# Bee-Ware of Trigona, An Emerging Ransomware Strain **unit42.paloaltonetworks.com/trigona-ransomware-update/** Frank Lee, Scott Roland March 16, 2023 By [Frank Lee and](https://unit42.paloaltonetworks.com/author/frank-lee/) [Scott Roland](https://unit42.paloaltonetworks.com/author/scott-roland/) March 16, 2023 at 6:00 AM [Category: Ransomware,](https://unit42.paloaltonetworks.com/category/ransomware/) [Threat Briefs and Assessments](https://unit42.paloaltonetworks.com/category/threat-briefs-assessments/) Tags: [ALPHV,](https://unit42.paloaltonetworks.com/tag/alphv/) [BlackCat ransomware,](https://unit42.paloaltonetworks.com/tag/blackcat-ransomware/) [Cortex XDR,](https://unit42.paloaltonetworks.com/tag/cortex-xdr/) [CryLock,](https://unit42.paloaltonetworks.com/tag/crylock/) [next-generation firewall,](https://unit42.paloaltonetworks.com/tag/next-generation-firewall/) [Prisma Cloud,](https://unit42.paloaltonetworks.com/tag/prisma-cloud/) [threat assessment,](https://unit42.paloaltonetworks.com/tag/threat-assessment/) [Trigona,](https://unit42.paloaltonetworks.com/tag/trigona/) [WildFire](https://unit42.paloaltonetworks.com/tag/wildfire/) This post is also available in: 日本語 [(Japanese)](https://unit42.paloaltonetworks.jp/trigona-ransomware-update/) ## Executive Summary Trigona ransomware is a relatively new strain that security researchers first discovered in late October 2022. By analyzing Trigona ransomware binaries and ransom notes obtained from VirusTotal, as well as information from Unit 42 incident response, we determined that Trigona was very active during December 2022, with at least 15 potential victims being compromised. Affected organizations are in the manufacturing, finance, construction, agriculture, marketing and high technology industries. Unit 42 researchers identified two new Trigona ransom notes in January 2023 and two in February 2023. Trigona’s ransom notes are unique; rather than the usual text file, they are instead presented in an HTML Application with embedded JavaScript containing unique computer IDs (CID) and victim IDs (VID). [Palo Alto Networks helps detect and prevent Trigona ransomware with the following products and services: Cortex XDR,](https://docs-cortex.paloaltonetworks.com/p/XDR) [Prisma Cloud and](https://docs.paloaltonetworks.com/prisma/prisma-cloud) [Next-Generation Firewalls (including cloud-delivered security subscriptions such as WildFire) and through incident response.](https://docs.paloaltonetworks.com/ngfw) **Related Unit 42 Topics** **[Ransomware,](https://unit42.paloaltonetworks.com/category/ransomware/)** **[Ransomware Threat Report,](https://unit42.paloaltonetworks.com/tag/ransomware-threat-report/)** **[CryLock](https://unit42.paloaltonetworks.com/tag/crylock/)** ## Table of Contents Trigona Overview Ransomware Analysis Ransomware Binary Ransom Note Victimology Leak Site Analysis Similarities to CryLock Ransomware Tools and Techniques TTPs ----- Co c us o Indicators of Compromise Additional Resources Product Protection Guide ## Trigona Overview [The first mention of Trigona, also the name of a family of stingless bees, comes from a tweet by security researchers in late October 2022.](https://twitter.com/malwrhunterteam/status/1587581807595249666) [Malware samples were passed to BleepingComputer, which in turn published a blog post on the ransomware on Nov. 29, 2022. Unit 42](https://www.bleepingcomputer.com/news/security/trigona-ransomware-spotted-in-increasing-attacks-worldwide/) consultants also have seen Trigona firsthand in the course of incident response. Unit 42 researchers have observed Trigona’s threat operator engaging in behavior such as obtaining initial access to a target’s environment, conducting reconnaissance, transferring malware via remote monitoring and management (RMM) software, creating new user accounts and deploying ransomware. ## Ransomware Analysis ### Ransomware Binary Unit 42 obtained and analyzed a sample of the Trigona ransomware binary, named svhost.exe. Upon execution, the ransomware binary uses TDCP_rijndael (a Delphi AES library) to encrypt files. The ransomware then appends the ._locked file extension, modifies registry keys to maintain persistence, and drops ransom notes. The ransomware binary supports the following command line arguments: **Argument** **Description** /full Performs all functions of the ransomware. Encrypts both local and network files. Creates two registry keys for persistence, one for the ransomware binary and another for the ransom note. /!autorun Skips creation of registry keys for persistence /test_cid “test” /test_vid “test” /p, /path “path” Overwrites default victim generated CID and replace with “test” value Overwrites default VID and replace with “test” value Encrypts only files contained within specified path /!local Does not encrypt local system files, only encrypts files on local network /!lan Does not encrypt local network files, only encrypts files on local system /autorun_only “path” Creates registry key for persistence only. Allows for optional “path” to be provided to override default