Delegate Control in Active Directory (Step-by-Step Guide)

Last Updated: July 20, 2023 by Robert Allen

How to delegate control in active directory

Do you need to give the helpdesk staff permissions to reset passwords and unlock user accounts?

Do you want to allow specific users to modify group membership?

No problem.

In this guide, you will learn how to use the delegation control wizard in Active Directory to grant users very specific permissions.

It is important to know how to correctly use the delegation of control in Active Directory to avoid giving users more rights than they need. Whatever you do, do not add users into highly privileged groups like Domain Admins.

Table of Contents:

Delegation of Control Best Practices

Here are my recommendations and tips for delegating permissions in Active Directory.

Good OU Design

Delegating permissions in Active Directory is done by using organizational units (OU), so it is critical to have a good OU design. The OU design will be different for every organization, but a simple design is to put all similar resources into their own OU.

  • Computer OU – All computers go here
  • Users OU – All user accounts go here
  • Servers OU – All server accounts go here
  • Groups – All groups go here.

You can then create sub-OUs to further organize your resources.

users ou

In the above screenshot, I have the “ADPRO Users” OU for all my user accounts. I then created sub-OUs for each department to further organize the user accounts. With this design, I can easily delegate control to all resources or resources in a specific sub-OU. For example, HR hired their own IT support person and they want to reset passwords for all HR users. I can delegate the password reset permissions to just the HR OU.

You can structure the sub-OUs any way that you like. For example, you could make them based on geographic locations, or by user type such as regular, privileged, and so on.

With a good OU design, it makes delegating permissions easy and helps to avoid delegating more permissions than needed.

To read more on OU design see the Microsoft guide Designing OU structures that work.

Don’t use Built-in Security Groups

When delegating control it is best to create new security groups rather than using built-in AD groups. For example, don’t use “Account Operators” or Backup Operators” when delegating permissions. These built-in AD groups have special permissions that can give users more rights than needed.

Delegate Control to Groups, NOT USERS

Do not delegate control to a user account. This will become a security nightmare as it will be very difficult to audit and manage. Assigning permissions to groups makes it easy to add and remove permissions.

Use Descriptive Group Names

Have you come across a group in Active Directory and have no idea what it is for? This happens a lot and drives me bonkers. Creating a descriptive name will make it easy for you and other admins to identify its use.

For example, if the helpdesk wants to reset user passwords I would create a group like this:

Helpdesk_password_reset

If a group of users needs to modify a specific AD attribute such as the telephone field I would create a group like this:

IT_modify_telephone

active directory group names

You can see that in the screenshot above, the group name and description make it easy for anyone to identify what the group is used for.

Tip: I also put details into the group description. I can then use PowerShell to search for all of the groups that have “delegate control” in the description.

get-adgroup -Properties * -filter {Description -like 'Delegate*'} | select name, description

Audit AD Delegated Controls Yearly

You should review the Active Directory ACL permissions each year. AD permissions can easily get out of control and the only true way to know who has what rights is to audit the ACL permissions.

See the last section in this guide for details on auditing Active Directory Permissions.

Don’t Over Delegate Control (Use lease Privilege)

Only delegate control to what is needed.

If another department wants to reset their own passwords don’t grant them this permission to all user objects, but instead to just their group or department.

If the helpdesk needs the rights to delete computer accounts, don’t grant this permission to all computer objects, but instead to just the ones the helpdesk manages (hint… not the servers).

Over delegating control can easily be avoided by having a good OU design.

Now let’s check out some examples on how to delegate permissions.

Delegate Password Reset and Unlock Permissions

In this example, I’ll use the delegation control wizard to give helpdesk users permissions to reset passwords and unlock user accounts. I’ll also demonstrate how to limit this to a specific group of users (department).

Step 1: Create a New Active Directory Group

I’m going to create a new group and name it “Helpdesk_password_reset”. Use whatever naming convention makes sense to you, I just recommend it to be descriptive. I also recommend using the description field to provide exact details on what the group is used for. With a descriptive name and the description filled out, there should be no confusion about what this group is used for, this will help you and other System Admins.

helpdesk password reset group

Next, I’ll add the helpdesk staff to this group. When the delegation is complete you can easily add or remove rights by changing the membership of this group.

Step 2: Use Delegation of Control Wizard

This is where good OU design is important. I want to grant this group permission to change the password for all users in the domain, and since I have all users in the “ADPro Users” OU this can easily be done. The delegated rights will apply to the root and all sub-OUs.

Right-click on the OU and select “Delegate Control”.

delegate control on ou

Click “Next”

Select the group you want to delegate control to.

delegate control select group

Click “Next”

Select “Create a custom task to delegate”

select custom task to delegate

Select “Only the following objects in the folder” then select “User objects”

select user objects

Click “Next”

Select “General” and “Property-specific”

Then enable the following permissions:

  • Change password
  • Reset password
  • Read lockoutTime
  • Write lockoutTime
delegate control unlock user accounts

Click “Next”

Click “Finish”

Now any member of the “Helpdesk_password_reset” group can change/reset passwords and unlock user accounts for all users in the “ADPRO Users” OU.

What if you had a department that wanted to reset/unlock their own accounts? For example, the HR department wants to reset/unlock their own accounts without having to call IT support.

Here are the steps: (The steps are basically the same as above you just run the delegation control on a specific OU)

  1. Create a new group for the HR users (example, HR_password_reset).
  2. Use the delegation control wizard on the HR OU.
  3. Select the HR group (example, HR_password_reset).
  4. Set permissions (change password, reset password, read lockoutTime, write lockoutTime). See the above screenshots for more details.
delegate control to department

If you delegated control to the entire domain or an OU with all users then you gave HR staff more permissions than they need. They could reset/unlock users for the entire domain, you want to avoid this.

Delegate Permissions to Modify Telephone Number

In this example, I want to give a group of users permission to only modify the Telephone number in Active Directory. You will see in the delegation of control wizard you can grant permissions to other user fields (address, zip, state, and so on).

Step 1: Create a group.

I created a group called “IT_Modify_Telephone”.

Step 2: Run delegation Control Wizard.

Run the delegation control wizard on the target OU.

Select the group.

Select “create a custom task to delegate”

Select “Only the following objects in the folder” then select “User Object”

Select “Property-specific”

Enable “Read Telephone Number” and “Write Telephone Number”

delegate control telephone number

Click “Next” then “Finish” to complete.

Now any member of the group can modify the “Telephone Number” field in Active Directory. All other fields are read-only.

active directory user screenshot

Delegate Permissions to Modify Group Membership

In this example, I will give a group of users permission to modify group membership (add/remove users to groups).

This one is easier than previous examples as Microsoft has a common task for it.

Step 1: Create AD Group

Step 2: Run Delegation Control Wizard

If you have all groups in a specific OU then run the delegation wizard on the OU. For example, all of my groups are in an OU called “ADPRO Groups”.

delegate control to groups ou

Select the group you want to delegate control to.

Click “Next”

Select “Modify the group membership of a group”

modify group membership task

Click “Next” and click “Finish”.

Delegate Control to Delete Computer Accounts

Helpdesk or other IT staff will often need rights to delete computer accounts in Active Directory. Here is how to delegate those rights.

Step 1: Create AD Group

For example “IT_delete_computers”.

Step 2: Run delegation control wizard on OU.

Make sure you run the wizard on the OU that contains the computer objects.

Select the group to delegate control

Click “Next”

Select “Create a custom task to delegate”

Select “This folder, existing objects in this folder, and creation of new objects in this folder”.

Click “Next”

Select “creation/deletion of specific child objects”

Then select “Delete Computer objects”

delete computer objects task

Now members of the selected group can delete computer objects.

How to Audit Active Directory (ACL) Permissions

Over time Active Directory permissions can easily spiral out of control. It is recommended to audit your AD permissions at least once a year. How else are you going to know if someone gave unnecessary rights to a user or group?

Maybe someone used the delegation of control wizard and accidentally gave helpdesk the rights to delete servers. The only way to determine this, is to check the ACL permissions in Active Directory.

You can view the ACL on an OU by right-clicking the OU selecting properties and the Security tab. But this would take too long if you had a lot of OUs.

The best option I have found is the AD ACL Scanner PowerShell tool. This tool lets you choose what to scan and creates an easy-to-read report on Active Directory permissions.

In this example, I’m going to scan my ADPRO Users OU, and scan each Sub-OU.

active directory acl scanner

When the tool is done scanning you will get a report like below.

acl scanner report

In the report, I can see the AD groups that I delegated control to and what permissions they have. Very easy to use and saves a ton of time.

Summary

In this guide, I walked you through several examples of delegating control in Active Directory. The delegation of Control Wizard can be confusing as it’s not always clear where to find specific permissions. It’s best to use groups for delegating control and set very specific permissions. Lastly, I showed you how to audit Active Directory ACL permissions using the AD ACL scanner tool. Don’t forget to audit the ACL permissions at least once a year.

Recommended: Active Directory Permissions Reporting Tool

The ARM Permissions Reporting Tool helps you monitor, analyze, and report on the permissions assigned to users, groups, computers, and organizational units in your Active Directory

You can easily identify who has what permissions, where they came from, and when they were granted or revoked. You can also generate compliance-ready reports for various standards and regulations, such as HIPAA, PCI DSS, SOX, and GDPR

Try the Permissions Reporting Tool today and take control of your permissions management

Download Free Trial

Source :
https://activedirectorypro.com/delegate-control-in-active-directory/

Configure Windows LAPS (Local Administrator Passwords Solution) in AD

April 25, 2023

Windows LAPS (Local Administrator Password Solution) allows you to centrally manage the passwords for the local administrators on the computers in your AD domain. The current local administrator password is stored in the protected attributes of computer objects in Active Directory, is automatically changed on a regular basis, and can be viewed by authorized users.

In this guide, we’ll show you how to configure and use Windows LAPS to manage the local administrator password on computers joined to an AD domain.

Contents:

Until April 2023, you should manually download the LAPS MSI installation file, deploy the administrator or client components to computers, install ADMX GPO templates for LAPS, and extend the AD schema

Updates adding native support for the new version of LAPS in Windows were released in April 2023. You no longer need to manually download and install the MSI package to use LAPS.

New Built-in Windows LAPS Overview

The following cumulative updates in April 2023 added native support for Windows LAPS:

  • Windows 11 22H2 – KB5025239
  • Windows 11 21H2 – KB5025224
  • Windows 10 22H2 — KB5025221
  • Windows Server 2022 – KB5025230
  • Windows Server 2019 – KB5025229

What’s new in Windows LAPS?

  • All the components of the new LAPS are part of Windows;
  • Allows storing administrator passwords in on-premises Active Directory or in Azure AD;
  • DSRM (Directory Services Restore Mode) password management on AD domain controllers;
  • Support for password encryption;
  • Password history;
  • Allow the local administrator password to be automatically changed after it has been used to log on to the computer locally.

At least Windows Server 2016 domain functional level is required for the new version of Windows LAPS.

As we mentioned above, you no longer need to manually download and install the LAPS client or Group Policy client-side extension (CSE). All the necessary LAPS components are available in Windows after you install the April updates.

The following Windows LAPS management tools are available:

  • New ADMX group policy file;
  • A separate LAPS tab in computer properties in Active Directory Users and Computers (ADUC) console;
  • Windows LAPS PowerShell module;
  • Separate log in the Event Viewer: Application and Service Logs -> Microsoft -> Windows -> LAPS -> Operational. Windows LAPS event logs in Event Viewer

Microsoft notes that you must disable the Group Policies and remove the settings from the previous version of LAPS (legacy MSI) before deploying the new LAPS GPO. To do this, stop new installations of legacy LAPS and remove all settings in the following registry key HKLM\Software\Microsoft\Windows\CurrentVersion\LAPS\State.

Events with the following Event IDs will appear in the Event Viewer if the legacy version of LAPS is not removed:

  • Event ID 10033, LAPS — The machine is configured with legacy LAPS policy settings, but legacy LAPS product appears to be installed. The configured account’s password will not be managed by Windows until the legacy product is uninstalled. Alternatively, you may consider configuring the newer LAPS policy settings.
  • Event 10031, LAPS — LAPS blocked an external request that tried to modify the password of the current manager account.

Deploying Local Administrator Password Solution in Active Directory Domain

You can start deploying the new version of LAPS after you have installed the new updates on all domain controllers.

To manage the Local Administrator Password Solution, use the PowerShell cmdlets from the LAPS module. You can use the following commands:

Get-Command -Module LAPS

  • Get-LapsAADPassword
  • Get-LapsDiagnostics
  • Find-LapsADExtendedRights
  • Get-LapsADPassword
  • Invoke-LapsPolicyProcessing
  • Reset-LapsPassword
  • Set-LapsADAuditing
  • Set-LapsADComputerSelfPermission
  • Set-LapsADPasswordExpirationTime
  • Set-LapsADReadPasswordPermission
  • Set-LapsADResetPasswordPermission
  • Update-LapsADSchema
laps powershell module

After installing updates on DCs and clients, you must perform an AD schema update. This will add new attributes. Run the command:

Update-LapsADSchema

If not all DCs have been updated, the command will return an error:

Update-LapsADSchema : A local error occurred.

The following attributes will be added to the AD schema:

  • msLAPS-PasswordExpirationTime
  • msLAPS-Password
  • msLAPS-EncryptedPassword
  • msLAPS-EncryptedPasswordHistory
  • msLAPS-EncryptedDSRMPassword
  • msLAPS-EncryptedDSRMPasswordHistory

The attributes used in the previous version to store the password are not used in Windows LAPS (ms-Mcs-AdmPwd and ms-Mcs-AdmPwdExpirationTime).

Open the ADUC console (dsa.msc), select any computer in AD, and go to the AD object Attribute Editor tab. Check that the object now has new attributes available.

msLAPS-Password attribute

The msLAPS* attributes are not yet populated.

You must now allow computers in the specified Organizational Unit (OU) to update msLAPS* attributes in their AD account properties.

For example, I want to allow computers in a MUN container to update passwords stored in AD attributes.

Set-LapsADComputerSelfPermission -Identity "OU=Computers,OU=MUN,OU=DE,DC=woshub,DC=com"

Let’s use PowerShell to create a group that can view local administrator passwords on computers in this OU:

New-ADGroup MUN-LAPS-Admins -path 'OU=Groups,OU=MUN,OU=DE,DC=woshub,DC=com' -GroupScope local -PassThru –Verbose
Add-AdGroupMember -Identity MUN-LAPS-Admins -Members a.morgan,b.krauz

We will allow this group to view and reset the local admin password:

$ComputerOU = "OU=Computers,OU=MUN,OU=DE,DC=woshub,DC=com"
Set-LapsADReadPasswordPermission –Identity $ComputerOU –AllowedPrincipals MUN-LAPS-Admins
Set-LapsADResetPasswordPermission -Identity $ComputerOU -AllowedPrincipals MUN-LAPS-Admins

By default, members of the Domain Admins group can view local administrator passwords on all AD computers.

Use the Find-LapsADExetendedRights command to check the current permissions to LAPS attributes in an OU.

Configure GPO to Change Local Administrator Passwords

A new set of administrative templates for managing the LAPS configuration via GPO will appear when you install the latest updates on Windows (%systemroot%\PolicyDefinitions\laps.admx).

Copy LAPS.admx to the following location if you are using a Central GPO store for the ADMX templates\\woshub.com\SysVol\woshub.com\Policies\PolicyDefinitions .

The next GPO section contains the LAPS options: Computer Configuration -> Policies -> Administrative Templates -> System -> LAPS. The following LAPS group policy options are available here:

  • Enable password backup for DSRM accounts
  • Configure size of encrypted password history
  • Enable password encryption
  • Configure authorized password descriptors
  • Name of administrator account to manage
  • Configure password backup directory
  • Do not allow password expiration time longer than required by policy
  • Password Settings
  • Post-authentication actions
Configure Group Policy settings for Windows LAPS

Let’s try to enable the minimum Group Policy LAPS settings for the Active Directory domain

  1. Open the Group Policy Management console (gpmc.msc), create a new GPO and link it to the OU containing the computers;
  2. Open a new GPO and navigate to the section that contains the LAPS options;
  3. Enable the Configure password backup directory policy and set Active Directory here. This policy allows the administrator password to be stored in the computer account attribute in the on-premises Active Directory;Windows LAPS also allows you to store passwords in the Azure Active Directory (AAD) instead of in the local ADDS.Save LAPS password to on-prem Active Directory
  4. Then enable the Password Settings option. Here you must specify the password complexity, length, and change frequency parameters;The following LAPS password settings are enabled by default: password complexity, 14-character password length, and password change every 30 days.
  5. Specify the name of the local administrator account whose password you want to change in Name of administrator account to manage. If you are using the built-in Windows Administrator, type Administrator here.The LAPS GPO does not create any local administrator accounts. If you want to use another administrator account, create it on computers using GPO or PowerShell.
  6. Restart your computer to apply the new GPO settings.

