Last active
October 7, 2022 07:04
Gist: xasz/53754812e48311a65c7d0b6bc3376634
Helper script ProxyNotShell CVE-2022-41040 and CVE-2022-41082
<#
Helper script ProxyNotShell CVE-2022-41040 and CVE-2022-41082
!! Run this in Exchange Management Shell !!
!! Have the permission - best Domain Admin !!
!! Do it at your own risk !!
!! Run "Add-WindowsFeature RSAT-AD-Powershell" if the module is missing
Disables PowerShell Remoting for all users who are not members of the following well-known groups:
- Administrators
- Domain Admins
- Enterprise Admins
HAZARDOUS - DANGER - ACHTUNG - ATTENTION - PLEASE READ!
Think very hard about your plans for the next hours before you hit "Yes" in the final step.
There is a high chance this will brick a lot.
github.com\xasz
Credit to ConanChiles for his amazing work, which was just too complex for my cases:
https://gist.github.com/ConanChiles/3d3a5703f9737e5f90f554bd325fe3e2
#>

# Record the whole session (including the list of affected users) in a transcript file.
Start-Transcript -Path "C:\Ostalb IT\Logs\DisablePowershell.txt" -Append
$ErrorActionPreference = "Stop"

# Resolve the well-known admin groups by SID so the script works regardless of localized group names.
$Domain = Get-ADDomain
$WellKnownGroups = @()
$WellKnownGroups += Get-ADGroup -Filter ("SID -eq '{0}'" -f ("{0}-512" -f $Domain.DomainSID)) # Domain Admins
$WellKnownGroups += Get-ADGroup -Filter ("SID -eq '{0}'" -f ("{0}-519" -f $Domain.DomainSID)) # Enterprise Admins
$WellKnownGroups += Get-ADGroup -Filter ("SID -eq '{0}'" -f "S-1-5-32-544")                  # Administrators (BUILTIN)

# All Exchange users that currently have Remote PowerShell enabled.
$UsersWithRemotePowerShellEnabled = Get-User -ResultSize Unlimited | Where-Object { $_.RemotePowerShellEnabled -eq $true }

# All (nested) members of the admin groups; these keep Remote PowerShell.
$UsersInWellKnownGroups = $WellKnownGroups | ForEach-Object { Get-ADGroupMember -Identity $_ -Recursive }

# Everyone else with Remote PowerShell enabled is a candidate for disabling.
$UsersToDisableRemotePowershell = @()
foreach ($user in $UsersWithRemotePowerShellEnabled) {
    if ($UsersInWellKnownGroups.SamAccountName -contains $user.SamAccountName) {
        Write-Host "Ausgefiltert: $($user.Name) - SamAccountName: $($user.SamAccountName)" -ForegroundColor Green
    } else {
        $UsersToDisableRemotePowershell += $user
    }
}

Write-Host "---------------------------------------------------------------------------------" -ForegroundColor Red
Write-Host "Fuer folgende Nutzer wird PowershellRemoting deaktiviert" -ForegroundColor Red
Write-Host "---------------------------------------------------------------------------------" -ForegroundColor Red
$UsersToDisableRemotePowershell | Select-Object Name, SamAccountName, RemotePowerShellEnabled | Format-Table
Write-Host "---------------------------------------------------------------------------------" -ForegroundColor Red
Write-Host "Folgende Schritte sind als moeglicherweise destruktiv anzusehen" -ForegroundColor Red
Write-Host "---------------------------------------------------------------------------------" -ForegroundColor Red
Write-Host "PowerShell Remoting deaktivieren"
Write-Host "Bist du dir absolut sicher, dass du Powershell-Remoting an allen oben genannten Benutzer deaktivieren moechtest."

# Final confirmation: nothing is changed unless the operator types exactly "Ja".
$choice = Read-Host "Bitte (Ja) eingeben"
if ($choice -eq "Ja") {
    Write-Host 'Du weisst also was du tust!'
    $UsersToDisableRemotePowershell | ForEach-Object {
        Write-Host "PowerShell deaktivieren fuer: $($_.DistinguishedName)" -ForegroundColor Red
        Set-User -Identity $_.DistinguishedName -RemotePowerShellEnabled $false
    }
} else {
    Write-Host 'Nix machen, macht zumindest nix kaputt'
}

Stop-Transcript
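The gist above prints the affected users and logs them to a transcript, but it keeps no machine-readable record of the pre-change state, and it offers no way to re-check the environment afterwards. The following companion functions are an added example, not part of xasz's gist: they snapshot every user with Remote PowerShell enabled to a CSV before the change, audit afterwards which non-admin users still have it enabled, and restore the snapshot if the change turns out to break something. They assume the same environment as the gist (Exchange Management Shell plus the ActiveDirectory module); the CSV path and the function names are my own choices.

```powershell
# Added example (not from the gist): snapshot, audit and rollback helpers for the
# Remote PowerShell mitigation. Assumes Exchange Management Shell + ActiveDirectory module.
$SnapshotPath = "C:\Temp\RemotePowerShell-Snapshot.csv"   # assumed location, adjust as needed

function Export-RemotePowerShellSnapshot {
    param([string]$Path = $SnapshotPath)
    # Record every user that currently has Remote PowerShell enabled, so the exact
    # pre-change state can be restored later. Run this BEFORE the gist's script.
    Get-User -ResultSize Unlimited |
        Where-Object { $_.RemotePowerShellEnabled -eq $true } |
        Select-Object Name, SamAccountName, DistinguishedName, RemotePowerShellEnabled |
        Export-Csv -Path $Path -NoTypeInformation -Encoding UTF8
}

function Get-NonAdminRemotePowerShellUsers {
    # Audit: users that still have Remote PowerShell enabled although they are not
    # (nested) members of Administrators, Domain Admins or Enterprise Admins.
    # Groups are resolved by SID, like in the gist, so localized names do not matter.
    $domainSid = (Get-ADDomain).DomainSID.Value
    $adminGroupSids = @("${domainSid}-512", "${domainSid}-519", "S-1-5-32-544")
    $adminMembers = foreach ($sid in $adminGroupSids) {
        Get-ADGroupMember -Identity $sid -Recursive |
            Where-Object { $_.objectClass -eq 'user' } |
            Select-Object -ExpandProperty SamAccountName
    }
    Get-User -ResultSize Unlimited |
        Where-Object { $_.RemotePowerShellEnabled -eq $true -and
                       $adminMembers -notcontains $_.SamAccountName } |
        Select-Object Name, SamAccountName, DistinguishedName
}

function Restore-RemotePowerShellSnapshot {
    param([string]$Path = $SnapshotPath, [switch]$WhatIf)
    # Rollback: re-enable Remote PowerShell only for the users recorded in the snapshot.
    # Admins in the snapshot were never disabled, so re-enabling them is a no-op.
    foreach ($row in Import-Csv -Path $Path) {
        Set-User -Identity $row.DistinguishedName -RemotePowerShellEnabled $true -WhatIf:$WhatIf
    }
}

# Typical sequence:
#   Export-RemotePowerShellSnapshot          # before running the gist's script
#   Get-NonAdminRemotePowerShellUsers        # afterwards: should return nothing
#   Restore-RemotePowerShellSnapshot -WhatIf # preview a rollback, drop -WhatIf to apply it
```

An empty result from Get-NonAdminRemotePowerShellUsers is the expected post-mitigation state; any row it returns is a user the gist's script did not catch (for example an account created after the run) and can be handled individually with Set-User. The audit filters Get-ADGroupMember output to user objects only, so nested computer accounts do not end up in the exclusion list.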