2

As a small mitigation on a large network for the exploit of replacing utilman.exe with cmd.exe from Windows repair and then changing the user password, I'm writing a small script based on the EventSentry tool that will detect that utilman.exe has changed, and I can attach an action to it. But this detection will take place after the attacker has already logged in to the local computer. So I'm writing a script that will change access rights, blocking delete and rename of utilman.exe, and I want to add a password change for the currently logged-in user and then log off.

This is what I have so far:

@ECHO off
takeown /f c:\windows\system32\utilman.exe
icacls c:\windows\system32\utilman.exe /deny *S-1-1-0:(DE,WD,AD,RX)
net user [NeedToGetLogedUser] 123456
shutdown -L

The action that I attach will execute this script under another user (not the actually logged-in user). So I need to get the user currently logged in to the computer instead of the user that this script will run under.

I was thinking of:

C:\Users\MyUser>query user
USERNAME              SESSIONNAME        ID  STATE   IDLE TIME  LOGON TIME
>MyUser              console             1  Active      none   7/9/2020 6:27 PM

But I can't figure out how to parse the result just to get "MyUser" alone (using findstr) to use it with the net user command.

Kurt Raschke
  • 103
  • 2
DefToneR
  • 461
  • 5
  • 12
  • You need something like `awk` from the UNIX world on Windows. You can get the same result using PowerShell; is this an option for you? – Krackout Jul 24 '20 at 13:15
  • PowerShell could be a plan B; some PowerShell scripting is blocked because of security policy, but if there is no other option I could use it. – DefToneR Jul 24 '20 at 13:18
  • Why are people still cobbling together batch scripts? PowerShell has been around for 13 years now, and for at least two thirds of that time it's been mature enough to be used for everyday work. It's so much more powerful and easy to use than batch. – Gerald Schneider Jul 24 '20 at 13:18
  • I guess the question is not about whether batch or PowerShell is better. ;) But sadly, in mid- and high-security networks PowerShell scripting must be disabled or restricted in order to meet PCI, STIG and other security standards. I would love to use PowerShell. – DefToneR Jul 24 '20 at 13:36

5 Answers

4

for /F "tokens=2 delims==" %f in ('wmic computersystem get username /value ^| find "="') do set "ConsoleUser=%f"

Output:

>set "ConsoleUser=COMPUTERORDOMAINNAME\username"

When run in a batch file, replace % with %%

for /F "tokens=2 delims==" %%f in ('wmic computersystem get username /value ^| find "="') do set "ConsoleUser=%%f"
echo %ConsoleUser%

Greg Askew
  • 34,339
  • 3
  • 52
  • 81
  • Thanks for the reply! for some reason in command line or batch file I get "| was unexpected at this time." I guess it does not like the pipe – DefToneR Jul 24 '20 at 14:10
  • I found that ^ is needed: for /F "tokens=2 delims==" %f in ('wmic computersystem get username /value ^| find "="') do set "ConsoleUser=%f" – DefToneR Jul 24 '20 at 14:31
  • @Deftoner: yes, that is odd, it must have been stripped out when I pasted it in. – Greg Askew Jul 24 '20 at 14:36
2

Thanks for all the replies. They helped me find the solution. I ended up writing this script, which works perfectly for what I need :)

@ECHO off
set ConsoleUser=None
takeown /f c:\windows\system32\utilman.exe
icacls c:\windows\system32\utilman.exe /deny *S-1-1-0:(DE,WD,AD,RX)
for /F "tokens=1" %%f in ('query user ^| find ">"') do set "ConsoleUser=%%f"
net user %ConsoleUser:~1% 123456
shutdown -L

This script will block execution, deletion and renaming of utilman.exe, reset the password of the user that is logged in and then log the user off. So the attacker can't modify utilman.exe again or execute it, and the password of the user was changed.

Thanks again!

DefToneR
  • 461
  • 5
  • 12
  • If anybody is curious, this is the article/script that I wrote based on this code. THANKS https://lnkd.in/expq4_y – DefToneR Aug 31 '20 at 15:19
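Building on the `query user` parsing in the answers above and on the accepted script, the following batch file is an added example; it is not code from the question or from any of the answers. It assumes a hypothetical baseline file c:\tools\utilman.sha256 created once with certutil on a known-good machine, and a hypothetical event source name UtilmanGuard with event ID 900. It locks the file down only when the current hash differs from that baseline, records the mismatch in the Application event log so EventSentry or a SIEM can pick it up, and logs off every Active session by its ID instead of calling shutdown /l, which would end the session the script itself runs in (it runs under a different account, usually a service in session 0, where no row of `query user` carries the ">" marker). The password reset is left out; the `net user` line from the accepted answer can be placed before `logoff` if it is required.

```batch
@echo off
setlocal EnableExtensions EnableDelayedExpansion

:: Assumed paths (hypothetical; adjust to your environment).
set "Target=c:\windows\system32\utilman.exe"
set "BaselineFile=c:\tools\utilman.sha256"
:: Create the baseline once, on a known-good system, with exactly this command:
::   certutil -hashfile "c:\windows\system32\utilman.exe" SHA256 > "c:\tools\utilman.sha256"

:: 1) Read the current SHA-256 of utilman.exe. certutil prints a header line,
::    the hash, then a status line; skip=1 drops the header and we keep the
::    first line that follows.
set "CurrentHash="
for /F "skip=1 delims=" %%h in ('certutil -hashfile "%Target%" SHA256') do (
    if not defined CurrentHash set "CurrentHash=%%h"
)

:: 2) Read the baseline the same way (it was produced by the same command).
set "BaselineHash="
for /F "usebackq skip=1 delims=" %%h in ("%BaselineFile%") do (
    if not defined BaselineHash set "BaselineHash=%%h"
)

if not defined CurrentHash (
    echo Could not hash %Target% - run this script elevated.
    exit /b 2
)
if not defined BaselineHash (
    echo No baseline found at %BaselineFile%.
    exit /b 2
)

:: 3) Compare. A matching hash means the binary is still the baselined one.
if /I "%CurrentHash%"=="%BaselineHash%" (
    echo utilman.exe matches the baseline - nothing to do.
    exit /b 0
)

:: 4) Tampered: write an Application-log event (source and ID are assumed
::    values), then lock the file down exactly as the accepted answer does.
eventcreate /T ERROR /ID 900 /L APPLICATION /SO UtilmanGuard ^
    /D "utilman.exe hash %CurrentHash% differs from baseline %BaselineHash%" >nul
takeown /f "%Target%" >nul
icacls "%Target%" /deny *S-1-1-0:(DE,WD,AD,RX) >nul

:: 5) Log off every Active session. Token 1 is the user name, token 3 the
::    session ID and token 4 the state; the header row and the
::    "No User exists" message never have "Active" in token 4, so they are
::    skipped. A leading ">" (the script's own session, if any) is stripped.
for /F "tokens=1,3,4" %%a in ('query user 2^>nul') do (
    if /I "%%c"=="Active" (
        set "User=%%a"
        if "!User:~0,1!"==">" set "User=!User:~1!"
        echo Logging off active session of !User! with session ID %%b
        rem shutdown /l would end this script's own session; logoff takes an ID.
        logoff %%b
    )
)
exit /b 1
```

Filtering on the STATE column rather than on the ">" marker is what makes the script independent of the account it runs under; disconnected sessions are not logged off, but they also cannot be used interactively until they are reconnected, at which point the lock-down on utilman.exe is already in place.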
0

If you want to split the username and domain and then use it to set a localappdata path for the user here's how to do it

:: Get current session user's Domain and username
for /F "tokens=2 delims==" %%f in ('wmic computersystem get username /value ^| find "="') do set "ConsoleUser=%%f"
:: Split and set variables for current session user's Domain and username
FOR /f "tokens=1 delims=\" %%a IN ("%ConsoleUser%") do set "domain=%%a"
FOR /f "tokens=2 delims=\" %%b IN ("%ConsoleUser%") do set "user=%%b"
:: Echo username and domain
echo %domain%
echo %user%
:: Set variable localappdata path and echo
set "localappdata=C:\users\%user%\AppData\Local"
echo %localappdata%
0

Same as below using Powershell

# get the Session ID of this process - the same as that of the user
$sessionId = Get-Process -id $pid | select-object -expand SessionId

# get the output of 'query.exe user' for that session ID
$quOutput = query.exe user $sessionId

# parse the output of query.exe to get the user ID only
$userId = $quOutput[1] -replace '^>([^\s]+).*$','$1'

# set localappdata path
$localappdata = "C:\users\${userId}\appdata\local"
  • If you run the script with elevated user rights you can get the username directly from `Get-Process` with the `-IncludeUserName` parameter. – Gerald Schneider Oct 20 '21 at 13:47
  • And don't bother writing `above` or `below` in your answer. The order depends on the number of votes and modification time and will change. – Gerald Schneider Oct 20 '21 at 13:49
  • Reread the question and you will see the reason that the -includeusername will not return the info needed. Also being a bit more polite to a new contributor would have been nice. – Phil Lawson Oct 21 '21 at 14:27
0

...and for the hat trick, the same as the above using VBScript

Set wshShell = WScript.CreateObject("WScript.Shell")

' Get the username
strUsername = Get_LoggedOnUserName()

' Set localappdata variable and then echo it out
Dim localappdata
localappdata = "C:\users\" & strUsername & "\appdata\local"
wscript.echo localappdata

Function Get_LoggedOnUserName
  ' Named arrParts rather than Array so it does not shadow VBScript's Array() function
  Dim arrParts
  strComputer = "."
  Set objWMIService = GetObject("winmgmts:\\" & strComputer & "\root\CIMV2")
  Set colItems = objWMIService.ExecQuery("SELECT * FROM Win32_ComputerSystem",,48)

  Get_LoggedOnUserName = ""
  For Each objItem in colItems
    ' UserName is "DOMAIN\user", or Null when nobody is logged on at the console
    If Not IsNull(objItem.UserName) Then
      arrParts = Split(objItem.UserName, "\", -1, 1)
      If UBound(arrParts) >= 1 Then Get_LoggedOnUserName = arrParts(1)
    End If
  Next

End Function