; bcdedit /enum is assumed.)
$CurrentBCD = bcdedit /enum
if ($BCDContent) {
    # Compare the stored export with the live configuration, then refresh the export
    $ComparedObject = Compare-Object -ReferenceObject $BCDContent -DifferenceObject $CurrentBCD
    $CurrentBCD | Out-File $BCDExportFile
}
else {
    # First run: nothing to compare against yet, store the current configuration as the baseline
    $CurrentBCD | Out-File $BCDExportFile
}

if ($ComparedObject) {
    Write-Host "There is a difference in boot configuration. Please investigate"
} else {
    Write-Host "Healthy"
}
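As an added example (my own code, not the post's scripts), here are both checks folded into one RMM-style script. It goes a step beyond the two scripts above: it also alerts when the newest snapshot is stale, and it reports the exact BCD lines that differ from the baseline instead of just saying "something changed". The export path, the thresholds and bcdedit /enum as the baseline command are assumptions.

```powershell
# Added example, not code from the original post: both checks in one script,
# plus a freshness check on the newest snapshot and a line-by-line report of
# what changed in the BCD store. Thresholds and the export path are placeholders.
$SnapshotCountMin    = 3
$MaxSnapshotAgeHours = 24
$BCDExportFile       = "C:\ProgramData\bcdedit.txt"
$Problems = [System.Collections.Generic.List[string]]::new()

# --- VSS: enough snapshots, and a recent one ------------------------------
$Snapshots = @(Get-CimInstance -ClassName Win32_ShadowCopy -ErrorAction SilentlyContinue)
if ($Snapshots.Count -lt $SnapshotCountMin) {
    $Problems.Add("Only $($Snapshots.Count) VSS snapshot(s), minimum is $SnapshotCountMin")
}
if ($Snapshots.Count -gt 0) {
    # InstallDate is the snapshot creation time: old copies surviving while no
    # new ones appear means the backup job stopped, which a plain count misses.
    $Newest = ($Snapshots | Sort-Object InstallDate -Descending)[0].InstallDate
    if ($Newest -lt (Get-Date).AddHours(-$MaxSnapshotAgeHours)) {
        $Problems.Add("Newest VSS snapshot is from $Newest, older than $MaxSnapshotAgeHours hours")
    }
}

# --- BCD: compare the live store with the stored baseline ------------------
# bcdedit needs an elevated session; /enum is assumed to be what the export holds.
$CurrentBCD = @(bcdedit /enum 2>&1 | ForEach-Object { $_.ToString().TrimEnd() })
if ($LASTEXITCODE -ne 0) {
    $Problems.Add("bcdedit /enum failed: $($CurrentBCD -join ' ')")
} elseif (Test-Path $BCDExportFile) {
    $StoredBCD = @(Get-Content $BCDExportFile)
    # '<=' = only in the baseline, '=>' = only in the live store
    $Diff = Compare-Object -ReferenceObject $StoredBCD -DifferenceObject $CurrentBCD
    if ($Diff) {
        $Lines = $Diff | ForEach-Object { "$($_.SideIndicator) $($_.InputObject)" }
        $Problems.Add("Boot configuration changed since last export:`n" + ($Lines -join "`n"))
    }
    # The baseline is deliberately not overwritten here, so the alert repeats
    # every run until someone reviews the change and re-creates the export.
} else {
    $CurrentBCD | Out-File $BCDExportFile -Encoding utf8
    Write-Host "No BCD baseline found; created $BCDExportFile"
}

if ($Problems.Count -gt 0) {
    Write-Host ("Unhealthy - " + ($Problems -join "; "))
    exit 1
}
Write-Host "Healthy - snapshots present and boot configuration unchanged"
```

Run it elevated on a schedule from your RMM; a non-zero exit code is the alert, and the message carries enough detail to triage without logging on to the machine.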

Two fairly simple scripts, but both could save you a lot of headache.

As always, Happy PowerShelling. 🙂
