You may have caught the recent article about a new malware variant, called SwiftSlicer–attributed to a Russian APT group–that is making its way around Active Directory environments. There’s not a ton of details about how this malware is delivered, but the one detail we did get, was that it used “Group Policy” to deploy the ransomware within target organizations. This is not a new approach and indeed I blogged about this mechanism for hijacking GPOs as a malware deliver system 6 years ago. That said, given the scant information we have about how Group Policy was compromised in this particular case, I’ve seen a bunch of vendor blogs rush to conclude that the attacker “compromised the domain controller” or “compromised Active Directory” in order to infect Group Policy. I think it’s super important to understand that compromising a GPO does not require domain dominance within AD. Indeed, an attacker only needs to get write access to a single GPO that is linked to the environment with broad scope (e.g. linked at the domain level or at an OU that is processed by most computers or users) in order to deliver their malware payload. In typical organizations that I see, this is not a high bar to have to reach. In fact, it’s generally a much lower bar than trying to get to Domain Admin on a domain, because most organizations have many, many GPOs linked at the domain level, with varying levels of delegation control. One need only compromise a low-level desktop admin account in many organizations, to get write access to such a GPO. And once an attacker has that access, it is fairly easy with existing tooling, to stealthily inject settings into a GPO to deliver the malware. The problem with using GP as a malware delivery system is that’s it’s incredibly efficient at doing so. GP processing runs as localSystem on a given computer, providing it with instant privileged access to that computer. And, once a payload is stuck into a GPO, delivery across an entire organization, regardless of size, takes minutes, given that the default background refresh interval for computer is every 90 minutes plus some randomized offset.
Delegation is Still, the Key
Bottom line here is that GPO delegation control is a key part of the strategy for preventing these types of attacks from leveraging your own infrastructure against you. I’ve collected a few of the resources I’ve written around this here, starting with a whitepaper around “tiered” administration of GP management. Hopefully these provide a good basis for hardening your GPO infrastructure against these types of attacks:
GP Admin Tiering Whitepaper and Tiered Administration Blog Post
Group Policy Delegation and “information exposure”
I’ve said it before and I’ll say it again, “Harden your GPOs!”