Ransomware Prevention

Go based Ransomware/Malware

BlackCat
RobbinHood
Nefilim
EKANS
Zebrocy - Russian state-sponsored group APT28 created a Go-based version of their Zebrocy malware last year.
WellMess - Russian state-sponsored group APT29 deployed new upgraded versions of their Go-based WellMess malware last year.
Godlike12 - A Chinese state-sponsored group deployed Go-based backdoors for attacks on the Tibetan community last year.
Go Loader - The China-linked Mustang Panda APT deployed a new Go-based loader last year for their attacks.
GOSH - The infamous Carbanak group deployed a new RAT named GOSH written in Go last August.
Glupteba - New versions of the Glupteba loader were seen in 2020, more advanced than ever.

Nim based Ransomware/Malware

Rust based Ransomware/Malware

Buer

Dlang based Ransomware/Malware

C++

.NET

Java

Objective-c

Python

Perl

Javascript

Powershell

WebAssembly

Delphi

RAT (Remote Access Trojans)

Cobalstrike
Remcos
Nanocore

Crypto Miners

Data exfiltration

Rclone
7zip

Malicious behavior

deleting backups and logs
Changing firewall
Azure Credentials

Which programming languages are hard to reverse engineer

Analyzing ELF files and PE

Win32 API's

References:

Wazuh

- HIDS

- OSSEC

MISP

- Threat Intellegence

Zeek/Suricata/Snort

- IDS/IPS

PFSense

- Firewall

Perimeter security logs collected from PFsense and Zeek (span port )

using file beat to forward data to Elkstack(log stash)

AD/DC

- Winlog Beat

- Metric Beat

Linux server

- Audit Beat

- Metric Beat

- File Beat

SOAR

- The Hive

Siemplify

SoC Architectures

Log Collection

Log Parsing

Events

Threat Intel (ingest)

Threat detection

Alerts

Threat investigation

Incident Response

Forensics

Netflow

Switch spanport -> zeek ids - different logs

Switch spanport -> suricata -> json (Event.log)

Switch spanport -> Moloch/arkime -> pcap

NSM distribution

Security onion
SELKS
CAPESStack
HELK
ROCK NSM

Host Data collections

Event Generation

OSSEC
Sysdig for container security
Windows sysinternals
- sysmon
Osquery
Wazuh

Data Shippers/aggregators

Beats
- Filebeat
- Winlogbeat
- Audit beat
- Packetbeat
- Journalbeat
- Functionbeat
- Heartbeat
- DIY beats

LogStash
Nxlog
Fluentd
Nifi

SIEM

Graylog

Apache metron

Alien vault

Sigma

Jupyter

Sguil

Evebox

Incident management

TheHive

Sigma

Preparation:

Offline backups availability and integrity check
Maintain and Audit golden images and build templates
Use of Infrastructure as a code to deploy images
Manage IaC in versions for audit purpose
Storing application source code or executables as backup
Removing and replacing outdated hardware
Using multi cloud solutions and maintaining cloud backups, using immutable storage solutions
Audit cloud environment
Develop and audit incident response, communication and breach notification plan
Develop Cyber incident response playbook
Build and implement Zero Trust Architecture

Prevention and Mitigating:

Develop surface discovery plan and audit attack finding
- Monitor deep web notification/credential monitoring services
Periodical vulnerability Scans (review CISA Know vulnerability list)
- External
- Internal
- VPN Infra
Periodical patch management
Assets security
- BYOD
- All devices on hybrid infrastructure
Protocol, port and service usage metrics
- RDP
Have visibility to configuration and change management
Implement MFA
Disable weak protocols
- SMB v 1 and v 2
- Audit SMB traffic
- Implement SMB signing and audit
Blocking external access
- SMB
- - TCP 445
  - UDP 137
  - UDP 138
  - TCP 139
- Implement SMB encryption with Universal Naming Convention (UNC) hardening
- Log and monitor SMB and RDP traffic

Initial Access:

