July 2023 - Appunti dalla rete

Delegate Control in Active Directory (Step-by-Step Guide)

Last Updated: July 20, 2023 by Robert Allen

How to delegate control in active directory

Do you need to give the helpdesk staff permissions to reset passwords and unlock user accounts?

Do you want to allow specific users to modify group membership?

No problem.

In this guide, you will learn how to use the delegation control wizard in Active Directory to grant users very specific permissions.

It is important to know how to correctly use the delegation of control in Active Directory to avoid giving users more rights than they need. Whatever you do, do not add users into highly privileged groups like Domain Admins.

Table of Contents:

Delegation of Control Best Practices

Here are my recommendations and tips for delegating permissions in Active Directory.

Good OU Design

Delegating permissions in Active Directory is done by using organizational units (OU), so it is critical to have a good OU design. The OU design will be different for every organization, but a simple design is to put all similar resources into their own OU.

Computer OU – All computers go here
Users OU – All user accounts go here
Servers OU – All server accounts go here
Groups – All groups go here.

You can then create sub-OUs to further organize your resources.

In the above screenshot, I have the “ADPRO Users” OU for all my user accounts. I then created sub-OUs for each department to further organize the user accounts. With this design, I can easily delegate control to all resources or resources in a specific sub-OU. For example, HR hired their own IT support person and they want to reset passwords for all HR users. I can delegate the password reset permissions to just the HR OU.

You can structure the sub-OUs any way that you like. For example, you could make them based on geographic locations, or by user type such as regular, privileged, and so on.

With a good OU design, it makes delegating permissions easy and helps to avoid delegating more permissions than needed.

To read more on OU design see the Microsoft guide Designing OU structures that work.

Don’t use Built-in Security Groups

When delegating control it is best to create new security groups rather than using built-in AD groups. For example, don’t use “Account Operators” or Backup Operators” when delegating permissions. These built-in AD groups have special permissions that can give users more rights than needed.

Delegate Control to Groups, NOT USERS

Do not delegate control to a user account. This will become a security nightmare as it will be very difficult to audit and manage. Assigning permissions to groups makes it easy to add and remove permissions.

Use Descriptive Group Names

Have you come across a group in Active Directory and have no idea what it is for? This happens a lot and drives me bonkers. Creating a descriptive name will make it easy for you and other admins to identify its use.

For example, if the helpdesk wants to reset user passwords I would create a group like this:

Helpdesk_password_reset

If a group of users needs to modify a specific AD attribute such as the telephone field I would create a group like this:

IT_modify_telephone

You can see that in the screenshot above, the group name and description make it easy for anyone to identify what the group is used for.

Tip: I also put details into the group description. I can then use PowerShell to search for all of the groups that have “delegate control” in the description.

get-adgroup -Properties * -filter {Description -like 'Delegate*'} | select name, description

Audit AD Delegated Controls Yearly

You should review the Active Directory ACL permissions each year. AD permissions can easily get out of control and the only true way to know who has what rights is to audit the ACL permissions.

See the last section in this guide for details on auditing Active Directory Permissions.

Don’t Over Delegate Control (Use lease Privilege)

Only delegate control to what is needed.

If another department wants to reset their own passwords don’t grant them this permission to all user objects, but instead to just their group or department.

If the helpdesk needs the rights to delete computer accounts, don’t grant this permission to all computer objects, but instead to just the ones the helpdesk manages (hint… not the servers).

Over delegating control can easily be avoided by having a good OU design.

Now let’s check out some examples on how to delegate permissions.

Delegate Password Reset and Unlock Permissions

In this example, I’ll use the delegation control wizard to give helpdesk users permissions to reset passwords and unlock user accounts. I’ll also demonstrate how to limit this to a specific group of users (department).

Step 1: Create a New Active Directory Group

I’m going to create a new group and name it “Helpdesk_password_reset”. Use whatever naming convention makes sense to you, I just recommend it to be descriptive. I also recommend using the description field to provide exact details on what the group is used for. With a descriptive name and the description filled out, there should be no confusion about what this group is used for, this will help you and other System Admins.

Next, I’ll add the helpdesk staff to this group. When the delegation is complete you can easily add or remove rights by changing the membership of this group.

Step 2: Use Delegation of Control Wizard

This is where good OU design is important. I want to grant this group permission to change the password for all users in the domain, and since I have all users in the “ADPro Users” OU this can easily be done. The delegated rights will apply to the root and all sub-OUs.

Right-click on the OU and select “Delegate Control”.

Click “Next”

Select the group you want to delegate control to.

Click “Next”

Select “Create a custom task to delegate”

Select “Only the following objects in the folder” then select “User objects”

Click “Next”

Select “General” and “Property-specific”

Then enable the following permissions:

Change password
Reset password
Read lockoutTime
Write lockoutTime

Click “Next”

Click “Finish”

Now any member of the “Helpdesk_password_reset” group can change/reset passwords and unlock user accounts for all users in the “ADPRO Users” OU.

What if you had a department that wanted to reset/unlock their own accounts? For example, the HR department wants to reset/unlock their own accounts without having to call IT support.

Here are the steps: (The steps are basically the same as above you just run the delegation control on a specific OU)

Create a new group for the HR users (example, HR_password_reset).
Use the delegation control wizard on the HR OU.
Select the HR group (example, HR_password_reset).
Set permissions (change password, reset password, read lockoutTime, write lockoutTime). See the above screenshots for more details.

If you delegated control to the entire domain or an OU with all users then you gave HR staff more permissions than they need. They could reset/unlock users for the entire domain, you want to avoid this.

Delegate Permissions to Modify Telephone Number

In this example, I want to give a group of users permission to only modify the Telephone number in Active Directory. You will see in the delegation of control wizard you can grant permissions to other user fields (address, zip, state, and so on).

Step 1: Create a group.

I created a group called “IT_Modify_Telephone”.

Step 2: Run delegation Control Wizard.

Run the delegation control wizard on the target OU.

Select the group.

Select “create a custom task to delegate”

Select “Only the following objects in the folder” then select “User Object”

Select “Property-specific”

Enable “Read Telephone Number” and “Write Telephone Number”

Click “Next” then “Finish” to complete.

Now any member of the group can modify the “Telephone Number” field in Active Directory. All other fields are read-only.

Delegate Permissions to Modify Group Membership

In this example, I will give a group of users permission to modify group membership (add/remove users to groups).

This one is easier than previous examples as Microsoft has a common task for it.

Step 1: Create AD Group

Step 2: Run Delegation Control Wizard

If you have all groups in a specific OU then run the delegation wizard on the OU. For example, all of my groups are in an OU called “ADPRO Groups”.

Select the group you want to delegate control to.

Click “Next”

Select “Modify the group membership of a group”

Click “Next” and click “Finish”.

Delegate Control to Delete Computer Accounts

Helpdesk or other IT staff will often need rights to delete computer accounts in Active Directory. Here is how to delegate those rights.

Step 1: Create AD Group

For example “IT_delete_computers”.

Step 2: Run delegation control wizard on OU.

Make sure you run the wizard on the OU that contains the computer objects.

Select the group to delegate control

Click “Next”

Select “Create a custom task to delegate”

Select “This folder, existing objects in this folder, and creation of new objects in this folder”.

Click “Next”

Select “creation/deletion of specific child objects”

Then select “Delete Computer objects”

Now members of the selected group can delete computer objects.

How to Audit Active Directory (ACL) Permissions

Over time Active Directory permissions can easily spiral out of control. It is recommended to audit your AD permissions at least once a year. How else are you going to know if someone gave unnecessary rights to a user or group?

Maybe someone used the delegation of control wizard and accidentally gave helpdesk the rights to delete servers. The only way to determine this, is to check the ACL permissions in Active Directory.

You can view the ACL on an OU by right-clicking the OU selecting properties and the Security tab. But this would take too long if you had a lot of OUs.

The best option I have found is the AD ACL Scanner PowerShell tool. This tool lets you choose what to scan and creates an easy-to-read report on Active Directory permissions.

In this example, I’m going to scan my ADPRO Users OU, and scan each Sub-OU.

When the tool is done scanning you will get a report like below.

In the report, I can see the AD groups that I delegated control to and what permissions they have. Very easy to use and saves a ton of time.

Summary

In this guide, I walked you through several examples of delegating control in Active Directory. The delegation of Control Wizard can be confusing as it’s not always clear where to find specific permissions. It’s best to use groups for delegating control and set very specific permissions. Lastly, I showed you how to audit Active Directory ACL permissions using the AD ACL scanner tool. Don’t forget to audit the ACL permissions at least once a year.

Recommended: Active Directory Permissions Reporting Tool

The ARM Permissions Reporting Tool helps you monitor, analyze, and report on the permissions assigned to users, groups, computers, and organizational units in your Active Directory

You can easily identify who has what permissions, where they came from, and when they were granted or revoked. You can also generate compliance-ready reports for various standards and regulations, such as HIPAA, PCI DSS, SOX, and GDPR

Try the Permissions Reporting Tool today and take control of your permissions management

Download Free Trial

Source :
https://activedirectorypro.com/delegate-control-in-active-directory/

Configure Windows LAPS (Local Administrator Passwords Solution) in AD

April 25, 2023

Windows LAPS (Local Administrator Password Solution) allows you to centrally manage the passwords for the local administrators on the computers in your AD domain. The current local administrator password is stored in the protected attributes of computer objects in Active Directory, is automatically changed on a regular basis, and can be viewed by authorized users.

In this guide, we’ll show you how to configure and use Windows LAPS to manage the local administrator password on computers joined to an AD domain.

Contents:

Until April 2023, you should manually download the LAPS MSI installation file, deploy the administrator or client components to computers, install ADMX GPO templates for LAPS, and extend the AD schema

Updates adding native support for the new version of LAPS in Windows were released in April 2023. You no longer need to manually download and install the MSI package to use LAPS.

New Built-in Windows LAPS Overview

The following cumulative updates in April 2023 added native support for Windows LAPS:

Windows 11 22H2 – KB5025239
Windows 11 21H2 – KB5025224
Windows 10 22H2 — KB5025221
Windows Server 2022 – KB5025230
Windows Server 2019 – KB5025229

What’s new in Windows LAPS?

All the components of the new LAPS are part of Windows;
Allows storing administrator passwords in on-premises Active Directory or in Azure AD;
DSRM (Directory Services Restore Mode) password management on AD domain controllers;
Support for password encryption;
Password history;
Allow the local administrator password to be automatically changed after it has been used to log on to the computer locally.

At least Windows Server 2016 domain functional level is required for the new version of Windows LAPS.

As we mentioned above, you no longer need to manually download and install the LAPS client or Group Policy client-side extension (CSE). All the necessary LAPS components are available in Windows after you install the April updates.

The following Windows LAPS management tools are available:

New ADMX group policy file;
A separate LAPS tab in computer properties in Active Directory Users and Computers (ADUC) console;
Windows LAPS PowerShell module;
Separate log in the Event Viewer: Application and Service Logs -> Microsoft -> Windows -> LAPS -> Operational.

Microsoft notes that you must disable the Group Policies and remove the settings from the previous version of LAPS (legacy MSI) before deploying the new LAPS GPO. To do this, stop new installations of legacy LAPS and remove all settings in the following registry key HKLM\Software\Microsoft\Windows\CurrentVersion\LAPS\State.

Events with the following Event IDs will appear in the Event Viewer if the legacy version of LAPS is not removed:

Event ID 10033, LAPS — The machine is configured with legacy LAPS policy settings, but legacy LAPS product appears to be installed. The configured account’s password will not be managed by Windows until the legacy product is uninstalled. Alternatively, you may consider configuring the newer LAPS policy settings.
Event 10031, LAPS — LAPS blocked an external request that tried to modify the password of the current manager account.

Deploying Local Administrator Password Solution in Active Directory Domain

You can start deploying the new version of LAPS after you have installed the new updates on all domain controllers.

To manage the Local Administrator Password Solution, use the PowerShell cmdlets from the LAPS module. You can use the following commands:

Get-Command -Module LAPS

Get-LapsAADPassword
Get-LapsDiagnostics
Find-LapsADExtendedRights
Get-LapsADPassword
Invoke-LapsPolicyProcessing
Reset-LapsPassword
Set-LapsADAuditing
Set-LapsADComputerSelfPermission
Set-LapsADPasswordExpirationTime
Set-LapsADReadPasswordPermission
Set-LapsADResetPasswordPermission
Update-LapsADSchema

After installing updates on DCs and clients, you must perform an AD schema update. This will add new attributes. Run the command:

Update-LapsADSchema

If not all DCs have been updated, the command will return an error:

Update-LapsADSchema : A local error occurred.

The following attributes will be added to the AD schema:

msLAPS-PasswordExpirationTime
msLAPS-Password
msLAPS-EncryptedPassword
msLAPS-EncryptedPasswordHistory
msLAPS-EncryptedDSRMPassword
msLAPS-EncryptedDSRMPasswordHistory

The attributes used in the previous version to store the password are not used in Windows LAPS (ms-Mcs-AdmPwd and ms-Mcs-AdmPwdExpirationTime).

Open the ADUC console (dsa.msc), select any computer in AD, and go to the AD object Attribute Editor tab. Check that the object now has new attributes available.

The msLAPS* attributes are not yet populated.

You must now allow computers in the specified Organizational Unit (OU) to update msLAPS* attributes in their AD account properties.

For example, I want to allow computers in a MUN container to update passwords stored in AD attributes.

Set-LapsADComputerSelfPermission -Identity "OU=Computers,OU=MUN,OU=DE,DC=woshub,DC=com"

Let’s use PowerShell to create a group that can view local administrator passwords on computers in this OU:

New-ADGroup MUN-LAPS-Admins -path 'OU=Groups,OU=MUN,OU=DE,DC=woshub,DC=com' -GroupScope local -PassThru –Verbose Add-AdGroupMember -Identity MUN-LAPS-Admins -Members a.morgan,b.krauz

We will allow this group to view and reset the local admin password:

$ComputerOU = "OU=Computers,OU=MUN,OU=DE,DC=woshub,DC=com" Set-LapsADReadPasswordPermission –Identity $ComputerOU –AllowedPrincipals MUN-LAPS-Admins Set-LapsADResetPasswordPermission -Identity $ComputerOU -AllowedPrincipals MUN-LAPS-Admins

By default, members of the Domain Admins group can view local administrator passwords on all AD computers.

Use the Find-LapsADExetendedRights command to check the current permissions to LAPS attributes in an OU.

Configure GPO to Change Local Administrator Passwords

A new set of administrative templates for managing the LAPS configuration via GPO will appear when you install the latest updates on Windows (%systemroot%\PolicyDefinitions\laps.admx).

Copy LAPS.admx to the following location if you are using a Central GPO store for the ADMX templates: \\woshub.com\SysVol\woshub.com\Policies\PolicyDefinitions .

The next GPO section contains the LAPS options: Computer Configuration -> Policies -> Administrative Templates -> System -> LAPS. The following LAPS group policy options are available here:

Enable password backup for DSRM accounts
Configure size of encrypted password history
Enable password encryption
Configure authorized password descriptors
Name of administrator account to manage
Configure password backup directory
Do not allow password expiration time longer than required by policy
Password Settings
Post-authentication actions

Configure Group Policy settings for Windows LAPS

Let’s try to enable the minimum Group Policy LAPS settings for the Active Directory domain

Open the Group Policy Management console (gpmc.msc), create a new GPO and link it to the OU containing the computers;
Open a new GPO and navigate to the section that contains the LAPS options;
Enable the Configure password backup directory policy and set Active Directory here. This policy allows the administrator password to be stored in the computer account attribute in the on-premises Active Directory;Windows LAPS also allows you to store passwords in the Azure Active Directory (AAD) instead of in the local ADDS.
Then enable the Password Settings option. Here you must specify the password complexity, length, and change frequency parameters;The following LAPS password settings are enabled by default: password complexity, 14-character password length, and password change every 30 days.
Specify the name of the local administrator account whose password you want to change in Name of administrator account to manage. If you are using the built-in Windows Administrator, type Administrator here.The LAPS GPO does not create any local administrator accounts. If you want to use another administrator account, create it on computers using GPO or PowerShell.
Restart your computer to apply the new GPO settings.

LAPS: Get a Local Administrator Password on Windows

After implementing LAPS group policies, Windows changes the local administrator password at startup and then writes it to the msLAPS-Password protected attribute on the computer object in AD. You can get the current password for the computer in the ADUC console or by using PowerShell.

Open the ADUC console and search for the computer for which you want to find out the current password of the local administrator. A new LAPS tab has appeared in the Computer object properties.