LAPS: Get a Local Administrator Password on Windows

After implementing LAPS group policies, Windows changes the local administrator password at startup and then writes it to the msLAPS-Password protected attribute on the computer object in AD. You can get the current password for the computer in the ADUC console or by using PowerShell.

Open the ADUC console and search for the computer for which you want to find out the current password of the local administrator. A new LAPS tab has appeared in the Computer object properties.

View LAPS password in computer properties in AD

The following info is displayed on this tab:

  • Current LAPS password expiration
  • LAPS local admin account name
  • LAPS local admin account password

You can also use PowerShell to get the computer’s current administrator password:

Get-LapsADPassword mun-pc221 -AsPlainText

ComputerName : mun-pc221
DistinguishedName : CN=mun-pc221,OU=…
Account : administrator
Password : 3f!lD1.23!l32
PasswordUpdateTime : 4/24/2023 11:14:26 AM
ExpirationTimestamp : 5/24/2023 11:14:26 AM
Source : EncryptedPassword
DecryptionStatus : Success
AuthorizedDecryptor : WOSHUB\Domain Admins
Get-LapsADPassword - laps powershell get admin password

Use this password to log on locally to this computer as an administrator.

In order to immediately rotate the LAPS password for the local admin account, run the command:

Reset-LapsPassword

This will force an immediate password change for the currently logged local administrator account and write the new password to AD.

Windows Local Administrator Password Solution is a simple, built-in feature that allows you to improve the security of using local administrator accounts on domain computers. LAPS stores the current administrator password in a secure AD attribute and changes it on all computers on a regular basis.

Source :
https://woshub.com/manage-local-administrator-passwords-with-laps/

How to Allow Multiple RDP Sessions on Windows 10 and 11

June 30, 2023 

Remote users can connect to their Windows 10 and 11 computers through the Remote Desktop Services (RDP). All you need to do is enable Remote Desktop, grant the user RDP access permissions, and connect to the computer using any remote desktop client. However, the number of concurrent RDP sessions is limited in desktop versions of Windows. Only one active Remote Desktop user session is allowed.

A warning will appear asking you to disconnect the first user’s session if you try to establish a second RDP connection.

Another user is signed in. If you continue, they’ll be disconnected. Do you want to sign in anyway?
windows11 dosnt allow multiple rdp - Another user is signed in. If you continue, they’ll be disconnected. Do you want to sign in anyway?

Contents:

Number of Concurrent RDP Connections on Windows

There are a number of restrictions on the use of Remote Desktop Services in all desktop versions of Windows 10 and 11:

  1. Only Windows Professional and Enterprise editions can accept remote desktop connections. RDP access is not allowed to Home/Single Language Windows editions;
  2. Only one simultaneous RDP connection is available. Attempting to start a second RDP session will prompt the user to end the active session;
  3. If the user is working at the computer console (locally), their local session is disconnected (locked) when they make a remote RDP connection. The remote RDP session will also be terminated if the user logs into Windows from the computer’s console.

The number of concurrent RDP connections on Windows is actually a license limitation. Microsoft prohibits the creation of a workstation-based Terminal RDP server for multiple users to work simultaneously.

If your tasks require the deployment of a terminal server, Microsoft suggests purchasing Windows Server (allows two simultaneous RDP connections by default). If you need more concurrent user sessions, you will need to purchase RDS CALs, install, and configure the Remote Desktop Session Host (RDSH) role or deploy an RDS farm.

Technically, any version of Windows with sufficient RAM and CPU resources can support dozens of remote user sessions simultaneously. On average, an RDP user session requires 150-200MB of memory (excluding running apps). This means that the maximum number of concurrent RDP sessions is limited only by the available resources of the computer.

In this article, we are going to show you three ways to remove the limit on the number of concurrent RDP connections in Windows 10 and 11:

  • RDP Wrapper
  • Modifying the termsrv.dll file
  • Upgrading Windows 10/11 edition to Enterprise for virtual desktops (multi-session)

Note. Any modifications to the operating system that are described in this article are considered a violation of the Windows License Agreement and may be used at your own risk.

Before you proceed, make sure that the Remote Desktop protocol is enabled in Windows.

  • Go to Settings -> System —Remote Desktop -> Enable Remote Desktop;
  • Or use the classic Control Panel: run the command SystemPropertiesRemote and check the option Allow remote connection to this computer.

Find out how to enable and configure Remote Desktop on Windows.

RDP Wrapper: Enable Multiple RDP Sessions on Windows

The RDP Wrapper Library OpenSource project allows you to enable multiple RDP sessions on Windows 10/11 without replacing the termsrv.dll file. This tool acts as a layer between SCM (Service Control Manager) and the Remote Desktop Services. The RDP wrapper doesn’t make any changes to the termsrv.dll file, it simply loads the termsrv with the modified settings.

Thus, the RDPWrap will work even in the case of termsrv.dll file update. It allows you not to be afraid of Windows updates.

Important. Before installing the RDP Wrapper, it is important to make that you are using the original (unpatched) version of the termsrv.dll file. Otherwise, RDP Wrapper may become unstable or not start at all.

You can download the RDP Wrapper from the GitHub repository https://github.com/binarymaster/rdpwrap/releases (the latest available version of the RDP Wrapper Library is v1.6.2). The project hasn’t been updated since 2017, but it can be used in all new builds of Windows 10 and 11. To use the wrapper on modern versions of Windows, simply update the rdpwrap.ini configuration file.

RDP Wrapper is detected as a potentially dangerous program by most antivirus scanners.  For example, it is classified as PUA:Win32/RDPWrap (Potentially Unwanted Software) with a low threat level by the built-in Microsoft Defender antivirus. If your antivirus settings are blocking the RDP Wrapper from starting, you will need to add it to the exceptions.

rdpwrap detected as potentially unwanted software

The RDPWrap-v1.6.2.zip archive contains some files:

  • RDPWinst.exe — used to install/uninstall an RDP wrapper library;
  • RDPConf.exe — RDP Wrapper configuration tool;
  • RDPCheck.exe —an RDP check tool (Local RDP Checker);
  • install.bat, uninstall.bat, update.bat — batch files to install, uninstall, and update RDP Wrapper.
RDPWrap-v1.6.2 install files

To install RDPWrap, run the install.bat file as an administrator. The program is installed in the C:\Program Files\RDP Wrapper directory.

installing install RDP Wrapper Library in windows 10

Run RDPConfig.exe when the installation is complete.

windows 10: rdp wrapper not supported issue

Most likely, immediately after installation, the tool will show that the RDP wrapper is running (Installed, Running, Listening), but not working. Note the red [not supported] warning. It reports that this version of Windows 10 22H2 (ver. 10.0.19041.1949) is not supported by the RDPWrapper.

This is because the rdpwrap.ini configuration file does not contain settings for your Windows version (build). +

✅ Download the latest version of rdpwrap.ini here https://raw.githubusercontent.com/sebaxakerhtc/rdpwrap.ini/master/rdpwrap.ini

Manually copy the contents of this page into the C:\Program Files\RDP Wrapper\rdpwrap.ini file. Or download the INI file using the PowerShell cmdlet Invoke-WebRequest (you must first stop the Remote Desktop service):

Stop-Service termservice -Force
Invoke-WebRequest https://raw.githubusercontent.com/sebaxakerhtc/rdpwrap.ini/master/rdpwrap.ini -outfile "C:\Program Files\RDP Wrapper\rdpwrap.ini"

update rdpwrap.ini file

You can create a scheduled task to check for changes to rdpwrap.ini and update it automatically.

This screenshot shows that the latest version of the rdpwrap.ini file (Updated=2023-06-26) is used on the computer.

Restart your computer and run the RDPConfig.exe tool. Check that all items in the Diagnostics section are green and that the [Fully supported] message is displayed. The RDP wrapper started successfully on Windows 11 22H2 in my case.

rdpwrapper on windows11

Now try to establish several concurrent RDP sessions with this computer under different user accounts (use your favorite RDP client: mstsc.exe, RDCMan, mRemoteNG, etc).

You can use saved RDP credentials to connect to a remote computer.

You can check that two (or more) RDP sessions are active on the computer at the same time by using the command:

qwinsta

rdp-tcp#0         user1                 1  Active
rdp-tcp#1         user2                 2  Active
qwinsta: list active rdp sessions
multiple RDP sessions on Windows 10

The RDPWrap tool is supported in all Windows editions, so you can build your own terminal (RDS) server on any Windows device. So you can turn any version of Windows client into a full-featured terminal server.

The following options are available in the RDP Wrapper:

You can set limits on the duration of RDP user sessions using the Group Policy. This allows idle user sessions to be automatically disconnected.

RDP Wrapper Not Working on Windows

In some cases, the RDP Wrapper may not work as you expect it to and you may not be able to use more than one RDP connection on Windows.

The termsrv.dll file version can be updated during Windows Updates installation. If the description for your version of Windows is missing from the rdpwrap.ini file, then the RDP Wrapper will not be able to apply the necessary settings. In this case, the status [not supported]. will be displayed in the RDP Wrapper Configuration window.

✅ In this case, you must update the rdpwrap.ini file as described above.

If RDP Wrapper does not work after updating the rdpwrap.ini file, try to open the rdpwrap.ini file and look for the section for your version of Windows.

How to understand if your Windows version is supported in rdpwrapper config?

The screenshot below shows that for my version of Windows 11 (10.0.22621.317) there are two sections of settings:

[10.0.22621.317]
...
[10.0.22621.317-SLInit]
...
update rdpwrap.ini after installing windows updates

If there is no section in the rdpwrap configuration file for your version of Windows, try searching the web for the rdpwrap.ini file. Add the configuration settings you found to the end of the file.

If RDP Wrapper does not work after you install security updates or upgrade the Windows build, check that there is no Listener state: Not listening warning in the RDPWrap Diagnostics section.

rdp wrapper not listening

Try updating the rdpwrap.ini file, and then reinstalling the rdpwrapper service:

rdpwinst.exe -u
rdpwinst.exe -i

It can happen that when you try to make a second RDP connection as a different user, you will get an error message:

The number of connections to this computer is limited and all connections are in use right now. Try connecting later or contact your system administrator.
Windows 10 RDP warning:The number of connections to this computer is limited and all connections are in use right now

In this case, you can use the local Group Policy Editor (gpedit.msc) to enable the “Limit number of connections” option under Computer Configuration -> Administrative Templates -> Windows Components -> Remote Desktop Services -> Remote Desktop Session Host -> Connections section. Increase the ‘RD maximum connection allowed’ value to 999999.

group policy: Limit the number of rdp connections

Restart your computer to update the local Group Policy and apply the settings.

Patch the Termsrv.dll to Enable Multiple Remote Desktop Sessions

To remove the limit on the number of concurrent RDP user connections in Windows without using rdpwrapper, you can replace the original termsrv.dll file. This is the main library file used by the Remote Desktop Service. The file is located in the C:\Windows\System32 directory.

It is advisable to make a backup copy of the termsrv.dll file before editing or replacing it. This will help you to revert to the original version of the file if necessary. Open an elevated command prompt and run the command:

copy c:\Windows\System32\termsrv.dll termsrv.dll_backup

Then you need to take ownership of the termsrv.dll file. To change a file’s owner from TrustedInstaller to the local Administrators group, use the command:

takeown /F c:\Windows\System32\termsrv.dll /A

SUCCESS: The file (or folder): c:\Windows\System32\termsrv.dll now owned by the administrators group

Now use the icacls.exe tool to grant Full Control permissions to the termsrv.dll file for the local Administrators group:

icacls c:\Windows\System32\termsrv.dll /grant Administrators:F

processed file: c:\Windows\System32\termsrv.dll Successfully processed 1 files; Failed processing 0 files.
termsrv.dll takeown and grant access permissions

Now you need to stop the Remote Desktop service (TermService) using the services.msc console or with the command:

net stop TermService

It also stops the Remote Desktop Services UserMode Port Redirector service.

Stop TermService

Run the winver command or the following PowerShell command to find your Windows build number:

Get-ComputerInfo | select WindowsProductName, WindowsVersion

In my case, Windows 10 build 22H2 is installed.

Then open the termsrv.dll file using any HEX editor (for example, Tiny Hexer). Depending on the build of Windows you are using, you will need to find and replace the string according to the table below:

Windows buildFind the stringReplace with
Windows 11 22H239 81 3C 06 00 00 0F 84 75 7A 01 00    B8 00 01 00 00 89 81 38 06 00 00 90 
Windows 10 22H239 81 3C 06 00 00 0F 84 85 45 01 00
Windows 11 21H2 (RTM)39 81 3C 06 00 00 0F 84 4F 68 01 00
Windows 10 x64 21H239 81 3C 06 00 00 0F 84 DB 61 01 00
Windows 10 x64 21H139 81 3C 06 00 00 0F 84 2B 5F 01 00
Windows 10 x64 20H239 81 3C 06 00 00 0F 84 21 68 01 00
Windows 10 x64 200439 81 3C 06 00 00 0F 84 D9 51 01 00
Windows 10 x64 190939 81 3C 06 00 00 0F 84 5D 61 01 00
Windows 10 x64 190339 81 3C 06 00 00 0F 84 5D 61 01 00
Windows 10 x64 180939 81 3C 06 00 00 0F 84 3B 2B 01 00 
Windows 10 x64 18038B 99 3C 06 00 00 8B B9 38 06 00 00 
Windows 10 x64 170939 81 3C 06 00 00 0F 84 B1 7D 02 00 

Tiny Hexer cannot edit termsvr.dll file directly from the system32 folder. Copy it to your desktop and replace the original file after modifying it.

For example, my build of Windows 10 x64 is 22H2 19045.2006 (termsrv.dll file version is 10.0.19041.1949). Open the termsrv.dll file in Tiny Hexer, then find the text:

39 81 3C 06 00 00 0F 84 75 7A 01 00

and replace it with:

B8 00 01 00 00 89 81 38 06 00 00 90

Tiny Hexer Editor

Save the file and start the TermService.

If something goes wrong and you experience some problems with the Remote Desktop service, stop the service and replace the modified termsrv.dll file with the original version:

copy termsrv.dll_backup c:\Windows\System32\termsrv.dll

To avoid manually editing the termsrv.dll file with a HEX editor, you can use the following PowerShell script to automatically patch the termsrv.dll file. The PowerShell script code is available in my GitHub repository at the following link:

https://github.com/maxbakhub/winposh/blob/main/termsrv_rdp_patch.ps1

This script was written for the Windows PowerShell version and does not work in modern PowerShell Core.

👍 The advantage of the method of enabling multiple RDP sessions in Windows 10 or 11 by replacing the termsrv.dll file is that antivirus software will not react to it (unlike RDPWrap, which is detected by many antivirus products as a malware/hack tool/trojan).

👎The disadvantage of this is that you will have to manually edit the file each time you update the Windows build (or if the monthly cumulative patches update the version of termsrv.dll).

Multiple Concurrent RDP Connections in Windows 10 Enterprise Multi-session

Microsoft has recently released a special edition of the operating system called Windows Enterprise Multi-Session (Previously known as Windows 10 Enterprise for Remote Sessions and Windows 10 Enterprise for Virtual Desktops)

The key feature of this edition is that it supports multiple concurrent RDP user sessions out of the box. Although the Windows multi-session edition is only allowed to be run in Azure VMs, you can install this edition on an on-premises network and use that computer as a terminal server (even though this would be against Microsoft’s licensing policies).

