Advice for SAM and SYSTEM readable by BUILTIN\Users
Gist martinsohn/14726d6f49b86284ab9e7518df82307d, last active July 20, 2021 18:27
# Check if system is vulnerable. Run as Administrator with PowerShell. Requires the VSS service to be running.
## Get all shadow copies
$ShadowCopies = (Get-WmiObject -Class Win32_ShadowCopy).DeviceObject
## Check the ACL of the live hive files. icacls only needs READ_CONTROL, so it works on the locked hives.
## The weak ACL is only exploitable through a shadow copy, so the check runs once per existing
## shadow copy and reports nothing when no shadow copies exist.
("SAM","SYSTEM") | ForEach-Object {
    foreach ($ShadowCopy in $ShadowCopies) {
        if ((icacls.exe "$env:windir\System32\config\$_") -match "BUILTIN\\Users") {
            Write-Host "Current system is vulnerable! '$_' is readable by 'BUILTIN\Users'. You should delete and disable Shadow Copies." -ForegroundColor Red
            # return leaves this ForEach-Object script block, so each hive is reported at most once
            return
        }
    }
}
# Mitigate vulnerability
## Delete all previous shadow copies
wmic shadowcopy delete /NOINTERACTIVE
## Disable and stop the Shadow Copy service. Disabling alone does not remove existing shadow copies; the system stays vulnerable until they are deleted!
Stop-Service vss -Force
Set-Service vss -StartupType Disabled
# Re-enable shadow copies once Microsoft has released a patch
## Enable and start the Shadow Copy service.
Set-Service vss -StartupType Manual
Start-Service vss
# PowerShell code to grab hives: send me a pm
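As an added example (not part of the gist), a structured version of the check above plus Microsoft's published ACL workaround: `Test-HiveExposure` and `Repair-HiveInheritance` are names chosen here, and both assume an elevated PowerShell session.

```powershell
# Added example, not from the gist. Run elevated.
# Test-HiveExposure inspects each hive's live ACL with Get-Acl (more precise than a regex
# over icacls output) and reports whether shadow copies exist, since the weak ACL is
# only exploitable through a shadow copy. Repair-HiveInheritance applies Microsoft's
# published workaround (re-enable inheritance on the config directory); existing
# shadow copies still have to be deleted afterwards, as the gist does with wmic.
function Test-HiveExposure {
    [CmdletBinding()]
    param(
        [string[]]$Hives = @('SAM', 'SYSTEM'),   # add 'SECURITY' to cover that hive too
        [string]$ConfigDir = (Join-Path $env:windir 'System32\config')
    )
    $readData = [System.Security.AccessControl.FileSystemRights]::ReadData
    $shadows  = @(Get-CimInstance -ClassName Win32_ShadowCopy -ErrorAction SilentlyContinue)

    foreach ($hive in $Hives) {
        $path = Join-Path $ConfigDir $hive
        # Reading the security descriptor needs only READ_CONTROL, so this works
        # even though the live hive is exclusively locked by the kernel.
        $acl  = Get-Acl -LiteralPath $path
        $weak = @($acl.Access | Where-Object {
            $_.IdentityReference.Value -eq 'BUILTIN\Users' -and
            $_.AccessControlType -eq 'Allow' -and
            $_.FileSystemRights.HasFlag($readData)
        })
        [pscustomobject]@{
            Hive             = $hive
            UsersCanRead     = $weak.Count -gt 0
            # The offending ACE is flagged as inherited; that is what /inheritance:e recomputes.
            FlaggedInherited = ($weak | Where-Object IsInherited | Measure-Object).Count -gt 0
            ShadowCopyCount  = $shadows.Count
            Exploitable      = ($weak.Count -gt 0) -and ($shadows.Count -gt 0)
        }
    }
}

function Repair-HiveInheritance {
    param([string]$ConfigDir = (Join-Path $env:windir 'System32\config'))
    # Microsoft's published workaround: re-enable ACL inheritance so every file in
    # the config directory re-inherits the directory's ACL instead of the stray ACEs.
    icacls.exe (Join-Path $ConfigDir '*.*') /inheritance:e
}

Test-HiveExposure | Format-Table -AutoSize
```

Run `Test-HiveExposure` again after `Repair-HiveInheritance` and the shadow copy deletion to confirm `UsersCanRead` and `Exploitable` are both False.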