The Post Ransomware Brain Dump

30th July 2024

The environment:
Windows 10+, VMware vSphere 8 U2, SentinelOne, FortiGate firewall (FortiOS 7.0.15), unsecured VPN tunnels to business partners

The Good:
+Cove backup with cloud storage: really good. Attackers will wipe the local backup repo. Caveat: when restoring we had problems with Virtual Disaster Recovery; it would recover disks, but many of the files were "In Use" and unreadable. Instead, VDR the boot drive, install the recovery software, create a new (thin-provisioned) disk in VMware and do a "Files & Folders" restore to the new disk. The files we restored were larger than the drive they were backed up from; we had some NAS devices grafted into the NTFS tree.
+SentinelOne: didn't find malware on any PCs; did raise an alert about lateral movement.
+Tailscale unaffected; it doesn't require inbound ports open from the internet.
+FreeMyIp.com dynamic DNS makes a great poor man's MFA (strictly it is source-IP allow-listing of remote users on the firewall, not a second factor, but it cuts the exposed surface a lot).

Needs Improvement:
+Upgrade VMware vCenter (and the ESXi hosts) to 8 U3, latest build.
+Enable AV inspection on all partner VPN tunnels and limit their scope (specific hosts/ports, not whole subnets). Off for the short term.
+Wazuh server: deploy from the install script, not the OVA. Install the agent on workstations too. Point agents at a DNS name, not an IP.
+Remove all users from the local Administrators group; make a domain group for it and add users to that group temporarily for self-service. +U
+Deploy a honeypot: OpenCanary (how to set up email alerts?). T-Pot CE: can't log in.
+Logon script: winget upgrade --all (runs as the logged-on user, who lacks the authority to upgrade machine-wide installs; it has to run as SYSTEM, e.g. from a scheduled task).
+Management interfaces unreachable from workstations. Router ACLs configured for VLANs 1, 111, 121.
+Vulnerability scanner: GVM/OpenVAS, see https://www.youtube.com/watch?v=egiJ9A7oq3U
+Ninite installer makes it difficult to upgrade or uninstall software: ended up with two versions of VLC, 32-bit + 64-bit.
+Tailscale + Terminal Server, OR RDWeb + dynamic DNS from FreeMyIp.com.
++Use UniFi to eject all the cellphones from the corporate network; make them use the Guest network.
+NetBIOS over TCP/IP: disable via Group Policy (PowerShell startup script); audit with the NirSoft utility.
…Automate Windows updates via Group Policy, once a week. Verify the PCs don't sleep through the maintenance window.
…Windows firewall on servers: TCP 135 and 3389 allowed only from the server + management VLANs.
…SMB1: disable via Group Policy; audit with nmap --script smb-protocols.
-Windows firewall forced on via Group Policy, allowing only the server + management networks. Breaks scan-to-share from the MFPs (they need an inbound SMB/445 exception scoped to the printer addresses).
-Stronger password policy; yearly expiry, reminder notes go in the wallet. Start with expiry at 999 days. (NIST SP 800-63B no longer recommends periodic expiry; length plus MFA buys more than rotation.)
…Harden servers: disable unused services / TCP ports. Run IIS Crypto with the Best Practices template (breaks SentinelOne?).
-DB config uses an IP address; change it to a DNS name.
-arpwatch / DHCP log alert on new MAC addresses seen. Wazuh? UnifiClientCheck.
-Segment departments from each other: new edge switches, VLANs moved up one level.
-Document the network OR buy UniFi switches.
-Reboot workstations nightly / have the PCs' BIOS power them on every morning 1 h before work starts, run updates etc.
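The local-admin cleanup from the list above, as an added example script (not part of the original notes). It strips the local Administrators group down to an allow-list so that anyone added "temporarily" for self-service is gone again at the next boot or nightly run. The domain name CORP and the group name WS-Admins are assumptions; substitute the real ones.

```powershell
# Added example, not code from the original notes. Clears local Administrators
# down to an allow-list; run it as a GPO startup script (as SYSTEM) or nightly
# from a scheduled task so self-service additions expire automatically.
# Assumptions (hypothetical names): domain CORP, approved group CORP\WS-Admins.
[CmdletBinding(SupportsShouldProcess)]
param(
    [string]$Domain     = 'CORP',
    [string]$AdminGroup = 'WS-Admins',
    [string]$LogPath    = "$env:ProgramData\LocalAdminCleanup.log"
)

$keep = @(
    "$env:COMPUTERNAME\Administrator",   # built-in; keep it, manage its password with LAPS
    "$Domain\Domain Admins",
    "$Domain\$AdminGroup"                # the only group that should confer local admin
)

# Get-LocalGroupMember fails outright when an orphaned SID (deleted domain
# account) sits in the group; fall back to parsing `net localgroup` then.
function Get-AdminMembers {
    try {
        Get-LocalGroupMember -Group 'Administrators' -ErrorAction Stop |
            ForEach-Object { $_.Name }
    } catch {
        (net localgroup Administrators) |
            Where-Object { $_ -and $_ -notmatch '^(Alias name|Comment|Members|-+|The command)' }
    }
}

foreach ($name in Get-AdminMembers) {
    # net localgroup prints local accounts without the machine prefix; normalise.
    if ($name -notmatch '\\') { $name = "$env:COMPUTERNAME\$name" }
    if ($keep -contains $name) { continue }

    if ($PSCmdlet.ShouldProcess($name, 'Remove from Administrators')) {
        # -Member takes a name or a raw SID string, so orphaned SIDs go too.
        Remove-LocalGroupMember -Group 'Administrators' -Member $name -ErrorAction Continue
        "$(Get-Date -Format s) removed $name" | Add-Content -Path $LogPath
    }
}
```

Run it once with -WhatIf on a few machines first; it prints what it would remove without touching anything, which doubles as the audit of who currently holds local admin.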
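The NetBIOS, SMB1 and Windows-firewall items above are one hardening pass, so here they are together as an added example (not the notes' own script). Subnets are placeholders: servers 10.0.1.0/24, management 10.0.111.0/24, MFPs 10.0.121.0/24. It is written to be re-run at every boot as a GPO startup script, because new adapters come up with NetBIOS back on.

```powershell
# Added example, not code from the original notes. Server hardening: NetBIOS
# over TCP/IP off, SMBv1 off, firewall on with 135/3389 reachable only from the
# server + management VLANs, and the MFP exception that keeps scan-to-share
# working. Run as SYSTEM (GPO startup script) or via Invoke-Command.
$TrustedNets = @('10.0.1.0/24', '10.0.111.0/24')   # assumed server + mgt VLANs
$MfpNet      = '10.0.121.0/24'                      # assumed printer VLAN

# --- 1. NetBIOS over TCP/IP off on every interface (NetbiosOptions 2 = disabled).
$nbt = 'HKLM:\SYSTEM\CurrentControlSet\Services\NetBT\Parameters\Interfaces'
Get-ChildItem $nbt | ForEach-Object {
    Set-ItemProperty -Path $_.PSPath -Name NetbiosOptions -Value 2 -Type DWord
}

# --- 2. SMBv1 off: server configuration first, then the Windows feature itself.
Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force
Disable-WindowsOptionalFeature -Online -FeatureName SMB1Protocol -NoRestart | Out-Null

# --- 3. Firewall on, inbound default block.
Set-NetFirewallProfile -Profile Domain,Private,Public -Enabled True `
    -DefaultInboundAction Block -DefaultOutboundAction Allow

# The built-in RDP rules allow 3389 from anywhere. Scope those rather than
# adding a second allow rule: an existing wider allow would still win.
Set-NetFirewallRule -DisplayGroup 'Remote Desktop' -RemoteAddress $TrustedNets

# Same for every enabled inbound rule that opens the RPC endpoint mapper; the
# built-in ones use the 'RPC-EPMap' keyword rather than the number 135.
Get-NetFirewallRule -Direction Inbound -Enabled True | ForEach-Object {
    $ports = ($_ | Get-NetFirewallPortFilter).LocalPort
    if ($ports -contains '135' -or $ports -contains 'RPC-EPMap') {
        Set-NetFirewallRule -Name $_.Name -RemoteAddress $TrustedNets
    }
}

# Scan-to-share: the MFPs must still reach SMB (445) on the host with the
# share, otherwise forcing the firewall on breaks scanning (the gotcha above).
$mfpRule = 'Hardening: SMB 445 from MFPs'
Get-NetFirewallRule -DisplayName $mfpRule -ErrorAction SilentlyContinue | Remove-NetFirewallRule
New-NetFirewallRule -DisplayName $mfpRule -Direction Inbound -Protocol TCP -LocalPort 445 `
    -RemoteAddress ($TrustedNets + $MfpNet) -Action Allow -Profile Domain | Out-Null
Set-NetFirewallRule -DisplayGroup 'File and Printer Sharing' -RemoteAddress ($TrustedNets + $MfpNet)

# --- 4. Audit what the host now reports; cross-check from outside with
#        nmap -p 135,139,445,3389 --script smb-protocols <host>.
[pscustomobject]@{
    NetBiosStillOn = @(Get-ChildItem $nbt | Where-Object {
                         (Get-ItemProperty $_.PSPath).NetbiosOptions -ne 2 }).Count
    Smb1Enabled    = (Get-SmbServerConfiguration).EnableSMB1Protocol
    Smb1Feature    = (Get-WindowsOptionalFeature -Online -FeatureName SMB1Protocol).State
    RdpRemoteAddr  = ((Get-NetFirewallRule -DisplayGroup 'Remote Desktop' |
                        Get-NetFirewallAddressFilter).RemoteAddress -join ',')
}
```

One caveat: if the GPO that forces the firewall on also sets "Apply local firewall rules: No", rules created on the host are ignored and the same allow/scope rules have to live in the GPO itself.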

Backup/Restore:
+TrueNAS storage snapshots daily +U +T +V
+Extra backups to external drives that power off daily. Not automated; sync changes.
-Extra backups at a drivable offsite location.
-UPS shutdown automation; easy to install via Home Assistant.

Blue Team;
-Verify you get alerts (email/phone) when a new account is created on a server or workstation (Security event 4720), not just an entry in the Wazuh console.
+Nmap scan all servers for open TCP ports. Question everything; monitor the required services.
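To check the "new account" alert end to end you have to fire the real trigger. The added script below (not from the original notes) creates a throwaway local user on each target, deletes it again, and confirms that the host actually wrote Security events 4720/4726 for the Wazuh agent to forward; the rest of the test is looking at your inbox. The host names are placeholders.

```powershell
# Added example, not code from the original notes. Produces the genuine
# "user account created" event (4720) and its removal (4726) on each host so
# the whole alert path, agent -> Wazuh -> email/phone, can be verified.
param([string[]]$Targets = @('SRV-FILE01', 'SRV-DB01', 'WS-RECEPTION'))  # assumed names

$testUser = 'alerttest-' + (Get-Date -Format 'MMddHHmm')
# Throwaway password: fixed prefix guarantees complexity, the rest is random.
$pw = 'Tt9!' + (-join ((33..126) | Get-Random -Count 20 | ForEach-Object { [char]$_ }))

$results = Invoke-Command -ComputerName $Targets -ArgumentList $testUser, $pw -ScriptBlock {
    param($u, $p)
    $start = Get-Date
    New-LocalUser -Name $u -Password (ConvertTo-SecureString $p -AsPlainText -Force) `
        -Description 'alert pipeline test, safe to delete' | Out-Null
    Start-Sleep -Seconds 2
    Remove-LocalUser -Name $u

    # Was the trigger written at all? If not, the agent has nothing to forward:
    # the audit subcategory "User Account Management" (success) must be enabled.
    $ev = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4720, 4726; StartTime = $start } `
            -ErrorAction SilentlyContinue
    [pscustomobject]@{
        Host    = $env:COMPUTERNAME
        User    = $u
        Created = [bool]($ev | Where-Object Id -eq 4720)
        Deleted = [bool]($ev | Where-Object Id -eq 4726)
        Time    = $start
    }
}

$results | Format-Table Host, User, Created, Deleted, Time -AutoSize
Write-Host "Each host above should now produce an email/push alert within a few minutes."
Write-Host "Created=True but no alert means the pipeline is broken, not the event source."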

Outside Improvements:
-MFA on for all Office 365 accounts, plus Conditional Access rules to allow sign-in from your country only.
-Enable DKIM for all outbound email (pair it with SPF and a DMARC policy).
-Investigate sublime.security for alternate/additional email filtering.

The Really Bad:
+ESXi hosts joined to the domain assume everyone in a domain group named "ESX Admins" is a full administrator, and create that mapping automatically; anyone who can create or rename a group to that name owns the hypervisors (CVE-2024-37085, fixed in ESXi 8.0 U3; interim mitigation: set Config.HostAgent.plugins.hostsvc.esxAdminsGroupAutoAdd to false on every host).
+Wazuh OVA install: changing the password breaks it. Install from the script instead.
-Windows firewall is stupidly complex to configure and make exceptions for.
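The "ESX Admins" problem above is fixable from vCenter without touching each host by hand. The PowerCLI script below is an added example, not from the original notes: it reports every host's version, domain-join state and the two advanced settings involved, then turns the auto-add off and points the setting at a group name that will not appear by accident. The vCenter FQDN and the replacement group name are assumptions.

```powershell
# Added example, not code from the original notes. Audit and mitigate the
# automatic "ESX Admins" -> administrator mapping (CVE-2024-37085) on all ESXi
# hosts managed by vCenter. Patching to 8.0 U3 is still required; this is the
# interim mitigation. vcenter.corp.local and vSphere-Host-Admins are assumed.
Import-Module VMware.PowerCLI
Connect-VIServer -Server 'vcenter.corp.local' | Out-Null

$autoAddName = 'Config.HostAgent.plugins.hostsvc.esxAdminsGroupAutoAdd'
$groupName   = 'Config.HostAgent.plugins.hostsvc.esxAdminsGroup'
$hosts       = Get-VMHost

# --- Audit: which hosts are AD-joined and still have the auto-add on? -------
$report = foreach ($h in $hosts) {
    $auth = Get-VMHostAuthentication -VMHost $h
    [pscustomobject]@{
        Host      = $h.Name
        Version   = $h.Version
        Build     = $h.Build
        Domain    = $auth.Domain
        Joined    = $auth.DomainMembershipStatus
        AutoAdd   = (Get-AdvancedSetting -Entity $h -Name $autoAddName).Value
        AdminsGrp = (Get-AdvancedSetting -Entity $h -Name $groupName).Value
    }
}
$report | Format-Table -AutoSize

# --- Mitigate: stop the auto-add and rename the expected group on every host.
foreach ($h in $hosts) {
    Get-AdvancedSetting -Entity $h -Name $autoAddName |
        Set-AdvancedSetting -Value $false -Confirm:$false | Out-Null
    Get-AdvancedSetting -Entity $h -Name $groupName |
        Set-AdvancedSetting -Value 'vSphere-Host-Admins' -Confirm:$false | Out-Null
}

Disconnect-VIServer -Confirm:$false
```

After running it, also check Active Directory for any group called "ESX Admins" that was created recently and who created it; if one exists and you did not make it, treat that as part of the incident.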