View LAPS password in computer properties in AD

The following info is displayed on this tab:

Current LAPS password expiration
LAPS local admin account name
LAPS local admin account password

You can also use PowerShell to get the computer’s current administrator password:

Get-LapsADPassword mun-pc221 -AsPlainText

ComputerName : mun-pc221
DistinguishedName : CN=mun-pc221,OU=…
Account : administrator
Password : 3f!lD1.23!l32
PasswordUpdateTime : 4/24/2023 11:14:26 AM
ExpirationTimestamp : 5/24/2023 11:14:26 AM
Source : EncryptedPassword
DecryptionStatus : Success
AuthorizedDecryptor : WOSHUB\Domain Admins

Get-LapsADPassword - laps powershell get admin password

Use this password to log on locally to this computer as an administrator.

In order to immediately rotate the LAPS password for the local admin account, run the command:

Reset-LapsPassword

This will force an immediate password change for the currently logged local administrator account and write the new password to AD.

Windows Local Administrator Password Solution is a simple, built-in feature that allows you to improve the security of using local administrator accounts on domain computers. LAPS stores the current administrator password in a secure AD attribute and changes it on all computers on a regular basis.

Source :
https://woshub.com/manage-local-administrator-passwords-with-laps/

How to Allow Multiple RDP Sessions on Windows 10 and 11

June 30, 2023

Remote users can connect to their Windows 10 and 11 computers through the Remote Desktop Services (RDP). All you need to do is enable Remote Desktop, grant the user RDP access permissions, and connect to the computer using any remote desktop client. However, the number of concurrent RDP sessions is limited in desktop versions of Windows. Only one active Remote Desktop user session is allowed.

A warning will appear asking you to disconnect the first user’s session if you try to establish a second RDP connection.

Another user is signed in. If you continue, they’ll be disconnected. Do you want to sign in anyway?

windows11 dosnt allow multiple rdp - Another user is signed in. If you continue, they’ll be disconnected. Do you want to sign in anyway?

Contents:

Number of Concurrent RDP Connections on Windows

There are a number of restrictions on the use of Remote Desktop Services in all desktop versions of Windows 10 and 11:

Only Windows Professional and Enterprise editions can accept remote desktop connections. RDP access is not allowed to Home/Single Language Windows editions;
Only one simultaneous RDP connection is available. Attempting to start a second RDP session will prompt the user to end the active session;
If the user is working at the computer console (locally), their local session is disconnected (locked) when they make a remote RDP connection. The remote RDP session will also be terminated if the user logs into Windows from the computer’s console.

The number of concurrent RDP connections on Windows is actually a license limitation. Microsoft prohibits the creation of a workstation-based Terminal RDP server for multiple users to work simultaneously.

If your tasks require the deployment of a terminal server, Microsoft suggests purchasing Windows Server (allows two simultaneous RDP connections by default). If you need more concurrent user sessions, you will need to purchase RDS CALs, install, and configure the Remote Desktop Session Host (RDSH) role or deploy an RDS farm.

Technically, any version of Windows with sufficient RAM and CPU resources can support dozens of remote user sessions simultaneously. On average, an RDP user session requires 150-200MB of memory (excluding running apps). This means that the maximum number of concurrent RDP sessions is limited only by the available resources of the computer.

In this article, we are going to show you three ways to remove the limit on the number of concurrent RDP connections in Windows 10 and 11:

RDP Wrapper
Modifying the termsrv.dll file
Upgrading Windows 10/11 edition to Enterprise for virtual desktops (multi-session)

Note. Any modifications to the operating system that are described in this article are considered a violation of the Windows License Agreement and may be used at your own risk.

Before you proceed, make sure that the Remote Desktop protocol is enabled in Windows.

Go to Settings -> System —> Remote Desktop -> Enable Remote Desktop;
Or use the classic Control Panel: run the command SystemPropertiesRemote and check the option Allow remote connection to this computer.

Find out how to enable and configure Remote Desktop on Windows.

RDP Wrapper: Enable Multiple RDP Sessions on Windows

The RDP Wrapper Library OpenSource project allows you to enable multiple RDP sessions on Windows 10/11 without replacing the termsrv.dll file. This tool acts as a layer between SCM (Service Control Manager) and the Remote Desktop Services. The RDP wrapper doesn’t make any changes to the termsrv.dll file, it simply loads the termsrv with the modified settings.

Thus, the RDPWrap will work even in the case of termsrv.dll file update. It allows you not to be afraid of Windows updates.

Important. Before installing the RDP Wrapper, it is important to make that you are using the original (unpatched) version of the termsrv.dll file. Otherwise, RDP Wrapper may become unstable or not start at all.

You can download the RDP Wrapper from the GitHub repository https://github.com/binarymaster/rdpwrap/releases (the latest available version of the RDP Wrapper Library is v1.6.2). The project hasn’t been updated since 2017, but it can be used in all new builds of Windows 10 and 11. To use the wrapper on modern versions of Windows, simply update the rdpwrap.ini configuration file.

RDP Wrapper is detected as a potentially dangerous program by most antivirus scanners. For example, it is classified as PUA:Win32/RDPWrap (Potentially Unwanted Software) with a low threat level by the built-in Microsoft Defender antivirus. If your antivirus settings are blocking the RDP Wrapper from starting, you will need to add it to the exceptions.

rdpwrap detected as potentially unwanted software

The RDPWrap-v1.6.2.zip archive contains some files:

RDPWinst.exe — used to install/uninstall an RDP wrapper library;
RDPConf.exe — RDP Wrapper configuration tool;
RDPCheck.exe —an RDP check tool (Local RDP Checker);
install.bat, uninstall.bat, update.bat — batch files to install, uninstall, and update RDP Wrapper.

To install RDPWrap, run the install.bat file as an administrator. The program is installed in the C:\Program Files\RDP Wrapper directory.

installing install RDP Wrapper Library in windows 10

Run RDPConfig.exe when the installation is complete.

windows 10: rdp wrapper not supported issue

Most likely, immediately after installation, the tool will show that the RDP wrapper is running (Installed, Running, Listening), but not working. Note the red [not supported] warning. It reports that this version of Windows 10 22H2 (ver. 10.0.19041.1949) is not supported by the RDPWrapper.

This is because the rdpwrap.ini configuration file does not contain settings for your Windows version (build). +

✅ Download the latest version of rdpwrap.ini here https://raw.githubusercontent.com/sebaxakerhtc/rdpwrap.ini/master/rdpwrap.ini

Manually copy the contents of this page into the C:\Program Files\RDP Wrapper\rdpwrap.ini file. Or download the INI file using the PowerShell cmdlet Invoke-WebRequest (you must first stop the Remote Desktop service):

Stop-Service termservice -Force Invoke-WebRequest https://raw.githubusercontent.com/sebaxakerhtc/rdpwrap.ini/master/rdpwrap.ini -outfile "C:\Program Files\RDP Wrapper\rdpwrap.ini"

You can create a scheduled task to check for changes to rdpwrap.ini and update it automatically.

This screenshot shows that the latest version of the rdpwrap.ini file (Updated=2023-06-26) is used on the computer.

Restart your computer and run the RDPConfig.exe tool. Check that all items in the Diagnostics section are green and that the [Fully supported] message is displayed. The RDP wrapper started successfully on Windows 11 22H2 in my case.

Now try to establish several concurrent RDP sessions with this computer under different user accounts (use your favorite RDP client: mstsc.exe, RDCMan, mRemoteNG, etc).

You can use saved RDP credentials to connect to a remote computer.

You can check that two (or more) RDP sessions are active on the computer at the same time by using the command:

qwinsta

rdp-tcp#0         user1                 1  Active
rdp-tcp#1         user2                 2  Active

The RDPWrap tool is supported in all Windows editions, so you can build your own terminal (RDS) server on any Windows device. So you can turn any version of Windows client into a full-featured terminal server.

The following options are available in the RDP Wrapper:

Enable Remote Desktop
RDP Port —change the default remote desktop port number (TCP 3389)
Hide users on logon screen – allow hide the list of users from the Windows Logon Screen;
Single session per user — allow several concurrent RDP sessions under the same user account. This option sets the fSingleSessionPerUser registry value to 0 (HKLM\SYSTEM\ CurrentControlSet\Control\Terminal Server\fSingleSessionPerUser). This parameter is also configured through the GPO option Restrict Remote Desktop Services to a single Remote Desktop Services session under Computer Configuration > Administrative Templates > Windows Components > Remote Desktop Services > Remote Desktop Session Host > Connections;
The Session Shadowing Mode allows you to configure the remote control (shadow) connection mode to the RDP users’ desktops

You can set limits on the duration of RDP user sessions using the Group Policy. This allows idle user sessions to be automatically disconnected.

RDP Wrapper Not Working on Windows

In some cases, the RDP Wrapper may not work as you expect it to and you may not be able to use more than one RDP connection on Windows.

The termsrv.dll file version can be updated during Windows Updates installation. If the description for your version of Windows is missing from the rdpwrap.ini file, then the RDP Wrapper will not be able to apply the necessary settings. In this case, the status [not supported]. will be displayed in the RDP Wrapper Configuration window.

✅ In this case, you must update the rdpwrap.ini file as described above.

If RDP Wrapper does not work after updating the rdpwrap.ini file, try to open the rdpwrap.ini file and look for the section for your version of Windows.

How to understand if your Windows version is supported in rdpwrapper config?

The screenshot below shows that for my version of Windows 11 (10.0.22621.317) there are two sections of settings:

[10.0.22621.317]
...
[10.0.22621.317-SLInit]
...

update rdpwrap.ini after installing windows updates

If there is no section in the rdpwrap configuration file for your version of Windows, try searching the web for the rdpwrap.ini file. Add the configuration settings you found to the end of the file.

If RDP Wrapper does not work after you install security updates or upgrade the Windows build, check that there is no Listener state: Not listening warning in the RDPWrap Diagnostics section.

Try updating the rdpwrap.ini file, and then reinstalling the rdpwrapper service:

rdpwinst.exe -u rdpwinst.exe -i

It can happen that when you try to make a second RDP connection as a different user, you will get an error message:

The number of connections to this computer is limited and all connections are in use right now. Try connecting later or contact your system administrator.

Windows 10 RDP warning:The number of connections to this computer is limited and all connections are in use right now

In this case, you can use the local Group Policy Editor (gpedit.msc) to enable the “Limit number of connections” option under Computer Configuration -> Administrative Templates -> Windows Components -> Remote Desktop Services -> Remote Desktop Session Host -> Connections section. Increase the ‘RD maximum connection allowed’ value to 999999.

group policy: Limit the number of rdp connections

Restart your computer to update the local Group Policy and apply the settings.

Patch the Termsrv.dll to Enable Multiple Remote Desktop Sessions

To remove the limit on the number of concurrent RDP user connections in Windows without using rdpwrapper, you can replace the original termsrv.dll file. This is the main library file used by the Remote Desktop Service. The file is located in the C:\Windows\System32 directory.

It is advisable to make a backup copy of the termsrv.dll file before editing or replacing it. This will help you to revert to the original version of the file if necessary. Open an elevated command prompt and run the command:

copy c:\Windows\System32\termsrv.dll termsrv.dll_backup

Then you need to take ownership of the termsrv.dll file. To change a file’s owner from TrustedInstaller to the local Administrators group, use the command:

takeown /F c:\Windows\System32\termsrv.dll /A

SUCCESS: The file (or folder): c:\Windows\System32\termsrv.dll now owned by the administrators group

Now use the icacls.exe tool to grant Full Control permissions to the termsrv.dll file for the local Administrators group:

icacls c:\Windows\System32\termsrv.dll /grant Administrators:F

processed file: c:\Windows\System32\termsrv.dll Successfully processed 1 files; Failed processing 0 files.

termsrv.dll takeown and grant access permissions

Now you need to stop the Remote Desktop service (TermService) using the services.msc console or with the command:

net stop TermService

It also stops the Remote Desktop Services UserMode Port Redirector service.

Run the winver command or the following PowerShell command to find your Windows build number:

Get-ComputerInfo | select WindowsProductName, WindowsVersion

In my case, Windows 10 build 22H2 is installed.

Then open the termsrv.dll file using any HEX editor (for example, Tiny Hexer). Depending on the build of Windows you are using, you will need to find and replace the string according to the table below:

Windows build	Find the string	Replace with
Windows 11 22H2	39 81 3C 06 00 00 0F 84 75 7A 01 00	B8 00 01 00 00 89 81 38 06 00 00 90
Windows 10 22H2	39 81 3C 06 00 00 0F 84 85 45 01 00
Windows 11 21H2 (RTM)	39 81 3C 06 00 00 0F 84 4F 68 01 00
Windows 10 x64 21H2	39 81 3C 06 00 00 0F 84 DB 61 01 00
Windows 10 x64 21H1	39 81 3C 06 00 00 0F 84 2B 5F 01 00
Windows 10 x64 20H2	39 81 3C 06 00 00 0F 84 21 68 01 00
Windows 10 x64 2004	39 81 3C 06 00 00 0F 84 D9 51 01 00
Windows 10 x64 1909	39 81 3C 06 00 00 0F 84 5D 61 01 00
Windows 10 x64 1903	39 81 3C 06 00 00 0F 84 5D 61 01 00
Windows 10 x64 1809	39 81 3C 06 00 00 0F 84 3B 2B 01 00
Windows 10 x64 1803	8B 99 3C 06 00 00 8B B9 38 06 00 00
Windows 10 x64 1709	39 81 3C 06 00 00 0F 84 B1 7D 02 00

Tiny Hexer cannot edit termsvr.dll file directly from the system32 folder. Copy it to your desktop and replace the original file after modifying it.

For example, my build of Windows 10 x64 is 22H2 19045.2006 (termsrv.dll file version is 10.0.19041.1949). Open the termsrv.dll file in Tiny Hexer, then find the text:

39 81 3C 06 00 00 0F 84 75 7A 01 00

and replace it with:

B8 00 01 00 00 89 81 38 06 00 00 90

Save the file and start the TermService.

If something goes wrong and you experience some problems with the Remote Desktop service, stop the service and replace the modified termsrv.dll file with the original version:

copy termsrv.dll_backup c:\Windows\System32\termsrv.dll

To avoid manually editing the termsrv.dll file with a HEX editor, you can use the following PowerShell script to automatically patch the termsrv.dll file. The PowerShell script code is available in my GitHub repository at the following link:

https://github.com/maxbakhub/winposh/blob/main/termsrv_rdp_patch.ps1

This script was written for the Windows PowerShell version and does not work in modern PowerShell Core.

👍 The advantage of the method of enabling multiple RDP sessions in Windows 10 or 11 by replacing the termsrv.dll file is that antivirus software will not react to it (unlike RDPWrap, which is detected by many antivirus products as a malware/hack tool/trojan).

👎The disadvantage of this is that you will have to manually edit the file each time you update the Windows build (or if the monthly cumulative patches update the version of termsrv.dll).

Multiple Concurrent RDP Connections in Windows 10 Enterprise Multi-session

Microsoft has recently released a special edition of the operating system called Windows Enterprise Multi-Session (Previously known as Windows 10 Enterprise for Remote Sessions and Windows 10 Enterprise for Virtual Desktops)

The key feature of this edition is that it supports multiple concurrent RDP user sessions out of the box. Although the Windows multi-session edition is only allowed to be run in Azure VMs, you can install this edition on an on-premises network and use that computer as a terminal server (even though this would be against Microsoft’s licensing policies).

The Enterprise Multi-Session edition is available for both Windows 10 and Windows 11.

Next up, we’re going to show you how to upgrade a Windows 10 Pro edition to Windows 10 Enterprise for Virtual Desktop and use it for multiple RDP users simultaneously.

Open a command prompt and check your current edition of Windows (Professional in this example):

DISM /online /Get-CurrentEdition

Upgrade your edition of Windows 10 from Pro to Enterprise with the command:

changepk.exe /ProductKey NPPR9-FWDCX-D2C8J-H872K-2YT43

Now install the GVLK key for Windows 10 Enterprise for Remote Sessions:

slmgr.vbs /ipk CPWHC-NT2C7-VYW78-DHDB2-PG3GK

upgrade windows pro to enterprise multi-session

Check that your edition of Windows 10 has now changed to ServerRdsh (Windows 10 Enterprise for Virtual Desktops).

Activate your copy of Windows 10 Enterprise Multi-Session edition on your KMS server:

slmgr /skms kms-srv.woshub.local:1688 slmgr /ato

See the Key Management Service (KMS) Activation FAQ.

Open the Local GPO Editor (gpedit.msc) and enable Per-User licensing mode in the Set the Remote Desktop licensing mode (Computer Configuration -> Policies -> Administrative Templates -> Windows Components -> Remote Desktop Services -> Remote Desktop Session Host -> Licensing).

GPO: set per-user remote desktop license mode

You must restart Windows after activation. Now try connecting to the computer using RDP with different user accounts. As you can see, Windows 10 Enterprise multi-session supports simultaneous RDP connections right out of the box.

