So I have a code offering today, which I’m calling DangItBobby.ps1. It lets you remotely disable the NIC of a computer given only the username that is logged in. In essence, when in the middle of a ransomware infection, and you see that the owner of all the files is changing to Bobby, you run the script and provide credentials of a local admin account. Then you tell it you’re looking for Bobby, it’ll check AD to make sure that’s a valid account, then check with WMI to see if there’s an explorer.exe process running under Bobby’s context on each computer, which you can narrow down with the first few characters of what the workstation might be. If they’re logged into multiple workstations it’ll let you choose which one to work with. Then it’ll give you a list of NICs and a little information about each one, and let you choose which one to disable.

I hope I don’t need to tell you to be careful running this.

I ended up needing to do this last week, we have a LOB application that people access via Terminal Services, and it doesn’t clean up after itself in the Temp folder, which causes the application to act up. Can’t get the developers to fix the problem so it’s on us. The existing fix was one batch file, tied to one scheduled task, for every user (50+) of the terminal server. Nightmare to keep maintained.

So I built a simple powershell script, one script for all user profiles.

for(;;) {
try {
Set-Location "C:\Users"
Remove-Item ".\*\AppData\Local\Temp\*" -recurse -force
}
catch {
# EventSentry will watch for Powershell dying.
Break
}

# wait for a minute
Start-Sleep 60
}

Then I created a scheduled task to have Powershell run on startup with the argument -file Path:\to\script.ps1 and had it run as SYSTEM with highest privileges. Since this was the first time using ps1 files on this server I also needed to Set-ExecutionPolicy RemoteSigned.