The Enterprise Multi-Session edition is available for both Windows 10 and Windows 11.

Next up, we’re going to show you how to upgrade a Windows 10 Pro edition to Windows 10 Enterprise for Virtual Desktop and use it for multiple RDP users simultaneously.

Open a command prompt and check your current edition of Windows (Professional in this example):

DISM /online /Get-CurrentEdition

dism: check windows edition

Upgrade your edition of Windows 10 from Pro to Enterprise with the command:

changepk.exe /ProductKey NPPR9-FWDCX-D2C8J-H872K-2YT43

Now install the GVLK key for Windows 10 Enterprise for Remote Sessions:

slmgr.vbs /ipk CPWHC-NT2C7-VYW78-DHDB2-PG3GK

upgrade windows pro to enterprise multi-session

Check that your edition of Windows 10 has now changed to ServerRdsh (Windows 10 Enterprise for Virtual Desktops).

windows 10 enterprise for virtual desktops

Activate your copy of Windows 10 Enterprise Multi-Session edition on your KMS server:

slmgr /skms kms-srv.woshub.local:1688
slmgr /ato

active windows 10 enterprise on kms

See the Key Management Service (KMS) Activation FAQ.

Open the Local GPO Editor (gpedit.msc) and enable Per-User licensing mode in the Set the Remote Desktop licensing mode  (Computer Configuration -> Policies -> Administrative Templates -> Windows Components -> Remote Desktop Services -> Remote Desktop Session Host -> Licensing).

GPO: set per-user remote desktop license mode

You must restart Windows after activation. Now try connecting to the computer using RDP with different user accounts. As you can see, Windows 10 Enterprise multi-session supports simultaneous RDP connections right out of the box.

Get-ComputerInfo | select WindowsProductName, WindowsVersion, OsHardwareAbstractionLayer

Windows 10 Enterprise for Virtual Desktops 2009           10.0.19041.2728

qwinsta

multiple rdp connections on windows 10 enterprise multisession

In this article, we have looked at a number of ways to get rid of the limit on the number of concurrent RDP user connections and run a free terminal server on desktop versions of Windows 10/11. Each method has its own advantages and disadvantages. Which one you choose is up to you.

Source :
https://woshub.com/how-to-allow-multiple-rdp-sessions-in-windows-10/

Configuring Azure AD Password Policy

July 12, 2023

The Azure Active Directory password policy defines the password requirements for tenant users, including password complexity, length, password expiration, account lockout settings, and some other parameters. In this article, we’ll take a look into how to manage a password policy in Azure AD.

Azure AD has a default password policy applied to all accounts that are created in the cloud (not synchronized from on-premises Active Directory via Azure AD Connect).

It defines the following settings that cannot be changed by the Azure/Microsoft 365 tenant administrator:

  • Allowed characters: A-Z , a-z , 0-9 , space and special symbols @ # $ % ^ & * – _ ! + = [ ] { } | \ : ‘ , . ? / ` ~ ” ( )
  • Password complexity: at least 3 out of 4 character groups (uppercase, lowercase, numbers, and symbols)
  • Password length: minimum 8, maximum 256 characters
  • The user cannot use the previous password

Contents:

How to Change Password Expiration Policy in Azure AD

By default, a user’s password never expires in Azure AD (Microsoft 365). But you can enable the password expiration through the Microsoft 365 Admin Center:

  1. Go to Microsoft 365 Admin Center -> Settings -> Security & Privacy -> Password expiration policy;
  2. Disable the option Set password to never expire (recommended)Enable password expiration in Azure AD
  3. In this case:
    Password expiration set to 90 days
    The notification to change your password will start to be displayed 14 days before the expiry date.

Microsoft recommends that you do not enable password expiration if your Azure users use Multi-Factor Authentication (MFA).

You can use the MSOnline PowerShell module to change user password expiration settings. Just install the module (if needed) and connect to your tenant:

Install-Module MSOnline
Connect-MsolService

Check the current password expiration policy settings in Azure AD:

Get-MsolPasswordPolicy -DomainName woshub.com

ExtensionData NotificationDays ValidityPeriod
System.Runtime.Serialization.ExtensionDataObject 14 2147483647
Get-MsolPasswordPolicy: check password expiration settings powershell

You can change the password expiration policy and notification settings in Azure AD with PowerShell:

Set-MsolPasswordPolicy -DomainName woshub.com -ValidityPeriod 180 -NotificationDays 21

You can manage password expiration settings for a specific user using the Azure AD module:

Connect-AzureAD

Enable the Password never expires option for a specific user:

Set-AzureADUser -ObjectId "maxadm@woshub.com" -PasswordPolicies DisablePasswordExpiration

View the user’s password expiration date:

Get-AzureADUser -ObjectId "maxadm@woshub.com"|Select-Object @{N="PasswordNeverExpires";E={$_.PasswordPolicies -contains "DisablePasswordExpiration"}}

Set an individual user's password to never expire in Azure AD
PasswordNeverExpires
--------------------
True

Enable password expiration for the user:

Set-AzureADUser -ObjectId "maxadm@woshub.com" -PasswordPolicies None

Account Lockout Settings in Azure AD

One more parameter of the Azure password policy available for the administrator to configure is the user lockout rules in case of entering an incorrect password. By default, an account is locked for 1 minute after 10 failed attempts to authenticate using an incorrect password. Note that the lockout time is extended following each next unsuccessful sign-in attempt.

You can configure the lockout settings in the following section of the Azure Portal -> Azure Active Directory -> Security -> Authentication methods —> Password protection.

The options available for you to change are:

  • Lockout threshold – the number of unsuccessful sign-in attempts before the account is locked out (10 by default);
  • Lockout duration in seconds – 60 seconds by default.
Configure Password Protection in Azure

If their account is locked out, an Azure user will see the following notification:

Your account is temporarily locked to prevent unauthorized use. Try again later, and if you still have trouble, contact your admin.
Your Microsoft account is temporarily locked to prevent unauthorized use

Learn how to check user sign-in logs in Azure AD.

Prevent Using Weak and Popular Passwords in Azure AD

There is a separate Azure AD Password Protection feature that allows you to block the use of weak and popular passwords (such as P@ssw0rdPa$$word, etc.).

You can use the DSInternals PowerShell module to check the on-premises Active Directory for weak user passwords.

You can define your own list of weak passwords in Azure Active Directory -> Security -> Authentication methods —> Password protection. Enable the option Enforce custom list and add a list of passwords you want to ban (up to 1000 passwords).

When an Azure AD user attempts to change their password to one of the banned list, a notification is displayed:

Unfortunately, you can’t use that password because it contains words or characters that have been blocked by your administrator. Please try again with a different password.
Unfortunately, you can’t use that password because it contains words or characters that have been blocked by your administrator

These settings are applied by default only to cloud users in Azure.

If you want to apply a banned password list to the local Active Directory DS users, here’s what you need to do:

  1. Make sure you have Azure AD Premium P1 or P2 subscription;
  2. Enable the option Enable password protection on Windows Server Active Directory;
  3. The default configuration enables only the audit of the prohibited password use. So, after the testing, switch the Mode option to Enforced;
  4. Deploy the Azure AD Password Protection Proxy Service (AzureADPasswordProtectionProxySetup.msi) on one of the on-premises hosts;
  5. Install Azure AD Password Protection (AzureADPasswordProtectionDCAgentSetup.msi) on all the ADDS domain controllers.

If you want the Azure password policy to be applied to users synchronized from AD DS via Azure AD Connect, you must enable the option EnforceCloudPasswordPolicyForPasswordSyncedUsers:

Set-MsolDirSyncFeature -Feature EnforceCloudPasswordPolicyForPasswordSyncedUsers -Enable $true

Ensure that you have configured a sufficiently strong domain password policy in your on-premises Active Directory. Otherwise, synchronized users can set any password, including those that are weak and insecure.

In this case, when a user’s password is changed or reset in on-premises Active Directory, the user is checked against the list of banned passwords in Azure.

If you have Azure AD Connect sync enabled, you can use your own password policies from on-premises Active Directory to apply to cloud users. To do this, you need to create a Fine Grained Security password policy in the on-premises AD and link it to a group containing the users synchronized with the cloud. In this case, Azure Active Directory will follow the password policy of your local domain.

Source :
https://woshub.com/azure-ad-password-policy/

The five-day job: A BlackByte ransomware intrusion case study

July 6, 2023

As ransomware attacks continue to grow in number and sophistication, threat actors can quickly impact business operations if organizations are not well prepared. In a recent investigation by Microsoft Incident Response (previously known as Microsoft Detection and Response Team – DART) of an intrusion, we found that the threat actor progressed through the full attack chain, from initial access to impact, in less than five days, causing significant business disruption for the victim organization.

Our investigation found that within those five days, the threat actor employed a range of tools and techniques, culminating in the deployment of BlackByte 2.0 ransomware, to achieve their objectives. These techniques included:

  • Exploitation of unpatched internet-exposed Microsoft Exchange Servers
  • Web shell deployment facilitating remote access
  • Use of living-off-the-land tools for persistence and reconnaissance
  • Deployment of Cobalt Strike beacons for command and control (C2)
  • Process hollowing and the use of vulnerable drivers for defense evasion
  • Deployment of custom-developed backdoors to facilitate persistence
  • Deployment of a custom-developed data collection and exfiltration tool
BlackByte 2.0 ransomware attack chain by order of stages: initial access and privilege escalation, persistence and command and control, reconnaissance, credential access, lateral movement, data staging and exfiltration, and impact.
Figure 1. BlackByte 2.0 ransomware attack chain

In this blog, we share details of our investigation into the end-to-end attack chain, exposing security weaknesses that the threat actor exploited to advance their attack. As we learned from Microsoft’s tracking of ransomware attacks and the cybercriminal economy that enables them, disrupting common attack patterns could stop many of the attacker activities that precede ransomware deployment. This case highlights that common security hygiene practices go a long way in preventing, identifying, and responding to malicious activity as early as possible to mitigate the impact of ransomware attacks. We encourage organizations to follow the outlined mitigation steps, including ensuring that internet-facing assets are up to date and configured securely. We also share indicators of compromise, detection details, and hunting guidance to help organizations identify and respond to these attacks in their environments.  

Forensic analysis

Initial access and privilege escalation

To obtain initial access into the victim’s environment, the threat actor was observed exploiting the ProxyShell vulnerabilities CVE-2021-34473, CVE-2021-34523, and CVE-2021-31207 on unpatched Microsoft Exchange Servers. The exploitation of these vulnerabilities allowed the threat actor to:

  • Attain system-level privileges on the compromised Exchange host
  • Enumerate LegacyDN of users by sending Autodiscover requests, including SIDs of users
  • Construct a valid authentication token and use it against the Exchange PowerShell backend
  • Impersonate domain admin users and create a web shell by using the New-MailboxExportRequest cmdlet
  • Create web shells to obtain remote control on affected servers

The threat actor was observed operating from the following IP to exploit ProxyShell and access the web shell:

  • 185.225.73[.]244

Persistence

Backdoor

After gaining access to a device, the threat actor created the following registry run keys to run a payload each time a user signs in:

Registry keyValue nameValue data
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run  MsEdgeMsErundll32 C:\Users\user\Downloads\api-msvc.dll,Default  
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run  MsEdgeMsErundll32 C:\temp\api-msvc.dll,Default  
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run  MsEdgeMsErundll32 C:\systemtest\api-system.png,Default

The file api-msvc.dll (SHA-256: 4a066569113a569a6feb8f44257ac8764ee8f2011765009fdfd82fe3f4b92d3e) was determined to be a backdoor capable of collecting system information, such as the installed antivirus products, device name, and IP address. This information is then sent via HTTP POST request to the following C2 channel:

  • hxxps://myvisit[.]alteksecurity[.]org/t

The organization was not using Microsoft Defender Antivirus, which detects this malware as Trojan:Win32/Kovter!MSR, as the primary antivirus solution, and the backdoor was allowed to run.

An additional file, api-system.png, was identified to have similarities to api-msvc.dll. This file behaved like a DLL, had the same default export function, and also leveraged run keys for persistence.

Cobalt Strike Beacon

The threat actor leveraged Cobalt Strike to achieve persistence. The file sys.exe (SHA-256: 5f37b85687780c089607670040dbb3da2749b91b8adc0aa411fd6280b5fa7103), detected by Microsoft Defender Antivirus as Trojan:Win64/CobaltStrike!MSR, was determined to be a Cobalt Strike Beacon and was downloaded directly from the file sharing service temp[.]sh:

  • hxxps://temp[.]sh/szAyn/sys.exe

This beacon was configured to communicate with the following C2 channel:

  • 109.206.243[.]59:443

AnyDesk

Threat actors leverage legitimate remote access tools during intrusions to blend into a victim network. In this case, the threat actor utilized the remote administration tool AnyDesk, to maintain persistence and move laterally within the network. AnyDesk was installed as a service and was run from the following paths:

  • C:\systemtest\anydesk\AnyDesk.exe
  • C:\Program Files (x86)\AnyDesk\AnyDesk.exe
  • C:\Scripts\AnyDesk.exe

Successful connections were observed in the AnyDesk log file ad_svc.trace involving anonymizer service IP addresses linked to TOR and MULLVAD VPN, a common technique that threat actors employ to obscure their source IP ranges.

Reconnaissance

We found the presence and execution of the network discovery tool NetScan being used by the threat actor to perform network enumeration using the following file names:

  • netscan.exe (SHA-256:1b9badb1c646a19cdf101ac4f6fdd23bc61eaab8c9f925eb41848cea9fd0738e)
  • netapp.exe (SHA-256:1b9badb1c646a19cdf101ac4f6fdd23bc61eaab8c9f925eb41848cea9fd0738e)

Additionally, execution of AdFind (SHA-256: f157090fd3ccd4220298c06ce8734361b724d80459592b10ac632acc624f455e), an Active Directory reconnaissance tool, was observed in the environment.

Credential access

Evidence of likely usage of the credential theft tool Mimikatzwas also uncovered through the presence of a related log file mimikatz.log. Microsoft IR assesses that Mimikatz was likely used to attain credentials for privileged accounts.

Lateral movement

Using compromised domain admin credentials, the threat actor used Remote Desktop Protocol (RDP) and PowerShell remoting to obtain access to other servers in the environment, including domain controllers.

Data staging and exfiltration

In one server where Microsoft Defender Antivirus was installed, a suspicious file named explorer.exe was identified, detected as Trojan:Win64/WinGoObfusc.LK!MT, and quarantined. However, because tamper protection wasn’t enabled on this server, the threat actor was able to disable the Microsoft Defender Antivirus service, enabling the threat actor to run the file using the following command:

explorer.exe P@$$w0rd

After reverse engineering explorer.exe, we determined it to be ExByte, a GoLang-based tool developed and commonly used in BlackByte ransomware attacks for collection and exfiltration of files from victim networks. This tool is capable of enumerating files of interest across the network and, upon execution, creates a log file containing a list of files and associated metadata. Multiple log files were uncovered during the investigation in the path:

  • C:\Exchange\MSExchLog.log

Analysis of the binary revealed a list of file extensions that are targeted for enumeration.

Figure-2.-Binary-analysis-showing-file-extensions-enumerated-by-explorer.exe_
Figure 2. Binary analysis showing file extensions enumerated by explorer.exe

Forensic analysis identified a file named data.txt that was created and later deleted after ExByte execution. This file contained obfuscated credentials that ExByte leveraged to authenticate to the popular file sharing platform Mega NZ using the platform’s API at:

  • hxxps://g.api.mega.co[.]nz
Figure 3. Binary analysis showing explorer.exe functionality for connecting to file sharing service MEGA NZ

We also determined that this version of Exbyte was crafted specifically for the victim, as it contained a hardcoded device name belonging to the victim and an internal IP address.

ExByte execution flow

Upon execution, ExByte decodes several strings and checks if the process is running with privileged access by reading \\.\PHYSICALDRIVE0:

  • If this check fails, ShellExecuteW is invoked with the IpOperation parameter RunAs, which runs explorer.exe with elevated privileges.