path, does not encrypt files The ransomware establishes persistence through the creation of two keys in CurrentVersion\Run. Keys found in CurrentVersion\Run contain references to programs that will execute when a user logs in. One key executes the ransomware binary whenever the user logs in, ensuring that the encryption process would resume upon reboot. The other key ensures that the ransom note is opened every time the user logs in. ### Ransom Note Trigona’s ransom note is dropped to the system with the name how_to_decrypt.hta. The HTML code in this file contains embedded JavaScript functionality, which displays ransom note details as shown below in Figure 1. ----- Figure 1. Sample Trigona ransom note. Unit 42 researchers observed that the JavaScript within the ransom note contains the following information: A uniquely generated CID and VID A link to the negotiation Tor portal An email address to contact. The contact email shown below in Figure 2 is phandaledr@onionmail[.]org. We have also seen farusbig@tutanota[.]com used as the contact email in other Trigona ransom notes. Figure 2. Embedded JavaScript containing campaign ID and victim ID. ### Victimology By looking at the victim ID in the embedded JavaScript in the Trigona ransom notes, we were able to identify at least 15 potential victims that were compromised in December 2022. We also identified two new Trigona ransom notes in January 2023 and two in February 2023. Trigona ransomware has been linked to compromises impacting multiple organizations worldwide, in sectors including manufacturing, finance, construction, agriculture, marketing and high technology. The companies impacted were in the United States, Italy, France, Germany, Australia and New Zealand. ### Leak Site Analysis When Trigona was first observed, there was no evidence of this group using a leak site for double extortion. Their ransom note pointed the victims to their negotiation portal instead. During the investigation of this ransomware family, we observed that a researcher identified a leak site attributed to Trigona hosted on the IP address 45.227.253[.]99. Unit 42 researchers pivoted on the SSH key for 45.227.253[.]99 and identified three other IP addresses related to Trigona’s infrastructure: 45.227.253[.]106 45.227.253[.]98 45.227.253[.]107 Each IP shares the same SSH key of ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBMjqeyIfJyuimtE414TBCxN+lHleN5/P3CNiD4uln5xyHjyw4muLePQj2y3yOJ7 ----- s 5 53[ ]99 a d 5 53[ ] 06 osted eb se e s o po t 8000, e 5 53[ ]98 a d 5 53[ ] 0 osted o eb services. We identified that 45.227.253[.]99 hosted a web server between Dec. 6, 2022, and Jan. 27, 2023. On Feb. 13, 2023, 45.227.253[.]106 started hosting a web server with the HTML title Trigona Leaks that was active until March 3, 2023. As shown in Figure 3, each post contained the following information: A description of the company The victim’s ZoomInfo page A description of the stolen data Links to screenshots of example files A countdown timer A button to bid for the data. The “@ Place a bid” button contained a mailto link to auction@mailthink[.]net. Mailthink is a service that allows users to create temporary, disposable email addresses. Figure 3. Trigona leak site. While the leak site was active, there were four victims: [Victim 1 has a near-duplicate post on the BlackCat (ALPHV) leak site and a countdown timer of over 300 days. Security researchers at](https://unit42.paloaltonetworks.com/blackcat-ransomware/) Arete Incident Response recently observed Trigona leveraging BlackCat’s reputation and data leak site to pressure and extort victims. It’s **unclear whether Victim 1 was impacted by Trigona.** Victim 2 has a duplicate post on the BlackCat (ALPHV) leak site and a countdown timer of over 300 days. It’s unclear whether Victim 2 was impacted by Trigona. Victim 3 has an associated ransom note on VirusTotal and a countdown timer of just over 30 days. Unit 42 assesses with high confidence that Victim 3 was impacted by Trigona ----- ct s ot e t o ed o a y ot e a so a e ga g s ea s te a d as a cou tdo t e o o e 300 days U t d d ot de t y any associated ransom notes and it’s unclear whether Victim 4 was impacted by Trigona. The countdown timers of over 300 days for Victims 1, 2 and 4 were well beyond the usual timeframe that we have observed in incident response cases where attackers demand payment, which is between two and four weeks. Given the following features, the Unit 42 team believes with moderate confidence that the surface web leak page was a development environment to test out features before a possible move to the dark web: Several posts appear to be duplicates from the BlackCat leak site (as shown in Figure 4) Several of the countdown timers are considerably longer The leak site is no longer available on the surface web Figure 4. Comparison between Trigona leak site (left) and BlackCat (ALPHV) leak site (right). ## Similarities to CryLock Ransomware Trigona operators share overlap in tactics, techniques and procedures (TTPs) with CryLock ransomware operators, suggesting that