Uninstall Indicators of Attack

1. In the command line interface, run the following command to uninstall the IoA module:

   Copy

   Register-TenableIOA.ps1 -Uninstall

2. Replicate this new GPO over the entire domain. The script enforces a 4-hour delay for the replication to complete.

3. Run the following command to delete the cleaning GPO:

   Copy

   Remove-GPO -Guid <GUID> -Domain "<DOMAIN>"

4. Optional: Run the following command to verify that the GPO no longer exists:

   Copy

   (Get-ADDomainController -Filter *).Name | Foreach-Object {Get-GPO -Name "Tenable.ad cleaning"} | Select Displayname| measure

You have now completely uninstalled the IoAs. However, their registry entries may persist if another GPO doesn't define them. Below are the registry entries that the Massive Computers Recon IoA used (these may vary based on your specific IoA configuration):

• HKLM\MACHINE\System\CurrentControlSet\Control\Lsa\MSV1_0\AuditReceivingNTLMTraffic (value: 2)

• HKLM\MACHINE\System\CurrentControlSet\Control\Lsa\MSV1_0\RestrictSendingNTLMTraffic (value: 1)

• HKLM\MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters\AuditNTLMInDomain (value: 7)

To remove these registry entries, run the following PowerShell script on all your domain controllers:

Remove-ItemProperty -Path "HKLM:\System\CurrentControlSet\Control\Lsa\MSV1_0" -Name "AuditReceivingNTLMTraffic"
Remove-ItemProperty -Path "HKLM:\System\CurrentControlSet\Control\Lsa\MSV1_0" -Name "RestrictSendingNTLMTraffic"
Remove-ItemProperty -Path "HKLM:\System\CurrentControlSet\Services\Netlogon\Parameters" -Name "AuditNTLMInDomain"

Manually delete any outdated IoA folders from the SYSVOL directory that do not correspond to the latest IoA GPO GUID. Ensuring that only the most current Group Policy Object (GPO) remains maintains consistency and prevent potential policy conflicts.

If you require further guidance or encounter any issues, please reach out to support for assistance.