Get-ComputerInfo | select WindowsProductName, WindowsVersion, OsHardwareAbstractionLayer

Windows 10 Enterprise for Virtual Desktops 2009           10.0.19041.2728

qwinsta

multiple rdp connections on windows 10 enterprise multisession

In this article, we have looked at a number of ways to get rid of the limit on the number of concurrent RDP user connections and run a free terminal server on desktop versions of Windows 10/11. Each method has its own advantages and disadvantages. Which one you choose is up to you.

Source :
https://woshub.com/how-to-allow-multiple-rdp-sessions-in-windows-10/

Configuring Azure AD Password Policy

July 12, 2023

The Azure Active Directory password policy defines the password requirements for tenant users, including password complexity, length, password expiration, account lockout settings, and some other parameters. In this article, we’ll take a look into how to manage a password policy in Azure AD.

Azure AD has a default password policy applied to all accounts that are created in the cloud (not synchronized from on-premises Active Directory via Azure AD Connect).

It defines the following settings that cannot be changed by the Azure/Microsoft 365 tenant administrator:

Allowed characters: A-Z , a-z , 0-9 , space and special symbols @ # $ % ^ & * – _ ! + = [ ] { } | \ : ‘ , . ? / ` ~ ” ( )
Password complexity: at least 3 out of 4 character groups (uppercase, lowercase, numbers, and symbols)
Password length: minimum 8, maximum 256 characters
The user cannot use the previous password

Contents:

How to Change Password Expiration Policy in Azure AD

By default, a user’s password never expires in Azure AD (Microsoft 365). But you can enable the password expiration through the Microsoft 365 Admin Center:

Go to Microsoft 365 Admin Center -> Settings -> Security & Privacy -> Password expiration policy;
Disable the option Set password to never expire (recommended);
In this case:
Password expiration set to 90 days
The notification to change your password will start to be displayed 14 days before the expiry date.

Microsoft recommends that you do not enable password expiration if your Azure users use Multi-Factor Authentication (MFA).

You can use the MSOnline PowerShell module to change user password expiration settings. Just install the module (if needed) and connect to your tenant:

Install-Module MSOnline Connect-MsolService

Check the current password expiration policy settings in Azure AD:

Get-MsolPasswordPolicy -DomainName woshub.com

ExtensionData NotificationDays ValidityPeriod
System.Runtime.Serialization.ExtensionDataObject 14 2147483647

Get-MsolPasswordPolicy: check password expiration settings powershell

You can change the password expiration policy and notification settings in Azure AD with PowerShell:

Set-MsolPasswordPolicy -DomainName woshub.com -ValidityPeriod 180 -NotificationDays 21

You can manage password expiration settings for a specific user using the Azure AD module:

Connect-AzureAD

Enable the Password never expires option for a specific user:

Set-AzureADUser -ObjectId "maxadm@woshub.com" -PasswordPolicies DisablePasswordExpiration

View the user’s password expiration date:

Get-AzureADUser -ObjectId "maxadm@woshub.com"|Select-Object @{N="PasswordNeverExpires";E={$_.PasswordPolicies -contains "DisablePasswordExpiration"}}

Set an individual user's password to never expire in Azure AD

PasswordNeverExpires
--------------------
True

Enable password expiration for the user:

Set-AzureADUser -ObjectId "maxadm@woshub.com" -PasswordPolicies None

Account Lockout Settings in Azure AD

One more parameter of the Azure password policy available for the administrator to configure is the user lockout rules in case of entering an incorrect password. By default, an account is locked for 1 minute after 10 failed attempts to authenticate using an incorrect password. Note that the lockout time is extended following each next unsuccessful sign-in attempt.

You can configure the lockout settings in the following section of the Azure Portal -> Azure Active Directory -> Security -> Authentication methods —> Password protection.

The options available for you to change are:

Lockout threshold – the number of unsuccessful sign-in attempts before the account is locked out (10 by default);
Lockout duration in seconds – 60 seconds by default.

If their account is locked out, an Azure user will see the following notification:

Your account is temporarily locked to prevent unauthorized use. Try again later, and if you still have trouble, contact your admin.

Your Microsoft account is temporarily locked to prevent unauthorized use

Learn how to check user sign-in logs in Azure AD.

Prevent Using Weak and Popular Passwords in Azure AD

There is a separate Azure AD Password Protection feature that allows you to block the use of weak and popular passwords (such as P@ssw0rd, Pa$$word, etc.).

You can use the DSInternals PowerShell module to check the on-premises Active Directory for weak user passwords.

You can define your own list of weak passwords in Azure Active Directory -> Security -> Authentication methods —> Password protection. Enable the option Enforce custom list and add a list of passwords you want to ban (up to 1000 passwords).

When an Azure AD user attempts to change their password to one of the banned list, a notification is displayed:

Unfortunately, you can’t use that password because it contains words or characters that have been blocked by your administrator. Please try again with a different password.

Unfortunately, you can’t use that password because it contains words or characters that have been blocked by your administrator

These settings are applied by default only to cloud users in Azure.

If you want to apply a banned password list to the local Active Directory DS users, here’s what you need to do:

Make sure you have Azure AD Premium P1 or P2 subscription;
Enable the option Enable password protection on Windows Server Active Directory;
The default configuration enables only the audit of the prohibited password use. So, after the testing, switch the Mode option to Enforced;
Deploy the Azure AD Password Protection Proxy Service (AzureADPasswordProtectionProxySetup.msi) on one of the on-premises hosts;
Install Azure AD Password Protection (AzureADPasswordProtectionDCAgentSetup.msi) on all the ADDS domain controllers.

If you want the Azure password policy to be applied to users synchronized from AD DS via Azure AD Connect, you must enable the option EnforceCloudPasswordPolicyForPasswordSyncedUsers:

Set-MsolDirSyncFeature -Feature EnforceCloudPasswordPolicyForPasswordSyncedUsers -Enable $true

Ensure that you have configured a sufficiently strong domain password policy in your on-premises Active Directory. Otherwise, synchronized users can set any password, including those that are weak and insecure.

In this case, when a user’s password is changed or reset in on-premises Active Directory, the user is checked against the list of banned passwords in Azure.

If you have Azure AD Connect sync enabled, you can use your own password policies from on-premises Active Directory to apply to cloud users. To do this, you need to create a Fine Grained Security password policy in the on-premises AD and link it to a group containing the users synchronized with the cloud. In this case, Azure Active Directory will follow the password policy of your local domain.

Source :
https://woshub.com/azure-ad-password-policy/

The five-day job: A BlackByte ransomware intrusion case study

July 6, 2023

As ransomware attacks continue to grow in number and sophistication, threat actors can quickly impact business operations if organizations are not well prepared. In a recent investigation by Microsoft Incident Response (previously known as Microsoft Detection and Response Team – DART) of an intrusion, we found that the threat actor progressed through the full attack chain, from initial access to impact, in less than five days, causing significant business disruption for the victim organization.

Our investigation found that within those five days, the threat actor employed a range of tools and techniques, culminating in the deployment of BlackByte 2.0 ransomware, to achieve their objectives. These techniques included:

Exploitation of unpatched internet-exposed Microsoft Exchange Servers
Web shell deployment facilitating remote access
Use of living-off-the-land tools for persistence and reconnaissance
Deployment of Cobalt Strike beacons for command and control (C2)
Process hollowing and the use of vulnerable drivers for defense evasion
Deployment of custom-developed backdoors to facilitate persistence
Deployment of a custom-developed data collection and exfiltration tool

BlackByte 2.0 ransomware attack chain by order of stages: initial access and privilege escalation, persistence and command and control, reconnaissance, credential access, lateral movement, data staging and exfiltration, and impact. — Figure 1. BlackByte 2.0 ransomware attack chain

In this blog, we share details of our investigation into the end-to-end attack chain, exposing security weaknesses that the threat actor exploited to advance their attack. As we learned from Microsoft’s tracking of ransomware attacks and the cybercriminal economy that enables them, disrupting common attack patterns could stop many of the attacker activities that precede ransomware deployment. This case highlights that common security hygiene practices go a long way in preventing, identifying, and responding to malicious activity as early as possible to mitigate the impact of ransomware attacks. We encourage organizations to follow the outlined mitigation steps, including ensuring that internet-facing assets are up to date and configured securely. We also share indicators of compromise, detection details, and hunting guidance to help organizations identify and respond to these attacks in their environments.

Forensic analysis

Initial access and privilege escalation

To obtain initial access into the victim’s environment, the threat actor was observed exploiting the ProxyShell vulnerabilities CVE-2021-34473, CVE-2021-34523, and CVE-2021-31207 on unpatched Microsoft Exchange Servers. The exploitation of these vulnerabilities allowed the threat actor to:

Attain system-level privileges on the compromised Exchange host
Enumerate LegacyDN of users by sending Autodiscover requests, including SIDs of users
Construct a valid authentication token and use it against the Exchange PowerShell backend
Impersonate domain admin users and create a web shell by using the New-MailboxExportRequest cmdlet
Create web shells to obtain remote control on affected servers

The threat actor was observed operating from the following IP to exploit ProxyShell and access the web shell:

185.225.73[.]244

Persistence

Backdoor

After gaining access to a device, the threat actor created the following registry run keys to run a payload each time a user signs in:

Registry key	Value name	Value data
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run	MsEdgeMsE	rundll32 C:\Users\user\Downloads\api-msvc.dll,Default
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run	MsEdgeMsE	rundll32 C:\temp\api-msvc.dll,Default
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run	MsEdgeMsE	rundll32 C:\systemtest\api-system.png,Default

The file api-msvc.dll (SHA-256: 4a066569113a569a6feb8f44257ac8764ee8f2011765009fdfd82fe3f4b92d3e) was determined to be a backdoor capable of collecting system information, such as the installed antivirus products, device name, and IP address. This information is then sent via HTTP POST request to the following C2 channel:

hxxps://myvisit[.]alteksecurity[.]org/t

The organization was not using Microsoft Defender Antivirus, which detects this malware as Trojan:Win32/Kovter!MSR, as the primary antivirus solution, and the backdoor was allowed to run.

An additional file, api-system.png, was identified to have similarities to api-msvc.dll. This file behaved like a DLL, had the same default export function, and also leveraged run keys for persistence.

Cobalt Strike Beacon

The threat actor leveraged Cobalt Strike to achieve persistence. The file sys.exe (SHA-256: 5f37b85687780c089607670040dbb3da2749b91b8adc0aa411fd6280b5fa7103), detected by Microsoft Defender Antivirus as Trojan:Win64/CobaltStrike!MSR, was determined to be a Cobalt Strike Beacon and was downloaded directly from the file sharing service temp[.]sh:

hxxps://temp[.]sh/szAyn/sys.exe

This beacon was configured to communicate with the following C2 channel:

109.206.243[.]59:443

AnyDesk

Threat actors leverage legitimate remote access tools during intrusions to blend into a victim network. In this case, the threat actor utilized the remote administration tool AnyDesk, to maintain persistence and move laterally within the network. AnyDesk was installed as a service and was run from the following paths:

C:\systemtest\anydesk\AnyDesk.exe
C:\Program Files (x86)\AnyDesk\AnyDesk.exe
C:\Scripts\AnyDesk.exe

Successful connections were observed in the AnyDesk log file ad_svc.trace involving anonymizer service IP addresses linked to TOR and MULLVAD VPN, a common technique that threat actors employ to obscure their source IP ranges.

Reconnaissance

We found the presence and execution of the network discovery tool NetScan being used by the threat actor to perform network enumeration using the following file names:

netscan.exe (SHA-256:1b9badb1c646a19cdf101ac4f6fdd23bc61eaab8c9f925eb41848cea9fd0738e)
netapp.exe (SHA-256:1b9badb1c646a19cdf101ac4f6fdd23bc61eaab8c9f925eb41848cea9fd0738e)

Additionally, execution of AdFind (SHA-256: f157090fd3ccd4220298c06ce8734361b724d80459592b10ac632acc624f455e), an Active Directory reconnaissance tool, was observed in the environment.

Credential access

Evidence of likely usage of the credential theft tool Mimikatzwas also uncovered through the presence of a related log file mimikatz.log. Microsoft IR assesses that Mimikatz was likely used to attain credentials for privileged accounts.

Lateral movement

Using compromised domain admin credentials, the threat actor used Remote Desktop Protocol (RDP) and PowerShell remoting to obtain access to other servers in the environment, including domain controllers.

Data staging and exfiltration

In one server where Microsoft Defender Antivirus was installed, a suspicious file named explorer.exe was identified, detected as Trojan:Win64/WinGoObfusc.LK!MT, and quarantined. However, because tamper protection wasn’t enabled on this server, the threat actor was able to disable the Microsoft Defender Antivirus service, enabling the threat actor to run the file using the following command:

explorer.exe P@$$w0rd

After reverse engineering explorer.exe, we determined it to be ExByte, a GoLang-based tool developed and commonly used in BlackByte ransomware attacks for collection and exfiltration of files from victim networks. This tool is capable of enumerating files of interest across the network and, upon execution, creates a log file containing a list of files and associated metadata. Multiple log files were uncovered during the investigation in the path:

C:\Exchange\MSExchLog.log

Analysis of the binary revealed a list of file extensions that are targeted for enumeration.

Figure-2.-Binary-analysis-showing-file-extensions-enumerated-by-explorer.exe_ — Figure 2. Binary analysis showing file extensions enumerated by *explorer.exe*

Forensic analysis identified a file named data.txt that was created and later deleted after ExByte execution. This file contained obfuscated credentials that ExByte leveraged to authenticate to the popular file sharing platform Mega NZ using the platform’s API at:

hxxps://g.api.mega.co[.]nz

Figure 3. Binary analysis showing explorer.exe functionality for connecting to file sharing service MEGA NZ

We also determined that this version of Exbyte was crafted specifically for the victim, as it contained a hardcoded device name belonging to the victim and an internal IP address.

ExByte execution flow

Upon execution, ExByte decodes several strings and checks if the process is running with privileged access by reading \\.\PHYSICALDRIVE0:

If this check fails, ShellExecuteW is invoked with the IpOperation parameter RunAs, which runs explorer.exe with elevated privileges.

After this access check, explorer.exe attempts to read the data.txt file in the current location:

If the text file doesn’t exist, it invokes a command for self-deletion and exits from memory:

C:\Windows\system32\cmd.exe /c ping 1.1.1.1 -n 10 > nul & Del <PATH>\explorer.exe /F /Q

If data.txt exists, explorer.exe reads the file, passes the buffer to Base64 decode function, and then decrypts the data using the key provided in the command line. The decrypted data is then parsed as JSON below and fed for login function:

{ “a”:”us0”, “user”:”<CONTENT FROM data.txt>”}

Finally, it forms a URL for sign-in to the API of the service MEGA NZ:

hxxps://g.api.mega.co[.]nz/cs?id=1674017543

Data encryption and destruction

On devices where files were successfully encrypted, we identified suspicious executables, detected by Microsoft Defender Antivirus as Trojan:Win64/BlackByte!MSR, with the following names:

wEFT.exe
schillerized.exe

The files were analyzed and determined to be BlackByte 2.0 binaries responsible for encryption across the environment. The binaries require an 8-digit key number to encrypt files.

Two modes of execution were identified:

When the -s parameter is provided, the ransomware self-deletes and encrypts the machine it was executed on.
When the -a parameter is provided, the ransomware conducts enumeration and uses an Ultimate Packer Executable (UPX) packed version of PsExec to deploy across the network. Several domain admin credentials were hardcoded in the binary, facilitating the deployment of the binary across the network.