ransomware threat actors that once deployed CryLock ransomware might have moved on to deploying Trigona ransomware. The email associated with Trigona ransom notes analyzed by Unit 42 (phandaledr@onionmail[.]org) was mentioned in an online forum discussing CryLock ransomware, as shown below in Figure 5. ----- Figure 5. A user on SafeZone, a Russian anti-malware forum, seeking help for Crylock ransomware. Both ransomware families also drop ransom notes in HTML Application format, named how_to_decrypt.hta. There are also similarities in the ransom message, including: Their claim that all “documents, databases, backups, and other critical” files and data were encrypted AES as their choice of cryptographic algorithm Their statement that “the price depends on how soon you will contact us” ## Tools and Techniques Unit 42 has seen evidence of malicious activity associated with Trigona originating from a compromised Windows 2003 server, followed by the threat operators executing NetScan for internal reconnaissance. ### NetScan Unit 42 analysts recovered the NetScan output and noticed that it contained Cyrillic characters, as shown below in Figure 6. Changing the default language of NetScan to Russian is an option that can be configured upon initial installation. Figure 6. NetScan output that operator(s) left on disk containing Cyrillic characters. After conducting reconnaissance, Trigona operators used Splashtop – a remote access and management (RMM) tool – to transfer the following malware into the target’s environment. Threat actors often abuse, take advantage of or subvert legitimate products for malicious purposes. This does not necessarily imply a flaw or malicious quality to the legitimate product being abused. ### Start.bat Start.bat is a batch script that performs the following activities: It creates a new folder at C:\temp It copies other malicious batch and EXE files from a compromised internal Server Message Block (SMB) server to the newly created temp folder It executes Turnoff.bat ----- ### u o bat Turnoff.bat is a cleanup script used to remove evidence of the attack on a system. It does so by performing the following activities: Clearing the Recycle Bin of any mounted drive Attempting to use sc stop and taskkill to stop over 100 services related to various areas ranging from remote desktop tools to Windows Defender Attempting to stop services related to VMware, Hyper-V and SQL Ending several running tasks related to the stopped services mentioned above Clear Windows Event Logs (using wevutil cl) Deleting Volume Shadow Copies Disconnecting all network drives Unit 42 researchers have observed that cleanup scripts from other threat actors are usually smaller and more specific to the tools used by that actor. The scattershot variety of services and tasks that turnoff.bat stops could suggest that the tool is attempting to ensure that a wider variety of systems are encrypted. ### Newuser.bat Newuser.bat is a batch script that creates a new user with the name fredla and the password Qw123456. It then adds the fredla user to the local groups Administrator and Remote Desktop Users. Threat actors sometimes create privileged user accounts to keep access to target systems without having to install persistent remote access tools on the system. ### DC2.exe DC2.exe contains a password protected version of Mimikatz, which is a tool used for extracting sensitive information such as passwords and authentication credentials from a Windows operating system. This version of Mimikatz has been compressed using UPX. While UPX is often legitimately used to reduce file size, we have observed threat actors utilizing UPX and other packing programs to evade static detection of the underlying payload. The tool is also password protected, which adds an extra layer of complexity when ascertaining the program’s functionality. When the executable is run, the threat actor is prompted for a password to continue. The MD5 hash of the password is then calculated, and if it is equal to 4dbf44c6b1be736ee92ef90090452fc2, the program will continue running. The password required to achieve the MD5 hash is boris. Among its many legitimate uses, Unit 42 researchers have most often observed Mimikatz being leveraged maliciously by threat actors in the following ways: Credential Loading Mimikatz loads credentials from various sources such as Windows memory, Local Security Authority Subsystem Service (LSASS) process and the Windows registry. Credential Dumping The tool then extracts and dumps the credentials, including usernames and passwords, hashes, and Kerberos tickets to the screen or to a file. Credential Manipulation Mimikatz allows the user to manipulate the dumped credentials, such as changing passwords, creating new user accounts and adding users to groups. Credential Injection The tool can also inject the manipulated credentials into other processes, allowing the user to impersonate another user and gain access to restricted resources. ### DC4.exe DC4.exe is a small, UPX-packed password protected binary that generates and executes an embedded batch file. Like DC2.exe, the password to allow the binary to run is boris. Upon execution, the batch file makes the following changes to the system: 1. Disables the User Account Control (UAC) and sets cmd.exe as a debugger for HelpPane.exe, utilman.exe, Magnify.exe and sethc.exe. This is a common method of creating a “Sticky Keys backdoor” that allows for the creation of a command prompt with NT AUTHORITY\SYSTEM privileges. 