Title: Group Policy Attacks: Investigating and Remedying the Threat
This article explores Group Policy attacks, focusing on a ransomware investigation conducted by the Sophos X-Ops Incident Response team. By discussing the malicious behaviors associated with Active Directory and Group Policy attacks, we aim to provide insights into investigating and remediating these threats. While the information is also available in a video format on Sophos X-Ops YouTube channel, this article presents the material in a reader-friendly format.
In the case of the Cyclops ransomware attack, the threat actor initially gained access through an unpatched Exchange server using the ProxyShell vulnerability. The attacker then proceeded to perform various malicious actions, including disabling endpoint protection, clearing event logs and browser history, leveraging Remote Desktop Protocol (RDP) for lateral movement, installing Cobalt Strike command-and-control malware and AnyDesk remote access software, exfiltrating data to cloud storage providers, and ultimately using Active Directory Group Policy to distribute and execute the ransomware binary. The attack concluded by deleting volume shadow copy backups and encrypting files on machines, leaving ransom notes.
Why Target Group Policy?
Group Policy attacks are indicative of broader Active Directory attacks. Threat actors exploit existing Group Policy Objects to execute malicious payloads or intercept user passwords set via Group Policy. Once privileges are escalated, threat actors create GPOs to disable core security software and features, deploy malicious tools, and maintain persistence on compromised systems.
When investigating a ransomware attack, collecting victim testimonies and forensic data is crucial. Analyzing standard forensic artifacts such as event logs, PowerShell history, scheduled tasks, and startup items can reveal indicators of a Group Policy attack. The presence of synchronized or recurring evidence, such as remote execution or the use of Group Policy, can be strong indications. Additionally, the absence of system logs related to software deployment tools or Windows Management Instrumentation suggests a compromised Group Policy.
Identifying Group Policy Attacks:
Investigators should examine Group Policy objects on the domain controller using PowerShell commands to list and filter them based on modification and creation times. Generating a GPO report provides further insights into the purpose of suspiciously named Group Policy objects. In the Cyclops case, three suspicious GPOs named “Pawn,” “Rook,” and “Queen” were identified. Analyzing these GPOs and checking associated files against known malicious hashes can help identify and block malware.
To remediate a Group Policy attack, containment and remediation can be initiated through the Group Policy Management tool on the Active Directory management server. Disabling the GPOs that undermine Windows Firewall and Windows Defender operations, prevent malware distribution, and disable malicious scheduled tasks are crucial steps. Proper remediation involves taking steps that counter the actions of malicious GPOs, which can be done at scale with GPOs or other device management platforms. Alternatively, enterprises may choose to rollback and inspect archived material for infection or unwanted alterations.
1. Group Policy attacks are indicative of broader Active Directory attacks, involving the exploitation of existing GPOs and interception of user passwords.
2. Investigating Group Policy attacks involves analyzing standard forensic artifacts and identifying synchronized or recurring evidence.
3. PowerShell commands can be used to list and filter GPOs based on modification and creation times, and GPO reports can provide further insights.
4. Remediation steps include disabling GPOs undermining security operations, preventing malware distribution, and disabling malicious scheduled tasks.
5. Proper remediation involves countering the actions of malicious GPOs and may involve scaling with GPOs or device management platforms, or opting for rollback and inspection of archived material.