Identifying Group Policy attacks – Sophos News


In this post we will be discussing Group Policy attacks, basing the threat hunt on a ransomware investigation undertaken by the Sophos X-Ops Incident Response team earlier this year. We will cover malicious behaviors associated with Active Directory and Group Policy attacks, showing you how to investigate and remediate some of these threats.

Much of the material in this post is also covered in the video "Identifying Group Policy Attacks," now showing on our new Sophos X-Ops YouTube channel. The video shows a hunt and remediation using Sophos Live Response (a key feature of Sophos Intercept X Advanced with XDR, and our standard investigation tool), though hunters can replicate these steps from any Windows shell with the GroupPolicy PowerShell module available.

This post walks through the same material, but presents the onscreen information in a reader-friendly format.

The case 

In the Cyclops ransomware case under discussion, the threat actor gained initial access to the environment by exploiting a ProxyShell vulnerability on an unpatched Exchange server. Four days after gaining initial access, the threat actor began executing their attack using encoded PowerShell commands run from the web shell on the Exchange server.

The attacker proceeded to disable endpoint protection as a defense evasion technique, and to clear Windows event logs and web browser history. The attacker then used Remote Desktop Protocol (RDP) to move laterally to additional machines on the network. Both Cobalt Strike command-and-control malware and AnyDesk remote access software were installed on several machines to maintain access. A day later, the attacker used that network access to exfiltrate data to multiple cloud storage providers.

After that, the attacker used Active Directory Group Policy to distribute the Cyclops ransomware binary to machines on the domain, and created a further Group Policy to execute the binary via a scheduled task. In the final stage of the attack, the attacker deleted volume shadow copies. Machines on the domain ran the scheduled task, executing the Cyclops ransomware binary, encrypting files, and leaving ransom notes.

Why target Group Policy?

Group Policy attacks are an indicator of a larger Active Directory compromise. In a Group Policy attack, threat actors may abuse existing Group Policy Objects, for example a GPO that runs a script or installer from a UNC path on a less-secure, writable share, by replacing the payload at that location. They may also harvest account passwords set through Group Policy Preferences: the cpassword attribute stored in SYSVOL is encrypted with an AES key that Microsoft itself published, so anyone who can read SYSVOL (by default, every domain user) can recover those passwords.

Once a threat actor has escalated privileges, they often create GPOs to accomplish objectives at scale, such as disabling core security software and features including firewalls, antivirus, security updates, and logging. They may also use GPOs to deploy malicious tools through the creation of scheduled tasks, startup or logon scripts, or services, in order to maintain persistence and execute malware.
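As an added example that is not part of the original Sophos post, the following PowerShell hunts SYSVOL for the cpassword weakness described above. The AES key is the one Microsoft published in the MS-GPPREF specification, which is exactly why any cpassword still present in SYSVOL must be treated as disclosed. The default share path is an assumption about the environment, and the fake SYSVOL tree, GPO GUID, account name and password at the bottom are constructed so the hunt can be exercised offline.

```powershell
# Added example (not from the Sophos post): find Group Policy Preferences items in SYSVOL that
# still carry a cpassword attribute and recover the plaintext with the published MS-GPPREF key.
# Point -SysvolPolicies at an offline copy of the Policies folder when working from an image.

$GppAesKey = [byte[]](0x4e,0x99,0x06,0xe8,0xfc,0xb6,0x6c,0xc9,0xfa,0xf4,0x93,0x10,0x62,0x0f,0xfe,0xe8,
                      0xf4,0x96,0xe8,0x06,0xcc,0x05,0x79,0x90,0x20,0x9b,0x09,0xa4,0x33,0xb6,0x6c,0x1b)

function ConvertFrom-GppCpassword {
    param([Parameter(Mandatory)][string]$Cpassword)
    # GPP strips the base64 '=' padding before storing the value; restore it before decoding.
    $padded = $Cpassword + ('=' * ((4 - $Cpassword.Length % 4) % 4))
    $aes = [System.Security.Cryptography.Aes]::Create()     # AES-256, CBC, PKCS7 (the defaults)
    $aes.Key = $GppAesKey
    $aes.IV  = New-Object byte[] 16                           # all-zero IV, as the format specifies
    $cipher  = [Convert]::FromBase64String($padded)
    $plain   = $aes.CreateDecryptor().TransformFinalBlock($cipher, 0, $cipher.Length)
    [System.Text.Encoding]::Unicode.GetString($plain)        # passwords are stored as UTF-16LE
}

function Find-GppCpassword {
    param([string]$SysvolPolicies = "\\$env:USERDNSDOMAIN\SYSVOL\$env:USERDNSDOMAIN\Policies")
    Get-ChildItem -Path $SysvolPolicies -Recurse -Filter *.xml -ErrorAction SilentlyContinue |
        Where-Object { Select-String -Path $_.FullName -Pattern 'cpassword=' -Quiet } |
        ForEach-Object {
            $file = $_
            $xml  = [xml](Get-Content -LiteralPath $file.FullName -Raw)
            # Any element with a non-empty cpassword attribute, whatever the preference type
            # (Groups.xml, ScheduledTasks.xml, Services.xml, DataSources.xml, Drives.xml ...).
            foreach ($node in $xml.SelectNodes('//*[@cpassword!=""]')) {
                [pscustomobject]@{
                    GpoGuid  = if ($file.FullName -match '\{[0-9A-Fa-f-]{36}\}') { $Matches[0] } else { $null }
                    File     = $file.FullName
                    Account  = $node.userName   # set on Groups.xml user items, empty otherwise
                    RunAs    = $node.runAs      # set on ScheduledTasks.xml items, empty otherwise
                    Password = ConvertFrom-GppCpassword $node.cpassword
                }
            }
        }
}

# --- Constructed demo so the hunt runs offline: a fake Policies tree with one Groups.xml ---
function New-GppCpassword([string]$Password) {   # demo-only encryptor used to build the sample
    $aes = [System.Security.Cryptography.Aes]::Create(); $aes.Key = $GppAesKey; $aes.IV = New-Object byte[] 16
    $bytes = [System.Text.Encoding]::Unicode.GetBytes($Password)
    [Convert]::ToBase64String($aes.CreateEncryptor().TransformFinalBlock($bytes, 0, $bytes.Length)).TrimEnd('=')
}
$demoRoot = Join-Path $env:TEMP 'FakeSysvol\Policies'
$demoGpo  = Join-Path $demoRoot '{E7C2B3A1-0000-4000-8000-000000000001}\Machine\Preferences\Groups'
New-Item -ItemType Directory -Path $demoGpo -Force | Out-Null
@"
<Groups clsid="{3125E937-EB16-4b4c-9934-544FC6D24D26}">
  <User clsid="{DF5F1855-51E5-4d24-8B1A-D9BDE98BA1D1}" name="svc_backup" changed="2023-01-15 10:22:04">
    <Properties action="U" cpassword="$(New-GppCpassword 'Winter2023!')" noChange="1" neverExpires="1" userName="svc_backup"/>
  </User>
</Groups>
"@ | Set-Content -LiteralPath (Join-Path $demoGpo 'Groups.xml') -Encoding UTF8

Find-GppCpassword -SysvolPolicies $demoRoot | Format-List
```

Run against the live default path on a domain-joined host, the same function lists every GPO GUID that still ships a recoverable password; each such account should be considered compromised and rotated, and the preference item removed, regardless of whether the current incident touched it.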

Happy hunting

Investigators begin a ransomware investigation-and-remediation process by collecting whatever victim testimony and forensic data are available. Using the tools at hand, they search for indicators of compromise in the standard forensic artifacts, such as Windows event logs, PowerShell history, startup items, shellbags, scheduled tasks, shim cache, and so on.

When performing an analysis, synchronized or recurring evidence is a key indicator of a Group Policy attack. For example, when the same scheduled task or file execution appears on multiple machines at nearly the same time, it indicates remote execution or the use of Group Policy. When there are no logs showing the use of software deployment tools or Windows Management Instrumentation to explain that spread, Group Policy was likely compromised. This malicious synchronization is especially evident during triage, when persistent scheduled tasks reappear on systems after being removed, because the policy re-creates them at the next Group Policy refresh.
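The "synchronized evidence" test above can be expressed as detection logic. The PowerShell below is an added example and not part of the original post: it takes scheduled-task creation records, groups them by task name and command, and flags any task that lands on several hosts within a short window. The collector assumes Security event 4698 (A scheduled task was created), which is only written when the "Audit Other Object Access Events" subcategory is enabled; the sample records, host names and times at the bottom are constructed, not real telemetry.

```powershell
# Added example (not from the Sophos post): flag scheduled tasks that appear on several hosts
# within a short window, which points at Group Policy or another remote deployment mechanism.

function Get-TaskCreationEvents {
    # Collector for live hosts: reduce Security 4698 events to the fields we correlate on.
    param([Parameter(Mandatory)][string[]]$ComputerName, [datetime]$Since = (Get-Date).AddDays(-7))
    foreach ($c in $ComputerName) {
        Get-WinEvent -ComputerName $c -FilterHashtable @{ LogName = 'Security'; Id = 4698; StartTime = $Since } -ErrorAction SilentlyContinue |
            ForEach-Object {
                $x = [xml]$_.ToXml()
                $data = @{}
                foreach ($d in $x.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
                $task = [xml]$data['TaskContent']          # 4698 embeds the full task XML
                [pscustomobject]@{
                    Computer    = $c
                    TimeCreated = $_.TimeCreated
                    TaskName    = $data['TaskName']
                    Command     = ($task.Task.Actions.Exec.Command -join ' ')
                }
            }
    }
}

function Find-SynchronizedTasks {
    # $MinHosts distinct machines creating the same task/command within $WindowMinutes is the signal.
    param([Parameter(Mandatory)][object[]]$Events, [int]$MinHosts = 3, [int]$WindowMinutes = 30)
    $Events | Group-Object TaskName, Command | ForEach-Object {
        $hits     = $_.Group | Sort-Object TimeCreated
        $spread   = New-TimeSpan -Start $hits[0].TimeCreated -End $hits[-1].TimeCreated
        $distinct = ($hits.Computer | Sort-Object -Unique).Count
        if ($distinct -ge $MinHosts -and $spread.TotalMinutes -le $WindowMinutes) {
            [pscustomobject]@{
                TaskName      = $hits[0].TaskName
                Command       = $hits[0].Command
                Hosts         = $distinct
                First         = $hits[0].TimeCreated
                SpreadMinutes = [math]::Round($spread.TotalMinutes, 1)
            }
        }
    }
}

# --- Constructed sample (not real telemetry): five workstations receive the same task within
#     three minutes of each other; one admin-created task on a single host is the benign control.
$t0 = Get-Date '2023-03-14T02:00:00'
$sample = @(
    foreach ($i in 1..5) {
        [pscustomobject]@{ Computer = "WS$($i.ToString('00'))"; TimeCreated = $t0.AddSeconds($i * 45)
                           TaskName = '\Pawn'; Command = 'C:\Windows\rook.exe' }
    }
    [pscustomobject]@{ Computer = 'FS01'; TimeCreated = $t0.AddHours(6)
                       TaskName = '\LogRotate'; Command = 'C:\Scripts\rotate.ps1' }
)
Find-SynchronizedTasks -Events $sample | Format-Table -AutoSize
```

On a live estate the two functions chain: `Find-SynchronizedTasks -Events (Get-TaskCreationEvents -ComputerName $hosts)`. Only the \Pawn row should surface from the sample; the single LogRotate task never reaches the host threshold. A legitimate deployment tool will produce the same shape, so the result is a lead to check against deployment-tool and WMI logs rather than a verdict on its own.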

Once a Group Policy attack is suspected, investigators should look at the Group Policy Objects on the domain controller, using the PowerShell command Get-GPO -All to list all of them. Filtering these results

Get-GPO -All | Sort-Object ModificationTime -Descending | Format-Table DisplayName, ModificationTime, CreationTime 

allows the investigator to see modification and creation times and look for intersections with the rest of the case timeline. Sorting by the date on which GPOs were last modified quickly surfaces any GPOs created or modified by the threat actor. At this point it is useful to generate a GPO report for further investigation.

Get-GPOReport -All -ReportType Html -Path "C:\Windows\Temp\Sophos_GPOReport.html"

Examining the GPO report, we can discern the purpose of any Group Policy Objects with suspicious names or recent modification times. In the Cyclops case anonymized for our video, we identified three suspicious-looking GPOs, which for anonymization purposes we call "Pawn," "Rook," and "Queen."

  • In the case of Pawn, the attacker used the GPO to install a scheduled task on domain computers that runs the program rook.exe.
  • The Rook GPO is used to copy the rook.exe file to domain-joined machines from an administrative share on the file server. Since that is exactly what an attacker would do with malware, we immediately go to the local system to see if a copy is still present, using Get-ItemProperty "C:\Windows\rook.exe". If it is, an investigator can obtain the hash of the file (using Get-FileHash "C:\Windows\rook.exe") and check it against VirusTotal to see whether it is known to be malicious; the hash also provides a means to block the file across the environment. Bear in mind that a hash only blocks this exact file, so a recompiled or padded variant will need a fresh one. It is wise, of course, to retain a sample of the malware for further forensic analysis.
  • The Queen GPO configures the Windows Firewall profiles to Off. It also appears that Queen disables Windows Defender's antimalware protections, including real-time scanning.
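Reading an HTML report for every GPO does not scale once a domain has a few hundred of them, so the following PowerShell automates the step above: it takes the XML form of Get-GPOReport and extracts the four behaviors that Pawn, Rook and Queen exhibit (scheduled tasks, file copies, firewall profiles switched off, and Defender-related administrative template policies). This is an added example, not code from the Sophos post. The XPath uses local-name() so the q1/q2 namespace prefixes in real reports do not matter; the sample report at the bottom is constructed and folds all three GPOs' settings into one object purely to exercise every branch.

```powershell
# Added example (not from the Sophos post): triage Get-GPOReport XML for the behaviours seen in
# the Pawn (scheduled task), Rook (file copy) and Queen (firewall/Defender off) GPOs.

function Get-GpoReportFindings {
    param([Parameter(Mandatory)][string]$ReportXml, [string]$DisplayName = '(unknown)')
    $doc = [xml]$ReportXml

    # Group Policy Preferences scheduled tasks (TaskV2, Task and ImmediateTask items)
    foreach ($t in $doc.SelectNodes("//*[local-name()='ScheduledTasks']/*")) {
        $cmd = $t.SelectSingleNode(".//*[local-name()='Command']")
        $arg = $t.SelectSingleNode(".//*[local-name()='Arguments']")
        [pscustomobject]@{ GPO = $DisplayName; Kind = 'ScheduledTask'; Item = $t.GetAttribute('name')
                           Detail = ("$($cmd.InnerText) $($arg.InnerText)").Trim() }
    }
    # Group Policy Preferences file copies: where the payload comes from and where it lands
    foreach ($p in $doc.SelectNodes("//*[local-name()='Files']/*[local-name()='File']/*[local-name()='Properties']")) {
        [pscustomobject]@{ GPO = $DisplayName; Kind = 'FileCopy'; Item = $p.GetAttribute('targetPath')
                           Detail = "from $($p.GetAttribute('fromPath'))" }
    }
    # Windows Firewall profiles where EnableFirewall is explicitly set to false
    foreach ($e in $doc.SelectNodes("//*[local-name()='EnableFirewall'][*[local-name()='Value']='false']")) {
        [pscustomobject]@{ GPO = $DisplayName; Kind = 'FirewallOff'; Item = $e.ParentNode.LocalName
                           Detail = 'EnableFirewall=false' }
    }
    # Enabled Administrative Template policies whose name points at Defender / antivirus
    foreach ($pol in $doc.SelectNodes("//*[local-name()='Policy'][*[local-name()='State']='Enabled']")) {
        $name = $pol.SelectSingleNode("*[local-name()='Name']").InnerText
        if ($name -match 'Defender|Antivirus|real-time protection|Antimalware') {
            [pscustomobject]@{ GPO = $DisplayName; Kind = 'DefenderPolicy'; Item = $name; Detail = 'Enabled' }
        }
    }
}

# Live usage on a domain controller (GroupPolicy module): newest-modified GPOs first, as in the hunt.
# Get-GPO -All | Sort-Object ModificationTime -Descending | ForEach-Object {
#     Get-GpoReportFindings -ReportXml (Get-GPOReport -Guid $_.Id -ReportType Xml) -DisplayName $_.DisplayName
# }

# --- Constructed sample report (not a real export); element layout mirrors Get-GPOReport output ---
$sampleReport = @'
<GPO xmlns="http://www.microsoft.com/GroupPolicy/Settings">
  <Name>Queen</Name>
  <Computer><ExtensionData>
    <Extension xmlns:q1="http://www.microsoft.com/GroupPolicy/Settings/ScheduledTasks">
      <q1:ScheduledTasks><q1:TaskV2 name="Pawn"><q1:Properties action="C" runAs="NT AUTHORITY\System">
        <q1:Task><q1:Actions><q1:Exec><q1:Command>C:\Windows\rook.exe</q1:Command><q1:Arguments></q1:Arguments></q1:Exec></q1:Actions></q1:Task>
      </q1:Properties></q1:TaskV2></q1:ScheduledTasks>
    </Extension>
    <Extension xmlns:q2="http://www.microsoft.com/GroupPolicy/Settings/Files">
      <q2:Files><q2:File name="rook.exe"><q2:Properties action="U" fromPath="\\FS01\ADMIN$\rook.exe" targetPath="C:\Windows\rook.exe"/></q2:File></q2:Files>
    </Extension>
    <Extension xmlns:q3="http://www.microsoft.com/GroupPolicy/Settings/WindowsFirewall">
      <q3:DomainProfile><q3:EnableFirewall><q3:Value>false</q3:Value></q3:EnableFirewall></q3:DomainProfile>
    </Extension>
    <Extension xmlns:q4="http://www.microsoft.com/GroupPolicy/Settings/Registry">
      <q4:Policy><q4:Name>Turn off Microsoft Defender Antivirus</q4:Name><q4:State>Enabled</q4:State></q4:Policy>
      <q4:Policy><q4:Name>Turn off real-time protection</q4:Name><q4:State>Enabled</q4:State></q4:Policy>
    </Extension>
  </ExtensionData></Computer>
</GPO>
'@
Get-GpoReportFindings -ReportXml $sampleReport -DisplayName 'Queen (sample)' | Format-Table -AutoSize
```

The sample yields five rows: the Pawn task running C:\Windows\rook.exe, the copy from \\FS01\ADMIN$ to C:\Windows\rook.exe, the domain profile with the firewall off, and the two Defender policies. The fromPath value is worth chasing on its own: it names the staging share the attacker wrote to, which is usually where the original sample and the attacker's other tooling still sit.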

Making it better

Once malicious behaviors in your environment are identified, containment and remediation can begin via the Group Policy Management tool on the Active Directory administration server.

First, deal with Queen, which is undermining Windows Firewall and Windows Defender. Disabling this policy stops those settings from overriding the local Windows defaults at the next Group Policy refresh.

Next it's Rook's turn to be taken off the board. Disabling this policy prevents the malware rook.exe from being copied to any additional machines on the network. The malware executable should also be blocked in the global settings for the entire estate, using the hash obtained earlier. This removes the malware's ability to execute in the future, whether in a fresh attacker attempt or when an infected backup tries to reload the executable. (Good backup hygiene is an important topic for defenders to consider, but it lies slightly outside the scope of this article.)

Finally, remediate Pawn, the GPO that deploys the malicious scheduled task. Disabling this GPO prevents further deployments of the scheduled task to computers on the domain. Following these remediation steps will help prevent the spread of malicious activity throughout the network.

All three of these steps involve disabling malicious GPOs, but that is not enough; proper remediation also means taking steps that perform the opposite action(s) to those taken by the malicious GPOs. Group Policy Preferences items such as the scheduled task and the copied binary are, by default, left in place on each host when the GPO that created them stops applying, so they must be removed explicitly. This can itself be done at scale with GPOs or other systems management platforms. Another option, which some enterprises may prefer, is rollback. If you choose the latter, inspect the archived material for infection or unwanted alteration before restoring it.
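The containment sequence described above, done from PowerShell rather than the Group Policy Management console, as an added example that is not part of the Sophos post. The GPO names, task name and binary path are the anonymized ones from the case; the evidence and quarantine folders are assumptions. The first function needs the GroupPolicy module (RSAT) and rights to edit GPOs; the second runs on each affected endpoint, for instance through a remote shell, and undoes what the GPOs left behind.

```powershell
# Added example (not from the Sophos post): back up, then disable the malicious GPOs on the domain
# side, and reverse their effects on each endpoint. Folder paths below are assumptions.

function Disable-MaliciousGpo {
    param([Parameter(Mandatory)][string[]]$Name, [string]$EvidencePath = 'C:\IR\GPO-Backups')
    New-Item -ItemType Directory -Path $EvidencePath -Force | Out-Null
    foreach ($n in $Name) {
        $gpo = Get-GPO -Name $n -ErrorAction Stop
        # Preserve the malicious GPO (settings, ACLs, GPT files) as evidence before neutralising it
        Backup-GPO -Guid $gpo.Id -Path $EvidencePath -Comment "IR evidence $(Get-Date -Format s)" | Out-Null
        # AllSettingsDisabled switches off both the Computer and User halves without deleting the object,
        # so links, history and the attacker's changes stay intact for the investigation
        $gpo.GpoStatus = 'AllSettingsDisabled'
        # Re-read from the domain controller to confirm the change took effect
        $check = Get-GPO -Guid $gpo.Id
        [pscustomobject]@{ GPO = $n; Id = $gpo.Id; Status = $check.GpoStatus; Modified = $check.ModificationTime }
    }
}

function Undo-GpoTattoo {
    # Run on each affected host. Disabling the GPOs does not remove what Group Policy Preferences
    # already created, so the task and binary are removed explicitly, then firewall and Defender
    # real-time protection are turned back on.
    param([string]$TaskName = 'Pawn', [string]$BinaryPath = 'C:\Windows\rook.exe', [string]$Quarantine = 'C:\IR\Quarantine')
    $result = [ordered]@{ Computer = $env:COMPUTERNAME }

    # Pull the now-disabled policy first; Administrative Template settings (Queen) are reverted by the
    # refresh itself, and Set-MpPreference is refused while the Defender policy keys are still present.
    & gpupdate.exe /force /target:computer | Out-Null

    $task = Get-ScheduledTask -TaskName $TaskName -ErrorAction SilentlyContinue
    if ($task) { $task | Unregister-ScheduledTask -Confirm:$false }
    $result.TaskRemoved = [bool]$task

    if (Test-Path -LiteralPath $BinaryPath) {
        New-Item -ItemType Directory -Path $Quarantine -Force | Out-Null
        $result.Sha256 = (Get-FileHash -LiteralPath $BinaryPath -Algorithm SHA256).Hash   # for blocking and VT lookup
        # Keep the sample under a non-executable name rather than deleting it
        Move-Item -LiteralPath $BinaryPath -Destination (Join-Path $Quarantine "rook.exe.$($result.Sha256).bin") -Force
    }

    Set-NetFirewallProfile -Profile Domain,Private,Public -Enabled True
    Set-MpPreference -DisableRealtimeMonitoring $false
    $result.FirewallOn = -not (Get-NetFirewallProfile | Where-Object { $_.Enabled -ne 'True' })
    $result.RealtimeOn = -not (Get-MpPreference).DisableRealtimeMonitoring
    [pscustomobject]$result
}

# Domain side, Queen first as in the text:   Disable-MaliciousGpo -Name 'Queen','Rook','Pawn'
# Then on every machine that received the policies:   Undo-GpoTattoo
```

Collect the per-host objects centrally: any host reporting TaskRemoved without a Sha256 has had the binary removed by someone else (or already executed and cleaned up), and any host where FirewallOn or RealtimeOn stays false has either not refreshed policy yet or has a second, as yet unidentified GPO still applying.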

Acknowledgements 

Elida Leite and Rajat Wason contributed to this research.
