Identifying And Vaccinating Your Computers Against Bad Rabbit Ransomware

4/26/2018 2214 Contributors

Purpose:
You wish to identify computers that are not yet vaccinated against the Bad Rabbit ransomware and vaccinate them using PDQ Inventory and PDQ Deploy. The vaccine consists of two empty files, C:\Windows\infpub.dat and C:\Windows\cscc.dat, with all permissions removed: Bad Rabbit needs to write these files during infection, and when they already exist and cannot be overwritten the infection does not proceed.

Resolution:
There are two parts to this resolution: first identifying which computers are not vaccinated against Bad Rabbit, then vaccinating those computers.

Identify Vulnerable Computers
In order to identify computers that are not vaccinated against Bad Rabbit, you will need to create a custom Scan Profile and a Dynamic Collection. To create the Scan Profile, perform the following:

1. Open PDQ Inventory and go to Options > Scan Profiles.

2. Click on the New button and name the scan profile something meaningful.

3. Click on the Add button and select Files.

4. In the Include Pattern(s) section of the Files Scanner, add the location to scan for the infpub.dat and cscc.dat files: C:\Windows\infpub.dat and C:\Windows\cscc.dat.

5. Click OK, and OK again. Close out of the Scan Profiles window.

6. Scan the targets you would like to check for the existence of the infpub.dat and cscc.dat files (you can select one computer, multiple computers, or any collection to scan).

Create a Dynamic Collection to Display the Scan Results
1. Open PDQ Inventory and click on the New Dynamic Collection icon in the toolbar.

2. Name the collection something meaningful.

3. Build the filter as a "Not Any" group containing one File condition for each of the two files scanned above (C:\Windows\infpub.dat and C:\Windows\cscc.dat), so that a computer matches only when neither file was found:
[Screenshot of the collection filter]

4. Click OK to save the collection. Because the filter is a "Not Any" group, the collection contains every computer on which the scan found neither infpub.dat nor cscc.dat in C:\Windows. This also includes any computer that could not be scanned with the custom Files scanner you created above, since such a computer has no file records to match; re-scan those before treating them as unvaccinated. A computer that has only one of the two files will not appear, because one of the conditions matches. NOTE: if you want to know which computers are vaccinated (at least one of the files found), change the "Not Any" to "Any".
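As an added example that is not part of the original article, the following PowerShell script performs the same check outside PDQ Inventory and reports the three states the collection has to distinguish: vaccinated (both files present with an empty DACL), not vaccinated, and could not be scanned. It assumes that C:\Windows is $env:SystemRoot and that WinRM (Invoke-Command) is enabled on remote targets; the function and variable names are the example's own.

```powershell
# Added example, not part of the original PDQ article: a PowerShell check that
# reports the same states the custom File scanner and "Not Any" collection have
# to distinguish. Assumes WinRM (Invoke-Command) is enabled for remote targets.

$VaccineCheck = {
    # The two files the article scans for; $env:SystemRoot is normally C:\Windows.
    $paths = @("$env:SystemRoot\infpub.dat", "$env:SystemRoot\cscc.dat")
    $state = @{}
    foreach ($p in $paths) {
        $name = [System.IO.Path]::GetFileName($p)
        if (-not (Test-Path -LiteralPath $p -PathType Leaf)) {
            $state[$name] = 'Missing'
            continue
        }
        try {
            $acl = Get-Acl -LiteralPath $p -ErrorAction Stop
        } catch {
            # Exists, but this account cannot read its DACL (typical for a file with
            # no ACEs when the caller is not its owner). Present, state unknown.
            $state[$name] = 'PresentAclUnreadable'
            continue
        }
        # "Locked" is the state the Command step produces: inheritance removed, no ACEs left.
        if ($acl.AreAccessRulesProtected -and $acl.Access.Count -eq 0) {
            $state[$name] = 'Locked'
        } else {
            $state[$name] = 'PresentWithAccess'
        }
    }
    [pscustomobject]@{
        ComputerName = $env:COMPUTERNAME
        InfpubDat    = $state['infpub.dat']
        CsccDat      = $state['cscc.dat']
        Vaccinated   = ($state['infpub.dat'] -eq 'Locked') -and ($state['cscc.dat'] -eq 'Locked')
        Scanned      = $true
    }
}

function Get-BadRabbitVaccineReport {
    param([string[]]$ComputerName = @($env:COMPUTERNAME))
    foreach ($c in $ComputerName) {
        if ($c -eq $env:COMPUTERNAME -or $c -eq 'localhost') {
            & $VaccineCheck
            continue
        }
        try {
            Invoke-Command -ComputerName $c -ScriptBlock $VaccineCheck -ErrorAction Stop |
                Select-Object ComputerName, InfpubDat, CsccDat, Vaccinated, Scanned
        } catch {
            # Same caveat as the Dynamic Collection: a host that could not be scanned is
            # reported separately rather than silently counted as vaccinated or not.
            [pscustomobject]@{
                ComputerName = $c
                InfpubDat    = 'Unknown'
                CsccDat      = 'Unknown'
                Vaccinated   = $false
                Scanned      = $false
            }
        }
    }
}

# Usage: list computers that still need the vaccine, plus those that could not be checked.
Get-BadRabbitVaccineReport -ComputerName $env:COMPUTERNAME |
    Where-Object { -not $_.Vaccinated } | Format-Table -AutoSize
```

Pass a list of hostnames to -ComputerName to check several machines; rows with Scanned = False correspond to the "could not be scanned" computers that the collection lumps in with the unvaccinated ones, and PresentWithAccess flags a file that exists but was never locked down, which the collection alone cannot tell apart from a correct vaccine.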

Vaccinating Your Computers Against Bad Rabbit
We will use PDQ Deploy to create the empty infpub.dat and cscc.dat files identified above and strip their permissions, which is what vaccinates a computer against Bad Rabbit.

1. Open PDQ Deploy, select New Package from the toolbar and name the package something meaningful.

2. Create a New Step > Command.

3. In the Command step, add the following to the Command field:

copy /B NUL C:\windows\infpub.dat
copy /B NUL C:\windows\cscc.dat
icacls "C:\windows\infpub.dat" /inheritance:r
icacls "C:\windows\cscc.dat" /inheritance:r

4. The Command step should now contain exactly those four lines; the copy commands create two zero-byte files and the icacls commands lock them down.
NOTE: the icacls command removes inheritance and, with it, every user and group entry that was inherited from the parent directory (C:\Windows). Since a newly created file has no explicit entries of its own, the files end up with an owner but an empty DACL, so no user or group (including SYSTEM and Administrators) is granted any access. Two consequences: re-running the package against a computer that is already vaccinated will fail at the copy step with access denied, so deploy only to the collection of unvaccinated computers; and the owner (or an administrator who takes ownership) can still reset the permissions later, for example with icacls <file> /reset, if the files ever need to be removed.

5. Save the package and test it against one computer before deploying it widely.

6. Deploy the package to all machines identified as vulnerable from the custom Scan Profile and Dynamic Collection you created above.
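As an added example that is not part of the original article, here is an idempotent PowerShell version of the Command step, suitable for a PDQ Deploy PowerShell step or for running by hand in an elevated session. It uses the same two files and the same icacls command as the package above, but skips files that are already locked (re-creating a file whose DACL is empty fails with access denied) and verifies the resulting ACL. It assumes C:\Windows is $env:SystemRoot and that the caller is an administrator; the function and variable names are the example's own.

```powershell
# Added example, not part of the original PDQ article: an idempotent PowerShell
# version of the Command step. Same files, same icacls command; the extra logic
# skips files that are already locked, because a file with an empty DACL cannot
# be re-created by "copy", and verifies the resulting ACL.

$VaccinePaths = @("$env:SystemRoot\infpub.dat", "$env:SystemRoot\cscc.dat")

function Install-BadRabbitVaccine {
    param([string[]]$Path = $VaccinePaths)

    foreach ($p in $Path) {
        $r = [ordered]@{ Path = $p; Action = ''; Locked = $false }

        if (Test-Path -LiteralPath $p -PathType Leaf) {
            try {
                $acl = Get-Acl -LiteralPath $p -ErrorAction Stop
                if ($acl.AreAccessRulesProtected -and $acl.Access.Count -eq 0) {
                    # Already vaccinated: touching it again would only produce access-denied errors.
                    $r.Action = 'AlreadyLocked'; $r.Locked = $true
                    [pscustomobject]$r
                    continue
                }
            } catch {
                # Exists but the DACL is unreadable for this account; assume locked, leave it alone.
                $r.Action = 'ExistsAclUnreadable'; $r.Locked = $true
                [pscustomobject]$r
                continue
            }
            $r.Action = 'Relocked'
        } else {
            # Equivalent of "copy /B NUL <file>": a zero-byte file that inherits the C:\Windows ACEs.
            New-Item -ItemType File -Path $p -ErrorAction Stop | Out-Null
            $r.Action = 'Created'
        }

        # The article's icacls command: remove inheritance without copying the inherited ACEs.
        # A freshly created file has only inherited ACEs, so this leaves the DACL empty.
        & icacls.exe $p /inheritance:r | Out-Null
        if ($LASTEXITCODE -ne 0) { throw "icacls failed on $p (exit code $LASTEXITCODE)" }

        # Verify. Explicit ACEs added earlier survive /inheritance:r, in which case Locked stays false.
        $after = Get-Acl -LiteralPath $p -ErrorAction Stop
        $r.Locked = $after.AreAccessRulesProtected -and $after.Access.Count -eq 0
        [pscustomobject]$r
    }
}

# Usage (elevated):
Install-BadRabbitVaccine | Format-Table -AutoSize
```

Any row with Locked = False after the run means a file still carries explicit permissions and needs manual attention; a row with Action = AlreadyLocked is a computer that was already vaccinated, which is exactly the case where the original Command step would have reported a failed copy.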