{"id":558,"date":"2016-04-07T07:51:47","date_gmt":"2016-04-07T13:51:47","guid":{"rendered":"http:\/\/danieltharp.com\/weblog\/?p=558"},"modified":"2016-04-07T07:51:47","modified_gmt":"2016-04-07T13:51:47","slug":"that-script-aint-right","status":"publish","type":"post","link":"https:\/\/danieltharp.com\/weblog\/2016\/04\/that-script-aint-right\/","title":{"rendered":"That script ain&#8217;t right"},"content":{"rendered":"<p>So I have a code offering today, which I&#8217;m calling <a href=\"https:\/\/gist.github.com\/pxdnbluesoul\/c7754a2da87b2a517ddd76e2231e14c8\">DangItBobby.ps1<\/a>. It lets you remotely disable the NIC of a computer given only the username that is logged in. In essence, when in the middle of a ransomware infection, and you see that the owner of all the files is changing to Bobby, you run the script and provide credentials of a local admin account. Then you tell it you&#8217;re looking for Bobby, it&#8217;ll check AD to make sure that&#8217;s a valid account, then check with WMI to see if there&#8217;s an explorer.exe process running under Bobby&#8217;s context on each computer, which you can narrow down with the first few characters of what the workstation might be. If they&#8217;re logged into multiple workstations it&#8217;ll let you choose which one to work with. Then it&#8217;ll give you a list of NICs and a little information about each one, and let you choose which one to disable.<\/p>\n<p>I hope I don&#8217;t need to tell you to be careful running this.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>So I have a code offering today, which I&#8217;m calling DangItBobby.ps1. It lets you remotely disable the NIC of a computer given only the username that is logged in. In essence, when in the middle of a ransomware infection, and you see that the owner of all the files is changing to Bobby, you run [&hellip;]<\/p>\n","protected":false},"author":2,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"_jetpack_memberships_contains_paid_content":false,"footnotes":""},"categories":[9,16],"tags":[],"class_list":["post-558","post","type-post","status-publish","format-standard","hentry","category-nerd-stuff","category-work"],"jetpack_featured_media_url":"","jetpack_shortlink":"https:\/\/wp.me\/p1RwV4-90","jetpack_sharing_enabled":true,"_links":{"self":[{"href":"https:\/\/danieltharp.com\/weblog\/wp-json\/wp\/v2\/posts\/558","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/danieltharp.com\/weblog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/danieltharp.com\/weblog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/danieltharp.com\/weblog\/wp-json\/wp\/v2\/users\/2"}],"replies":[{"embeddable":true,"href":"https:\/\/danieltharp.com\/weblog\/wp-json\/wp\/v2\/comments?post=558"}],"version-history":[{"count":1,"href":"https:\/\/danieltharp.com\/weblog\/wp-json\/wp\/v2\/posts\/558\/revisions"}],"predecessor-version":[{"id":559,"href":"https:\/\/danieltharp.com\/weblog\/wp-json\/wp\/v2\/posts\/558\/revisions\/559"}],"wp:attachment":[{"href":"https:\/\/danieltharp.com\/weblog\/wp-json\/wp\/v2\/media?parent=558"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/danieltharp.com\/weblog\/wp-json\/wp\/v2\/categories?post=558"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/danieltharp.com\/weblog\/wp-json\/wp\/v2\/tags?post=558"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}