2. Opens specific ports on the firewall to allow remote desktop connections using the netsh command. 3. Modifies the Windows registry to allow remote desktop connections. ----- C eates a e use accou t t t e use a e sys a d pass o d 5 806, a d adds t s use to t e d st ato a d e ote Desktop Users groups. ### DC6.exe DC6.exe is an installer for the publicly available tool Advanced Port Scanner, wrapped up in an Inno Setup installer package. Inno Setup is a free software installer for Windows programs. Advanced Port Scanner is a tool that is commonly abused by threat actors for network scanning and mapping, for lateral movement and discovery purposes. Wrapping Advanced Port Scanner in Inno Setup adds an additional layer of obfuscation to the code, and it is likely to evade static signature detection, forcing dynamic analysis to determine functionality rather than relying on traditional static code signatures. ## TTPs **Tactic / Technique** **Notes** **TA0002 Execution** T1072. Software Deployment Tools **TA0003 Persistence** T1546.008. Accessibility Features Trigona operators use Splashtop to move laterally and transfer malware between compromised hosts in the victim’s environment. DC4.exe creates a batch script that, when executed, creates a “Sticky Keys backdoor” that allows for creation of a command prompt with NT AUTHORITY\SYSTEM privileges. T1136. Create Account Newuser.bat creates a new user with the username fredla and password Qw123456. T1098. Account Manipulation **TA0005 Defense Evasion** T1027. Obfuscated Files or Information Trigona operators compromise administrator accounts and use them to conduct malicious activities, such as executing NetScan. Trigona operators use UPX to pack DC2.exe and DC4.exe to avoid static signature detection. For DC6.exe, Trigona hid the installer for Advanced Port Scanner within Inno Setup installer to evade static signature detection. T1112. Modify Registry DC4.exe creates a batch script that, when executed, modifies the Windows Registry to allow remote desktop connections. T1562.004. Disable or Modify System Firewall T1070.001. Indicator Removal: Clear Windows Event Logs T1070.004. Indicator Removal: File Deletion T1036.004. Masquerade Task or Service **TA0006 Credential Access** T1555. Credentials from Password Stores T1003.001. OS Credential Duping: LSASS Memory **TA0007 Discovery** T1046. Network Service Discovery T1069. Permission Groups Discovery T1021.001. Remote Desktop Protocol **TA0008 Lateral Movement** T1570. Lateral Tool Transfer Trigona operators open up an Remote Desktop Protocol (RDP) port in the firewall with DC4.exe. Trigona operators use turnoff.bat to clear event logs via wevtutil cl. Trigona operators delete files such as mim.exe, mim32.exe, zam.exe and zam.bat to cover their tracks. Mim32.exe is associated with Mimikatz while zam.exe and zam.bat are associated with NetScan. Trigona’s ransomware binary was named svhost.exe to mimic the legitimate Windows binary svchost.exe. Trigona operators use Mimikatz to dump passwords. Trigona operators use Mimikatz to dump passwords from LSASS. Trigona operators use NetScan to enumerate hosts within victims’ domains that might be vulnerable to remote software exploitation. Trigona operators use NetScan to enumerate the security-enabled local group membership of the Administrators group. Trigona operators utilize RDP to move laterally in the victim’s environment. Trigona operators use Splashtop to transfer malicious tools from computer to computer in the victim’s environment. ----- **TA0011 Command and** **Control** T1105. Ingress Tool Transfer T1219. Remote Access Software **TA0040 Impact** T1486. Data Encrypted for Impact Trigona operators utilize Splashtop to transfer netscan.exe, netscan.lic, netscan.xml, newuser.bat, start.bat and turnoff.bat. Trigona operators install and execute remote access tools such as Splashtop on targeted systems. Trigona ransomware encrypts files with the ._locked file extension. T1489. Service Stop Turnoff.bat uses sc stop and taskkill to stop services related to remote desktop tools (e.g., ScreenConnect, LogMeIn and TeamViewer), as well as VMware, Hyper-V and SQL. T1490. Inhibit System Recovery ## Conclusion Trigona operators use Turnoff.bat to delete Volume Shadow Copies. Trigona is a newer strain of ransomware that, to date, has had minimal coverage by security news articles. This lack of security community awareness allows Trigona to discreetly attack victims while other higher-profile ransomware operations dominate the news headlines. We hope that shining a light on Trigona and its uncommon technique of using password-protected executables