After this access check, explorer.exe attempts to read the data.txt file in the current location:

  • If the text file doesn’t exist, it invokes a command for self-deletion and exits from memory:
C:\Windows\system32\cmd.exe /c ping 1.1.1.1 -n 10 > nul & Del <PATH>\explorer.exe /F /Q
  • If data.txt exists, explorer.exe reads the file, passes the buffer to Base64 decode function, and then decrypts the data using the key provided in the command line. The decrypted data is then parsed as JSON below and fed for login function:
{    “a”:”us0”,    “user”:”<CONTENT FROM data.txt>”}

Finally, it forms a URL for sign-in to the API of the service MEGA NZ:

  • hxxps://g.api.mega.co[.]nz/cs?id=1674017543

Data encryption and destruction

On devices where files were successfully encrypted, we identified suspicious executables, detected by Microsoft Defender Antivirus as Trojan:Win64/BlackByte!MSR, with the following names:

  • wEFT.exe
  • schillerized.exe

The files were analyzed and determined to be BlackByte 2.0 binaries responsible for encryption across the environment. The binaries require an 8-digit key number to encrypt files.

Two modes of execution were identified:

  • When the -s parameter is provided, the ransomware self-deletes and encrypts the machine it was executed on.
  • When the -a parameter is provided, the ransomware conducts enumeration and uses an Ultimate Packer Executable (UPX) packed version of PsExec to deploy across the network. Several domain admin credentials were hardcoded in the binary, facilitating the deployment of the binary across the network.

Depending on the switch (-s or -a), execution may create the following files:

  • C:\SystemData\M8yl89s7.exe (UPX-packed PsExec with a random name; SHA-256: ba3ec3f445683d0d0407157fda0c26fd669c0b8cc03f21770285a20b3133098f)
  • C:\SystemData\wEFT.exe (Additional BlackByte binary)
  • C:\SystemData\MsExchangeLog1.log (Log file)
  • C:\SystemData\rENEgOtiAtES (A vulnerable (CVE-2019-16098) driver RtCore64.sys used to evade detection by installed antivirus software; SHA-256: 01aa278b07b58dc46c84bd0b1b5c8e9ee4e62ea0bf7a695862444af32e87f1fd)
  • C:\SystemData\iHu6c4.ico (Random name – BlackBytes icon)
  • C:\SystemData\BB_Readme_file.txt (BlackByte ReadMe file)
  • C:\SystemData\skip_bypass.txt (Unknown)

BlackByte 2.0 ransomware capabilities

Some capabilities identified for the BlackByte 2.0 ransomware were:

  • Antivirus bypass
    • The file rENEgOtiAtES created matches RTCore64.sys, a vulnerable driver (CVE-2049-16098) that allows any authenticated user to read or write to arbitrary memory
    • The BlackByte binary then creates and starts a service named RABAsSaa calling rENEgOtiAtES, and exploits this service to evade detection by installed antivirus software
  • Process hollowing
    • Invokes svchost.exe, injects to it to complete device encryption, and self-deletes by executing the following command:
      • cmd.exe /c ping 1.1.1.1 -n 10 > Nul & Del “PATH_TO_BLACKBYTE” /F /Q
  • Modification / disabling of Windows Firewall
    • The following commands are executed to either modify existing Windows Firewall rules, or to disable Windows Firewall entirely:
      • cmd /c netsh advfirewall set allprofiles state off
      • cmd /c netsh advfirewall firewall set rule group=”File and Printer Sharing” new enable=Yes
      • cmd /c netsh advfirewall firewall set rule group=”Network Discovery” new enable=Yes
  • Modification of volume shadow copies
    • The following commands are executed to destroy volume shadow copies on the machine:
      • cmd /c vssadmin Resize ShadowStorge /For=B:\ /On=B:\ /MaxSize=401MB
      • cmd /c vssadmin Resize ShadowStorage /For=B:\ /On=B:\ /MaxSize=UNBOUNDED
  • Modification of registry keys/values
    • The following commands are executed to modify the registry, facilitating elevated execution on the device:
      • cmd /c reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v LocalAccountTokenFilterPolicy /t REG_DWORD /d 1 /f
      • cmd /c reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLinkedConnections /t REG_DWORD /d 1 /f
      • cmd /c reg add HKLM\\SYSTEM\\CurrentControlSet\\Control\\FileSystem /v LongPathsEnabled /t REG_DWORD /d 1 /f
  • Additional functionality
    • Ability to terminate running services and processes
    • Ability to enumerate and mount volumes and network shares for encryption
    • Perform anti-forensics technique timestomping (sets the file time of encrypted and ReadMe file to 2000-01-01 00:00:00)
    • Ability to perform anti-debugging techniques

Recommendations

To guard against BlackByte ransomware attacks, Microsoft recommends the following:

  • Ensure that you have a patch management process in place and that patching for internet-exposed devices is prioritized; Understand and assess your cyber exposure with advanced vulnerability and configuration assessment tools like Microsoft Defender Vulnerability Management
  • Implement an endpoint detection and response (EDR) solution like Microsoft Defender for Endpoint to gain visibility into malicious activity in real time across your network
  • Ensure antivirus protections are updated regularly by turning on cloud-based protection and that your antivirus solution is configured to block threats
  • Enable tamper protection to prevent components of Microsoft Defender Antivirus from being disabled
  • Block inbound traffic from IPs specified in the indicators of compromise section of this report
  • Block inbound traffic from TOR exit nodes
  • Block inbound access from unauthorized public VPN services
  • Restrict administrative privileges to prevent authorized system changes

Conclusion

BlackByte ransomware attacks target organizations that have infrastructure with unpatched vulnerabilities.  As outlined in the Microsoft Digital Defense Report, common security hygiene practices, including keeping systems up to date, could protect against 98% of attacks.

As new tools are being developed by threat actors, a modern threat protection solution like Microsoft 365 Defender is necessary to prevent and detect the multiple techniques used in the attack chain, especially where the threat actor attempts to evade or disable specific defense mechanisms. Hunting for malicious behavior should be performed regularly in order to detect potential attacks that could evade detections, as a complementary activity for continuous monitoring from security tools alerts and incidents.

To understand how Microsoft can help you secure your network and respond to network compromise, visit https://aka.ms/MicrosoftIR.

Microsoft 365 Defender detections

Microsoft Defender Antivirus

Microsoft Defender Antivirus detects this threat as the following malware:

  • Trojan:Win32/Kovter!MSR
  • Trojan:Win64/WinGoObfusc.LK!MT
  • Trojan:Win64/BlackByte!MSR
  • HackTool:Win32/AdFind!MSR
  • Trojan:Win64/CobaltStrike!MSR

Microsoft Defender for Endpoint

The following alerts might indicate threat activity related to this threat. Note, however, that these alerts can be also triggered by unrelated threat activity.

  • ‘CVE-2021-31207’ exploit malware was detected
  • An active ‘NetShDisableFireWall’ malware in a command line was prevented from executing.
  • Suspicious registry modification.
  • ‘Rtcore64’ hacktool was detected
  • Possible ongoing hands-on-keyboard activity (Cobalt Strike)
  • A file or network connection related to a ransomware-linked emerging threat activity group detected
  • Suspicious sequence of exploration activities
  • A process was injected with potentially malicious code
  • Suspicious behavior by cmd.exe was observed
  • ‘Blackbyte’ ransomware was detected

Microsoft Defender Vulnerability Management

Microsoft Defender Vulnerability Management surfaces devices that may be affected by the following vulnerabilities used in this threat:

  • CVE-2021-34473
  • CVE-2021-34523
  • CVE-2021-31207
  • CVE-2019-16098

Hunting queries

Microsoft 365 Defender

Microsoft 365 Defender customers can run the following query to find related activity in their networks:

ProxyShell web shell creation events

DeviceProcessEvents| where ProcessCommandLine has_any ("ExcludeDumpster","New-ExchangeCertificate") and ProcessCommandLine has_any ("-RequestFile","-FilePath")

Suspicious vssadmin events

DeviceProcessEvents| where ProcessCommandLine has_any ("vssadmin","vssadmin.exe") and ProcessCommandLine has "Resize ShadowStorage" and ProcessCommandLine has_any ("MaxSize=401MB"," MaxSize=UNBOUNDED")

Detection for persistence creation using Registry Run keys

DeviceRegistryEvents | where ActionType == "RegistryValueSet" | where (RegistryKey has @"Microsoft\Windows\CurrentVersion\RunOnce" and RegistryValueName == "MsEdgeMsE")      or (RegistryKey has @"Microsoft\Windows\CurrentVersion\RunOnceEx" and RegistryValueName == "MsEdgeMsE")    or (RegistryKey has @"Microsoft\Windows\CurrentVersion\Run" and RegistryValueName == "MsEdgeMsE")| where RegistryValueData startswith @"rundll32"| where RegistryValueData endswith @".dll,Default"| project Timestamp,DeviceId,DeviceName,ActionType,RegistryKey,RegistryValueName,RegistryValueData

Microsoft Sentinel

Microsoft Sentinel customers can use the TI Mapping analytics (a series of analytics all prefixed with ‘TI map’) to automatically match the malicious domain indicators mentioned in this blog post with data in their workspace. If the TI Map analytics are not currently deployed, customers can install the Threat Intelligence solution from the Microsoft Sentinel Content Hub to have the analytics rule deployed in their Sentinel workspace. More details on the Content Hub can be found here:  https://learn.microsoft.com/azure/sentinel/sentinel-solutions-deploy

Microsoft Sentinel also has a range of detection and threat hunting content that customers can use to detect the post exploitation activity detailed in this blog in addition to Microsoft 365 Defender detections list above.

Indicators of compromise

The table below shows IOCs observed during our investigation. We encourage our customers to investigate these indicators in their environments and implement detections and protections to identify past related activity and prevent future attacks against their systems.

IndicatorTypeDescription
4a066569113a569a6feb8f44257ac8764ee8f2011765009fdfd82fe3f4b92d3eSHA-256api-msvc.dll (Backdoor installed through RunKeys)
5f37b85687780c089607670040dbb3da2749b91b8adc0aa411fd6280b5fa7103SHA-256sys.exe (Cobalt Strike Beacon)
01aa278b07b58dc46c84bd0b1b5c8e9ee4e62ea0bf7a695862444af32e87f1fdSHA-256rENEgOtiAtES (Vulnerable driver RtCore64.sys created by BlackByte binary)
ba3ec3f445683d0d0407157fda0c26fd669c0b8cc03f21770285a20b3133098fSHA-256[RANDOM_NAME].exe (UPX Packed PsExec created by BlackByte binary)
1b9badb1c646a19cdf101ac4f6fdd23bc61eaab8c9f925eb41848cea9fd0738eSHA-256“netscan.exe”, “netapp.exe (Netscan network discovery tool)
f157090fd3ccd4220298c06ce8734361b724d80459592b10ac632acc624f455eSHA-256AdFind.exe (Active Directory information gathering tool)
hxxps://myvisit[.]alteksecurity[.]org/tURLC2 for backdoor api-msvc.dll
hxxps://temp[.]sh/szAyn/sys.exeURLDownload URL for sys.exe
109.206.243[.]59IP AddressC2 for Cobalt Strike Beacon sys.exe
185.225.73[.]244IP AddressOriginating IP address for ProxyShell exploitation and web shell interaction

NOTE: These indicators should not be considered exhaustive for this observed activity.

Appendix

File extensions targeted by BlackByte binary for encryption:

.4dd.4dl.accdb.accdc.accde.accdr.accdt.accft
.adb.ade.adf.adp.arc.ora.alf.ask
.btr.bdf.cat.cdb.ckp.cma.cpd.dacpac
.dad.dadiagrams.daschema.db.db-shm.db-wal.db3.dbc
.dbf.dbs.dbt.dbv. dbx. dcb. dct. dcx
. ddl. dlis. dp1. dqy. dsk. dsn. dtsx. dxl
. eco. ecx. edb. epim. exb. fcd. fdb. fic
. fmp. fmp12. fmpsl. fol.fp3. fp4. fp5. fp7
. fpt. frm. gdb. grdb. gwi. hdb. his. ib
. idb. ihx. itdb. itw. jet. jtx. kdb. kexi
. kexic. kexis. lgc. lwx. maf. maq. mar. masmav
. mdb. mpd. mrg. mud. mwb. myd. ndf. nnt
. nrmlib. ns2. ns3. ns4. nsf. nv. nv2. nwdb
. nyf. odb. ogy. orx. owc. p96. p97. pan
. pdb. pdm. pnz. qry. qvd. rbf. rctd. rod
. rodx. rpd. rsd. sas7bdat. sbf. scx. sdb. sdc
. sdf. sis. spg. sql. sqlite. sqlite3. sqlitedb. te
. temx. tmd. tps. trc. trm. udb. udl. usr
. v12. vis. vpd. vvv. wdb. wmdb. wrk. xdb
. xld. xmlff. abcddb. abs. abx. accdw. and. db2
. fm5. hjt. icg. icr. kdb. lut. maw. mdn
. mdt       

Shared folders targeted for encryption (Example: \\[IP address]\Downloads):

UsersBackupVeeamhomeshome
mediacommonStorage ServerPublicWeb
ImagesDownloadsBackupDataActiveBackupForBusinessBackups
NAS-DCDCBACKUPDirectorFilesshare 

File extensions ignored:

.ini.url.msilog.log.ldf.lock.theme.msi
.sys.wpx.cpl.adv.msc.scr.key.ico
.dll.hta.deskthemepack.nomedia.msu.rtp.msp.idx
.ani.386.diagcfg.bin.mod.ics.com.hlp
 .spl.nls.cab.exe.diagpkg.icl.ocx.rom
.prf.thempack.msstyles.icns.mpa.drv.cur.diagcab
.cmd.shs      

Folders ignored:

windowsbootprogram files (x86)windows.oldprogramdata
intelbitdefendertrend microwindowsappsappdata
application datasystem volume informationperflogsmsocache 

Files ignored:

bootnxtntldrbootmgrthumbs.db
ntuser.datbootsect.bakautoexec.baticoncache.db
bootfont.bin   

Processes terminated:

teracopyteamviewernsservicensctrluranium
processhackerprocmonpestudioprocmon64x32dbg
x64dbgcff explorerprocexppslisttcpview
tcpvcondbgviewrammaprammap64vmmap
ollydbgautorunsautorunsscfilemonregmon
idaqidaq64immunitydebuggerwiresharkdumpcap
hookexplorerimportrecpetoolslordpesysinspector
proc_analyzersysanalyzersniff_hitwindbgjoeboxcontrol
joeboxserverresourcehackerfiddlerhttpdebuggerdumpit
rammaprammap64vmmapagntsvccntaosmgr
dbeng50dbsnmpencsvcinfopathisqlplussvc
mbamtraymsaccessmsftesqlmspubmydesktopqos
mydesktopservicemysqldmysqld-ntmysqld-optNtrtscan
ocautoupdsocommocssdonenoteoracle
outlookPccNTMonpowerpntsqbcoreservicesql
sqlagentsqlbrowsersqlservrsqlwritersteam
synctimetbirdconfigthebatthebat64thunderbird
tmlistenvisiowinwordwordpadxfssvccon
zoolz    

Services terminated:

CybereasonRansomFreevnetdbpcdSamSsTeraCopyService
msftesqlnsServiceklvssbridge64vapiendpointShMonitor
SmcinstSmcServiceSntpServicesvcGenericHostSwi_
TmCCSFtmlistenTrueKeyTrueKeySchedulerTrueKeyServiceHelper
WRSVCMcTaskManagerOracleClientCache80mfefirewbengine
mfemmsRESvcmfevtpsacsvrSAVAdminService
SepMasterServicePDVFSServiceESHASRVSDRSVCFA_Scheduler
KAVFSKAVFS_KAVFSGTkavfsslpklnagentmacmnsvc
masvcMBAMServiceMBEndpointAgentMcShieldaudioendpointbuilder
AntivirusAVPDCAgentbedbgEhttpSrv
MMSekrnEPSecurityServiceEPUpdateServicentrtscan
EsgShKernelmsexchangeadtopologyAcrSch2SvcMSOLAP$TPSAMAIntel(R) PROSet Monitoring
msexchangeimap4ARSMunistoresvc_1af40aReportServer$TPSMSOLAP$SYSTEM_BGC
W3SvcMSExchangeSRSReportServer$TPSAMAZoolz 2 ServiceMSOLAP$TPS
aphidmonitorserviceSstpSvcMSExchangeMTAReportServer$SYSTEM_BGCSymantec System Recovery
UI0DetectMSExchangeSAMSExchangeISReportServerMsDtsServer110
POP3SvcMSExchangeMGMTSMTPSvcMsDtsServerIisAdmin
MSExchangeESEraserSvc11710Enterprise Client ServiceMsDtsServer100NetMsmqActivator
stc_raw_agentVSNAPVSSPDVFSServiceAcrSch2SvcAcronis
CASAD2DWebSvcCAARCUpdateSvcMcAfeeavpsusDLPAgentService
mfewcBMR Boot ServiceDefWatchccEvtMgrccSetMgr
SavRoamRTVsc screenconnectransomsqltelemetrymsexch
vncteamviewermsolapveeambackup
sqlmemtasvsssophossvc$
mepocswuauserv   

