Investigating Ransomware Deployments that happened via Group Policy

Group Policy is a powerful tool that attackers are using to deploy their ransomware across a network. This blog post will cover some tips on how we can hunt for this type of activity in the event logs, and so on. We will be relying on the default Windows event logs that are straight out of the box.

In order to deploy a GPO and push it to an entire Windows network. It typically requires having Domain Admin or equivalent rights in the first place.

Let’s cover a real example. BleepingComputers reported last year in 2021 that LockBit was using Group Policies to infect an entire Windows network. During this blogpost, we will be using a LockBit sample that has these capabilities.

GPO Analysis

As we can see here, we have executed the LockBit ransomware encryptor on a Domain Controller and it was leveraging Group Policy to push the ransomware across the environment. The GPO is linked to the Domain Naming Context, which covers all the machines in the domain. Let’s review the GPO settings that is configured by LockBit and map it to the MITRE ATT&CK framework.

T1562 – Impair Defenses

We can see in the GPO settings that the ransomware will disable Windows Defender to make the rollout of the ransomware deployment go easier, since AV may block it.

T1489 – Service Stop

Ransomware is usually known for stopping services to be able to successfully encrypt files. At this example, we can see that the ransomware is stopping SQL services. If you are curious why this is the case. Without terminating SQL services, it can be challenging to encrypt .mdf files which are MS SQL databases.

T1135 – Network Share Discovery

The GPO will enumerate all the network shares on a machine.

T1105 – Ingress Tool Transfer

This ransomware is staged in SYSVOL and uses GPO to copy it from SYSVOL to the Desktop of all the machines.

T1053 – Scheduled Task

Two scheduled tasks will be created. The first one will terminate a bunch of processes via taskkill.exe

The second scheduled task will execute the ransomware encryptor.

Hunting Analysis

If we know which Domain Controller was used to create the GPO and deploy the ransomware. It can help a lot in the investigation to speed things up. First thing, we can take a look at is the Windows security event logs on a DC. As we may know. A GPO is a virtual object that is identified by its GUID and stored at the domain level. GPO is stored in two locations, which is the Group Policy Container and Group Policy Template. The Group Policy container (GPC) is an Active Directory container that contains GPO properties, such as version information, GPO status, and other component settings, so every time a GPO is created. We will be creating a new object in AD and store it at CN=Policies,CN=System,DC=contoso,DC=com.

Windows Security Event Logs

Creating an object in AD may generate a couple of event ID 4662 on a Domain Controller. First event indicates that a GPO is created. We can recognize the Access Mask value is set to 0x1, which means that an object was created. There is also a specific GUID that we can see. This is the GUID that represents the created GPO.

The second event we will be seeing is the same, but at this time. The access mask is set to 0x20, indicating that the GPO was modified.

Microsoft-Windows-GroupPolicy/Operational

This ETW Provider can show lots of useful insights to hunt for changes in GPO, and so on. The first one will be event ID 4017. We can see a GUID, which is the GPO that is stored in the second location of the GPO and known as Group Policy Template.

If we go directly to this location and open that file, we will be able to see the display name. In this example, A78AD74588E5F0 is the display name of the GPO.

The second event ID will be 4016 that can hint what kind of changes have been made to a GPO.

At this part, we can see that a scheduled task was configured. We have discussed previously that this was the method to deploy the ransomware.

Here we can see that some changes were made to services. As discussed earlier, ransomware often terminates services to be able to encrypt files successfully. Examples of services can be from EDR solutions or SQL services.

Summary

This is a short blog post that covers how we can use default Windows event logs to find who modified a GPO and when. Default event logging doesn’t do a great job in keeping track of what exactly was changed in a GPO. Security event logs can roll quickly, which is something we have to keep in mind.

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s