to obfuscate malware helps defenders better protect their organizations against this threat. Due to the stream of victims identified by the Unit 42 team and Trigona’s currently developing leak site, the operator and/or affiliates behind the ransomware likely will continue (and possibly even ramp up) its malicious activity. Palo Alto Networks customers receive protections from Trigona threats through the following products: [WildFire currently lists all known binaries of Trigona as malicious, which will trigger alerting within Prisma Cloud and](https://docs.paloaltonetworks.com/wildfire) [Cortex XDR.](https://docs-cortex.paloaltonetworks.com/p/XDR) Prisma Cloud will detect any instance of this malware being executed through properly configured Defender agents using Wildfire. Additionally, Prisma Cloud Defender agents can be installed on Windows 2016 and 2019 servers, as well as on Windows Docker Container hosts. If you think you may have been compromised or have an urgent matter, get in touch with the [Unit 42 Incident Response team or call:](https://start.paloaltonetworks.com/contact-unit42.html) North America Toll-Free: 866.486.4842 (866.4.UNIT42) EMEA: +31.20.299.3130 APAC: +65.6983.8730 Japan: +81.50.1790.0200 Palo Alto Networks has shared these findings, including file samples and indicators of compromise, with our fellow Cyber Threat Alliance (CTA) members. CTA members use this intelligence to rapidly deploy protections to their customers and to systematically disrupt malicious [cyber actors. Learn more about the Cyber Threat Alliance.](https://www.cyberthreatalliance.org/) ## Indicators of Compromise **IoC** **Note** bef87e4d9fcaed0d8b53bce84ff5c5a70a8a30542100ca6d7822cbc8b76fef13 svhost.exe (Ransomware Binary) 853909af98031c125a351dad804317c323599233e9b14b79ae03f9de572b014e Splashtop 24123421dd5b78b79abca07bf2dac683e574bf9463046a1d6f84d1177c55f5e5 Netscan 4724EE7274C31C8D418904EE7E600D92680A54FECDAC28606B1D73A28ECB0B1E Netscan e22008893c91cf5bfe9f0f41e5c9cdafae178c0558728e9dfabfc11c34769936 Netscan 8d069455c913b1b2047026ef290a664cef2a2e14cbf1c40dce6248bd31ab0067 Netscan 544a4621cba59f3cc2aeb3fe34c2ee4522593377232cd9f78addfe537e988ddc start.bat a15c7b264121a7c202c74184365ca13b561fb303fb8699299039a59ab376adc6 turnoff.bat b7fba3abee8fd3bdac2d05c47ab75fdaa0796722451bed974fb72e442ab4fefd newuser.bat e5cf252041045b037b9a358f5412ae004423ad23eac17f3b03ebef7c8147a3bb Mimikatz ----- 5603d4035201a9e6d0e130c561bdb91f44d8f21192c8e2842def4649333757ab Mimikatz 69f245dc5e505d2876e2f2eec87fa565c707e7c391845fa8989c14acabc2d3f6 Mimikatz phandaledr@onionmail[.]org Ransom note contact email farusbig@tutanota[.]com Ransom note contact email how_to_decrypt.hta Ransom note name 94979b61bba5685d038b4d66dd5e4e0ced1bba4c41ac253104a210dd517581b8 DC2.exe 9c8a4159166062333f2f74dd9d3489708c35b824986b73697d5c34869b2f7853 DC4.exe c5d09435d428695ce41526b390c17557973ee9e7e1cf6ca451e5c0ae443470ca DC6.exe 3x55o3u2b7cjs54eifja5m3ottxntlubhjzt6k6htp5nrocjmsxxh7ad[.]onion Trigona TOR negotiation portal 45.227.253[.]99 IP address associated with Trigona activity 45.227.253[.]106 IP address currently hosting Trigona leak site 45.227.253[.]98 IP address associated with Trigona activity 45.227.253[.]107 IP address associated with Trigona activity ## Additional Resources ### Product Protection Guide **Product/Service** **Course of** **Action** **Execution, Persistence, Privilege Escalation, Defense Evasion, Credential Access, Discovery, Lateral Movement** The below courses of action mitigate the following techniques: [Command and Scripting Interpreter [T1059], Create Account [T1136], Account Manipulation [T1098], Local Account](https://attack.mitre.org/techniques/T1059) [[T1136.001], File Deletion [T1070.004], Modify Registry [T1112], Disable or Modify Tools [T1562.001], Disable or Modify](https://attack.mitre.org/techniques/T1136/001) [System Firewall [T1562.004], Deobfuscate/Decode Files or Information [T1140], Match Legitimate Name or Location](https://attack.mitre.org/techniques/T1562/004) [[T1036.005], Disable Windows Event Logging [T1562.002], Obfuscated Files or Information [T1027], Clear Windows](https://attack.mitre.org/techniques/T1036/005) [Event Logs [T1070.001], Masquerade Task or Service [T1036.004], Credentials from Password Stores [T1555], OS](https://attack.mitre.org/techniques/T1070/001) [Credential Dumping [T1003], LSASS Memory [T1003.001], System Network Configuration Discovery [T1016], System](https://attack.mitre.org/techniques/T1003) [Information Discovery [T1082], Network Service Discovery [T1046], Permission Groups Discovery [T1069], Remote](https://attack.mitre.org/techniques/T1082) [Desktop Protocol [T1021.001], Lateral Tool Transfer [T1570], Software Deployment Tools [T1072], Registry Run Keys /](https://attack.mitre.org/techniques/T1021/001) [Startup Folder [T1547.001], Accessibility Features [T1546.008], Bypass User Account Control [T1548.002]](https://attack.mitre.org/techniques/T1547/001) **Next-Generation Firewalls** Ensure that the User-ID Agent has minimal permissions if User-ID is enabled Ensure that