Last active
October 25, 2017 06:37
Vaccine for BadRabbit... credits to Cybereason https://www.cybereason.com/blog/cybereason-researcher-discovers-vaccine-for-badrabbit-ransomware
```powershell
# Create the two file names BadRabbit drops in %windir% as empty files, then
# strip every access rule so nothing can overwrite them.
$files = @("cscc.dat", "infpub.dat")
$files | foreach {
    write-host $env:windir\$_
    echo "" > $env:windir\$_                  # create the placeholder file
    $acl = Get-Acl $env:windir\$_
    $acl.SetAccessRuleProtection($true,$true) # removes inheritance (inherited rules become explicit copies)
    $acl | Set-Acl
    $acl = Get-Acl $env:windir\$_
    $acl.Access | %{$acl.RemoveAccessRule($_)} # removes the remaining explicit rules, leaving an empty DACL
    $acl | Set-Acl
}
```
Tested on Win7 & 10. The latter will show some errors, but the two files are created and have the same effect as the GUI method shared by Cybereason. Doing so effectively blocks the main DLL from being written to disk.
For a larger fleet, sysadmins may want to automate the execution at logon or something equivalent.
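Before pushing the vaccine fleet-wide, it helps to have a check that reports whether a host already has it in place. The function below is an added example, not part of the original gist; it assumes PowerShell 3.0 or later and reports, for each of the two files, whether it exists, whether inheritance is disabled and whether any access rules remain. Because an empty DACL leaves only the file owner able to read the security descriptor, a non-owner caller gets an "ACL not readable" note instead of a failure.

```powershell
# Added example: verify the BadRabbit vaccine state on the local host.
# Emits one object per file so the output can be collected across machines.
function Test-BadRabbitVaccine {
    [CmdletBinding()]
    param(
        [string[]]$FileName = @("cscc.dat", "infpub.dat")
    )
    foreach ($name in $FileName) {
        $path = Join-Path $env:windir $name
        $result = [pscustomobject]@{
            Computer   = $env:COMPUTERNAME
            Path       = $path
            Exists     = Test-Path -LiteralPath $path
            Protected  = $false   # inheritance disabled on the file?
            RuleCount  = $null    # explicit ACEs still present
            Vaccinated = $false   # Exists, Protected and RuleCount -eq 0
            Note       = ""
        }
        if ($result.Exists) {
            try {
                $acl = Get-Acl -Path $path
                $result.Protected  = $acl.AreAccessRulesProtected
                $result.RuleCount  = @($acl.Access).Count
                $result.Vaccinated = $result.Protected -and ($result.RuleCount -eq 0)
            } catch {
                # Only the owner can read an empty DACL; anyone else lands here.
                # Report it as unknown rather than as "not vaccinated".
                $result.Note = "ACL not readable: $($_.Exception.Message)"
            }
        } else {
            $result.Note = "file missing"
        }
        $result
    }
}

# Local run; for a fleet, wrap the function in Invoke-Command against the hosts.
Test-BadRabbitVaccine | Format-Table -AutoSize
```

For remote hosts, `Invoke-Command -ComputerName <hosts> -ScriptBlock ${function:Test-BadRabbitVaccine}` runs the same check over WinRM and returns the per-file objects with the Computer column filled in.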
Run PowerShell ISE as admin, paste the code in, click Run.