Depending on the switch (-s or -a), execution may create the following files:

C:\SystemData\M8yl89s7.exe (UPX-packed PsExec with a random name; SHA-256: ba3ec3f445683d0d0407157fda0c26fd669c0b8cc03f21770285a20b3133098f)
C:\SystemData\wEFT.exe (Additional BlackByte binary)
C:\SystemData\MsExchangeLog1.log (Log file)
C:\SystemData\rENEgOtiAtES (A vulnerable (CVE-2019-16098) driver RtCore64.sys used to evade detection by installed antivirus software; SHA-256: 01aa278b07b58dc46c84bd0b1b5c8e9ee4e62ea0bf7a695862444af32e87f1fd)
C:\SystemData\iHu6c4.ico (Random name – BlackBytes icon)
C:\SystemData\BB_Readme_file.txt (BlackByte ReadMe file)
C:\SystemData\skip_bypass.txt (Unknown)

BlackByte 2.0 ransomware capabilities

Some capabilities identified for the BlackByte 2.0 ransomware were:

Antivirus bypass
- The file rENEgOtiAtES created matches RTCore64.sys, a vulnerable driver (CVE-2049-16098) that allows any authenticated user to read or write to arbitrary memory
- The BlackByte binary then creates and starts a service named RABAsSaa calling rENEgOtiAtES, and exploits this service to evade detection by installed antivirus software
Process hollowing
- Invokes svchost.exe, injects to it to complete device encryption, and self-deletes by executing the following command:
  - cmd.exe /c ping 1.1.1.1 -n 10 > Nul & Del “PATH_TO_BLACKBYTE” /F /Q
Modification / disabling of Windows Firewall
- The following commands are executed to either modify existing Windows Firewall rules, or to disable Windows Firewall entirely:
  - cmd /c netsh advfirewall set allprofiles state off
- - cmd /c netsh advfirewall firewall set rule group=”File and Printer Sharing” new enable=Yes
  - cmd /c netsh advfirewall firewall set rule group=”Network Discovery” new enable=Yes
Modification of volume shadow copies
- The following commands are executed to destroy volume shadow copies on the machine:
  - cmd /c vssadmin Resize ShadowStorge /For=B:\ /On=B:\ /MaxSize=401MB
  - cmd /c vssadmin Resize ShadowStorage /For=B:\ /On=B:\ /MaxSize=UNBOUNDED
Modification of registry keys/values
- The following commands are executed to modify the registry, facilitating elevated execution on the device:
  - cmd /c reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v LocalAccountTokenFilterPolicy /t REG_DWORD /d 1 /f
- - cmd /c reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLinkedConnections /t REG_DWORD /d 1 /f
  - cmd /c reg add HKLM\\SYSTEM\\CurrentControlSet\\Control\\FileSystem /v LongPathsEnabled /t REG_DWORD /d 1 /f
Additional functionality
- Ability to terminate running services and processes
- Ability to enumerate and mount volumes and network shares for encryption
- Perform anti-forensics technique timestomping (sets the file time of encrypted and ReadMe file to 2000-01-01 00:00:00)
- Ability to perform anti-debugging techniques

Recommendations

To guard against BlackByte ransomware attacks, Microsoft recommends the following:

Ensure that you have a patch management process in place and that patching for internet-exposed devices is prioritized; Understand and assess your cyber exposure with advanced vulnerability and configuration assessment tools like Microsoft Defender Vulnerability Management
Implement an endpoint detection and response (EDR) solution like Microsoft Defender for Endpoint to gain visibility into malicious activity in real time across your network
Ensure antivirus protections are updated regularly by turning on cloud-based protection and that your antivirus solution is configured to block threats
Enable tamper protection to prevent components of Microsoft Defender Antivirus from being disabled
Block inbound traffic from IPs specified in the indicators of compromise section of this report
Block inbound traffic from TOR exit nodes
Block inbound access from unauthorized public VPN services
Restrict administrative privileges to prevent authorized system changes

Conclusion

BlackByte ransomware attacks target organizations that have infrastructure with unpatched vulnerabilities. As outlined in the Microsoft Digital Defense Report, common security hygiene practices, including keeping systems up to date, could protect against 98% of attacks.

As new tools are being developed by threat actors, a modern threat protection solution like Microsoft 365 Defender is necessary to prevent and detect the multiple techniques used in the attack chain, especially where the threat actor attempts to evade or disable specific defense mechanisms. Hunting for malicious behavior should be performed regularly in order to detect potential attacks that could evade detections, as a complementary activity for continuous monitoring from security tools alerts and incidents.

To understand how Microsoft can help you secure your network and respond to network compromise, visit https://aka.ms/MicrosoftIR.

Microsoft 365 Defender detections

Microsoft Defender Antivirus

Microsoft Defender Antivirus detects this threat as the following malware:

Trojan:Win32/Kovter!MSR
Trojan:Win64/WinGoObfusc.LK!MT
Trojan:Win64/BlackByte!MSR
HackTool:Win32/AdFind!MSR
Trojan:Win64/CobaltStrike!MSR

Microsoft Defender for Endpoint

The following alerts might indicate threat activity related to this threat. Note, however, that these alerts can be also triggered by unrelated threat activity.

‘CVE-2021-31207’ exploit malware was detected
An active ‘NetShDisableFireWall’ malware in a command line was prevented from executing.
Suspicious registry modification.
‘Rtcore64’ hacktool was detected
Possible ongoing hands-on-keyboard activity (Cobalt Strike)
A file or network connection related to a ransomware-linked emerging threat activity group detected
Suspicious sequence of exploration activities
A process was injected with potentially malicious code
Suspicious behavior by cmd.exe was observed
‘Blackbyte’ ransomware was detected

Microsoft Defender Vulnerability Management

Microsoft Defender Vulnerability Management surfaces devices that may be affected by the following vulnerabilities used in this threat:

CVE-2021-34473
CVE-2021-34523
CVE-2021-31207
CVE-2019-16098

Hunting queries

Microsoft 365 Defender

Microsoft 365 Defender customers can run the following query to find related activity in their networks:

ProxyShell web shell creation events

DeviceProcessEvents

| where ProcessCommandLine has_any ("ExcludeDumpster","New-ExchangeCertificate") and ProcessCommandLine has_any ("-RequestFile","-FilePath")

Suspicious vssadmin events

DeviceProcessEvents

| where ProcessCommandLine has_any ("vssadmin","vssadmin.exe") and ProcessCommandLine has "Resize ShadowStorage" and ProcessCommandLine has_any ("MaxSize=401MB"," MaxSize=UNBOUNDED")

Detection for persistence creation using Registry Run keys

DeviceRegistryEvents | where ActionType == "RegistryValueSet" | where (RegistryKey has @"Microsoft\Windows\CurrentVersion\RunOnce" and RegistryValueName == "MsEdgeMsE") or (RegistryKey has @"Microsoft\Windows\CurrentVersion\RunOnceEx" and RegistryValueName == "MsEdgeMsE") or (RegistryKey has @"Microsoft\Windows\CurrentVersion\Run" and RegistryValueName == "MsEdgeMsE")| where RegistryValueData startswith @"rundll32"| where RegistryValueData endswith @".dll,Default"| project Timestamp,DeviceId,DeviceName,ActionType,RegistryKey,RegistryValueName,RegistryValueData

Microsoft Sentinel

Microsoft Sentinel customers can use the TI Mapping analytics (a series of analytics all prefixed with ‘TI map’) to automatically match the malicious domain indicators mentioned in this blog post with data in their workspace. If the TI Map analytics are not currently deployed, customers can install the Threat Intelligence solution from the Microsoft Sentinel Content Hub to have the analytics rule deployed in their Sentinel workspace. More details on the Content Hub can be found here: https://learn.microsoft.com/azure/sentinel/sentinel-solutions-deploy

Microsoft Sentinel also has a range of detection and threat hunting content that customers can use to detect the post exploitation activity detailed in this blog in addition to Microsoft 365 Defender detections list above.

Indicators of compromise

The table below shows IOCs observed during our investigation. We encourage our customers to investigate these indicators in their environments and implement detections and protections to identify past related activity and prevent future attacks against their systems.

Indicator	Type	Description
4a066569113a569a6feb8f44257ac8764ee8f2011765009fdfd82fe3f4b92d3e	SHA-256	api-msvc.dll (Backdoor installed through RunKeys)
5f37b85687780c089607670040dbb3da2749b91b8adc0aa411fd6280b5fa7103	SHA-256	sys.exe (Cobalt Strike Beacon)
01aa278b07b58dc46c84bd0b1b5c8e9ee4e62ea0bf7a695862444af32e87f1fd	SHA-256	rENEgOtiAtES (Vulnerable driver RtCore64.sys created by BlackByte binary)
ba3ec3f445683d0d0407157fda0c26fd669c0b8cc03f21770285a20b3133098f	SHA-256	[RANDOM_NAME].exe (UPX Packed PsExec created by BlackByte binary)
1b9badb1c646a19cdf101ac4f6fdd23bc61eaab8c9f925eb41848cea9fd0738e	SHA-256	“netscan.exe”, “netapp.exe (Netscan network discovery tool)
f157090fd3ccd4220298c06ce8734361b724d80459592b10ac632acc624f455e	SHA-256	AdFind.exe (Active Directory information gathering tool)
hxxps://myvisit[.]alteksecurity[.]org/t	URL	C2 for backdoor api-msvc.dll
hxxps://temp[.]sh/szAyn/sys.exe	URL	Download URL for sys.exe
109.206.243[.]59	IP Address	C2 for Cobalt Strike Beacon sys.exe
185.225.73[.]244	IP Address	Originating IP address for ProxyShell exploitation and web shell interaction

NOTE: These indicators should not be considered exhaustive for this observed activity.

Appendix

File extensions targeted by BlackByte binary for encryption:

.4dd	.4dl	.accdb	.accdc	.accde	.accdr	.accdt	.accft
.adb	.ade	.adf	.adp	.arc	.ora	.alf	.ask
.btr	.bdf	.cat	.cdb	.ckp	.cma	.cpd	.dacpac
.dad	.dadiagrams	.daschema	.db	.db-shm	.db-wal	.db3	.dbc
.dbf	.dbs	.dbt	.dbv	. dbx	. dcb	. dct	. dcx
. ddl	. dlis	. dp1	. dqy	. dsk	. dsn	. dtsx	. dxl
. eco	. ecx	. edb	. epim	. exb	. fcd	. fdb	. fic
. fmp	. fmp12	. fmpsl	. fol	.fp3	. fp4	. fp5	. fp7
. fpt	. frm	. gdb	. grdb	. gwi	. hdb	. his	. ib
. idb	. ihx	. itdb	. itw	. jet	. jtx	. kdb	. kexi
. kexic	. kexis	. lgc	. lwx	. maf	. maq	. mar	. masmav
. mdb	. mpd	. mrg	. mud	. mwb	. myd	. ndf	. nnt
. nrmlib	. ns2	. ns3	. ns4	. nsf	. nv	. nv2	. nwdb
. nyf	. odb	. ogy	. orx	. owc	. p96	. p97	. pan
. pdb	. pdm	. pnz	. qry	. qvd	. rbf	. rctd	. rod
. rodx	. rpd	. rsd	. sas7bdat	. sbf	. scx	. sdb	. sdc
. sdf	. sis	. spg	. sql	. sqlite	. sqlite3	. sqlitedb	. te
. temx	. tmd	. tps	. trc	. trm	. udb	. udl	. usr
. v12	. vis	. vpd	. vvv	. wdb	. wmdb	. wrk	. xdb
. xld	. xmlff	. abcddb	. abs	. abx	. accdw	. and	. db2
. fm5	. hjt	. icg	. icr	. kdb	. lut	. maw	. mdn
. mdt

Shared folders targeted for encryption (Example: \\[IP address]\Downloads):

Users	Backup	Veeam	homes	home
media	common	Storage Server	Public	Web
Images	Downloads	BackupData	ActiveBackupForBusiness	Backups
NAS-DC	DCBACKUP	DirectorFiles	share

File extensions ignored:

.ini	.url	.msilog	.log	.ldf	.lock	.theme	.msi
.sys	.wpx	.cpl	.adv	.msc	.scr	.key	.ico
.dll	.hta	.deskthemepack	.nomedia	.msu	.rtp	.msp	.idx
.ani	.386	.diagcfg	.bin	.mod	.ics	.com	.hlp
.spl	.nls	.cab	.exe	.diagpkg	.icl	.ocx	.rom
.prf	.thempack	.msstyles	.icns	.mpa	.drv	.cur	.diagcab
.cmd	.shs

Folders ignored:

windows	boot	program files (x86)	windows.old	programdata
intel	bitdefender	trend micro	windowsapps	appdata
application data	system volume information	perflogs	msocache

Files ignored:

bootnxt	ntldr	bootmgr	thumbs.db
ntuser.dat	bootsect.bak	autoexec.bat	iconcache.db
bootfont.bin

Processes terminated:

teracopy	teamviewer	nsservice	nsctrl	uranium
processhacker	procmon	pestudio	procmon64	x32dbg
x64dbg	cff explorer	procexp	pslist	tcpview
tcpvcon	dbgview	rammap	rammap64	vmmap
ollydbg	autoruns	autorunssc	filemon	regmon
idaq	idaq64	immunitydebugger	wireshark	dumpcap
hookexplorer	importrec	petools	lordpe	sysinspector
proc_analyzer	sysanalyzer	sniff_hit	windbg	joeboxcontrol
joeboxserver	resourcehacker	fiddler	httpdebugger	dumpit
rammap	rammap64	vmmap	agntsvc	cntaosmgr
dbeng50	dbsnmp	encsvc	infopath	isqlplussvc
mbamtray	msaccess	msftesql	mspub	mydesktopqos
mydesktopservice	mysqld	mysqld-nt	mysqld-opt	Ntrtscan
ocautoupds	ocomm	ocssd	onenote	oracle
outlook	PccNTMon	powerpnt	sqbcoreservice	sql
sqlagent	sqlbrowser	sqlservr	sqlwriter	steam
synctime	tbirdconfig	thebat	thebat64	thunderbird
tmlisten	visio	winword	wordpad	xfssvccon
zoolz

Services terminated:

CybereasonRansomFree	vnetd	bpcd	SamSs	TeraCopyService
msftesql	nsService	klvssbridge64	vapiendpoint	ShMonitor
Smcinst	SmcService	SntpService	svcGenericHost	Swi_
TmCCSF	tmlisten	TrueKey	TrueKeyScheduler	TrueKeyServiceHelper
WRSVC	McTaskManager	OracleClientCache80	mfefire	wbengine
mfemms	RESvc	mfevtp	sacsvr	SAVAdminService
SepMasterService	PDVFSService	ESHASRV	SDRSVC	FA_Scheduler
KAVFS	KAVFS_KAVFSGT	kavfsslp	klnagent	macmnsvc
masvc	MBAMService	MBEndpointAgent	McShield	audioendpointbuilder
Antivirus	AVP	DCAgent	bedbg	EhttpSrv
MMS	ekrn	EPSecurityService	EPUpdateService	ntrtscan
EsgShKernel	msexchangeadtopology	AcrSch2Svc	MSOLAP$TPSAMA	Intel(R) PROSet Monitoring
msexchangeimap4	ARSM	unistoresvc_1af40a	ReportServer$TPS	MSOLAP$SYSTEM_BGC
W3Svc	MSExchangeSRS	ReportServer$TPSAMA	Zoolz 2 Service	MSOLAP$TPS
aphidmonitorservice	SstpSvc	MSExchangeMTA	ReportServer$SYSTEM_BGC	Symantec System Recovery
UI0Detect	MSExchangeSA	MSExchangeIS	ReportServer	MsDtsServer110
POP3Svc	MSExchangeMGMT	SMTPSvc	MsDtsServer	IisAdmin
MSExchangeES	EraserSvc11710	Enterprise Client Service	MsDtsServer100	NetMsmqActivator
stc_raw_agent	VSNAPVSS	PDVFSService	AcrSch2Svc	Acronis
CASAD2DWebSvc	CAARCUpdateSvc	McAfee	avpsus	DLPAgentService
mfewc	BMR Boot Service	DefWatch	ccEvtMgr	ccSetMgr
SavRoam	RTVsc screenconnect	ransom	sqltelemetry	msexch
vnc	teamviewer	msolap	veeam	backup
sql	memtas	vss	sophos	svc$
mepocs	wuauserv

Drivers that Blackbyte can bypass:

