
Cyberstorm Unleashed: The Exploitation of PHP Vulnerability to Deploy ShellBot
REMEDIATION
T1003 - OS Credential Dumping
For OS Credential Dumping, restrict which accounts hold the "Replicating Directory Changes" permission and its associated permissions. Add users to the "Protected Users" group in Active Directory to limit plaintext credential caching. Enable Attack Surface Reduction (ASR) rules on Windows 10 to secure LSASS and prevent credential theft. Implement Credential Guard in Windows 10 to protect LSA secrets, though it requires specific hardware and firmware. Secure Domain Controller backups and consider disabling NTLM and WDigest authentication. Use complex, unique passwords for local admin accounts across the network. Unless strictly controlled, avoid placing user or admin domain accounts in local admin groups. Enable Protected Process Light for LSA on Windows 8.1 and Server 2012 R2. Train users to avoid reusing credentials across accounts.
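The host-local LSA settings listed above (Protected Process Light, WDigest caching, Credential Guard) can be audited and, where safe, enforced with a short script. The following is an added example and not code from the report or from any vendor; the registry locations are the Microsoft-documented ones, while the function name Test-LsaHardening and the check table are assumptions made for this example. Run it in an elevated PowerShell session.

```powershell
# Added example, not from the report: audit (and optionally enforce) the host-local
# LSA protections named under T1003. Registry paths/values are the documented ones;
# the function name Test-LsaHardening and the check table are hypothetical.

$LsaKey     = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
$WDigestKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest'

# Settings the guidance calls for, with the value that satisfies each one.
$LsaChecks = @(
    [pscustomobject]@{ Control='Protected Process Light for LSA';   Path=$LsaKey;     Name='RunAsPPL';           Expected=1; Fixable=$true  }
    # UseLogonCredential is absent by default on Windows 8.1+; set it to 0 explicitly so
    # plaintext caching cannot be silently re-enabled by writing a 1.
    [pscustomobject]@{ Control='WDigest plaintext caching disabled'; Path=$WDigestKey; Name='UseLogonCredential'; Expected=0; Fixable=$true  }
    # Credential Guard needs VBS and supported hardware/firmware, so it is only reported here;
    # LsaCfgFlags reads 1 (enabled with UEFI lock) or 2 (enabled without lock) when it is on.
    [pscustomobject]@{ Control='Credential Guard (LsaCfgFlags)';     Path=$LsaKey;     Name='LsaCfgFlags';        Expected=1; Fixable=$false }
)

function Test-LsaHardening {
    param([switch]$Fix)   # without -Fix the function only reports
    foreach ($c in $LsaChecks) {
        $actual = (Get-ItemProperty -Path $c.Path -Name $c.Name -ErrorAction SilentlyContinue).($c.Name)
        $pass = if ($c.Name -eq 'LsaCfgFlags') { $actual -in 1, 2 } else { $actual -eq $c.Expected }
        if ($Fix -and $c.Fixable -and -not $pass) {
            # Create the key if it is missing, then write the DWORD the guidance requires
            if (-not (Test-Path $c.Path)) { New-Item -Path $c.Path -Force | Out-Null }
            Set-ItemProperty -Path $c.Path -Name $c.Name -Value $c.Expected -Type DWord
            $actual = $c.Expected; $pass = $true
        }
        [pscustomobject]@{ Control=$c.Control; Value=$actual; Pass=$pass; Fixable=$c.Fixable }
    }
}

# Report only; re-run with -Fix to apply RunAsPPL and UseLogonCredential (RunAsPPL takes effect after a reboot)
Test-LsaHardening | Format-Table -AutoSize
```

Credential Guard is deliberately report-only because the registry value alone does not enable it; it depends on virtualization-based security and the hardware and firmware the guidance mentions. Adding accounts to the "Protected Users" group is a directory-side change done with the Active Directory module rather than on the host, so it is not part of this host audit.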
T1027 - Obfuscated Files or Information
Deploy anti-virus software to detect and quarantine suspicious files, and utilize AMSI on Windows 10+ for command analysis. Regularly audit fileless storage locations like the Registry and WMI repository for abnormal data. Enable ASR rules on Windows 10+ to prevent obfuscated payload execution. Restrict access to software deployment systems and limit ingress points to necessary personnel.
T1056 - Input Capture & T1057 - Process Discovery
These techniques abuse legitimate system features, so preventive controls cannot easily block them without disrupting normal operation. To detect and respond to these threats, focus on continuous monitoring and a robust incident response strategy.
T1071 - Application Layer Protocol
Use network appliances to filter ingress and egress traffic, performing protocol-based filtering. Configure endpoint software to filter network traffic. Implement network intrusion detection and prevention systems with network signatures to identify malware traffic.
T1082 - System Information Discovery
Like Input Capture and Process Discovery, preventive controls cannot easily mitigate this technique. Employ continuous monitoring and a strong incident response strategy.
T1091 - Replication Through Removable Media
Enable ASR rules on Windows 10 to block unsigned or untrusted executable files from USB drives. Disable Autorun if unnecessary, and restrict removable media use at the organizational policy level. Limit the use of USB devices within the network.
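The T1003, T1027 and T1091 guidance above each point at a Microsoft Defender Attack Surface Reduction rule, and T1091 additionally at Autorun. The script below is an added example, not code from the report or from Microsoft: it reports the state of those three rules and the Autorun policy on one host and enables them when run with -Fix. The rule GUIDs are Microsoft's published ASR rule IDs; the function name Test-AsrAndAutorun and the rule labels are assumptions made for this example. It requires Defender to be the active antimalware engine and an elevated session.

```powershell
# Added example, not from the report: check and optionally enable the three Defender ASR
# rules the T1003, T1027 and T1091 guidance refers to, plus the Autorun policy.
# GUIDs are Microsoft's published ASR rule IDs; function name and labels are hypothetical.

$AsrRules = @{
    '9e6c4e1f-7d60-472f-ba1a-a39ef669e4b2' = 'Block credential stealing from lsass.exe (T1003)'
    '5beb7efe-fd9a-4556-801d-275e5ffc04cc' = 'Block execution of potentially obfuscated scripts (T1027)'
    'b2b3f03d-6a65-4f7b-a9c7-1c7ef74a9ba4' = 'Block untrusted/unsigned processes run from USB (T1091)'
}
$ExplorerPolicy = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer'

function Test-AsrAndAutorun {
    param([switch]$Fix)
    $pref = Get-MpPreference
    # Defender stores configured rules as two parallel arrays: IDs and actions (1 = Block, 2 = Audit)
    $ids     = @($pref.AttackSurfaceReductionRules_Ids | ForEach-Object { $_.ToLower() })
    $actions = @($pref.AttackSurfaceReductionRules_Actions)

    foreach ($id in $AsrRules.Keys) {
        $i = [array]::IndexOf($ids, $id)
        $mode = if ($i -ge 0) { $actions[$i] } else { 'NotConfigured' }
        if ($Fix -and $mode -ne 1) {
            Add-MpPreference -AttackSurfaceReductionRules_Ids $id -AttackSurfaceReductionRules_Actions Enabled
            $mode = 1
        }
        [pscustomobject]@{ Control=$AsrRules[$id]; State=$mode; Pass=($mode -eq 1) }
    }

    # NoDriveTypeAutoRun = 0xFF disables Autorun for every drive type (Group Policy "Turn off AutoPlay: All drives")
    $autorun = (Get-ItemProperty -Path $ExplorerPolicy -Name NoDriveTypeAutoRun -ErrorAction SilentlyContinue).NoDriveTypeAutoRun
    if ($Fix -and $autorun -ne 0xFF) {
        if (-not (Test-Path $ExplorerPolicy)) { New-Item -Path $ExplorerPolicy -Force | Out-Null }
        Set-ItemProperty -Path $ExplorerPolicy -Name NoDriveTypeAutoRun -Value 0xFF -Type DWord
        $autorun = 0xFF
    }
    [pscustomobject]@{ Control='Autorun disabled on all drive types'; State=$autorun; Pass=($autorun -eq 0xFF) }
}

# Report only; re-run with -Fix to enforce. Roll rules out in Audit mode first on a pilot group
# if you need to confirm that line-of-business scripts are not caught by the obfuscation rule.
Test-AsrAndAutorun | Format-Table -AutoSize
```

Audit mode (action 2) is useful for a pilot because it logs what the rule would have blocked without blocking it; the report's guidance is satisfied only once the rules are in Block mode (action 1), which is what the Pass column checks.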
T1112 - Modify Registry
Set proper permissions for Registry hives to prevent unauthorized key modifications that could lead to privilege escalation.
T1120 - Peripheral Device Discovery & T1547 - Boot or Logon Autostart Execution
These techniques cannot be easily mitigated with preventive controls. Implement continuous monitoring and an effective incident response strategy.
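For T1112 the guidance is to set proper permissions on Registry hives, and T1547 names the autostart locations that such permissions protect. The read-only audit below is an added example, not code from the report: it lists every principal, other than the built-in trusted ones, that holds write rights on a set of keys a defender would watch, using the common Run/RunOnce, Winlogon and Lsa keys as a constructed sample set. The function name Get-RegistryKeyWriters, the key list and the trusted-principal list are assumptions made for this example.

```powershell
# Added example, not from the report: list non-trusted principals that can write to keys
# whose modification supports T1112 / T1547. Read-only; key list and function name are
# constructed for the example.

$AuditKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce'
    'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
    'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
)

# Rights that allow changing the values or structure of a key
$WriteRights = [System.Security.AccessControl.RegistryRights]'SetValue,CreateSubKey,WriteKey,FullControl'

function Get-RegistryKeyWriters {
    param(
        [string[]]$Keys,
        [string[]]$Trusted = @('NT AUTHORITY\SYSTEM', 'BUILTIN\Administrators', 'NT SERVICE\TrustedInstaller', 'CREATOR OWNER')
    )
    foreach ($k in $Keys) {
        $acl = Get-Acl -Path $k -ErrorAction SilentlyContinue
        if (-not $acl) { Write-Warning "Cannot read ACL of $k"; continue }
        foreach ($ace in $acl.Access) {
            # Only Allow entries matter; Deny entries never grant write access
            $grantsWrite = ($ace.AccessControlType -eq 'Allow') -and
                           (([int]$ace.RegistryRights -band [int]$WriteRights) -ne 0)
            if ($grantsWrite -and ($Trusted -notcontains $ace.IdentityReference.Value)) {
                [pscustomobject]@{
                    Key       = $k
                    Principal = $ace.IdentityReference.Value
                    Rights    = $ace.RegistryRights
                    Inherited = $ace.IsInherited
                }
            }
        }
    }
}

# Any row is a principal that could plant or alter an autostart or LSA value; review and tighten the ACL
Get-RegistryKeyWriters -Keys $AuditKeys | Format-Table -AutoSize
```

On a default installation the list should be empty for HKLM keys, since standard users receive only read rights there; entries that do appear usually come from software installers that loosened an ACL, and re-running the audit after each change is a cheap form of the continuous monitoring the guidance asks for.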
T1571 - Non-Standard Port
Use network intrusion detection and prevention systems with network signatures to identify malware traffic. Configure firewalls and proxies to limit outgoing traffic to necessary ports for the network segment.
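Limiting outgoing traffic to the ports a segment needs, as the guidance recommends, can be done on the host firewall as well as on the perimeter. The script below is an added example, not code from the report: the first function installs an explicit outbound allow-list and switches the profile to default-deny outbound, and the second reports live connections to external addresses on ports outside that list, which is the host-side view of T1571 traffic. The port list is constructed for the example and the function names Set-EgressAllowList and Get-NonStandardEgress are assumptions; run it in an elevated session.

```powershell
# Added example, not from the report: (1) outbound allow-list with default-deny egress on the
# Windows Firewall, (2) report of established connections to external hosts on ports outside
# the list. Port list is constructed for the example; function names are hypothetical.

$AllowedEgress = @(
    @{ Name='Egress DNS';   Protocol='UDP'; Port=53  }
    @{ Name='Egress HTTPS'; Protocol='TCP'; Port=443 }
    @{ Name='Egress NTP';   Protocol='UDP'; Port=123 }
)

function Set-EgressAllowList {
    param([hashtable[]]$Rules, [string]$Profile = 'Domain')
    foreach ($r in $Rules) {
        # Idempotent: skip rules that already exist
        if (-not (Get-NetFirewallRule -DisplayName $r.Name -ErrorAction SilentlyContinue)) {
            New-NetFirewallRule -DisplayName $r.Name -Direction Outbound -Action Allow `
                -Protocol $r.Protocol -RemotePort $r.Port -Profile $Profile | Out-Null
        }
    }
    # Everything not explicitly allowed above is now dropped on the way out
    Set-NetFirewallProfile -Profile $Profile -DefaultOutboundAction Block
}

function Get-NonStandardEgress {
    param([int[]]$ExpectedPorts)
    Get-NetTCPConnection -State Established |
        Where-Object {
            # Ignore loopback and RFC 1918 peers; only external destinations are of interest here
            $_.RemoteAddress -notmatch '^(127\.|::1$|10\.|192\.168\.|172\.(1[6-9]|2\d|3[01])\.)' -and
            $ExpectedPorts -notcontains $_.RemotePort
        } |
        ForEach-Object {
            $proc = Get-Process -Id $_.OwningProcess -ErrorAction SilentlyContinue
            [pscustomobject]@{
                Remote  = "$($_.RemoteAddress):$($_.RemotePort)"
                Process = $proc.ProcessName
                Pid     = $_.OwningProcess
                Path    = $proc.Path
            }
        }
}

# Review the report first; enforce the allow-list only once nothing legitimate shows up in it
Get-NonStandardEgress -ExpectedPorts ($AllowedEgress.Port) | Format-Table -AutoSize
# Set-EgressAllowList -Rules $AllowedEgress -Profile Domain
```

Running the report before enforcing matters: a default-deny outbound policy on the Domain profile will also cut update, telemetry and management traffic that is not on the list, so the report doubles as the inventory of ports the segment genuinely uses. Once enforced, any process in the report is either a missing business need or the kind of non-standard-port beaconing this technique describes, and the Process and Path columns give the responder a starting point.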
By implementing these targeted remediations, organizations can enhance their security posture and protect against various cyber attack techniques.