
Set-ExecutionPolicy and About Signing

From: https://docs.microsoft.com/en-us/powershell/module/Microsoft.PowerShell.Security/Set-ExecutionPolicy?view=powershell-5.1

From: https://docs.microsoft.com/en-us/powershell/module/Microsoft.PowerShell.Core/about_Signing?view=powershell-5.1

The Set-ExecutionPolicy cmdlet changes the user preference for the Windows PowerShell execution policy.

The Restricted execution policy does not permit any scripts to run. The AllSigned and RemoteSigned execution policies prevent Windows PowerShell from running scripts that do not have a digital signature.

This topic explains how to run selected scripts that are not signed, even while the execution policy is RemoteSigned, and how to sign scripts for your own use.

Commands

http://technet.microsoft.com/en-us/library/ee176949.aspx

  Get-ExecutionPolicy

http://technet.microsoft.com/en-us/library/ee176961.aspx

  Set-ExecutionPolicy RemoteSigned
  & "C:\My Scripts\Test.ps1"
  
  Get-Service | Sort-Object Status | Format-Table
  
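
An added example, not part of the linked Microsoft pages or of this wiki: signing a script for your own use and checking how the execution policy will treat it. It assumes Windows 10 / PowerShell 5.1 (for New-SelfSignedCertificate -Type CodeSigningCert and the PKI module cmdlets) and uses the page's script path C:\My Scripts\Test.ps1; the certificate subject and the temporary .cer file name are chosen here.

```powershell
# Added example (not from the linked Microsoft pages or this wiki). Assumes Windows 10 /
# PowerShell 5.1 and the page's script path; certificate subject and .cer path are chosen here.
$scriptPath = 'C:\My Scripts\Test.ps1'

# The effective policy is the first scope that is not Undefined, in the order listed.
Get-ExecutionPolicy -List

# CurrentUser scope needs no admin rights and leaves the machine-wide setting alone.
Set-ExecutionPolicy -ExecutionPolicy RemoteSigned -Scope CurrentUser -Force

# Reuse a code-signing certificate from the personal store, or create a self-signed one.
$cert = Get-ChildItem Cert:\CurrentUser\My -CodeSigningCert | Select-Object -First 1
if (-not $cert) {
    $cert = New-SelfSignedCertificate -Type CodeSigningCert `
        -Subject 'CN=Local PowerShell Signing' -CertStoreLocation Cert:\CurrentUser\My
    # A self-signed certificate is trusted nowhere until it is in the user's Trusted Root
    # store (makes the signature Valid) and Trusted Publishers (removes the untrusted
    # publisher prompt under AllSigned). Windows asks you to confirm the Root import.
    $cerFile = Join-Path $env:TEMP 'local-signing.cer'
    Export-Certificate -Cert $cert -FilePath $cerFile | Out-Null
    foreach ($store in 'Root', 'TrustedPublisher') {
        Import-Certificate -FilePath $cerFile -CertStoreLocation "Cert:\CurrentUser\$store" | Out-Null
    }
}

# Sign, then verify. Status must be Valid; editing the file afterwards turns it into
# HashMismatch, which is what AllSigned and RemoteSigned rely on to refuse a tampered script.
Set-AuthenticodeSignature -FilePath $scriptPath -Certificate $cert | Out-Null
$sig = Get-AuthenticodeSignature -FilePath $scriptPath
'{0}: {1} (signer: {2})' -f $scriptPath, $sig.Status, $sig.SignerCertificate.Subject

# RemoteSigned only demands a signature from files marked as downloaded from the internet
# (the Zone.Identifier stream); a local unsigned script still runs. For a downloaded script
# you trust but cannot sign, clearing that mark is the supported alternative to lowering the policy:
# Unblock-File -Path $scriptPath
```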

Removing security-protected files from c:\ after a bProtector infection

PowerShell Community Extensions (PSCX)

http://pscx.codeplex.com/releases

http://social.technet.microsoft.com/Forums/eu/winserverpowershell/thread/87679d43-04d5-4894-b35b-f37a6f5558cb

Solution: (First: Thanks to AlfredHall & Sheng Jiang for starting me in the right direction in their discussion here.)

0) Run PS as administrator if UAC is enabled.

1) Use PSCX to elevate your privileges:

  Import-Module "PSCX"
  Set-Privilege (new-object Pscx.Interop.TokenPrivilege "SeRestorePrivilege", $true) #Necessary to set Owner Permissions
  Set-Privilege (new-object Pscx.Interop.TokenPrivilege "SeBackupPrivilege", $true) #Necessary to bypass Traverse Checking
  Set-Privilege (new-object Pscx.Interop.TokenPrivilege "SeTakeOwnershipPrivilege", $true) #Necessary to override FilePermissions & take Ownership

2) Create a new, Owner-only ACL with only the Owner specified with the administrative group as the owner.

  $blankdirAcl = New-Object System.Security.AccessControl.DirectorySecurity
  $blankdirAcl.SetOwner([System.Security.Principal.NTAccount]'BUILTIN\Administrators')

3) Use SetAccessControl to set that Owner.

  (Get-Item "F:\testpath\locked").SetAccessControl($blankdirAcl)

4) Modify File Permissions, Auditing, Ownership using Get-Acl, Set-Acl as normal.


By using the new Owner-only ACL object and SetAccessControl, Ownership has now changed to Administrators and you can use Get-Acl, Set-Acl as desired.

In honor of Diana - goddess of the hunt -

  Import-Module -Name "C:\Users\Diana\Downloads\Pscx-2.1.1\PSCX" -Verbose
  Set-Privilege (New-Object Pscx.Interop.TokenPrivilege "SeRestorePrivilege", $true) #Necessary to set Owner Permissions
  Set-Privilege (New-Object Pscx.Interop.TokenPrivilege "SeBackupPrivilege", $true) #Necessary to bypass Traverse Checking
  Set-Privilege (New-Object Pscx.Interop.TokenPrivilege "SeTakeOwnershipPrivilege", $true) #Necessary to override FilePermissions & take Ownership
  
  # Owner-only ACL; SetAccessControl can apply it even though the current DACL grants us nothing
  $blankdirAcl = New-Object System.Security.AccessControl.DirectorySecurity
  $blankdirAcl.SetOwner([System.Security.Principal.NTAccount]'Diana-PC\Diana')
  
  (Get-Item "c:\6dc5d7208340ab9995c48afe1508").SetAccessControl($blankdirAcl)
  
  # Take ownership of the whole tree (/R = recurse, /D Y = answer the prompt), then grant FullControl per directory
  takeown /F "c:\6dc5d7208340ab9995c48afe1508" /R /D Y
  
  $Acl = Get-Acl "C:\6dc5d7208340ab9995c48afe1508"
  $Ar = New-Object System.Security.AccessControl.FileSystemAccessRule("Diana-PC\Diana","FullControl","Allow")
  $Acl.SetAccessRule($Ar)
  Set-Acl "C:\6dc5d7208340ab9995c48afe1508" $Acl
  
  $Acl = Get-Acl "c:\6dc5d7208340ab9995c48afe1508\bProtectorForWindows"
  $Ar = New-Object System.Security.AccessControl.FileSystemAccessRule("Diana-PC\Diana","FullControl","Allow")
  $Acl.SetAccessRule($Ar)
  Set-Acl "c:\6dc5d7208340ab9995c48afe1508\bProtectorForWindows" $Acl
  
  # searchplugins (the original applied this ACL to bProtectorForWindows a second time by mistake)
  $Acl = Get-Acl "c:\6dc5d7208340ab9995c48afe1508\searchplugins"
  $Ar = New-Object System.Security.AccessControl.FileSystemAccessRule("Diana-PC\Diana","FullControl","Allow")
  $Acl.SetAccessRule($Ar)
  Set-Acl "c:\6dc5d7208340ab9995c48afe1508\searchplugins" $Acl
  
  $Acl = Get-Acl "c:\6dc5d7208340ab9995c48afe1508\bProtectorForWindows\2.2.453.59"
  $Ar = New-Object System.Security.AccessControl.FileSystemAccessRule("Diana-PC\Diana","FullControl","Allow")
  $Acl.SetAccessRule($Ar)
  Set-Acl "c:\6dc5d7208340ab9995c48afe1508\bProtectorForWindows\2.2.453.59" $Acl
  
  # rmdir is an alias of Remove-Item; a non-empty directory needs -Recurse (and -Force for hidden or read-only items)
  Remove-Item "c:\6dc5d7208340ab9995c48afe1508" -Recurse -Force
  

Did it for one!

  
  Import-Module -Name "C:\Users\Diana\Downloads\Pscx-2.1.1\PSCX" -Verbose
  Set-Privilege (New-Object Pscx.Interop.TokenPrivilege "SeRestorePrivilege", $true) #Necessary to set Owner Permissions
  Set-Privilege (New-Object Pscx.Interop.TokenPrivilege "SeBackupPrivilege", $true) #Necessary to bypass Traverse Checking
  Set-Privilege (New-Object Pscx.Interop.TokenPrivilege "SeTakeOwnershipPrivilege", $true) #Necessary to override FilePermissions & take Ownership
  
  $blankdirAcl = New-Object System.Security.AccessControl.DirectorySecurity
  $blankdirAcl.SetOwner([System.Security.Principal.NTAccount]'Diana-PC\Diana')
  
  # Everything directly under C:\ that is NOT one of these legitimate entries is treated as a locked malware directory
  $DirectoryPath = "C:\"   # never assigned in the original script, so Get-ChildItem had no path to work on
  $excluded = @("hp","users","PerfLogs","Program Files","ProgramData","Qoobox","speedDIAL","System Volume Information","Windows","autoexec.bat","bootmgr","BOOTSECT.BAK","config.sys","hiberfil.sys","IO.SYS","MSDOS.SYS","pagefile.sys","TDSSKiller.2.8.16.0_23.02.2013_08.59.56_log.txt","TDSSKiller.2.8.16.0_23.02.2013_09.20.12_log.txt","updatedatfix.log","Windows Sidebar","Boot","ComboFix","Config.Msi","Documents and Settings","*.BIN")
  
  $LockedDirs = Get-ChildItem $DirectoryPath -Force -Name -Exclude $excluded # names only, so "c:\" is prepended below
  
  Foreach ($Locked in $LockedDirs) {
      $FileName = "c:\$Locked"
      $FileName   # echo progress
      
      # Set the owner first; Get-Acl/Set-Acl would be denied while the malware's DACL is still in force
      (Get-Item $FileName).SetAccessControl($blankdirAcl)
      
      takeown /F $FileName /R /D Y   # /R = recurse, /D Y = answer the prompt
      
      $Acl = Get-Acl $FileName
      $Ar = New-Object System.Security.AccessControl.FileSystemAccessRule("Diana-PC\Diana","FullControl","Allow")
      $Acl.SetAccessRule($Ar)
      Set-Acl $FileName $Acl
      
      # The three subpaths below are the ones bProtector created; Get-Acl reports an error for a tree that lacks one and the loop continues
      $Acl = Get-Acl "$FileName\bProtectorForWindows"
      $Ar = New-Object System.Security.AccessControl.FileSystemAccessRule("Diana-PC\Diana","FullControl","Allow")
      $Acl.SetAccessRule($Ar)
      Set-Acl "$FileName\bProtectorForWindows" $Acl
      
      # searchplugins (the original re-applied this ACL to bProtectorForWindows instead)
      $Acl = Get-Acl "$FileName\searchplugins"
      $Ar = New-Object System.Security.AccessControl.FileSystemAccessRule("Diana-PC\Diana","FullControl","Allow")
      $Acl.SetAccessRule($Ar)
      Set-Acl "$FileName\searchplugins" $Acl
      
      $Acl = Get-Acl "$FileName\bProtectorForWindows\2.2.453.59"
      $Ar = New-Object System.Security.AccessControl.FileSystemAccessRule("Diana-PC\Diana","FullControl","Allow")
      $Acl.SetAccessRule($Ar)
      Set-Acl "$FileName\bProtectorForWindows\2.2.453.59" $Acl
      
      Remove-Item $FileName -Recurse -Force   # rmdir alone prompts for confirmation on a non-empty directory
  }
  

Done!
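
An added example, not the forum solution's or this page's own code: steps 1) to 4) above, together with the takeown and Get-Acl/Set-Acl sequence from the two scripts, folded into one function that works for any locked directory and checks its own result. It assumes PSCX is already imported (for Set-Privilege), an elevated session, and that the account passed as -Owner exists; Restore-DirectoryAccess and its parameter names are chosen here.

```powershell
# Added example: steps 1-4 of the solution above as one function for any locked directory.
# Assumes PSCX is imported (Set-Privilege), an elevated session, and that -Owner exists.
function Restore-DirectoryAccess {
    param(
        [Parameter(Mandatory = $true)][string] $Path,
        [string] $Owner = 'BUILTIN\Administrators',  # becomes owner and receives FullControl
        [switch] $Remove                             # delete the tree once access is restored
    )
    if (-not (Test-Path -LiteralPath $Path -PathType Container)) { throw "Directory not found: $Path" }
    $ownerAccount = [System.Security.Principal.NTAccount] $Owner
    $ownerSid = $ownerAccount.Translate([System.Security.Principal.SecurityIdentifier])
    # Step 1: enable the privileges that let the caller override the existing DACL.
    foreach ($p in 'SeRestorePrivilege', 'SeBackupPrivilege', 'SeTakeOwnershipPrivilege') {
        Set-Privilege (New-Object Pscx.Interop.TokenPrivilege $p, $true)
    }
    # Steps 2-3: owner-only ACL applied with SetAccessControl, which needs no access on the
    # object itself once SeTakeOwnershipPrivilege is active.
    $ownerAcl = New-Object System.Security.AccessControl.DirectorySecurity
    $ownerAcl.SetOwner($ownerAccount)
    (Get-Item -LiteralPath $Path -Force).SetAccessControl($ownerAcl)
    # Stop early if ownership did not change; that means the privileges are not really held.
    $actual = (Get-Acl -LiteralPath $Path).GetOwner([System.Security.Principal.SecurityIdentifier])
    if ($actual.Value -ne $ownerSid.Value) { throw "Owner of $Path is $actual, expected $ownerSid" }
    # Ownership of the rest of the tree, the way the page's script does it.
    & takeown.exe /F $Path /R /D Y | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "takeown failed on $Path (exit code $LASTEXITCODE)" }
    # Step 4: grant FullControl top-down. The owner always holds READ_CONTROL and WRITE_DAC,
    # so Get-Acl/Set-Acl work on every object; granting on a directory before listing it
    # keeps the walk from failing on subdirectories that were locked individually.
    $rule = New-Object System.Security.AccessControl.FileSystemAccessRule($Owner, 'FullControl', 'Allow')
    $queue = New-Object 'System.Collections.Generic.Queue[string]'
    $queue.Enqueue($Path)
    $fixed = 0
    while ($queue.Count -gt 0) {
        $current = $queue.Dequeue()
        $acl = Get-Acl -LiteralPath $current
        $acl.SetAccessRule($rule)
        Set-Acl -LiteralPath $current -AclObject $acl
        $fixed++
        if (Test-Path -LiteralPath $current -PathType Container) {
            Get-ChildItem -LiteralPath $current -Force | ForEach-Object { $queue.Enqueue($_.FullName) }
        }
    }
    if ($Remove) { Remove-Item -LiteralPath $Path -Recurse -Force }
    return $fixed   # number of objects that now carry the FullControl entry
}
```

Called as `Restore-DirectoryAccess -Path "c:\6dc5d7208340ab9995c48afe1508" -Owner "Diana-PC\Diana" -Remove` it covers the first script above, and a loop over `Get-ChildItem C:\ -Force -Exclude $excluded` can call it once per locked directory in place of the second.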

software/powershell.1502043886.txt.gz · Last modified: 2017/08/06 18:24 by superwizard