Ryuk

DarkSide (hacking group)

WannaCry

<p>Ensures that the domain implemented hardening measures to protect against ransomware.</p>


<p>Ransomware is the most disruptive global cyberthreat we face today. This threat affects virtually every industry and stems from a variety of root causes, which security teams must consider in their defender strategies.</p>


Insufficient Hardening Against Ransomware

Parameters used for configuring default file associations (OpenWith) for dangerous extensions are not being used in the environment.

Lack of GPO for configuring default file associations (OpenWith) for dangerous extensions

Parameters used for configuring VBA (macros) default deactivation configuration that impacts all Office applications are not being used in the environment.

Lack of GPO for configuring VBA (macros) default deactivation configuration that impacts all Office applications

Parameters used for configuring a strong PowerShell Execution Policy are not being used in the environment.

Lack of GPO for configuring a strong PowerShell Execution Policy

Parameters used for configuring deactivation of WSH are not being used in the environment.

Lack of GPO for configuring deactivation of WSH

Parameters used for configuring AppLocker Executable rule enforcement are not being used in the environment.

Lack of GPO for configuring AppLocker Executable rule enforcement

Parameters used for configuring AppLocker Script rule enforcement are not being used in the environment.

Lack of GPO for configuring AppLocker Script rule enforcement

Parameters used for configuring default file associations (OpenWith) for dangerous extensions do not match the expected value.

Unsafe configuration of dangerous file associations

Parameters used for configuring PowerShell Execution Policy do not match the expected value.

Unsafe configuration of PowerShell Execution Policy

Deactivation of WSH is not enforced on all containers that contain computers.

Safe configuration of settings disabling WSH is not applied on all computers

Macros contained in Office documents are not sent to the registered AMSI engine.

Unsafe configuration of macros runtime scan scope

Parameters used for configuring VBA (macros) default deactivation configuration that impacts all Office applications do not match the expected value.

Unsafe configuration of VBA (macros) default deactivation configuration that impacts all Office applications

Parameters used for configuring WSH do not match the expected value.

Unsafe configuration of WSH deactivation

Parameters used for configuring AppLocker rule enforcement do not match the expected value.

Unsafe configuration of AppLocker rule enforcement

PowerShell Constrained Language Mode(CLM) is enforced via an environment variable, which is not recommended by Microsoft (cf. IoE description for more details). This configuration is dangerous because an attacker can easily change the environment variable to remove the enforcement of Constrained Language Mode.

Unsafe configuration of PowerShell Constrained Language Mode(CLM)

Default file associations for dangerous extensions settings are not applied on all containers that contain users.

Safe configuration of dangerous file associations not applied on all users

VBA (macros) default deactivation configuration that impacts all Office applications are not configured on all containers that contain computers.

Safe configuration of VBA (macros) default deactivation not applied on all computers

PowerShell Execution Policy setting is not enforced on all containers that contain computers.

Detections

Analytics

Insufficient Hardening Against Ransomware

medium

Description

Solution

See Also

Indicator Details

Attacker Known Tools