#
# This script does simple things but oh so well :)
# @Author: Mr.Rebel
#
#Set-ExecutionPolicy RemoteSigned
#./MpCmdRun.exe -Scan -ScanType 2
#https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-antivirus/command-line-arguments-windows-defender-antivirus
  9. echo "*************************************"
  10. echo "RUNNING FOR BOX: $box"
  11. echo "*************************************"
  13. function build_wall{
  14. #while(1){
  15. echo "Putting old rules into rules.txt!!!!"
  16. Get-NetFirewallRule | Out-File -FilePath .\rules.txt -NoClobber
  17. echo "Restoring firewall rules to default"
  18. netsh advfirewall reset
  19. netsh advfirewall set allprofiles state on
  20. netsh advfirewall firewall delete rule name=all
  21. netsh advfirewall set allprofiles firewallpolicy blockinbound,blockoutbound
  22. #Remove-NetFirewallRule -All
  23. echo "*****************************"
  24. echo "BUILDING WALL"
  25. echo "*****************************"
  26. for($num = 21; $num -lt 2000; $num++){
  27. #depending on box we don't want to block certain ports
  28. if($num -eq 80 -OR $num -eq 443 -OR $num -eq 53 -OR $num -eq 514){
  29. continue
  30. }
  31. echo "Blocking port + $num"
  32. echo "Blocking TCP"
  33. netsh advfirewall firewall add rule name="Blocktcp_in + $num" protocol=TCP dir=in localport=$num action=block
  34. netsh advfirewall firewall add rule name="Blocktcp_out + $num" protocol=TCP dir=out localport=$num action=block
  35. echo "Blocking UDP"
  36. netsh advfirewall firewall add rule name="Blocktcp_in + $num" protocol=UDP dir=in localport=$num action=block
  37. netsh advfirewall firewall add rule name="Blocktcp_out + $num" protocol=UDP dir=out localport=$num action=block
  38. }
  39.  
  40. #Sleep for 180 seconds before running again
  41. #Start-Sleep -s 180
  42. #}
  43. }
  45. function stop_process{
  46. echo "Dummping running processes into proccess.txt"
  47. tasklist | Out-File "processes.txt"
  48. $tasklist = tasklist.exe
  49. $tasklist = $tasklist.Split(" ")
  50. $truetaskList = @()
  51.  
  52. ForEach($task in $tasklist){
  53. if (($task -match '.exe' -OR -$task -match '.py' -OR $task -match '.ps1') -and -Not($truetaskList.Contains($task)) -and -Not($task -match 'powershell')){
  54. $truetaskList += $task
  55. }
  56. }
  57.  
  58. ForEach($task in $truetaskList){
  59. Try{
  60. $truetask = $task.Substring(0,$task.Length-4)
  61. if($truetask -eq "powershell.exe" -OR $truetask -eq "turnoff.ps1"){
  62. continue
  63. }
  64. echo "Stopping: $truetask"
  65. Stop-Process -Name $truetask
  66. }
  67. Catch{
  68. continue
  69. }
  70. }
  71. }
  73. function change_users{
  74. $Accounts = Get-WmiObject -Class Win32_UserAccount -filter "LocalAccount = True"
  75. $ListUsers = @()
  76. $currentuser = $env:USERNAME
  77. $Accounts = $Accounts -split ' '
  78. ForEach($account in $Accounts){
  79. $stringAccount = [string]$account -split '"'
  80. for($i = 0; $i -lt $stringAccount.Count; $i+=1){
  81. if ($i -eq 3){
  82. $user = $stringAccount[$i]
  83. $ListUsers += $user
  84. }
  85. }
  86. }
  87. #Disable-LocalUser -Name $username
  88. $Password = (ConvertTo-SecureString -AsPlainText "TenToesDownForLife$10!" -Force)
  89. ForEach($user in $ListUsers){
  90. Try{
  91. echo "Changing password for User: $user"
  92. $User | Set-LocalUser -Password $Password
  93. echo "Successfully changed password for $User"
  94. }
  95. Catch{
  96. $string_err = $_ | Out-String
  97. echo $string_err
  98. continue
  99. }
  100. }
  101. }
  103. function scan{
  104. echo "Starting quick scan!!!!!!!"
  105. Try{
  106. Set-MpPreference -ScanParameters 2 -ScanScheduleDay 0 -ScanScheduleQuickScanTime 1 -UnknownThreatDefaultAction "Quarantine" -SevereThreatDefaultAction "Quarantine" -HighThreatDefaultAction "Quarantine" -LowThreatDefaultAction "Quarantine" -ModerateThreatDefaultAction "Quarantine" -CheckForSignaturesBeforeRunningScan 1 -DisableRealtimeMonitoring 0
  107. Start-MpScan -ThrottleLimit 0 -ScanType 1
  108. echo "Sleeping for 30 seconds then running full scan!"
  109. Start-Sleep 30
  110. Start-MpScan -ThrottleLimit 0 -ScanType 2
  111. }
  112. Catch{
  113. Try{
  114. C:\"Program Files"\"Windows Defender"\MpCmdRun.exe -Scan -ScanType 1
  115. echo "Sleeping for 60 seconds then running full scan!"
  116. Start-Sleep 30
  117. C:\"Program Files"\"Windows Defender"\MpCmdRun.exe -Scan -ScanType 2
  118. }
  119. Catch{
  120. $string_err = $_ | Out-String
  121. echo $string_err
  122. }
  123. }
  124. }
  126. function dump_tasks{
  127. echo "Putting scheduledtasks into tasks.txt"
  128. Get-ScheduledTask | Out-File "tasks.txt"
  129. echo "Putting scheduledtask information into tasksinfo.txt"
  130. Get-ScheduledTask | Get-ScheduledTaskInfo | Out-File "tasksinfo.txt"
  131. }
  133. function main{
  134. Clear
  135. #$UserAccount = Get-LocalUser -Name "Administrator"
  136. # Disable SMB if not scored service!
  137. Try{
  138. echo "Disabling SMB1"
  139. Disable-WindowsOptionalFeature -Online -FeatureName 'SMB1Protocol' -ErrorAction SilentlyContinue -WarningAction SilentlyContinue -NoRestart | Out-Null
  140. echo "Disabling SMB2"
  141. Set-SmbServerConfiguration -EnableSMB2Protocol $false
  142. echo "Disabling SMB3"
  143. Set-SmbServerConfiguration -EnableSMB3Protocol $false
  144. }
  145. Catch{
  146. $string_err = $_ | Out-String
  147. echo $string_err
  148. }
  149. }
  150. echo "Disabling RDP!!!"
  151. try{
  152. Set-ItemProperty -Path "HKLM:\System\CurrentControlSet\Control\Terminal Server" -Name "fDenyTSConnections" -Value 0
  153. echo "RDP Disabled"
  154. }
  155. Catch{
  156. $string_err = $_ | Out-String
  157. echo $string_err
  158. }
  159. }
  160. # set mp preferences
  161. # set environment policy and rerun script!!!
  162. echo "Setting lockdown policy"
  163. Try{
  164. [Environment]::SetEnvironmentVariable('__PSLockdownPolicy', '4', 'Machine')
  165. }
  166. Catch{
  167. $string_err = $_ | Out-String
  168. echo $string_err
  169. }
  170. dump_tasks
  171. change_users
  172. stop_process
  173. build_wall
  174. scan
  175. }
  177. main