Implement
- Phishing resistant MFA and password less MFA
- IAM
- PAM
Change default creds
Restrict use of root or system admin users s
Password minimum length and policies
- Password rotation
- Password management tools
Failed login attempts metrics and audit
Disabling saving passwords to browser using Group Policy
Local Administrator Password solution (LAPS)
LSASS : implement attack surface reduction rule
Windows credential guard
Use Windows PowerShell Remoting, Remote Credential Guard, or RDP with restricted

Admin Mode

Separation of admin and user accounts
Conduct security awareness training
Email attachments known bad
Disable office macros
Disable Windows Script Host (WSH)
Review malware infections
- Ex: s QakBot, Bumblebee, and Emotet
Phishing email metrics and BEC scams
- How many blocked
- How many bypassed
EDR implementation
- Windows Defender Application Control (WDAC), AppLocker
- Application allow listing
- Implement of EDR on cloud
Threat intel and feed into security stack
Security awareness training
Protective DNS
Sandboxed browsers
Monitor
- Seo poisoning
- Drive by download
- Malvertising
Restricting PowerShell usage and alerts

Keywords:

CISA

MSISAC

FBI IC3

NSA

ZTA

References:

PreviousWindows Logs NextAPT Groups

Last updated 1 year ago

Was this helpful?

Ransomware Prevention

Go based Ransomware/Malware

BlackCat
RobbinHood
Nefilim
EKANS
Zebrocy - Russian state-sponsored group APT28 created a Go-based version of their Zebrocy malware last year.
WellMess - Russian state-sponsored group APT29 deployed new upgraded versions of their Go-based WellMess malware last year.
Godlike12 - A Chinese state-sponsored group deployed Go-based backdoors for attacks on the Tibetan community last year.
Go Loader - The China-linked Mustang Panda APT deployed a new Go-based loader last year for their attacks.
GOSH - The infamous Carbanak group deployed a new RAT named GOSH written in Go last August.
Glupteba - New versions of the Glupteba loader were seen in 2020, more advanced than ever.

Nim based Ransomware/Malware

Rust based Ransomware/Malware

Buer

Dlang based Ransomware/Malware

C++

.NET

Java

Objective-c

Python

Perl

Javascript

Powershell

WebAssembly

Delphi

RAT (Remote Access Trojans)

Cobalstrike
Remcos
Nanocore

Crypto Miners

Data exfiltration

Rclone
7zip

Malicious behavior

deleting backups and logs
Changing firewall
Azure Credentials

Which programming languages are hard to reverse engineer

Analyzing ELF files and PE

Win32 API's

References:

Wazuh

- HIDS

- OSSEC

MISP

- Threat Intellegence

Zeek/Suricata/Snort

- IDS/IPS

PFSense

- Firewall

Perimeter security logs collected from PFsense and Zeek (span port )

using file beat to forward data to Elkstack(log stash)

AD/DC

- Winlog Beat

- Metric Beat

Linux server

- Audit Beat

- Metric Beat

- File Beat

SOAR

- The Hive

Siemplify

SoC Architectures

Log Collection

Log Parsing

Events

Threat Intel (ingest)

Threat detection

Alerts

Threat investigation

Incident Response

Forensics

Netflow

Switch spanport -> zeek ids - different logs

Switch spanport -> suricata -> json (Event.log)

Switch spanport -> Moloch/arkime -> pcap

NSM distribution

Security onion
SELKS
CAPESStack
HELK
ROCK NSM

Host Data collections

Event Generation

OSSEC
Sysdig for container security
Windows sysinternals
- sysmon
Osquery
Wazuh

Data Shippers/aggregators

Beats
- Filebeat
- Winlogbeat
- Audit beat
- Packetbeat
- Journalbeat
- Functionbeat
- Heartbeat
- DIY beats

LogStash
Nxlog
Fluentd
Nifi

SIEM

Graylog

Apache metron

Alien vault

Sigma

Jupyter

Sguil

Evebox

Incident management

TheHive

Sigma

Preparation:

