Ransomware, and malware in general, are harder to detect and defend against than ever before. Understand the threat and what can be done to mitigate it.
Sorebrecht is an example of the type of threat that many organizations are now trying to find an effective way to mitigate.
Much fileless ransomware and malware moves laterally across systems, using Mimikatz to harvest credentials and injecting its malicious code into otherwise legitimate processes.
Setting up logging and analysis of events such as 4798 and 4799 takes a great deal of effort.
But getting that system in place is becoming a necessity even in the smallest organizations, because of the impact of the malware and because there is no other way to detect its activity.
Sorebrecht is also extremely stealthy in that it deletes traces of its activity and presence.
It is worth noting that the source of the infection could have been completely stopped by a few measures:
- Using LAPS on the network
- Preventing the compromise of domain admin credentials by NOT allowing domain admin credentials to log on to non-servers
- Restricting WMI and WinRM at the server level so that they are disabled unless the traffic comes from an appropriate source. There is no reason for inbound WMI and WinRM traffic to reach servers from non-server or non-management subnets. This is all the MORE reason why your network must be segmented and properly designed.
Credentials on remote systems can be brute-forced if there is no account lockout and/or no tracking of account logon failures.
Use of MFA can eliminate this threat.
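The post recommends tracking account logon failures and analyzing events 4798 and 4799 but does not show how. The following PowerShell is an added example, not code from the original post: it reads the local Security log, groups failed logons (event 4625) by source address so that a brute-force burst stands out, and summarizes local group membership enumeration (4798 for a user's membership, 4799 for a security-enabled group) by the calling account and process. It assumes an elevated session on the host being checked; the look-back window and failure threshold are assumptions you should tune.

```powershell
# Added example (not from the original post). Summarize the Security-log
# events the post says are worth tracking. Run elevated; event IDs:
# 4625 = failed logon, 4798 = user's local group membership enumerated,
# 4799 = security-enabled local group membership enumerated.

$Hours            = 24   # look-back window (assumption)
$FailureThreshold = 20   # failed logons from one source before we flag it (assumption)
$since            = (Get-Date).AddHours(-$Hours)

# Turn the EventData section of an event into a name -> value hashtable.
function ConvertTo-EventData($Event) {
    $x = [xml]$Event.ToXml()
    $d = @{}
    foreach ($n in $x.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
    return $d
}

# 1. Failed logons grouped by source address; many failures against many
#    accounts from one address is the brute-force pattern to alert on.
$failed = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4625; StartTime = $since } `
                       -ErrorAction SilentlyContinue |
    ForEach-Object {
        $d = ConvertTo-EventData $_
        [pscustomobject]@{
            Time        = $_.TimeCreated
            TargetUser  = $d['TargetUserName']
            SourceIp    = $d['IpAddress']
            LogonType   = $d['LogonType']      # 10 = RDP, 3 = network (SMB/WinRM/WMI)
            Workstation = $d['WorkstationName']
        }
    }

"== Sources with $FailureThreshold or more failed logons in the last $Hours h =="
$failed | Group-Object SourceIp | Where-Object Count -ge $FailureThreshold |
    Sort-Object Count -Descending |
    Select-Object @{ n = 'SourceIp'; e = { $_.Name } }, Count,
                  @{ n = 'Accounts'; e = { ($_.Group.TargetUser | Sort-Object -Unique) -join ',' } } |
    Format-Table -AutoSize

# 2. Group membership enumeration, grouped by who asked and from which process.
#    Expect a handful of known admin tools; anything else is worth a look.
"== Local group membership enumeration (4798/4799) by caller and process =="
Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4798, 4799; StartTime = $since } `
             -ErrorAction SilentlyContinue |
    ForEach-Object {
        $d = ConvertTo-EventData $_
        [pscustomobject]@{
            Time    = $_.TimeCreated
            Id      = $_.Id
            Caller  = "$($d['SubjectDomainName'])\$($d['SubjectUserName'])"
            Process = $d['CallerProcessName']
            Target  = $d['TargetUserName']     # user (4798) or group (4799) that was enumerated
        }
    } |
    Group-Object Caller, Process | Sort-Object Count -Descending |
    Format-Table Count, Name -AutoSize
```

Both queries are cheap enough to run from a scheduled task on each server and ship the two tables to a central collector; the 4625 grouping is what account lockout policy reacts to automatically, while 4798/4799 have no built-in response and need a human or a SIEM rule to read them.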
RDP, as well as PsExec, can also be used to install malware using compromised credentials.
RDP from non-management LANs should not be allowed.
As an admin, you need to restrict access to these entry points by IP range at the host-based firewall level.
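The host-based firewall restriction described here, and the earlier point about only accepting WMI and WinRM from a management subnet, can both be expressed with the Windows Defender Firewall cmdlets. The script below is an added example, not code from the original post: it scopes the built-in inbound rule groups for WMI, WinRM and Remote Desktop to a management subnet, makes sure the default inbound action is Block so that nothing unscoped slips through, and then audits for any remaining enabled allow rule on the management ports that is still open to Any. The subnet 10.10.250.0/24 is a placeholder assumption; run it elevated on a member server.

```powershell
# Added example (not from the original post). Scope inbound management
# protocols on a server to a management subnet with the built-in firewall
# cmdlets, then audit for anything left open. Run elevated.

$ManagementSubnet = '10.10.250.0/24'   # placeholder assumption: your management LAN

# Built-in rule groups that carry WMI (DCOM/RPC), WinRM (5985/5986) and
# RDP (3389) inbound traffic on Windows Server.
$groups = @(
    'Windows Management Instrumentation (WMI)',
    'Windows Remote Management',
    'Remote Desktop'
)

foreach ($g in $groups) {
    # Every inbound rule in the group now only matches the management subnet.
    # The local firewall is the last line of defence if the network ACLs fail.
    Get-NetFirewallRule -DisplayGroup $g -Direction Inbound -ErrorAction Stop |
        Set-NetFirewallRule -RemoteAddress $ManagementSubnet -Enabled True
}

# Scoping the allow rules only helps when unmatched inbound traffic is
# dropped by default on every profile.
Set-NetFirewallProfile -Name Domain, Private, Public -DefaultInboundAction Block

# Audit: any enabled inbound allow rule for the management ports that still
# accepts traffic from 'Any' would undo the scoping above, so list them.
function Get-UnscopedManagementRule {
    $mgmtPorts = '3389', '5985', '5986', '135', 'RPC'   # RDP, WinRM, DCOM endpoint mapper, RPC dynamic
    Get-NetFirewallRule -Direction Inbound -Action Allow -Enabled True |
        ForEach-Object {
            $rule = $_
            $port = $rule | Get-NetFirewallPortFilter
            $addr = $rule | Get-NetFirewallAddressFilter
            $hitsPort = @($port.LocalPort | Where-Object { $_ -in $mgmtPorts }).Count -gt 0
            if ($hitsPort -and ($addr.RemoteAddress -contains 'Any')) {
                [pscustomobject]@{
                    Rule       = $rule.DisplayName
                    Group      = $rule.DisplayGroup
                    LocalPort  = ($port.LocalPort -join ',')
                    RemoteAddr = ($addr.RemoteAddress -join ',')
                }
            }
        }
}

"== Inbound allow rules on management ports still open to Any =="
Get-UnscopedManagementRule | Format-Table -AutoSize
```

The audit function is the part worth keeping in a compliance check: a product installer or a well-meaning colleague can add a broad allow rule at any time, and because it lists rules rather than traffic it runs in seconds on any server. Restricting which hosts domain admin credentials may log on to is a separate control (user rights assignment in Group Policy) and is not covered by this script.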
The Rise of Fileless Threats that Abuse PowerShell
Enable PowerShell Logging - Heading Off Malicious Code
Enabling PowerShell Logging
Windows PowerShell - Heading Off Malicious Code
Hardening via execution policies
Network solutions to ransomware - stopping and containing its spread
- Command and control