Drivers that Blackbyte can bypass:

360avflt.sys360box.sys360fsflt.sys360qpesv.sys5nine.cbt.sys
a2acc.sysa2acc64.sysa2ertpx64.sysa2ertpx86.sysa2gffi64.sys
a2gffx64.sysa2gffx86.sysaaf.sysaalprotect.sysabrpmon.sys
accessvalidator.sysacdriver.sysacdrv.sysadaptivaclientcache32.sysadaptivaclientcache64.sys
adcvcsnt.sysadspiderdoc.sysaefilter.sysagentrtm64.sysagfsmon.sys
agseclock.sysagsyslock.sysahkamflt.sysahksvpro.sysahkusbfw.sys
ahnrghlh.sysaictracedrv_am.sysairship-filter.sysajfsprot.sysalcapture.sys
alfaff.sysaltcbt.sysamfd.sysamfsm.sysamm6460.sys
amm8660.sysamsfilter.sysamznmon.sysantileakfilter.sysantispyfilter.sys
anvfsm.sysapexsqlfilterdriver.sysappcheckd.sysappguard.sysappvmon.sys
arfmonnt.sysarta.sysarwflt.sysasgard.sysashavscan.sys
asiofms.sysaswfsblk.sysaswmonflt.sysaswsnx.sysaswsp.sys
aszfltnt.sysatamptnt.sysatc.sysatdragent.sysatdragent64.sys
aternityregistryhook.sysatflt.sysatrsdfw.sysauditflt.sysaupdrv.sys
avapsfd.sysavc3.sysavckf.sysavfsmn.sysavgmfi64.sys
avgmfrs.sysavgmfx64.sysavgmfx86.sysavgntflt.sysavgtpx64.sys
avgtpx86.sysavipbb.sysavkmgr.sysavmf.sysawarecore.sys
axfltdrv.sysaxfsysmon.sysayfilter.sysb9kernel.sysbackupreader.sys
bamfltr.sysbapfecpt.sysbbfilter.sysbd0003.sysbddevflt.sys
bdfiledefend.sysbdfilespy.sysbdfm.sysbdfsfltr.sysbdprivmon.sys
bdrdfolder.sysbdsdkit.sysbdsfilter.sysbdsflt.sysbdsvm.sys
bdsysmon.sysbedaisy.sysbemk.sysbfaccess.sysbfilter.sys
bfmon.sysbhdrvx64.sysbhdrvx86.sysbhkavka.sysbhkavki.sys
bkavautoflt.sysbkavsdflt.sysblackbirdfsa.sysblackcat.sysbmfsdrv.sys
bmregdrv.sysboscmflt.sysbosfsfltr.sysbouncer.sysboxifier.sys
brcow_x_x_x_x.sysbrfilter.sysbrnfilelock.sysbrnseclock.sysbrowsermon.sys
bsrfsflt.sysbssaudit.sysbsyaed.sysbsyar.sysbsydf.sys
bsyirmf.sysbsyrtm.sysbsysp.sysbsywl.sysbwfsdrv.sys
bzsenspdrv.sysbzsenth.sysbzsenyaradrv.syscaadflt.syscaavfltr.sys
cancelsafe.syscarbonblackk.syscatflt.syscatmf.syscbelam.sys
cbfilter20.syscbfltfs4.syscbfsfilter2017.syscbfsfilter2020.syscbsampledrv.sys
cdo.syscdrrsflt.syscdsgfsfilter.syscentrifyfsf.syscfrmd.sys
cfsfdrvcgwmf.syschange.syschangelog.syschemometecfilter.sys
ciscoampcefwdriver.sysciscoampheurdriver.sysciscosam.sysclumiochangeblockmf.syscmdccav.sys
cmdcwagt.syscmdguard.syscmdmnefs.syscmflt.syscode42filter.sys
codex.sysconduantfsfltr.syscontainermonitor.syscpavfilter.syscpavkernel.sys
cpepmon.syscrexecprev.syscrncache32.syscrncache64.syscrnsysm.sys
cruncopy.syscsaam.syscsaav.syscsacentr.syscsaenh.sys
csagent.syscsareg.syscsascr.syscsbfilter.syscsdevicecontrol.sys
csfirmwareanalysis.syscsflt.syscsmon.syscssdlp.sysctamflt.sys
ctifile.sysctinet.sysctrpamon.sysctx.syscvcbt.sys
cvofflineflt32.syscvofflineflt64.syscvsflt.syscwdriver.syscwmem2k64.sys
cybkerneltracker.syscylancedrv64.syscyoptics.syscyprotectdrv32.syscyprotectdrv64.sys
cytmon.syscyverak.syscyvrfsfd.syscyvrlpc.syscyvrmtgn.sys
datanow_driver.sysdattofsf.sysda_ctl.sysdcfafilter.sysdcfsgrd.sys
dcsnaprestore.sysdeepinsfs.sysdelete_flt.sysdevmonminifilter.sysdfmfilter.sys
dgedriver.sysdgfilter.sysdgsafe.sysdhwatchdog.sysdiflt.sys
diskactmon.sysdkdrv.sysdkrtwrt.sysdktlfsmf.sysdnafsmonitor.sys
docvmonk.sysdocvmonk64.sysdpmfilter.sysdrbdlock.sysdrivesentryfilterdriver2lite.sys
drsfile.sysdrvhookcsmf.sysdrvhookcsmf_amd64.sysdrwebfwflt.sysdrwebfwft.sys
dsark.sysdsdriver.sysdsfemon.sysdsflt.sysdsfltfs.sys
dskmn.sysdtdsel.sysdtpl.sysdwprot.sysdwshield.sys
dwshield64.syseamonm.syseaseflt.syseasyanticheat.syseaw.sys
ecatdriver.sysedevmon.sysednemfsfilter.sysedrdrv.sysedrsensor.sys
edsigk.syseectrl.syseetd32.syseetd64.syseeyehv.sys
eeyehv64.sysegambit.sysegfilterk.sysegminflt.sysegnfsflt.sys
ehdrv.syselock2fsctldriver.sysemxdrv2.sysenigmafilemondriver.sysenmon.sys
epdrv.sysepfw.sysepfwwfp.sysepicfilter.sysepklib.sys
epp64.sysepregflt.syseps.sysepsmn.sysequ8_helper.sys
eraser.sysesensor.sysesprobe.sysestprmon.sysestprp.sys
estregmon.sysestregp.sysestrkmon.sysestrkr.syseventmon.sys
evmf.sysevscase.sysexcfs.sysexprevdriver.sysfailattach.sys
failmount.sysfam.sysfangcloud_autolock_driver.sysfapmonitor.sysfarflt.sys
farwflt.sysfasdriverfcnotify.sysfcontrol.sysfdrtrace.sys
fekern.sysfencry.sysffcfilt.sysffdriver.sysfildds.sys
filefilter.sysfileflt.sysfileguard.sysfilehubagent.sysfilemon.sys
filemonitor.sysfilenamevalidator.sysfilescan.sysfilesharemon.sysfilesightmf.sys
filesystemcbt.sysfiletrace.sysfile_monitor.sysfile_protector.sysfile_tracker.sys
filrdriver.sysfim.sysfiometer.sysfiopolicyfilter.sysfjgsdis2.sys
fjseparettifilterredirect.sysflashaccelfs.sysflightrecorder.sysfltrs329.sysflyfs.sys
fmdrive.sysfmkkc.sysfmm.sysfortiaptfilter.sysfortimon2.sys
fortirmon.sysfortishield.sysfpav_rtp.sysfpepflt.sysfsafilter.sys
fsatp.sysfsfilter.sysfsgk.sysfshs.sysfsmon.sys
fsmonitor.sysfsnk.sysfsrfilter.sysfstrace.sysfsulgk.sys
fsw31rj1.sysgagsecurity.sysgbpkm.sysgcffilter.sysgddcv.sys
gefcmp.sysgemma.sysgeprotection.sysggc.sysgibepcore.sys
gkff.sysgkff64.sysgkpfcb.sysgkpfcb64.sysgofsmf.sys
gpminifilter.sysgroundling32.sysgroundling64.sysgtkdrv.sysgumhfilter.sys
gzflt.syshafsnk.syshbflt.syshbfsfltr.syshcp_kernel_acq.sys
hdcorrelatefdrv.syshdfilemon.syshdransomoffdrv.syshdrfs.sysheimdall.sys
hexisfsmonitor.syshfileflt.syshiofs.syshmpalert.syshookcentre.sys
hooksys.syshpreg.syshsmltmon.syshsmltwhl.syshssfwhl.sys
hvlminifilter.sysibr2fsk.sysiccfileioad.sysiccfilteraudit.sysiccfiltersc.sys
icfclientflt.sysicrlmonitor.sysiderafilterdriver.sysielcp.sysieslp.sys
ifs64.sysignis.sysiguard.sysiiscache.sysikfilesec.sys
im.sysimffilter.sysimfilter.sysimgguard.sysimmflex.sys
immunetprotect.sysimmunetselfprotect.sysinisbdrv64.sysino_fltr.sysintelcas.sys
intmfs.sysinuse.sysinvprotectdrv.sysinvprotectdrv64.sysionmonwdrv.sys
iothorfs.sysipcomfltr.sysipfilter.sysiprotect.sysiridiumswitch.sys
irongatefd.sysisafekrnl.sysisafekrnlmon.sysisafermonisecureflt.sys
isedrv.sysisfpdrv.sysisirmfmon.sysisregflt.sysisregflt64.sys
issfltr.sysissregistry.sysit2drv.sysit2reg.sysivappmon.sys
iwdmfs.sysiwhlp.sysiwhlp2.sysiwhlpxp.sysjdppsf.sys
jdppwf.sysjkppob.sysjkppok.sysjkpppf.sysjkppxk.sys
k7sentry.syskavnsi.syskawachfsminifilter.syskc3.syskconv.sys
kernelagent32.syskewf.syskfac.syskfileflt.syskisknl.sys
klam.sysklbg.sysklboot.syskldback.syskldlinf.sys
kldtool.sysklfdefsf.sysklflt.sysklgse.sysklhk.sys
klif.sysklifaa.sysklifks.sysklifsm.sysklrsps.sys
klsnsr.sysklupd_klif_arkmon.syskmkuflt.syskmnwch.syskmxagent.sys
kmxfile.syskmxsbx.sysksfsflt.sysktfsfilter.sysktsyncfsflt.sys
kubwksp.syslafs.syslbd.syslbprotect.syslcgadmon.sys
lcgfile.syslcgfilemon.syslcmadmon.syslcmfile.syslcmfilemon.sys
lcmprintmon.sysldsecdrv.syslibwamf.syslivedrivefilter.sysllfilter.sys
lmdriver.syslnvscenter.syslocksmith.syslragentmf.syslrtp.sys
magicbackupmonitor.sysmagicprotect.sysmajoradvapi.sysmarspy.sysmaxcryptmon.sys
maxproc64.sysmaxprotector.sysmbae64.sysmbam.sysmbamchameleon.sys
mbamshuriken.sysmbamswissarmy.sysmbamwatchdog.sysmblmon.sysmcfilemon32.sys
mcfilemon64.sysmcstrg.sysmearwfltdriver.sysmessage.sysmfdriver.sys
mfeaack.sysmfeaskm.sysmfeavfk.sysmfeclnrk.sysmfeelamk.sys
mfefirek.sysmfehidk.sysmfencbdc.sysmfencfilter.sysmfencoas.sys
mfencrk.sysmfeplk.sysmfewfpk.sysminiicpt.sysminispy.sys
minitrc.sysmlsaff.sysmmpsy32.sysmmpsy64.sysmonsterk.sys
mozycorpfilter.sysmozyenterprisefilter.sysmozyentfilter.sysmozyhomefilter.sysmozynextfilter.sys
mozyoemfilter.sysmozyprofilter.sysmpfilter.sysmpkernel.sysmpksldrv.sys
mpxmon.sysmracdrv.sysmrxgoogle.sysmscan-rt.sysmsiodrv4.sys
msixpackagingtoolmonitor.sysmsnfsflt.sysmspy.sysmssecflt.sysmtsvcdf.sys
mumdi.sysmwac.sysmwatcher.sysmwfsmfltr.sysmydlpmf.sys
namechanger.sysnanoavmf.sysnaswsp.sysndgdmk.sysneokerbyfilter
netaccctrl.sysnetaccctrl64.sysnetguard.sysnetpeeker.sysngscan.sys
nlcbhelpi64.sysnlcbhelpx64.sysnlcbhelpx86.sysnlxff.sysnmlhssrv01.sys
nmpfilter.sysnntinfo.sysnovashield.sysnowonmf.sysnpetw.sys
nprosec.sysnpxgd.sysnpxgd64.sysnravwka.sysnrcomgrdka.sys
nrcomgrdki.sysnregsec.sysnrpmonka.sysnrpmonki.sysnsminflt.sys
nsminflt64.sysntest.sysntfsf.sysntguard.sysntps_fa.sys
nullfilter.sysnvcmflt.sysnvmon.sysnwedriver.sysnxfsmon.sys
nxrmflt.sysoadevice.sysoavfm.sysoczminifilter.sysodfsfilter.sys
odfsfimfilter.sysodfstokenfilter.sysoffsm.sysomfltlh.sysosiris.sys
ospfile_mini.sysospmon.sysparity.syspassthrough.syspath8flt.sys
pavdrv.syspcpifd.syspctcore.syspctcore64.syspdgenfam.sys
pecfilter.sysperfectworldanticheatsys.syspervac.syspfkrnl.syspfracdrv.sys
pgpfs.syspgpwdefs.sysphantomd.sysphdcbtdrv.syspkgfilter.sys
pkticpt.sysplgfltr.sysplpoffdrv.syspointguardvista64f.syspointguardvistaf.sys
pointguardvistar32.syspointguardvistar64.sysprocmon11.sysproggerdriver.syspsacfileaccessfilter.sys
pscff.syspsgdflt.syspsgfoctrl.syspsinfile.syspsinproc.sys
psisolator.syspwipf6.syspwprotect.syspzdrvxp.sysqdocumentref.sys
qfapflt.sysqfilter.sysqfimdvr.sysqfmon.sysqminspec.sys
qmon.sysqqprotect.sysqqprotectx64.sysqqsysmon.sysqqsysmonx64.sys
qutmdrv.sysranpodfs.sysransomdefensexxx.sysransomdetect.sysreaqtor.sys
redlight.sysregguard.sysreghook.sysregmonex.sysrepdrv.sys
repmon.sysrevefltmgr.sysreveprocprotection.sysrevonetdriver.sysrflog.sys
rgnt.sysrmdiskmon.sysrmphvmonitor.sysrpwatcher.sysrrmon32.sys
rrmon64.sysrsfdrv.sysrsflt.sysrspcrtw.sysrsrtw.sys
rswctrl.sysrswmon.sysrtologon.sysrtw.sysruaff.sys
rubrikfileaudit.sysruidiskfs.sysruieye.sysruifileaccess.sysruimachine.sys
ruiminispy.sysrvsavd.sysrvsmon.sysrw7fsflt.sysrwchangedrv.sys
ryfilter.sysryguard.syssafe-agent.syssafsfilter.syssagntflt.sys
sahara.syssakfile.syssakmfile.syssamflt.syssamsungrapidfsfltr.sys
sanddriver.syssanta.syssascan.syssavant.syssavonaccess.sys
scaegis.sysscauthfsflt.sysscauthiodrv.sysscensemon.sysscfltr.sys
scifsflt.syssciptflt.syssconnect.sysscred.syssdactmon.sys
sddrvldr.syssdvfilter.sysse46filter.syssecdodriver.syssecone_filemon10.sys
secone_proc10.syssecone_reg10.syssecone_usb.syssecrmm.syssecufile.sys
secure_os.syssecure_os_mf.syssecurofsd_x64.syssefo.syssegf.sys
segiraflt.syssegmd.syssegmp.syssentinelmonitor.sysserdr.sys
serfs.syssfac.syssfavflt.syssfdfilter.syssfpmonitor.sys
sgresflt.sysshdlpmedia.sysshdlpsf.syssheedantivirusfilterdriver.syssheedselfprotection.sys
shldflt.syssi32_file.syssi64_file.syssieflt.syssimrep.sys
sisipsfilefiltersk.sysskyamdrv.sysskyrgdrv.sysskywpdrv.sys
slb_guard.syssld.syssmbresilfilter.syssmdrvnt.syssndacs.sys
snexequota.syssnilog.syssnimg.syssnscore.syssnsrflt.sys
sodatpfl.syssoftfilterxxx.syssoidriver.syssolitkm.syssonar.sys
sophosdt2.syssophosed.syssophosntplwf.syssophossupport.sysspbbcdrv.sys
spellmon.sysspider3g.sysspiderg3.sysspiminifilter.sysspotlight.sys
sprtdrv.syssqlsafefilterdriver.syssrminifilterdrv.syssrtsp.syssrtsp64.sys
srtspit.sysssfmonm.sysssrfsf.sysssvhook.sysstcvsm.sys
stegoprotect.sysstest.sysstflt.sysstkrnl64.sysstoragedrv.sys
strapvista.sysstrapvista64.syssvcbt.sysswcommfltr.sysswfsfltr.sys
swfsfltrv2.sysswin.syssymafr.syssymefa.syssymefa64.sys
symefasi.syssymevent.syssymevent64x86.syssymevnt.syssymevnt32.sys
symhsm.syssymrg.syssysdiag.syssysmon.syssysmondrv.sys
sysplant.sysszardrv.sysszdfmdrv.sysszdfmdrv_usb.sysszedrdrv.sys
szpcmdrv.systaniumrecorderdrv.systaobserveflt.systbfsfilt.systbmninifilter.sys
tbrdrv.systdevflt.systedrdrv.systenrsafe2.systesmon.sys
tesxnginx.systesxporter.systffregnt.systfsflt.systgfsmf.sys
thetta.systhfilter.systhreatstackfim.systkdac2k.systkdacxp.sys
tkdacxp64.systkfsavxp.systkfsavxp64.systkfsft.systkfsft64.sys
tkpcftcb.systkpcftcb64.systkpl2k.systkpl2k64.systksp2k.sys
tkspxp.systkspxp64.systmactmon.systmcomm.systmesflt.sys
tmevtmgr.systmeyes.systmfsdrv2.systmkmsnsr.systmnciesc.sys
tmpreflt.systmumh.systmums.systmusa.systmxpflt.sys
topdogfsfilt.systrace.systrfsfilter.systritiumfltr.systrpmnflt.sys
trufos.systrustededgeffd.systsifilemon.systss.syststfilter.sys
tstfsredir.syststregredir.systsyscare.systvdriver.systvfiltr.sys
tvmfltr.systvptfile.systvspfltr.systwbdcfilter.systxfilefilter.sys
txregmon.sysuamflt.sysucafltdriver.sysufdfilter.sysuncheater.sys
upguardrealtime.sysusbl_ifsfltr.sysusbpdh.sysusbtest.sysuvmcifsf.sys
uwfreg.sysuwfs.sysv3flt2k.sysv3flu2k.sysv3ift2k.sys
v3iftmnt.sysv3mifint.sysvarpffmon.sysvast.sysvcdriv.sys
vchle.sysvcmfilter.sysvcreg.sysveeamfct.sysvfdrv.sys
vfilefilter.sysvfpd.sysvfsenc.sysvhddelta.sysvhdtrack.sys
vidderfs.sysvintmfs.sysvirtfile.sysvirtualagent.sysvk_fsf.sys
vlflt.sysvmwvvpfsd.sysvollock.sysvpdrvnt.sysvradfil2.sys
vraptdef.sysvraptflt.sysvrarnflt.sysvrbbdflt.sysvrexpdrv.sys
vrfsftm.sysvrfsftmx.sysvrnsfilter.sysvrsdam.sysvrsdcore.sys
vrsdetri.sysvrsdetrix.sysvrsdfmx.sysvrvbrfsfilter.sysvsepflt.sys
vsscanner.sysvtsysflt.sysvxfsrep.syswats_se.syswbfilter.sys
wcsdriver.syswdcfilter.syswdfilter.syswdocsafe.syswfp_mrt.sys
wgfile.syswhiteshield.syswindbdrv.syswindd.syswinfladrv.sys
winflahdrv.syswinfldrv.syswinfpdrv.syswinload.syswinteonminifilter.sys
wiper.syswlminisecmod.syswntgpdrv.syswraekernel.syswrcore.sys
wrcore.x64.syswrdwizfileprot.syswrdwizregprot.syswrdwizscanner.syswrdwizsecure64.sys
wrkrn.syswrpfv.syswsafefilter.syswscm.sysxcpl.sys
xendowflt.sysxfsgk.sysxhunter1.sysxhunter64.sysxiaobaifs.sys
xiaobaifsr.sysxkfsfd.sysxoiv8x64.sysxomfcbt8x64.sysyahoostorage.sys
yfsd.sysyfsd2.sysyfsdr.sysyfsrd.syszampit_ml.sys
zesfsmf.syszqfilter.syszsfprt.syszwasatom.syszwpxesvr.sys
zxfsfilt.syszyfm.syszzpensys.sys  

