Post-Incident Configuration Hardening

EradicationP2180 min

🔒 Ransomware 🎣 Phishing 📤 Data Exfiltration 👤 Insider Threat 🌐 Web Application Compromise ☁️ Cloud & Identity Compromise 📧 Business Email Compromise 🔑 Credential Theft

IR AnalystSwitch roles in the top navigation to see different perspectives.

Implement targeted configuration changes to close the security gaps exploited during the incident and raise the bar against similar future attacks.

Actions

1.Disable legacy authentication protocols exploited during the attack: NTLMv1, LLMNR, NBT-NS, WPAD, SMBv1, and unencrypted LDAP binds
2.Enable Windows Attack Surface Reduction (ASR) rules relevant to the observed TTPs: block Office macro child processes, block credential theft from LSASS, block unsigned/untrusted executables from USB
3.Harden Azure AD conditional access: enforce MFA on all accounts, block legacy auth, require compliant devices, implement sign-in risk and user risk policies
4.Tighten network segmentation: restrict lateral movement paths exploited during the incident by implementing micro-segmentation or updated firewall rules between VLANs
5.Review and restrict PowerShell execution policies: enable Constrained Language Mode for standard users, enable PowerShell ScriptBlock and Module logging, deploy PowerShell v2 removal
6.Implement application whitelisting (AppLocker/WDAC) on critical systems identified as pivot points during the attack

Queries

// PowerShell -- Enable ASR rules
$rules = @(
  "BE9BA2D9-53EA-4CDC-84E5-9B1EEEE46550", # Block Office child processes
  "D4F940AB-401B-4EFC-AADC-AD5F3C50688A", # Block Office macro Win32 API calls
  "3B576869-A4EC-4529-8536-B80A7769E899", # Block Office from creating exec content
  "9E6C4E1F-7D60-472F-BA1A-A39EF669E4B2"  # Block credential theft from LSASS
)
foreach ($rule in $rules) {
  Set-MpPreference -AttackSurfaceReductionRules_Ids $rule -AttackSurfaceReductionRules_Actions Enabled
}

// KQL -- Verify hardening changes took effect
DeviceEvents
| where Timestamp > ago(24h)
| where ActionType startswith "Asr"
| summarize BlockCount=count() by ActionType, DeviceName
| sort by BlockCount desc

// PowerShell -- Disable legacy protocols
Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force
Disable-WindowsOptionalFeature -Online -FeatureName SMB1Protocol -NoRestart
# Disable LLMNR via GPO:
# Computer Config > Admin Templates > Network > DNS Client > Turn off multicast name resolution = Enabled

Notes

Hardening changes should be tested in a staging environment first to avoid breaking production services
Document all configuration changes made as part of the hardening effort for change management tracking
Coordinate with IT operations to schedule hardening changes during a maintenance window to minimize business impact

Where to Go Next

Hardening complete, proceed to verification

Verify eradication

Eradication Verification

Hardening complete, ready for recovery

Begin recovery

Service Restoration

Lessons learned from hardening effort

Document improvements

Detection Improvement

Related Artifacts

Conditional Access Policy Logs

Azure Portal > Entra ID > Monitoring > Sign-in logs > Conditional Access tab

Firewall Logs (Allow/Deny)

Firewall management console or syslog server (vendor-specific: Palo Alto, Fortinet, pfSense, iptables)

Suggested Acquisition

FTK Imager Full Disk Image

windows — physical

EnCase Forensic Full Disk Image

windows — physical

dd / dc3dd Raw Disk Image

windows — physical

Guymager Full Disk Image

windows — physical