360avflt.sys	360box.sys	360fsflt.sys	360qpesv.sys	5nine.cbt.sys
a2acc.sys	a2acc64.sys	a2ertpx64.sys	a2ertpx86.sys	a2gffi64.sys
a2gffx64.sys	a2gffx86.sys	aaf.sys	aalprotect.sys	abrpmon.sys
accessvalidator.sys	acdriver.sys	acdrv.sys	adaptivaclientcache32.sys	adaptivaclientcache64.sys
adcvcsnt.sys	adspiderdoc.sys	aefilter.sys	agentrtm64.sys	agfsmon.sys
agseclock.sys	agsyslock.sys	ahkamflt.sys	ahksvpro.sys	ahkusbfw.sys
ahnrghlh.sys	aictracedrv_am.sys	airship-filter.sys	ajfsprot.sys	alcapture.sys
alfaff.sys	altcbt.sys	amfd.sys	amfsm.sys	amm6460.sys
amm8660.sys	amsfilter.sys	amznmon.sys	antileakfilter.sys	antispyfilter.sys
anvfsm.sys	apexsqlfilterdriver.sys	appcheckd.sys	appguard.sys	appvmon.sys
arfmonnt.sys	arta.sys	arwflt.sys	asgard.sys	ashavscan.sys
asiofms.sys	aswfsblk.sys	aswmonflt.sys	aswsnx.sys	aswsp.sys
aszfltnt.sys	atamptnt.sys	atc.sys	atdragent.sys	atdragent64.sys
aternityregistryhook.sys	atflt.sys	atrsdfw.sys	auditflt.sys	aupdrv.sys
avapsfd.sys	avc3.sys	avckf.sys	avfsmn.sys	avgmfi64.sys
avgmfrs.sys	avgmfx64.sys	avgmfx86.sys	avgntflt.sys	avgtpx64.sys
avgtpx86.sys	avipbb.sys	avkmgr.sys	avmf.sys	awarecore.sys
axfltdrv.sys	axfsysmon.sys	ayfilter.sys	b9kernel.sys	backupreader.sys
bamfltr.sys	bapfecpt.sys	bbfilter.sys	bd0003.sys	bddevflt.sys
bdfiledefend.sys	bdfilespy.sys	bdfm.sys	bdfsfltr.sys	bdprivmon.sys
bdrdfolder.sys	bdsdkit.sys	bdsfilter.sys	bdsflt.sys	bdsvm.sys
bdsysmon.sys	bedaisy.sys	bemk.sys	bfaccess.sys	bfilter.sys
bfmon.sys	bhdrvx64.sys	bhdrvx86.sys	bhkavka.sys	bhkavki.sys
bkavautoflt.sys	bkavsdflt.sys	blackbirdfsa.sys	blackcat.sys	bmfsdrv.sys
bmregdrv.sys	boscmflt.sys	bosfsfltr.sys	bouncer.sys	boxifier.sys
brcow_x_x_x_x.sys	brfilter.sys	brnfilelock.sys	brnseclock.sys	browsermon.sys
bsrfsflt.sys	bssaudit.sys	bsyaed.sys	bsyar.sys	bsydf.sys
bsyirmf.sys	bsyrtm.sys	bsysp.sys	bsywl.sys	bwfsdrv.sys
bzsenspdrv.sys	bzsenth.sys	bzsenyaradrv.sys	caadflt.sys	caavfltr.sys
cancelsafe.sys	carbonblackk.sys	catflt.sys	catmf.sys	cbelam.sys
cbfilter20.sys	cbfltfs4.sys	cbfsfilter2017.sys	cbfsfilter2020.sys	cbsampledrv.sys
cdo.sys	cdrrsflt.sys	cdsgfsfilter.sys	centrifyfsf.sys	cfrmd.sys
cfsfdrv	cgwmf.sys	change.sys	changelog.sys	chemometecfilter.sys
ciscoampcefwdriver.sys	ciscoampheurdriver.sys	ciscosam.sys	clumiochangeblockmf.sys	cmdccav.sys
cmdcwagt.sys	cmdguard.sys	cmdmnefs.sys	cmflt.sys	code42filter.sys
codex.sys	conduantfsfltr.sys	containermonitor.sys	cpavfilter.sys	cpavkernel.sys
cpepmon.sys	crexecprev.sys	crncache32.sys	crncache64.sys	crnsysm.sys
cruncopy.sys	csaam.sys	csaav.sys	csacentr.sys	csaenh.sys
csagent.sys	csareg.sys	csascr.sys	csbfilter.sys	csdevicecontrol.sys
csfirmwareanalysis.sys	csflt.sys	csmon.sys	cssdlp.sys	ctamflt.sys
ctifile.sys	ctinet.sys	ctrpamon.sys	ctx.sys	cvcbt.sys
cvofflineflt32.sys	cvofflineflt64.sys	cvsflt.sys	cwdriver.sys	cwmem2k64.sys
cybkerneltracker.sys	cylancedrv64.sys	cyoptics.sys	cyprotectdrv32.sys	cyprotectdrv64.sys
cytmon.sys	cyverak.sys	cyvrfsfd.sys	cyvrlpc.sys	cyvrmtgn.sys
datanow_driver.sys	dattofsf.sys	da_ctl.sys	dcfafilter.sys	dcfsgrd.sys
dcsnaprestore.sys	deepinsfs.sys	delete_flt.sys	devmonminifilter.sys	dfmfilter.sys
dgedriver.sys	dgfilter.sys	dgsafe.sys	dhwatchdog.sys	diflt.sys
diskactmon.sys	dkdrv.sys	dkrtwrt.sys	dktlfsmf.sys	dnafsmonitor.sys
docvmonk.sys	docvmonk64.sys	dpmfilter.sys	drbdlock.sys	drivesentryfilterdriver2lite.sys
drsfile.sys	drvhookcsmf.sys	drvhookcsmf_amd64.sys	drwebfwflt.sys	drwebfwft.sys
dsark.sys	dsdriver.sys	dsfemon.sys	dsflt.sys	dsfltfs.sys
dskmn.sys	dtdsel.sys	dtpl.sys	dwprot.sys	dwshield.sys
dwshield64.sys	eamonm.sys	easeflt.sys	easyanticheat.sys	eaw.sys
ecatdriver.sys	edevmon.sys	ednemfsfilter.sys	edrdrv.sys	edrsensor.sys
edsigk.sys	eectrl.sys	eetd32.sys	eetd64.sys	eeyehv.sys
eeyehv64.sys	egambit.sys	egfilterk.sys	egminflt.sys	egnfsflt.sys
ehdrv.sys	elock2fsctldriver.sys	emxdrv2.sys	enigmafilemondriver.sys	enmon.sys
epdrv.sys	epfw.sys	epfwwfp.sys	epicfilter.sys	epklib.sys
epp64.sys	epregflt.sys	eps.sys	epsmn.sys	equ8_helper.sys
eraser.sys	esensor.sys	esprobe.sys	estprmon.sys	estprp.sys
estregmon.sys	estregp.sys	estrkmon.sys	estrkr.sys	eventmon.sys
evmf.sys	evscase.sys	excfs.sys	exprevdriver.sys	failattach.sys
failmount.sys	fam.sys	fangcloud_autolock_driver.sys	fapmonitor.sys	farflt.sys
farwflt.sys	fasdriver	fcnotify.sys	fcontrol.sys	fdrtrace.sys
fekern.sys	fencry.sys	ffcfilt.sys	ffdriver.sys	fildds.sys
filefilter.sys	fileflt.sys	fileguard.sys	filehubagent.sys	filemon.sys
filemonitor.sys	filenamevalidator.sys	filescan.sys	filesharemon.sys	filesightmf.sys
filesystemcbt.sys	filetrace.sys	file_monitor.sys	file_protector.sys	file_tracker.sys
filrdriver.sys	fim.sys	fiometer.sys	fiopolicyfilter.sys	fjgsdis2.sys
fjseparettifilterredirect.sys	flashaccelfs.sys	flightrecorder.sys	fltrs329.sys	flyfs.sys
fmdrive.sys	fmkkc.sys	fmm.sys	fortiaptfilter.sys	fortimon2.sys
fortirmon.sys	fortishield.sys	fpav_rtp.sys	fpepflt.sys	fsafilter.sys
fsatp.sys	fsfilter.sys	fsgk.sys	fshs.sys	fsmon.sys
fsmonitor.sys	fsnk.sys	fsrfilter.sys	fstrace.sys	fsulgk.sys
fsw31rj1.sys	gagsecurity.sys	gbpkm.sys	gcffilter.sys	gddcv.sys
gefcmp.sys	gemma.sys	geprotection.sys	ggc.sys	gibepcore.sys
gkff.sys	gkff64.sys	gkpfcb.sys	gkpfcb64.sys	gofsmf.sys
gpminifilter.sys	groundling32.sys	groundling64.sys	gtkdrv.sys	gumhfilter.sys
gzflt.sys	hafsnk.sys	hbflt.sys	hbfsfltr.sys	hcp_kernel_acq.sys
hdcorrelatefdrv.sys	hdfilemon.sys	hdransomoffdrv.sys	hdrfs.sys	heimdall.sys
hexisfsmonitor.sys	hfileflt.sys	hiofs.sys	hmpalert.sys	hookcentre.sys
hooksys.sys	hpreg.sys	hsmltmon.sys	hsmltwhl.sys	hssfwhl.sys
hvlminifilter.sys	ibr2fsk.sys	iccfileioad.sys	iccfilteraudit.sys	iccfiltersc.sys
icfclientflt.sys	icrlmonitor.sys	iderafilterdriver.sys	ielcp.sys	ieslp.sys
ifs64.sys	ignis.sys	iguard.sys	iiscache.sys	ikfilesec.sys
im.sys	imffilter.sys	imfilter.sys	imgguard.sys	immflex.sys
immunetprotect.sys	immunetselfprotect.sys	inisbdrv64.sys	ino_fltr.sys	intelcas.sys
intmfs.sys	inuse.sys	invprotectdrv.sys	invprotectdrv64.sys	ionmonwdrv.sys
iothorfs.sys	ipcomfltr.sys	ipfilter.sys	iprotect.sys	iridiumswitch.sys
irongatefd.sys	isafekrnl.sys	isafekrnlmon.sys	isafermon	isecureflt.sys
isedrv.sys	isfpdrv.sys	isirmfmon.sys	isregflt.sys	isregflt64.sys
issfltr.sys	issregistry.sys	it2drv.sys	it2reg.sys	ivappmon.sys
iwdmfs.sys	iwhlp.sys	iwhlp2.sys	iwhlpxp.sys	jdppsf.sys
jdppwf.sys	jkppob.sys	jkppok.sys	jkpppf.sys	jkppxk.sys
k7sentry.sys	kavnsi.sys	kawachfsminifilter.sys	kc3.sys	kconv.sys
kernelagent32.sys	kewf.sys	kfac.sys	kfileflt.sys	kisknl.sys
klam.sys	klbg.sys	klboot.sys	kldback.sys	kldlinf.sys
kldtool.sys	klfdefsf.sys	klflt.sys	klgse.sys	klhk.sys
klif.sys	klifaa.sys	klifks.sys	klifsm.sys	klrsps.sys
klsnsr.sys	klupd_klif_arkmon.sys	kmkuflt.sys	kmnwch.sys	kmxagent.sys
kmxfile.sys	kmxsbx.sys	ksfsflt.sys	ktfsfilter.sys	ktsyncfsflt.sys
kubwksp.sys	lafs.sys	lbd.sys	lbprotect.sys	lcgadmon.sys
lcgfile.sys	lcgfilemon.sys	lcmadmon.sys	lcmfile.sys	lcmfilemon.sys
lcmprintmon.sys	ldsecdrv.sys	libwamf.sys	livedrivefilter.sys	llfilter.sys
lmdriver.sys	lnvscenter.sys	locksmith.sys	lragentmf.sys	lrtp.sys
magicbackupmonitor.sys	magicprotect.sys	majoradvapi.sys	marspy.sys	maxcryptmon.sys
maxproc64.sys	maxprotector.sys	mbae64.sys	mbam.sys	mbamchameleon.sys
mbamshuriken.sys	mbamswissarmy.sys	mbamwatchdog.sys	mblmon.sys	mcfilemon32.sys
mcfilemon64.sys	mcstrg.sys	mearwfltdriver.sys	message.sys	mfdriver.sys
mfeaack.sys	mfeaskm.sys	mfeavfk.sys	mfeclnrk.sys	mfeelamk.sys
mfefirek.sys	mfehidk.sys	mfencbdc.sys	mfencfilter.sys	mfencoas.sys
mfencrk.sys	mfeplk.sys	mfewfpk.sys	miniicpt.sys	minispy.sys
minitrc.sys	mlsaff.sys	mmpsy32.sys	mmpsy64.sys	monsterk.sys
mozycorpfilter.sys	mozyenterprisefilter.sys	mozyentfilter.sys	mozyhomefilter.sys	mozynextfilter.sys
mozyoemfilter.sys	mozyprofilter.sys	mpfilter.sys	mpkernel.sys	mpksldrv.sys
mpxmon.sys	mracdrv.sys	mrxgoogle.sys	mscan-rt.sys	msiodrv4.sys
msixpackagingtoolmonitor.sys	msnfsflt.sys	mspy.sys	mssecflt.sys	mtsvcdf.sys
mumdi.sys	mwac.sys	mwatcher.sys	mwfsmfltr.sys	mydlpmf.sys
namechanger.sys	nanoavmf.sys	naswsp.sys	ndgdmk.sys	neokerbyfilter
netaccctrl.sys	netaccctrl64.sys	netguard.sys	netpeeker.sys	ngscan.sys
nlcbhelpi64.sys	nlcbhelpx64.sys	nlcbhelpx86.sys	nlxff.sys	nmlhssrv01.sys
nmpfilter.sys	nntinfo.sys	novashield.sys	nowonmf.sys	npetw.sys
nprosec.sys	npxgd.sys	npxgd64.sys	nravwka.sys	nrcomgrdka.sys
nrcomgrdki.sys	nregsec.sys	nrpmonka.sys	nrpmonki.sys	nsminflt.sys
nsminflt64.sys	ntest.sys	ntfsf.sys	ntguard.sys	ntps_fa.sys
nullfilter.sys	nvcmflt.sys	nvmon.sys	nwedriver.sys	nxfsmon.sys
nxrmflt.sys	oadevice.sys	oavfm.sys	oczminifilter.sys	odfsfilter.sys
odfsfimfilter.sys	odfstokenfilter.sys	offsm.sys	omfltlh.sys	osiris.sys
ospfile_mini.sys	ospmon.sys	parity.sys	passthrough.sys	path8flt.sys
pavdrv.sys	pcpifd.sys	pctcore.sys	pctcore64.sys	pdgenfam.sys
pecfilter.sys	perfectworldanticheatsys.sys	pervac.sys	pfkrnl.sys	pfracdrv.sys
pgpfs.sys	pgpwdefs.sys	phantomd.sys	phdcbtdrv.sys	pkgfilter.sys
pkticpt.sys	plgfltr.sys	plpoffdrv.sys	pointguardvista64f.sys	pointguardvistaf.sys
pointguardvistar32.sys	pointguardvistar64.sys	procmon11.sys	proggerdriver.sys	psacfileaccessfilter.sys
pscff.sys	psgdflt.sys	psgfoctrl.sys	psinfile.sys	psinproc.sys
psisolator.sys	pwipf6.sys	pwprotect.sys	pzdrvxp.sys	qdocumentref.sys
qfapflt.sys	qfilter.sys	qfimdvr.sys	qfmon.sys	qminspec.sys
qmon.sys	qqprotect.sys	qqprotectx64.sys	qqsysmon.sys	qqsysmonx64.sys
qutmdrv.sys	ranpodfs.sys	ransomdefensexxx.sys	ransomdetect.sys	reaqtor.sys
redlight.sys	regguard.sys	reghook.sys	regmonex.sys	repdrv.sys
repmon.sys	revefltmgr.sys	reveprocprotection.sys	revonetdriver.sys	rflog.sys
rgnt.sys	rmdiskmon.sys	rmphvmonitor.sys	rpwatcher.sys	rrmon32.sys
rrmon64.sys	rsfdrv.sys	rsflt.sys	rspcrtw.sys	rsrtw.sys
rswctrl.sys	rswmon.sys	rtologon.sys	rtw.sys	ruaff.sys
rubrikfileaudit.sys	ruidiskfs.sys	ruieye.sys	ruifileaccess.sys	ruimachine.sys
ruiminispy.sys	rvsavd.sys	rvsmon.sys	rw7fsflt.sys	rwchangedrv.sys
ryfilter.sys	ryguard.sys	safe-agent.sys	safsfilter.sys	sagntflt.sys
sahara.sys	sakfile.sys	sakmfile.sys	samflt.sys	samsungrapidfsfltr.sys
sanddriver.sys	santa.sys	sascan.sys	savant.sys	savonaccess.sys
scaegis.sys	scauthfsflt.sys	scauthiodrv.sys	scensemon.sys	scfltr.sys
scifsflt.sys	sciptflt.sys	sconnect.sys	scred.sys	sdactmon.sys
sddrvldr.sys	sdvfilter.sys	se46filter.sys	secdodriver.sys	secone_filemon10.sys
secone_proc10.sys	secone_reg10.sys	secone_usb.sys	secrmm.sys	secufile.sys
secure_os.sys	secure_os_mf.sys	securofsd_x64.sys	sefo.sys	segf.sys
segiraflt.sys	segmd.sys	segmp.sys	sentinelmonitor.sys	serdr.sys
serfs.sys	sfac.sys	sfavflt.sys	sfdfilter.sys	sfpmonitor.sys
sgresflt.sys	shdlpmedia.sys	shdlpsf.sys	sheedantivirusfilterdriver.sys	sheedselfprotection.sys
shldflt.sys	si32_file.sys	si64_file.sys	sieflt.sys	simrep.sys
sisipsfilefilter	sk.sys	skyamdrv.sys	skyrgdrv.sys	skywpdrv.sys
slb_guard.sys	sld.sys	smbresilfilter.sys	smdrvnt.sys	sndacs.sys
snexequota.sys	snilog.sys	snimg.sys	snscore.sys	snsrflt.sys
sodatpfl.sys	softfilterxxx.sys	soidriver.sys	solitkm.sys	sonar.sys
sophosdt2.sys	sophosed.sys	sophosntplwf.sys	sophossupport.sys	spbbcdrv.sys
spellmon.sys	spider3g.sys	spiderg3.sys	spiminifilter.sys	spotlight.sys
sprtdrv.sys	sqlsafefilterdriver.sys	srminifilterdrv.sys	srtsp.sys	srtsp64.sys
srtspit.sys	ssfmonm.sys	ssrfsf.sys	ssvhook.sys	stcvsm.sys
stegoprotect.sys	stest.sys	stflt.sys	stkrnl64.sys	storagedrv.sys
strapvista.sys	strapvista64.sys	svcbt.sys	swcommfltr.sys	swfsfltr.sys
swfsfltrv2.sys	swin.sys	symafr.sys	symefa.sys	symefa64.sys
symefasi.sys	symevent.sys	symevent64x86.sys	symevnt.sys	symevnt32.sys
symhsm.sys	symrg.sys	sysdiag.sys	sysmon.sys	sysmondrv.sys
sysplant.sys	szardrv.sys	szdfmdrv.sys	szdfmdrv_usb.sys	szedrdrv.sys
szpcmdrv.sys	taniumrecorderdrv.sys	taobserveflt.sys	tbfsfilt.sys	tbmninifilter.sys
tbrdrv.sys	tdevflt.sys	tedrdrv.sys	tenrsafe2.sys	tesmon.sys
tesxnginx.sys	tesxporter.sys	tffregnt.sys	tfsflt.sys	tgfsmf.sys
thetta.sys	thfilter.sys	threatstackfim.sys	tkdac2k.sys	tkdacxp.sys
tkdacxp64.sys	tkfsavxp.sys	tkfsavxp64.sys	tkfsft.sys	tkfsft64.sys
tkpcftcb.sys	tkpcftcb64.sys	tkpl2k.sys	tkpl2k64.sys	tksp2k.sys
tkspxp.sys	tkspxp64.sys	tmactmon.sys	tmcomm.sys	tmesflt.sys
tmevtmgr.sys	tmeyes.sys	tmfsdrv2.sys	tmkmsnsr.sys	tmnciesc.sys
tmpreflt.sys	tmumh.sys	tmums.sys	tmusa.sys	tmxpflt.sys
topdogfsfilt.sys	trace.sys	trfsfilter.sys	tritiumfltr.sys	trpmnflt.sys
trufos.sys	trustededgeffd.sys	tsifilemon.sys	tss.sys	tstfilter.sys
tstfsredir.sys	tstregredir.sys	tsyscare.sys	tvdriver.sys	tvfiltr.sys
tvmfltr.sys	tvptfile.sys	tvspfltr.sys	twbdcfilter.sys	txfilefilter.sys
txregmon.sys	uamflt.sys	ucafltdriver.sys	ufdfilter.sys	uncheater.sys
upguardrealtime.sys	usbl_ifsfltr.sys	usbpdh.sys	usbtest.sys	uvmcifsf.sys
uwfreg.sys	uwfs.sys	v3flt2k.sys	v3flu2k.sys	v3ift2k.sys
v3iftmnt.sys	v3mifint.sys	varpffmon.sys	vast.sys	vcdriv.sys
vchle.sys	vcmfilter.sys	vcreg.sys	veeamfct.sys	vfdrv.sys
vfilefilter.sys	vfpd.sys	vfsenc.sys	vhddelta.sys	vhdtrack.sys
vidderfs.sys	vintmfs.sys	virtfile.sys	virtualagent.sys	vk_fsf.sys
vlflt.sys	vmwvvpfsd.sys	vollock.sys	vpdrvnt.sys	vradfil2.sys
vraptdef.sys	vraptflt.sys	vrarnflt.sys	vrbbdflt.sys	vrexpdrv.sys
vrfsftm.sys	vrfsftmx.sys	vrnsfilter.sys	vrsdam.sys	vrsdcore.sys
vrsdetri.sys	vrsdetrix.sys	vrsdfmx.sys	vrvbrfsfilter.sys	vsepflt.sys
vsscanner.sys	vtsysflt.sys	vxfsrep.sys	wats_se.sys	wbfilter.sys
wcsdriver.sys	wdcfilter.sys	wdfilter.sys	wdocsafe.sys	wfp_mrt.sys
wgfile.sys	whiteshield.sys	windbdrv.sys	windd.sys	winfladrv.sys
winflahdrv.sys	winfldrv.sys	winfpdrv.sys	winload.sys	winteonminifilter.sys
wiper.sys	wlminisecmod.sys	wntgpdrv.sys	wraekernel.sys	wrcore.sys
wrcore.x64.sys	wrdwizfileprot.sys	wrdwizregprot.sys	wrdwizscanner.sys	wrdwizsecure64.sys
wrkrn.sys	wrpfv.sys	wsafefilter.sys	wscm.sys	xcpl.sys
xendowflt.sys	xfsgk.sys	xhunter1.sys	xhunter64.sys	xiaobaifs.sys
xiaobaifsr.sys	xkfsfd.sys	xoiv8x64.sys	xomfcbt8x64.sys	yahoostorage.sys
yfsd.sys	yfsd2.sys	yfsdr.sys	yfsrd.sys	zampit_ml.sys
zesfsmf.sys	zqfilter.sys	zsfprt.sys	zwasatom.sys	zwpxesvr.sys
zxfsfilt.sys	zyfm.sys	zzpensys.sys

