Created September 27, 2017 16:52 by ujeenator (gist 9a907ff14ef87c4609e9661459df3cef)
#petya #notpetya #virus #петя #вирус
Windows Petya protection check list for System Administrators (Version 1.2)
Provided AS IS without warranty; use it only if you understand what you are doing
1. Close vulnerable ports via CMD (WARNING: this disables SMB)
netsh advfirewall firewall add rule name="Petya TCP" dir=in action=block protocol=TCP localport=1024-1035,135,139,445
netsh advfirewall firewall add rule name="Petya UDP" dir=in action=block protocol=UDP localport=1024-1035,135,139,445
2. Create Petya kill switch via CMD
del %WINDIR%\perfc.dat /f
del %WINDIR%\perfc.dll /f
del %WINDIR%\perfc /f
type NUL > %WINDIR%\perfc.dat
type NUL > %WINDIR%\perfc.dll
type NUL > %WINDIR%\perfc
attrib +R %WINDIR%\perfc.dat
attrib +R %WINDIR%\perfc.dll
attrib +R %WINDIR%\perfc
icacls %WINDIR%\perfc.dat /reset
icacls %WINDIR%\perfc.dat /inheritance:r
icacls %WINDIR%\perfc.dat /deny "BUILTIN\Users":(F)
icacls %WINDIR%\perfc.dat /deny "BUILTIN\Administrators":(F)
icacls %WINDIR%\perfc.dat /deny "SYSTEM":(F)
icacls %WINDIR%\perfc.dll /reset
icacls %WINDIR%\perfc.dll /inheritance:r
icacls %WINDIR%\perfc.dll /deny "BUILTIN\Users":(F)
icacls %WINDIR%\perfc.dll /deny "BUILTIN\Administrators":(F)
icacls %WINDIR%\perfc.dll /deny "SYSTEM":(F)
icacls %WINDIR%\perfc /reset
icacls %WINDIR%\perfc /inheritance:r
icacls %WINDIR%\perfc /deny "BUILTIN\Users":(F)
icacls %WINDIR%\perfc /deny "BUILTIN\Administrators":(F)
icacls %WINDIR%\perfc /deny "SYSTEM":(F)
echo DONE
3. Apply group policy based vaccine
https://eddwatton.wordpress.com/2017/06/27/use-group-policy-preferences-to-deploy-the-notpetya-vaccine/
4. Patch MS17-010 (aka EternalBlue; in particular CVE-2017-0144, the vulnerability used by Petya)
https://technet.microsoft.com/en-us/library/security/ms17-010.aspx
5. Patch CVE-2017-0199
https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-0199
6. Disable the legacy, 30-year-old SMBv1 via PowerShell (Windows XP users may lose access to SMB shares)
Set-SmbServerConfiguration -EnableSMB1Protocol $false
7. Disable wmic.exe and psexec.exe via PowerShell
New-Item -Path "HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\psexec.exe" -Force
New-ItemProperty -Path "HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\psexec.exe" -Name "Debugger" -PropertyType "String" -Value "svchost.exe" -Force
New-Item -Path "HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\wmic.exe" -Force
New-ItemProperty -Path "HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\wmic.exe" -Name "Debugger" -PropertyType "String" -Value "svchost.exe" -Force
8. Protect your MBR
https://www.talosintelligence.com/mbrfilter
9. Run ESET's utility to check for the EternalBlue vulnerability
https://help.eset.com/eset_tools/ESETEternalBlueChecker.exe
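A verification script, added here and not part of the original gist, that reports whether steps 1, 2, 6 and 7 of the checklist are actually in place on the local machine. It assumes Windows 8 / Server 2012 or later (for Get-SmbServerConfiguration and Get-NetFirewallRule), an elevated prompt, and the rule names used above.

```powershell
# Added check script (not from the gist): verifies checklist steps 1, 2, 6 and 7.
# Exit code 0 means every check passed, 1 means at least one item is missing.
$results = @()

# Step 1: inbound block rules named as in the checklist (assumed names).
foreach ($name in @('Petya TCP', 'Petya UDP')) {
    $rule = Get-NetFirewallRule -DisplayName $name -ErrorAction SilentlyContinue
    $ok = ($null -ne $rule) -and ("$($rule.Enabled)" -eq 'True') -and ("$($rule.Action)" -eq 'Block')
    $results += [pscustomobject]@{ Check = "Firewall rule '$name' enabled and blocking"; OK = $ok }
}

# Step 2: kill-switch files exist in %WINDIR% and carry the read-only attribute.
foreach ($f in @('perfc.dat', 'perfc.dll', 'perfc')) {
    $path = Join-Path $env:WINDIR $f
    $ok = $false
    if (Test-Path -LiteralPath $path) {
        $attrs = (Get-Item -LiteralPath $path -Force).Attributes
        $ok = [bool]($attrs -band [IO.FileAttributes]::ReadOnly)
    }
    $results += [pscustomobject]@{ Check = "Vaccine file $path present and read-only"; OK = $ok }
}

# Step 6: SMBv1 server protocol disabled.
$smb1 = (Get-SmbServerConfiguration).EnableSMB1Protocol
$results += [pscustomobject]@{ Check = 'SMBv1 server protocol disabled'; OK = (-not $smb1) }

# Step 7: IFEO Debugger value redirects psexec.exe and wmic.exe to svchost.exe.
foreach ($exe in @('psexec.exe', 'wmic.exe')) {
    $key = "HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\$exe"
    $dbg = (Get-ItemProperty -Path $key -Name Debugger -ErrorAction SilentlyContinue).Debugger
    $results += [pscustomobject]@{ Check = "IFEO Debugger set for $exe"; OK = ($dbg -eq 'svchost.exe') }
}

$results | Format-Table -AutoSize
if ($results | Where-Object { -not $_.OK }) { exit 1 } else { exit 0 }
```

Steps 3, 4, 5, 8 and 9 are not covered because their evidence (GPO deployment, per-OS KB numbers, the MBRFilter driver, ESET's tool) varies by environment and is not something the checklist itself pins down.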