3

August 2016 SysAdmin Magazine

Ransom ware prot ect ion Using FSRM and PowerShell

3 Quick Tweaks t o Prevent Ransom ware At t acks

Ransom ware Survival Guide: Defending Against Crypt o-Ransom ware

How t o Secure Your Com pany f rom Rogue Adm inist rat ors

Contents

5

12

13

Tech Tips: 4 Secur it y Log Event s t o Audit 19

How-t o for IT Pro: Det ect Password Changes in Act ive Direct ory

Free Tool of t he Mont h: Account Lockout Exam iner21

16

3

3 Quick Tweaks to Prevent

Ransom ware At t acks

Ransomware is everywhere ? that insidious t hreat that encrypts your precious

documents and other files and holds them hostage until you pay a substantial sum to

an anonymous third party. Fortunately, there are measures you can take to reduce the

likelihood of an attack. Here are three tweaks you can make to mitigate this threat.

by Jonathan HassellIT Pro, entrepreneur

August 2016 SysAdmin Magazine

Get a bet t er grasp on your inbound e-m ail m essages

Ask your e-mail hygiene provider to enable their URL scanning protection? this is

sometimes called ClickProtect or URLScan. It replaces links in inbound e-mail messages

with a link to the hygiene provider?s portal, and once that edited link is clicked, the

hygiene provider can examine the target destination and decide whether it is potentially

malicious or not. If it is, the hygiene provider can display a big warning saying ?Don?t

Proceed,? and that may be just enough to convince your users they?ve been fooled.

Have good, consistent backups and test restorat ion regularly

- The best way to beat ransomware creators at their game is to remove the need to

pay the ransom, and the only way you can do that is to have in your back pocket

the ability to get back to a ?last known good? state on your own and go from

there. The only way you can get to this point is to make regular backups.

- Use Shadow Copies on your Windows Servers, take multiple snapshots per day,

and test your restores all the time? both on a consistent basis and also on a

surprise basis. Take some of your backups offsite, and make sure that backup

drives that are not in use are disconnected from your servers entirely so as not to

subject them to any future versions of malware that might be smart enough to

delete volume shadow copy entries from your backup medium.

- Contrary to what you might think, you do not need any additional significant

investment to get going on a regular backup scheme.If your budget is tight, buy

three USB hard drives from Costco and use the built-in Windows Server Backup

service to get going. For Linux, there are several suitable open source backup

packages that will work with USB mounted drives. Whatever you do, you need to

start with this, and you can do so for no more than $250.

Look at appl icat ion whitel ist ing

Basically your only chance at decidedly, effectively preventing a ransomware infestation

is to use application whitelisting. With this approach, you tell your operating system

which binaries you will allow to run, and the operating system prevents everything else

from running? including legitimate programs that have not been approved by you just

yet. This whitelist is derived from building a list of checksums and digital signatures from

executable files, so there is some manual labor involved in both deploying the

whitelisting solution in the first place and keeping it up to date.

4

1

2

3

August 2016 SysAdmin Magazine

5

Ransomware Protect ion

Using FSRM and PowerShell

While the FBI continues to investigate the MedStar attacks and a series of other recent

ransomware attacks, I decided to describe a case from my own experience when I

received an encrypted file and opened it. What steps should I have been undertaking

to protect my system from file-encrypting malware?

by Matt HoptonNetwork Architect

August 2016 SysAdmin Magazine

Background

Well, I received an email with the usual ?please see attached document, or it?ll cost you lots of money?.

Attached was a zip file with 2 files inside ? a Word document and a JavaScript file.

I was surprised that the spammers are now using the latest version of Office as an excuse as to why

you can?t read their (macro-enabled) document.

6 August 2016 SysAdmin Magazine

Just for fun, I enabled macros in an isolated network environment and monitored what happened

next using Process Monitor from Sysinternals.

The Word docum ent downloaded a base64-encoded t ext docum ent , w rot e it t o t he user ?s

%t em p% folder , renam ed it t o .exe and execut ed it . (The JavaScr ipt f i le t hat was in t he or iginal

zip f i le provides a sim ilar exper ience.)

