Thursday, 29 June 2017

PerfC Vaccination for ExPetr/Petya/NotPetya Wiper

This is a script I've written to 'vaccinate' our domain against the ExPetr/Petya/NotPetya Wiper.

In short, it finds all computer objects in the domain, with an OS that isn't 'Unknown' or 'Windows Server 2003', and attempts to copy 'perfc' to the C:\Windows directory of each machine. I'm not supplying a copy of the file, only the mechanism to deploy it.

If you wish to test the script's behaviour on a subset of computers on your domain, I've deliberately left a (commented out) searchbase filter on line 24:


#$WindowsComputers = (get-adcomputer -server $dc -filter * -SearchBase "ou=SOMEOU,dc=YOUR,dc=DOMAIN,dc=HERE").name

...that you can adjust as necessary. Once you've amended line 24, comment out line 20:

$WindowsComputers = (Get-ADComputer -Server $DC -filter {}).name



This script is provided 'as-is' without warranty of any kind.

EDIT: Fixed bug where summary reported the successful count as the failed count and vice versa
       


#
# Powershell script to copy PerfC vaccine to computers found in Active Directory
#           by Daniel Shuttleworth 
#                credit to @KieranWalsh for his WannaCry PoSH script that this script makes use of
#
#Requires -Modules ActiveDirectory

# You must specify a source location for PerfC
$Source = "C:\Windows\Perfc"

# You must specify a domain controller here
$DC = "somedc.your.domain"

# Log directory
$log = Join-Path -Path ([Environment]::GetFolderPath('MyDocuments')) -ChildPath "PerfC presence status for $($ENV:USERDOMAIN).log"

#=========================================================

# Find computer objects in Active Directory
$WindowsComputers = (Get-ADComputer -Server $DC -filter {(OperatingSystem  -notlike 'Windows Server 2003*') -and (OperatingSystem -notlike 'Unknown')}).name | Sort-Object


# If you want to test the script and filter on an OU, I've left the below in..
#$WindowsComputers = (get-adcomputer -server $dc -filter * -SearchBase "ou=SOMEOU,dc=YOUR,dc=DOMAIN,dc=HERE").name

# Count computers found in the domain
$ComputerCount = $WindowsComputers.count
"There are $ComputerCount computers in the domain"

#=========================================================

# Create arrays to deliver counts at the end of processing

$PerfCPresent = @()
$Offline = @()
$CopyFail = @()
$CopySuccess = @()

#=========================================================

# Loop through each computer found in the domain and vaccinate if required 


foreach ($computer in $WindowsComputers)
{
 
 # Check computer is online
 try
 {
  if (Test-Connection $computer -Count 1 -ErrorAction Stop)
  {
   
   # Check if device already has a PerfC file
   $CheckPerfC = Test-Path \\$computer\C$\Windows\Perfc
   
   # If it does, skip to the next computer
   if ($CheckPerfC -eq $true)
   {
    Write-Host -fore Green "File already present, skipping " -NoNewline; write-host -fore White $computer
    $PerfCPresent += $computer
   }
   
   # If it doesn't exist, copy the file and check it copies successfully
   if ($CheckPerfC -eq $false)
   {
    
    write-host -fore Yellow "Copying to " -NoNewline; write-host -fore white $computer
    
    # Copy the file from the configured $Source and confirm it arrived
    Copy-Item -Path $Source -Destination "\\$Computer\C`$\Windows\perfc"
    $CheckPerfCCopy = Test-Path "\\$Computer\C`$\Windows\perfc"
    
    if ($CheckPerfCCopy -eq $true)
    {
     Write-Host -fore Green "File copied successfully to " -NoNewline; write-host -fore White $computer
     $CopySuccess += $computer
    }
    if ($CheckPerfCCopy -eq $false)
    {
     Write-Host -fore Yellow "File not found on " -NoNewline; write-host -fore White $computer -nonewline; write-host -fore Yellow " copy appears to have failed!"
     $CopyFail += $computer
    }
   }
  }
  
 }

 Catch { $Offline+=$Computer }
}


#=========================================================
 
 # Summarise findings
 
 "Summary for domain: $ENV:USERDNSDOMAIN"
 "PerfC Present ($($PerfCPresent.count)):" | Out-File -FilePath $log -Append
 $PerfCPresent -join (', ') | Out-File -FilePath $log -Append
 '' | Out-File -FilePath $log -Append
 "PerfC Copy Succeeded($($CopySuccess.count)):" | Out-File -FilePath $log -Append
 $CopySuccess -join (', ') | Out-File -FilePath $log -Append
 '' | Out-File -FilePath $log -Append
 "PerfC Copy Failed($($CopyFail.count)):" | Out-File -FilePath $log -Append
 $CopyFail -join (', ') | Out-File -FilePath $log -Append
 '' | Out-File -FilePath $log -Append
 "Offline/Untested($(($Offline).count)):" | Out-File -FilePath $log -Append
 $Offline -join (', ') | Out-File -FilePath $log -Append
 
 "Of the $($WindowsComputers.count) windows computers in active directory, $($Offline.count) were off, $($CopyFail.count) had issues copying PerfC, $($CopySuccess.count) were vaccinated this run and $($PerfCPresent.count) had a PerfC vaccine present already."
 'Full details in the log file.'
 
 try
 {
  # Quote the path: the log file name contains spaces
  Start-Process -FilePath notepad++ -ArgumentList "`"$log`"" -ErrorAction Stop
 }
 catch
 {
  Start-Process -FilePath notepad.exe -ArgumentList "`"$log`""
 }


#=========================================================
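
One way to trial the deployment on a single OU without commenting lines in and out, shown as an added example that is not part of the original script. The function names Get-VaccineTarget and Copy-PerfCVaccine are hypothetical; the filter, the OU placeholder and the paths are the ones used in the script above. Running with -WhatIf reports which machines would receive the file without writing to any of them.

```powershell
# Added example; function names are hypothetical, not from the original script.
$Source = 'C:\Windows\Perfc'      # same placeholder values as the script above
$DC     = 'somedc.your.domain'

function Get-VaccineTarget {
    param(
        [Parameter(Mandatory)][string]$Server,
        [string]$SearchBase          # optional: limit the run to one OU
    )
    $query = @{
        Server = $Server
        Filter = "OperatingSystem -notlike 'Windows Server 2003*' -and OperatingSystem -notlike 'Unknown'"
    }
    if ($SearchBase) { $query.SearchBase = $SearchBase }
    (Get-ADComputer @query).Name | Sort-Object
}

function Copy-PerfCVaccine {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)][string]$ComputerName,
        [Parameter(Mandatory)][string]$Source
    )
    $target = "\\$ComputerName\C`$\Windows\perfc"
    if (-not (Test-Connection -ComputerName $ComputerName -Count 1 -Quiet)) { return 'Offline' }
    if (Test-Path -LiteralPath $target) { return 'Present' }
    # With -WhatIf, ShouldProcess returns $false and nothing is written
    if ($PSCmdlet.ShouldProcess($target, "Copy $Source")) {
        Copy-Item -LiteralPath $Source -Destination $target -ErrorAction SilentlyContinue
        if (Test-Path -LiteralPath $target) { return 'Copied' }
        return 'CopyFailed'
    }
    'WouldCopy'
}

# Pilot: dry run against one OU, then summarise by outcome
$pilotOU = 'ou=SOMEOU,dc=YOUR,dc=DOMAIN,dc=HERE'
$results = foreach ($computer in (Get-VaccineTarget -Server $DC -SearchBase $pilotOU)) {
    [pscustomobject]@{
        Computer = $computer
        Result   = Copy-PerfCVaccine -ComputerName $computer -Source $Source -WhatIf
    }
}
$results | Group-Object -Property Result | Select-Object -Property Name, Count
```

Drop -WhatIf to perform the copy, and omit -SearchBase to cover the whole domain.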


 
