nathanmcnulty · April 8, 2026 05:53
diff --git a/mitigate-bluehammer.ps1 b/mitigate-bluehammer.ps1
 # =============================================
 # HARDEN \BaseNamedObjects\Restricted DACL
 # Remove create-object rights for Everyone / Users
 # Run as Administrator in a TEST VM only!
 # =============================================

 Set-ExecutionPolicy -Scope CurrentUser -ExecutionPolicy RemoteSigned -Force

 Install-Module NtObjectManager -Scope CurrentUser -Force -AllowClobber
 Import-Module NtObjectManager -Force

 $dirPath = "\BaseNamedObjects\Restricted"

 # === BACKUP FIRST (critical!) ===
 $backupPath = "C:\OM_Restricted_DACL_Backup_$(Get-Date -Format yyyyMMdd_HHmmss).txt"
 $originalSD = Get-NtSecurityDescriptor -Path $dirPath -SecurityInformation Dacl
 $originalSD | Out-File $backupPath -Encoding UTF8
 Write-Host "✅ Backup saved to: $backupPath" -ForegroundColor Green

 # === MODIFY DACL ===
 $sd = Get-NtSecurityDescriptor -Path $dirPath -SecurityInformation Dacl
 $dacl = $sd.Dacl

 $modified = $false
 foreach ($ace in @($dacl)) {   # copy to avoid modification-while-iterating
    if ($ace.Sid.Name -eq "Everyone" -or $ace.Sid.Name -like "*Users*" -or $ace.Sid -eq "WD") {
        $oldMask = $ace.Mask
        # Remove create-object (0x4) and create-subdirectory (0x8) bits
        $ace.Mask = $ace.Mask -band -bnot 0x0000000C
        if ($oldMask -ne $ace.Mask) {
            $modified = $true
            Write-Host "   Modified ACE for $($ace.Sid.Name): removed create rights" -ForegroundColor Yellow
        }
    }
 }

 if ($modified) {
    $sd.Dacl = $dacl
    Set-NtSecurityDescriptor -Path $dirPath -SecurityDescriptor $sd -SecurityInformation Dacl
    Write-Host "✅ DACL hardened successfully on $dirPath" -ForegroundColor Green
 } else {
    Write-Host "⚠️ No Everyone/Users create rights found to remove" -ForegroundColor Yellow
 }

 # === VERIFY ===
 Write-Host "`n=== New DACL ===" -ForegroundColor Cyan
 (Get-NtSecurityDescriptor -Path $dirPath -SecurityInformation Dacl).Dacl | Format-List Sid, Mask, Type, Flags
	# =============================================
	# HARDEN \BaseNamedObjects\Restricted DACL
	# Remove create-object rights for Everyone / Users
	# Run as Administrator in a TEST VM only!
	# =============================================

	Set-ExecutionPolicy -Scope CurrentUser -ExecutionPolicy RemoteSigned -Force

	Install-Module NtObjectManager -Scope CurrentUser -Force -AllowClobber
	Import-Module NtObjectManager -Force

	$dirPath = "\BaseNamedObjects\Restricted"

	# === BACKUP FIRST (critical!) ===
	$backupPath = "C:\OM_Restricted_DACL_Backup_$(Get-Date -Format yyyyMMdd_HHmmss).txt"
	$originalSD = Get-NtSecurityDescriptor -Path $dirPath -SecurityInformation Dacl
	$originalSD \| Out-File $backupPath -Encoding UTF8
	Write-Host "✅ Backup saved to: $backupPath" -ForegroundColor Green

	# === MODIFY DACL ===
	$sd = Get-NtSecurityDescriptor -Path $dirPath -SecurityInformation Dacl
	$dacl = $sd.Dacl

	$modified = $false
	foreach ($ace in @($dacl)) { # copy to avoid modification-while-iterating
	if ($ace.Sid.Name -eq "Everyone" -or $ace.Sid.Name -like "Users" -or $ace.Sid -eq "WD") {
	$oldMask = $ace.Mask
	# Remove create-object (0x4) and create-subdirectory (0x8) bits
	$ace.Mask = $ace.Mask -band -bnot 0x0000000C
	if ($oldMask -ne $ace.Mask) {
	$modified = $true
	Write-Host " Modified ACE for $($ace.Sid.Name): removed create rights" -ForegroundColor Yellow
	}
	}
	}

	if ($modified) {
	$sd.Dacl = $dacl
	Set-NtSecurityDescriptor -Path $dirPath -SecurityDescriptor $sd -SecurityInformation Dacl
	Write-Host "✅ DACL hardened successfully on $dirPath" -ForegroundColor Green
	} else {
	Write-Host "⚠️ No Everyone/Users create rights found to remove" -ForegroundColor Yellow
	}

	# === VERIFY ===
	Write-Host "`n=== New DACL ===" -ForegroundColor Cyan
	(Get-NtSecurityDescriptor -Path $dirPath -SecurityInformation Dacl).Dacl \| Format-List Sid, Mask, Type, Flags
No results found