Automation of blocking Forex/NonPetya

Colleagues, good day.

In connection with the hype around Forex/NonPetya, my colleague Vladislav Kovalev was developed by a script on PowerShell for pest control, for which he thanks a lot. I hope someone will be useful. If anyone is interested, I ask under kat

Petya_youshellnotpass the script does the following:

— create rules in firewall that blocks vulnerable ports;
searches C:\Windows the perfc file and remove when detected.
— creates new file and sets perfc they ban for all;
— looking in the Temp folder for each user. exe files and lists the found, you want to view and delete the suspicious files (manually yourself)

The start rule:
Runs in normal Windows mode (not safe and not PE).

1.Start the powershell console from the administrator and to register:
Set-executionpolicy unrestricted -force

2.To execute the script petya_youshellnotpass. Closely monitor the script output. To check the files it will find in the Temp folder.

3.In the powershell console enter the command:
Set-executionpolicy restricted -force

Code:

the 
# Get the ID and security principal of the current user account
$myWindowsID=[System.Security.Principal.WindowsIdentity]::GetCurrent()
$myWindowsPrincipal=new-object System.Security.Principal.WindowsPrincipal($myWindowsID)

# Get the security principal for the Administrator role
$adminRole=[System.Security.Principal.WindowsBuiltInRole]::Administrator

# Check to see  if  we are currently running "as Administrator"
if ($myWindowsPrincipal.IsInRole($adminRole))
{
# We are running "as Administrator" - so change the title and background color to indicate this
$Host.UI.RawUI.WindowTitle = $myInvocation.MyCommand.Definition + "(Elevated)"
$Host.UI.RawUI.BackgroundColor = "DarkBlue"
clear-host
}
else
{
# We are not running "as Administrator" - so relaunch as administrator

# Create a new process object that starts PowerShell
$newProcess = new-object System.Diagnostics.ProcessStartInfo "PowerShell";

# Specify the current script path and name as a parameter
$newProcess.Arguments = $myInvocation.MyCommand.Definition;

# Indicate that the process should be elevated
$newProcess.Verb = "runas";

# Start the new process
[System.Diagnostics.Process]::Start($newProcess);

# Exit from the current, unelevated, process
exit
}

$Compname = Get-WmiObject -Class win32_computersystem | select-expa name
$Cred = $Compname+"\admin"

Write-Verbose -Message "Start process" -Verbose
Write-Verbose -Message "Adding firewall rule" -Verbose

try{New-NetFirewallRule -Action Block -Description Peta.A-Direction Inbound-DisplayName Peta.A_Block -Profile Any-Protocol TCP -LocalPort 135,139,445,1024-1035}
catch{netsh advfirewall firewall add rule name="Petya.A_Block" protocol=TCP dir=in localport=135,139,445,1024-1035 action=block}



if((Test-Path -Path C:\Windows\perfc) -eq $true)
{
try
{
Remove-Item-Path C:\Windows\perfc -Force -ea Stop
Write-Verbose -Message "File was already exist perfc" -Verbose
}
catch {Write-Verbose -Message "File perfc already fixed" -Verbose}
}

if((Test-Path -Path C:\Windows\perfc.dll) -eq $true)
{
try
{
Remove-Item-Path C:\Windows\perfc.dll -Force -ea Stop
Write-Verbose -Message "File perfc.dll was already exist" -Verbose
}
catch {Write-Verbose -Message "File perfc.dll already fixed" -Verbose}
}

if((Test-Path -Path C:\Windows\perfc.dat) -eq $true)
{
try
{
Remove-Item-Path C:\Windows\perfc.dat -Force -ea stop
Write-Verbose -Message "File perfc.dat was already exist" -Verbose
}
catch {Write-Verbose -Message "File perfc.dat already fixed" -Verbose}
}

try{
New-item-Path C:\Windows -ItemType File-Name Perfc -Force -ea Stop
New-item-Path C:\Windows -ItemType File-Name Perfc.dll -Force -ea Stop
New-item-Path C:\Windows -ItemType File-Name Perfc.dat -Force -ea stop
}catch{Write-Verbose -Message "Dont need to create new files"}

Write-Verbose -Message "Successfully created" -Verbose
$acl1 = Get-acl C:\Windows\Perfc
$acl2 = Get-acl C:\Windows\Perfc.dll
$acl3 = Get-acl C:\Windows\Perfc.dat

$acl1.SetAccessRuleProtection($true,$true)
$acl2.SetAccessRuleProtection($true,$true)
$acl3.SetAccessRuleProtection($true,$true)

