Skip to content
.ca
sign in
8 minhigh

Proactive Preparation and Hardening Against Destructive Attacks: 2026 Edition

This comprehensive guide outlines proactive hardening strategies to defend against destructive cyberattacks, such as ransomware and wipers. It provides actionable recommendations for securing external-facing assets, segmenting IT/OT and virtualization infrastructure, restricting lateral movement, and protecting privileged credentials across on-premises and cloud environments.

Conf:highAnalyzed:2026-03-06reports

Authors: Matthew McWhirt, Bhavesh Dhake, Emilio Oropeza, Gautam Krishnan, Stuart Carrera, Greg Blaum, Michael Rudden

ActorsRansomwareDestructive MalwareWipers
Lateral MovementActive DirectoryZero TrustRansomwareHardening

Source:Mandiant

IOCs · 4

Key Takeaways

  • Implement strict network and identity segmentation between IT, OT, and Virtualization environments to limit blast radius.
  • Harden Windows endpoints by restricting lateral movement protocols (SMB, RDP, WinRM) and disabling administrative shares.
  • Protect privileged credentials by disabling WDigest, enforcing Restricted Admin mode for RDP, and utilizing the Protected Users security group.
  • Secure Active Directory Certificate Services (AD CS) by auditing vulnerable templates and enforcing strong mappings.
  • Protect CI/CD pipelines and Kubernetes clusters by isolating the control plane, enforcing strict RBAC, and using immutable backups.

Affected Systems

  • Windows Server
  • Windows 10/11
  • Active Directory
  • VMware vSphere
  • Microsoft Hyper-V
  • Kubernetes
  • CI/CD Pipelines
  • Cloud Infrastructure (GCP, AWS, Azure)

Attack Chain

Threat actors typically gain initial access via external-facing assets or compromised credentials. They then perform reconnaissance to identify privileged accounts, vulnerable AD CS templates, or virtualization infrastructure. Lateral movement is executed using native protocols like SMB, RDP, WinRM, or tools like PsExec. Finally, attackers escalate privileges, extract sensitive data, and deploy destructive malware or ransomware to disrupt operations and inhibit recovery.

Detection Availability

  • YARA Rules: No
  • Sigma Rules: No
  • Snort/Suricata Rules: No
  • KQL Queries: No
  • Splunk SPL Queries: No
  • EQL Queries: No
  • Other Detection Logic: No
  • Platforms: Google Security Operations (SecOps)

The article states that Google SecOps customers have access to detection rules under the Mandiant Intel Emerging Threats, Mandiant Frontline Threats, Mandiant Hunting Rules, and CDIR SCC Enhanced Data Destruction Alerts rule packs.

Detection Engineering Assessment

EDR Visibility: High — EDR solutions can monitor process creation, registry modifications, command-line execution, and LSASS memory access, which are critical for detecting the lateral movement and credential theft techniques described. Network Visibility: Medium — Network visibility is crucial for detecting anomalous SMB, RDP, and WinRM traffic, as well as external connections to malicious IPs, though encrypted traffic may limit deep packet inspection. Detection Difficulty: Moderate — While many techniques generate specific event IDs (e.g., 4662 for DCSync, 4768 for AS-REP roasting), distinguishing malicious administrative activity from legitimate IT operations requires well-established baselines.

Required Log Sources

  • Windows Event Logs (Security, System, Operational)
  • Sysmon
  • Active Directory Audit Logs
  • Firewall Logs
  • Cloud Audit Logs (GCP, AWS, Azure)
  • Kubernetes API Audit Logs
  • vCenter/ESXi Logs

Hunting Hypotheses

HypothesisTelemetryATT&CK StageFP Risk
Search for anomalous process creation events involving PsExec or WMI originating from non-administrative workstations.EDR/Process CreationLateral MovementMedium
Monitor for Kerberos authentication requests using RC4 encryption (Event ID 4768) for accounts with preauthentication disabled, indicating potential AS-REP roasting.Windows Security LogsCredential AccessLow
Detect modifications to the Windows Registry disabling WDigest authentication or Restricted Admin mode, indicating potential defense evasion.EDR/RegistryDefense EvasionLow
Identify bulk deletion operations targeting Kubernetes resources or cloud compute instances deviating from normal change management baselines.Cloud/Kubernetes Audit LogsImpactMedium
Monitor for non-domain-controller sources issuing directory replication requests (Event ID 4662), indicating a potential DCSync attack.Windows Security LogsCredential AccessLow

Control Gaps

  • Lack of MFA on external-facing assets
  • Unsegmented IT/OT and virtualization networks
  • Overly permissive Active Directory Certificate Services (AD CS) templates
  • Standing privileges in cloud environments

Key Behavioral Indicators

  • Event ID 4662 from non-DCs
  • Event ID 4768 with RC4 encryption
  • Sysmon Event ID 10 targeting LSASS by non-system processes
  • Event IDs 4886/4887 with mismatched SANs

False Positive Assessment

  • Medium

Recommendations

Immediate Mitigation

  • Enforce MFA on all external-facing applications and VPNs.
  • Disable WDigest authentication and enable Restricted Admin mode for RDP.
  • Review and restrict membership in highly privileged Active Directory groups.

