Bad Rabbit

Bad Rabbit Vaccine

Vaccine to protect against Bad Rabbit

Description

This is an Agent Procedure to protect Windows endpoints against the Bad Rabbit malware.
The procedure creates 2 files (C:\Windows\cscc.dat and C:\Windows\infpub.dat) and disables inheritance on these files.
Link for more information on the new ransomware: http://www.zdnet.com/article/bad-rabbit-ten-things-you-need-to-know-about-the-latest-ransomware-outbreak/
Link about the vaccine: https://www.cybereason.com/blog/cybereason-researcher-discovers-vaccine-for-badrabbit-ransomware
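The same vaccine written out as a stand-alone PowerShell script, added here as an illustration; it is not the listing's Agent Procedure (which is an XML import for the Kaseya VSA). It creates the two marker files, sets them read-only, strips every ACE with icacls /inheritance:r (the option the discussion below settles on, rather than /inheritance:d) and then verifies the result. It assumes an elevated PowerShell session on the endpoint.

```powershell
# Added example, not the listing's own Agent Procedure. Run from an elevated
# PowerShell on the endpoint. Bad Rabbit checks for these two paths and stops
# if they already exist (the mechanism the linked vaccine post describes).
$vaccineFiles = @('C:\Windows\cscc.dat', 'C:\Windows\infpub.dat')

foreach ($f in $vaccineFiles) {
    # Create an empty marker file if it is missing; never clobber an existing one.
    if (-not (Test-Path -LiteralPath $f)) {
        New-Item -ItemType File -Path $f -Force | Out-Null
    }

    # Set read-only first: once the DACL is emptied, even the owner can no
    # longer change attributes without first re-granting itself access, so on
    # a re-run this step only produces a warning.
    try { Set-ItemProperty -LiteralPath $f -Name IsReadOnly -Value $true }
    catch { Write-Warning "Could not set read-only on ${f}: $_" }

    # /inheritance:r removes ALL inherited ACEs, leaving an empty DACL.
    # /inheritance:d (the value questioned in the discussion) only disables
    # inheritance and copies the inherited ACEs as explicit ones, so the same
    # principals could still write to the file.
    & icacls.exe $f /inheritance:r | Out-Null
    if ($LASTEXITCODE -ne 0) {
        Write-Error "icacls /inheritance:r failed on $f (exit code $LASTEXITCODE)"
    }
}

# Verify: with no ACEs left, Get-Acl reports an empty Access list. Reading the
# descriptor still works because the owner keeps implicit READ_CONTROL.
foreach ($f in $vaccineFiles) {
    $acl  = Get-Acl -LiteralPath $f
    $aces = @($acl.Access)
    if ($aces.Count -eq 0) {
        Write-Output "$f : OK, no ACEs remain (owner: $($acl.Owner))"
    } else {
        Write-Warning "$f : $($aces.Count) ACE(s) still present"
        $aces | Format-Table IdentityReference, FileSystemRights, IsInherited -AutoSize
    }
}
```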

Developer
  • Name: Douglas Sanchez
  • Company: Kaseya
  • Website: http://www.kaseya.com

Summary
  • 449 Downloads
  • Released on October 25th, 2017

Reviews

    Bad Rabbit Vaccine has no reviews.

    Discussion
    Björn Hansson about 2 months ago

    Hello Douglas, great work. Perhaps it's a typo, but shouldn't it be "/inheritance:r" instead of "/inheritance:d"? Otherwise existing permissions would not be removed, and it will make no difference. From icacls /?:

        ...
        /inheritance:e|d|r
            e - enables inheritance
            d - disables inheritance and copy the ACEs
            r - remove all inherited ACEs
        ...

    //Björn Hansson - Teleservice

    Björn Hansson about 2 months ago

    Not the best formatting in the discussion pane, but I hope it will be readable!

    pcrecovery about 2 months ago

    Perhaps both need to be done? In the cybersecurity examples, it seems that it's two parts...the existing permissions are removed AND the inheritance is disabled/turned-off.

    Björn Hansson about 2 months ago

    It is one action: "disable inheritance", but with a question: should permissions be converted (remain) or removed? This question is equivalent to "/inheritance:e|r" where 'e' is "converted" and 'r' is "remove".

    Björn Hansson about 2 months ago

    There seems to be no way to remove older posts. The last statement should be "/inheritance:e|d|r" where 'd' is "converted" and 'r' is "remove".

    Douglas Sanchez about 2 months ago

    I updated the procedure in the listing to disable the inheritance and remove the permissions. Let me know how this goes.

    Buster Davis about 2 months ago

    Downloaded the XML and imported it into my VSA as is, and tried to run it on my workstation, and the procedure does not complete.

    Adam Wall about 2 months ago

    I just ran the procedure via my Kaseya VSA onto 2 different machines and it deployed correctly.

    Buster Davis about 2 months ago

    I tried on Windows 7 and it ran, but not on Windows 10.

    Sam about 2 months ago

    Have tested on the latest version of Windows 10, works a treat. Files cannot be modified by a non-system account.

    Buster Davis about 2 months ago

    I tried it on another Windows 10 machine and it does not run.

    Adam Wall about 2 months ago

    I ran on 2 Windows 10 machines, including my Win10 PC. Completed successfully and the 2 files are now on the machines.

    Buster Davis about 2 months ago

    Adam Wall, did you modify the procedure in any way or use the original procedure unchanged?

    Adam Wall about 2 months ago

    For clarity: ran on my PC with the new Fall Creators Update successfully, and on 2 other Win10 machines with the previous Creators Update. Then ran on an older 1607 Win10 build. All worked.

    eas@manningllp.com about 2 months ago

    I ran on my Windows 10 machine and the files didn't install either. If I run the echo command manually it works. But that would defeat the purpose of having a procedure do it. :)

    Buster Davis about 2 months ago

    Well, it's nice to know I am not the only one having the issue, so what's the fix?

    Adam Wall about 2 months ago

    I uploaded the second procedure the author created and deployed it via Agent Procedures. Both files are in my system drive.

    Buster Davis about 2 months ago

    That is the one that I used too.

    Andrew Rowntree about 2 months ago

    Works fine here. Thank you Douglas.

    pcrecovery about 2 months ago

    Ran across 111 workstations with all succeeding. Thanks for the script!

    Cees about 2 months ago

    Hi Douglas Sanchez, great job. Thought at first it did not work but found out it did. Looking through KLC - Files I cannot see the created files, but through KLC - Commands I found them in the C:\Windows folder. I got confused when I first did not see them and tried to run the first procedure command manually, getting a "permission" error. All works well, but you just have to know where to verify the files. Cheers mate

    Douglas Sanchez about 2 months ago

    Thank you all for the feedback. For anyone for whom the procedure does not work, could you provide me some more information? Any error message? Windows 10 32 or 64 bit? Anything that could help me troubleshoot would be great, as it worked on my end on Windows 10.

    Buster Davis about 2 months ago

    Douglas, still can't get it deployed on my Windows 10 64-bit machines. When I run it on Windows 7, it executes immediately. But for Win 10, I click the procedure to execute and it just sits there and never completes.

    eas@manningllp.com about 2 months ago

    The latest version now works for me on my Windows 10 Machine. Thanks!

    Tim McCarty about 2 months ago

    Thanks for this, Mr Sanchez! Deployed to over 150 Win 10 machines, 95% of them 64-bit. All deployed successfully!

    Hem Pandya about 1 month ago

    Didn't work for me initially. Then I created a batch file which creates the files the same way described above and removes permissions from them. Placed that batch file on the k-server, distributed it to all the machines and ran that batch file on all the remote machines. It worked.