$accrule1 = New-Object System.Security.AccessControl.FileSystemAccessRule("NT AUTHORITY\SYSTEM","FullControl","Deny")
$accrule2 = New-Object System.Security.AccessControl.FileSystemAccessRule("BUILTIN\Administrators","FullControl","Deny")
$accrule3 = New-Object System.Security.AccessControl.FileSystemAccessRule("BUILTIN\Administrator","ReadAndExecute","Allow")
$accrule4 = New-Object System.Security.AccessControl.FileSystemAccessRule("BUILTIN\Administrator","ReadAndExecute","Allow")

$acl1.SetAccessRule($accrule1)
$acl1.SetAccessRule($accrule2)
$acl1.SetAccessRule($accrule3)
$acl1.SetAccessRule($accrule4)

$acl2.SetAccessRule($accrule1)
$acl2.SetAccessRule($accrule2)
$acl2.SetAccessRule($accrule3)
$acl2.SetAccessRule($accrule4)

$acl3.SetAccessRule($accrule1)
$acl3.SetAccessRule($accrule2)
$acl3.SetAccessRule($accrule3)
$acl3.SetAccessRule($accrule4)

Set-Acl -AclObject $acl1 -Path C:\Windows\Perfc -ea SilentlyContinue
Set-Acl -AclObject $acl2 -Path C:\Windows\Perfc.dll -ea SilentlyContinue
Set-Acl -AclObject $acl2 -Path C:\Windows\Perfc.dat -ea SilentlyContinue

Write-Verbose -Message "Searching for exe files in the temp" -Verbose

$Prof= Get-ChildItem -Path "C:\Users" -Force |where {!($_.Name -like "All users")-or!($_.Name -like "Public")}| select-expa fullname

[array]$TempFiles = $null
[array]$TempPath = $nell

Foreach ($P in $Prof)
{

$TempPath = $P+"\AppData\Local"
Get-ChildItem -Path "$TempPath" -Force-Recurse-ErrorAction SilentlyContinue | where {$_.name-like "*.exe"} | select name,fullname | Format-Table -HideTableHeaders

}

if ($TempFiles -eq $null){Write-Verbose -Message "None of the. exe file was found" -Verbose}
else{Write-Warning -Message "$TempFiles" -Verbose}



Write-Host "Press any key to continue ..."

$x = $host.UI.RawUI.ReadKey("NoEcho,IncludeKeyDown")
Article based on information from habrahabr.ru

Комментарии

Отправить комментарий

Популярные сообщения из этого блога

Briefly on how to make your Qt geoservice plugin

Изображение
+ =? The next step after GPS module , became its practical application in my project. Maybe someone this post will be more interesting. First, some source data: Required: the Offline mapping service the Integration with QML Features: the the libosmscout — library providing the OSM data in the wrapper with the friendly API the Qt5Location with dev branch summary of the previous 160 series In Qt since time immemorial was a wonderful beam-process QtMobility and he was so wonderful that he lived, he lived, and bent. Yes, of course, he is still here, and even used my N9 and someone's Blackberry, but the fact that Digia will no longer support this API at all. But in Digia are working not fools, they gradually started to pull the pieces QtMobility in Qt5. One such component is a QtLocation. In Qt 5.3, you can see only a piece QtLocation, QtPositioning which refers to Digia. I must say nice stuff, gave her the NMEA from the local socket, and she...
Далее...

Database replication PostgreSQL-based SymmetricDS

In this article I will tell how to configure database replication for PostgreSQL. For the experiments we use a distribution of Linux CentOS 5.3, although this is not essential. we will use a version of PostgreSQL 8.4.7 and SymmetricDS-2.2.2. What is replication? In fact, it is a mechanism to automatically synchronize the contents of databases running on different servers. As a result of replication of these databases contain absolutely identical data. This is necessary for example in order to provide fault tolerance system (in the case of the fall of the first database server, the work enters the second), or to implement load balancing, different customers can serve different server. For replication you need at least two database servers, so prepare two identical servers with a PostgreSQL database on each. The first is the IP address 10.0.2.20, the second — 10.0.2.21, both gateway 10.0.2.2. You can do a virtual machine like VirtualBox to create two virtual servers and run...
Далее...

Developing for Sailfish OS: notifications for example apps for taking notes

Изображение
Hello! This article is a continuation of cycle of articles, dedicated to developing applications for the mobile platform Sailfish OS. This time we will talk about the app for taking notes, allowing the user to keep records, mark the tags, add images, photos, reminders, and sync with Evernote account. Let's start the article with an extensive user interface applications , and then move on to technical details . application Description The main application screen is a list of user records, where each list item shows the title of the notes, a description (or part of it, if the description does not fit completely), and the image if it is added. List items also have a context menu allowing you to delete the note or to open a dialog to edit it. And by clicking on a list item opens a screen showing all the information about this article. Talk details about the user interface of the application. The main application screen is a list of user records, where each list item shows...
Далее...