Further reading

For the latest security research from the Microsoft Threat Intelligence community, check out the Microsoft Threat Intelligence Blog: https://aka.ms/threatintelblog.

To get notified about new publications and to join discussions on social media, follow us on Twitter at https://twitter.com/MsftSecIntel.

Source :
https://www.microsoft.com/en-us/security/blog/2023/07/06/the-five-day-job-a-blackbyte-ransomware-intrusion-case-study/

Analysis of Storm-0558 techniques for unauthorized email access

July 14, 2023

Executive summary

On July 11, 2023, Microsoft published two blogs detailing a malicious campaign by a threat actor tracked as Storm-0558 that targeted customer email that we’ve detected and mitigated: Microsoft Security Response Center and Microsoft on the Issues. As we continue our investigation into this incident and deploy defense in depth measures to harden all systems involved, we’re providing this deeper analysis of the observed actor techniques for obtaining unauthorized access to email data, tools, and unique infrastructure characteristics. 

As described in more detail in our July 11 blogs, Storm-0558 is a China-based threat actor with espionage objectives. Beginning May 15, 2023, Storm-0558 used forged authentication tokens to access user email from approximately 25 organizations, including government agencies and related consumer accounts in the public cloud. No other environment was impacted. Microsoft has successfully blocked this campaign from Storm-0558. As with any observed nation-state actor activity, Microsoft has directly notified targeted or compromised customers, providing them with important information needed to secure their environments.

Since identification of this malicious campaign on June 16, 2023, Microsoft has identified the root cause, established durable tracking of the campaign, disrupted malicious activities, hardened the environment, notified every impacted customer, and coordinated with multiple government entities. We continue to investigate and monitor the situation and will take additional steps to protect customers.

Actor overview

Microsoft Threat Intelligence assesses with moderate confidence that Storm-0558 is a China-based threat actor with activities and methods consistent with espionage objectives. While we have discovered some minimal overlaps with other Chinese groups such as Violet Typhoon (ZIRCONIUM, APT31), we maintain high confidence that Storm-0558 operates as its own distinct group.

Figure 1 shows Storm-0558 working patterns from April to July 2023; the actor’s core working hours are consistent with working hours in China, Monday through Friday from 12:00 AM UTC (8:00 AM China Standard time) through 09:00 AM UTC (5:00 PM China Standard Time).

Heatmap showing observed Storm-0558 activity by day of the week (x-axis) and hour (y-axis).
Figure 1. Heatmap of observed Stom-0558 activity by day of week and hour (UTC).

In past activity observed by Microsoft, Storm-0558 has primarily targeted US and European diplomatic, economic, and legislative governing bodies, and individuals connected to Taiwan and Uyghur geopolitical interests. 

Historically, this threat actor has displayed an interest in targeting media companies, think tanks, and telecommunications equipment and service providers. The objective of most Storm-0558 campaigns is to obtain unauthorized access to email accounts belonging to employees of targeted organizations. Storm-0558 pursues this objective through credential harvesting, phishing campaigns, and OAuth token attacks. This threat actor has displayed an interest in OAuth applications, token theft, and token replay against Microsoft accounts since at least August 2021. Storm-0558 operates with a high degree of technical tradecraft and operational security. The actors are keenly aware of the target’s environment, logging policies, authentication requirements, policies, and procedures. Storm-0558’s tooling and reconnaissance activity suggests the actor is technically adept, well resourced, and has an in-depth understanding of many authentication techniques and applications.

In the past, Microsoft has observed Storm-0558 obtain credentials for initial access through phishing campaigns. The actor has also exploited vulnerabilities in public-facing applications to gain initial access to victim networks. These exploits typically result in web shells, including China Chopper, being deployed on compromised servers. One of the most prevalent malware families used by Storm-0558 is a shared tool tracked by Microsoft as Cigril. This family exists in several variants and is launched using dynamic-link library (DLL) search order hijacking.

After gaining access to a compromised system, Storm-0558 accesses credentials from a variety of sources, including the LSASS process memory and Security Account Manager (SAM) registry hive. Microsoft assesses that once Storm-0558 has access to the desired user credentials, the actor signs into the compromised user’s cloud email account with the valid account credentials. The actor then collects information from the email account over the web service.

Initial discovery and analysis of current activity

On June 16, 2023, Microsoft was notified by a customer of anomalous Exchange Online data access. Microsoft analysis attributed the activity to Storm-0558 based on established prior TTPs. We determined that Storm-0558 was accessing the customer’s Exchange Online data using Outlook Web Access (OWA). Microsoft’s investigative workflow initially assumed the actor was stealing correctly issued Azure Active Directory (Azure AD) tokens, most probably using malware on infected customer devices. Microsoft analysts later determined that the actor’s access was utilizing Exchange Online authentication artifacts, which are typically derived from Azure AD authentication tokens (Azure AD tokens). Further in-depth analysis over the next several days led Microsoft analysts to assess that the internal Exchange Online authentication artifacts did not correspond to Azure AD tokens in Microsoft logs.

Microsoft analysts began investigating the possibility that the actor was forging authentication tokens using an acquired Azure AD enterprise signing key. In-depth analysis of the Exchange Online activity discovered that in fact the actor was forging Azure AD tokens using an acquired Microsoft account (MSA) consumer signing key. This was made possible by a validation error in Microsoft code. The use of an incorrect key to sign the requests allowed our investigation teams to see all actor access requests which followed this pattern across both our enterprise and consumer systems. Use of the incorrect key to sign this scope of assertions was an obvious indicator of the actor activity as no Microsoft system signs tokens in this way. Use of acquired signing material to forge authentication tokens to access customer Exchange Online data differs from previously observed Storm-0558 activity. Microsoft’s investigations have not detected any other use of this pattern by other actors and Microsoft has taken steps to block related abuse.

Actor techniques

Token forgery

Authentication tokens are used to validate the identity of entities requesting access to resources – in this case, email. These tokens are issued to the requesting entity (such as a user’s browser) by identity providers like Azure AD. To prove authenticity, the identity provider signs the token using a private signing key. The relying party validates the token presented by the requesting entity by using a public validation key. Any request whose signature is correctly validated by the published public validation key will be trusted by the relying party. An actor that can acquire a private signing key can then create falsified tokens with valid signatures that will be accepted by relying parties. This is called token forgery.

Storm-0558 acquired an inactive MSA consumer signing key and used it to forge authentication tokens for Azure AD enterprise and MSA consumer to access OWA and Outlook.com. All MSA keys active prior to the incident – including the actor-acquired MSA signing key – have been invalidated. Azure AD keys were not impacted. The method by which the actor acquired the key is a matter of ongoing investigation. Though the key was intended only for MSA accounts, a validation issue allowed this key to be trusted for signing Azure AD tokens. This issue has been corrected.

As part of defense in depth, we continuously update our systems. We have substantially hardened key issuance systems since the acquired MSA key was initially issued. This includes increased isolation of the systems, refined monitoring of system activity, and moving to the hardened key store used for our enterprise systems. We have revoked all previously active keys and issued new keys using these updated systems. Our active investigation indicates these hardening and isolation improvements disrupt the mechanisms we believe the actor could have used to acquire MSA signing keys. No key-related actor activity has been observed since Microsoft invalidated the actor-acquired MSA signing key. Further, we have seen Storm-0558 transition to other techniques, which indicates that the actor is not able to utilize or access any signing keys. We continue to explore other ways the key may have been acquired and add additional defense in depth measures.

Identity techniques for access

Once authenticated through a legitimate client flow leveraging the forged token, the threat actor accessed the OWA API to retrieve a token for Exchange Online from the GetAccessTokenForResource API used by OWA. The actor was able to obtain new access tokens by presenting one previously issued from this API due to a design flaw. This flaw in the GetAccessTokenForResourceAPI has since been fixed to only accept tokens issued from Azure AD or MSA respectively. The actor used these tokens to retrieve mail messages from the OWA API. 

Actor tooling

Microsoft Threat Intelligence routinely identifies threat actor capabilities and leverages file intelligence to facilitate our protection of Microsoft customers. During this investigation, we identified several distinct Storm-0558 capabilities that facilitate the threat actor’s intrusion techniques. The capabilities described in this section are not expected to be present in the victim environment.

Storm-0558 uses a collection of PowerShell and Python scripts to perform REST API calls against the OWA Exchange Store service. For example, Storm-0558 has the capability to use minted access tokens to extract email data such as:

  • Download emails
  • Download attachments
  • Locate and download conversations
  • Get email folder information

The generated web requests can be routed through a Tor proxy or several hardcoded SOCKS5 proxy servers. The threat actor was observed using several User-Agents when issuing web requests, for example:

  • Client=REST;Client=RESTSystem;;
  • Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/92.0.4515.159 Safari/537.36
  • Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/106.0.0.0 Safari/537.36 Edg/106.0.1370.52
  • “Microsoft Edge”;v=”113″, “Chromium”;v=”113″, “Not-A.Brand”;v=”24″

The scripts contain highly sensitive hardcoded information such as bearer access tokens and email data, which the threat actor uses to perform the OWA API calls. The threat actor has the capability to refresh the access token for use in subsequent OWA commands.

Screenshot of Python code snippet of the token refresh functionality
Figure 2. Python code snippet of the token refresh functionality used by the threat actor.
Screenshot of PowerShell code snippet of OWA REST API
Figure 3. PowerShell code snippet of OWA REST API call to GetConversationItems.

Actor infrastructure

During significant portions of Storm-0558’s malicious activities, the threat actor leveraged dedicated infrastructure running the SoftEther proxy software. Proxy infrastructure complicates detection and attribution of Storm-0558 activities. During our response, Microsoft Threat Intelligence identified a unique method of profiling this proxy infrastructure and correlated with behavioral characteristics of the actor intrusion techniques. Our profile was based on the following facets:

  1. Hosts operating as part of this network present a JARM fingerprint consistent with SoftEther VPN: 06d06d07d06d06d06c42d42d000000cdb95e27fd8f9fee4a2bec829b889b8b.
  2. Presented x509 certificate has expiration date of December 31, 2037.
  3. Subject information within the x509 certificate does not contain “softether”.

Over the course of the campaign, the IPs listed in the table below were used during the corresponding timeframes.

