Identifying Group Policy attacks

In this post we will be discussing Group Policy attacks, basing the threat hunt on a ransomware investigation undertaken by the Sophos X-Ops Incident Response team earlier this year. We will cover malicious behaviors associated with Active Directory and Group Policy attacks, showing you how to investigate and remediate some of these threats.  

Much of the material in this post is also covered in the video “Identifying Group Policy Attacks,” now showing on our new Sophos X-Ops YouTube channel. The video shows a hunt and remediation (using Sophos Live Response — a key feature of Sophos Intercept X Advanced with XDR, our standard investigation tool, though hunters can replicate these steps on any Windows shell).

This post walks through the same material, but provides the onscreen information in a reader-friendly format. 

The case 

In the Cyclops ransomware case under discussion, the threat actor gained initial access to the environment by leveraging a ProxyShell vulnerability to breach an unpatched Exchange server. Four days after achieving initial access, the threat actor began executing their attack using encoded PowerShell commands from the web shell on the Exchange server. 

The attacker proceeded to disable endpoint protection as a defense evasion technique, and to clear Windows event logs and internet browser history. The attacker then leveraged Remote Desktop Protocol (RDP) to perform lateral movement to additional machines on the network. Both Cobalt Strike command-and-control malware as well as AnyDesk remote access software were installed on multiple machines to maintain access. A day later, the attacker used their network access to exfiltrate data to multiple cloud storage hosting providers. 

After that, the attacker leveraged Active Directory Group Policy to distribute the Cyclops ransomware binary to machines on the domain, also creating a Group Policy to execute the ransomware binary using scheduled tasks. In the final stage of the attack, the attacker deleted volume shadow copy backups. Machines on the domain ran the scheduled task, executing the Cyclops ransomware binary, encrypting files, and leaving ransom notes.  

Why target Group Policy? 

Group Policy attacks are an indication of a larger Active Directory attack. In a Group Policy attack, threat actors may leverage existing Group Policy Objects, such as UNC path, to execute malicious payloads from less-secure locations preset on a GPO, or the interception of user passwords set via Group Policy with the vulnerable cpassword attribute. 

Once a threat actor has escalated privileges, they often create GPOs to accomplish goals at scale, such as disabling of core security software and features including firewalls, antivirus, security updates, and logging. They may also use GPOs for deployment of malicious tools through the creation of scheduled tasks, startup or login scripts, or services to maintain persistence and execute malware. 

Happy hunting 

Investigators begin a ransomware investigation-and-remediation process by collecting whatever victim testimonies and forensic data are available. Using the tools at hand, they search for indicators of compromise in the standard forensic artifacts, such as Windows event logs, PowerShell history, startup items, shellbags, scheduled tasks, shim cache, and so forth. 

When performing an analysis, if synchronized or reoccurring evidence is found, it may be a key indication of a Group Policy attack. For example, when a scheduled task or file execution is seen on multiple machines, it indicates remote execution or the use of Group Policy. When system logs indicating the use of software deployment tools or Windows Management Instrumentation are not present, it serves as an indication that Group Policy was likely compromised. This use of malicious synchronizing is especially evident during triage, when persistent scheduled tasks reappear on systems after being removed.  

Once a Group Policy attack is suspected, investigators should look at the Group Policy objects on the domain controller, using the PowerShell command get-GPO -All to list them all. Filtering those results

Get-GPO -All Sort-Object ModificationTime -Descending