
SysAdmin Magazine
Practical Guidance for Fighting IT Monsters

SysAdmin Magazine, October 2021

Issue 68, October 2021

Contents

• How to prevent a data breach
• Active Directory Certificate Services: Risky settings and how to remediate them
• What is password spraying, and how can you spot and block attacks?
• How to detect pass-the-hash attacks
• How to defend against ransomware with effective change control
• How to detect logons outside of trusted locations in Azure AD
• Free tool of the month: Netwrix Auditor for Network Devices

SysAdmin Magazine is a free source of knowledge for IT Pros who are eager to keep a tight grip on network security and do the job faster.

The Sysadmin Magazine team
sysadmin.magazine@netwrix.com


How to Prevent a Data Breach

Adam Stetson
Systems Engineer, Security Expert

Data breach prevention is a top priority for organizations of all sizes and across all sectors. A breach of sensitive information — whether it’s personal information like credit card and Social Security numbers, or proprietary information like intellectual property or financial forecasts — can have serious consequences. Anyone whose personal data is breached is at increased risk of identity theft and other misuse of the stolen data, and organizations that suffer a cybersecurity incident are likely to suffer compliance fines and other financial penalties, as well as loss of market share and reputation damage.

As the volume of information increases and the threat landscape evolves, answering the question of how to prevent a data breach can seem like an insurmountable challenge. But it’s not. Here are 9 great tips for protecting your business against data breaches.

1. Look to Regulations for Guidance

Data protection regulations like the Health Information Portability Act (HIPAA), the California Consumer Privacy Act (CCPA), and the Payment Card Industry Data Security Standard (PCI DSS) have specific requirements for how organizations must manage and protect sensitive data.

You should know which regulations your company is subject to and use their requirements to inform decisions about which data security controls to implement around each type of data. For example, if your company keeps data about credit card payments, you have to comply with PCI DSS; therefore, you need to make sure that all files and databases that contain customers’ credit card numbers are properly secured, and constantly monitor for suspicious activity around that data.

2. Establish a Formal Security Policy

Every organization should have a written information security policy that covers all aspects of how data is to be handled in their network: what data can be collected, how it must be managed, the retention period for each type of data, the level of security controls required for each data type, and so on.

To implement this policy, you need automated data discovery and classification. By identifying all sensitive information you create, process and store and classifying it by type, you’ll be empowered to protect it according to its value and sensitivity.

3. Create an Incident Response Plan

To respond effectively to security threats to your company’s data, you need a written and tested data breach response plan. NIST Special Publication 800-61 lays out the four fundamental steps that an incident response plan (IRP) needs to cover:

• Preparation
• Detection and analysis
• Containment, eradication and recovery
• Post-incident handling


4. Separate Business Accounts from Personal Accounts

Don’t allow employees to store or access corporate data using their personal accounts, especially when it comes to cloud services like Dropbox and OneDrive. Ensure that all services used within the organization are controlled by the IT team, not individual users, so you can ensure proper protection measures, including authentication and backups, are in place.

5. Enforce Restrictive Data Permissions

Only authorized personnel should have access to private data. Strictly enforcing the principle of least privilege — restricting the access rights of each employee, contractor and other user to the minimum required for them to do their job — helps you minimize your risk from both malicious insiders and attackers who compromise a user account.

6. Use Encryption

Data encryption is an often overlooked data security best practice, but it’s incredibly effective because it makes stolen data useless to thieves. Encryption can be software-based or hardware-based. It’s essential to encrypt data both at rest and in transit; in particular, make sure that all portable devices that could hold sensitive data are encrypted.

7. Regularly Audit Your Infrastructure

Periodic audits help you evaluate the effectiveness of your security controls and identify security risks. Experts recommend conducting audits at least twice a year, but they may be more frequent, such as quarterly or monthly. In addition to improving security, internal audits help you prepare for compliance audits.

8. Educate Employees

Cybersecurity is not solely the responsibility of IT and security teams. Every user needs to know about best practices for identifying threats and preventing data breaches. Indeed, a significant number of breaches are the direct result of someone inside the company making a mistake, like clicking on a phishing link or copying unencrypted data to a personal laptop. When MediaPro asked business users how they would handle various security-related scenarios, 75% of respondents “struggled with identifying best practices related to correct behaviors in cybersecurity and data privacy.” Educating users about how to protect sensitive data is critical to preventing breaches.

9. Perform Vulnerability Assessment

Vulnerability management must be part of your security strategy. Catalog all assets in your IT infrastructure, such as servers, computers and databases, and assign a value to each. Then identify the vulnerabilities and threats to each asset using techniques like vulnerability scanning and penetration testing. By assessing the likelihood and potential impact of each risk, you can prioritize measures for mitigating the most serious vulnerabilities for your most valuable resources.


Active Directory Certificate Services: Risky Settings and How to Remediate

Joe Dibley
Security Researcher at Stealthbits, now part of Netwrix

Active Directory Certificate Services has been around for a long time, but resources for learning it are not great. As a result, it often has misconfigurations that are an increasing vector for attacks. In fact, SpecterOps released a whitepaper detailing a number of misconfigurations and potential attacks and providing hardening advice. In this blog, I cover several of the settings that can be misconfigured and how to spot them, offer several options for further hardening security, and explain how to use a free tool to check your environment.

Background

When an authentication-based certificate is issued to an identity, the certificate can be used to authenticate as the identity set in the Subject Alternative Name (SAN); this is usually a UPN or DNS name. The certificate is then used in lieu of a password for initial authentication. The technical reference for this initial authentication is RFC4556 if you want to find out more detail.

Once an authentication-based certificate has been issued, it can be used to authenticate as the subject until it is revoked or expired. This will circumvent incident response plans that rely on strategies like resetting the user’s password to kick out an attacker; the attacker can have persistent access to the account unless the certificates are also revoked.

Risky Template Settings

Here are some of the certificate template settings that can lead to misconfigurations.

Authentication Based EKUs

First, look for Enhanced Key Usages (EKUs) that enable any kind of domain-level authentication. Here is a brief list:

• Any Purpose (2.5.29.37.0)
• SubCA (None)
• Client Authentication (1.3.6.1.5.5.7.3.2)
• PKINIT Client Authentication (1.3.6.1.5.2.3.4)
• Smart Card Logon (1.3.6.1.4.1.311.20.2.2)

The easiest way to manually find all of your certificate templates that allow this is to open the Certificate Authority MMC Snap-in, connect to your Certificate Authority, look at the Certificate Template section and scan the Intended Purpose column for any of these authentication EKUs. For example, the figure below shows that the Computer, Copy of Smartcard Logon and both Domain Controller templates contain at least one of these EKUs.

After you address the templates you find, be sure to keep in mind that there are ways to abuse normal certificates as well. For example, PoshADCS’s Get-SmartCardCertificate function can modify a template, request certificates for it and then revert the changes to the template.


“Enrollee Supplies Subject” Flag

When the flag CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT is present in the mspki-certificate-name-flag property, the enrollee of the certificate can supply their own alternative Subject Name in the certificate signing request. This means that any user who is allowed to enroll in a certificate with this setting can request a certificate as any user in the network, including a privileged user.

You can check this flag in the Certificate Template console; it’s under the Subject Name tab as the “Supply in the request” radio option.

Alternatively, you can use a PowerShell command like the following to get the templates from AD and check whether the flag is set in the certificate:

    Get-ADObject -Filter { ObjectClass -eq "pKICertificateTemplate" } -SearchBase (Get-ADRootDSE).ConfigurationNamingContext -Properties * |
        Select-Object Name, 'mspki-certificate-name-flag', @{ Name = "SupplyInRequest"; Expression = { $_.'mspki-certificate-name-flag' -band 0x00000001 } }

Further Reducing Risk

In addition to correcting certificate misconfigurations, consider using the following options to control the issuing of certificates.

CA Certificate Manager Approval or Authorized Signatures

First and probably most important, look at the Issuance Requirements tab on each certificate template to see if it requires approval from the Certificate Authority (CA) manager or one or more authorized signatures. Enabling one or both of these settings can greatly reduce risk by requiring checks before certificates are issued. If you are unsure about requiring authorized signatures, at least require CA certificate manager approval; then every time a certificate is requested, it will go to the Certificate Authority for manual review before being issued.

Enrollment Permissions

Second, look at the enrollment permissions in each template, which can be found on the Security tab. Many misconfigurations are critical only when generic principals or large groups have these permissions. In particular, check for Authenticated Users, Domain Users and any large group of users who shouldn’t be able to request certificates; if you find them, consider revoking their Enroll or AutoEnroll permissions.

EDITF_ATTRIBUTESUBJECTALTNAME2 Registry Key

Last, check the EDITF_ATTRIBUTESUBJECTALTNAME2 registry setting. This setting is one of the most interesting: if it is enabled on the CA, then any authentication-based certificate that is issued (including certificates where the subject is automatically built from Active Directory) can have user-defined values in the SAN.

To check this setting, you can run this command:

    certutil -getreg policy\EditFlags

If EDITF_ATTRIBUTESUBJECTALTNAME2 is in the output list, you should remove it using this command:

    certutil -config "CA CONNECTION STRING" -setreg policy\EditFlags -EDITF_ATTRIBUTESUBJECTALTNAME2

Further guidance on this setting can be found here.
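The checks above (authentication EKUs, the “Supply in the request” flag, enrollment rights held by broad groups, and the CA EditFlags value) can be run in one pass. The following script is an added example written for this issue, not code from the article or from PSPKIAudit; it assumes the ActiveDirectory RSAT module, that the template container sits at its default location under the Configuration naming context, and that the list of “broad” principals and the two enrollment right GUIDs (Certificate-Enrollment and Certificate-AutoEnrollment) apply unchanged in your forest.

```powershell
# Added example, not from the article: sweep every certificate template for the three
# template-level risks discussed above, then check the CA's EditFlags value.
Import-Module ActiveDirectory

# EKU OIDs from the article's list. A template with NO EKU behaves like Any Purpose.
$AuthEkus = @{
    '2.5.29.37.0'            = 'Any Purpose'
    '1.3.6.1.5.5.7.3.2'      = 'Client Authentication'
    '1.3.6.1.5.2.3.4'        = 'PKINIT Client Authentication'
    '1.3.6.1.4.1.311.20.2.2' = 'Smart Card Logon'
}
$CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT = 0x00000001

# Control-access-right GUIDs for Certificate-Enrollment and Certificate-AutoEnrollment.
$EnrollGuids = @('0e10c968-78fb-11d2-90d4-00c04f79dc55', 'a05b8cc2-17bc-11d1-ba83-0000f80ddb12')
# Assumption: principals too broad to hold enrollment rights on an authentication template.
$BroadPrincipals = @('Authenticated Users', 'Domain Users', 'Domain Computers', 'Everyone')

$configNC     = (Get-ADRootDSE).configurationNamingContext
$templateBase = "CN=Certificate Templates,CN=Public Key Services,CN=Services,$configNC"
$templates    = Get-ADObject -SearchBase $templateBase -Filter { objectClass -eq 'pKICertificateTemplate' } `
                    -Properties pKIExtendedKeyUsage, 'msPKI-Certificate-Name-Flag', nTSecurityDescriptor

$report = foreach ($t in $templates) {
    # 1. Does the template allow domain authentication at all?
    $ekus = @($t.pKIExtendedKeyUsage)
    $authNames = @(foreach ($oid in $ekus) { if ($AuthEkus.ContainsKey($oid)) { $AuthEkus[$oid] } })
    if ($ekus.Count -eq 0) { $authNames = @('(no EKU: any purpose / SubCA)') }

    # 2. Can the enrollee choose the subject / SAN?
    $nameFlag        = [int]$t.'msPKI-Certificate-Name-Flag'
    $suppliesSubject = ($nameFlag -band $CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT) -ne 0

    # 3. Which broad principals hold Enroll/AutoEnroll, or rights to rewrite the template?
    $broad = @(foreach ($ace in $t.nTSecurityDescriptor.Access) {
        $who    = $ace.IdentityReference.Value.Split('\')[-1]
        $enroll = ($ace.ObjectType.ToString() -in $EnrollGuids) -or
                  ($ace.ActiveDirectoryRights -match 'GenericAll|WriteDacl|WriteOwner')
        if ($ace.AccessControlType -eq 'Allow' -and $enroll -and ($who -in $BroadPrincipals)) { $who }
    })

    [pscustomobject]@{
        Template        = $t.Name
        AuthEKUs        = ($authNames -join ', ')
        SupplyInRequest = $suppliesSubject
        BroadEnroll     = (($broad | Sort-Object -Unique) -join ', ')
        # Risky = usable for logon AND (caller-controlled subject OR broad enrollment rights)
        Risky           = ($authNames.Count -gt 0) -and ($suppliesSubject -or $broad.Count -gt 0)
    }
}

$report | Where-Object { $_.AuthEKUs } | Sort-Object Risky -Descending | Format-Table -AutoSize

# CA-level flag from the article: the output must NOT list EDITF_ATTRIBUTESUBJECTALTNAME2.
certutil -getreg policy\EditFlags | Select-String 'EDITF_ATTRIBUTESUBJECTALTNAME2'
```

Templates that show Risky = True are the ones to fix first, by removing the flag, tightening the Security tab, or adding CA manager approval as described in the next section; a template that grants GenericAll or WriteDacl to a broad group is listed as well, because, as noted above, the template itself can be modified and restored.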


Checking for Risky Settings using PSPKIAudit

The PSPKIAudit tool can help you audit your PKI infrastructure. To use PSPKIAudit, simply download the tool from GitHub, import the module and run the Invoke-PKIAudit command. This will enumerate the Certificate Authority from Active Directory and then query it for some of the default options.

Below are a couple of screenshots showing the output of this tool, which reveals a misconfigured certificate and misconfigurations on the CA. If PSPKIAudit picks up any misconfigurations not covered in this post, check the SpecterOps paper for remediation advice.


What Is Password Spraying, and How Can You Spot and Block Attacks?

Ryan Brooks
Cybersecurity Expert, Netwrix Product Evangelist

In 2019, a data heist at Citrix shook the cybersecurity world. The attackers stole business documents from a shared network drive and from a drive associated with a web-based tool used in Citrix’s consulting practice. The hackers gained this access to Citrix’s IT infrastructure through a password spraying attack, a technique that exploits weak passwords, leading to criticism that the software giant needlessly compromised its clients by failing to establish a sound password strategy.

Citrix is far from the only enterprise that falls short with password security. When a threat research team scanned all Microsoft user accounts in early 2019, they discovered that 44 million users were using the same usernames and passwords that had already been leaked online after security breaches at other online services. This tendency is alarming, as the 2020 Data Breach Investigations Report reveals that over 80 percent of hacking-related breaches involve either stolen (or lost) credentials or brute-force attacks.

Password spraying attacks cannot be prevented, but they can be detected and even stopped in their tracks. In this article, we explain how this type of attack unfolds, how you can spot attacks in progress and how you can mitigate your risk of becoming the next victim.

What Is a Password Spraying Attack?

Typical brute-force attacks target a single account, testing multiple passwords to try to gain access. Modern cybersecurity protocols can detect this suspicious activity and lock out an account when too many failed login attempts occur in a short period of time.

Password spraying flips the conventional strategy by attempting to log on to multiple user accounts using many common passwords. Trying a single password on many different accounts before attempting another password on the same accounts circumvents normal lockout protocols, enabling the attacker to keep trying more and more passwords.

Unfortunately, password spray attacks are frequently successful because so many users fail to follow password best practices. In fact, the 200 most common passwords leaked in data breaches in 2019 included obvious number combinations such as “12345”, common female first names, and the word “password” itself. Any attacker who targets a sufficiently large number of usernames and works with a large enough bank of common passwords is bound to be able to compromise some accounts.

While casting a wide net is likely to return at least a few successes, today’s savvy hackers rely on a more precise approach. They set their sights on users who use single sign-on (SSO) authentication, hoping to guess credentials that will give them access to multiple systems or applications. They also commonly target users that use cloud services and applications utilizing federated authentication. This approach can enable attackers to move laterally, since federated authentication can help mask malicious traffic.


Once an account has been compromised in a password spraying attack, the victim may suffer temporary or permanent loss of sensitive information. For organizations, a successful attack might also mean disrupted operations, significant revenue losses and reputational damage.

How to Detect a Password Spraying Attack

Although conventional countermeasures might not automatically detect password spraying attacks, there are several reliable indicators to look for. The most obvious is a high number of authentication attempts, especially failed attempts due to incorrect passwords, within a short period of time. Naturally, a closely related indicator is a spike in account lockouts.

In many cases, password spraying leads to a sudden spike in attempted logins involving SSO portals or cloud applications. Malicious parties may use automated tools to attempt thousands of logons within a brief period of time. Often, these attempts come from a single IP address or a single device.

How to Mitigate the Risk of Falling Victim to a Password Spraying Attack

While it’s critical to be able to promptly detect successful attacks, allowing attackers even brief access to sensitive data can prove devastating. A sound cybersecurity strategy requires a comprehensive, proactive approach that ensures layered protection to block as many attacks as possible. Be sure to follow these best practices:

▪ Require multi-factor authentication for all users.
▪ Ensure all passwords abide by National Institute of Standards and Technology (NIST) guidelines.
▪ Establish sound policies for resetting passwords after account lockouts.
▪ Develop a defensible password strategy for shared accounts.
▪ Conduct regular user training to ensure all users understand the threat of password spraying and how they can devise and maintain secure passwords.

How Netwrix Solutions Can Help

The best way to defend your organization against password spraying attacks is to invest in an IT security tool that can reliably detect and block these attacks with comprehensive auditing, alerting and reporting.

Netwrix Auditor can alert you to a wide variety of suspicious activity, including events indicative of a password spraying attack, so you can respond immediately to protect your systems and data. Moreover, it delivers powerful auditing and reporting. Key features include:

▪ Active Directory auditing and alerting. Netwrix Auditor tracks Active Directory logins and other user activity, including all successful and failed logon attempts. You can set up alerts on activity you deem suspicious, including single actions like a user gaining admin privileges or a sequence of actions within a specified timeframe, such as more than 4 failed login attempts within 1 minute. You can also easily review the full logon history of any user.
▪ User behavior analytics. A consolidated view of unusual activity and ranking of risk actors makes it easier to spot compromised accounts and malicious insiders early, so you can take action to avoid security
▪ User behavior and blind spot analysis. Spot malicious actors sneaking around your environment by easily scrutinizing user activity outside of standard hours, logon attempts by multiple users from a single endpoint, and logon attempts by a single user from multiple endpoints.

Netwrix Auditor also helps you fortify your security posture so you are less vulnerable to password spraying attacks in the first place. In particular, you can:

▪ Enforce password policy best practices with complete visibility into policy settings and alerts on changes.
▪ Track Azure AD password resets to maintain strong security in the cloud.
▪ Discover and secure accounts that do not require passwords or whose passwords are set to never expire.
▪ Identify and disable inactive accounts before they can be exploited by attackers.

In short, with Netwrix Auditor, it’s possible to catch malicious players early on — and proactively block them from getting into your network in the first place.
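The detection indicators described above (many failed logons with wrong passwords in a short window, coming from one source and touching many accounts) can be turned into a concrete check. The script below is an added example written for this issue, not code from the article or from Netwrix Auditor. It assumes domain controller Security logs with event 4625 enabled, uses the SubStatus value 0xC000006A (wrong password) to select the relevant failures, and runs on a small constructed sample so the logic can be seen without a live domain; thresholds are assumptions to tune.

```powershell
# Added example, not from the article: find password-spraying patterns in failed logons.
# A spray is ONE source touching MANY distinct accounts with few failures each inside a
# short window; a classic brute force is the reverse (one account, many failures).
function Find-PasswordSpray {
    param(
        [Parameter(Mandatory)] [object[]] $FailedLogons,  # objects with Time, Account, Source
        [int] $WindowMinutes = 10,                         # assumption: tune for your estate
        [int] $MinDistinctAccounts = 5
    )
    foreach ($group in ($FailedLogons | Group-Object Source)) {
        $sorted = @($group.Group | Sort-Object Time)
        # slide a window over this source's failures and measure the account fan-out
        for ($i = 0; $i -lt $sorted.Count; $i++) {
            $end      = $sorted[$i].Time.AddMinutes($WindowMinutes)
            $inWindow = @($sorted[$i..($sorted.Count - 1)] | Where-Object { $_.Time -le $end })
            $accounts = @($inWindow.Account | Sort-Object -Unique)
            if ($accounts.Count -ge $MinDistinctAccounts) {
                [pscustomobject]@{
                    Source           = $group.Name
                    WindowStart      = $sorted[$i].Time
                    Failures         = $inWindow.Count
                    DistinctAccounts = $accounts.Count
                    FailuresPerAcct  = [math]::Round($inWindow.Count / $accounts.Count, 2)
                }
                break   # one hit per source is enough to raise the alert
            }
        }
    }
}

# Pull wrong-password failures (4625, SubStatus 0xC000006A) from a DC's Security log.
function Get-FailedLogonRecords {
    param([datetime] $Since = (Get-Date).AddHours(-1))
    Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4625; StartTime = $Since } -ErrorAction SilentlyContinue |
        ForEach-Object {
            $d = @{}
            foreach ($item in ([xml]$_.ToXml()).Event.EventData.Data) { $d[$item.Name] = $item.'#text' }
            if ($d.SubStatus -eq '0xC000006A') {
                [pscustomobject]@{ Time = $_.TimeCreated; Account = $d.TargetUserName; Source = $d.IpAddress }
            }
        }
}

# Constructed sample: 203.0.113.7 sprays eight accounts once each within three minutes;
# 198.51.100.9 hammers one account eight times (brute force, not a spray).
$t0 = Get-Date '2021-10-01 09:00:00'
$sample = @(
    0..7 | ForEach-Object { [pscustomobject]@{ Time = $t0.AddSeconds($_ * 20); Account = "user$_"; Source = '203.0.113.7' } }
    0..7 | ForEach-Object { [pscustomobject]@{ Time = $t0.AddSeconds($_ * 20); Account = 'jdoe';    Source = '198.51.100.9' } }
)
Find-PasswordSpray -FailedLogons $sample | Format-Table -AutoSize
# Expected: one row for 203.0.113.7 (8 failures, 8 distinct accounts, 1 per account), none for 198.51.100.9.

# Live use on a domain controller:
# Find-PasswordSpray -FailedLogons (Get-FailedLogonRecords -Since (Get-Date).AddHours(-24))
```

The ratio of failures to distinct accounts is the discriminator: a spray sits near 1, a lockout-triggering brute force is high but touches one account and is already caught by lockout policy. Sources behind NAT or a VPN concentrator will show many accounts legitimately, so pair the alert with the workstation name from the same event before acting on it.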


How to Detect Pass-the-Hash Attacks

Jeff Warren
Security Expert, SVP of Products at Netwrix

Baselining Normal Events

To understand how to detect pass the hash we need to come up with a good scenario that will work reliably. Pass-the-Hash relies on NTLM authentication so we need a method that will leverage NTLM.

To reliably create NTLM authentication I used the Sqlcmd utility to connect to a Microsoft server by its IP address. This command will generate NTLM authentication to the SQL database:

    Sqlcmd -S [IP ADDRESS]

So, before we look at how to detect pass-the-hash, let’s get a baseline of what events are normally generated when performing NTLM logon activity. To do that from my PC workstation, I’ll first launch a new command prompt as an administrative user by using their actual password:

Now in the new command prompt, I will use Sqlcmd to connect to a SQL host. For good measure I will run the SELECT SYSTEM_USER command to show the user I am authenticated as:

Great! That worked. Now let’s see what logs get generated.


Workstation Logs

On my local workstation I will see the following events.

4648 – A logon was attempted using explicit credentials.

4624 – An account was successfully logged on.

The 4624 event gets logged to show a Logon Type of 2, which means an Interactive logon. This aligns with the way I used runas where I typed in the credentials interactively.


4672 – Special privileges assigned to new logon.

Because the Franklin Bluth account I am using is an administrative account, 4672 gets logged to show what privileges are being assigned. This is a useful way to track administrative account activity.

Target Server Logs

On my SQL server I see the following events:

4624 – An account was successfully logged on.

On the SQL Server now you see a similar 4624 event, however this one has a Logon Type of 3 which is a Network logon.

More importantly, this shows the Authentication Package used was NTLM. This confirms that we are performing NTLM authentication using this approach.

We also will see a 4672 event because the user account we are leveraging is a privileged account.


Domain Controller Logs

On the domain controller I will see signs of the user Franklin Bluth being authenticated. In this case, I will see artifacts of both Kerberos and NTLM authentication. The Kerberos authentication happens first, which is the default authentication method for Active Directory. That will generate two events:

4768 – A Kerberos authentication ticket (TGT) was requested.

This shows a request for a TGT from the domain controller for our user we are impersonating.

4769 – A Kerberos service ticket was requested.

Once we have our TGT we request a TGS for the host we are impersonating the user on. With this, our user Franklin can now interact with the PC to launch the command prompt.

4776 – The computer attempted to validate the credentials for an account.

The 4776 event is specific to NTLM and will come last. This occurs when we execute the command using Sqlcmd which forces NTLM authentication.

Here is a summary of the logs we see when performing NTLM authentication without using pass-the-hash. This gives us a baseline for normal behavior.


Pass-the-Hash Events

To perform a pass-the-hash test, we are going to do the same exercise, only this time instead of using Runas to launch a process as a user we’re going to use Mimikatz and the pass-the-hash command.

I can easily get the NTLM hash for the user Franklin from memory with the mimikatz command of:

    sekurlsa::logonpasswords

Now that I have that I will perform a pass-the-hash with the following command:

    sekurlsa::pth /user:Franklin.Bluth /ntlm:[ntlm] /domain:jefflab.local

A new command window will open and if I use the same Sqlcmd command to connect to the IP address of my SQL Server, you can see I am now authenticated there as Franklin Bluth:

So, let’s take a look at what events get generated after doing this pass-the-hash:


Workstation Logs

On my local workstation I will see events 4648, 4624, and 4672 the same as if I was doing legitimate NTLM authentication. However, there are a few key differences.

First, the 4624 event will have a Logon Type of 9. This is a NewCredential logon type and a very useful way to identify that a pass-the-hash took place. This was identified by a security researcher, and I reliably reproduced it in my lab.

Logon Type 9 is very rare. However, I was able to generate some false positives running applications that use impersonation. The main difference to key off of is the Logon Process will always be “seclogo” for pass-the-hash (from my tests), so you can filter on that to reduce false positive rates. You can see here I was able to get StealthAUDIT to generate the Logon Type 9 events but it uses the Advapi logon process.


Also, I noticed a difference in the 4672 event. Previously, this identified a privileged logon for my impersonated account Franklin Bluth. In this case, this registers for the user I am logged into my workstation as.

Outside of that, the logs on the SQL server are identical. On the domain controller the key difference is that you will not see Kerberos authentication. However, that isn’t a very reliable way to detect pass-the-hash because it can happen for lots of valid reasons like authentications originating from non-trusted domains.

So here is a summary of what we see when doing pass-the-hash.


Sysmon for the Win

To conclusively detect pass-the-hash I used Sysmon, which helps to monitor process access events. We used this in the honeypot detection as well so you can read up on how to set that up in that post.

With Sysmon in place when a pass-the-hash occurs you will see Event ID 10 showing access to the LSASS process from Mimikatz or your pass-the-hash tool of choice.

Building Detections for Pass-the-Hash

Now that we’ve looked at all the evidence, the simplest way to build detections for pass the hash is to look for:

• 4624 events on your workstations
  - Logon Type = 9
  - Authentication Package = Negotiate
  - Logon Process = seclogo
• Associated Sysmon 10 events for LSASS process access

With a custom event log filter you can easily see when these two things happen at the same exact time; when they do, you’ve got pass-the-hash activity on your network!


Here is a custom event filter you can use to surface that specific information.

    <QueryList>
      <Query Id="0" Path="Security">
        <Select Path="Security">
          *[System[(EventID='4624')]
            and EventData[Data[@Name='LogonType']='9']
            and EventData[Data[@Name='LogonProcessName']='seclogo']
            and EventData[Data[@Name='AuthenticationPackageName']='Negotiate']]
        </Select>
      </Query>
      <Query Id="1" Path="Microsoft-Windows-Sysmon/Operational">
        <Select Path="Microsoft-Windows-Sysmon/Operational">
          *[System[(EventID=10)]]
            and *[EventData[Data[@Name='GrantedAccess'] and (Data='0x1010' or Data='0x1038')]]
        </Select>
      </Query>
    </QueryList>

Hopefully that helps to shine some light on how to detect pass-the-hash using event logs. This does require enabling logging on all endpoints. For simpler detections of pass-the-hash that use more advanced techniques you may want to look at a third-party threat detection product like StealthDEFEND.
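The filter above surfaces both event types side by side, but the article’s detection is the pairing: a Logon Type 9 / seclogo / Negotiate 4624 and a Sysmon 10 LSASS access on the same host within seconds of each other. The script below is an added example written for this issue, not code from the article; it correlates the two signals on a constructed sample and includes a collector that reads live events from the Security and Sysmon logs. The correlation window, the host names, and the image path of the access tool in the sample are assumptions.

```powershell
# Added example, not from the article: pair the 4624 (type 9, seclogo, Negotiate) with a
# Sysmon 10 access to lsass.exe on the same host inside a short window.
function Find-PassTheHash {
    param(
        [Parameter(Mandatory)][object[]] $Logons,       # Time, Host, User   (filtered 4624s)
        [Parameter(Mandatory)][object[]] $LsassAccess,  # Time, Host, Image  (Sysmon 10, target lsass)
        [int] $WindowSeconds = 10                       # assumption: tune to your endpoints
    )
    foreach ($logon in $Logons) {
        $hits = @($LsassAccess | Where-Object {
            $_.Host -eq $logon.Host -and
            [math]::Abs(($_.Time - $logon.Time).TotalSeconds) -le $WindowSeconds
        })
        foreach ($h in $hits) {
            [pscustomobject]@{
                Host        = $logon.Host
                LogonTime   = $logon.Time
                User        = $logon.User
                AccessImage = $h.Image
                DeltaSec    = [math]::Round(($h.Time - $logon.Time).TotalSeconds, 1)
            }
        }
    }
}

# Flatten an event's <EventData><Data Name=...> elements into a hashtable.
function ConvertFrom-EventData {
    param([Parameter(Mandatory)] $Event)
    $d = @{}
    foreach ($i in ([xml]$Event.ToXml()).Event.EventData.Data) { $d[$i.Name] = $i.'#text' }
    $d
}

# Live collection from the two logs named in the article's filter.
function Get-PthSignals {
    param([datetime] $Since = (Get-Date).AddHours(-1))
    $logons = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4624; StartTime = $Since } -ErrorAction SilentlyContinue |
        ForEach-Object {
            $d = ConvertFrom-EventData $_
            if ($d.LogonType -eq '9' -and $d.LogonProcessName -eq 'seclogo' -and $d.AuthenticationPackageName -eq 'Negotiate') {
                [pscustomobject]@{ Time = $_.TimeCreated; Host = $_.MachineName; User = $d.TargetUserName }
            }
        }
    $lsass = Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-Sysmon/Operational'; Id = 10; StartTime = $Since } -ErrorAction SilentlyContinue |
        ForEach-Object {
            $d = ConvertFrom-EventData $_
            if ($d.TargetImage -like '*\lsass.exe') {
                [pscustomobject]@{ Time = $_.TimeCreated; Host = $_.MachineName; Image = $d.SourceImage }
            }
        }
    [pscustomobject]@{ Logons = @($logons); LsassAccess = @($lsass) }
}

# Constructed sample: WS01 shows a seclogo logon two seconds after an LSASS read by a
# tool; WS02 shows a lone type 9 logon with no LSASS access (no alert expected).
$t0 = Get-Date '2021-10-01 10:15:00'
$logons = @(
    [pscustomobject]@{ Time = $t0;                Host = 'WS01'; User = 'Franklin.Bluth' }
    [pscustomobject]@{ Time = $t0.AddMinutes(30); Host = 'WS02'; User = 'svc-audit' }
)
$lsass = @(
    [pscustomobject]@{ Time = $t0.AddSeconds(-2); Host = 'WS01'; Image = 'C:\Tools\mimikatz.exe' }
    [pscustomobject]@{ Time = $t0.AddMinutes(5);  Host = 'WS01'; Image = 'C:\Windows\System32\svchost.exe' }
)
Find-PassTheHash -Logons $logons -LsassAccess $lsass | Format-Table -AutoSize
# Expected: one row, WS01 / Franklin.Bluth / C:\Tools\mimikatz.exe / DeltaSec -2.

# Live use on an endpoint with Sysmon installed:
# $s = Get-PthSignals -Since (Get-Date).AddDays(-1)
# Find-PassTheHash -Logons $s.Logons -LsassAccess $s.LsassAccess
```

Requiring both signals on the same host is what keeps the Advapi-style false positives described above out of the result: an impersonating application produces the type 9 logon but never the LSASS read, and a legitimate LSASS reader (for example an endpoint agent) produces the Sysmon 10 but no seclogo logon.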


How to Defend Against Ransomware with Effective Change Control

Dirk Schrader
CISSP, CISM, ISO27001 Practitioner

“I would like, if I may, to take you on a strange journey”
The Criminologist, Rocky Horror Picture Show

Ransomware is a pressing threat for every organization today, regardless of size or sector. Attackers can slip ransomware into your network through email messages, malicious websites and more.

While there are many different strains of ransomware, from the venerable WannaCry to today’s REvil and Conti, attacks follow a common pattern:

Distribution → Infiltration → Preparation → Inspection → Encryption & Extortion

Understanding each of these stages is critical to minimizing your risk of falling victim to a successful ransomware attack. As we’ll see, the most important technical control to implement is change control.

This article explains all 5 Halloween-ish legs of the ransomware monster and details how Change Tracker can help you:

▪ Avoid being infected in the first place
▪ Detect an attack in progress
▪ Block an attack from progressing further

Leg 1: Initial encounter: The distribution phase

“Halloween was confusing. All my life my parents said, ‘Never take candy from strangers.’ And then they dressed me up and said, ‘Go beg for it.’”
Rita Rudner

The first stage of a ransomware infection is distribution, and Halloween provides a perfect metaphor. Parents say “Never take candy from strangers” but malicious strangers know that candy is almost irresistible to children. Similarly, security experts say “Never open strange emails and never click on unknown links” — but cybercriminals know exactly how to make emails and links so enticing that people can’t seem to resist opening them or clicking on them. That simple act is all that’s needed for successful ransomware delivery.


Attackers use two different strategies to distribute the initial ransomware payload (“dropper”):

▪ Casting a wide net. Some attacks try to reach as many victims as possible in the hope that some of them fall for the bait. For example, many phishing campaigns send emails to a broad swath of recipients, pretending to be from major vendors, such as Microsoft and financial institutions. GandCrab, REvil’s predecessor, is an example of a ransomware strain that relied heavily on phishing.
▪ Casting a narrow net. Other attacks target a more specific set of individuals using tactics like spear-phishing. For instance, attackers might send an email to all employees of a particular organization that’s designed to look like an official corporate communication, such as an urgent benefit enrollment message or a full mailbox notification. Conti, a ransomware-as-a-service (RaaS) threat, is often distributed through spear-phishing campaigns.

Of course, email is by no means the only ransomware distribution technique. Others include:

▪ Watering-hole attacks, which are a specific form of drive-by download in which an attacker compromises a website often used by a group of targets
▪ Exploit kits that attack critical system vulnerabilities
▪ Use of stolen or weak credentials (RDP credentials are the most recent favorite)
▪ Fake software like the infamous fake Adobe Flash Updater distributed using malverts (malicious advertisements)

[Figure: CT Tracking PrintNightmare Vulnerability]

Essential Defense Strategies

How to avoid being an easy victim for ransomware distribution

Know your estate and harden it. Using a software solution like Change Tracker, you can establish a secure baseline for all your IT assets and closely monitor them for any drift away from that baseline that could allow a ransomware dropper to take root. For example, by hardening the configuration settings of your Microsoft Word software, you can prevent malicious Word macros from distributing ransomware into your network.


[Figure: Baseline hardening / Compliance / Drift]

In addition, you should use threat intelligence or DNS filtering to block known malicious IP addresses used by ransomware attackers.

How to detect ransomware distribution

An effective detection strategy involves tapping into several sources:

▪ The consolidated data of all your system logs in a SIEM
▪ Threat intelligence
▪ Regular discussions with your peers
▪ A software solution like Change Tracker, which can detect the presence of a malicious dropper on your IT assets and alert you immediately

[Figure: SIEM integration; Malicious file drop]

23
Contents SysAdmin Magazine October 2021

How to block ransomware from progressing to the next stage (infiltration)

As soon as ransomware is detected in your IT ecosystem, the IT team needs to isolate each affected asset, remove the dropper, and verify the asset is no longer a threat before reconnecting it to the rest of the network.

Leg 2: There is more to come: The infiltration phase

You can’t argue with Zombies. They just keep coming at you.
Clive Barker

Once ransomware has been distributed, the attack proceeds to the infiltration stage. Often, the dropper will “call home” to download additional resources, such as DLLs or EXEs, by connecting to specific IP addresses. Or it might use existing resources to “live off the land.” Sometimes, it is a combination of both. Conti, for example, loads additional malware like Trickbot or Cobalt to prepare for the subsequent stages of the attack.

Essential Defense Strategies

How to detect ransomware infiltration

How to block the attack from progressing to the next stage (preparation)

Automation of your security operations is critical to blocking the download of the additional resources that the ransomware requires to progress to the next stage. The central element here is to contextualize information and events. Once the drop of a malicious file on a device is detected, the outside IP address should be added to your blacklist of IPs and the device should receive extra monitoring. It’s worth mentioning that, since ransomware usually starts within the context of a particular user’s rights, maintaining strict adherence to the least-privilege model is vital to limiting its ability to assemble the resources it needs.

Leg 3: Settling in: The preparation phase

Just because I cannot see it, doesn't mean I can't believe it!
Jack Skellington, The Nightmare Before Christmas

Next, ransomware seeks to harden its foothold on the first infected machine and begin the privilege escalation required for smooth operation of the remaining stages. The malware usually tries to be invisible by camouflaging its activities. Conti, for instance, has a wide range of built-in mechanisms to evade common detection methods. You might not see it, but you should certainly believe it’s happening.

Specifically, ransomware often makes use of modified DLLs, the command line or Windows PowerShell. In addition, it is not unusual for ransomware strains to attempt to disable known antivirus engines running on the infiltrated host.

Essential Defense Strategies

How to detect preparation activities

Watch for the use of modified or encrypted DLLs. Change Tracker can monitor changes to file integrity that can indicate an attempt to replace a known DLL with a compromised one. It can also detect and alert on activity indicative of ransomware preparation, including use of the command shell.

How to block ransomware from progressing to the next stage (inspection)

Segregate your network into zones, with internal, perhaps virtual, firewalls in place. So-called flat networks, where any device can see all other devices, make it easy for attackers to inspect the infrastructure. The firewall configurations can be verified with Change Tracker so that any unwanted change to allowed and blocked ports (as an example) does not go unnoticed.
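The baseline-and-drift idea behind both the “Know your estate and harden it” advice earlier in the article and the modified-DLL check in this section, as an added Python example that is not part of the article and not Change Tracker’s own code: it hashes monitored binaries while a host is known-good, then re-scans and reports any modified, added or removed file. The folder layout, file names and the set of monitored extensions are constructed assumptions.

```python
import hashlib
import tempfile
from pathlib import Path

# File types a ransomware preparation phase commonly touches (assumed choice).
MONITORED = ("*.dll", "*.exe", "*.ps1")

def file_digest(path: Path) -> str:
    """SHA-256 of a file's contents, hashed in chunks so large binaries stay cheap."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

def build_baseline(root: Path, patterns=MONITORED) -> dict:
    """Snapshot: relative path -> digest for every monitored file under root."""
    baseline = {}
    for pattern in patterns:
        for p in root.rglob(pattern):
            if p.is_file():
                baseline[p.relative_to(root).as_posix()] = file_digest(p)
    return baseline

def detect_drift(root: Path, baseline: dict) -> dict:
    """Re-scan root and report what changed relative to the stored baseline.
    A 'modified' DLL or a newly 'added' binary is the drift the text warns about."""
    current = build_baseline(root)
    return {
        "modified": sorted(k for k in baseline if k in current and current[k] != baseline[k]),
        "added": sorted(k for k in current if k not in baseline),
        "removed": sorted(k for k in baseline if k not in current),
    }

def demo() -> dict:
    """Constructed scenario: baseline a folder, then simulate a DLL swap, a dropped
    loader and a deleted service binary, and return the detected drift."""
    root = Path(tempfile.mkdtemp())
    app = root / "app"
    app.mkdir()
    (app / "crypto.dll").write_bytes(b"legitimate dll bytes")
    (app / "service.exe").write_bytes(b"legitimate exe bytes")
    baseline = build_baseline(root)            # taken while the host is known-good
    (app / "crypto.dll").write_bytes(b"trojanized dll bytes")   # known DLL replaced
    (app / "loader.dll").write_bytes(b"dropped payload")        # new file dropped
    (app / "service.exe").unlink()                              # binary removed
    return detect_drift(root, baseline)
```

Calling demo() returns the three drift lists; in production the baseline dict would be stored off-host (signed or read-only) so that the malware cannot rewrite it along with the binaries.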


In addition, consider restricting the network access of any device where potential preparation activities are detected in order to limit the ransomware’s ability to communicate and expand. This can be an automated measure within your security operations.

Leg 4: Infighting: The inspection phase

Find the enemy. Don’t let the enemy find you. Reconnaissance! Reconnaissance!
Tom Clancy

You might assume that this stage lasts for just a few seconds, just enough time to check whether there is any chance to propagate across the network and get to the encryption stage before being detected. With modern ransomware, however, the opposite is actually true — this stage can last days or even weeks.

Attackers have learned that roaming around to identify networking devices, file shares, databases and backup systems is well worth the time and effort, since the information gained can be invaluable in determining the best way to complete the attack. The good news is that it gives the victim organization additional opportunities to detect and block the attack.

Essential Defense Strategies

How to detect ransomware in the inspection stage

As attackers attempt to learn as much as possible about your infrastructure, they try to operate as stealthily as possible. Therefore, organizations need sensitive detection capabilities that can spot signs of suspicious activity in the vast sea of normal, legitimate activity. In particular, watch for unusual file operations; this is a particular strength of Change Tracker. A superior system and file integrity monitoring technology will distinguish between planned and unplanned, expected and unexpected, and benign and suspicious change patterns.

How to block ransomware from progressing to the final stages (encryption and extortion)

In most cases, the encryption phase is triggered by the ransomware’s command and control (C&C). Threat intelligence feeds and detailed monitoring of IP connections can help you identify that C&C center, even if the data is encrypted. SSL proxies can support that approach. By blocking the communication with the C&C center at your internal and external boundaries (i.e., firewalls) using the intelligence gathered about IP addresses used by the attackers, you might be able to prevent progression to the final stages of the ransomware infection.

Leg 5: Endgame: The encryption & extortion stages

Every day is Halloween, isn't it? For some of us.
Tim Burton

If ransomware hasn’t been detected and blocked in one of the earlier stages, it proceeds to encrypt your IT assets and demand a ransom for the decryption key.

Essential Defense Strategies

At this stage, detection is simple: You’ll be presented with the ransom demand. Unfortunately, paying the ransom does not guarantee you’ll get your data back (one report finds that just 8% do), and it can actually put your organization’s name at the top of the hackers’ list for future attacks (80% of victims who paid a ransom suffered another ransomware attack, and nearly half of them think it was the same attackers).

Therefore, the best defense in this stage is having a solid backup & recovery process that includes regular generation of backups that are stored offline, out of the reach of ransomware. In addition, you need forensics tools that help you determine how the infection took root and spread, so that you can take appropriate steps to mitigate those vulnerabilities and avoid a repeat attack.

Your last hope, as seen in the recent past, is a universal decryptor. But I must emphasize: Do not build your ransomware mitigation plan on the hope that you can get one when you need it. If it were easy to decrypt data and traffic, then VPNs, internet banking and everything else that uses encryption for good reason would not exist. It takes time to develop universal decryptors, and they work only on older versions of the ransomware; strains evolve on the fly by loading new encryption logic from the C&C center.

Conclusion: Putting the Pieces Together

No system is absolutely safe, and no IT solution or set of solutions can ensure perfect security. Nevertheless, by understanding the stages of a ransomware attack and taking the steps detailed here, you can dramatically mitigate your cybersecurity risks.

Change Tracker can be an invaluable part of your ransomware strategy by empowering you to implement and automate many of the tasks involved. In particular, it will constantly monitor your IT assets — including desktops, servers, infrastructure devices and cloud instances — for suspicious changes that could weaken your security posture or indicate a ransomware attack in progress. You can tune it and create your own tracking templates that will help you check for detailed indicators of compromise that indicate a malware attack in progress. To see Change Tracker in action for yourself, request a free trial.

Ransomware Mitigation Kit: Free Download

How-to for IT Pro

HOW TO DETECT LOGONS OUTSIDE OF TRUSTED LOCATIONS IN AZURE AD

1. Open portal.azure.com -> Click “Azure Active Directory”.

2. In the Monitoring section, click “Sign-ins”.

3. Click Download -> CSV.

4. Import the resulting file into Microsoft Excel:

• In Excel, click File -> Open -> Choose the file you just downloaded.
• In the Text Import Wizard, choose Data Type = “Delimited” and tick the “My data has headers” box -> Click Next.
• In the Delimiters section, tick “Comma” -> Click Next.
• Scroll through the fields preview and choose “Do not import column (skip)”, leaving only the following columns: Date (UTC), User, Username, IP address, Location, Status. (For more logon details, you can also leave the “Application”, “Resource”, “Authentication requirement”, “Browser”, “Operating System” fields checked.) -> Click “Finish”.

5. Filter by trusted locations (or IP addresses) using the “Location” (or “IP address”) column.

6. Review the results:
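The filtering in step 5, done as an added Python script instead of in Excel (this is not part of the article and not a Netwrix tool). It reads the same six columns the procedure keeps and returns every sign-in whose country is not on the trusted list and whose IP is outside the trusted ranges; the sample rows, the trusted countries and the trusted IP ranges are constructed assumptions.

```python
import csv
import io
import ipaddress

# Constructed sample in the shape of the portal's CSV export, keeping only the
# columns the procedure above retains. Users, addresses and locations are made up.
SAMPLE_CSV = """Date (UTC),User,Username,IP address,Location,Status
2021-10-04T08:12:31Z,Alice Example,alice@example.com,203.0.113.10,"Irvine, California, US",Success
2021-10-04T08:15:02Z,Bob Example,bob@example.com,198.51.100.7,"London, England, GB",Success
2021-10-04T09:01:45Z,Alice Example,alice@example.com,192.0.2.55,"Unknown, Unknown, RU",Success
2021-10-04T09:03:10Z,Carol Example,carol@example.com,192.0.2.56,"Unknown, Unknown, RU",Failure
2021-10-04T10:22:09Z,Bob Example,bob@example.com,10.20.30.40,"Dublin, Ohio, US",Success
"""

# Assumed trust policy: countries where the organization operates, plus office/VPN egress ranges.
TRUSTED_COUNTRIES = {"US", "GB"}
TRUSTED_NETWORKS = [ipaddress.ip_network("203.0.113.0/24"), ipaddress.ip_network("10.0.0.0/8")]

def country_of(location: str) -> str:
    """The export's Location column ends with the country code ("City, State, CC")."""
    return location.rsplit(",", 1)[-1].strip().upper()

def is_trusted(row: dict, countries, networks) -> bool:
    """A sign-in is trusted if its country is allowed or its IP falls in a trusted range."""
    if country_of(row["Location"]) in countries:
        return True
    try:
        addr = ipaddress.ip_address(row["IP address"].strip())
    except ValueError:
        return False  # unparsable or empty address: never treat as trusted
    return any(addr in net for net in networks)

def find_untrusted_logons(csv_text: str, countries=TRUSTED_COUNTRIES, networks=TRUSTED_NETWORKS) -> list:
    """Return the rows that step 5 would leave after filtering out trusted locations/IPs.
    Successful sign-ins are listed first: those are the ones to investigate immediately;
    failures from the same untrusted source hint at password guessing or spraying."""
    reader = csv.DictReader(io.StringIO(csv_text))
    hits = [
        {"when": r["Date (UTC)"], "user": r["Username"], "ip": r["IP address"],
         "location": r["Location"], "status": r["Status"]}
        for r in reader if not is_trusted(r, countries, networks)
    ]
    return sorted(hits, key=lambda h: h["status"] != "Success")
```

Point find_untrusted_logons at the text of the downloaded CSV to get the same list step 6 asks you to review.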


FREE TOOL OF THE MONTH

Netwrix Auditor for Network Devices

This free network audit software keeps you current on what’s happening on your network devices. Netwrix Auditor for Network Devices monitors network devices for configuration changes and logon attempts; catches scanning threats before attackers can take control of the network; and simplifies detection of hardware failures so you can quickly troubleshoot network traffic issues.

Download Free Tool

[On-Demand Webinar]

3 Modern Active Directory Attack Scenarios and How to Detect Them

The threat landscape is ever-changing and, in this deeply technical webinar, Microsoft MVP Randy Franklin Smith and STEALTHbits SVP Jeff Warren show you three Modern Active Directory Attacks and what you can do to detect them:

▪ Extracting Passwords through the Active Directory database (NTDS.dit)
▪ Kerberoasting
▪ DCSync

Randy Franklin Smith, CEO, Monterey Technology Group, Inc.
Jeff Warren, SVP, Products

Watch Now
About Netwrix

Netwrix is a software company that enables information security and governance professionals to reclaim control over sensitive, regulated and business-critical data, regardless of where it resides.

Over 10,000 organizations worldwide rely on Netwrix solutions to secure sensitive data, realize the full business value of enterprise content, pass compliance audits with less effort and expense, and increase the productivity of IT teams and knowledge workers.

For more information visit www.netwrix.com

CORPORATE HEADQUARTERS: 300 Spectrum Center Drive, Suite 200, Irvine, CA 92618 | Phones: 1-949-407-5125; Toll-free (USA): 888-638-9749
565 Metro Place S, Suite 400, Dublin, OH 43017 | Phone: 1-201-490-8840
5 New Street Square, London EC4A 3TW | Phone: +44 (0) 203 588 3023

OTHER LOCATIONS: Spain: +34 911 982608; Netherlands: +31 858 887 804; Sweden: +46 8 525 03487; Switzerland: +41 43 508 3472; France: +33 9 75 18 11 19; Germany: +49 711 899 89 187; Italy: +39 02 947 53539; Hong Kong: +852 5808 1306

SOCIAL: netwrix.com/social