Ensuring the security of an organization's Domain Controller (DC) is paramount, recognizing it as a critical asset that must be protected at all costs. The compromise of a DC can lead to various detrimental outcomes. This article focuses on a specific consequence of DC compromise: the delivery and execution of ransomware on systems through the Windows Group Policy Update.
Microsoft manages the configuration of domain-joined servers and workstations through Group Policy Objects (GPOs). A GPO holds the settings that define a system's configuration. When an administrator links a GPO to a system, that system periodically checks in with a domain controller and applies the settings the GPO specifies. Occasionally, administrators need to apply a policy change outside the regular refresh schedule. For this, Microsoft provides a PowerShell cmdlet, Invoke-GPUpdate, which makes a system check in with the domain controller on demand and apply any changes immediately. The LockBit ransomware group has used this GPUpdate technique in its attacks. For more detail, see the joint CISA advisory: https://www.cisa.gov/sites/default/files/2023-03/aa23-075a-stop-ransomware-lockbit.pdf
When an administrator needs to force a Group Policy update on many servers or workstations at once, other PowerShell cmdlets can be combined with Invoke-GPUpdate. The Get-ADComputer cmdlet is the key piece: it returns the list of computer objects in the domain (or in a chosen search base). Piping that list into Invoke-GPUpdate applies a policy change uniformly across every listed system. The same mechanism serves an attacker who has compromised a DC: a GPO that deploys ransomware, pushed this way, reaches every domain-joined system.
powershell Get-ADComputer -filter * -Searchbase '%s' | Foreach-Object { Invoke-GPUpdate -computer $_.name -force -RandomDelayInMinutes 0}
The output of the first part of the command, the list of computer objects matching the filter, is piped to the Foreach-Object cmdlet, which iterates over each computer in the list and runs Invoke-GPUpdate against it.
The "-force" switch makes the client contact the nearest Domain Controller (DC) and reapply all Group Policy Objects (GPOs). Without it, the client applies only GPOs that are new or have changed since its last check. The "-RandomDelayInMinutes" switch lets administrators spread the updates over a time window so that every system does not refresh at the same moment. Ransomware operators want the encryption to begin as quickly as possible across the domain, so in those cases the delay is set to zero.
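The combination described above (enumerating every computer with Get-ADComputer, piping into Invoke-GPUpdate with -force and a zero random delay) is something a defender can look for in process-creation or PowerShell script-block logs. The following is an added example of that detection logic, not code from the article or from the CISA advisory. The sample events, their field names and the severity thresholds are all constructed for illustration; a real deployment would read the command-line field from Security event 4688 or PowerShell event 4104 records instead.

```python
import re

# Constructed sample events modelled loosely on Windows process-creation
# records. These are NOT real captured logs; the hosts, users, search base
# and ids are invented for this example.
SAMPLE_EVENTS = [
    {"id": 1, "host": "DC01", "user": "CORP\\svc_backup",
     "cmd": "powershell Get-ADComputer -filter * -Searchbase 'DC=corp,DC=local' "
            "| Foreach-Object { Invoke-GPUpdate -computer $_.name -force -RandomDelayInMinutes 0}"},
    {"id": 2, "host": "ADMIN01", "user": "CORP\\jdoe",
     "cmd": "powershell Invoke-GPUpdate -Computer FILESRV02 -Force -RandomDelayInMinutes 10"},
    {"id": 3, "host": "WS17", "user": "CORP\\alice",
     "cmd": "gpupdate /force"},
    {"id": 4, "host": "DC01", "user": "CORP\\svc_backup",
     "cmd": "powershell Get-ADComputer -Filter * | ForEach-Object "
            "{ Invoke-GPUpdate -Computer $_.Name -Force -RandomDelayInMinutes 0 }"},
]

# Indicators taken from the command shown in the article. Matching is
# case-insensitive because PowerShell parameter names and cmdlets are.
RE_ENUM_ALL = re.compile(r"Get-ADComputer\s+-filter\s+\*", re.I)   # every computer object
RE_INVOKE = re.compile(r"Invoke-GPUpdate", re.I)                  # remote policy refresh
RE_FORCE = re.compile(r"(^|\s)-force\b", re.I)                    # reapply all GPOs
RE_ZERO_DELAY = re.compile(r"-RandomDelayInMinutes\s+0\b", re.I)  # no stagger: all at once


def indicators(cmd):
    """Return the set of indicator names present in a single command line."""
    found = set()
    if RE_ENUM_ALL.search(cmd):
        found.add("enumerate_all_computers")
    if RE_INVOKE.search(cmd):
        found.add("invoke_gpupdate")
    if RE_FORCE.search(cmd):
        found.add("force")
    if RE_ZERO_DELAY.search(cmd):
        found.add("zero_delay")
    return found


def severity(cmd):
    """Map indicators to a severity label; None means nothing to flag.

    The thresholds are an assumption for this example, not a published
    detection rule: a forced, un-staggered push to every computer in the
    domain is the pattern the article describes and gets 'high'.
    """
    ind = indicators(cmd)
    if "invoke_gpupdate" not in ind:
        return None
    if "enumerate_all_computers" in ind and "zero_delay" in ind:
        return "high"
    if "enumerate_all_computers" in ind or ("zero_delay" in ind and "force" in ind):
        return "medium"
    return "low"


def triage(events):
    """Return flagged events (severity != None) with their indicators attached,
    highest severity first, so an analyst sees the mass-push cases at the top."""
    order = {"high": 0, "medium": 1, "low": 2}
    flagged = []
    for ev in events:
        sev = severity(ev["cmd"])
        if sev is None:
            continue
        flagged.append({**ev, "severity": sev, "indicators": sorted(indicators(ev["cmd"]))})
    flagged.sort(key=lambda e: (order[e["severity"]], e["id"]))
    return flagged


if __name__ == "__main__":
    for ev in triage(SAMPLE_EVENTS):
        print(f"[{ev['severity']:6}] id={ev['id']} host={ev['host']} user={ev['user']} "
              f"indicators={','.join(ev['indicators'])}")
```

The sorted output puts the two domain-wide pushes from DC01 first; the single-host refresh with a ten-minute delay is kept as a low-severity event for context, and the plain gpupdate /force on a workstation is not flagged at all. Tuning against your own administrative baseline (which accounts and hosts legitimately run Invoke-GPUpdate against many computers) is what turns this from a pattern match into a usable alert.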