{
	"id": "779a6c77-5937-4fc9-80db-7ad3c55803a1",
	"created_at": "2026-04-06T00:18:43.238225Z",
	"updated_at": "2026-04-10T03:21:48.51283Z",
	"deleted_at": null,
	"sha1_hash": "e8b4453cee8b6f7e20fb4fc01a4f47452609997e",
	"title": "Powershell – Caintech.co.uk",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 442654,
	"plain_text": "Powershell – Caintech.co.uk\r\nArchived: 2026-04-05 16:12:07 UTC\r\nMany companies spend a fortune on Next Generation anti-virus and Machine Learning “AI” tools to halt the spread of ransomware and, although I strongly believe that user education and training play a key part in this, Windows can help in a massive way. Windows File Services Resource Manager (FSRM), a resource already built into Windows, can halt the spread and quarantine accounts that are affected.\r\nThis solution utilises PowerShell and Windows File Services Resource Manager to automatically lock out a user account when ransomware activities are detected.\r\nInstalling FSRM\r\nFirst and foremost, you will need to set up FSRM on your file servers. This feature is part of the File Services Role and can be installed with the following PowerShell command (all one line).\r\nInstall-WindowsFeature -Name FS-Resource-Manager -IncludeManagementTools\r\nTake note, FSRM is only available on Windows Server. If you’re interested in workstation mitigation, comment below and I’ll get to writing!\r\nGet Email Alerts\r\nIn order to be emailed about the action our killswitch takes, we will need to set up the SMTP Server settings within FSRM. We don’t necessarily have to do this right now, but it saves us from seeing annoying prompts in the future steps.\r\nOpen up Server Manager \u003e File and Storage Services \u003e Right-click on your server \u003e File Server Resource Manager (this can also be accessed through Administrative Tools). Once opened, right-click “File Server Resource Manager (Local)” in the left pane and select “Configure Options…” Go ahead and set up all your email settings, similar to below.\r\nhttps://caintechnews.wordpress.com/category/windows/powershell/\r\nPage 1 of 8\r\nSet up Killswitch Directory\r\nIn your corporate file share(s), set up a directory that begins with an underscore. If the ransomware is encrypting alphabetically, this will ensure that it is tripped as soon as possible. Within that directory, we will place a text file called killswitch.txt.\r\nSet Up the Killswitch\r\nMany variants of ransomware look to find mapped drives and will begin encrypting data in alphabetical order. Because of this, our killswitch is going to be a directory placed in the file shares that begins with an underscore.\r\nCreate a new File Group under File Screening Management that will look at all files except our killswitch.txt.\r\nNext, we will create a File Screen Template utilizing the File Group we created called “All File Types”.\r\nWe will want to configure email alerts, so on the E-Mail Message tab, fill out the pertinent information.\r\nWe also want to automate the removal of the offending user in order to stop the ransomware from encrypting our entire file server. We will do this with some PowerShell. Copy the following and save it to your preferred location. In this example, I’m just saving it to C:\\kickuser.ps1.\r\nparam( [string]$username = \"\" )\r\nGet-SmbShare -Special $false | ForEach-Object { Block-SmbShareAccess -Name $_.Name -AccountName \"$username\" -Force }\r\nOn the Command tab, check “Run this command or script:” and enter the following:\r\nC:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\r\nFor the command arguments, insert the following:\r\n-Command \"\u0026 {C:\\kickuser.ps1 -username '[Source Io Owner]'}\"\r\nSet it to run as Local System.\r\nApply the File Screen\r\nFrom within FSRM, select File Screening Management \u003e File Screens and create a new File Screen. Set the path to your underscore directory and use the “Detect Ransomware” File Screen template that we created earlier.\r\nTesting\r\nTo test, I created a test account (test guy) and modified the file. I was instantly locked out of the share. The output of our PowerShell script, as well as the share permissions, show this:\r\nWrapping Up\r\nThis methodology should help mitigate some risk around ransomware attacks. In the future, it may also be beneficial to make the following changes:\r\n1. Create a secondary killswitch in a ZZZ_Killswitch directory in case a ransomware variant starts in reverse-alphabetical order.\r\n2. Extend the PowerShell script to also lock out their AD account.\r\n3. Create more killswitch files and file screens due to newer ransomware variants focusing on document and image files (.doc, .docx, .pdf, .jpg, .png, etc.)\r\nI believe in using the resources we already have available to us in helping secure our organisations, and hopefully, this helps. Feel free to comment with any questions or suggestions.\r\nSource: https://caintechnews.wordpress.com/category/windows/powershell/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"references": [
		"https://caintechnews.wordpress.com/category/windows/powershell/"
	],
	"report_names": [
		"powershell"
	],
	"threat_actors": [],
	"ts_created_at": 1775434723,
	"ts_updated_at": 1775791308,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/e8b4453cee8b6f7e20fb4fc01a4f47452609997e.pdf",
		"text": "https://archive.orkl.eu/e8b4453cee8b6f7e20fb4fc01a4f47452609997e.txt",
		"img": "https://archive.orkl.eu/e8b4453cee8b6f7e20fb4fc01a4f47452609997e.jpg"
	}
}