Got Crypto'd....

Hi all,

I just tested a solution at home which seems to work quite well. Basically, as others have suggested, I use File Server Resource Manager

1) Create a file group containing dodgy extensions/filenames (help_decrypt., how_to_decrypt., etc.)

2) Create a file screen template which uses the above file group -- I have it log to the event viewer and run a command. The command I run is C:\KillUserSession.bat. The command line argument passed in is [Source Io Owner]

3) My KillUserSession.bat looks as follows:

@echo off
powershell.exe -ExecutionPolicy Bypass -File "C:\KillUserSession.ps1" -DomainUser %1

4) I have a C:\KillUserSession.ps1 PowerShell script as follows:

param([string] $DomainUser)

# FSRM passes [Source Io Owner] as DOMAIN\user; keep only the part after the backslash
$Username = ($DomainUser -split '\\')[-1]

# Win32_ServerSession lists the SMB sessions on this server; ComputerName is the client's
# address. A user can have more than one session, so handle every match rather than the first.
# -eq is already case-insensitive in PowerShell, so no ToLower() is needed.
$userComputers = Get-WmiObject -Class Win32_ServerSession |
    Where-Object { $_.UserName -eq $Username } |
    Select-Object -ExpandProperty ComputerName -Unique

foreach ($userComputer in $userComputers) {
    Write-Host "$Username is connecting from $userComputer. Proceeding to kill and block connection.."

    # Call netsh directly instead of building a command string for Invoke-Expression, so the
    # username (attacker-influenced input) is never re-parsed as PowerShell code.
    netsh advfirewall firewall add rule name="BlockCrypto - $Username on $userComputer" dir=in action=block enable=yes profile=any remoteip=$userComputer protocol=tcp localport=445
}

So basically, if a user writes a dodgy file to a network share, it quickly adds a firewall rule to block the user's IP address from accessing any network shares. I tried to be mindful and use netsh instead of newer cmdlets so it's more backwards compatible with Server 2008, etc.. But I've only tested it on Server 2012 R2 at home in a domain environment.

I would have liked to write the whole script in a simple batch file rather than relying on calling PowerShell, but I couldn't get the UserName and ComputerName with WMIC:

wmic path win32_serversession WHERE UserName="myuser" GET

Node - WS2012R2
Description = Generic failure

Hopefully others find that useful and improve on it.


/r/sysadmin Thread
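As an added example that is not part of the original post: the FSRM setup described in steps 1 and 2 (file group, event-log action plus command action, active file screen template, file screen on the share) built with the FileServerResourceManager cmdlets that ship with Server 2012 and later, so it does not cover the Server 2008 case the poster was keeping in mind. The share root D:\Shares, the group and template names, the event-log body text and the marker patterns beyond help_decrypt/how_to_decrypt are assumptions for illustration, not values from the post.

```powershell
# Added example, not code from the original post. Run elevated on the file server
# after placing the handler at C:\KillUserSession.bat.
# Assumed values (not from the post): $shareRoot, the group/template names, the
# event body, and the two extra marker patterns.
Import-Module FileServerResourceManager

$handler   = 'C:\KillUserSession.bat'
$shareRoot = 'D:\Shares'                 # assumed; point at your share root(s)
$groupName = 'Crypto markers'
$tmplName  = 'Block crypto markers'

# 1) File group of ransomware marker names. FSRM patterns match on file name,
#    so "help_decrypt.*" catches help_decrypt.txt, .html, .png and so on.
$patterns = @(
    'help_decrypt.*',
    'how_to_decrypt.*',
    'decrypt_instruction*',              # assumed extra marker, not in the post
    '*.locky'                            # assumed extra marker, not in the post
)
if (Get-FsrmFileGroup -Name $groupName -ErrorAction SilentlyContinue) {
    Set-FsrmFileGroup -Name $groupName -IncludePattern $patterns
} else {
    New-FsrmFileGroup -Name $groupName -IncludePattern $patterns | Out-Null
}

# 2) Notification actions. FSRM substitutes [Source Io Owner] with DOMAIN\user
#    before invoking the command, which is what KillUserSession.bat expects.
#    RunLimitInterval 0 removes the per-action notification limit (60 minutes
#    by default in the GUI) so a second hit within the hour still fires.
$eventAction = New-FsrmAction -Type Event -EventType Warning -RunLimitInterval 0 `
    -Body 'Ransomware marker [Source File Path] written by [Source Io Owner] on [Server]'
$cmdAction = New-FsrmAction -Type Command -Command $handler `
    -CommandParameters '[Source Io Owner]' -SecurityLevel LocalSystem `
    -RunLimitInterval 0

# 3) Active (blocking, not just monitoring) file screen template using the group
if (-not (Get-FsrmFileScreenTemplate -Name $tmplName -ErrorAction SilentlyContinue)) {
    New-FsrmFileScreenTemplate -Name $tmplName -IncludeGroup $groupName `
        -Active -Notification @($eventAction, $cmdAction) | Out-Null
}

# 4) Apply the template to the share root
if (-not (Get-FsrmFileScreen -Path $shareRoot -ErrorAction SilentlyContinue)) {
    New-FsrmFileScreen -Path $shareRoot -Template $tmplName | Out-Null
}

# Verify what is now screened with this template
Get-FsrmFileScreen | Where-Object { $_.Template -eq $tmplName } |
    Select-Object Path, Active, IncludeGroup
```

Two things to check after running it: the command action runs as LocalSystem, so the handler's netsh call has the rights it needs without any extra configuration, and the screen only fires when the encryptor writes one of the marker names, so files it touched before dropping the first marker are already gone. It is a tripwire that cuts the session off early in the walk, not a control that prevents the first encryption.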