A quick review of detection, prevention and response for last year's most common threats, based on Red Canary's reports

ReZa AdineH
Mar 26, 2023


1. T1059.003: Windows Command Shell

Detection:

  • Monitor for command shell activity, particularly for unusual or unauthorized commands.
  • Monitor for the use of known malicious command-line arguments.
  • Monitor for the execution of commands from suspicious or unexpected locations.

Prevention:

  • Limit access to the command shell to only authorized users.
  • Use whitelisting to restrict the execution of commands from unauthorized locations.
  • Use endpoint detection and response (EDR) tools to monitor and block suspicious activity.

Response:

  • Disable any compromised accounts or systems to prevent further damage.
  • Collect and analyze logs to identify the extent of the attack.
  • Restore affected systems from known-good backups.

2. T1059.001: PowerShell

Detection:

  • Monitor for PowerShell activity, particularly for unusual or unauthorized commands.
  • Monitor for the use of known malicious PowerShell scripts or modules.
  • Monitor for the use of PowerShell to download or execute suspicious files.

Prevention:

  • Limit access to PowerShell to only authorized users.
  • Use whitelisting to restrict the execution of PowerShell scripts or modules.
  • Use EDR tools to monitor and block suspicious activity.

Response:

  • Disable any compromised accounts or systems to prevent further damage.
  • Collect and analyze logs to identify the extent of the attack.
  • Restore affected systems from known-good backups.

3. T1047: Windows Management Instrumentation

Detection:

  • Monitor for WMI activity, particularly for unusual or unauthorized commands.
  • Monitor for the use of known malicious WMI queries or scripts.
  • Monitor for the use of WMI to download or execute suspicious files.

Prevention:

  • Limit access to WMI to only authorized users.
  • Use whitelisting to restrict the execution of WMI queries or scripts.
  • Use EDR tools to monitor and block suspicious activity.

Response:

  • Disable any compromised accounts or systems to prevent further damage.
  • Collect and analyze logs to identify the extent of the attack.
  • Restore affected systems from known-good backups.
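The detection bullets for sections 1 to 3 all reduce to inspecting process-creation telemetry: which interpreter ran, what launched it, and which arguments it was given. The script below is an added example, not code from the original post or from Red Canary. It applies those checks to a few constructed records shaped like Sysmon Event ID 1 (Image, ParentImage, CommandLine). The suspicious-parent list, the sample records and the decoding of -EncodedCommand payloads are illustration choices and assumptions, not a vetted rule set.

```python
import base64
import binascii
import re

# Interpreters that T1059.003, T1059.001 and (via WmiPrvSE.exe) T1047 execute through.
SHELLS = {"cmd.exe", "powershell.exe", "pwsh.exe"}

# Parents that have no business launching a shell. WmiPrvSE.exe is the WMI
# provider host, so a shell under it means the command was issued through WMI.
# Assumed list for illustration; extend it from your own process baseline.
SUSPICIOUS_PARENTS = {"winword.exe", "excel.exe", "outlook.exe", "mshta.exe", "wmiprvse.exe"}

# PowerShell accepts any unambiguous prefix of -EncodedCommand; the payload is
# base64 of a UTF-16LE string.
ENCODED_FLAG = re.compile(r"(?i)(?:^|\s)-(?:e|ec|enc|encodedcommand)\s+([A-Za-z0-9+/=]{20,})")


def basename(path: str) -> str:
    """Return the lower-cased file name part of a Windows path."""
    return path.rsplit("\\", 1)[-1].lower()


def decode_encoded_command(cmdline: str):
    """Return the decoded -EncodedCommand payload, or None if absent or malformed."""
    m = ENCODED_FLAG.search(cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16le")
    except (binascii.Error, UnicodeDecodeError, ValueError):
        return None


def analyze_process_event(ev: dict) -> list:
    """Return the reasons one process-creation record is suspicious (empty if none)."""
    image = basename(ev["Image"])
    parent = basename(ev["ParentImage"])
    reasons = []
    if image in SHELLS and parent in SUSPICIOUS_PARENTS:
        reasons.append(f"{image} spawned by {parent}")
    if image in {"powershell.exe", "pwsh.exe"}:
        decoded = decode_encoded_command(ev["CommandLine"])
        if decoded is not None:
            reasons.append(f"encoded PowerShell command decodes to: {decoded!r}")
    return reasons


def scan(events: list) -> dict:
    """Map the index of every flagged record to its list of reasons."""
    flagged = {}
    for i, ev in enumerate(events):
        reasons = analyze_process_event(ev)
        if reasons:
            flagged[i] = reasons
    return flagged


# Constructed sample records mimicking Sysmon Event ID 1 fields (not real telemetry).
ENCODED_SAMPLE = base64.b64encode("Get-Process".encode("utf-16le")).decode()
SAMPLE_EVENTS = [
    {"Image": r"C:\Windows\System32\cmd.exe", "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": r"cmd.exe /c dir C:\Users"},
    {"Image": r"C:\Windows\System32\cmd.exe",
     "ParentImage": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "CommandLine": r"cmd.exe /c C:\Users\alice\AppData\Local\Temp\run.bat"},
    {"Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "ParentImage": r"C:\Windows\System32\wbem\WmiPrvSE.exe",
     "CommandLine": "powershell.exe -NoProfile -enc " + ENCODED_SAMPLE},
    {"Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "ParentImage": r"C:\Windows\System32\svchost.exe",
     "CommandLine": r"powershell.exe -File C:\Scripts\backup.ps1"},
]

if __name__ == "__main__":
    for index, reasons in scan(SAMPLE_EVENTS).items():
        print(f"event {index}: " + "; ".join(reasons))
```

A shell under WmiPrvSE.exe is the process-tree signature of a command issued through WMI, and decoding the -EncodedCommand payload turns a bare alert into something an analyst can read. The parent list is the part that needs tuning against the fleet baseline before the rule is allowed to page anyone.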

4. T1027: Obfuscated Files or Information

Detection:

  • Use advanced security tools to detect and analyze obfuscated code or files.
  • Monitor for suspicious file activity, particularly for files with unusual file extensions or encryption.
  • Monitor for the use of known malicious obfuscation techniques.

Prevention:

  • Use EDR tools to detect and block suspicious file activity.
  • Use advanced security tools that can detect and analyze obfuscated code or files.
  • Use employee training to raise awareness of the risks associated with obfuscated files.

Response:

  • Disable any compromised accounts or systems to prevent further damage.
  • Collect and analyze logs to identify the extent of the attack.
  • Restore affected systems from known-good backups.
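"Advanced security tools to detect obfuscated code" is vague unless you know what such a tool actually measures. The script below is an added example, not code from the original post or from Red Canary. It scores a command line on three simple signals: Shannon entropy of the characters, the share of escape and concatenation glue characters (cmd.exe carets, PowerShell backticks, quote-plus-quote joins), and the presence of a long base64-looking token. The thresholds and the sample command lines are assumptions for illustration and must be tuned against a baseline of your own environment's command lines.

```python
import base64
import math
import re

# Thresholds are assumptions for illustration; tune them against your own baseline.
ENTROPY_THRESHOLD = 4.6        # bits per character; ordinary command lines sit well below this
ESCAPE_RATIO_THRESHOLD = 0.12  # share of characters that are escape or concatenation glue
LONG_TOKEN_LENGTH = 40         # a base64-looking run at least this long

# Characters used to break up or reassemble strings: cmd.exe caret escapes,
# PowerShell backtick escapes, and quote/plus pairs for string concatenation.
GLUE_CHARS = set("^`+'")
BASE64_TOKEN = re.compile(r"[A-Za-z0-9+/]{%d,}={0,2}" % LONG_TOKEN_LENGTH)


def shannon_entropy(text: str) -> float:
    """Shannon entropy of the character distribution, in bits per character."""
    if not text:
        return 0.0
    counts = {}
    for ch in text:
        counts[ch] = counts.get(ch, 0) + 1
    n = len(text)
    return -sum((c / n) * math.log2(c / n) for c in counts.values())


def glue_ratio(text: str) -> float:
    """Fraction of characters that are escape or concatenation glue."""
    if not text:
        return 0.0
    return sum(1 for ch in text if ch in GLUE_CHARS) / len(text)


def assess(cmdline: str) -> dict:
    """Score one command line and list which obfuscation signals fired."""
    entropy = shannon_entropy(cmdline)
    ratio = glue_ratio(cmdline)
    reasons = []
    if entropy > ENTROPY_THRESHOLD:
        reasons.append("high_entropy")
    if ratio > ESCAPE_RATIO_THRESHOLD:
        reasons.append("escape_ratio")
    if BASE64_TOKEN.search(cmdline):
        reasons.append("long_token")
    return {"entropy": round(entropy, 2), "glue_ratio": round(ratio, 3), "reasons": reasons}


def is_obfuscated(cmdline: str) -> bool:
    return bool(assess(cmdline)["reasons"])


# Constructed sample command lines (not captured telemetry).
ENCODED_SAMPLE = "powershell.exe -enc " + base64.b64encode(
    "Write-Output hello".encode("utf-16le")).decode()
SAMPLES = [
    r"cmd.exe /c dir C:\Users",                      # plain
    r"cmd.exe /c p^o^w^e^r^s^h^e^l^l -nop",          # caret-broken token
    "powershell.exe -c ('Ge'+'t-Pr'+'oc'+'ess')",    # string concatenation
    ENCODED_SAMPLE,                                  # long base64 payload
]

if __name__ == "__main__":
    for sample in SAMPLES:
        print(assess(sample), sample)
```

Entropy alone is a weak signal (a long base64 blob and a long list of file paths can score alike), which is why the glue-character ratio and the token-length check sit beside it; each signal catches a different obfuscation style, and an analyst sees which one fired.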

5. T1218.011: Rundll32

Detection:

  • Monitor for Rundll32 activity, particularly for unusual or unauthorized commands.
  • Monitor for the use of known malicious Rundll32 commands or arguments.
  • Monitor for the use of Rundll32 to download or execute suspicious files.

Prevention:

  • Limit access to Rundll32 to only authorized users.
  • Use whitelisting to restrict the execution of Rundll32 commands or arguments.
  • Use EDR tools to monitor and block suspicious activity.

Response:

  • Disable any compromised accounts or systems to prevent further damage.
  • Collect and analyze logs to identify the extent of the attack.
  • Restore affected systems from known-good backups.

6. T1105: Ingress Tool Transfer

Detection:

  • Monitor for suspicious file activity, particularly for files with known malicious file extensions.
  • Use advanced security tools to detect and block known malicious files.
  • Monitor for file transfers over channels that attackers commonly abuse, such as FTP or SSH.

Prevention:

  • Use EDR tools to detect and block known malicious files.
  • Implement network segmentation to limit the spread of attacks.
  • Use employee training to raise awareness of the risks associated with file transfers.

Response:

  • Disable any compromised accounts or systems to prevent further damage.
  • Collect and analyze logs to identify the extent of the attack.
  • Restore affected systems from known-good backups.

7. T1055: Process Injection

Detection:

  • Monitor for suspicious process activity, particularly for processes that are injecting code into other processes.
  • Monitor for the use of known malicious injection techniques.
  • Monitor for the use of known malicious DLLs.

Prevention:

  • Use EDR tools to detect and block suspicious process activity.
  • Use application control or whitelisting to prevent the execution of known malicious DLLs.
  • Use employee training to raise awareness of the risks associated with process injection.

Response:

  • Disable any compromised accounts or systems to prevent further damage.
  • Collect and analyze logs to identify the extent of the attack.
  • Restore affected systems from known-good backups.
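"Processes that are injecting code into other processes" is visible in telemetry as a thread created by one process inside another, which Sysmon records as Event ID 8 (CreateRemoteThread). The script below is an added example, not code from the original post or from Red Canary. It flags three signals over constructed records using Sysmon's field names: a remote thread whose start address is backed by no loaded module, a remote thread that starts on LoadLibrary (the classic DLL-injection entry point), and a source binary running from a user-writable path. The allowlist and the sample records are assumptions for illustration.

```python
# Windows components that legitimately create threads in other processes.
# Assumed starting allowlist; derive yours from a baseline, not from this list.
ALLOWED_SOURCES = {"csrss.exe", "wininit.exe", "services.exe"}

# Thread entry points typical of DLL injection: the remote thread starts on
# LoadLibrary with a DLL path as its argument.
LOADER_ENTRYPOINTS = {"loadlibrarya", "loadlibraryw"}


def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def analyze_remote_thread(ev: dict) -> list:
    """Return reasons a CreateRemoteThread record looks like injection (empty if benign)."""
    source = basename(ev["SourceImage"])
    target = basename(ev["TargetImage"])
    reasons = []
    if ev["SourceProcessId"] == ev["TargetProcessId"]:
        return reasons          # a thread in its own process is not cross-process injection
    if source in ALLOWED_SOURCES:
        return reasons
    # Sysmon logs "-" for StartModule when no loaded module covers the start address.
    if ev.get("StartModule", "") in ("", "-"):
        reasons.append(f"{source} started a thread in {target} at an address backed by no loaded module")
    if ev.get("StartFunction", "").lower() in LOADER_ENTRYPOINTS:
        reasons.append(f"{source} started a thread in {target} at {ev['StartFunction']} (DLL load)")
    if "\\users\\" in ev["SourceImage"].lower():
        reasons.append(f"source binary runs from a user-writable path: {ev['SourceImage']}")
    return reasons


def scan(events: list) -> dict:
    """Map the index of every flagged record to its list of reasons."""
    flagged = {}
    for i, ev in enumerate(events):
        reasons = analyze_remote_thread(ev)
        if reasons:
            flagged[i] = reasons
    return flagged


# Constructed sample records shaped like Sysmon Event ID 8 (not real telemetry).
SAMPLE_EVENTS = [
    {"SourceImage": r"C:\Windows\System32\csrss.exe", "SourceProcessId": 612,
     "TargetImage": r"C:\Windows\System32\notepad.exe", "TargetProcessId": 4120,
     "StartModule": r"C:\Windows\System32\ntdll.dll", "StartFunction": ""},
    {"SourceImage": r"C:\Users\alice\AppData\Local\Temp\update.exe", "SourceProcessId": 5520,
     "TargetImage": r"C:\Windows\explorer.exe", "TargetProcessId": 3180,
     "StartModule": "-", "StartFunction": ""},
    {"SourceImage": r"C:\Program Files\Vendor\agent.exe", "SourceProcessId": 2200,
     "TargetImage": r"C:\Windows\System32\notepad.exe", "TargetProcessId": 4120,
     "StartModule": r"C:\Windows\System32\KERNEL32.DLL", "StartFunction": "LoadLibraryW"},
    {"SourceImage": r"C:\Windows\System32\svchost.exe", "SourceProcessId": 900,
     "TargetImage": r"C:\Windows\System32\svchost.exe", "TargetProcessId": 900,
     "StartModule": r"C:\Windows\System32\ntdll.dll", "StartFunction": ""},
]

if __name__ == "__main__":
    for index, reasons in scan(SAMPLE_EVENTS).items():
        print(f"event {index}: " + "; ".join(reasons))
```

Legitimate software (debuggers, some endpoint agents) does create remote threads, so the allowlist is what keeps this rule quiet; the unbacked-start-address signal is the one that survives tuning best, because ordinary code has a module behind it.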

8. T1569.002: Service Execution

Detection:

  • Monitor for the creation of new services, particularly for those with unusual or unauthorized names.
  • Monitor for the use of known malicious services.
  • Monitor for changes to service settings or configurations.

Prevention:

  • Use EDR tools to detect and block the creation of unauthorized services.
  • Use application control or whitelisting to prevent the execution of known malicious services.
  • Use employee training to raise awareness of the risks associated with service execution.

Response:

  • Disable any compromised accounts or systems to prevent further damage.
  • Collect and analyze logs to identify the extent of the attack.
  • Restore affected systems from known-good backups.
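Service creation lands in the System log as Event ID 7045, which carries the service name and its ImagePath. The script below is an added example, not code from the original post or from Red Canary. It checks two things the "unusual or unauthorized" bullets above leave implicit: whether the service binary lives outside the directories services normally install to, and whether the binary is itself a command interpreter (a service whose ImagePath is cmd.exe runs a one-off command rather than a daemon). The trusted-directory list, the environment-variable expansions and the sample records are assumptions for illustration.

```python
import re

# First token of a Windows command line: a quoted path or a run of non-space characters.
FIRST_TOKEN = re.compile(r'\s*(?:"([^"]*)"|(\S+))')

# Directories a service binary is expected to live in. Assumed list; extend it
# with your own vendors' install roots before alerting.
TRUSTED_PREFIXES = (
    "c:\\windows\\system32\\",
    "c:\\windows\\syswow64\\",
    "c:\\program files\\",
    "c:\\program files (x86)\\",
)

# Interpreters that should never be a service's own binary.
INTERPRETERS = {"cmd.exe", "powershell.exe", "pwsh.exe", "rundll32.exe",
                "regsvr32.exe", "mshta.exe", "wscript.exe", "cscript.exe"}

# Environment variables commonly used in ImagePath, expanded to their usual values (assumed).
ENV_ALIASES = {
    "%comspec%": "c:\\windows\\system32\\cmd.exe",
    "%systemroot%": "c:\\windows",
    "%windir%": "c:\\windows",
}


def service_binary(image_path: str) -> str:
    """Return the lower-cased executable path from a service ImagePath."""
    m = FIRST_TOKEN.match(image_path)
    exe = (m.group(1) or m.group(2) or "") if m else ""
    exe = exe.lower()
    for var, value in ENV_ALIASES.items():
        exe = exe.replace(var, value)
    return exe


def analyze_service_install(ev: dict) -> list:
    """Return reasons a service-install record (Event ID 7045 fields) is suspicious."""
    exe = service_binary(ev["ImagePath"])
    name = exe.rsplit("\\", 1)[-1]
    reasons = []
    if name in INTERPRETERS:
        reasons.append(f"service '{ev['ServiceName']}' uses an interpreter as its binary: {name}")
    if exe and not exe.startswith(TRUSTED_PREFIXES):
        reasons.append(f"service '{ev['ServiceName']}' binary outside trusted directories: {exe}")
    return reasons


def scan(events: list) -> dict:
    """Map the index of every flagged record to its list of reasons."""
    flagged = {}
    for i, ev in enumerate(events):
        reasons = analyze_service_install(ev)
        if reasons:
            flagged[i] = reasons
    return flagged


# Constructed sample records shaped like System log Event ID 7045 (not real telemetry).
SAMPLE_EVENTS = [
    {"ServiceName": "VendorUpdater", "ImagePath": '"C:\\Program Files\\Vendor\\updater.exe" --service',
     "ServiceType": "user mode service", "StartType": "auto start", "AccountName": "LocalSystem"},
    {"ServiceName": "Spooler2", "ImagePath": "%SystemRoot%\\System32\\svchost.exe -k netsvcs",
     "ServiceType": "user mode service", "StartType": "auto start", "AccountName": "LocalSystem"},
    {"ServiceName": "WinUpdt", "ImagePath": "C:\\Users\\Public\\svc.exe",
     "ServiceType": "user mode service", "StartType": "demand start", "AccountName": "LocalSystem"},
    {"ServiceName": "RemoteExec", "ImagePath": "%COMSPEC% /c C:\\Windows\\Temp\\run.bat",
     "ServiceType": "user mode service", "StartType": "demand start", "AccountName": "LocalSystem"},
]

if __name__ == "__main__":
    for index, reasons in scan(SAMPLE_EVENTS).items():
        print(f"event {index}: " + "; ".join(reasons))
```

Expanding %COMSPEC% before looking at the file name matters: the interpreter check is the one that would otherwise be bypassed by writing the path through an environment variable, and it is also the check that catches remote-execution tooling that installs a throwaway service to run a single command.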

9. T1036.003: Rename System Utilities

Detection:

  • Monitor for changes to the names or locations of system utilities, particularly those commonly used by attackers.
  • Monitor for the use of known malicious system utilities.
  • Monitor for suspicious activity associated with system utilities.

Prevention:

  • Use EDR tools to detect and block suspicious activity associated with system utilities.
  • Use application control or whitelisting to prevent the execution of known malicious system utilities.
  • Use employee training to raise awareness of the risks associated with system utility renaming.

Response:

  • Disable any compromised accounts or systems to prevent further damage.
  • Collect and analyze logs to identify the extent of the attack.
  • Restore affected systems from known-good backups.
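Sections 5 and 9 share one telemetry source: Sysmon Event ID 1 records both the on-disk image name and the OriginalFileName stored in the binary's version resource, so a renamed copy of a system utility gives itself away by the mismatch, and the command line shows what rundll32 was asked to load. The script below is an added example, not code from the original post or from Red Canary. It flags renamed utilities, rundll32 launched with no DLL argument, and rundll32 loading a DLL by full path from outside the trusted directories. The exemption set, the trusted-directory list and the sample records are assumptions for illustration.

```python
import re

# First token of a Windows command line plus the whitespace after it.
FIRST_TOKEN = re.compile(r'\s*(?:"([^"]*)"|(\S+))\s*')

# (image basename, OriginalFileName) pairs known to differ legitimately in your
# fleet. Deliberately empty here: populate it from a baseline, not by guessing.
EXEMPT_MISMATCHES = set()

# Directories rundll32 is expected to load DLLs from (assumed list).
TRUSTED_DLL_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\",
                    "c:\\program files\\", "c:\\program files (x86)\\")


def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def split_first_token(cmdline: str):
    """Return (first token without quotes, remainder) of a Windows command line."""
    m = FIRST_TOKEN.match(cmdline)
    if not m or not (m.group(1) or m.group(2)):
        return "", ""
    return (m.group(1) or m.group(2)), cmdline[m.end():]


def rundll32_dll_argument(cmdline: str) -> str:
    """Return the DLL path rundll32 was asked to load, or '' if it was given none."""
    _, rest = split_first_token(cmdline)
    if not rest:
        return ""
    dll, _ = split_first_token(rest)
    return dll.split(",")[0]      # the entry point follows the DLL after a comma


def is_renamed(ev: dict) -> bool:
    """True when the on-disk name differs from the PE's own OriginalFileName."""
    original = ev.get("OriginalFileName", "").lower()
    if original in ("", "-", "?"):   # no version resource: nothing to compare against
        return False
    image = basename(ev["Image"])
    return image != original and (image, original) not in EXEMPT_MISMATCHES


def analyze_process_event(ev: dict) -> list:
    """Return reasons one process-creation record is suspicious (empty if none)."""
    reasons = []
    image = basename(ev["Image"])
    original = ev.get("OriginalFileName", "").lower()
    if is_renamed(ev):
        reasons.append(f"{image} is a renamed copy of {original}")
    if original == "rundll32.exe":
        dll = rundll32_dll_argument(ev["CommandLine"]).lower()
        if not dll:
            reasons.append("rundll32 launched without a DLL argument")
        # Bare names such as shell32.dll resolve through the DLL search path and
        # need a separate rule; only full paths are checked against the trusted list.
        elif "\\" in dll and not dll.startswith(TRUSTED_DLL_DIRS):
            reasons.append(f"rundll32 loading a DLL from outside trusted directories: {dll}")
    return reasons


def scan(events: list) -> dict:
    """Map the index of every flagged record to its list of reasons."""
    flagged = {}
    for i, ev in enumerate(events):
        reasons = analyze_process_event(ev)
        if reasons:
            flagged[i] = reasons
    return flagged


# Constructed sample records shaped like Sysmon Event ID 1 (not real telemetry).
SAMPLE_EVENTS = [
    {"Image": r"C:\Windows\System32\rundll32.exe", "OriginalFileName": "RUNDLL32.EXE",
     "CommandLine": r'"C:\Windows\System32\rundll32.exe" C:\Windows\System32\shell32.dll,Control_RunDLL'},
    {"Image": r"C:\Users\Public\svchost.exe", "OriginalFileName": "RUNDLL32.EXE",
     "CommandLine": r"svchost.exe C:\Users\Public\helper.dll,Start"},
    {"Image": r"C:\Windows\System32\rundll32.exe", "OriginalFileName": "RUNDLL32.EXE",
     "CommandLine": "rundll32.exe"},
    {"Image": r"C:\Windows\System32\notepad.exe", "OriginalFileName": "NOTEPAD.EXE",
     "CommandLine": r"notepad.exe C:\Users\alice\notes.txt"},
    {"Image": r"C:\Users\alice\Music\calc.exe", "OriginalFileName": "PowerShell.EXE",
     "CommandLine": "calc.exe -NoProfile"},
]

if __name__ == "__main__":
    for index, reasons in scan(SAMPLE_EVENTS).items():
        print(f"event {index}: " + "; ".join(reasons))
```

Comparing against OriginalFileName rather than a list of "bad" names is what makes the rename check hold up: the attacker chooses the on-disk name, but not the version resource compiled into the binary. Some legitimate Microsoft binaries do carry an OriginalFileName that differs from their file name, which is what the exemption set is for.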

10. T1003.001: LSASS Memory

Detection:

  • Monitor for suspicious LSASS activity, particularly for processes attempting to dump LSASS memory.
  • Monitor for the use of known malicious tools or scripts used to extract LSASS memory.
  • Monitor for the use of LSASS memory in authentication bypass or credential theft attacks.

Prevention:

  • Use EDR tools to detect and block suspicious LSASS activity.
  • Use application control or whitelisting to prevent the execution of known malicious tools or scripts.
  • Use employee training to raise awareness of the risks associated with LSASS memory attacks.

Response:

  • Disable any compromised accounts or systems to prevent further damage.
  • Collect and analyze logs to identify the extent of the attack.
  • Implement credential rotation and other security measures to prevent credential theft attacks.
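"Processes attempting to dump LSASS memory" shows up in telemetry as a handle to lsass.exe opened with memory-reading rights, which Sysmon records as Event ID 10 (ProcessAccess) together with the granted access mask and the caller's call stack. The script below is an added example, not code from the original post or from Red Canary. The access-right constants are the Windows SDK values (PROCESS_VM_OPERATION 0x8, PROCESS_VM_READ 0x10, PROCESS_VM_WRITE 0x20); the source allowlist and the sample records are assumptions for illustration.

```python
# Process access rights from the Windows SDK.
PROCESS_VM_OPERATION = 0x0008
PROCESS_VM_READ = 0x0010
PROCESS_VM_WRITE = 0x0020
MEMORY_ACCESS_MASK = PROCESS_VM_OPERATION | PROCESS_VM_READ | PROCESS_VM_WRITE

# Processes that read LSASS memory as part of their job (the Defender engine,
# core system processes). Assumed starting allowlist; derive yours from a baseline.
ALLOWED_SOURCES = {"msmpeng.exe", "csrss.exe", "wininit.exe", "lsass.exe"}


def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def parse_access(granted: str) -> int:
    """GrantedAccess is logged as a hex string such as '0x1010'."""
    return int(granted, 16)


def analyze_lsass_access(ev: dict) -> list:
    """Return reasons a ProcessAccess record against lsass.exe is suspicious (empty if none)."""
    if basename(ev["TargetImage"]) != "lsass.exe":
        return []
    source = basename(ev["SourceImage"])
    if source in ALLOWED_SOURCES:
        return []
    reasons = []
    if parse_access(ev["GrantedAccess"]) & MEMORY_ACCESS_MASK:
        reasons.append(f"{source} opened lsass.exe with memory access rights "
                       f"(GrantedAccess={ev['GrantedAccess']})")
    # A call-stack frame not backed by any loaded module is logged as UNKNOWN;
    # legitimate tooling almost never opens LSASS from such code.
    if "UNKNOWN" in ev.get("CallTrace", ""):
        reasons.append(f"{source} opened lsass.exe from an unbacked call-stack frame")
    return reasons


def scan(events: list) -> dict:
    """Map the index of every flagged record to its list of reasons."""
    flagged = {}
    for i, ev in enumerate(events):
        reasons = analyze_lsass_access(ev)
        if reasons:
            flagged[i] = reasons
    return flagged


# Constructed sample records shaped like Sysmon Event ID 10 (not real telemetry).
LSASS = r"C:\Windows\System32\lsass.exe"
SAMPLE_EVENTS = [
    {"SourceImage": r"C:\Windows\System32\svchost.exe", "TargetImage": LSASS,
     "GrantedAccess": "0x1000",
     "CallTrace": r"C:\Windows\SYSTEM32\ntdll.dll+9d2e4|C:\Windows\System32\KERNELBASE.dll+2d9fc"},
    {"SourceImage": r"C:\ProgramData\Microsoft\Windows Defender\Platform\4.18\MsMpEng.exe",
     "TargetImage": LSASS, "GrantedAccess": "0x1FFFFF",
     "CallTrace": r"C:\Windows\SYSTEM32\ntdll.dll+9d2e4"},
    {"SourceImage": r"C:\Users\alice\Downloads\tool.exe", "TargetImage": LSASS,
     "GrantedAccess": "0x1010",
     "CallTrace": r"C:\Windows\SYSTEM32\ntdll.dll+9d2e4|UNKNOWN(000001D2A3B40000)"},
    {"SourceImage": r"C:\Windows\System32\wbem\WmiPrvSE.exe",
     "TargetImage": r"C:\Windows\System32\svchost.exe", "GrantedAccess": "0x1010",
     "CallTrace": r"C:\Windows\SYSTEM32\ntdll.dll+9d2e4"},
    {"SourceImage": r"C:\Windows\System32\Taskmgr.exe", "TargetImage": LSASS,
     "GrantedAccess": "0x1400",
     "CallTrace": r"C:\Windows\SYSTEM32\ntdll.dll+9d2e4"},
]

if __name__ == "__main__":
    for index, reasons in scan(SAMPLE_EVENTS).items():
        print(f"event {index}: " + "; ".join(reasons))
```

Testing the mask bit by bit rather than matching a few "known bad" values such as 0x1010 or 0x1FFFFF is the point: many processes open LSASS with query-only rights (0x1000, 0x1400) and must stay quiet, while any combination that includes a VM_* right deserves a look regardless of which exact value the tool requested.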

In summary, detecting and preventing attacks that use these techniques requires a multi-layered security approach: advanced security tools, employee training, and proactive monitoring. A robust incident response plan is just as critical, both to minimize the impact of a successful attack and to restore operations quickly.

Written by ReZa AdineH

Hey, this is Reza Adineh, SOC Architect and consultant, SIEM Engineer, Threat Detection Engineer. Follow me on RezaAdineh.info