Infrastructure Hardening

  • Implement strict network segmentation between IT, OT, and virtualization environments.
  • Harden Windows Firewalls to block inbound SMB, RDP, and WinRM from non-administrative subnets.
  • Secure AD CS by auditing templates and enforcing strong certificate mappings.

User Protection

  • Deploy Local Administrator Password Solution (LAPS) to randomize local admin passwords.
  • Implement Privileged Access Workstations (PAWs) for administrative tasks.
  • Enforce Windows Defender Application Control (WDAC) and Attack Surface Reduction (ASR) rules.

Security Awareness

  • Train users to report suspicious MFA push notifications to prevent MFA fatigue attacks.
  • Conduct regular recovery validation exercises using immutable backups.
  • Establish out-of-band communication channels for incident response.

MITRE ATT&CK Mapping

  • T1110 - Brute Force
  • T1078 - Valid Accounts
  • T1557 - Adversary-in-the-Middle
  • T1490 - Inhibit System Recovery
  • T1046 - Network Service Scanning
  • T1212 - Exploitation for Credential Access
  • T1021.004 - Remote Services: SSH
  • T1529 - System Shutdown/Reboot
  • T1486 - Data Encrypted for Impact
  • T1562.001 - Impair Defenses: Disable or Modify Tools
  • T1021.002 - Remote Services: SMB/Windows Admin Shares
  • T1187 - Forced Authentication
  • T1047 - Windows Management Instrumentation
  • T1021.001 - Remote Services: Remote Desktop Protocol
  • T1049 - System Network Connections Discovery
  • T1135 - Network Share Discovery
  • T1021.006 - Remote Services: Windows Remote Management
  • T1569.002 - System Services: Service Execution
  • T1021.003 - Remote Services: Distributed Component Object Model
  • T1068 - Exploitation for Privilege Escalation
  • T1219 - Remote Access Software
  • T1069 - Permission Groups Discovery
  • T1484.001 - Domain Policy Modification: Group Policy Modification
  • T1003.006 - OS Credential Dumping: DCSync
  • T1558.003 - Steal or Forge Kerberos Tickets: Kerberoasting
  • T1558.004 - Steal or Forge Kerberos Tickets: AS-REP Roasting
  • T1003.002 - OS Credential Dumping: LSASS Memory
  • T1649 - Steal or Forge Authentication Certificates
  • T1485 - Data Destruction
  • T1525 - Implant Internal Image
  • T1552.007 - Unsecured Credentials: Container API
  • T1195.002 - Supply Chain Compromise: Compromise Software Supply Chain
  • T1611 - Escape to Host

Additional IOCs

  • Registry Keys:
    • HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system\LocalAccountTokenFilterPolicy - Controls UAC token filtering for local accounts during network logons.
    • HKLM\SYSTEM\CurrentControlSet\Control\Lsa\TokenLeakDetectDelaySecs - Configures the delay before clearing credentials in memory of logged-off users.
    • HKLM\System\CurrentControlSet\Control\Lsa\Security Packages - Lists LSA security packages. WDigest should be removed from this list on older Windows versions.
    • HKLM\Software\Policies\Microsoft\Windows\CredentialsDelegation\RestrictedRemoteAdministration - GPO-enforced registry key requiring Restricted Admin mode for RDP connections.
    • HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\FilterAdministratorToken - Enforces Admin Approval Mode for the built-in local Administrator account.
  • File Paths:
    • %systemroot%\system32\LogFiles\Firewall\pfirewall.log - Default log file path for Windows Firewall dropped and successful connections.
    • C:\Windows\SYSVOL - Active Directory SYSVOL directory, a critical target for backups and potential ransomware encryption.
    • %SystemRoot%\System32\Winevt\Logs\Microsoft-Windows-Authentication%4ProtectedUserSuccesses-DomainController.evtx - Event log file storing successful logons for members of the Protected Users security group.
  • Command Lines:
    • Purpose: Initiate a system state backup of a domain controller. | Tools: wbadmin | Stage: Defense Evasion / Recovery | wbadmin start systemstatebackup -backuptarget:
    • Purpose: Disable inbound SMB (File and Printer Sharing) via Windows Firewall. | Tools: netsh | Stage: Lateral Movement (Defense)
    • Purpose: Disable PowerShell Remoting on an endpoint. | Tools: PowerShell | Stage: Lateral Movement (Defense) | Disable-PSRemoting -Force
    • Purpose: Stop and disable the Windows Remote Management (WinRM) service. | Tools: PowerShell | Stage: Lateral Movement (Defense) | Stop-Service WinRM -PassThruSet-Service WinRM -StartupType Disabled
    • Purpose: Identify noncomputer accounts configured with a Service Principal Name (SPN) for Kerberoasting mitigation. | Tools: PowerShell, Active Directory module | Stage: Credential Access (Defense)
    • Purpose: Initiate an RDP session using Restricted Admin mode to prevent credential exposure. | Tools: mstsc.exe | Stage: Lateral Movement (Defense) | mstsc.exe /RestrictedAdmin

Related