Automation blocking Petya / NonPetya

Colleagues, good day.

In connection with the hype around Petya / NonPetya, my colleague Vladislav Kovalev developed a PowerShell script to combat the pest, for which he thanks a lot. I hope someone will be useful. If anyone is interested, I ask under the cat

The petya_youshellnotpass script does the following:
')
- creates rules in the firewall, blocking vulnerable ports;
- searches perfc files in C: \ Windows and deletes files on detection;
- creates new perfc files and sets a ban on them for everyone;
- searches in the Temp folder for each user exe-files and displays a list of found, you need to view and delete suspicious files (manually, by yourself)

Startup Rule:
Runs in normal Windows mode (not secure and not PE).

1. Run the powershell console from the admin and register:
Set-executionpolicy unrestricted -force

2. Execute the petya_youshellnotpass script. Closely monitor the output of the script. Check the files he finds in the Temp folder.

3. In the powershell console enter the command:
Set-executionpolicy restricted -force

Code:

# Get the ID and security principal of the current user account $myWindowsID=[System.Security.Principal.WindowsIdentity]::GetCurrent() $myWindowsPrincipal=new-object System.Security.Principal.WindowsPrincipal($myWindowsID) # Get the security principal for the Administrator role $adminRole=[System.Security.Principal.WindowsBuiltInRole]::Administrator # Check to see if we are currently running "as Administrator" if ($myWindowsPrincipal.IsInRole($adminRole)) { # We are running "as Administrator" - so change the title and background color to indicate this $Host.UI.RawUI.WindowTitle = $myInvocation.MyCommand.Definition + "(Elevated)" $Host.UI.RawUI.BackgroundColor = "DarkBlue" clear-host } else { # We are not running "as Administrator" - so relaunch as administrator # Create a new process object that starts PowerShell $newProcess = new-object System.Diagnostics.ProcessStartInfo "PowerShell"; # Specify the current script path and name as a parameter $newProcess.Arguments = $myInvocation.MyCommand.Definition; # Indicate that the process should be elevated $newProcess.Verb = "runas"; # Start the new process [System.Diagnostics.Process]::Start($newProcess); # Exit from the current, unelevated, process exit } $Compname = Get-WmiObject -Class win32_computersystem | select -expa name $Cred = $Compname+"\admin" Write-Verbose -Message "Start process" -Verbose Write-Verbose -Message "Adding firewall rule" -Verbose try{New-NetFirewallRule -Action Block -Description Peta.A -Direction Inbound -DisplayName Peta.A_Block -Profile Any -Protocol TCP -LocalPort 135,139,445,1024-1035} catch{netsh advfirewall firewall add rule name="Petya.A_Block" protocol=TCP dir=in localport=135,139,445,1024-1035 action=block} if((Test-Path -Path C:\Windows\perfc) -eq $true) { try { Remove-Item -Path C:\Windows\perfc -Force -ea Stop Write-Verbose -Message "File perfc was already exist" -Verbose } catch {Write-Verbose -Message "File perfc already fixed" -Verbose} } if((Test-Path -Path C:\Windows\perfc.dll) -eq $true) { try { Remove-Item -Path C:\Windows\perfc.dll -Force -ea Stop Write-Verbose -Message "File perfc.dll was already exist" -Verbose } catch {Write-Verbose -Message "File perfc.dll already fixed" -Verbose} } if((Test-Path -Path C:\Windows\perfc.dat) -eq $true) { try { Remove-Item -Path C:\Windows\perfc.dat -Force -ea stop Write-Verbose -Message "File perfc.dat was already exist" -Verbose } catch {Write-Verbose -Message "File perfc.dat already fixed" -Verbose} } try{ New-item -Path C:\Windows -ItemType File -Name Perfc -Force -ea Stop New-item -Path C:\Windows -ItemType File -Name Perfc.dll -Force -ea Stop New-item -Path C:\Windows -ItemType File -Name Perfc.dat -Force -ea stop }catch{Write-Verbose -Message "Dont need to create new files"} Write-Verbose -Message "Successfully created" -Verbose $acl1 = Get-acl C:\Windows\Perfc $acl2 = Get-acl C:\Windows\Perfc.dll $acl3 = Get-acl C:\Windows\Perfc.dat $acl1.SetAccessRuleProtection($true,$true) $acl2.SetAccessRuleProtection($true,$true) $acl3.SetAccessRuleProtection($true,$true) $accrule1 = New-Object System.Security.AccessControl.FileSystemAccessRule("NT AUTHORITY\SYSTEM","FullControl","Deny") $accrule2 = New-Object System.Security.AccessControl.FileSystemAccessRule("BUILTIN\","FullControl","Deny") $accrule3 = New-Object System.Security.AccessControl.FileSystemAccessRule("BUILTIN\","ReadAndExecute","Allow") $accrule4 = New-Object System.Security.AccessControl.FileSystemAccessRule("BUILTIN\","ReadAndExecute","Allow") $acl1.SetAccessRule($accrule1) $acl1.SetAccessRule($accrule2) $acl1.SetAccessRule($accrule3) $acl1.SetAccessRule($accrule4) $acl2.SetAccessRule($accrule1) $acl2.SetAccessRule($accrule2) $acl2.SetAccessRule($accrule3) $acl2.SetAccessRule($accrule4) $acl3.SetAccessRule($accrule1) $acl3.SetAccessRule($accrule2) $acl3.SetAccessRule($accrule3) $acl3.SetAccessRule($accrule4) Set-Acl -AclObject $acl1 -Path C:\Windows\Perfc -ea SilentlyContinue Set-Acl -AclObject $acl2 -Path C:\Windows\Perfc.dll -ea SilentlyContinue Set-Acl -AclObject $acl2 -Path C:\Windows\Perfc.dat -ea SilentlyContinue Write-Verbose -Message "Searching for exe files in temp" -Verbose $Prof= Get-ChildItem -Path "C:\Users" -Force |where {!($_.Name -like " ")-or!($_.Name -like "Public")}| select -expa fullname [array]$TempFiles = $null [array]$TempPath = $nell Foreach ($P in $Prof) { $TempPath = $P+"\AppData\Local" Get-ChildItem -Path "$TempPath" -Force -Recurse -ErrorAction SilentlyContinue | where {$_.name -like "*.exe"} | select name,fullname | Format-Table -HideTableHeaders } if ($TempFiles -eq $null){Write-Verbose -Message "None exe file was found" -Verbose} else{Write-Warning -Message "$TempFiles" -Verbose} Write-Host "Press any key to continue ..." $x = $host.UI.RawUI.ReadKey("NoEcho,IncludeKeyDown")