This appears to be a variant of the ?Teslacrypt? malware family and proceeds to encrypt all of the

user?s documents, desktop and pretty much anything else that it can touch. In a real-life environment

however; hopefully most, if not all, of the user?s files are being stored on a file server through one

means or another ? be it Work Folders, Folder Redirection etc.

Using File Server Resource Manager

We can use File Server Resource Manager (FSRM) as a system to help prevent the already-executing

malware from infecting the entire file server.

We will setup FSRM to monitor the shares for suspicious activity associated with Ransomware, email

designated admin addresses and then block the infected user?s access to the shares on that server.

If you don?t already have File Server Resource Manager installed on your file server, go ahead and

install it now from Server Manager -> Add Roles and Features:

7 August 2016 SysAdmin Magazine

Once installed, launch it from the Server Manager?s Tools menu.

The first thing we need to do is setup the email alert system with your mail server. To do this, choose

?Configure Options? from the right hand ?actions? panel. A window appears on the ?Email Notifications?

tab.

Enter your mail server?s fully qualified domain name (FQDN), or IP address in the first box, a

semicolon-separated list of emails to receive the alerts in the 2nd, and a valid email address on your

email server in the 3rd. Press Send Test E-mail and wait for it to be sent. If you don?t receive anything,

you may need to enable unauthenticated relaying for this file server on your email system. Press OK

to finish.

Set t ing up t he File Screen

FSRM has an excellent function called File Screening, whereby you can set actions to be performed

when users attempt to save certain types of files to the network. In our environment, we use this to

prevent users from saving executable files to their home folders.

In this case, we?re going to setup screening on the regular file share and on a new file share that will

act as a honeypot for ransomware.

- In the navigation pane, click ?File Screens? and ?Create File Screen? on the action pane.

- Hit browse and navigate to the top level of your file shares. For example, I?ve setup some

shares in D:\Shares\? so that?s the path to pick here.

- Click ?Define custom file screen properties? -> Custom Properties.

- Leave the ?screening type? as ?active?, which will help prevent your file server being filled with

encrypted files.

- Click ?Create? under ?Maintain file groups?

- Give the group a name like ?Known Ransomware Files? and add ?testfile.txt? into the first box:

(We will be updating this list via a script later.)

8 August 2016 SysAdmin Magazine

- Click OK, then tick the group in the list:

- On the second tab, tick the ?Send e-mail? box and customise the message if you wish.

- In the ?Command? tab, tick the box and enter the path to PowerShell.exe in the first box. On

my system, it is as below:

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

- In the second box, ?command arguments?, enter the PowerShell script below:

-ExecutionPolicy Unrestricted -NoLogo -Command ?& { Get-SmbShare -Special $false | ForEach-Object {

Block-SmbShareAccess -Name $_.Name -AccountName ?[Source Io Owner]? -Force } }?

This script will block the user?s access to all shares on this server whenever it is detected that they

have written a file that matches the ransomware file screen pattern, effectively preventing the

malware doing more damage, but without causing downtime for other users of the server. (Hooray,

finally a genuine use for share permissions!)

- If you?re still running Server 2008, the Get-SmbShare command isn?t available. Instead, you can

use Windows Firewall to block access for all users to the server. In the first box, enter:

c:\windows\system32\netsh.exe

- Then, in the second:

advfirewall firewall add rule name=?* TEMPORARY BLOCK RANSOMWARE DETECTED* ? dir=in protocol=tcp

interface=any action=block localport=139,443,445

But be warned ? this blocks everyone?s access to the server!

- Finally, click ?Local System? in the ?run as? section and press OK.

- Click create and save the properties as ?Ransomware Screen Template?. This will allow you to

easily apply it to any other shares that you might have. 9 August 2016 SysAdmin Magazine

The Honeypot

To take this a step further, we can create a new Share to act as a ?honeypot? and entice the

ransomware to write to it without damaging user?s files. Using Server Manager -> File and Storage

Services -> Shares, create a new Share called ?$Honeypot?.

Make sure you give ?Authenticated Users? full control over both the file permissions and the share

permissions.

We use the dollar sign at the start in order to place the honeypot first in the list of shares when

browsing the file server, in the hope that the ransomware will attempt to encrypt it first.

