Server Fault Asked by DefToneR on December 30, 2021
As a small mitigation, for a large network, against the exploit of replacing utilman.exe with cmd.exe from Windows repair and then changing a user's password, I'm writing a small script based on the EventSentry tool that will detect that utilman.exe has changed, and I can attach an action to it.
But this detection will take place after the attacker has already logged in to the local computer.
So I'm writing a script that will change access rights, blocking deletion and renaming of utilman.exe, and I want to add a password change for the currently logged-in user and then log off.
This is what I have so far:
@ECHO off
takeown /f c:\windows\system32\utilman.exe
icacls c:\windows\system32\utilman.exe /deny *S-1-1-0:(DE,WD,AD,RX)
net user [NeedToGetLogedUser] 123456
shutdown -L
The action that I attach will execute this script under another user (not the actually logged-in user). So I need to get the user currently logged in to the computer instead of the user that this script will run under.
I was thinking of:
C:\Users\MyUser>query user
 USERNAME              SESSIONNAME        ID  STATE   IDLE TIME  LOGON TIME
>MyUser                console             1  Active      none   7/9/2020 6:27 PM
But I can't figure out how to parse the result to get just "MyUser" alone (using findstr) to use it with the net user command.
...and for the hat trick - the same as the above using VBScript:
Set wshShell = WScript.CreateObject("WScript.Shell")
' Get the username
strUsername = Get_LoggedOnUserName()
' Set localappdata variable and then echo it out
Dim localappdata
localappdata = "C:\users\" & strUsername & "\appdata\local"
WScript.Echo localappdata

Function Get_LoggedOnUserName
    Dim arrParts
    strComputer = "."
    Set objWMIService = GetObject("winmgmts:\\" & strComputer & "\root\CIMV2")
    Set colItems = objWMIService.ExecQuery("SELECT * FROM Win32_ComputerSystem",,48)
    For Each objItem In colItems
        ' UserName is "DOMAIN\user" (Null when nobody is logged on interactively);
        ' keep only the part after the backslash
        If Not IsNull(objItem.UserName) Then
            arrParts = Split(objItem.UserName, "\", -1, 1)
            Get_LoggedOnUserName = arrParts(1)
        End If
    Next
End Function
Answered by Phil Lawson on December 30, 2021
Same as below, using PowerShell:
# get the Session ID of this process - the same as that of the user
$sessionId = Get-Process -Id $pid | Select-Object -ExpandProperty SessionId
# get the output of 'query.exe user' for that session ID
$quOutput = query.exe user $sessionId
# parse the output of query.exe to get the user ID only
# (line 0 is the header; the row for the current session is prefixed with '>')
$userId = $quOutput[1] -replace '^\s*>?(\S+)\s+.*$', '$1'
# set localappdata path
$localappdata = "C:\users\${userId}\appdata\local"
Answered by Phil Lawson on December 30, 2021
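A fuller version of this approach, added here as an example and not taken from the question or any of the answers. It parses the `query user` table into objects instead of trusting the `>` marker (that marker tags the session of the account running the script, not the person at the keyboard, so it points the wrong way once EventSentry runs the action as another user), selects the Active console session, and then applies the remediation from the question with two changes a practitioner would want: a random password in place of a fixed one, and `logoff <session id>` in place of `shutdown /l`, which only logs off the session the script itself runs in. The function names (`ConvertFrom-QueryUser`, `Get-ConsoleUser`, `Invoke-UtilmanResponse`) and the sample `query user` lines are my own constructions; `Set-LocalUser` needs Windows 10 / Server 2016 or later and an elevated prompt.

```powershell
# Added example, not code from the original question or answers.
# Assumes: elevated PowerShell, Windows 10 / Server 2016+ (Set-LocalUser), and
# query.exe, takeown.exe, icacls.exe, logoff.exe on PATH. Function names are my own.

$UtilmanPath = 'C:\Windows\System32\utilman.exe'

function ConvertFrom-QueryUser {
    # Turn the text table printed by 'query user' into objects.
    # Header:  " USERNAME  SESSIONNAME  ID  STATE  IDLE TIME  LOGON TIME"
    # Rows start with '>' for the caller's own session, otherwise with a space.
    # Disconnected sessions have an empty SESSIONNAME column, so that group is
    # optional and the numeric ID column anchors the parse.
    param([string[]]$Lines = @())
    foreach ($line in ($Lines | Select-Object -Skip 1)) {
        if ($line -notmatch '^(?<cur>[ >])\s*(?<user>\S+)\s+(?:(?<sess>\S+)\s+)?(?<id>\d+)\s+(?<state>\S+)') {
            continue
        }
        [pscustomobject]@{
            UserName    = $Matches.user
            SessionName = $Matches.sess
            Id          = [int]$Matches.id
            State       = $Matches.state
            IsCaller    = ($Matches.cur -eq '>')
        }
    }
}

function Get-ConsoleUser {
    # The user at the physical console: the Active session named 'console'.
    # Falls back to any Active session (e.g. RDP) so a headless box still yields a target.
    # The '>' marker is deliberately ignored: it marks *our* session, not the victim's.
    param([string[]]$Lines = @(query.exe user 2>$null))
    $sessions = @(ConvertFrom-QueryUser -Lines $Lines)
    $hit = $sessions | Where-Object { $_.SessionName -eq 'console' -and $_.State -eq 'Active' } |
           Select-Object -First 1
    if (-not $hit) { $hit = $sessions | Where-Object State -eq 'Active' | Select-Object -First 1 }
    return $hit
}

function Invoke-UtilmanResponse {
    # Lock utilman.exe, rotate the session owner's password, log that session off.
    param(
        [Parameter(Mandatory)]$Session,
        [string]$Path = $UtilmanPath,
        [switch]$DryRun            # report what would happen, change nothing
    )
    # Same ACE the question uses: deny Everyone delete/write/append/execute.
    # Caveat: this also breaks the legitimate Ease of Access button on the logon screen.
    if (-not $DryRun) {
        takeown.exe /f $Path | Out-Null
        icacls.exe $Path /deny '*S-1-1-0:(DE,WD,AD,RX)' | Out-Null
    }
    # Random password instead of a fixed '123456': anyone who can read the script
    # (or guess the convention) would otherwise know the new password too.
    $bytes = New-Object byte[] 24
    [System.Security.Cryptography.RandomNumberGenerator]::Create().GetBytes($bytes)
    $newPassword = [Convert]::ToBase64String($bytes)
    # Set-LocalUser only manages local accounts; strip any DOMAIN\ prefix.
    $localName = $Session.UserName -replace '^.*\\'
    if (-not $DryRun) {
        Set-LocalUser -Name $localName -Password (ConvertTo-SecureString $newPassword -AsPlainText -Force)
        # Log off the *target* session by ID. 'shutdown /l' would log off the session this
        # script runs in, which is not the attacker's when the action runs as another account.
        logoff.exe $Session.Id
    }
    # Hand the result to whoever re-enables the account; do not write it to a shared log.
    [pscustomobject]@{ User = $localName; SessionId = $Session.Id; NewPassword = $newPassword; DryRun = [bool]$DryRun }
}

# Constructed sample output (not captured from a real host) so the parser can be
# exercised offline. The caller's '>' row is an RDP service account, the real target
# is MyUser on the console, and bob is a disconnected session with no SESSIONNAME.
$sample = @(
    ' USERNAME              SESSIONNAME        ID  STATE   IDLE TIME  LOGON TIME',
    '>svc_eventsentry       rdp-tcp#3           3  Active      none   7/9/2020 6:30 PM',
    ' MyUser                console             1  Active      none   7/9/2020 6:27 PM',
    ' bob                                       2  Disc        1:12   7/9/2020 5:01 PM'
)
$target = Get-ConsoleUser -Lines $sample     # MyUser, session 1, not the '>' row
Invoke-UtilmanResponse -Session $target -DryRun | Format-List
# Live run, from the EventSentry action:
#   Invoke-UtilmanResponse -Session (Get-ConsoleUser)
```

The dry run against the constructed sample shows the selection logic picking MyUser (session 1) even though the `>` marker sits on the service account's RDP session; in a live run the same object drives `Set-LocalUser` and `logoff`. The ACL step is kept exactly as the question has it, including its side effect on the logon-screen accessibility button.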
If you want to split the username and domain and then use them to set a localappdata path for the user, here's how to do it:
:: Get current session user's Domain and username
:: (the inner loop strips the trailing carriage return that wmic appends to each line)
for /F "tokens=2 delims==" %%f in ('wmic computersystem get username /value ^| find "="') do (
    for /F "delims=" %%g in ("%%f") do set "ConsoleUser=%%g"
)
:: Split and set variables for current session user's Domain and username
FOR /f "tokens=1 delims=\" %%a IN ("%ConsoleUser%") do set "domain=%%a"
FOR /f "tokens=2 delims=\" %%b IN ("%ConsoleUser%") do set "user=%%b"
:: Echo username and domain
echo %domain%
echo %user%
:: Set variable localappdata path and echo
set "localappdata=C:\users\%user%\AppData\Local"
echo %localappdata%
Answered by Phil Lawson on December 30, 2021
Thanks for all the replies. They helped me find the solution. I ended up with this script, which works perfectly for what I need :)
@ECHO off
set ConsoleUser=None
takeown /f c:\windows\system32\utilman.exe
icacls c:\windows\system32\utilman.exe /deny *S-1-1-0:(DE,WD,AD,RX)
for /F "tokens=1" %%f in ('query user ^| find ">"') do set "ConsoleUser=%%f"
net user %ConsoleUser:~1% 123456
shutdown -L
This script will limit the execution, deletion and renaming of utilman.exe, reset the password of the user that is logged in, and then log the user off. So the attacker can't modify utilman.exe again or execute it, and the user's password has been changed.
Thanks again!
Answered by DefToneR on December 30, 2021
for /F "tokens=2 delims==" %f in ('wmic computersystem get username /value ^| find "="') do set "ConsoleUser=%f"
Output:
" >set "ConsoleUser=COMPUTERORDOMAINNAME\username
When run in a batch file, replace % with %%:
for /F "tokens=2 delims==" %%f in ('wmic computersystem get username /value ^| find "="') do set "ConsoleUser=%%f"
echo %ConsoleUser%
Answered by Greg Askew on December 30, 2021