Uninstall Indicators of Attack
To uninstall the Indicators of Attack (IoA) module, you run a command that creates a new Group Policy Object (GPO) called Tenable Identity Exposure cleaning.
The uninstallation process uses this new GPO by default to clean out the previously installed GPOs and their SYSVOL files, the registry settings, the advanced logging policy, and the WMI filters.
- In the command line interface, run the following command to uninstall the IoA module:
  Register-TenableIOA.ps1 -Uninstall
- Replicate this new GPO over the entire domain. The script enforces a 4-hour delay for the replication to complete.
- Run the following command to delete the cleaning GPO:
  Remove-GPO -Guid <GUID> -Domain "<DOMAIN>"
- Optional: Run the following command to verify that the GPO no longer exists on any domain controller (a count of 0 means it is gone everywhere):
  (Get-ADDomainController -Filter *).Name | ForEach-Object { Get-GPO -Name "Tenable.ad cleaning" -Server $_ -ErrorAction SilentlyContinue } | Select-Object DisplayName | Measure-Object
You have now completely uninstalled the IoAs. However, their registry entries may persist if another GPO doesn't define them. Below are the registry entries that the Massive Computers Recon IoA used (these may vary based on your specific IoA configuration):
- HKLM\MACHINE\System\CurrentControlSet\Control\Lsa\MSV1_0\AuditReceivingNTLMTraffic (value: 2)
- HKLM\MACHINE\System\CurrentControlSet\Control\Lsa\MSV1_0\RestrictSendingNTLMTraffic (value: 1)
- HKLM\MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters\AuditNTLMInDomain (value: 7)
To remove these registry entries, run the following PowerShell script on all your domain controllers:
Remove-ItemProperty -Path "HKLM:\System\CurrentControlSet\Control\Lsa\MSV1_0" -Name "AuditReceivingNTLMTraffic"
Remove-ItemProperty -Path "HKLM:\System\CurrentControlSet\Control\Lsa\MSV1_0" -Name "RestrictSendingNTLMTraffic"
Remove-ItemProperty -Path "HKLM:\System\CurrentControlSet\Services\Netlogon\Parameters" -Name "AuditNTLMInDomain"
Manual Removal of Outdated GPO Folders from SYSVOL
In some cases, when reinstalling the IoA GPO, older folders may remain in the SYSVOL directory because of a Microsoft feature. If the Directory Listener recognizes one of these outdated folders as the IoA folder, detection fails.
Perform the following procedure to remove outdated IoA GPO folders cleanly and prevent detection issues during reinstallation.
- Identify the latest IoA GPO GUID: determine the GUID (Globally Unique Identifier) of the most recently installed IoA GPO.
- Review the logs (tenable_Ceti.log, located in C:\Tenable\Tenable.ad\DirectoryListener\logs) to identify which folder the Directory Listener recognizes as the IoA folder.
- Manually delete any outdated IoA folders from the SYSVOL directory that do not match the latest IoA GPO GUID.
- Restart the tenable_Ceti service.
- Repeat steps 2-4 until the Directory Listener recognizes the correct IoA folder with the latest GUID.
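The following script is an added example, not part of the Tenable documentation or product, that supports step 3 above: it lists every policy folder in SYSVOL whose GUID no longer matches any GPO the domain knows about, so stale folders (including leftover IoA ones) can be reviewed before you delete them. It assumes the ActiveDirectory and GroupPolicy RSAT modules are available and that the account running it can read SYSVOL; the function name Find-OrphanedPolicyFolder is hypothetical.

```powershell
# Added example (not Tenable's script): report SYSVOL policy folders with no matching GPO.
# Assumes RSAT modules ActiveDirectory and GroupPolicy are installed.
Import-Module ActiveDirectory
Import-Module GroupPolicy

function Find-OrphanedPolicyFolder {
    param(
        # Domain to inspect; defaults to the current domain
        [string]$Domain = (Get-ADDomain).DNSRoot
    )
    $policiesPath = "\\$Domain\SYSVOL\$Domain\Policies"

    # Folder names in SYSVOL use the {GUID} form, so normalise the known GPO IDs the same way
    $knownGuids = Get-GPO -All -Domain $Domain |
        ForEach-Object { "{$($_.Id.ToString().ToUpper())}" }

    # Only consider folders that look like GPO GUID folders (skips PolicyDefinitions etc.)
    Get-ChildItem -Path $policiesPath -Directory |
        Where-Object { $_.Name -match '^\{[0-9A-Fa-f-]{36}\}$' } |
        Where-Object { $knownGuids -notcontains $_.Name.ToUpper() } |
        ForEach-Object {
            # GPT.INI usually carries the display name, which helps spot old IoA folders
            $gpt = Join-Path $_.FullName 'GPT.INI'
            $displayName = if (Test-Path $gpt) {
                (Get-Content $gpt | Where-Object { $_ -match '^displayName=' }) -replace '^displayName=', ''
            } else { '<no GPT.INI>' }
            [PSCustomObject]@{
                Folder      = $_.FullName
                DisplayName = $displayName
                LastWrite   = $_.LastWriteTime
            }
        }
}

# Review the output first; delete only folders you have confirmed are outdated IoA folders.
Find-OrphanedPolicyFolder | Format-Table -AutoSize
```

A folder that appears here but whose GUID equals the latest IoA GPO GUID from step 1 indicates a replication or lookup problem rather than a stale folder, so do not delete it.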