nicecube

UPDATE YOUR SCREENCONNECT NOW


The update you received concerns the security hole that was used to infect us. They say the flaw has not been exploited but that's a big lie ...

We use Automate to clean a lot of PCs with auto-join groups and scripts. We have been working 16 hours a day every day since last Wednesday; we are all exhausted. We are starting to see the light at the end of the tunnel. We have lost some customers but I believe our company will survive. I don't wish this on anyone, it's really a nightmare. Once the decryption was finished and the station disinfected, we thought the PC would be usable, but the ransomware destroyed all NTFS permissions. We are working on a script to put this back in place with basic permissions while we reinstall Windows in the next few weeks.

 

Anyone know of a good tool for fixing NTFS permissions? I tried Windows Repair Tool from tweaking.com with the options that reset permissions but it didn't work. I have also tried the basic subinacl / takeown / icacls commands (script included) but it doesn't work perfectly :S With my permissions script, people can work on the computer while we reinstall all of our clients' PCs. It's a temporary fix while you get it right.


We have uninstalled all of our customers' Webroot and Huntress agents as these products have not been able to protect our customers. We will try CrowdStrike; we got a good price. From what I have read it is really good protection.

 


subinacl /subdirectories c:\ /grant=system=f
subinacl /subdirectories c:\ /grant=administrators=f

takeown /F "C:\Program Files" /A
icacls "c:\program files" /grant "NT SERVICE\TrustedInstaller:(F)"
icacls "c:\program files" /grant "NT SERVICE\TrustedInstaller:(CI)(IO)(F)"
icacls "c:\program files" /grant "NT AUTHORITY\SYSTEM:(M)"
icacls "c:\program files" /grant "NT AUTHORITY\SYSTEM:(OI)(CI)(IO)(F)"
icacls "c:\program files" /grant BUILTIN\Administrators:(M)
icacls "c:\program files" /grant BUILTIN\Administrators:(OI)(CI)(IO)(F)
icacls "c:\program files" /grant BUILTIN\Users:(RX)
icacls "c:\program files" /grant BUILTIN\Users:(OI)(CI)(IO)(GR,GE)
icacls "c:\program files" /grant "CREATOR OWNER:(OI)(CI)(IO)(F)"
icacls "c:\program files" /grant "APPLICATION PACKAGE AUTHORITY\ALL APPLICATION PACKAGES:(RX)"
icacls "c:\program files" /grant "APPLICATION PACKAGE AUTHORITY\ALL APPLICATION PACKAGES:(OI)(CI)(IO)(GR,GE)"
icacls "c:\program files" /grant "APPLICATION PACKAGE AUTHORITY\ALL RESTRICTED APPLICATION PACKAGES:(RX)"
icacls "c:\program files" /grant "APPLICATION PACKAGE AUTHORITY\ALL RESTRICTED APPLICATION PACKAGES:(OI)(CI)(IO)(GR,GE)"
icacls "c:\program files" /grant "AUTORITE NT\Système:(M)"
icacls "c:\program files" /grant "AUTORITE NT\Système:(OI)(CI)(IO)(F)"
icacls "c:\program files" /grant BUILTIN\Administrateurs:(M)
icacls "c:\program files" /grant BUILTIN\Administrateurs:(OI)(CI)(IO)(F)
icacls "c:\program files" /grant BUILTIN\Utilisateurs:(RX)
icacls "c:\program files" /grant BUILTIN\Utilisateurs:(OI)(CI)(IO)(GR,GE)
icacls "c:\program files" /grant "CREATEUR PROPRIETAIRE:(OI)(CI)(IO)(F)"
icacls "c:\program files" /grant "AUTORITÉ DE PACKAGE D'APPLICATION\TOUS LES PACKAGES D'APPLICATION:(RX)"
icacls "c:\program files" /grant "AUTORITÉ DE PACKAGE D'APPLICATION\TOUS LES PACKAGES D'APPLICATION:(OI)(CI)(IO)(GR,GE)"
icacls "c:\program files" /grant "AUTORITÉ DE PACKAGE D'APPLICATION\TOUS LES PACKAGES D'APPLICATION RESTREINTS:(RX)"
icacls "c:\program files" /grant "AUTORITÉ DE PACKAGE D'APPLICATION\TOUS LES PACKAGES D'APPLICATION RESTREINTS:(OI)(CI)(IO)(GR,GE)"
icacls "c:\Program Files" /setowner "NT SERVICE\TrustedInstaller"


takeown /F "C:\Program Files (x86)" /A
icacls "c:\program files (x86)" /grant "NT SERVICE\TrustedInstaller:(F)"
icacls "c:\program files (x86)" /grant "NT SERVICE\TrustedInstaller:(CI)(IO)(F)"
icacls "c:\program files (x86)" /grant "NT AUTHORITY\SYSTEM:(M)"
icacls "c:\program files (x86)" /grant "NT AUTHORITY\SYSTEM:(OI)(CI)(IO)(F)"
icacls "c:\program files (x86)" /grant BUILTIN\Administrators:(M)
icacls "c:\program files (x86)" /grant BUILTIN\Administrators:(OI)(CI)(IO)(F)
icacls "c:\program files (x86)" /grant BUILTIN\Users:(RX)
icacls "c:\program files (x86)" /grant BUILTIN\Users:(OI)(CI)(IO)(GR,GE)
icacls "c:\program files (x86)" /grant "CREATOR OWNER:(OI)(CI)(IO)(F)"
icacls "c:\program files (x86)" /grant "APPLICATION PACKAGE AUTHORITY\ALL APPLICATION PACKAGES:(RX)"
icacls "c:\program files (x86)" /grant "APPLICATION PACKAGE AUTHORITY\ALL APPLICATION PACKAGES:(OI)(CI)(IO)(GR,GE)"
icacls "c:\program files (x86)" /grant "APPLICATION PACKAGE AUTHORITY\ALL RESTRICTED APPLICATION PACKAGES:(RX)"
icacls "c:\program files (x86)" /grant "APPLICATION PACKAGE AUTHORITY\ALL RESTRICTED APPLICATION PACKAGES:(OI)(CI)(IO)(GR,GE)"
icacls "c:\program files (x86)" /grant "AUTORITE NT\Système:(M)"
icacls "c:\program files (x86)" /grant "AUTORITE NT\Système:(OI)(CI)(IO)(F)"
icacls "c:\program files (x86)" /grant BUILTIN\Administrateurs:(M)
icacls "c:\program files (x86)" /grant BUILTIN\Administrateurs:(OI)(CI)(IO)(F)
icacls "c:\program files (x86)" /grant BUILTIN\Utilisateurs:(RX)
icacls "c:\program files (x86)" /grant BUILTIN\Utilisateurs:(OI)(CI)(IO)(GR,GE)
icacls "c:\program files (x86)" /grant "CREATEUR PROPRIETAIRE:(OI)(CI)(IO)(F)"
icacls "c:\program files (x86)" /grant "AUTORITÉ DE PACKAGE D'APPLICATION\TOUS LES PACKAGES D'APPLICATION:(RX)"
icacls "c:\program files (x86)" /grant "AUTORITÉ DE PACKAGE D'APPLICATION\TOUS LES PACKAGES D'APPLICATION:(OI)(CI)(IO)(GR,GE)"
icacls "c:\program files (x86)" /grant "AUTORITÉ DE PACKAGE D'APPLICATION\TOUS LES PACKAGES D'APPLICATION RESTREINTS:(RX)"
icacls "c:\program files (x86)" /grant "AUTORITÉ DE PACKAGE D'APPLICATION\TOUS LES PACKAGES D'APPLICATION RESTREINTS:(OI)(CI)(IO)(GR,GE)"
icacls "c:\Program Files (x86)" /setowner "NT SERVICE\TrustedInstaller"

takeown /F C:\ /A
icacls c:\ /grant "NT AUTHORITY\SYSTEM:(OI)(CI)(F)"
icacls c:\ /grant BUILTIN\Administrators:(OI)(CI)(F)
icacls c:\ /grant BUILTIN\Users:(OI)(CI)(RX)
icacls c:\ /grant BUILTIN\Users:(CI)(AD)
icacls c:\ /grant BUILTIN\Users:(CI)(IO)(WD)
icacls c:\ /grant "CREATOR OWNER:(OI)(CI)(IO)(F)"
icacls c:\ /grant "AUTORITE NT\Système:(OI)(CI)(F)"
icacls c:\ /grant BUILTIN\Administrateurs:(OI)(CI)(F)
icacls c:\ /grant BUILTIN\Utilisateurs:(OI)(CI)(RX)
icacls c:\ /grant BUILTIN\Utilisateurs:(CI)(AD)
icacls c:\ /grant BUILTIN\Utilisateurs:(CI)(IO)(WD)
icacls c:\ /grant "CREATEUR PROPRIETAIRE:(OI)(CI)(IO)(F)"
icacls c:\ /setowner "NT SERVICE\TrustedInstaller"

takeown /F "C:\Users" /A
icacls "C:\Users" /grant "NT AUTHORITY\SYSTEM:(OI)(CI)(F)"
icacls "C:\Users" /grant BUILTIN\Administrators:(OI)(CI)(F)
icacls "C:\Users" /grant BUILTIN\Users:(RX)
icacls "C:\Users" /grant BUILTIN\Users:(OI)(CI)(IO)(GR,GE)
icacls "C:\Users" /grant Everyone:(RX)
icacls "C:\Users" /grant Everyone:(OI)(CI)(IO)(GR,GE)
icacls "C:\Users" /setowner "NT AUTHORITY\SYSTEM"
icacls "C:\Users" /grant "AUTORITE NT\Système:(OI)(CI)(F)"
icacls "C:\Users" /grant BUILTIN\Administrateurs:(OI)(CI)(F)
icacls "C:\Users" /grant BUILTIN\Utilisateurs:(RX)
icacls "C:\Users" /grant BUILTIN\Utilisateurs:(OI)(CI)(IO)(GR,GE)
icacls "C:\Users" /grant "Tout le monde:(RX)"
icacls "C:\Users" /grant "Tout le monde:(OI)(CI)(IO)(GR,GE)"
icacls "C:\Users" /setowner "AUTORITE NT\Système"

 

Edited by nicecube
  • Sad 1
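
An added example, not part of nicecube's post or script: the same grants keyed by well-known SID instead of account name, so a single pass works on both English and French Windows without the duplicated, language-specific lines. The `$Plan` table, the `$BackupDir` path and the SDDL record step are assumptions of this example; the ACEs and owners are copied from the script above.

```powershell
# Added example (not the poster's script). Run from an elevated PowerShell prompt.
# Well-known SIDs are identical on every Windows display language.
$Sid = @{
    TI       = 'S-1-5-80-956008885-3418522649-1831038044-1853292631-2271478464' # NT SERVICE\TrustedInstaller
    System   = 'S-1-5-18'      # NT AUTHORITY\SYSTEM
    Admins   = 'S-1-5-32-544'  # BUILTIN\Administrators
    Users    = 'S-1-5-32-545'  # BUILTIN\Users
    Creator  = 'S-1-3-0'       # CREATOR OWNER
    Everyone = 'S-1-1-0'       # Everyone
    AppPkg   = 'S-1-15-2-1'    # ALL APPLICATION PACKAGES
    RAppPkg  = 'S-1-15-2-2'    # ALL RESTRICTED APPLICATION PACKAGES
}
# ACEs from the post, written as "Account:permissions".
$pf = 'TI:(F)', 'TI:(CI)(IO)(F)', 'System:(M)', 'System:(OI)(CI)(IO)(F)',
      'Admins:(M)', 'Admins:(OI)(CI)(IO)(F)', 'Users:(RX)', 'Users:(OI)(CI)(IO)(GR,GE)',
      'Creator:(OI)(CI)(IO)(F)', 'AppPkg:(RX)', 'AppPkg:(OI)(CI)(IO)(GR,GE)',
      'RAppPkg:(RX)', 'RAppPkg:(OI)(CI)(IO)(GR,GE)'
$root  = 'System:(OI)(CI)(F)', 'Admins:(OI)(CI)(F)', 'Users:(OI)(CI)(RX)',
         'Users:(CI)(AD)', 'Users:(CI)(IO)(WD)', 'Creator:(OI)(CI)(IO)(F)'
$users = 'System:(OI)(CI)(F)', 'Admins:(OI)(CI)(F)', 'Users:(RX)',
         'Users:(OI)(CI)(IO)(GR,GE)', 'Everyone:(RX)', 'Everyone:(OI)(CI)(IO)(GR,GE)'
$Plan = @(
    @{ Path = 'C:\Program Files';       Owner = 'TI';     Aces = $pf }
    @{ Path = 'C:\Program Files (x86)'; Owner = 'TI';     Aces = $pf }
    @{ Path = 'C:\';                    Owner = 'TI';     Aces = $root }
    @{ Path = 'C:\Users';               Owner = 'System'; Aces = $users }
)
$BackupDir = 'C:\AclBackup'   # hypothetical folder for the pre-change record
New-Item -ItemType Directory -Path $BackupDir -Force | Out-Null

foreach ($item in $Plan) {
    $path = $item.Path
    # Take ownership first: the owner can always read and rewrite the DACL.
    & takeown.exe /F $path /A | Out-Null
    # Record the damaged security descriptor as SDDL before changing it.
    $name = ($path -replace '[^A-Za-z0-9]', '_') + '.sddl'
    (Get-Acl -LiteralPath $path).Sddl | Set-Content (Join-Path $BackupDir $name)
    foreach ($ace in $item.Aces) {
        $who, $perm = $ace -split ':', 2
        # A leading * tells icacls the account is given as a numeric SID.
        & icacls.exe $path /grant "*$($Sid[$who]):$perm" | Out-Null
        if ($LASTEXITCODE -ne 0) { Write-Warning "grant failed: $path $ace" }
    }
    & icacls.exe $path /setowner "*$($Sid[$item.Owner])" | Out-Null
    if ($LASTEXITCODE -ne 0) { Write-Warning "setowner failed: $path" }
}
```

Like the original script, this touches only the four top-level folders; the inheritable ACEs reach only those children that still inherit from their parent.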