Analysis of Storm-0558 techniques for unauthorized email access

July 14, 2023

Executive summary
On July 11, 2023, Microsoft published two blogs detailing a malicious campaign by a threat actor tracked as Storm-0558 that targeted customer email that we’ve detected and mitigated: Microsoft Security Response Center and Microsoft on the Issues. As we continue our investigation into this incident and deploy defense in depth measures to harden all systems involved, we’re providing this deeper analysis of the observed actor techniques for obtaining unauthorized access to email data, tools, and unique infrastructure characteristics.

As described in more detail in our July 11 blogs, Storm-0558 is a China-based threat actor with espionage objectives. Beginning May 15, 2023, Storm-0558 used forged authentication tokens to access user email from approximately 25 organizations, including government agencies and related consumer accounts in the public cloud. No other environment was impacted. Microsoft has successfully blocked this campaign from Storm-0558. As with any observed nation-state actor activity, Microsoft has directly notified targeted or compromised customers, providing them with important information needed to secure their environments.

Since identification of this malicious campaign on June 16, 2023, Microsoft has identified the root cause, established durable tracking of the campaign, disrupted malicious activities, hardened the environment, notified every impacted customer, and coordinated with multiple government entities. We continue to investigate and monitor the situation and will take additional steps to protect customers.

Actor overview

Microsoft Threat Intelligence assesses with moderate confidence that Storm-0558 is a China-based threat actor with activities and methods consistent with espionage objectives. While we have discovered some minimal overlaps with other Chinese groups such as Violet Typhoon (ZIRCONIUM, APT31), we maintain high confidence that Storm-0558 operates as its own distinct group.

Figure 1 shows Storm-0558 working patterns from April to July 2023; the actor’s core working hours are consistent with working hours in China, Monday through Friday from 12:00 AM UTC (8:00 AM China Standard time) through 09:00 AM UTC (5:00 PM China Standard Time).

Heatmap showing observed Storm-0558 activity by day of the week (x-axis) and hour (y-axis). — Figure 1. Heatmap of observed Stom-0558 activity by day of week and hour (UTC).

In past activity observed by Microsoft, Storm-0558 has primarily targeted US and European diplomatic, economic, and legislative governing bodies, and individuals connected to Taiwan and Uyghur geopolitical interests.

Historically, this threat actor has displayed an interest in targeting media companies, think tanks, and telecommunications equipment and service providers. The objective of most Storm-0558 campaigns is to obtain unauthorized access to email accounts belonging to employees of targeted organizations. Storm-0558 pursues this objective through credential harvesting, phishing campaigns, and OAuth token attacks. This threat actor has displayed an interest in OAuth applications, token theft, and token replay against Microsoft accounts since at least August 2021. Storm-0558 operates with a high degree of technical tradecraft and operational security. The actors are keenly aware of the target’s environment, logging policies, authentication requirements, policies, and procedures. Storm-0558’s tooling and reconnaissance activity suggests the actor is technically adept, well resourced, and has an in-depth understanding of many authentication techniques and applications.

In the past, Microsoft has observed Storm-0558 obtain credentials for initial access through phishing campaigns. The actor has also exploited vulnerabilities in public-facing applications to gain initial access to victim networks. These exploits typically result in web shells, including China Chopper, being deployed on compromised servers. One of the most prevalent malware families used by Storm-0558 is a shared tool tracked by Microsoft as Cigril. This family exists in several variants and is launched using dynamic-link library (DLL) search order hijacking.

After gaining access to a compromised system, Storm-0558 accesses credentials from a variety of sources, including the LSASS process memory and Security Account Manager (SAM) registry hive. Microsoft assesses that once Storm-0558 has access to the desired user credentials, the actor signs into the compromised user’s cloud email account with the valid account credentials. The actor then collects information from the email account over the web service.

Initial discovery and analysis of current activity

On June 16, 2023, Microsoft was notified by a customer of anomalous Exchange Online data access. Microsoft analysis attributed the activity to Storm-0558 based on established prior TTPs. We determined that Storm-0558 was accessing the customer’s Exchange Online data using Outlook Web Access (OWA). Microsoft’s investigative workflow initially assumed the actor was stealing correctly issued Azure Active Directory (Azure AD) tokens, most probably using malware on infected customer devices. Microsoft analysts later determined that the actor’s access was utilizing Exchange Online authentication artifacts, which are typically derived from Azure AD authentication tokens (Azure AD tokens). Further in-depth analysis over the next several days led Microsoft analysts to assess that the internal Exchange Online authentication artifacts did not correspond to Azure AD tokens in Microsoft logs.

Microsoft analysts began investigating the possibility that the actor was forging authentication tokens using an acquired Azure AD enterprise signing key. In-depth analysis of the Exchange Online activity discovered that in fact the actor was forging Azure AD tokens using an acquired Microsoft account (MSA) consumer signing key. This was made possible by a validation error in Microsoft code. The use of an incorrect key to sign the requests allowed our investigation teams to see all actor access requests which followed this pattern across both our enterprise and consumer systems. Use of the incorrect key to sign this scope of assertions was an obvious indicator of the actor activity as no Microsoft system signs tokens in this way. Use of acquired signing material to forge authentication tokens to access customer Exchange Online data differs from previously observed Storm-0558 activity. Microsoft’s investigations have not detected any other use of this pattern by other actors and Microsoft has taken steps to block related abuse.

Actor techniques

Token forgery

Authentication tokens are used to validate the identity of entities requesting access to resources – in this case, email. These tokens are issued to the requesting entity (such as a user’s browser) by identity providers like Azure AD. To prove authenticity, the identity provider signs the token using a private signing key. The relying party validates the token presented by the requesting entity by using a public validation key. Any request whose signature is correctly validated by the published public validation key will be trusted by the relying party. An actor that can acquire a private signing key can then create falsified tokens with valid signatures that will be accepted by relying parties. This is called token forgery.

Storm-0558 acquired an inactive MSA consumer signing key and used it to forge authentication tokens for Azure AD enterprise and MSA consumer to access OWA and Outlook.com. All MSA keys active prior to the incident – including the actor-acquired MSA signing key – have been invalidated. Azure AD keys were not impacted. The method by which the actor acquired the key is a matter of ongoing investigation. Though the key was intended only for MSA accounts, a validation issue allowed this key to be trusted for signing Azure AD tokens. This issue has been corrected.

As part of defense in depth, we continuously update our systems. We have substantially hardened key issuance systems since the acquired MSA key was initially issued. This includes increased isolation of the systems, refined monitoring of system activity, and moving to the hardened key store used for our enterprise systems. We have revoked all previously active keys and issued new keys using these updated systems. Our active investigation indicates these hardening and isolation improvements disrupt the mechanisms we believe the actor could have used to acquire MSA signing keys. No key-related actor activity has been observed since Microsoft invalidated the actor-acquired MSA signing key. Further, we have seen Storm-0558 transition to other techniques, which indicates that the actor is not able to utilize or access any signing keys. We continue to explore other ways the key may have been acquired and add additional defense in depth measures.

Identity techniques for access

Once authenticated through a legitimate client flow leveraging the forged token, the threat actor accessed the OWA API to retrieve a token for Exchange Online from the GetAccessTokenForResource API used by OWA. The actor was able to obtain new access tokens by presenting one previously issued from this API due to a design flaw. This flaw in the GetAccessTokenForResourceAPI has since been fixed to only accept tokens issued from Azure AD or MSA respectively. The actor used these tokens to retrieve mail messages from the OWA API.

Actor tooling

Microsoft Threat Intelligence routinely identifies threat actor capabilities and leverages file intelligence to facilitate our protection of Microsoft customers. During this investigation, we identified several distinct Storm-0558 capabilities that facilitate the threat actor’s intrusion techniques. The capabilities described in this section are not expected to be present in the victim environment.

Storm-0558 uses a collection of PowerShell and Python scripts to perform REST API calls against the OWA Exchange Store service. For example, Storm-0558 has the capability to use minted access tokens to extract email data such as:

Download emails
Download attachments
Locate and download conversations
Get email folder information

The generated web requests can be routed through a Tor proxy or several hardcoded SOCKS5 proxy servers. The threat actor was observed using several User-Agents when issuing web requests, for example:

Client=REST;Client=RESTSystem;;
Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/92.0.4515.159 Safari/537.36
Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/106.0.0.0 Safari/537.36 Edg/106.0.1370.52
“Microsoft Edge”;v=”113″, “Chromium”;v=”113″, “Not-A.Brand”;v=”24″

The scripts contain highly sensitive hardcoded information such as bearer access tokens and email data, which the threat actor uses to perform the OWA API calls. The threat actor has the capability to refresh the access token for use in subsequent OWA commands.

Screenshot of Python code snippet of the token refresh functionality — Figure 2. Python code snippet of the token refresh functionality used by the threat actor.

Screenshot of PowerShell code snippet of OWA REST API — Figure 3. PowerShell code snippet of OWA REST API call to GetConversationItems.

Actor infrastructure

During significant portions of Storm-0558’s malicious activities, the threat actor leveraged dedicated infrastructure running the SoftEther proxy software. Proxy infrastructure complicates detection and attribution of Storm-0558 activities. During our response, Microsoft Threat Intelligence identified a unique method of profiling this proxy infrastructure and correlated with behavioral characteristics of the actor intrusion techniques. Our profile was based on the following facets:

Hosts operating as part of this network present a JARM fingerprint consistent with SoftEther VPN: 06d06d07d06d06d06c42d42d000000cdb95e27fd8f9fee4a2bec829b889b8b.
Presented x509 certificate has expiration date of December 31, 2037.
Subject information within the x509 certificate does not contain “softether”.

Over the course of the campaign, the IPs listed in the table below were used during the corresponding timeframes.

IP address	First seen	Last seen	Description
51.89.156[.]153	3/9/2023	7/10/2023	SoftEther proxy
176.31.90[.]129	3/28/2023	6/29/2023	SoftEther proxy
137.74.181[.]100	3/31/2023	7/11/2023	SoftEther proxy
193.36.119[.]45	4/19/2023	7/7/2023	SoftEther proxy
185.158.248[.]159	4/24/2023	7/6/2023	SoftEther proxy
131.153.78[.]188	5/6/2023	6/29/2023	SoftEther proxy
37.143.130[.]146	5/12/2023	5/19/2023	SoftEther proxy
146.70.157[.]45	5/12/2023	6/8/2023	SoftEther proxy
185.195.200[.]39	5/15/2023	6/29/2023	SoftEther proxy
185.38.142[.]229	5/15/2023	7/12/2023	SoftEther proxy
146.70.121[.]44	5/17/2023	6/29/2023	SoftEther proxy
31.42.177[.]181	5/22/2023	5/23/2023	SoftEther proxy
185.51.134[.]52	6/7/2023	7/11/2023	SoftEther proxy
173.44.226[.]70	6/9/2023	7/11/2023	SoftEther proxy
45.14.227[.]233	6/12/2023	6/26/2023	SoftEther proxy
185.236.231[.]109	6/12/2023	7/3/2023	SoftEther proxy
178.73.220[.]149	6/16/2023	7/12/2023	SoftEther proxy
45.14.227[.]212	6/19/2023	6/29/2023	SoftEther proxy
91.222.173[.]225	6/20/2023	7/1/2023	SoftEther proxy
146.70.35[.]168	6/22/2023	6/29/2023	SoftEther proxy
146.70.157[.]213	6/26/2023	6/30/2023	SoftEther proxy
31.42.177[.]201	6/27/2023	6/29/2023	SoftEther proxy
5.252.176[.]8	7/1/2023	7/1/2023	SoftEther proxy
80.85.158[.]215	7/1/2023	7/9/2023	SoftEther proxy
193.149.129[.]88	7/2/2023	7/12/2023	SoftEther proxy
5.252.178[.]68	7/3/2023	7/11/2023	SoftEther proxy
116.202.251[.]8	7/4/2023	7/7/2023	SoftEther proxy
185.158.248[.]93	6/25/2023	06/26/2023	SoftEther proxy
20.108.240[.]252	6/25/2023	7/5/2023	SoftEther proxy
146.70.135[.]182	5/18/2023	6/22/2023	SoftEther proxy

As early as May 15, 2023, Storm-0558 shifted to using a separate series of dedicated infrastructure servers specifically for token replay and interaction with Microsoft services. It is likely that the dedicated infrastructure and supporting services configured on this infrastructure offered a more efficient manner of facilitating the actor’s activities. The dedicated infrastructure would host an actor-developed web panel that presented an authentication page at URI /#/login. The observed sign-in pages had one of two SHA-1 hashes: 80d315c21fc13365bba5b4d56357136e84ecb2d4 and 931e27b6f1a99edb96860f840eb7ef201f6c68ec.