IP addressFirst seenLast seenDescription
51.89.156[.]1533/9/20237/10/2023SoftEther proxy
176.31.90[.]1293/28/20236/29/2023SoftEther proxy
137.74.181[.]1003/31/20237/11/2023SoftEther proxy
193.36.119[.]454/19/20237/7/2023SoftEther proxy
185.158.248[.]1594/24/20237/6/2023SoftEther proxy
131.153.78[.]1885/6/20236/29/2023SoftEther proxy
37.143.130[.]1465/12/20235/19/2023SoftEther proxy
146.70.157[.]455/12/20236/8/2023SoftEther proxy
185.195.200[.]395/15/20236/29/2023SoftEther proxy
185.38.142[.]2295/15/20237/12/2023SoftEther proxy
146.70.121[.]445/17/20236/29/2023SoftEther proxy
31.42.177[.]1815/22/20235/23/2023SoftEther proxy
185.51.134[.]526/7/20237/11/2023SoftEther proxy
173.44.226[.]706/9/20237/11/2023SoftEther proxy
45.14.227[.]2336/12/20236/26/2023SoftEther proxy
185.236.231[.]1096/12/20237/3/2023SoftEther proxy
178.73.220[.]1496/16/20237/12/2023SoftEther proxy
45.14.227[.]2126/19/20236/29/2023SoftEther proxy
91.222.173[.]2256/20/20237/1/2023SoftEther proxy
146.70.35[.]1686/22/20236/29/2023SoftEther proxy
146.70.157[.]2136/26/20236/30/2023SoftEther proxy
31.42.177[.]2016/27/20236/29/2023SoftEther proxy
5.252.176[.]87/1/20237/1/2023SoftEther proxy
80.85.158[.]2157/1/20237/9/2023SoftEther proxy
193.149.129[.]887/2/20237/12/2023SoftEther proxy
5.252.178[.]687/3/20237/11/2023SoftEther proxy
116.202.251[.]87/4/20237/7/2023SoftEther proxy
185.158.248[.]936/25/202306/26/2023SoftEther proxy
20.108.240[.]2526/25/20237/5/2023SoftEther proxy
146.70.135[.]1825/18/20236/22/2023SoftEther proxy

As early as May 15, 2023, Storm-0558 shifted to using a separate series of dedicated infrastructure servers specifically for token replay and interaction with Microsoft services. It is likely that the dedicated infrastructure and supporting services configured on this infrastructure offered a more efficient manner of facilitating the actor’s activities. The dedicated infrastructure would host an actor-developed web panel that presented an authentication page at URI /#/login. The observed sign-in pages had one of two SHA-1 hashes: 80d315c21fc13365bba5b4d56357136e84ecb2d4 and 931e27b6f1a99edb96860f840eb7ef201f6c68ec.

Screenshot of the token web panel sign-in page
Figure 4. Token web panel sign-in page with SHA-1 hashes.

As part of the intelligence-driven response to this campaign, and in support of tracking, analyzing, and disrupting actor activity, analytics were developed to proactively track the dedicated infrastructure. Through this tracking, we identified the following dedicated infrastructure.

IP addressFirst seenLast seenDescription
195.26.87[.]2195/15/20236/25/2023Token web panel
185.236.228[.]1835/24/20236/11/2023Token web panel
85.239.63[.]1606/7/20236/11/2023Token web panel
193.105.134[.]586/24/20236/25/2023Token web panel
146.0.74[.]166/28/20237/4/2023Token web panel
91.231.186[.]2266/29/20237/4/2023Token web panel
91.222.174[.]416/29/20237/3/2023Token web panel
185.38.142[.]2496/29/20237/2/2023Token web panel

The last observed dedicated token replay infrastructure associated with this activity was stood down on July 4, 2023, roughly one day following the coordinated mitigation conducted by Microsoft. 

Post-compromise activity

Our telemetry and investigations indicate that post-compromise activity was limited to email access and exfiltration for targeted users.

Mitigation and hardening

No customer action is required to mitigate the token forgery technique or validation error in OWA or Outlook.com. Microsoft has mitigated this issue on customers’ behalf as follows:

  • On June 26, OWA stopped accepting tokens issued from GetAccessTokensForResource for renewal, which mitigated the token renewal being abused.
  • On June 27, Microsoft blocked the usage of tokens signed with the acquired MSA key in OWA preventing further threat actor enterprise mail activity.
  • On June 29, Microsoft completed replacement of the key to prevent the threat actor from using it to forge tokens. Microsoft revoked all MSA signing which were valid at the time of the incident, including the actor-acquired MSA key. The new MSA signing keys are issued in substantially updated systems which benefit from hardening not present at issuance of the actor-acquired MSA key:
    • Microsoft has increased the isolation of these systems from corporate environments, applications, and users.Microsoft has refined monitoring of all systems related to key activity, and increased automated alerting related to this monitoring.
    • Microsoft has moved the MSA signing keys to the key store used for our enterprise systems.
  • On July 3, Microsoft blocked usage of the key for all impacted consumer customers to prevent use of previously-issued tokens.

Ongoing monitoring indicates that all actor activity related to this incident has been blocked. Microsoft will continue to monitor Storm-0558 activity and implement protections for our customers.

Recommendations

Microsoft has mitigated this activity on our customers’ behalf for Microsoft services. No customer action is required to prevent threat actors from using the techniques described above to access Exchange Online and Outlook.com.

Indicators of compromise

IndicatorTypeFirst seenLast seenDescription
d4b4cccda9228624656bff33d8110955779632aaThumbprint  Thumbprint of acquired signing key
195.26.87[.]219IPv45/15/20236/25/2023Token web panel
185.236.228[.]183IPv45/24/20236/11/2023Token web panel
85.239.63[.]160IPv46/7/20236/11/2023Token web panel
193.105.134[.]58IPv46/24/20236/25/2023Token web panel
146.0.74[.]16IPv46/28/20237/4/2023Token web panel
91.231.186[.]226IPv46/29/20237/4/2023Token web panel
91.222.174[.]41IPv46/29/20237/3/2023Token web panel
185.38.142[.]249IPv46/29/20237/2/2023Token web panel
51.89.156[.]153IPv43/9/20237/10/2023SoftEther proxy
176.31.90[.]129IPv43/28/20236/29/2023SoftEther proxy
137.74.181[.]100IPv43/31/20237/11/2023SoftEther proxy
193.36.119[.]45IPv44/19/20237/7/2023SoftEther proxy
185.158.248[.]159IPv44/24/20237/6/2023SoftEther proxy
131.153.78[.]188IPv45/6/20236/29/2023SoftEther proxy
37.143.130[.]146IPv45/12/20235/19/2023SoftEther proxy
146.70.157[.]45IPv45/12/20236/8/2023SoftEther proxy
185.195.200[.]39IPv45/15/20236/29/2023SoftEther proxy
185.38.142[.]229IPv45/15/20237/12/2023SoftEther proxy
146.70.121[.]44IPv45/17/20236/29/2023SoftEther proxy
31.42.177[.]181IPv45/22/20235/23/2023SoftEther proxy
185.51.134[.]52IPv46/7/20237/11/2023SoftEther proxy
173.44.226[.]70IPv46/9/20237/11/2023SoftEther proxy
45.14.227[.]233IPv46/12/20236/26/2023SoftEther proxy
185.236.231[.]109IPv46/12/20237/3/2023SoftEther proxy
178.73.220[.]149IPv46/16/20237/12/2023SoftEther proxy
45.14.227[.]212IPv46/19/20236/29/2023SoftEther proxy
91.222.173[.]225IPv46/20/20237/1/2023SoftEther proxy
146.70.35[.]168IPv46/22/20236/29/2023SoftEther proxy
146.70.157[.]213IPv46/26/20236/30/2023SoftEther proxy
31.42.177[.]201IPv46/27/20236/29/2023SoftEther proxy
5.252.176[.]8IPv47/1/20237/1/2023SoftEther proxy
80.85.158[.]215IPv47/1/20237/9/2023SoftEther proxy
193.149.129[.]88IPv47/2/20237/12/2023SoftEther proxy
5.252.178[.]68IPv47/3/20237/11/2023SoftEther proxy
116.202.251[.]8IPv47/4/20237/7/2023SoftEther proxy

Further reading

For the latest security research from the Microsoft Threat Intelligence community, check out the Microsoft Threat Intelligence Blog: https://aka.ms/threatintelblog.

To get notified about new publications and to join discussions on social media, follow us on Twitter at https://twitter.com/MsftSecIntel.

Source :
https://www.microsoft.com/en-us/security/blog/2023/07/14/analysis-of-storm-0558-techniques-for-unauthorized-email-access/

How to Disable NTLM Authentication in Windows Domain

February 28, 2023

NTLM (NT LAN Manager) is a legacy Microsoft authentication protocol that dates back to Windows NT. Although Microsoft introduced the more secure Kerberos authentication protocol back in Windows 2000, NTLM (mostly NTLMv2) is still widely used for authentication on Windows domain networks. In this article, we will look at how to disable the NTLMv1 and NTLMv2 protocols, and switch to Kerberos in an Active Directory domain.

Contents:

The key NTLMv1 problems:

  • weak encryption;
  • storing password hash in the memory of the LSA service, which can be extracted from Windows memory in plain text using various tools (such as Mimikatz) and used for further attacks using pass-the-has scripts;
  • the lack of mutual authentication between a server and a client, leading to data interception and unauthorized access to resources (some tools such as Responder can capture NTLM data sent over the network and use them to access the network resources);
  • and other vulnerabilities.

Some of these have been in the next version NTLMv2 which uses more secure encryption algorithms and allows to prevent of common NTLM attacks. NTLMv1 and LM authentication protocols are disabled by default starting with Windows 7 and Windows Server 2008 R2.

How to Enable NTLM Authentication Audit Logging?

Before completely disabling NTLM in a domain and switching to Kerberos, it is a good idea to ensure that there are no applications in the domain that require and use NTLM auth. There may be legacy devices or services on your network that still use NTLMv1 authentication instead of NTLMv2 (or Kerberos).

To track accounts or apps that use NTLM authentication, you can enable audit logging policies on all computers using GPO. Open the Default Domain Controller Policy, navigate to the Computer Configuration -> Windows Settings -> Security Settings -> Local Policies -> Security Options section, find and enable the Network Security: Restrict NTLM: Audit NTLM authentication in this domain policy and set its value to Enable all.

Network Security: Restrict NTLM: Audit NTLM authentication in this domain

In the same way, enable the following policies in the Default Domain Policy:

  • Network Security: Restrict NTLM: Audit Incoming NTLM Traffic – set its value to Enable auditing for domain accounts
  • Network security: Restrict NTLM: Outgoing NTLM traffic to remote servers: set Audit all
Network Security: Restrict NTLM: Audit Incoming NTLM Traffic

Once these policies are enabled, events related to the use of NTLM authentication will appear in the Application and Services Logs-> Microsoft -> Windows -> NTLM section of the Event Viewer.

You can analyze the events on each server or collect them to the central Windows Event Log Collector.

You need to search for the events from the source Microsoft-Windows-Security-Auditing with the Event ID 4624 – “An Account was successfully logged on“. Note the information in the “Detailed Authentication Information” section. If there is NTLM in the Authentication Package value, then the NTLM protocol was used to authenticate this user.

Look at the value of Package Name (NTLM only). This line shows which protocol (LM, NTLMv1, or NTLMv2) was used for authentication. So you need to identify any servers/applications that are using the legacy protocol.

eventid 4624 source Microsoft-Windows-Security-Auditing ntlm usage

Also, if NTLM is used for authentication instead of Kerberos, Event ID 4776 will appear in the log:

The computer attempted to validate the credentials for an account
Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0

For example, to search for all NTLMv1 authentication events on all domain controllers, you can use the following PowerShell script:

$ADDCs = Get-ADDomainController -filter
$Now = Get-Date
$Yesterday = $Now.AddDays(-1)
$NewOutputFile = "c:\Events\$($Yesterday.ToString('yyyyddMM'))_AD_NTLMv1_events.log"
function GetEvents($DC){
Write-Host "Searching log on " $DC.HostName
$Events = Get-EventLog "Security" -After $Yesterday.Date -Before $Now.Date -ComputerName $DC.HostName -Message "*NTLM V1*" -instanceid 4624
foreach($Event in $Events){
Write-Host $DC.HostName $Event.EventID $Event.TimeGenerated
Out-File -FilePath $NewOutputFile -InputObject "$($Event.EventID), $($Event.MachineName), $($Event.TimeGenerated), $($Event.ReplacementStrings),($Event.message)" -Append
}
}
foreach($DC in $ADDCs){GetEvents($DC)}

Once you have identified the users and applications that use NTLM in your domain, try switching them to use Kerberos (possibly using SPN). To use Kerberos authentication, some applications need to be slightly reconfigured (Kerberos Authentication in IISConfigure different browsers for Kerberos authenticationCreate a Keytab File Using Kerberos Auth). From my own experience, I see that even large commercial products are still using NTLM instead of Kerberos, some products require updates or configuration changes. The idea is to identify which applications use NTLM authentication, and now you have a way to identify that software and devices.

Small open-source products, old models of various network scanners (which store scans in shared network folders), some NAS devices and other old hardware, legacy software and operating systems are likely to have authentication problems when NTLMv1 is disabled.

Those apps that cannot use Kerberos can be added to the exceptions. This allows them to use NTLM authentication even if it is disabled at the domain level. To do it, the Network security: Restrict NTLM: Add server exceptions for NTLM authentication in this domain policy is used. Add the names of the servers (NetBIOS names, IP addresses, or FQDN), on which NTLM authentication can be used, to the list of exceptions as well. Ideally, this exception list should be empty. You can use the wildcard character *.

GPO: Network security: Restrict NTLM: Add server exceptions for NTLM authentication in this domain

To use Kerberos authentication in an application, you must specify the DNS name of the server, instead of its IP address. If you specify an IP address when connecting to your resources, NTLM authentication will be used.

Configuring Active Directory to Force NTLMv2 via GPO

Before completely disabling NTLM in an AD domain, it is recommended that you first disable its more vulnerable version, NTLMv1. The domain administrator needs to make sure that their network does not allow the use of NTLM or LM for authentication, as in some cases an attacker can use special requests to get a response to an NTLM/LM request.

You can set the preferred authentication type using the domain GPO. Open the Group Policy Management Editor (gpmc.msc) and edit the Default Domain Controllers Policy. Go to the GPO section Computer Configurations -> Policies -> Windows Settings -> Security Settings -> Local Policies -> Security Options and find the policy Network Security: LAN Manager authentication level.

Network Security: LAN Manager authentication level - disable ntlm v1 and lm

There are 6 options to choose from in the policy settings::

  • Send LM & NTLM responses;
  • Send LM & NTLM responses – use NTLMv2 session security if negotiated;
  • Send NTLM response only;
  • Send NTLMv2 response only;
  • Send NTLMv2 response only. Refuse LM;
  • Send NTLMv2 response only. Refuse LM& NTLM.

The NTLM authentication options are listed in the order of their security improvement. By default, Windows 7 and later operating systems use the option Send NTLMv2 response only. If this option is enabled, client computers use NTLMv2 authentication, but AD domain controllers accept LM, NTLM, and NTLMv2 requests.

NTLMv2 can be used where the Kerberos protocol has failed and for some operations (for example, managing local groups and accounts on the domain-joined computers) or in workgroups.

You can change the policy value to the most secure option 6 : “Send NTLMv2 response only. Refuse LM & NTLM”. This policy causes domain controllers to reject LM and NTLM requests as well.

You can also disable NTLMv1 through the registry. To do this, create a DWORD parameter with the name LmCompatibilityLevel with a value between 0 and 5 under the registry key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa. Value 5 corresponds to the policy option “Send NTLMv2 response only. Refuse LM NTLM”.

Make sure that the Network security: Do not store LAN Manager hash value on next password change policy is enabled in the same GPO section. It is enabled by default starting with Windows Vista / Windows Server 2008 and prevents the creation of an LM hash.

Network security: Do not store LAN Manager hash value on next password change

Once you have ensured that you are not using NTLMv1, you can go further and try to disable NTLMv2. NTLMv2 is a more secure authentication protocol but loses significantly to Kerberos in terms of security (although there are fewer vulnerabilities in NTLMv2 than in the NTLMv1, but there is still a chance of capturing and reusing data, as well as it doesn’t support mutual authentication).

