The Post Ransomware Brain Dump

30th July 2024

The environment:
Windows 10+, VMware 8u2, SentinelOne, Fortigate Fw 7.0.15, Unsecured VPN tunnels to biz partners

The Good:
+Cove backup with Cloud is really good. Attackers will wipe the local backup repo. Caveat: when restoring we had problems with Virtual Disaster Recovery; it would recover disks, but many of the files were “In Use” and unreadable. Instead, VDR the boot drive, install the recovery software, create a new (thin-provisioned) disk in VMware and do a “Files & Folders” restore to the new disk. The files we restored were larger than the drive they were backed up on; we had some NAS devices grafted into the NTFS tree.
+SentinelOne: didn’t find malware on any PCs; it did raise an alert about lateral movement.
+Tailscale unaffected; it doesn’t require ports open from the internet.
+FreeMyIp.com dynamic DNS makes a great poor-man’s MFA.

Needs Improvement:
+Upgrade VMware to 8u3, turn on the firewall.
+Enable AV on all VPN connectors and limit their scope. Off for the short term.
+Wazuh server: deploy via script, not the OVA. Install the agent on workstations. Use a DNS name.
+Remove all users from local admin; make a domain group and add users temporarily for self-service. +U
+Deploy OpenCanary honeypot. How to set up email alerts? T-Pot CE: can’t log in.
+Logon script: winget upgrade --all (doesn’t run as a user with enough authority).
+Mgt interfaces unreachable from workstations. Router ACLs configured for VLANs 1, 111, 121.
+Vuln scanner: GVM https://www.youtube.com/watch?v=egiJ9A7oq3U
+Ninite installer makes it difficult to upgrade or uninstall software: 2 versions of VLC, 32-bit + 64-bit.
+Tailscale + Terminal Server, OR RDWeb + dynamic DNS from FreeMyIp.com.
+Windows firewall on servers: ports 135 and 3389 only from servers + mgt VLAN.
++Use UniFi to eject all the cellphones from the corp network. Make them use the guest network.
…Disable NetBIOS via a Group Policy PowerShell script.
…Disable SMB1. This will break things, so communicate. Or leave it ON but firewalled.
-Windows firewall forced ON in Group Policy, allow server + mgt networks. Breaks scan-to-local-share.
-arpwatch / DHCP log alert on new MAC addresses seen. Wazuh?
-Stronger password policy, expires yearly, reminder notes go in wallet. Start with expiry 999d.
-Harden servers, disable unused services / TCP ports.
-DB config uses IP; change to DNS name.
-Segment departments from each other.
-Document the network OR buy UniFi switches.
-Reboot workstations nightly / have PC BIOS power on every morning 1h before work starts, do updates etc.
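Added example (not from the original post) of what the “135/3389 only from servers + mgt VLAN” and “disable NetBIOS” items look like as a server-side PowerShell script before it goes into Group Policy. The two subnet values are placeholders I assumed for the server and management VLANs.

```powershell
# Added example: restrict inbound RPC (135) and RDP (3389) on a server to the
# server and management VLANs, and disable NetBIOS over TCP/IP.
# Placeholder subnets; replace with the real server/mgt VLAN ranges.
$ServerSubnet = '10.0.111.0/24'   # assumption: server VLAN
$MgtSubnet    = '10.0.121.0/24'   # assumption: management VLAN
$Allowed = @($ServerSubnet, $MgtSubnet)

# Firewall on for every profile, inbound blocked unless a rule allows it.
Set-NetFirewallProfile -Profile Domain,Private,Public -Enabled True `
    -DefaultInboundAction Block -DefaultOutboundAction Allow

foreach ($port in 135, 3389) {
    $name = "Allow TCP $port from server+mgt VLANs"
    # Remove any earlier copy so the script is safe to re-run.
    Get-NetFirewallRule -DisplayName $name -ErrorAction SilentlyContinue |
        Remove-NetFirewallRule
    New-NetFirewallRule -DisplayName $name -Direction Inbound -Protocol TCP `
        -LocalPort $port -RemoteAddress $Allowed -Action Allow -Profile Domain |
        Out-Null
}

# The built-in "Remote Desktop" rules allow 3389 from any address once RDP is
# enabled, which would undo the restriction above, so turn them off.
Get-NetFirewallRule -DisplayGroup 'Remote Desktop' -ErrorAction SilentlyContinue |
    Disable-NetFirewallRule

# Disable NetBIOS over TCP/IP on every interface (NetbiosOptions 2 = disabled).
Get-ChildItem 'HKLM:\SYSTEM\CurrentControlSet\Services\NetBT\Parameters\Interfaces' |
    ForEach-Object { Set-ItemProperty -Path $_.PSPath -Name NetbiosOptions -Value 2 }

# Show the remote-address scope of the new rules so it can be checked before rollout.
Get-NetFirewallRule -DisplayName 'Allow TCP * from server+mgt VLANs' |
    Get-NetFirewallAddressFilter | Select-Object RemoteAddress
```

Run it from the console or from an address inside the allowed subnets, because it removes the broad RDP rules; note it deliberately leaves 445 alone, which is the port the “breaks scan-to-local-share” item is about.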

Backup/Restore:
+TrueNAS storage snapshots daily. +U +T +V
+Extra backups to external drives that power off daily. Automate, sync changes.
-Extra backups at a drivable offsite location.

Blue Team:
-Verify you get alerts for creating a new account on a server or workstation, not just in the Wazuh console.
+Nmap scan all your servers for open TCP ports. Question everything. Monitor the required services.

Outside Improvements:
-MFA on for all Office 365, + rules to allow our country only.
-Enable DKIM for all outbound email.
-UPS shutdown automation; easy install via Home Assistant.
-Investigate sublime.security for alternate/additional email filtering

The Really Bad:
–vCenter assumes everyone in the domain group “ESX Admins” is an administrator.
–Wazuh .OVA install: changing the password breaks it.
–Windows firewall is stoopidly complex to configure and to add exceptions to.