security policies restrict User-ID Agent traffic from crossing into untrusted zones Ensure that the User-ID service account does not have interactive logon rights Ensure that 'Include/Exclude Networks' is used if User-ID is enabled Ensure remote access capabilities for the User-ID service account are forbidden. Ensure that User-ID is only enabled for internal trusted interfaces Define at least one 'Include Network'. Ensure that all zones have Zone Protection Profiles with all Reconnaissance Protection settings enabled, tuned, and set to appropriate actions Ensure 'Service setting of ANY' in a security policy allowing traffic does not exist Ensure 'Security Policy' denying any/all traffic to/from IP addresses on Trusted Threat Intelligence Sources Exists Ensure application security policies exist when allowing traffic from an untrusted zone to a more trusted zone ----- **Cortex XSOAR** Deploy XSOAR Playbook Access Investigation Playbook Deploy XSOAR Playbook - Block Account Generic Deploy XSOAR Playbook - Impossible Traveler Deploy XSOAR Playbook - Port Scan Deploy XSOAR Playbook Cortex XDR - Isolate Endpoint **Cortex XDR Prevent** Configure Behavioral Threat Protection under the Malware Security Profile Enable Anti-Exploit Protection Configure Restrictions Security Profile Enable Anti-Malware Protection Configure Host Firewall Profile **Threat Prevention** Ensure that antivirus profiles are set to block on all decoders except 'imap' and 'pop3' Ensure an anti-spyware profile is configured to block on all spyware severity levels, categories, and threats Ensure a secure antivirus profile is applied to all relevant security policies **Execution, Persistence, Privilege Escalation, Defense Evasion, Credential Access, Discovery, Lateral Movement** The below courses of action mitigate the following techniques: [Create Account [T1136], Account Manipulation [T1098], Local Account [T1136.001], File Deletion [T1070.004], Modify](https://attack.mitre.org/techniques/T1136) [Registry [T1112], Disable or Modify Tools [T1562.001], Disable or Modify System Firewall [T1562.004],](https://attack.mitre.org/techniques/T1112) [Deobfuscate/Decode Files or Information [T1140], Match Legitimate Name or Location [T1036.005], Disable Windows](https://attack.mitre.org/techniques/T1140) [Event Logging [T1562.002], Obfuscated Files or Information [T1027], Clear Windows Event Logs [T1070.001],](https://attack.mitre.org/techniques/T1562/002) [Masquerade Task or Service [T1036.004], Credentials from Password Stores [T1555], OS Credential Dumping [T1003],](https://attack.mitre.org/techniques/T1036/004) [LSASS Memory [T1003.001], System Network Configuration Discovery [T1016], System Information Discovery [T1082],](https://attack.mitre.org/techniques/T1003/001) [Network Service Discovery [T1046], Permission Groups Discovery [T1069], Remote Desktop Protocol [T1021.001],](https://attack.mitre.org/techniques/T1046) [Lateral Tool Transfer [T1570], Software Deployment Tools [T1072], Registry Run Keys / Startup Folder [T1547.001],](https://attack.mitre.org/techniques/T1570) [Accessibility Features [T1546.008], Bypass User Account Control [T1548.002]](https://attack.mitre.org/techniques/T1546/008) **Next-Generation Firewalls** Ensure that the User-ID Agent has minimal permissions if User-ID is enabled Ensure that security policies restrict User-ID Agent traffic from crossing into untrusted zones Ensure that the User-ID service account does not have interactive logon rights Ensure that 'Include/Exclude Networks' is used if User-ID is enabled Ensure remote access capabilities for the User-ID service account are forbidden. Ensure that User-ID is only enabled for internal trusted interfaces Define at least one 'Include Network'. Ensure that all zones have Zone Protection Profiles with all Reconnaissance Protection settings enabled, tuned, and set to appropriate actions Ensure 'Service setting of ANY' in a security policy allowing traffic does not exist Ensure 'Security Policy' denying any/all traffic to/from IP addresses on Trusted Threat Intelligence Sources Exists ----- Ensure application security policies exist when allowing traffic from an untrusted zone to a more trusted zone **Cortex XSOAR** Deploy XSOAR Playbook Access Investigation Playbook Deploy XSOAR Playbook - Block Account Generic Deploy XSOAR Playbook - Impossible Traveler Deploy XSOAR Playbook - Port Scan Deploy XSOAR Playbook Cortex XDR - Isolate Endpoint **Cortex XDR Prevent** Configure Behavioral Threat Protection under the Malware Security Profile Enable Anti-Exploit Protection Configure Restrictions Security Profile Enable Anti-Malware Protection Configure Host Firewall Profile **Threat Prevention** Ensure that antivirus profiles are set to block on all decoders except 'imap' and 'pop3' Ensure an anti-spyware profile is configured to block on all spyware severity levels, categories, and threats Ensure a secure antivirus profile is applied to all relevant security policies **Persistence, Privilege Escalation, Defense Evasion** The below courses of action mitigate the following