Creat e a ?read-m e? f i le in t he honeypot folder :

This file is here to help instruct users if they come across the folder, but also as a trap for

ransomware, as it will attempt to encrypt the file when it discovers it. Go ahead and create a new File

Screen on this new share, selecting ?Derive Properties from template? and choosing our ?Ransomware

Template? that we saved earlier.

Modify the file screen so that it includes an ?All Files? group: * .* ? this will help to protect against new

unknown file names as nobody should be writing to the honeypot folder.

10 August 2016 SysAdmin Magazine

Test ing

Remotely, attempt to create a file called ?testfile.txt? on the server; either in one of the protected

shares, or in the honeypot share. Within seconds, you should get an email along the following lines:

Then that user?s access to the shares on that server should be denied.

Updat ing t he File Screen

Run the script below in PowerShell to download the latest known file extensions and apply to your

file group. This will update all file screens that use that particular group.

You will need to change the name in the last line if you called it something else earlier.

- $decryptreadme = (Invoke-WebRequest

?https://raw.githubusercontent.com/thephoton/ransomware/master/filescreendecryptreadme.txt?).Content

- $fileexts = (Invoke-WebRequest

?https://raw.githubusercontent.com/thephoton/ransomware/master/filescreenextensions.txt?).Content

- $filescreengroup = @()

- foreach($line in $decryptreadme.Split(?̀ r` n?)){ if ($line -ne ??) {$filescreengroup += $line} }

foreach($line in $fileexts.Split(?̀ r` n?)){ if ($line -ne ??) {$filescreengroup += $line} }

- Get-FsrmFileGroup ?Known Ransomware Files? | Set-FsrmFileGroup -IncludePattern $filescreengroup

Rem oving a user ?s share block af t er an infect ion

If you should get an infection and the user has their access to the server blocked, run the script below

to undo that access (after making sure everything is clear of course!)

Get-SmbShare -Special $false | ForEach-Object { Unblock-SmbShareAccess -Name $_.Name -AccountName ?ACCOUNT

NAME TO UNBLOCK? -Force }

Good luck in your quest t o block Ransom ware!

11 August 2016 SysAdmin Magazine

12

Ransomware Survival Guide:

Defending Against Crypt o-Ransom ware

Cyber Threat Alliance reports that CryptoWall 3.0 alone has already cost victims $325 mil l ion

Download.(pdf )

Get a walk t hrough on:

- How ransomware is delivered to a user 's computer

- Stages of crypto-ransomware infection

- Best practices that can be applied immediately

While ransomware attacks have been around for years, security experts say they've become far

more dangerous recently because of advances in encryption and other technologies. A

crypto-ransomware attack can take hostage not only data stored on a company?s individual

computers, but also the files on its servers and cloud-based file-sharing systems ? leading to

financial losses, stopping business in its tracks and potentially damaging the organization?s

reputation. According to a report prepared by the Cyber Threat Alliance (CTA), CryptoWall version

3.0 alone has already cost victims $325 million. To learn m ore, download Ransomware Guide ->

August 2016 SysAdmin Magazine

13

How to Secure Your Com pany

from Rogue Administrators

Sometime back, I chronicled one of the most infamous ?hacks? that ever happened. A

gentleman named Jason Cornish brought the Shionogi Pharmaceutical Company to its

knees. In a nutshell, he and his friend saw that things were going bad for them and

decided to take revenge. They altered an account to allow themselves access from

outside the company?s network, got in, and deleted several dozens of systems (all of

them were VMs). Effectively, they destroyed the company?s ability to conduct business

for several days, which resulted in almost a million dollars in lost revenue.

by Richard Muniz IT Engineer

August 2016 SysAdmin Magazine

Underst anding t he process

Sadly, this could have been avoided. In this blog, I intend to demonstrate how using some built-in

tools will help. First, I?m making two big assumptions here. One is that we have a good Change

Management system in place. Someone has to request something, it has to seek approval through a

board, and once approved, the change is made. My second assumption is that once a change is made,

we have a validation process, and this is where AD native auditing comes in.

This screen shot is of the Active Directory User OU in my test lab.