Offline backups availability and integrity check
Maintain and Audit golden images and build templates
Use of Infrastructure as a code to deploy images
Manage IaC in versions for audit purpose
Storing application source code or executables as backup
Removing and replacing outdated hardware
Using multi cloud solutions and maintaining cloud backups, using immutable storage solutions
Audit cloud environment
Develop and audit incident response, communication and breach notification plan
Develop Cyber incident response playbook
Build and implement Zero Trust Architecture

Prevention and Mitigating:

Develop surface discovery plan and audit attack finding
- Monitor deep web notification/credential monitoring services
Periodical vulnerability Scans (review CISA Know vulnerability list)
- External
- Internal
- VPN Infra
Periodical patch management
Assets security
- BYOD
- All devices on hybrid infrastructure
Protocol, port and service usage metrics
- RDP
Have visibility to configuration and change management
Implement MFA
Disable weak protocols
- SMB v 1 and v 2
- Audit SMB traffic
- Implement SMB signing and audit
Blocking external access
- SMB
- - TCP 445
  - UDP 137
  - UDP 138
  - TCP 139
- Implement SMB encryption with Universal Naming Convention (UNC) hardening
- Log and monitor SMB and RDP traffic

Initial Access:

Implement
- Phishing resistant MFA and password less MFA
- IAM
- PAM
Change default creds
Restrict use of root or system admin users s
Password minimum length and policies
- Password rotation
- Password management tools
Failed login attempts metrics and audit
Disabling saving passwords to browser using Group Policy
Local Administrator Password solution (LAPS)
LSASS : implement attack surface reduction rule
Windows credential guard
Use Windows PowerShell Remoting, Remote Credential Guard, or RDP with restricted

Admin Mode

Separation of admin and user accounts
Conduct security awareness training
Email attachments known bad
Disable office macros
Disable Windows Script Host (WSH)
Review malware infections
- Ex: s QakBot, Bumblebee, and Emotet
Phishing email metrics and BEC scams
- How many blocked
- How many bypassed
EDR implementation
- Windows Defender Application Control (WDAC), AppLocker
- Application allow listing
- Implement of EDR on cloud
Threat intel and feed into security stack
Security awareness training
Protective DNS
Sandboxed browsers
Monitor
- Seo poisoning
- Drive by download
- Malvertising
Restricting PowerShell usage and alerts

Keywords:

CISA

MSISAC

FBI IC3

NSA

ZTA

References:

download:

Stop Ransomware | CISA:

Cross-Sector Cybersecurity Performance Goals | CISA:

Public-Power-Cyber-Incident-Response-Playbook.pdf:

Zero Trust Maturity Model | CISA:

CSI-MITIGATING-CLOUD-VULNERABILITIES_20200121.PDF:

KB5005413: Mitigating NTLM Relay Attacks on Active Directory Certificate Services (AD CS) - Microsoft Support:

Overview of Server Message Block signing - Windows Server | Microsoft Learn:

Manage Windows Defender Credential Guard (Windows) | Microsoft Learn:

Exchange Online Protection feature details - Service Descriptions | Microsoft Learn:

CISA Insights - Cyber: Enhance Email & Web Security:

How DMARC Advances Email Security:

Malicious Domain Blocking and Reporting (MDBR):

Macros from the internet are blocked by default in Office - Deploy Office | Microsoft Learn:

CSI_Selecting a Protective DNS Service_U00117652-21.PDF:

Microsoft Office 365 Security Recommendations | CISA:

csi_keeping_powershell_security_measures_to_use_and_embrace_20220622.pdf:

Best Practices for Securing Active Directory | Microsoft Learn:

BloodHound, Software S0521 | MITRE ATT&CK®:

Securing Active Directory Administrative Groups and Accounts | Microsoft Learn:

Albert Network Monitoring and Management:

KB5005413: Mitigating NTLM Relay Attacks on Active Directory Certificate Services (AD CS) - Microsoft Support:

download:

6 Incident Response Steps to Take After a Security Event:

Election Security Spotlight – Malware Analysis:

PreviousWindows Logs NextAPT Groups

Last updated 1 year ago

Was this helpful?