techniques: [Create Account [T1136], Account Manipulation [T1098], Local Account [T1136.001], File Deletion [T1070.004], Modify](https://attack.mitre.org/techniques/T1136) [Registry [T1112], Disable or Modify Tools [T1562.001], Disable or Modify System Firewall [T1562.004],](https://attack.mitre.org/techniques/T1112) [Deobfuscate/Decode Files or Information [T1140], Match Legitimate Name or Location [T1036.005], Disable Windows](https://attack.mitre.org/techniques/T1140) [Event Logging [T1562.002], Obfuscated Files or Information [T1027], Clear Windows Event Logs [T1070.001],](https://attack.mitre.org/techniques/T1562/002) [Masquerade Task or Service [T1036.004], Registry Run Keys / Startup Folder [T1547.001], Accessibility Features](https://attack.mitre.org/techniques/T1036/004) [[T1546.008], Bypass User Account Control [T1548.002]](https://attack.mitre.org/techniques/T1546/008) **Next-Generation Firewalls** Ensure that the User-ID Agent has minimal permissions if User-ID is enabled Ensure that security policies restrict User-ID Agent traffic from crossing into untrusted zones Ensure that the User-ID service account does not have interactive logon rights Ensure that 'Include/Exclude Networks' is used if User-ID is enabled Ensure remote access capabilities for the User-ID service account are forbidden. Ensure that User-ID is only enabled for internal trusted interfaces Define at least one 'Include Network'. **Cortex XSOAR** Deploy XSOAR Playbook Access Investigation Playbook Deploy XSOAR Playbook - Block Account Generic ----- Deploy XSOAR Playbook - Impossible Traveler **Cortex XDR Prevent** Configure Behavioral Threat Protection under the Malware Security Profile Enable Anti-Exploit Protection Configure Restrictions Security Profile Enable Anti-Malware Protection **Persistence, Privilege Escalation, Defense Evasion** The below courses of action mitigate the following techniques: [File Deletion [T1070.004], Modify Registry [T1112], Disable or Modify Tools [T1562.001], Disable or Modify System](https://attack.mitre.org/techniques/T1070/004) [Firewall [T1562.004], Deobfuscate/Decode Files or Information [T1140], Match Legitimate Name or Location [T1036.005],](https://attack.mitre.org/techniques/T1562/004) [Disable Windows Event Logging [T1562.002], Obfuscated Files or Information [T1027], Clear Windows Event Logs](https://attack.mitre.org/techniques/T1562/002) [[T1070.001], Masquerade Task or Service [T1036.004], Registry Run Keys / Startup Folder [T1547.001], Accessibility](https://attack.mitre.org/techniques/T1070/001) [Features [T1546.008], Bypass User Account Control [T1548.002]](https://attack.mitre.org/techniques/T1546/008) **Cortex XDR Prevent** Configure Behavioral Threat Protection under the Malware Security Profile Enable Anti-Exploit Protection Configure Restrictions Security Profile Enable Anti-Malware Protection **Privilege Escalation, Defense Evasion** The below courses of action mitigate the following techniques: [File Deletion [T1070.004], Modify Registry [T1112], Disable or Modify Tools [T1562.001], Disable or Modify System](https://attack.mitre.org/techniques/T1070/004) [Firewall [T1562.004], Deobfuscate/Decode Files or Information [T1140], Match Legitimate Name or Location [T1036.005],](https://attack.mitre.org/techniques/T1562/004) [Disable Windows Event Logging [T1562.002], Obfuscated Files or Information [T1027], Clear Windows Event Logs](https://attack.mitre.org/techniques/T1562/002) [[T1070.001], Masquerade Task or Service [T1036.004], Bypass User Account Control [T1548.002]](https://attack.mitre.org/techniques/T1070/001) **Cortex XDR Prevent** Configure Behavioral Threat Protection under the Malware Security Profile Enable Anti-Exploit Protection Configure Restrictions Security Profile Enable Anti-Malware Protection **Defense Evasion** The below courses of action mitigate the following techniques: [File Deletion [T1070.004], Modify Registry [T1112], Disable or Modify Tools [T1562.001], Disable or Modify System](https://attack.mitre.org/techniques/T1070/004) [Firewall [T1562.004], Deobfuscate/Decode Files or Information [T1140], Match Legitimate Name or Location [T1036.005],](https://attack.mitre.org/techniques/T1562/004) [Disable Windows Event Logging [T1562.002], Obfuscated Files or Information [T1027], Clear Windows Event Logs](https://attack.mitre.org/techniques/T1562/002) [[T1070.001], Masquerade Task or Service [T1036.004]](https://attack.mitre.org/techniques/T1070/001) **Cortex XDR Prevent** Configure Behavioral Threat Protection under the Malware Security Profile Enable Anti-Exploit Protection Configure Restrictions Security Profile ----- Enable Anti-Malware Protection **Credential Access** The below courses of action mitigate the following techniques: [Credentials from Password Stores [T1555], OS Credential Dumping [T1003], LSASS Memory [T1003.001]](https://attack.mitre.org/techniques/T1555) **Cortex XDR Prevent** Enable AntiExploit Protection Enable Anti-Malware Protection **Discovery** The below courses of action mitigate the following techniques: [System Network Configuration