I?ve got Kevin Riley highlighted because I?m going to make him a member of the ?Domain Admins?

group. This is going to be a big red flag, and I?m going to get an e-mail regarding this event.

- First, we have to understand how the process might work. When someone is added to the

Domain Admins group, an approval should be passed and the IT team should get a notification

that Kevin now has admin rights. Most ticketing systems will allow you to build in an ?Approval?

function. It doesn?t have to be anything more complicated than a pull down that allows the

individual in charge of approving it (and incidentally, only that person has the rights to add his

or her names to the box) to do so. Anything associated with this ticket (e-mails, etc.) becomes a

part of the ticket. This enables us to see what happened at every step along the way and to

ensure the process has been adhered to.

14 August 2016 SysAdmin Magazine

- The pertinent questions are as follows: ?Does the approval process really help protect against

unauthorized changes? How about protection from a rogue administrator? This is where

change monitoring comes in. In the Kevin?s case, the function is governed by the process.

However, if someone just gave him the rights (accidentally or intentionally), I want to know

about it.

- To understand the process, we have to look for events. Whenever anyone is added to certain

groups, such as Domain Admins, a key event is triggered. The magic Event ID you?re looking for

is 4732. These get logged on just the Domain Controllers, so I?ll go to the Domain Controller.

- Now that I know that, what do I do with that piece of information? First, I need to understand

that Domain Admins is a security group. In theory, every time I add someone to this group,

that event will be generated.

Building aler t inside t he Dom ain Cont roller

I could buy software that would do this for me, but I prefer building my own Alert inside the Domain

Controller. To do that, proceed through the following:

- Go to Start > Accessories > System tools > Task Scheduler.

- Click on ?Create a Basic Task.?

- Give the task a name and describe what it?s supposed to do (so if you get hit by a bus,

someone knows what it does).

15 August 2016 SysAdmin Magazine

- Specify a trigger, in this case, an event.

- Fill in the information you need.

16 August 2016 SysAdmin Magazine

- Choose the action to be performed. In this case, I want it to send me an e-mail.

- Enter the required information. I?m keeping it rather simple.

Now, the single major objection I hear concerning doing this (or any kind of real-time alerts) is that it

generates too much garbage, and it does. However, it all boils down to this: If you?re expecting the

change, it?s safe to ignore it. If you?re not, you better ask questions.

17 August 2016 SysAdmin Magazine

There?s a lot of commercial software that will do the same thing for you and take a lot of the tedious

work out for you. This makes investing in one of the commercial software packages well worth it.

Another thing you should watch for are inactive accounts. Most people would consider anyone who

hasn?t logged on in 30 days inactive. Asking why there isn?t any activity on an account should start

leading you in the right direction. Let?s look at some possible answers:

- The person is no longer with the company and somehow you missed deactivating them.

- They?re out on maternal leave, sick leave, vacation, or any number of reasons and you missed

this somehow.It?s a service account (you should have a list of your service accounts? the fewer,

the easier for you to keep track of).

- Something else is going on.

Using PowerShell scr ipt

You can use a simple Powershell command run from inside your domain controller:

Search-ADAccount-AccountInactive -TimeSpan 60 -UsersOnly |  Where-Object { $_.Enabled -eq $true } |  

Format-Table Name, UserPrincipalName | Export-CSV FileName.csv -NoTypeInformation

You can change the number of days to any number you need.

Notice that I?m having it send me a report as a CSV file. This becomes useful for auditing purposes, not to

mention justification of anything I need to do to that account (like opening a ticket and deleting it).

Deploying professional t ool

Instead of using PowerShell scripts, you can deploy a professional tool to get reports to your e-mail.

Try Net wr ix Audit or for Free ->

18 August 2016 SysAdmin Magazine

Tech Tips:4 Secur it y Log Event s to Audit

19

by Troy ThompsonIT Expert, AD administrator

In this piece, I?ll brief you on the four key areas to watch out for in your event logs

across your workstations and your overall domain as well as the rationale behind all

of them.

