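@echo off
REM ADV200006 (Adobe Type Manager Library) incident-response script.
REM Everything below needs an elevated token (takeown/icacls under the
REM Windows directory, sc config, HKLM writes), so the script first checks
REM for elevation and, if missing, re-launches itself through a UAC prompt
REM and exits.
REM ===== Get administrator privilege =====
REM Listing the ACL of the SYSTEM registry hive file only succeeds with an
REM elevated token; a non-zero exit code from cacls means "not elevated".
>nul 2>&1 "%SYSTEMROOT%\system32\cacls.exe" "%SYSTEMROOT%\system32\config\system"
IF '%errorlevel%' NEQ '0' (
    echo Ask for administrator priviliege ...
    goto UACPrompt
) else ( goto gotAdmin )
:UACPrompt
REM Write a one-shot VBScript that relaunches this script with "runas".
REM params gets a leading space so it is never undefined: applying the
REM quote-doubling substitution to an undefined variable would insert the
REM literal pattern text instead of the arguments.
REM (The original line defined a variable named "params " - trailing space -
REM and applied no substitution at all, so the later expansion was empty and
REM every argument was silently dropped.)
echo Set UAC = CreateObject^("Shell.Application"^) > "%temp%\getadmin.vbs"
set params= %*
REM Quotes inside a VBScript string literal are doubled, hence the doubled
REM quotes around the script path: it still launches when the path has
REM spaces or the volume has no 8.3 short names.
REM SECURITY: the elevated instance re-reads this script from disk after the
REM prompt is answered, so keep the script where standard users cannot
REM write to it.
echo UAC.ShellExecute "cmd.exe", "/c ""%~s0"" %params:"=""%", "", "runas", 1 >> "%temp%\getadmin.vbs"
"%temp%\getadmin.vbs"
REM The helper is not needed once ShellExecute has returned; do not leave a
REM relaunch script behind in a user-writable directory.
del "%temp%\getadmin.vbs"
exit /B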
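:gotAdmin
REM ===== Move to the script's own directory =====
REM The elevated relaunch starts in the system32 directory; pushd records
REM that directory and switches to the script folder in one step (and, unlike
REM CD /D, can also enter a UNC path when the script lives on a share).
pushd "%~dp0"
setlocal
REM NOTE(review): SECUHOST/SECUPORT are not referenced anywhere in this
REM script (they look like a leftover reporting endpoint); kept as-is.
set SECUHOST=10.10.10.10
set SECUPORT=80
color 2f
echo ### ADV200006 Incident response Script by. security group ###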
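echo ### 1. Change filename atmfd.dll ###
REM ADV200006 workaround: rename atmfd.dll (Adobe Type Manager Font Driver)
REM so Windows can no longer load it.  64-bit Windows carries two copies,
REM system32 and syswow64, and both are renamed.  The DACL is saved next to
REM the file (atmfd.dll.acl) so the change can be undone later with
REM "rename x-atmfd.dll atmfd.dll" followed by "icacls atmfd.dll /restore".
REM
REM Fix: the original flow fell through the :no-atmfd-* labels after a
REM successful rename, so RESULT was always overwritten with "Not-exist-...".
REM Each directory now appends its own outcome to RESULT.  The systeminfo.txt
REM dump (slow, and a full system inventory written next to the script) is
REM replaced by the PROCESSOR_ARCHITECTURE check.
set RESULT=
REM The elevated cmd.exe is normally the native one, so PROCESSOR_ARCHITECTURE
REM is AMD64 on x64.  PROCESSOR_ARCHITEW6432 exists only when a 32-bit cmd.exe
REM runs under WOW64.  NOTE(review): in that WOW64 case the system32 path is
REM redirected to syswow64 and the native copy is not reached - confirm the
REM script is launched from a 64-bit cmd.exe on x64 hosts.
if /i "%PROCESSOR_ARCHITECTURE%"=="AMD64" goto x64-based
if defined PROCESSOR_ARCHITEW6432 goto x64-based
echo ######### windows 32bit check ##########
call :rename-atmfd "%windir%\system32" 32bit-system32
goto end-change-atmfd

:x64-based
echo ######### windows 64bit check ##########
call :rename-atmfd "%windir%\system32" 64bit-system32
call :rename-atmfd "%windir%\syswow64" 64bit-syswow64
goto end-change-atmfd

REM ---- subroutine rename-atmfd DIRECTORY TAG ----------------------------
REM Takes ownership of DIRECTORY\atmfd.dll, saves its DACL, grants
REM Administrators full control and renames it to x-atmfd.dll.  Appends
REM "Changed-atmfd.dll-in-TAG", "Not-exist-atmfd.dll-in-TAG" or
REM "Failed-rename-atmfd.dll-in-TAG" to RESULT.  Returns via goto :eof.
:rename-atmfd
if not exist "%~1\atmfd.dll" (
    set "RESULT=%RESULT% Not-exist-atmfd.dll-in-%~2"
    goto :eof
)
pushd "%~1"
takeown.exe /f atmfd.dll
icacls.exe atmfd.dll /save atmfd.dll.acl
REM *S-1-5-32-544 is BUILTIN\Administrators by SID, so the grant also works
REM on localized Windows where the group's display name differs.
icacls.exe atmfd.dll /grant *S-1-5-32-544:(F)
rename atmfd.dll x-atmfd.dll
REM Judge by the post-condition rather than ERRORLEVEL: if atmfd.dll is
REM still present the rename did not happen (e.g. x-atmfd.dll already
REM existed from an earlier run, or the file is locked).
if exist atmfd.dll (
    set "RESULT=%RESULT% Failed-rename-atmfd.dll-in-%~2"
) else (
    set "RESULT=%RESULT% Changed-atmfd.dll-in-%~2"
)
popd
goto :eof

:end-change-atmfd
REM NOTE: renaming the file does not unload a driver that is already loaded;
REM the advisory's workaround steps end with a system restart.
echo Result:%RESULT%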
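echo ### 2. Disable WebClient Service ###
REM The advisory names the WebClient (WebDAV) service as the most likely
REM remote attack vector: stop it now and keep it from starting at boot.
REM "net stop" failing because the service is already stopped is harmless.
net stop WebClient
REM sc.exe needs a space after "start=": the original "start=disabled" (no
REM space) is not recognised - sc prints its usage text and the start type
REM is left unchanged, so the service came back after a reboot.
sc config WebClient start= disabled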
echo ### 3. Disable icon preview option and Remove check-box field in folder option ###
REM Turn off Explorer thumbnails through the policy key in both the user and
REM the machine hive, then switch Explorer to icons-only display.
REM Caveats: HKCU here is the hive of the account that answered the UAC
REM prompt, which may not be the logged-in user; Explorer may need to be
REM restarted before the Advanced\IconsOnly value takes effect; and despite
REM the banner text no folder-option check-box setting is changed below.
for %%H in (HKCU HKLM) do REG ADD %%H\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer /v DisableThumbnails /t REG_DWORD /d 1 /f
REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /v IconsOnly /t REG_DWORD /d 1 /f
echo ### Finished ADV200006 Incident response Script ###
PAUSE
::EXIT
:: [References]
:: https://portal.msrc.microsoft.com/en-us/security-guidance/advisory/adv200006
:: https://portal.msrc.microsoft.com/ko-kr/security-guidance/advisory/adv200006
:: https://docs.microsoft.com/ko-kr/security-updates/securitybulletins/2015/ms15-077
:: https://docs.microsoft.com/en-us/security-updates/securitybulletins/2015/ms15-077
:: https://blog.alyac.co.kr/381
:: https://blog.alyac.co.kr/2855
:: https://jxo21.tistory.com/14
:: https://www.maketecheasier.com/disable-image-preview-thumbnail-windows/