Screenshot of the token web panel sign-in page — Figure 4. Token web panel sign-in page with SHA-1 hashes.

As part of the intelligence-driven response to this campaign, and in support of tracking, analyzing, and disrupting actor activity, analytics were developed to proactively track the dedicated infrastructure. Through this tracking, we identified the following dedicated infrastructure.

IP address	First seen	Last seen	Description
195.26.87[.]219	5/15/2023	6/25/2023	Token web panel
185.236.228[.]183	5/24/2023	6/11/2023	Token web panel
85.239.63[.]160	6/7/2023	6/11/2023	Token web panel
193.105.134[.]58	6/24/2023	6/25/2023	Token web panel
146.0.74[.]16	6/28/2023	7/4/2023	Token web panel
91.231.186[.]226	6/29/2023	7/4/2023	Token web panel
91.222.174[.]41	6/29/2023	7/3/2023	Token web panel
185.38.142[.]249	6/29/2023	7/2/2023	Token web panel

The last observed dedicated token replay infrastructure associated with this activity was stood down on July 4, 2023, roughly one day following the coordinated mitigation conducted by Microsoft.

Post-compromise activity

Our telemetry and investigations indicate that post-compromise activity was limited to email access and exfiltration for targeted users.

Mitigation and hardening

No customer action is required to mitigate the token forgery technique or validation error in OWA or Outlook.com. Microsoft has mitigated this issue on customers’ behalf as follows:

On June 26, OWA stopped accepting tokens issued from GetAccessTokensForResource for renewal, which mitigated the token renewal being abused.
On June 27, Microsoft blocked the usage of tokens signed with the acquired MSA key in OWA preventing further threat actor enterprise mail activity.
On June 29, Microsoft completed replacement of the key to prevent the threat actor from using it to forge tokens. Microsoft revoked all MSA signing which were valid at the time of the incident, including the actor-acquired MSA key. The new MSA signing keys are issued in substantially updated systems which benefit from hardening not present at issuance of the actor-acquired MSA key:
- Microsoft has increased the isolation of these systems from corporate environments, applications, and users.Microsoft has refined monitoring of all systems related to key activity, and increased automated alerting related to this monitoring.
- Microsoft has moved the MSA signing keys to the key store used for our enterprise systems.
On July 3, Microsoft blocked usage of the key for all impacted consumer customers to prevent use of previously-issued tokens.

Ongoing monitoring indicates that all actor activity related to this incident has been blocked. Microsoft will continue to monitor Storm-0558 activity and implement protections for our customers.

Recommendations

Microsoft has mitigated this activity on our customers’ behalf for Microsoft services. No customer action is required to prevent threat actors from using the techniques described above to access Exchange Online and Outlook.com.

Indicators of compromise

Indicator	Type	First seen	Last seen	Description
d4b4cccda9228624656bff33d8110955779632aa	Thumbprint			Thumbprint of acquired signing key
195.26.87[.]219	IPv4	5/15/2023	6/25/2023	Token web panel
185.236.228[.]183	IPv4	5/24/2023	6/11/2023	Token web panel
85.239.63[.]160	IPv4	6/7/2023	6/11/2023	Token web panel
193.105.134[.]58	IPv4	6/24/2023	6/25/2023	Token web panel
146.0.74[.]16	IPv4	6/28/2023	7/4/2023	Token web panel
91.231.186[.]226	IPv4	6/29/2023	7/4/2023	Token web panel
91.222.174[.]41	IPv4	6/29/2023	7/3/2023	Token web panel
185.38.142[.]249	IPv4	6/29/2023	7/2/2023	Token web panel
51.89.156[.]153	IPv4	3/9/2023	7/10/2023	SoftEther proxy
176.31.90[.]129	IPv4	3/28/2023	6/29/2023	SoftEther proxy
137.74.181[.]100	IPv4	3/31/2023	7/11/2023	SoftEther proxy
193.36.119[.]45	IPv4	4/19/2023	7/7/2023	SoftEther proxy
185.158.248[.]159	IPv4	4/24/2023	7/6/2023	SoftEther proxy
131.153.78[.]188	IPv4	5/6/2023	6/29/2023	SoftEther proxy
37.143.130[.]146	IPv4	5/12/2023	5/19/2023	SoftEther proxy
146.70.157[.]45	IPv4	5/12/2023	6/8/2023	SoftEther proxy
185.195.200[.]39	IPv4	5/15/2023	6/29/2023	SoftEther proxy
185.38.142[.]229	IPv4	5/15/2023	7/12/2023	SoftEther proxy
146.70.121[.]44	IPv4	5/17/2023	6/29/2023	SoftEther proxy
31.42.177[.]181	IPv4	5/22/2023	5/23/2023	SoftEther proxy
185.51.134[.]52	IPv4	6/7/2023	7/11/2023	SoftEther proxy
173.44.226[.]70	IPv4	6/9/2023	7/11/2023	SoftEther proxy
45.14.227[.]233	IPv4	6/12/2023	6/26/2023	SoftEther proxy
185.236.231[.]109	IPv4	6/12/2023	7/3/2023	SoftEther proxy
178.73.220[.]149	IPv4	6/16/2023	7/12/2023	SoftEther proxy
45.14.227[.]212	IPv4	6/19/2023	6/29/2023	SoftEther proxy
91.222.173[.]225	IPv4	6/20/2023	7/1/2023	SoftEther proxy
146.70.35[.]168	IPv4	6/22/2023	6/29/2023	SoftEther proxy
146.70.157[.]213	IPv4	6/26/2023	6/30/2023	SoftEther proxy
31.42.177[.]201	IPv4	6/27/2023	6/29/2023	SoftEther proxy
5.252.176[.]8	IPv4	7/1/2023	7/1/2023	SoftEther proxy
80.85.158[.]215	IPv4	7/1/2023	7/9/2023	SoftEther proxy
193.149.129[.]88	IPv4	7/2/2023	7/12/2023	SoftEther proxy
5.252.178[.]68	IPv4	7/3/2023	7/11/2023	SoftEther proxy
116.202.251[.]8	IPv4	7/4/2023	7/7/2023	SoftEther proxy

How to Disable NTLM Authentication in Windows Domain

February 28, 2023

NTLM (NT LAN Manager) is a legacy Microsoft authentication protocol that dates back to Windows NT. Although Microsoft introduced the more secure Kerberos authentication protocol back in Windows 2000, NTLM (mostly NTLMv2) is still widely used for authentication on Windows domain networks. In this article, we will look at how to disable the NTLMv1 and NTLMv2 protocols, and switch to Kerberos in an Active Directory domain.

Contents:

The key NTLMv1 problems:

weak encryption;
storing password hash in the memory of the LSA service, which can be extracted from Windows memory in plain text using various tools (such as Mimikatz) and used for further attacks using pass-the-has scripts;
the lack of mutual authentication between a server and a client, leading to data interception and unauthorized access to resources (some tools such as Responder can capture NTLM data sent over the network and use them to access the network resources);
and other vulnerabilities.

Some of these have been in the next version NTLMv2 which uses more secure encryption algorithms and allows to prevent of common NTLM attacks. NTLMv1 and LM authentication protocols are disabled by default starting with Windows 7 and Windows Server 2008 R2.

How to Enable NTLM Authentication Audit Logging?

Before completely disabling NTLM in a domain and switching to Kerberos, it is a good idea to ensure that there are no applications in the domain that require and use NTLM auth. There may be legacy devices or services on your network that still use NTLMv1 authentication instead of NTLMv2 (or Kerberos).

To track accounts or apps that use NTLM authentication, you can enable audit logging policies on all computers using GPO. Open the Default Domain Controller Policy, navigate to the Computer Configuration -> Windows Settings -> Security Settings -> Local Policies -> Security Options section, find and enable the Network Security: Restrict NTLM: Audit NTLM authentication in this domain policy and set its value to Enable all.

Network Security: Restrict NTLM: Audit NTLM authentication in this domain

In the same way, enable the following policies in the Default Domain Policy:

Network Security: Restrict NTLM: Audit Incoming NTLM Traffic – set its value to Enable auditing for domain accounts
Network security: Restrict NTLM: Outgoing NTLM traffic to remote servers: set Audit all

Network Security: Restrict NTLM: Audit Incoming NTLM Traffic

Once these policies are enabled, events related to the use of NTLM authentication will appear in the Application and Services Logs-> Microsoft -> Windows -> NTLM section of the Event Viewer.

You can analyze the events on each server or collect them to the central Windows Event Log Collector.

You need to search for the events from the source Microsoft-Windows-Security-Auditing with the Event ID 4624 – “An Account was successfully logged on“. Note the information in the “Detailed Authentication Information” section. If there is NTLM in the Authentication Package value, then the NTLM protocol was used to authenticate this user.

Look at the value of Package Name (NTLM only). This line shows which protocol (LM, NTLMv1, or NTLMv2) was used for authentication. So you need to identify any servers/applications that are using the legacy protocol.

eventid 4624 source Microsoft-Windows-Security-Auditing ntlm usage

Also, if NTLM is used for authentication instead of Kerberos, Event ID 4776 will appear in the log:

The computer attempted to validate the credentials for an account
Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0

For example, to search for all NTLMv1 authentication events on all domain controllers, you can use the following PowerShell script:

$ADDCs = Get-ADDomainController -filter $Now = Get-Date $Yesterday = $Now.AddDays(-1) $NewOutputFile = "c:\Events\$($Yesterday.ToString('yyyyddMM'))_AD_NTLMv1_events.log" function GetEvents($DC){ Write-Host "Searching log on " $DC.HostName $Events = Get-EventLog "Security" -After $Yesterday.Date -Before $Now.Date -ComputerName $DC.HostName -Message "*NTLM V1*" -instanceid 4624 foreach($Event in $Events){ Write-Host $DC.HostName $Event.EventID $Event.TimeGenerated Out-File -FilePath $NewOutputFile -InputObject "$($Event.EventID), $($Event.MachineName), $($Event.TimeGenerated), $($Event.ReplacementStrings),($Event.message)" -Append } } foreach($DC in $ADDCs){GetEvents($DC)}

Once you have identified the users and applications that use NTLM in your domain, try switching them to use Kerberos (possibly using SPN). To use Kerberos authentication, some applications need to be slightly reconfigured (Kerberos Authentication in IIS, Configure different browsers for Kerberos authentication, Create a Keytab File Using Kerberos Auth). From my own experience, I see that even large commercial products are still using NTLM instead of Kerberos, some products require updates or configuration changes. The idea is to identify which applications use NTLM authentication, and now you have a way to identify that software and devices.

Small open-source products, old models of various network scanners (which store scans in shared network folders), some NAS devices and other old hardware, legacy software and operating systems are likely to have authentication problems when NTLMv1 is disabled.

Those apps that cannot use Kerberos can be added to the exceptions. This allows them to use NTLM authentication even if it is disabled at the domain level. To do it, the Network security: Restrict NTLM: Add server exceptions for NTLM authentication in this domain policy is used. Add the names of the servers (NetBIOS names, IP addresses, or FQDN), on which NTLM authentication can be used, to the list of exceptions as well. Ideally, this exception list should be empty. You can use the wildcard character *.

GPO: Network security: Restrict NTLM: Add server exceptions for NTLM authentication in this domain

To use Kerberos authentication in an application, you must specify the DNS name of the server, instead of its IP address. If you specify an IP address when connecting to your resources, NTLM authentication will be used.

Configuring Active Directory to Force NTLMv2 via GPO

Before completely disabling NTLM in an AD domain, it is recommended that you first disable its more vulnerable version, NTLMv1. The domain administrator needs to make sure that their network does not allow the use of NTLM or LM for authentication, as in some cases an attacker can use special requests to get a response to an NTLM/LM request.

You can set the preferred authentication type using the domain GPO. Open the Group Policy Management Editor (gpmc.msc) and edit the Default Domain Controllers Policy. Go to the GPO section Computer Configurations -> Policies -> Windows Settings -> Security Settings -> Local Policies -> Security Options and find the policy Network Security: LAN Manager authentication level.

Network Security: LAN Manager authentication level - disable ntlm v1 and lm

There are 6 options to choose from in the policy settings::

Send LM & NTLM responses;
Send LM & NTLM responses – use NTLMv2 session security if negotiated;
Send NTLM response only;
Send NTLMv2 response only;
Send NTLMv2 response only. Refuse LM;
Send NTLMv2 response only. Refuse LM& NTLM.

The NTLM authentication options are listed in the order of their security improvement. By default, Windows 7 and later operating systems use the option Send NTLMv2 response only. If this option is enabled, client computers use NTLMv2 authentication, but AD domain controllers accept LM, NTLM, and NTLMv2 requests.

NTLMv2 can be used where the Kerberos protocol has failed and for some operations (for example, managing local groups and accounts on the domain-joined computers) or in workgroups.

You can change the policy value to the most secure option 6 : “Send NTLMv2 response only. Refuse LM & NTLM”. This policy causes domain controllers to reject LM and NTLM requests as well.

You can also disable NTLMv1 through the registry. To do this, create a DWORD parameter with the name LmCompatibilityLevel with a value between 0 and 5 under the registry key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa. Value 5 corresponds to the policy option “Send NTLMv2 response only. Refuse LM NTLM”.

Make sure that the Network security: Do not store LAN Manager hash value on next password change policy is enabled in the same GPO section. It is enabled by default starting with Windows Vista / Windows Server 2008 and prevents the creation of an LM hash.

Once you have ensured that you are not using NTLMv1, you can go further and try to disable NTLMv2. NTLMv2 is a more secure authentication protocol but loses significantly to Kerberos in terms of security (although there are fewer vulnerabilities in NTLMv2 than in the NTLMv1, but there is still a chance of capturing and reusing data, as well as it doesn’t support mutual authentication).

The main risk of disabling NTLM is the potential use of legacy or misconfigured applications that may still be using NTLM authentication. If this is the case, they will need to be updated or specially configured to switch to Kerberos.

If you have a Remote Desktop Gateway server on your network, you will need to make an additional configuration to prevent clients from connecting using NTLMv1. Create a registry entry:

REG add "HKLM\Software\Microsoft\Windows NT\CurrentVersion\TerminalServerGateway\Config\Core" /v EnforceChannelBinding /t REG_DWORD /d 1 /f

Restrict NTLM Completely and Use Kerberos Authentication in an AD

To check how authentication works in different applications in a domain without using NTLM, you can add the accounts of the required users to the Protected Users domain group (it is available since the Windows Server 2012 R2 release). Members of this security group can only authenticate using Kerberos (NTLM, Digest Authentication, or CredSSP are not allowed). This allows you to verify that Kerberos user authentication is working correctly in different apps.

Then you can completely disable NTLM on the Active Directory domain using the Network Security: Restrict NTLM: NTLM authentication in this domain policy.

The policy has 5 options:

Disable: the policy is disabled (NTLM authentication is allowed in the domain);
Deny for domain accounts to domain servers: the domain controllers reject NTLM authentication attempts for all servers under the domain accounts, and the “NTLM is blocked” error message is displayed;
Deny for domain accounts: the domain controllers are preventing NTLM authentication attempts for all domain accounts, and the “NTLM is blocked” error appears;
Deny for domain servers: NTLM authentication requests are denied for all servers unless the server name is on the exception list in the “Network security: Restrict NTLM: Add server exceptions for NTLM authentication in this domain” policy;
Deny all: the domain controllers block all NTLM requests for all domain servers and accounts.