August 2016 SysAdmin Magazine

20

1. Audit success and failure event s in t he

syst em log

The idea here is to identify patterns of use over a

normal period of time so that when a nefarious

actor attempts to gain access to your system, you

can detect his or her actions using a spreadsheet

or other analysis software to identify patterns

that are out of the norm. According to Microsoft,

system success and failure events are generally

low volume but tend to offer a high value in

terms of the information they present, so these

should be the cornerstone of any auditing and

profiling scheme you may deploy.

2. Look for policy change success event s on

t he dom ain cont rollers

These types of events indicate that someone on

the system is attempting to alter the Local

Security Authority (LSA) policy configuration. This

is one way intruders could attempt to download a

copy of the Active Directory database or plant

malware in sensitive domain controllers. The

frequency of these policy change success events

should be rare enough to be indicative of

nefarious activity. Unfortunately, it is typical to

have many failure events on normal, completely

unbreached systems, so the signal-to-noise ratio

on monitoring failure events is usually too low to

be worth the bother.

3. Look for success event s in account

m anagem ent

These events are written when users are created,

modified, or deleted and when groups are

created, deleted, or have their memberships

changed. A combination of success events is a

good forensic to trace potential breaches of your

directory back to where nefarious actors were

able to create accounts or elevate existing

accounts to a highly privileged state? for

example, to a domain administrator.

4. Exam ine success event s in t he logon

cat egor ies

Do it both on individual computers and on

domain controllers. For individual workstations,

this will give you a record of when users sign on

and off their computers. (For member servers on

a domain, there is no need to monitor success

events, since those events will be covered by

monitoring for success events on a domain

controller.) You can easily trace a stolen password

or other breach by examining the dates and

times of successful logon events of the account in

question.

Monitoring logon success events for domain

controllers shows you when accounts sign on and

off the domain. This information can be used in a

similar fashion if you are working with the Active

Directory. Of course, the larger the domain or

number of users, the more legitimate success

events will be written, so you will need to come

up with a retention policy that defines when you

can purge successful event data from your audit

system so that it does not become overburdened

with data.

You m ay be int erest ed in:

Try Net wr ix f reeware t ools to be informed

about changes in your IT infrastructure.

August 2016 SysAdmin Magazine

21

Free Tool of t he Mont h

Account Lockout Examiner

Account Lockout Examiner is a freeware tool notifies IT administrators

about account lockouts and helps them identify the root causes so

they can quickly restore normal operations. Administrators can unlock

user accounts from the tool?s console or a mobile device.

Download

Exam ple of t he account lockout repor t

August 2016 SysAdmin Magazine

How-t o for IT Pro:

Detect Password Changes in Active Directory

22

Accidental or intentional unauthorized software installation on Windows Server enables disruptive

malware activity that can lead to server performance slowdowns and even leaks of sensitive data. To

gain access to systems, hackers scan targets for unprotected software and scam users into

downloading malware. Employees may also unknowingly download and install malicious files in

violation of your software installation policy.

Run GPMC.msc (url2open.com/gpmc) ? open "Default Domain Policy" ? Computer

Configuration ? Policies ? Windows Settings ? Security Settings ? Local Policies ? Audit

Policy:

- Audit account management ? Define ? Success and Failure.

1.

Run GPMC.msc ? open "Default Domain Policy" ? Computer Configuration ? Policies ?

Windows Settings ? Security Settings ? Event Log ? Define:

- Maximum security log size to 1GB

- Retention method for security log to Overwrite events as needed

2.

Open Event viewer and search Security log for event id?s: 628/4724 ? password reset attempt

by administrator and 627/4723 ? password change attempt by user. 3.

August 2016 SysAdmin Magazine

Try Net wr ix Audit or 8.0: Track Active Directory and

Group Policy Changes netwrix.com/go/auditor

Copyright © Netwrix Corporation. All rights reserved. Netwrix is trademark of Netwrix Corporation and/or one or more of its subsidiaries and may be registered in the U.S. Patent and Trademark Off ice and in other countries. All other trademarks and registered trademarks are the property of their respective owners.

Corporate Headquarters: 8001 Irvine Center Drive, Suite 1100 Irvine, CA 92618

Phone: 1-949-407-5125 Tol l -f ree: 888-638-9749 EMEA: +44 (0) 203-318-02

Next Steps:

netwrix.com | Follow us