Created
July 21, 2021 18:28
-
-
Save lawndoc/063364b4c0cb2375cd47e8c000952255 to your computer and use it in GitHub Desktop.
HiveNightmare ACL Fix (and Shadow Copies)
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
#change permissions and delete shadows | |
$checkPermissions = icacls c:\Windows\System32\config\sam | |
if ($checkPermissions -like '*BUILTIN\Users:(I)(RX*)*') { | |
icacls c:\windows\system32\config\*.* /inheritance:e | |
vssadmin delete shadows /quiet /all | |
$vulnerable = $true | |
} | |
else { | |
$vulnerable = $false | |
} | |
#check permissions | |
if ($vulnerable -eq $true) { | |
$checkPermissions = icacls C:\windows\system32\config\sam | |
if ($checkPermissions -like '*BUILTIN\Users:(I)(RX*)*') { | |
$permissionsSucces = $false | |
write-host "ACL change failed. Check permissions running script." | |
} | |
else { | |
$permissionsSucces = $true | |
Write-Host "Successfully reset permission inheritance on affected files." | |
} | |
} | |
#check shadow | |
if ($vulnerable -eq $true) { | |
$checkShadow = Get-WmiObject Win32_ShadowStorage -Property UsedSpace | Select-Object -ExpandProperty UsedSpace | |
if (0 -eq $checkShadow) { | |
$shadowSucces = $true | |
Write-Host "Successfully deleted old volume shadow copies." | |
} | |
else { | |
$shadowSucces = $false | |
write-host "Shadow deletion failed. Security software may be blocking this action." | |
} | |
} | |
#check if fixed logic | |
if ($vulnerable -eq $true) { | |
if ($permissionsSucces -eq $true -and $shadowSucces -eq $true) { | |
$fixed = $true | |
} | |
else { | |
$fixed = $false | |
} | |
} | |
else { | |
$fixed = 'Not applicable' | |
} | |
#create new shadow | |
if ($vulnerable -eq $true -and $shadowSucces -eq $true -and $permissionsSucces -eq $true) { | |
wmic shadowcopy call create Volume='C:\' | |
Write-Host "" | |
} | |
#output data | |
write-host "vulnerable: $vulnerable" | |
write-host "Fixed: $fixed" |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Make sure you are running the script as system via SCCM or similar