The main risk of disabling NTLM is the potential use of legacy or misconfigured applications that may still be using NTLM authentication. If this is the case, they will need to be updated or specially configured to switch to Kerberos.

If you have a Remote Desktop Gateway server on your network, you will need to make an additional configuration to prevent clients from connecting using NTLMv1. Create a registry entry:

REG add "HKLM\Software\Microsoft\Windows NT\CurrentVersion\TerminalServerGateway\Config\Core" /v EnforceChannelBinding /t REG_DWORD /d 1 /f

Restrict NTLM Completely and Use Kerberos Authentication in an AD

To check how authentication works in different applications in a domain without using NTLM, you can add the accounts of the required users to the Protected Users domain group (it is available since the Windows Server 2012 R2 release). Members of this security group can only authenticate using Kerberos (NTLM, Digest Authentication, or CredSSP are not allowed). This allows you to verify that Kerberos user authentication is working correctly in different apps.

Then you can completely disable NTLM on the Active Directory domain using the Network Security: Restrict NTLM: NTLM authentication in this domain policy.

The policy has 5 options:

  • Disable: the policy is disabled (NTLM authentication is allowed in the domain);
  • Deny for domain accounts to domain servers: the domain controllers reject NTLM authentication attempts for all servers under the domain accounts, and the “NTLM is blocked” error message is displayed;
  • Deny for domain accounts: the domain controllers are preventing NTLM authentication attempts for all domain accounts, and the “NTLM is blocked” error appears;
  • Deny for domain servers: NTLM authentication requests are denied for all servers unless the server name is on the exception list in the “Network security: Restrict NTLM: Add server exceptions for NTLM authentication in this domain” policy;
  • Deny all: the domain controllers block all NTLM requests for all domain servers and accounts.
GPO: Network Security: Restrict NTLM: NTLM authentication in this domain

Although NTLM is now disabled on the domain, it is still used to process local logins to computers (NTLM is always used for local user logons).

You can also disable incoming and outgoing NTLM traffic on domain computers using separate Default Domain Policy options:

  • Network security: Restrict NTLM: Incoming NTLM traffic = Deny all accounts
  • Network security: Restrict NTLM: Outgoing NTLM traffic to remote servers = Deny all

After enabling auditing, Event Viewer will also display EventID 6038 from the LsaSRV source when using NTLM for authentication:

Microsoft Windows Server has detected that NTLM authentication is presently being used between clients and this server. This event occurs once per boot of the server on the first time a client uses NTLM with this server.
NTLM is a weaker authentication mechanism. Please check:
Which applications are using NTLM authentication?
Are there configuration issues preventing the use of stronger authentication such as Kerberos authentication?
If NTLM must be supported, is Extended Protection configured?
eventid 6038 from lsasrv source: NTLM authentication is presently being used between clients and this server

You can check that Kerberos is used for user authentication with the command:

klist sessions

klist session - check authentication protocol used

This command shows that all users are Kerberos-authenticated (except the built-in local Administrator, who is always authenticated using NTLM).

If you are experiencing a lot of user account lockout events after disabling NTLM, take a close look at the events with ID 4771 (Kerberos pre-authentication failed). Check the Failure Code in the error description. This will indicate the reason and source of the lock.

To further improve Active Directory security, I recommend reading these articles:


Source :
https://woshub.com/disable-ntlm-authentication-windows/

8 Essential Tips for Data Protection and Cybersecurity in Small Businesses

Michelle Quill — June 6, 2023

Small businesses are often targeted by cybercriminals due to their lack of resources and security measures. Protecting your business from cyber threats is crucial to avoid data breaches and financial losses.

Why is cyber security so important for small businesses?

Small businesses are particularly in danger of cyberattacks, which can result in financial loss, data breaches, and damage to IT equipment. To protect your business, it’s important to implement strong cybersecurity measures.

Here are some tips to help you get started:

One important aspect of data protection and cybersecurity for small businesses is controlling access to customer lists. It’s important to limit access to this sensitive information to only those employees who need it to perform their job duties. Additionally, implementing strong password policies and regularly updating software and security measures can help prevent unauthorized access and protect against cyber attacks. Regular employee training on cybersecurity best practices can also help ensure that everyone in the organization is aware of potential threats and knows how to respond in the event of a breach.

When it comes to protecting customer credit card information in small businesses, there are a few key tips to keep in mind. First and foremost, it’s important to use secure payment processing systems that encrypt sensitive data. Additionally, it’s crucial to regularly update software and security measures to stay ahead of potential threats. Employee training and education on cybersecurity best practices can also go a long way in preventing data breaches. Finally, having a plan in place for responding to a breach can help minimize the damage and protect both your business and your customers.

Small businesses are often exposed to cyber attacks, making data protection and cybersecurity crucial. One area of particular concern is your company’s banking details. To protect this sensitive information, consider implementing strong passwords, two-factor authentication, and regular monitoring of your accounts. Additionally, educate your employees on safe online practices and limit access to financial information to only those who need it. Regularly backing up your data and investing in cybersecurity software can also help prevent data breaches.

Small businesses are often at high risk of cyber attacks due to their limited resources and lack of expertise in cybersecurity. To protect sensitive data, it is important to implement strong passwords, regularly update software and antivirus programs, and limit access to confidential information.

It is also important to have a plan in place in case of a security breach, including steps to contain the breach and notify affected parties. By taking these steps, small businesses can better protect themselves from cyber threats and ensure the safety of their data.

Tips for protecting your small business from cyber threats and data breaches are crucial in today’s digital age. One of the most important steps is to educate your employees on cybersecurity best practices, such as using strong passwords and avoiding suspicious emails or links.

It’s also important to regularly update your software and systems to ensure they are secure and protected against the latest threats. Additionally, implementing multi-factor authentication and encrypting sensitive data can add an extra layer of protection. Finally, having a plan in place for responding to a cyber-attack or data breach can help minimize the damage and get your business back on track as quickly as possible.

Small businesses are attackable to cyber-attacks and data breaches, which can have devastating consequences. To protect your business, it’s important to implement strong cybersecurity measures. This includes using strong passwords, regularly updating software and systems, and training employees on how to identify and avoid phishing scams.

It’s also important to have a data backup plan in place and to regularly test your security measures to ensure they are effective. By taking these steps, you can help protect your business from cyber threats and safeguard your valuable data.

To protect against cyber threats, it’s important to implement strong data protection and cybersecurity measures. This can include regularly updating software and passwords, using firewalls and antivirus software, and providing employee training on safe online practices. Additionally, it’s important to have a plan in place for responding to a cyber attack, including backing up data and having a designated point person for handling the situation.

In today’s digital age, small businesses must prioritize data protection and cybersecurity to safeguard their operations and reputation. With the rise of remote work and cloud-based technology, businesses are more vulnerable to cyber attacks than ever before. To mitigate these risks, it’s crucial to implement strong security measures for online meetings, advertising, transactions, and communication with customers and suppliers. By prioritizing cybersecurity, small businesses can protect their data and prevent unauthorized access or breaches.

Here are 8 essential tips for data protection and cybersecurity in small businesses.

8 Essential Tips for Data Protection and Cybersecurity in Small Businesses

1. Train Your Employees on Cybersecurity Best Practices

Your employees are the first line of defense against cyber threats. It’s important to train them on cybersecurity best practices to ensure they understand the risks and how to prevent them. This includes creating strong passwords, avoiding suspicious emails and links, and regularly updating software and security systems. Consider providing regular training sessions and resources to keep your employees informed and prepared.

2. Use Strong Passwords and Two-Factor Authentication

One of the most basic yet effective ways to protect your business from cyber threats is to use strong passwords and two-factor authentication. Encourage your employees to use complex passwords that include a mix of letters, numbers, and symbols, and to avoid using the same password for multiple accounts. Two-factor authentication adds an extra layer of security by requiring a second form of verification, such as a code sent to a mobile device, before granting access to an account. This can help prevent unauthorized access even if a password is compromised.

3. Keep Your Software and Systems Up to Date

One of the easiest ways for cybercriminals to gain access to your business’s data is through outdated software and systems. Hackers are constantly looking for vulnerabilities in software and operating systems, and if they find one, they can exploit it to gain access to your data. To prevent this, make sure all software and systems are kept up-to-date with the latest security patches and updates. This includes not only your computers and servers but also any mobile devices and other connected devices used in your business. Set up automatic updates whenever possible to ensure that you don’t miss any critical security updates.

4. Use Antivirus and Anti-Malware Software

Antivirus and anti-malware software are essential tools for protecting your small business from cyber threats. These programs can detect and remove malicious software, such as viruses, spyware, and ransomware before they can cause damage to your systems or steal your data. Make sure to install reputable antivirus and anti-malware software on all devices used in your business, including computers, servers, and mobile devices. Keep the software up-to-date and run regular scans to ensure that your systems are free from malware.

5. Backup Your Data Regularly

One of the most important steps you can take to protect your small business from data loss is to back up your data regularly. This means creating copies of your important files and storing them in a secure location, such as an external hard drive or cloud storage service. In the event of a cyber-attack or other disaster, having a backup of your data can help you quickly recover and minimize the impact on your business. Make sure to test your backups regularly to ensure that they are working properly and that you can restore your data if needed.

6. Carry out a risk assessment

Small businesses are especially in peril of cyber attacks, making it crucial to prioritize data protection and cybersecurity. One important step is to assess potential risks that could compromise your company’s networks, systems, and information. By identifying and analyzing possible threats, you can develop a plan to address security gaps and protect your business from harm.

For Small businesses making data protection and cybersecurity is a crucial part. To start, conduct a thorough risk assessment to identify where and how your data is stored, who has access to it, and potential threats. If you use cloud storage, consult with your provider to assess risks. Determine the potential impact of breaches and establish risk levels for different events. By taking these steps, you can better protect your business from cyber threats

7. Limit access to sensitive data

One effective strategy is to limit access to critical data to only those who need it. This reduces the risk of a data breach and makes it harder for malicious insiders to gain unauthorized access. To ensure accountability and clarity, create a plan that outlines who has access to what information and what their roles and responsibilities are. By taking these steps, you can help safeguard your business against cyber threats.

8. Use a firewall

For Small businesses, it’s important to protect the system from cyber attacks by making data protection and reducing cybersecurity risk. One effective measure is implementing a firewall, which not only protects hardware but also software. By blocking or deterring viruses from entering the network, a firewall provides an added layer of security. It’s important to note that a firewall differs from an antivirus, which targets software affected by a virus that has already infiltrated the system.

Small businesses can take steps to protect their data and ensure cybersecurity. One important step is to install a firewall and keep it updated with the latest software or firmware. Regularly checking for updates can help prevent potential security breaches.

Conclusion

Small businesses are particularly vulnerable to cyber attacks, so it’s important to take steps to protect your data. One key tip is to be cautious when granting access to your systems, especially to partners or suppliers. Before granting access, make sure they have similar cybersecurity practices in place. Don’t hesitate to ask for proof or to conduct a security audit to ensure your data is safe.

Source :
https://onlinecomputertips.com/support-categories/networking/tips-for-cybersecurity-in-small-businesses/

Change Your Windows Folder Colors and Icons

Cindy Thomas — June 19, 2023

As you probably know, Windows keeps your files into folders that can also contain subfolders. By using folders, you can keep your computer organized by placing files of certain types in their own folders, such as files for a school project or sales meeting. And of course you can create these folders and subfolders as needed and copy or move your files in and out of them.

You have probably also noticed that all of these folders look the same with the exception of the Windows user folders for Documents, Downloads, Pictures and so on as seen below.

Windows User Folders

Another thing that will affect how your folders look is the view that you have applied to them. You can set your folder views to show them as a list or as icons of various sizes. When you use one of the icon views, you might see a file preview icon on the folder based on what types of files are in the folder itself. This icon can also change when you add or remove files from the folder. Empty folders will not have any file preview icons on them.

Windows Folders

If you are looking for some extra customization, then you can try out the free Folder Marker software which will allow you to apply colors to specific folders as well as custom icons. Once you download and install the software, you can apply color and icon changes by either adding folders to the main interface or by using the new right click context menu item that you will now have on your computer.

Folder Marker Software
Change Your Windows Folder Colors and Icons

If you use the first method where you add or drag folders into the app itself, any changes you make will be applied to all folders in the list so you might want to use the right click method to apply changes to single folders.

If you would rather apply a custom icon to your folder rather than change its color, then you can do so from the Main tab in the app or simply by clicking the icon you like from the right click menu. The User Icons section is used to add your own custom icons if you happen to know how to create those.

Change Your Windows Folder Colors and Icons

The image below shows the same folders with some colors and icons applied to them. As you can see, they stand out much better than they did before the changes were made. If you were to move or copy a folder to a new location, its color or custom icon will stay with it so you don’t need to worry about having to change its appearance again.

Change Your Windows Folder Colors and Icons

If you change your mind and what to revert a folder back to its original look, you can do so by right clicking on it and choosing the Restore Default option. To revert all of your changes, you can open the app itself and then go to the Action menu and click on Rollback All Changes.

As you can see, Folder Marker is easy to use and is a quick way to customize your Windows folders and can really help with your file management tasks. You can download the program from their website here.

Source :
https://onlinecomputertips.com/support-categories/windows/change-your-windows-folder-colors-and-icons/

Export Your Google Sites Website to Your Computer

Preston Mason — January 12, 2023

Everyone who uses a computer knows that Google has a service or an app for just about anything you think of. And for those who want an easy way to create websites, they also have their free online website creation tool called Google Sites which doesn’t require any coding skills or HTML knowledge to use. But if you want to backup your website, you will notice that there is no option to do so. In this article, we will show you how to export your google sites website to your computer.

If you are using traditional website development tools or software, you would generally be working on your individual HTML files and also be backing them up as needed. But with Google Sites, you are working within the Sites interface online and your website it stored in your Google Drive account.

The Backup Process

When you go to your Google Drive account and find your website, you will see that it appears as a single file just like a document or spreadsheet would appear. Then if you right click on it, there is no download option like you would see for other files.

Google Drive right click options

To backup your Sites website, you will first need to make a copy of it within your Google Drive account and move to a different folder. Within Drive, click on the New button and then choose New folder. Name this folder something like Website Backup or whatever you would like.

Next, go to your website file in Drive, right click it and then choose the Make a copy option. This will make a copy of your website in the same location and will add copy of in front of the existing name.

Google Drive file right click options make a copy

You can then drag the copy to your new folder or right click on the copy and choose the Move to option and then choose your new folder. You can also move your original website file to this new folder if you don’t want to make the copy for the backup.

Using Google Takeout

After this copy is created, you can go to the Google Takeout website and just make sure you are logged in with the same Google account that you use for your website. Then the first thing you want to do is click on Deselect all since all of the checkboxes will be selected by default.

Google Takeout website

Then scroll down the list and look for Drive (not Classic Sites) and check the box and then click on All Drive data included.

Google Takeout website

Next you will uncheck the box that says Include all files and folders in Drive and check only the box next to the folder name that contains your website file and click OK.

Export Your Google Sites Website to Your Computer

Then you will need to scroll to the bottom of the page and click on the button that says Next step. Now you will be able to configure the export to either send a download link to your email address or add your backup to your Drive, OneDrive, Dropbox or Box account. I prefer the email option.

You can also setup this backup as a one time export or have it be exported every 2 months for the next year. For the export file type you can choose between zip and tgz file formats. If you have a really large website then the export will be split into 2GB files but your website is most likely much smaller than 2GB.

Once you have everything set correctly, you can click on the Create export button.

Export Your Google Sites Website to Your Computer

You will then be shown an export progress screen telling you that your will be sent an email when the export is complete. Even though it says it can possibly take days to complete, its usually fairly quick and might only take a few minutes.

Export Your Google Sites Website to Your Computer

Once you receive the email, you can click on the Download your files button or the Mange exports button to be taken back to the Google Takeout website to download your files.

Export Your Google Sites Website to Your Computer
Google Takeout Mange Exports

After you download the zip file, you can then extract it and navigate to the location of your website files.

Export Your Google Sites Website to Your Computer

Source :
https://onlinecomputertips.com/support-categories/software/export-your-google-sites-website-to-your-computer/