CryptoBlocker icon indicating copy to clipboard operation
CryptoBlocker copied to clipboard
verified publisher icon m-dwyer

Removal of Deny Permissions on Shares

Open nm777 opened this issue 9 years ago • 1 comments

On servers with many shares, removal of the share-level deny ACL applied when an infection is detected is very tedious. By modifying your KillUserSession.ps1 script, I was able to write a script to restore user share access after an infection has been cleaned. I'm sharing my script below for your review and possible inclusion in your project.

Function RemoveDenySharePermission ([string] $ShareName, [string] $DomainUser)
{
    $domainUserSplit = $DomainUser.Split("\")

    $shss = Get-WmiObject -Class Win32_LogicalShareSecuritySetting -Filter "Name='$ShareName'"
    $sd = Invoke-WmiMethod -InputObject $shss -Name GetSecurityDescriptor | Select -ExpandProperty Descriptor

    $sclass = [wmiclass] "ROOT\CIMV2:Win32_SecurityDescriptor"
    $newsd = $sclass.CreateInstance()
    $newsd.ControlFlags = $sd.ControlFlags

    foreach ($oace in $sd.DACL)
    {
        if ($oace.Trustee.Domain -ne $domainUserSplit[0] -or $oace.Trustee.Name -ne $domainUserSplit[1]) {
            $newsd.DACL +=  [System.Management.ManagementBaseObject] $oace
        }
    }

    $share = Get-WmiObject -Class Win32_LogicalShareSecuritySetting -Filter "Name='$ShareName'"
    $setResult = $share.SetSecurityDescriptor($newsd)

    #return $setResult.ReturnValue
}

# Verify the script is being run as an administrator
If (-NOT ([Security.Principal.WindowsPrincipal] [Security.Principal.WindowsIdentity]::GetCurrent()).IsInRole([Security.Principal.WindowsBuiltInRole] “Administrator”))
{
    Write-Warning “You do not have Administrator rights to run this script!`nPlease re-run this script as an Administrator!”
    Break
}

# Request the username
Write-Host "This script will remove the Deny ACLs that were created on shares`nto protect against crypto virus infection.`n"
$DomainUser = Read-Host -Prompt "User account (DOMAIN\User)"

# Let's try altering share permissions..
$Username = $DomainUser.Split("\")[1]

$affectedShares = Get-WmiObject -Class Win32_Share |
                    Select Name, Path, Type |
                    Where { $_.Type -eq 0 }

$affectedShares | % {
    Write-Host "Removing deny ACL for [$DomainUser] on share [$($_.Name)]..."
    RemoveDenySharePermission -ShareName $_.Name -DomainUser $DomainUser
}

Write-Host $affectedShares

nm777 avatar Jun 10 '16 20:06 nm777

This is a great edition, I was very worried about how long it would take to reverse the changes. Has this been implemented as of yet?

Solaris17 avatar Jun 26 '16 20:06 Solaris17