Everything posted by nicecube

  1. The update you received concerns the security hole that was used to infect us. They say the flaw has not been exploited, but that's a big lie ... We use Automate to clean a lot of PCs with auto-join groups and scripts. We have been working 16 hours a day every day since last Wednesday; we are all exhausted. We are starting to see the light at the end of the tunnel. We have lost some customers, but I believe our company will survive. I don't wish this on anyone; it's really a nightmare. Once the decryption was finished and the station disinfected, we thought the PC would be usable, but the ransomware destroyed all NTFS permissions. We are working on a script to put these back in place with basic permissions while we reinstall Windows in the next few weeks. Does anyone know of a good tool for fixing NTFS permissions? I tried Windows Repair Tool from tweaking.com with the options that reset permissions, but it didn't work. I have also tried the basic subinacl / takeown / icacls commands (script included below), but they don't work perfectly. With my permissions script, people can work on the computer while we reinstall all of our clients' PCs. It's a temporary fix while you get it right. We have uninstalled all of our customers' Webroot and Huntress agents as these products were not able to protect our customers. We will try CrowdStrike; we got a good price. From what I have read it is really good protection.
     REM Baseline NTFS permissions script (cmd). Each path is granted the English
     REM principal names and then the French equivalents, because the fleet has
     REM both language versions of Windows installed.
     subinacl /subdirectories c:\ /grant=system=f
     subinacl /subdirectories c:\ /grant=administrators=f

     REM --- C:\Program Files ---
     takeown /F "C:\Program Files" /A
     icacls "c:\program files" /grant "NT SERVICE\TrustedInstaller:(F)"
     icacls "c:\program files" /grant "NT SERVICE\TrustedInstaller:(CI)(IO)(F)"
     icacls "c:\program files" /grant "NT AUTHORITY\SYSTEM:(M)"
     icacls "c:\program files" /grant "NT AUTHORITY\SYSTEM:(OI)(CI)(IO)(F)"
     icacls "c:\program files" /grant BUILTIN\Administrators:(M)
     icacls "c:\program files" /grant BUILTIN\Administrators:(OI)(CI)(IO)(F)
     icacls "c:\program files" /grant BUILTIN\Users:(RX)
     icacls "c:\program files" /grant BUILTIN\Users:(OI)(CI)(IO)(GR,GE)
     icacls "c:\program files" /grant "CREATOR OWNER:(OI)(CI)(IO)(F)"
     icacls "c:\program files" /grant "APPLICATION PACKAGE AUTHORITY\ALL APPLICATION PACKAGES:(RX)"
     icacls "c:\program files" /grant "APPLICATION PACKAGE AUTHORITY\ALL APPLICATION PACKAGES:(OI)(CI)(IO)(GR,GE)"
     icacls "c:\program files" /grant "APPLICATION PACKAGE AUTHORITY\ALL RESTRICTED APPLICATION PACKAGES:(RX)"
     icacls "c:\program files" /grant "APPLICATION PACKAGE AUTHORITY\ALL RESTRICTED APPLICATION PACKAGES:(OI)(CI)(IO)(GR,GE)"
     icacls "c:\program files" /grant "AUTORITE NT\Système:(M)"
     icacls "c:\program files" /grant "AUTORITE NT\Système:(OI)(CI)(IO)(F)"
     icacls "c:\program files" /grant BUILTIN\Administrateurs:(M)
     icacls "c:\program files" /grant BUILTIN\Administrateurs:(OI)(CI)(IO)(F)
     icacls "c:\program files" /grant BUILTIN\Utilisateurs:(RX)
     icacls "c:\program files" /grant BUILTIN\Utilisateurs:(OI)(CI)(IO)(GR,GE)
     icacls "c:\program files" /grant "CREATEUR PROPRIETAIRE:(OI)(CI)(IO)(F)"
     icacls "c:\program files" /grant "AUTORITÉ DE PACKAGE D'APPLICATION\TOUS LES PACKAGES D'APPLICATION:(RX)"
     icacls "c:\program files" /grant "AUTORITÉ DE PACKAGE D'APPLICATION\TOUS LES PACKAGES D'APPLICATION:(OI)(CI)(IO)(GR,GE)"
     icacls "c:\program files" /grant "AUTORITÉ DE PACKAGE D'APPLICATION\TOUS LES PACKAGES D'APPLICATION RESTREINTS:(RX)"
     icacls "c:\program files" /grant "AUTORITÉ DE PACKAGE D'APPLICATION\TOUS LES PACKAGES D'APPLICATION RESTREINTS:(OI)(CI)(IO)(GR,GE)"
     icacls "c:\Program Files" /setowner "NT SERVICE\TrustedInstaller"

     REM --- C:\Program Files (x86) ---
     takeown /F "C:\Program Files (x86)" /A
     icacls "c:\program files (x86)" /grant "NT SERVICE\TrustedInstaller:(F)"
     icacls "c:\program files (x86)" /grant "NT SERVICE\TrustedInstaller:(CI)(IO)(F)"
     icacls "c:\program files (x86)" /grant "NT AUTHORITY\SYSTEM:(M)"
     icacls "c:\program files (x86)" /grant "NT AUTHORITY\SYSTEM:(OI)(CI)(IO)(F)"
     icacls "c:\program files (x86)" /grant BUILTIN\Administrators:(M)
     icacls "c:\program files (x86)" /grant BUILTIN\Administrators:(OI)(CI)(IO)(F)
     icacls "c:\program files (x86)" /grant BUILTIN\Users:(RX)
     icacls "c:\program files (x86)" /grant BUILTIN\Users:(OI)(CI)(IO)(GR,GE)
     icacls "c:\program files (x86)" /grant "CREATOR OWNER:(OI)(CI)(IO)(F)"
     icacls "c:\program files (x86)" /grant "APPLICATION PACKAGE AUTHORITY\ALL APPLICATION PACKAGES:(RX)"
     icacls "c:\program files (x86)" /grant "APPLICATION PACKAGE AUTHORITY\ALL APPLICATION PACKAGES:(OI)(CI)(IO)(GR,GE)"
     icacls "c:\program files (x86)" /grant "APPLICATION PACKAGE AUTHORITY\ALL RESTRICTED APPLICATION PACKAGES:(RX)"
     icacls "c:\program files (x86)" /grant "APPLICATION PACKAGE AUTHORITY\ALL RESTRICTED APPLICATION PACKAGES:(OI)(CI)(IO)(GR,GE)"
     icacls "c:\program files (x86)" /grant "AUTORITE NT\Système:(M)"
     icacls "c:\program files (x86)" /grant "AUTORITE NT\Système:(OI)(CI)(IO)(F)"
     icacls "c:\program files (x86)" /grant BUILTIN\Administrateurs:(M)
     icacls "c:\program files (x86)" /grant BUILTIN\Administrateurs:(OI)(CI)(IO)(F)
     icacls "c:\program files (x86)" /grant BUILTIN\Utilisateurs:(RX)
     icacls "c:\program files (x86)" /grant BUILTIN\Utilisateurs:(OI)(CI)(IO)(GR,GE)
     icacls "c:\program files (x86)" /grant "CREATEUR PROPRIETAIRE:(OI)(CI)(IO)(F)"
     icacls "c:\program files (x86)" /grant "AUTORITÉ DE PACKAGE D'APPLICATION\TOUS LES PACKAGES D'APPLICATION:(RX)"
     icacls "c:\program files (x86)" /grant "AUTORITÉ DE PACKAGE D'APPLICATION\TOUS LES PACKAGES D'APPLICATION:(OI)(CI)(IO)(GR,GE)"
     icacls "c:\program files (x86)" /grant "AUTORITÉ DE PACKAGE D'APPLICATION\TOUS LES PACKAGES D'APPLICATION RESTREINTS:(RX)"
     icacls "c:\program files (x86)" /grant "AUTORITÉ DE PACKAGE D'APPLICATION\TOUS LES PACKAGES D'APPLICATION RESTREINTS:(OI)(CI)(IO)(GR,GE)"
     icacls "c:\Program Files (x86)" /setowner "NT SERVICE\TrustedInstaller"

     REM --- Drive root ---
     takeown /F "C:" /A
     icacls c:\ /grant "NT AUTHORITY\SYSTEM:(OI)(CI)(F)"
     icacls c:\ /grant BUILTIN\Administrators:(OI)(CI)(F)
     icacls c:\ /grant BUILTIN\Users:(OI)(CI)(RX)
     icacls c:\ /grant BUILTIN\Users:(CI)(AD)
     icacls c:\ /grant BUILTIN\Users:(CI)(IO)(WD)
     icacls c:\ /grant "CREATOR OWNER:(OI)(CI)(IO)(F)"
     icacls c:\ /grant "AUTORITE NT\Système:(OI)(CI)(F)"
     icacls c:\ /grant BUILTIN\Administrateurs:(OI)(CI)(F)
     icacls c:\ /grant BUILTIN\Utilisateurs:(OI)(CI)(RX)
     icacls c:\ /grant BUILTIN\Utilisateurs:(CI)(AD)
     icacls c:\ /grant BUILTIN\Utilisateurs:(CI)(IO)(WD)
     icacls c:\ /grant "CREATEUR PROPRIETAIRE:(OI)(CI)(IO)(F)"
     icacls c:\ /setowner "NT SERVICE\TrustedInstaller"

     REM --- C:\Users (principal names with spaces must be quoted) ---
     takeown /F "C:\Users" /A
     icacls "C:\Users" /grant "NT AUTHORITY\SYSTEM:(OI)(CI)(F)"
     icacls "C:\Users" /grant BUILTIN\Administrators:(OI)(CI)(F)
     icacls "C:\Users" /grant BUILTIN\Users:(RX)
     icacls "C:\Users" /grant BUILTIN\Users:(OI)(CI)(IO)(GR,GE)
     icacls "C:\Users" /grant Everyone:(RX)
     icacls "C:\Users" /grant Everyone:(OI)(CI)(IO)(GR,GE)
     icacls "C:\Users" /setowner "NT AUTHORITY\SYSTEM"
     icacls "C:\Users" /grant "AUTORITE NT\Système:(OI)(CI)(F)"
     icacls "C:\Users" /grant BUILTIN\Administrateurs:(OI)(CI)(F)
     icacls "C:\Users" /grant BUILTIN\Utilisateurs:(RX)
     icacls "C:\Users" /grant BUILTIN\Utilisateurs:(OI)(CI)(IO)(GR,GE)
     icacls "C:\Users" /grant "Tout le monde:(RX)"
     icacls "C:\Users" /grant "Tout le monde:(OI)(CI)(IO)(GR,GE)"
     icacls "C:\Users" /setowner "AUTORITE NT\Système"
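The same baseline ACLs as an added example, not the poster's script: every principal is named by its well-known SID (which icacls accepts with a leading `*`), so one set of lines covers both English and French Windows instead of repeating each grant per language, and the current ACL of each path is saved first so the change can be rolled back. The backup directory and the choice of which paths to touch are assumptions taken from the post above.

```powershell
# Added example (not the forum poster's script). Rebuilds the baseline NTFS ACLs
# from the post on Program Files, the drive root and C:\Users using well-known
# SIDs instead of localized names. Run elevated; test on one machine first.
$ErrorActionPreference = 'Stop'

# Well-known SIDs are language independent, unlike "BUILTIN\Users" / "BUILTIN\Utilisateurs".
$Sid = @{
    System            = '*S-1-5-18'
    Administrators    = '*S-1-5-32-544'
    Users             = '*S-1-5-32-545'
    CreatorOwner      = '*S-1-3-0'
    Everyone          = '*S-1-1-0'
    AllAppPackages    = '*S-1-15-2-1'
    AllRestrictedPkgs = '*S-1-15-2-2'
    TrustedInstaller  = '*S-1-5-80-956008885-3418522649-1831038044-1853292631-2271478464'
}

# (principal, rights) pairs, same ACE sets the post grants per top-level path.
$ProgramFilesAces = @(
    @($Sid.TrustedInstaller,  '(F)'),
    @($Sid.TrustedInstaller,  '(CI)(IO)(F)'),
    @($Sid.System,            '(M)'),
    @($Sid.System,            '(OI)(CI)(IO)(F)'),
    @($Sid.Administrators,    '(M)'),
    @($Sid.Administrators,    '(OI)(CI)(IO)(F)'),
    @($Sid.Users,             '(RX)'),
    @($Sid.Users,             '(OI)(CI)(IO)(GR,GE)'),
    @($Sid.CreatorOwner,      '(OI)(CI)(IO)(F)'),
    @($Sid.AllAppPackages,    '(RX)'),
    @($Sid.AllAppPackages,    '(OI)(CI)(IO)(GR,GE)'),
    @($Sid.AllRestrictedPkgs, '(RX)'),
    @($Sid.AllRestrictedPkgs, '(OI)(CI)(IO)(GR,GE)')
)
$RootAces = @(
    @($Sid.System,         '(OI)(CI)(F)'),
    @($Sid.Administrators, '(OI)(CI)(F)'),
    @($Sid.Users,          '(OI)(CI)(RX)'),
    @($Sid.Users,          '(CI)(AD)'),
    @($Sid.Users,          '(CI)(IO)(WD)'),
    @($Sid.CreatorOwner,   '(OI)(CI)(IO)(F)')
)
$UsersAces = @(
    @($Sid.System,         '(OI)(CI)(F)'),
    @($Sid.Administrators, '(OI)(CI)(F)'),
    @($Sid.Users,          '(RX)'),
    @($Sid.Users,          '(OI)(CI)(IO)(GR,GE)'),
    @($Sid.Everyone,       '(RX)'),
    @($Sid.Everyone,       '(OI)(CI)(IO)(GR,GE)')
)

function Invoke-Icacls {
    # Run icacls and surface a non-zero exit code instead of silently moving on.
    param([string[]]$Arguments)
    & icacls @Arguments | Out-Null
    if ($LASTEXITCODE -ne 0) {
        Write-Warning "icacls $($Arguments -join ' ') exited with code $LASTEXITCODE"
    }
}

function Restore-BaselineAcl {
    # Save the path's current ACL (non-recursive, like the post's grants), take
    # ownership, apply each ACE, then hand ownership to $Owner (SID form).
    # Roll back with: icacls <parent of Path> /restore <BackupFile>
    param([string]$Path, [object[]]$Aces, [string]$Owner, [string]$BackupFile)
    Invoke-Icacls -Arguments @($Path, '/save', $BackupFile, '/c', '/q')
    & takeown /F $Path /A | Out-Null
    foreach ($ace in $Aces) {
        Invoke-Icacls -Arguments @($Path, '/grant', "$($ace[0]):$($ace[1])", '/c', '/q')
    }
    Invoke-Icacls -Arguments @($Path, '/setowner', $Owner, '/c', '/q')
}

# Usage (elevated). Backup location is an assumption; pick one you can reach later.
$backupDir = 'C:\AclBackup'
New-Item -ItemType Directory -Path $backupDir -Force | Out-Null

foreach ($pf in @('C:\Program Files', 'C:\Program Files (x86)')) {
    if (Test-Path $pf) {
        $bak = Join-Path $backupDir (($pf -replace '[:\\ ()]', '_') + '.acl')
        Restore-BaselineAcl -Path $pf -Aces $ProgramFilesAces -Owner $Sid.TrustedInstaller -BackupFile $bak
    }
}
Restore-BaselineAcl -Path 'C:\'      -Aces $RootAces  -Owner $Sid.TrustedInstaller -BackupFile (Join-Path $backupDir 'root.acl')
Restore-BaselineAcl -Path 'C:\Users' -Aces $UsersAces -Owner $Sid.System           -BackupFile (Join-Path $backupDir 'users.acl')
```

The SID form also avoids the failure mode visible in the post's own script, where a localized name such as `Tout le monde` breaks the command line unless quoted, and it makes the script safe to run on a machine whose display language you do not know in advance. Like the post's commands, the grants are not recursive; `/T` would push them down the tree, which is a much bigger change and should only be done after checking the backup file restores cleanly.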
  2. Small update on the situation. We paid the ransom, and we received a decryptor that contains all the keys. We have made a decryption script that we will launch tonight at all our impacted customers. The security flaw was our user API, which did not have two-factor authentication. Please make sure that this user is not an administrator.
  3. @Jas Thanks for the information. My boss has a call with Webroot this morning; they'll help us disinfect all the computers with a custom script. Huntress will also help us; they got the logs and will do an update. This afternoon ConnectWise will be reinstalling ScreenConnect and LabTech and making sure they are all safe. I made sure that our database was not infected; we have spent thousands of hours working on it. What pains me the most is that we are forced to campaign to raise the necessary funds to pay the ransom.
  4. The password was a very long string of approximately 16 random characters. It couldn't be a brute force, and the password isn't in any rainbow tables. As I said, this is the only user who did not have 2-factor authentication. Probably they recovered an authentication token or they used a security hole in ScreenConnect. To make the situation worse, the hacker doesn't seem to want to sell us individual decryption keys; he wants more than a million for the full batch ...
  5. I don't have Slack and I'm busy restoring VMs. Luckily, a third of our infrastructure is on HP SimpliVity.
  6. *Sorry for my English, this is not my native language. The hacker mentioned having logged into our ScreenConnect and he also mentioned the number of connected machines. In the ScreenConnect log we see the compromised user (ConnectWise API), the only one not using 2-factor authentication. We looked at the commands sent by ScreenConnect: disabling the firewall (registry key), disabling UAC, and a PowerShell script to download and run the ransomware. We don't know what the vulnerability is, maybe a zero-day or something like that. We exclude brute force because the IP was banned after 3 failed attempts, and we also have geo-blocking. The hacker is clearly targeting MSPs and they know what they're doing; they erased all of the Veeam backups from the command line. They logged into ScreenConnect at 02:27; at 02:35 the commands were sent to all of our computers.
  7. This night a hacker managed to log into our ScreenConnect 20.1 and infected ALL of our clients with ransomware. He asks for 1.5 million USD for all the keys, about 5500 infected computers. I chatted with the hacker over Tor and he mentioned the number of computers we have in ScreenConnect. We had 2-factor authentication with Duo and geolocation blocking. All of our clients had Webroot and Huntress installed and they didn't detect anything. Worse, when I connect to the machine I get a Webroot popup that says my machine is safe with 6 green hooks.
  8. Thank you for this contribution, I will test this for my next deployment.
  9. I'm using this method to monitor the admin group on a Domain Controller; this script runs every 5 minutes. I have a monitor set on my Automate to check for Event ID 20.
     # @...@ tokens are Automate script variables filled in at deployment time.
     # Hash of the last saved membership export.
     $CurrentAdminsHash = Get-FileHash -Path '@monitor_folder@\@monitor_file@' | Select-Object -ExpandProperty Hash
     $Date = Get-Date
     $newAdmins = '@monitor_folder@\@monitor_new@'
     $Change = ''
     # Export the current membership and hash it for comparison.
     Get-ADGroupMember -Identity '@AdminGroup@' | Select-Object -ExpandProperty samaccountname | Export-Clixml -Path $newAdmins -Force
     $NewAdminsHash = Get-FileHash -Path $newAdmins | Select-Object -ExpandProperty Hash
     If ($NewAdminsHash -ne $CurrentAdminsHash) {
         $Change = 'Yes'
         $ChangesDetected = 'Domain Admins Group changed detected on: ' + $Date
         $ChangesDetected | Out-File -FilePath '@monitor_folder@\@monitor_change@' -Append -Force
     } else {
         $Change = 'No'
         $NoChangesDetected = 'No Changes detected on: ' + $Date
         $NoChangesDetected | Out-File -FilePath '@monitor_folder@\@monitor_no_change@' -Append -Force
         Write-EventLog -LogName HelpOX -Source AdMonitor -EntryType Information -EventId 10 -Message "Aucun Changements dans le groupe @AdminGroup@"
     }
     If ($Change -eq 'Yes') {
         # Diff the two CLIXML exports, strip the <S> tags, and raise Event ID 20 (the one Automate alerts on).
         $change = Compare-Object (Get-Content C:\HelpOX\Monitors\AdminGroup\CurrentDomainAdmins.xml) -DifferenceObject (Get-Content C:\HelpOX\Monitors\AdminGroup\NewAdmins.xml) | ForEach-Object { $_.InputObject }
         $change = $change -replace "<S>", ''
         $change = $change -replace "</S>", ''
         $MyEventInfo = @{
             LogName   = 'HelpOX'
             Source    = 'AdMonitor'
             EventID   = '20'
             EntryType = 'Information'
             Message   = "ATTENTION Changement dans le groupe Domain Admins, utilisateur(s) suivant a ete modifier: $change"
         }
         Write-EventLog @MyEventInfo
         # Refresh the saved baseline so the next run compares against the new membership.
         Get-ADGroupMember -Identity "Domain Admins" | Select-Object -ExpandProperty samaccountname | Export-Clixml -Path 'C:\HelpOX\Monitors\AdminGroup\CurrentDomainAdmins.xml'
     }
  10. You can create a PowerShell script that runs with scheduled Windows tasks. If the file has a problem, the script creates an alert in the Event Viewer. Then you can create a monitor that checks the custom alert you have created and provides a personalized action. The script and the scheduled task can be deployed by a LabTech script.
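The monitor from post 9 combined with the scheduled-task deployment from post 10, as an added example (not the poster's script): it compares the expanded Domain Admins membership against a saved baseline, names who was added and who was removed in the Event ID 20 message, creates the custom event log source on first run, and registers a task that runs it every 5 minutes as SYSTEM. The baseline path, log name, source name and task name are assumptions.

```powershell
# Added example, not the forum poster's script. Same design as the monitor above
# (baseline compare every 5 minutes, Event ID 20 in a custom log), but the diff is
# done on the member list, nested groups are expanded, and the event source is created
# if missing. Paths and names below are assumptions; adjust to your environment.
param(
    [string]$GroupName    = 'Domain Admins',
    [string]$BaselineFile = 'C:\HelpOX\Monitors\AdminGroup\baseline.json',   # assumed path
    [string]$LogName      = 'HelpOX',
    [string]$Source       = 'AdMonitor'
)

function Get-AdminMembers {
    # Expanded (recursive) user membership, sorted so two snapshots of the same set compare equal.
    param([string]$Group)
    Get-ADGroupMember -Identity $Group -Recursive |
        Where-Object objectClass -eq 'user' |
        Select-Object -ExpandProperty SamAccountName |
        Sort-Object -Unique
}

function Compare-AdminMembers {
    # Added/removed accounts between the saved baseline and the current membership.
    param([string[]]$Baseline, [string[]]$Current)
    $diff = Compare-Object -ReferenceObject @($Baseline) -DifferenceObject @($Current)
    [pscustomobject]@{
        Added   = @($diff | Where-Object SideIndicator -eq '=>' | ForEach-Object InputObject)
        Removed = @($diff | Where-Object SideIndicator -eq '<=' | ForEach-Object InputObject)
    }
}

function Write-MonitorEvent {
    param([string]$LogName, [string]$Source, [int]$EventId, [string]$Message,
          [System.Diagnostics.EventLogEntryType]$Type = 'Information')
    # Register the custom log/source once (needs admin rights the first time).
    if (-not [System.Diagnostics.EventLog]::SourceExists($Source)) {
        New-EventLog -LogName $LogName -Source $Source
    }
    Write-EventLog -LogName $LogName -Source $Source -EventId $EventId -EntryType $Type -Message $Message
}

function Invoke-AdminGroupMonitor {
    param([string]$Group, [string]$BaselineFile, [string]$LogName, [string]$Source)
    $current = @(Get-AdminMembers -Group $Group)

    if (-not (Test-Path $BaselineFile)) {
        # First run: record the baseline and log it, so silence is never mistaken for "checked".
        New-Item -ItemType Directory -Path (Split-Path $BaselineFile) -Force | Out-Null
        ConvertTo-Json -InputObject $current | Set-Content -Path $BaselineFile
        Write-MonitorEvent $LogName $Source 10 "Baseline for $Group recorded: $($current -join ', ')"
        return
    }

    $baseline = @(Get-Content -Path $BaselineFile -Raw | ConvertFrom-Json)
    $delta = Compare-AdminMembers -Baseline $baseline -Current $current

    if ($delta.Added.Count -eq 0 -and $delta.Removed.Count -eq 0) {
        Write-MonitorEvent $LogName $Source 10 "No change in $Group ($($current.Count) members)"
        return
    }

    $msg = "Change in $Group. Added: [$($delta.Added -join ', ')] Removed: [$($delta.Removed -join ', ')]"
    Write-MonitorEvent $LogName $Source 20 $msg 'Warning'
    # Refresh the baseline so the same change is not re-reported every 5 minutes;
    # the Event ID 20 already written is what the RMM monitor alerts on.
    ConvertTo-Json -InputObject $current | Set-Content -Path $BaselineFile
}

function Register-AdminGroupMonitorTask {
    # Scheduled task running this script every 5 minutes as SYSTEM (the deployment model of post 10).
    param([string]$ScriptPath, [string]$TaskName = 'HelpOX-AdminGroupMonitor')   # task name assumed
    $action    = New-ScheduledTaskAction -Execute 'powershell.exe' `
                 -Argument "-NoProfile -ExecutionPolicy Bypass -File `"$ScriptPath`""
    $trigger   = New-ScheduledTaskTrigger -Once -At (Get-Date) `
                 -RepetitionInterval (New-TimeSpan -Minutes 5) -RepetitionDuration (New-TimeSpan -Days 3650)
    $principal = New-ScheduledTaskPrincipal -UserId 'SYSTEM' -LogonType ServiceAccount -RunLevel Highest
    Register-ScheduledTask -TaskName $TaskName -Action $action -Trigger $trigger -Principal $principal -Force
}

Invoke-AdminGroupMonitor -Group $GroupName -BaselineFile $BaselineFile -LogName $LogName -Source $Source
```

Deploy by copying the script to the DC and calling `Register-AdminGroupMonitorTask -ScriptPath <path>` once from an elevated session; the RMM monitor then only needs to watch the `HelpOX` log for Event ID 20. Using `-Recursive` matters for the use case in this thread, because an account placed in a group that is itself a member of Domain Admins never shows up in a flat `Get-ADGroupMember` export, so the hash-based compare would report no change.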
  11. Hello, I have made a script to send a notification to users to tell them that there will be Windows updates, to advise them to save their work and leave their computers on. I would like to recover the day of maintenance from the database. Can someone tell me in which table I could find this information, or if there is a simpler way? I could make an extra data field, but I would prefer that it all be automatic. Sorry for my English, it's not my main language. So far I found this:
      SELECT NextInstallWindowServerTime FROM computerpatchingstats WHERE ComputerId = %computerid%
      # @sql_complete_date@ holds the SQL result as "column=value"; keep only the date part.
      $sql_complete_date = "@sql_complete_date@"
      $sql_date = $sql_complete_date -replace ".*=" -replace " .*"
      $sql_date_day = (Get-Date $sql_date).DayOfWeek
      echo $sql_date_day
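A more robust version of the date handling above, as an added example (not the poster's script): it validates the `column=value` string before parsing, uses `ParseExact` with the invariant culture so a French-locale host cannot read the date in the wrong order, and builds the user notice from the result. The sample input is constructed to match the format the post's `-replace` chain expects.

```powershell
# Added example, not the forum poster's script. Parses the value Automate returns for
# NextInstallWindowServerTime (assumed to look like "NextInstallWindowServerTime=2020-03-11 03:00:00")
# and produces the weekday plus a ready-to-send notice.
function Get-MaintenanceWindow {
    param([string]$SqlResult)
    if ($SqlResult -notmatch '=\s*(?<date>\d{4}-\d{2}-\d{2})(?:\s+(?<time>\d{2}:\d{2}(?::\d{2})?))?\s*$') {
        throw "Unexpected patch window value: '$SqlResult'"
    }
    $text = if ($Matches.time) { "$($Matches.date) $($Matches.time)" } else { $Matches.date }
    # ParseExact + invariant culture: Get-Date on a French system may apply day/month
    # conventions to non-ISO strings, so the accepted formats are listed explicitly.
    $formats = @('yyyy-MM-dd HH:mm:ss', 'yyyy-MM-dd HH:mm', 'yyyy-MM-dd')
    $when = [datetime]::ParseExact($text, $formats, [cultureinfo]::InvariantCulture, 'None')
    [pscustomobject]@{
        Window    = $when
        DayOfWeek = $when.DayOfWeek
        Message   = ("Windows updates are scheduled for {0} {1} at {2}. " +
                     "Please save your work and leave your computer on.") -f
                     $when.DayOfWeek, $when.ToString('yyyy-MM-dd'), $when.ToString('HH:mm')
    }
}

# Constructed sample of the SQL step's output; in Automate this is the @sql_complete_date@ token.
$sample = 'NextInstallWindowServerTime=2020-03-11 03:00:00'
$window = Get-MaintenanceWindow -SqlResult $sample
$window.DayOfWeek   # Wednesday for the constructed sample
$window.Message
```

If the SQL step returns an empty or unexpected value (no patch window scheduled), the function throws instead of silently computing a weekday from a garbage string, which is the failure mode the original `-replace` chain would hide.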
  12. Hi, I don't know if you still need this script, but I made one. Printer setup + Config.xml
  13. You can do a Shell Enhanced: Command: %userprofile%, Variable List: Profile. Now you have the user profile path in the variable %Profile%.