GPO: Network Security: Restrict NTLM: NTLM authentication in this domain

Although NTLM is now disabled on the domain, it is still used to process local logins to computers (NTLM is always used for local user logons).

You can also disable incoming and outgoing NTLM traffic on domain computers using separate Default Domain Policy options:

Network security: Restrict NTLM: Incoming NTLM traffic = Deny all accounts
Network security: Restrict NTLM: Outgoing NTLM traffic to remote servers = Deny all

After enabling auditing, Event Viewer will also display EventID 6038 from the LsaSRV source when using NTLM for authentication:

Microsoft Windows Server has detected that NTLM authentication is presently being used between clients and this server. This event occurs once per boot of the server on the first time a client uses NTLM with this server.
NTLM is a weaker authentication mechanism. Please check:
Which applications are using NTLM authentication?
Are there configuration issues preventing the use of stronger authentication such as Kerberos authentication?
If NTLM must be supported, is Extended Protection configured?

eventid 6038 from lsasrv source: NTLM authentication is presently being used between clients and this server

You can check that Kerberos is used for user authentication with the command:

klist sessions

klist session - check authentication protocol used

This command shows that all users are Kerberos-authenticated (except the built-in local Administrator, who is always authenticated using NTLM).

If you are experiencing a lot of user account lockout events after disabling NTLM, take a close look at the events with ID 4771 (Kerberos pre-authentication failed). Check the Failure Code in the error description. This will indicate the reason and source of the lock.

To further improve Active Directory security, I recommend reading these articles:

Securing administrator accounts in Active Directory
How to Disable LLMNR and NetBIOS over TCP/IP?

Source :
https://woshub.com/disable-ntlm-authentication-windows/

8 Essential Tips for Data Protection and Cybersecurity in Small Businesses

Michelle Quill — June 6, 2023

Small businesses are often targeted by cybercriminals due to their lack of resources and security measures. Protecting your business from cyber threats is crucial to avoid data breaches and financial losses.

Why is cyber security so important for small businesses?

Small businesses are particularly in danger of cyberattacks, which can result in financial loss, data breaches, and damage to IT equipment. To protect your business, it’s important to implement strong cybersecurity measures.

Here are some tips to help you get started:

One important aspect of data protection and cybersecurity for small businesses is controlling access to customer lists. It’s important to limit access to this sensitive information to only those employees who need it to perform their job duties. Additionally, implementing strong password policies and regularly updating software and security measures can help prevent unauthorized access and protect against cyber attacks. Regular employee training on cybersecurity best practices can also help ensure that everyone in the organization is aware of potential threats and knows how to respond in the event of a breach.

When it comes to protecting customer credit card information in small businesses, there are a few key tips to keep in mind. First and foremost, it’s important to use secure payment processing systems that encrypt sensitive data. Additionally, it’s crucial to regularly update software and security measures to stay ahead of potential threats. Employee training and education on cybersecurity best practices can also go a long way in preventing data breaches. Finally, having a plan in place for responding to a breach can help minimize the damage and protect both your business and your customers.

Small businesses are often exposed to cyber attacks, making data protection and cybersecurity crucial. One area of particular concern is your company’s banking details. To protect this sensitive information, consider implementing strong passwords, two-factor authentication, and regular monitoring of your accounts. Additionally, educate your employees on safe online practices and limit access to financial information to only those who need it. Regularly backing up your data and investing in cybersecurity software can also help prevent data breaches.

Small businesses are often at high risk of cyber attacks due to their limited resources and lack of expertise in cybersecurity. To protect sensitive data, it is important to implement strong passwords, regularly update software and antivirus programs, and limit access to confidential information.

It is also important to have a plan in place in case of a security breach, including steps to contain the breach and notify affected parties. By taking these steps, small businesses can better protect themselves from cyber threats and ensure the safety of their data.

Tips for protecting your small business from cyber threats and data breaches are crucial in today’s digital age. One of the most important steps is to educate your employees on cybersecurity best practices, such as using strong passwords and avoiding suspicious emails or links.

It’s also important to regularly update your software and systems to ensure they are secure and protected against the latest threats. Additionally, implementing multi-factor authentication and encrypting sensitive data can add an extra layer of protection. Finally, having a plan in place for responding to a cyber-attack or data breach can help minimize the damage and get your business back on track as quickly as possible.

Small businesses are attackable to cyber-attacks and data breaches, which can have devastating consequences. To protect your business, it’s important to implement strong cybersecurity measures. This includes using strong passwords, regularly updating software and systems, and training employees on how to identify and avoid phishing scams.

It’s also important to have a data backup plan in place and to regularly test your security measures to ensure they are effective. By taking these steps, you can help protect your business from cyber threats and safeguard your valuable data.

To protect against cyber threats, it’s important to implement strong data protection and cybersecurity measures. This can include regularly updating software and passwords, using firewalls and antivirus software, and providing employee training on safe online practices. Additionally, it’s important to have a plan in place for responding to a cyber attack, including backing up data and having a designated point person for handling the situation.

In today’s digital age, small businesses must prioritize data protection and cybersecurity to safeguard their operations and reputation. With the rise of remote work and cloud-based technology, businesses are more vulnerable to cyber attacks than ever before. To mitigate these risks, it’s crucial to implement strong security measures for online meetings, advertising, transactions, and communication with customers and suppliers. By prioritizing cybersecurity, small businesses can protect their data and prevent unauthorized access or breaches.

Here are 8 essential tips for data protection and cybersecurity in small businesses.

1. Train Your Employees on Cybersecurity Best Practices

Your employees are the first line of defense against cyber threats. It’s important to train them on cybersecurity best practices to ensure they understand the risks and how to prevent them. This includes creating strong passwords, avoiding suspicious emails and links, and regularly updating software and security systems. Consider providing regular training sessions and resources to keep your employees informed and prepared.

2. Use Strong Passwords and Two-Factor Authentication

One of the most basic yet effective ways to protect your business from cyber threats is to use strong passwords and two-factor authentication. Encourage your employees to use complex passwords that include a mix of letters, numbers, and symbols, and to avoid using the same password for multiple accounts. Two-factor authentication adds an extra layer of security by requiring a second form of verification, such as a code sent to a mobile device, before granting access to an account. This can help prevent unauthorized access even if a password is compromised.

3. Keep Your Software and Systems Up to Date

One of the easiest ways for cybercriminals to gain access to your business’s data is through outdated software and systems. Hackers are constantly looking for vulnerabilities in software and operating systems, and if they find one, they can exploit it to gain access to your data. To prevent this, make sure all software and systems are kept up-to-date with the latest security patches and updates. This includes not only your computers and servers but also any mobile devices and other connected devices used in your business. Set up automatic updates whenever possible to ensure that you don’t miss any critical security updates.

4. Use Antivirus and Anti-Malware Software

Antivirus and anti-malware software are essential tools for protecting your small business from cyber threats. These programs can detect and remove malicious software, such as viruses, spyware, and ransomware before they can cause damage to your systems or steal your data. Make sure to install reputable antivirus and anti-malware software on all devices used in your business, including computers, servers, and mobile devices. Keep the software up-to-date and run regular scans to ensure that your systems are free from malware.

5. Backup Your Data Regularly

One of the most important steps you can take to protect your small business from data loss is to back up your data regularly. This means creating copies of your important files and storing them in a secure location, such as an external hard drive or cloud storage service. In the event of a cyber-attack or other disaster, having a backup of your data can help you quickly recover and minimize the impact on your business. Make sure to test your backups regularly to ensure that they are working properly and that you can restore your data if needed.

6. Carry out a risk assessment

Small businesses are especially in peril of cyber attacks, making it crucial to prioritize data protection and cybersecurity. One important step is to assess potential risks that could compromise your company’s networks, systems, and information. By identifying and analyzing possible threats, you can develop a plan to address security gaps and protect your business from harm.

For Small businesses making data protection and cybersecurity is a crucial part. To start, conduct a thorough risk assessment to identify where and how your data is stored, who has access to it, and potential threats. If you use cloud storage, consult with your provider to assess risks. Determine the potential impact of breaches and establish risk levels for different events. By taking these steps, you can better protect your business from cyber threats

7. Limit access to sensitive data

One effective strategy is to limit access to critical data to only those who need it. This reduces the risk of a data breach and makes it harder for malicious insiders to gain unauthorized access. To ensure accountability and clarity, create a plan that outlines who has access to what information and what their roles and responsibilities are. By taking these steps, you can help safeguard your business against cyber threats.

8. Use a firewall

For Small businesses, it’s important to protect the system from cyber attacks by making data protection and reducing cybersecurity risk. One effective measure is implementing a firewall, which not only protects hardware but also software. By blocking or deterring viruses from entering the network, a firewall provides an added layer of security. It’s important to note that a firewall differs from an antivirus, which targets software affected by a virus that has already infiltrated the system.

Small businesses can take steps to protect their data and ensure cybersecurity. One important step is to install a firewall and keep it updated with the latest software or firmware. Regularly checking for updates can help prevent potential security breaches.

Conclusion

Small businesses are particularly vulnerable to cyber attacks, so it’s important to take steps to protect your data. One key tip is to be cautious when granting access to your systems, especially to partners or suppliers. Before granting access, make sure they have similar cybersecurity practices in place. Don’t hesitate to ask for proof or to conduct a security audit to ensure your data is safe.

Source :
https://onlinecomputertips.com/support-categories/networking/tips-for-cybersecurity-in-small-businesses/

Change Your Windows Folder Colors and Icons

Cindy Thomas — June 19, 2023

As you probably know, Windows keeps your files into folders that can also contain subfolders. By using folders, you can keep your computer organized by placing files of certain types in their own folders, such as files for a school project or sales meeting. And of course you can create these folders and subfolders as needed and copy or move your files in and out of them.

You have probably also noticed that all of these folders look the same with the exception of the Windows user folders for Documents, Downloads, Pictures and so on as seen below.

Another thing that will affect how your folders look is the view that you have applied to them. You can set your folder views to show them as a list or as icons of various sizes. When you use one of the icon views, you might see a file preview icon on the folder based on what types of files are in the folder itself. This icon can also change when you add or remove files from the folder. Empty folders will not have any file preview icons on them.

If you are looking for some extra customization, then you can try out the free Folder Marker software which will allow you to apply colors to specific folders as well as custom icons. Once you download and install the software, you can apply color and icon changes by either adding folders to the main interface or by using the new right click context menu item that you will now have on your computer.

Change Your Windows Folder Colors and Icons

If you use the first method where you add or drag folders into the app itself, any changes you make will be applied to all folders in the list so you might want to use the right click method to apply changes to single folders.

If you would rather apply a custom icon to your folder rather than change its color, then you can do so from the Main tab in the app or simply by clicking the icon you like from the right click menu. The User Icons section is used to add your own custom icons if you happen to know how to create those.

The image below shows the same folders with some colors and icons applied to them. As you can see, they stand out much better than they did before the changes were made. If you were to move or copy a folder to a new location, its color or custom icon will stay with it so you don’t need to worry about having to change its appearance again.

If you change your mind and what to revert a folder back to its original look, you can do so by right clicking on it and choosing the Restore Default option. To revert all of your changes, you can open the app itself and then go to the Action menu and click on Rollback All Changes.

As you can see, Folder Marker is easy to use and is a quick way to customize your Windows folders and can really help with your file management tasks. You can download the program from their website here.

Source :
https://onlinecomputertips.com/support-categories/windows/change-your-windows-folder-colors-and-icons/

Export Your Google Sites Website to Your Computer

Preston Mason — January 12, 2023

Everyone who uses a computer knows that Google has a service or an app for just about anything you think of. And for those who want an easy way to create websites, they also have their free online website creation tool called Google Sites which doesn’t require any coding skills or HTML knowledge to use. But if you want to backup your website, you will notice that there is no option to do so. In this article, we will show you how to export your google sites website to your computer.

If you are using traditional website development tools or software, you would generally be working on your individual HTML files and also be backing them up as needed. But with Google Sites, you are working within the Sites interface online and your website it stored in your Google Drive account.

The Backup Process

When you go to your Google Drive account and find your website, you will see that it appears as a single file just like a document or spreadsheet would appear. Then if you right click on it, there is no download option like you would see for other files.

To backup your Sites website, you will first need to make a copy of it within your Google Drive account and move to a different folder. Within Drive, click on the New button and then choose New folder. Name this folder something like Website Backup or whatever you would like.

Next, go to your website file in Drive, right click it and then choose the Make a copy option. This will make a copy of your website in the same location and will add copy of in front of the existing name.

Google Drive file right click options make a copy

You can then drag the copy to your new folder or right click on the copy and choose the Move to option and then choose your new folder. You can also move your original website file to this new folder if you don’t want to make the copy for the backup.

Using Google Takeout

After this copy is created, you can go to the Google Takeout website and just make sure you are logged in with the same Google account that you use for your website. Then the first thing you want to do is click on Deselect all since all of the checkboxes will be selected by default.

Then scroll down the list and look for Drive (not Classic Sites) and check the box and then click on All Drive data included.

Next you will uncheck the box that says Include all files and folders in Drive and check only the box next to the folder name that contains your website file and click OK.

Export Your Google Sites Website to Your Computer

Then you will need to scroll to the bottom of the page and click on the button that says Next step. Now you will be able to configure the export to either send a download link to your email address or add your backup to your Drive, OneDrive, Dropbox or Box account. I prefer the email option.

You can also setup this backup as a one time export or have it be exported every 2 months for the next year. For the export file type you can choose between zip and tgz file formats. If you have a really large website then the export will be split into 2GB files but your website is most likely much smaller than 2GB.

Once you have everything set correctly, you can click on the Create export button.

You will then be shown an export progress screen telling you that your will be sent an email when the export is complete. Even though it says it can possibly take days to complete, its usually fairly quick and might only take a few minutes.

Once you receive the email, you can click on the Download your files button or the Mange exports button to be taken back to the Google Takeout website to download your files.

After you download the zip file, you can then extract it and navigate to the location of your website files.

Source :
https://onlinecomputertips.com/support-categories/software/export-your-google-sites-website-to-your-computer/

Delegation of Control Best Practices

Good OU Design

Don’t use Built-in Security Groups

Delegate Control to Groups, NOT USERS

Use Descriptive Group Names

Audit AD Delegated Controls Yearly

Don’t Over Delegate Control (Use lease Privilege)

Delegate Password Reset and Unlock Permissions

Step 1: Create a New Active Directory Group

Step 2: Use Delegation of Control Wizard

Delegate Permissions to Modify Telephone Number

Delegate Permissions to Modify Group Membership

Delegate Control to Delete Computer Accounts

How to Audit Active Directory (ACL) Permissions

Summary

Recommended: Active Directory Permissions Reporting Tool

New Built-in Windows LAPS Overview

Deploying Local Administrator Password Solution in Active Directory Domain

Configure GPO to Change Local Administrator Passwords

LAPS: Get a Local Administrator Password on Windows

Number of Concurrent RDP Connections on Windows

RDP Wrapper: Enable Multiple RDP Sessions on Windows

RDP Wrapper Not Working on Windows

Patch the Termsrv.dll to Enable Multiple Remote Desktop Sessions

Multiple Concurrent RDP Connections in Windows 10 Enterprise Multi-session

How to Change Password Expiration Policy in Azure AD

Account Lockout Settings in Azure AD

Prevent Using Weak and Popular Passwords in Azure AD

Forensic analysis

Initial access and privilege escalation

Persistence

Reconnaissance

Credential access

Lateral movement

Data staging and exfiltration

Data encryption and destruction

Recommendations

Conclusion

Microsoft 365 Defender detections

Hunting queries

Indicators of compromise

Appendix

Further reading

Actor overview

Initial discovery and analysis of current activity

Actor techniques

Token forgery

Identity techniques for access

Actor tooling

Actor infrastructure

Post-compromise activity

Mitigation and hardening

Recommendations

Indicators of compromise

Further reading

How to Enable NTLM Authentication Audit Logging?

Configuring Active Directory to Force NTLMv2 via GPO

Restrict NTLM Completely and Use Kerberos Authentication in an AD

Why is cyber security so important for small businesses?

Here are some tips to help you get started:

Here are 8 essential tips for data protection and cybersecurity in small businesses.

1. Train Your Employees on Cybersecurity Best Practices

2. Use Strong Passwords and Two-Factor Authentication

3. Keep Your Software and Systems Up to Date

4. Use Antivirus and Anti-Malware Software

5. Backup Your Data Regularly

6. Carry out a risk assessment

7. Limit access to sensitive data

8. Use a firewall

Conclusion

The Backup Process

Using Google Takeout