Truebot Mitigations Checklist

Private Matrix recommends that organizations implement the following mitigations, which include mandating phishing-resistant multifactor authentication (MFA) for all staff and services.

  1. Apply patches to CVE-2022-31199.
  2. Update Netwrix Auditor to version 10.5.

Netwrix recommends using their Auditor application only on internally facing networks. System owners who disregard this recommendation and use the application on externally facing instances are at an increased risk of CVE-2022-31199 exploitation on their systems.

To reduce the threat of malicious actors using remote access tools, implement the following measures:

  • Implement application controls to manage and control the execution of software, including allowing only authorized remote access programs.
    • Application controls should prevent the installation and execution of unauthorized remote access and other software. A properly configured application allowlisting solution will block any unlisted application execution. Allowlisting is important because antivirus solutions may fail to detect the execution of malicious portable executables when the files use any combination of compression, encryption, or obfuscation.
    • Refer to the National Security Agency’s Cybersecurity Information Sheet, “Enforce Signed Software Execution Policies,” for additional guidance.
  • Strictly limit the use of RDP (Remote Desktop Protocol) and other remote desktop services. If RDP is necessary, rigorously apply best practices, such as:
    • Auditing the network for systems using RDP.
    • Closing unused RDP ports.
    • Enforcing account lockouts after a specified number of attempts.
    • Applying phishing-resistant multifactor authentication (MFA).
    • Logging RDP login attempts.
  • Disable command line and scripting activities and permissions.
  • Restrict the use of PowerShell by using Group Policy, and only grant it to specific users on a case-by-case basis. Typically, only those users or administrators who manage the network or Windows operating systems (OSs) should be permitted to use PowerShell.
  • Update Windows PowerShell or PowerShell Core to the latest version and uninstall all earlier PowerShell versions. Logs from Windows PowerShell prior to version 5.0 are either non-existent or do not record enough detail to aid in enterprise monitoring and incident response activities.
  • Enable enhanced PowerShell logging.
    • PowerShell logs contain valuable data, including historical OS and registry interaction and possible indicators of compromise (IOCs) of a cyber threat actor’s PowerShell use.
    • Ensure that PowerShell instances, using the latest version, have module, script block, and transcription logging enabled (enhanced logging).
    • The two logs that record PowerShell activity are the PowerShell Windows Event Log and the PowerShell Operational Log. We recommend turning on these two Windows Event Logs with a retention period of at least 180 days. Check these logs regularly to confirm whether the log data has been deleted or logging has been turned off. Set the storage size permitted for both logs to be as large as possible.
  • Configure the Windows Registry to require User Account Control (UAC) approval for any PsExec operations requiring administrator privileges to reduce the risk of lateral movement by PsExec.
  • Review domain controllers, servers, workstations, and Active Directory for new and/or unrecognized accounts.
  • Audit user accounts with administrative privileges and configure access controls according to the principle of least privilege (PoLP).
  • Reduce the threat of credential compromise:
    • Place domain admin accounts in the Protected Users group to prevent caching of password hashes locally.
    • Implement Credential Guard for Windows 10 and Server 2016.
    • Refrain from storing plaintext credentials in scripts.
  • Implement time-based access for accounts set at the admin level and higher, such as the Just-in-Time (JIT) access method, which provisions privileged access when needed and supports the principle of least privilege (as well as the Zero Trust model).
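As an added example (not part of the advisory), the following PowerShell script audits the settings behind the enhanced PowerShell logging bullets and the PsExec/UAC registry bullet above: it reads the Group Policy registry values for module, script block and transcription logging, reports the state, maximum size and oldest surviving event of the two PowerShell event logs, and checks the UAC remote-restriction values that govern whether PsExec can run with a full administrator token from a local account. The function names and the 1 GB size threshold are my own choices; run it from an elevated prompt.

```powershell
# Added audit example (not from the advisory). Read-only; run elevated. Paths are the standard Group Policy registry locations.
function Get-PolicyValue {
    param([string]$Path, [string]$Name)
    try { (Get-ItemProperty -Path $Path -Name $Name -ErrorAction Stop).$Name }
    catch { $null }   # missing key or value means the policy is not configured
}

function Test-PowerShellLogging {
    $base = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell'
    [ordered]@{
        # Module logging writes pipeline execution details (event ID 4103 in the Operational log)
        ModuleLogging      = (Get-PolicyValue "$base\ModuleLogging" 'EnableModuleLogging') -eq 1
        # Script block logging records code as executed, after de-obfuscation (event ID 4104)
        ScriptBlockLogging = (Get-PolicyValue "$base\ScriptBlockLogging" 'EnableScriptBlockLogging') -eq 1
        # Transcription writes full session transcripts to the configured OutputDirectory
        Transcription      = (Get-PolicyValue "$base\Transcription" 'EnableTranscripting') -eq 1
    }
}

function Test-PowerShellEventLogs {
    param([long]$MinSizeBytes = 1GB)   # chosen threshold; the checklist says "as large as possible"
    foreach ($name in 'Windows PowerShell', 'Microsoft-Windows-PowerShell/Operational') {
        $log = Get-WinEvent -ListLog $name -ErrorAction Stop
        # A recent OldestEvent on a busy host suggests the log was cleared or is too small to retain 180 days
        $oldest = Get-WinEvent -LogName $name -Oldest -MaxEvents 1 -ErrorAction SilentlyContinue
        [pscustomobject]@{
            Log          = $name
            Enabled      = $log.IsEnabled
            MaxSizeBytes = $log.MaximumSizeInBytes
            LargeEnough  = $log.MaximumSizeInBytes -ge $MinSizeBytes
            OldestEvent  = $oldest.TimeCreated
        }
    }
}

function Test-PsExecUacRestriction {
    $sys = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
    # LocalAccountTokenFilterPolicy = 1 turns off UAC remote restrictions, so a local admin
    # account gets a full token over the network; 0 or absent keeps the restrictions on.
    $tokenFilter = Get-PolicyValue $sys 'LocalAccountTokenFilterPolicy'
    # FilterAdministratorToken = 1 puts the built-in Administrator into Admin Approval Mode.
    $adminFilter = Get-PolicyValue $sys 'FilterAdministratorToken'
    [ordered]@{
        RemoteUacRestrictionsEnforced = ($tokenFilter -ne 1)
        BuiltinAdminInApprovalMode    = ($adminFilter -eq 1)
    }
}

Test-PowerShellLogging; Test-PowerShellEventLogs | Format-Table -AutoSize; Test-PsExecUacRestriction
```

Any `False` in the first and third tables, or a `LargeEnough` of `False` or a surprisingly recent `OldestEvent` in the second, is a finding to act on under the bullets above.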

In addition, CISA, FBI, MS-ISAC, and CCCS recommend network defenders apply the following mitigations to limit potential adversarial use of common system and network discovery techniques and to reduce the impact and risk of compromise by ransomware or data extortion actors:

  • Disable File and Printer sharing services. If these services are required, use strong passwords or Active Directory authentication.
  • Implement a recovery plan to maintain and retain multiple copies of sensitive or proprietary data and servers in a physically separate, segmented, and secure location (e.g., hard drive, storage device, or the cloud).
  • Maintain offline backups of data and regularly maintain backup and restoration (daily or weekly at minimum) to minimize the impact of disruptions.
  • Require all accounts with password logins to comply with NIST standards for developing and managing password policies:
    • Use longer passwords consisting of at least 15 characters.
    • Store passwords in hashed format using industry-recognized password managers.
    • Salt stored password hashes, including those of shared login credentials.
    • Avoid reusing passwords.
    • Implement multiple failed login attempt account lockouts.
    • Disable password “hints.”
    • Refrain from requiring password changes more frequently than once per year.
  • Require phishing-resistant multifactor authentication for all services, particularly for webmail, virtual private networks, and accounts that access critical systems.
  • Keep all operating systems, software, and firmware up to date by applying timely patches. Patch vulnerable software and hardware systems within 24 to 48 hours of vulnerability disclosure. Prioritize patching known exploited vulnerabilities in internet-facing systems.
  • Segment networks to prevent the spread of ransomware by controlling traffic flows between subnetworks and restricting lateral movement.
  • Identify, detect, and investigate abnormal activity and potential ransomware traversal with a network monitoring tool. Implement a tool that logs and reports all network traffic, including lateral movement activity.
  • Install, regularly update, and enable real-time detection for antivirus software on all hosts.
  • Disable unused ports.
  • Consider adding an email banner to emails received from outside your organization.
  • Ensure all backup data is encrypted, immutable, and covers the entire organization’s data infrastructure.