When I saw this trick from John Lambert being retweeted after the Petya malware campaign (the one that followed the WannaCry campaign, which exploited the SMBv1 vulnerability known as EternalBlue), it was clear it could also be used to stop the other ways Petya used to propagate over the network. Of course, you could block wmic.exe and psexec.exe if you have AppLocker and an Enterprise edition of Windows. But the trick above blocks the remote use of psexec and is a hardening measure with a broader scope. I thought it would be nice to have a PowerShell module to help play with this defensive configuration of the Service Control Manager (SCM).
I wanted to use the same approach I used for the NetCease module, where I would simply set the hardened configuration in the registry.
That turned out to be a bad idea, because the registry value doesn't exist by default.
It is an even worse idea because the default security descriptor of the SCM differs depending on the roles and features installed on the computer, so there is no single fixed value you could safely write.
This is what you’d typically find on a Windows 7 computer
And this is what you'd find on Windows Server 2012 R2 with the Hyper-V role installed:
These two constraints explain how and why the Set-SCManagerPermission function in the Service Control Manager ACL module (SCManager) does not overwrite the descriptor with a fixed one, but instead adds a Deny ACE for the NETWORK well-known group (NT AUTHORITY\NETWORK, S-1-5-2, SDDL alias NU), i.e. every principal that authenticates to the machine over the network. Note that this is not the NETWORK SERVICE account (S-1-5-20).
I have also chosen to rely on sc.exe, and most of the functions are wrappers around sc.exe, mainly because sc.exe is required when the registry key and value don't exist, and because changes made with sc.exe apply immediately, without a reboot.
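The following is an added example, not the SCManager module's own code: it shows the mechanism described above with sc.exe sdshow/sdset and the .NET security-descriptor classes, so the per-OS differences in the default DACL become visible and the Deny ACE is inserted in front of whatever is already there instead of replacing it. The function names, the backup file path and the assumption of an elevated PowerShell session on Windows are mine.

```powershell
# Added example, not the SCManager module's own code: inspect, harden and restore the
# Service Control Manager DACL with sc.exe sdshow/sdset, inserting the same kind of
# Deny ACE for NT AUTHORITY\NETWORK (S-1-5-2, SDDL alias NU) that the module applies.
# Assumptions: run elevated on Windows; $BackupPath and the function names are my own.

$BackupPath = Join-Path $env:ProgramData 'scmanager-sddl.bak'

function Get-ScmSddl {
    # sc.exe sdshow prints an empty line followed by the SDDL string
    $out = & sc.exe sdshow scmanager 2>&1
    if ($LASTEXITCODE -ne 0) { throw "sc.exe sdshow failed: $out" }
    $sddl = $out | ForEach-Object { "$_".Trim() } | Where-Object { $_ -match '^[DOGS]:' } | Select-Object -First 1
    if (-not $sddl) { throw "No SDDL string found in: $out" }
    $sddl
}

function Get-ScmAce {
    # Parse the SDDL with .NET and list each DACL entry with a translated account name,
    # so the per-OS / per-role differences in the default descriptor become visible
    param([string]$Sddl = (Get-ScmSddl))
    $sd = New-Object -TypeName System.Security.AccessControl.RawSecurityDescriptor -ArgumentList $Sddl
    foreach ($ace in $sd.DiscretionaryAcl) {
        $sid  = $ace.SecurityIdentifier
        $name = $sid.Value
        try { $name = $sid.Translate([System.Security.Principal.NTAccount]).Value } catch { }
        [pscustomobject]@{
            AceType    = $ace.AceType
            Account    = $name
            Sid        = $sid.Value
            AccessMask = '0x{0:X8}' -f $ace.AccessMask
        }
    }
}

function Set-ScmNetworkDeny {
    # Save the current descriptor once, then prepend a Deny GENERIC_ALL ACE for S-1-5-2.
    # Explicit denies go first so the DACL stays canonical; sdset applies it immediately.
    [CmdletBinding()]
    param()
    $current = Get-ScmSddl
    $sd      = New-Object -TypeName System.Security.AccessControl.RawSecurityDescriptor -ArgumentList $current
    $network = New-Object -TypeName System.Security.Principal.SecurityIdentifier -ArgumentList 'S-1-5-2'
    $present = $sd.DiscretionaryAcl | Where-Object {
        $_.AceType -eq 'AccessDenied' -and $_.SecurityIdentifier -eq $network
    }
    if ($present) { Write-Verbose 'Deny ACE for NT AUTHORITY\NETWORK already present'; return $current }
    if (-not (Test-Path $BackupPath)) { Set-Content -Path $BackupPath -Value $current }
    $deny = New-Object -TypeName System.Security.AccessControl.CommonAce -ArgumentList @(
        [System.Security.AccessControl.AceFlags]::None,
        [System.Security.AccessControl.AceQualifier]::AccessDenied,
        0x10000000,   # GENERIC_ALL, rendered as 'GA' in SDDL
        $network,
        $false,
        $null)
    $sd.DiscretionaryAcl.InsertAce(0, $deny)
    $new = $sd.GetSddlForm([System.Security.AccessControl.AccessControlSections]::All)
    Write-Verbose "Applying: $new"
    $out = & sc.exe sdset scmanager $new 2>&1
    if ($LASTEXITCODE -ne 0) { throw "sc.exe sdset failed: $out" }
    $new
}

function Restore-ScmSddl {
    # Re-apply the descriptor saved by Set-ScmNetworkDeny; no reboot needed
    if (-not (Test-Path $BackupPath)) { throw "No backup found at $BackupPath" }
    $saved = (Get-Content -Path $BackupPath -Raw).Trim()
    $out = & sc.exe sdset scmanager $saved 2>&1
    if ($LASTEXITCODE -ne 0) { throw "sc.exe sdset failed: $out" }
    Remove-Item -Path $BackupPath
    $saved
}

function Test-ScmRemoteAccess {
    # Run from another host. Returns sc.exe's exit code, which is the Win32 error of
    # OpenSCManager: 0 = the SCM was opened, 5 = Access is denied (the hardening works),
    # 1722 = RPC server unavailable (target not reachable, so the test says nothing)
    param([Parameter(Mandatory)][string]$ComputerName)
    $null = & sc.exe "\\$ComputerName" query 2>&1
    $LASTEXITCODE
}

# Usage (elevated):
# Get-ScmAce | Format-Table -AutoSize   # baseline differs between Windows 7 and 2012 R2 + Hyper-V
# Set-ScmNetworkDeny -Verbose
# Restore-ScmSddl
```

Run Get-ScmAce before and after on each OS you care about: the point of parsing the live descriptor rather than writing a fixed registry value is that the Deny ACE is added to whatever the machine already has, which is exactly why a plain registry approach did not work here.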
I’ve also published a digitally signed version on the PowerShell Gallery.
Set-SCManagerPermission -Verbose -Confirm:$false
Get-SCManagerPermission | Select Transl*,Secu*,AccessMask,AceType | ft -AutoSize
If sc.exe is then used to access any service remotely (for example sc.exe \\target query), the call fails with an Access Denied error, because opening the SCM itself is denied before any individual service is reached.
This module, and the hardened configuration it sets, will definitely block the remote use of psexec.exe or sc.exe.
But it could also break some Microsoft or third-party products or services that rely on remote access to the SCM.
The change can be undone, again without a reboot, with the Restore-SCManagerPermission function:
Restore-SCManagerPermission -Verbose -Confirm:$false
Please use it first in a testing environment and report any broken service or product you may encounter.