Discovery [T1016], System Information Discovery [T1082], Network Service Discovery](https://attack.mitre.org/techniques/T1016) [[T1046], Permission Groups Discovery [T1069]](https://attack.mitre.org/techniques/T1046) **Next-Generation Firewalls** Ensure that all zones have Zone Protection Profiles with all Reconnaissance Protection settings enabled, tuned, and set to appropriate actions Ensure 'Service setting of ANY' in a security policy allowing traffic does not exist Ensure 'Security Policy' denying any/all traffic to/from IP addresses on Trusted Threat Intelligence Sources Exists Ensure application security policies exist when allowing traffic from an untrusted zone to a more trusted zone **Cortex XSOAR** Deploy XSOAR Playbook - Port Scan **Lateral Movement** The below courses of action mitigate the following techniques: [Remote Desktop Protocol [T1021.001], Lateral Tool Transfer [T1570]](https://attack.mitre.org/techniques/T1021/001) **Next-Generation Firewalls** Ensure 'Service setting of ANY' in a security policy allowing traffic does not exist Ensure remote access capabilities for the User-ID service account are forbidden. Ensure that the User-ID Agent has minimal permissions if User-ID is enabled Ensure that User-ID is only enabled for internal trusted interfaces Ensure application security policies exist when allowing traffic from an untrusted zone to a more trusted zone Ensure that the User-ID service account does not have interactive logon rights Ensure that all zones have Zone Protection Profiles with all Reconnaissance Protection settings enabled, tuned, and set to appropriate actions Ensure that 'Include/Exclude Networks' is used if User-ID is enabled Ensure that security policies restrict User-ID Agent traffic from crossing into untrusted zones Ensure 'Security Policy' denying any/all traffic to/from IP addresses on Trusted Threat Intelligence Sources Exists **Cortex XDR Prevent** Configure Host Firewall Profile ----- **Cortex XSOAR** Deploy XSOAR Playbook Access Investigation Playbook Deploy XSOAR Playbook - Block Account Generic **Threat Prevention** Ensure that antivirus profiles are set to block on all decoders except 'imap' and 'pop3' Ensure an anti-spyware profile is configured to block on all spyware severity levels, categories, and threats Ensure a secure antivirus profile is applied to all relevant security policies **Command and Control** The below courses of action mitigate the following techniques: [Remote Access Software [T1219], Ingress Tool Transfer [T1105]](https://attack.mitre.org/techniques/T1219) **Next-Generation Firewalls** Ensure that the Certificate used for Decryption is Trusted Ensure application security policies exist when allowing traffic from an untrusted zone to a more trusted zone Ensure 'Security Policy' denying any/all traffic to/from IP addresses on Trusted Threat Intelligence Sources Exists Ensure 'SSL Forward Proxy Policy' for traffic destined to the Internet is configured Ensure 'SSL Inbound Inspection' is required for all untrusted traffic destined for servers using SSL or TLS Ensure 'Service setting of ANY' in a security policy allowing traffic does not exist Setup File Blocking **Threat Prevention** Ensure DNS sinkholing is configured on all anti-spyware profiles in use Ensure passive DNS monitoring is set to enabled on all anti-spyware profiles in use Ensure a secure anti-spyware profile is applied to all security policies permitting traffic to the Internet Ensure that antivirus profiles are set to block on all decoders except 'imap' and 'pop3' Ensure an anti-spyware profile is configured to block on all spyware severity levels, categories, and threats Ensure a secure antivirus profile is applied to all relevant security policies **URL Filtering** Ensure secure URL filtering is enabled for all security policies allowing traffic to the Internet Ensure all HTTP Header Logging options are enabled Ensure that PAN-DB URL Filtering is used Ensure that URL Filtering uses the action of “block” or “override” on the URL categories Ensure that access to every URL is logged **Cortex XSOAR** Deploy XSOAR Playbook - PANOS Query Logs for Indicators Deploy XSOAR Playbook - Hunting C&C Communication Playbook (Deprecated) ----- Deploy XSOAR Playbook - Block URL Deploy XSOAR Playbook - Block IP **Cortex XDR Prevent** XDR BIOCs / ABIOCs **Impact** The below courses of action mitigate the following techniques: [Data Encrypted for Impact [T1486], Service Stop [T1489], Inhibit System Recovery [T1490]](https://attack.mitre.org/techniques/T1486) **Cortex XSOAR** Deploy XSOAR Playbook Ransomware Manual for incident response. Deploy XSOAR Playbook - Palo Alto Networks Endpoint Malware Investigation ### Table 1. Product Protection Guide. _Updated March 16, 2023, at 10:13 a.m. PT._ **Get updates from** **Palo Alto** **Networks!** Sign up to receive the latest news, cyber threat intelligence and research from us [By submitting this form, you agree to our Terms of Use and acknowledge our Privacy Statement.](https://www.paloaltonetworks.com/legal-notices/terms-of-use) -----