Windows Server

Prevent Mimikatz | Install Lithnet Idle Logoff | PowerShell



Intro

Do you make sure to log out of your sessions when using Windows? If not, you could expose the systems you manage to a Mimikatz attack and cause a breach.

What is Mimikatz?

Mimikatz is a tool that can be used to extract passwords and other sensitive data from Windows systems. It is an open-source application that can be used by both attackers and security professionals:

  • Attackers: Use Mimikatz to steal credentials and gain access to systems and networks. Mimikatz can be used to bypass authentication measures like multi-factor authentication. Attackers can also use Mimikatz to perform attacks like pass the hash and pass the ticket.
  • Security professionals: Use Mimikatz to detect and exploit vulnerabilities in networks. 

Managing Logoffs On Servers

The way I went about this was using a third-party solution called Lithnet Idle Logoff. It puts a warning prompt on the screen and then automatically logs off idle user sessions. You configure it with Group Policy, and if you only want to target servers you can attach a WMI filter to the GPO so it applies to those machines alone.
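Before rolling Idle Logoff out it helps to see how many sessions are actually sitting disconnected or idle on your servers. The following is an added example, not code from the original post or from Lithnet: it parses the output of quser and flags stale sessions; the sample output is constructed, and the field layout assumes English-language quser output.

```powershell
# Added example (not from the original post): audit which sessions are sitting disconnected or
# idle on a server before rolling out Idle Logoff. It parses the output of quser; the sample
# below is constructed, and the field layout assumes English-language quser output.
function ConvertFrom-QuserIdleTime {
    param([string]$Idle)
    # quser prints idle time as "none", ".", "45" (minutes), "2:03" (h:mm) or "1+02:03" (d+hh:mm)
    if ($Idle -in @('none', '.')) { return 0 }
    $days = 0
    if ($Idle -match '^(\d+)\+(.+)$') { $days = [int]$Matches[1]; $Idle = $Matches[2] }
    $parts = $Idle -split ':'
    $minutes = if ($parts.Count -eq 2) { [int]$parts[0] * 60 + [int]$parts[1] } else { [int]$parts[0] }
    return $days * 1440 + $minutes
}

function Get-StaleSession {
    param(
        [Parameter(Mandatory)][string[]]$QuserLines,
        [int]$IdleThresholdMinutes = 60
    )
    foreach ($line in ($QuserLines | Select-Object -Skip 1)) {
        # Drop the '>' that marks the current session, then split on runs of two or more spaces
        $fields = ($line.TrimStart('>', ' ') -replace '\s{2,}', "`t") -split "`t"
        # A disconnected session has no SESSIONNAME, so the row is one field short
        if ($fields.Count -eq 5) { $fields = @($fields[0], '') + $fields[1..4] }
        $idle = ConvertFrom-QuserIdleTime $fields[4]
        [pscustomobject]@{
            User      = $fields[0]
            State     = $fields[3]
            IdleMins  = $idle
            LogonTime = $fields[5]
            Stale     = ($fields[3] -eq 'Disc') -or ($idle -ge $IdleThresholdMinutes)
        }
    }
}

# Constructed sample in quser's format; on a real server use: quser /server:WR-SVR-VM-FS
$sample = @(
    ' USERNAME              SESSIONNAME        ID  STATE   IDLE TIME  LOGON TIME',
    '>svc_admin             console             1  Active      none   1/2/2024 8:00 AM',
    ' jdoe                                      2  Disc      2+03:15  12/30/2023 4:00 PM',
    ' asmith                rdp-tcp#4           3  Active       1:30  1/2/2024 9:15 AM'
)
Get-StaleSession -QuserLines $sample | Format-Table -AutoSize
```

Every row flagged Stale is a logged-on session whose credentials remain resident on the server until someone logs it off, which is exactly what Idle Logoff automates.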

WMI Filter for Servers | GPO

  • For the WMI Filter you can configure as follows:
    Namespace: root\CIMv2
    Query: select * from Win32_ComputerSystem where Name LIKE "WR-SVR-VM-DC" OR Name LIKE "WR-SVR-VM-FS"

You can keep adding servers with further OR clauses if needed; each name must be enclosed in its own pair of double quotes.
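A typo in a WQL filter silently makes the GPO apply to nothing, so it is worth testing the query on a target before attaching it. This added example (not from the original post) builds the filter from a list of names and evaluates it locally with Get-CimInstance; the two server names are the post's examples, and the ProductType alternative at the end goes beyond the post by matching every server without listing names.

```powershell
# Added example (not from the original post): build the GPO WMI filter's WQL from a list of
# server names and test it locally before attaching it to the GPO. 'WR-SVR-VM-DC' and
# 'WR-SVR-VM-FS' are the post's example names.
function New-ServerNameWqlFilter {
    param([Parameter(Mandatory)][string[]]$ServerNames)
    # WQL LIKE with no '%' wildcard is an exact (case-insensitive) match, as in the post's query
    $clauses = $ServerNames | ForEach-Object { "Name LIKE `"$_`"" }
    return 'select * from Win32_ComputerSystem where ' + ($clauses -join ' OR ')
}

function Test-WmiFilterQuery {
    param(
        [Parameter(Mandatory)][string]$Query,
        [string]$Namespace = 'root\CIMv2'
    )
    # Get-CimInstance evaluates the same WQL the Group Policy client does; an invalid query throws
    try {
        $match = Get-CimInstance -Namespace $Namespace -Query $Query -ErrorAction Stop
        return [bool]$match
    } catch {
        Write-Warning "Query is not valid WQL: $($_.Exception.Message)"
        return $false
    }
}

$byName = New-ServerNameWqlFilter -ServerNames 'WR-SVR-VM-DC', 'WR-SVR-VM-FS'
$byName
"Matches this machine: $(Test-WmiFilterQuery -Query $byName)"

# Alternative that targets every server and domain controller without listing names:
# Win32_OperatingSystem.ProductType is 1 = workstation, 2 = domain controller, 3 = server
$allServers = 'select * from Win32_OperatingSystem where ProductType = 2 OR ProductType = 3'
"Is a server or DC: $(Test-WmiFilterQuery -Query $allServers)"
```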

Install Lithnet Idle Logoff | PowerShell Script

This script downloads and installs the program, then copies its Group Policy definitions (the ADMX/ADML templates) into the PolicyDefinitions store so the settings can be configured through a GPO.

PowerShell
# Check the OS: 64-bit Windows 10 Pro / Windows 11 Pro clients, or Windows Server (the script
# has to run on the domain controllers for the policy definitions to land in SYSVOL)
$OSInfo = Get-ComputerInfo

$IsSupportedClient = ($OSInfo.OsName -match "Windows 10 Pro") -or ($OSInfo.OsName -match "Windows 11 Pro")
$IsServer = $OSInfo.OsProductType -in @("Server", "DomainController")

if (($OSInfo.OsArchitecture -eq "64-bit") -and ($IsSupportedClient -or $IsServer)) {
    Write-Host "Supported OS detected ($($OSInfo.OsName)), continuing..." -ForegroundColor Cyan
} else {
    Write-Host "This script is intended for 64-bit Windows 10 Pro, Windows 11 Pro or Windows Server only." -ForegroundColor Red
    exit 1
}

# Define file URLs
$URL1 = "https://github.com/lithnet/idle-logoff/releases/download/v1.2.8134/lithnet.idlelogoff.setup.msi"
$URL2 = "https://github.com/lithnet/idle-logoff/archive/refs/tags/v1.2.8134.zip"

# Define paths
$Destination = "C:\TEMP"
$LogFile = Join-Path $Destination "Lithnet_Install.txt"
$DownloadPath1 = Join-Path $Destination "lithnet.idlelogoff.setup.msi"
$DownloadPath2 = Join-Path $Destination "idle-logoff-1.2.8134.zip"
$ExtractedPath = Join-Path $Destination "idle-logoff-1.2.8134"
$PolicyPath1 = "C:\Windows\SYSVOL\domain\Policies\PolicyDefinitions"
$PolicyPath2 = "C:\Windows\PolicyDefinitions"

# Function to log messages
function Log-Message($Message) {
    "$((Get-Date).ToString("yyyy-MM-dd HH:mm:ss")) - $Message" | Out-File -Append -FilePath $LogFile
}

# Function to create directory
function Ensure-Directory($Path) {
    if (!(Test-Path $Path)) {
        New-Item -Path $Path -ItemType Directory -Force | Out-Null
    }
}

# Function to download files with error handling
function Download-File($URL, $OutputPath) {
    try {
        # GitHub requires TLS 1.2; older Windows PowerShell builds do not enable it by default
        [Net.ServicePointManager]::SecurityProtocol = [Net.ServicePointManager]::SecurityProtocol -bor [Net.SecurityProtocolType]::Tls12
        Invoke-WebRequest -Uri $URL -OutFile $OutputPath -UseBasicParsing -ErrorAction Stop
        Log-Message "Downloaded: $OutputPath"
    } catch {
        Log-Message "Failed to download: $URL ($($_.Exception.Message))"
        exit 1
    }
}

# Function to install MSI silently and check the msiexec exit code
function Install-MSI($MSIPath) {
    if (Test-Path $MSIPath) {
        $proc = Start-Process msiexec.exe -ArgumentList "/i `"$MSIPath`" /quiet /norestart" -NoNewWindow -Wait -PassThru
        # 0 = success, 3010 = success but a reboot is required
        if ($proc.ExitCode -notin @(0, 3010)) {
            Log-Message "msiexec failed with exit code $($proc.ExitCode) for: $MSIPath"
            exit 1
        }
        Log-Message "Installed MSI: $MSIPath (exit code $($proc.ExitCode))"
    } else {
        Log-Message "MSI file not found: $MSIPath"
        exit 1
    }
}

# Function to extract ZIP
function Extract-ZIP($ZIPPath, $DestinationPath) {
    if (Test-Path $ZIPPath) {
        Expand-Archive -LiteralPath $ZIPPath -DestinationPath $DestinationPath -Force
        Log-Message "Extracted: $ZIPPath to $DestinationPath"
    } else {
        Log-Message "ZIP file not found: $ZIPPath"
        exit 1
    }
}

# Function to copy policy files
function Copy-PolicyFiles($Source, $Destination) {
    if (Test-Path $Source) {
        Ensure-Directory $Destination
        Copy-Item -Path $Source -Destination $Destination -Recurse -Force
        Log-Message "Copied policy files to: $Destination"
    } else {
        Log-Message "Source policy files not found: $Source"
        exit 1
    }
}

# Execute functions
Ensure-Directory $Destination
Log-Message "Starting script execution"
Download-File $URL1 $DownloadPath1
Download-File $URL2 $DownloadPath2
Install-MSI $DownloadPath1
Extract-ZIP $DownloadPath2 $ExtractedPath

# Only a domain controller holds SYSVOL, so copy to the central store there; otherwise use the local store
if ($OSInfo.OsProductType -eq 'DomainController') {
    Copy-PolicyFiles "$ExtractedPath\idle-logoff-1.2.8134\src\Lithnet.IdleLogoff\PolicyDefinitions\*" $PolicyPath1
} else {
    Copy-PolicyFiles "$ExtractedPath\idle-logoff-1.2.8134\src\Lithnet.IdleLogoff\PolicyDefinitions\*" $PolicyPath2
}

Log-Message "Script execution completed successfully!"

You also need to install Lithnet Idle Logoff on each client computer you want to target. Once you have run this script on the PDC and configured the policy, domain-joined computers will pull the GPO settings from SYSVOL.


Summary of Script

This PowerShell script is designed to automate the process of downloading, installing, and configuring the Lithnet Idle Logoff software. Below is a summary of the operations it performs:

Step-by-Step Breakdown:

  1. OS Compatibility Check
    • The script begins by checking that the operating system is 64-bit and is either Windows 10 Pro, Windows 11 Pro or Windows Server. If the system doesn't meet these requirements, the script halts with an error message.
  2. Defining URLs and File Paths:
    • Two URLs are defined for downloading the Lithnet Idle Logoff setup (MSI installer and ZIP archive).
    • Destination directory (C:\TEMP) is specified to store the downloaded files, extracted content, and the log file.
    • Paths for policy definitions in SYSVOL and PolicyDefinitions directories are defined.
  3. Helper Functions:
    • Log-Message: Logs messages to a log file, including timestamps for each message.
    • Ensure-Directory: Checks if a directory exists, and if not, it creates it.
    • Download-File: Downloads the file from the given URL and saves it to the specified destination. It logs a message on success or failure.
    • Install-MSI: Installs the MSI file using msiexec with silent installation (/quiet) and no restart (/norestart).
    • Extract-ZIP: Extracts the ZIP file to the specified directory.
    • Copy-PolicyFiles: Copies policy files from the extracted folder to the appropriate PolicyDefinitions folder.
  4. Script Execution:
    • Ensures that the destination directory exists.
    • Logs the start of script execution.
    • Downloads the MSI and ZIP files.
    • Installs the MSI silently.
    • Extracts the ZIP archive to the destination.
    • Copies the extracted policy files to the appropriate policy directory: the SYSVOL central store (C:\Windows\SYSVOL\domain\Policies\PolicyDefinitions) on a domain controller, otherwise the local store (C:\Windows\PolicyDefinitions).
    • Logs the successful completion of the script.

How the Script Works:

  • Downloading Files:
    • The Download-File function uses Invoke-WebRequest to download the MSI and ZIP files to the $Destination directory.
    • The script logs each download, and if any download fails, it exits with an error.
  • Installing the Software:
    • The Install-MSI function runs the MSI installer silently using msiexec. This installs the Lithnet Idle Logoff software without requiring user input.
  • Extracting the ZIP Archive:
    • The Extract-ZIP function expands the ZIP file to a specific directory using Expand-Archive.
  • Copying Policy Files:
    • The script copies the extracted policy definitions from the ZIP archive to the required system directories, ensuring the necessary Group Policy definitions are available.
  • Logging:
    • Throughout the script, Log-Message is used to log key events (e.g., downloading, installation, extraction, copying files) along with timestamps to the log file (Lithnet_Install.txt).

Potential Issues and Considerations:

  • Permissions: The script requires administrative privileges to install the MSI, extract files, and copy files to system directories.
  • Network Access: Ensure that the system running this script has internet access to download the files from GitHub.
  • Integrity: The script installs whatever it downloads, so verify the MSI's digital signature (Get-AuthenticodeSignature) or compare it against a hash you trust before running it on production servers.
  • File Locations: Ensure the paths ($Destination, $PolicyPath1, $PolicyPath2) are correct and accessible.
  • Existing Files: If the files already exist at the destination (MSI, ZIP, policy files), the script overwrites them, since Invoke-WebRequest -OutFile, Expand-Archive -Force and Copy-Item -Force all replace existing files.

Final Note:

This script is well-structured for automating the installation and configuration of the Lithnet Idle Logoff software and its associated Group Policy definitions, ensuring everything is handled efficiently and logged for future reference.

Conclusion

Well, that’s a wrap! Hopefully this helps.
