Palo Alto Networks Knowledgebase: PAN-OS Configuration Recommendations to Protect Against Shamoon 2

PAN-OS Configuration Recommendations to Protect Against Shamoon 2

Created On 09/27/18 09:43 AM - Last Updated 09/27/18 15:23 PM
Categories:  Threat Intelligence,  Threat Prevention



The "Shamoon 2: Delivering Disttrack" post by Unit 42 covers how Disttrack is delivered and distributed within the targeted network.


Here are some features and configuration best practices which can help with detection and prevention of such malicious activity on the Palo Alto Networks firewall:


Use of stolen credentials

A new feature for preventing credential based attacks was released through PAN-OS 8.0.

Credential phishing prevention works by scanning username and password submissions to websites and comparing those submissions against valid corporate credentials. An administrator can choose what websites to either allow, alert on, or block corporate credential submissions to, based on the URL category of the website. Alternatively, the firewall can be configured to present a page that warns users against submitting credentials to sites classified in certain URL categories. The solution also provides logging visibility into credential submission activity.


Here are some articles that introduce the feature and its configuration:


Use of Remote Desktop Protocol to administer the distribution server remotely

Palo Alto Networks App-ID provides the ability to safely enable applications and provides granular control over allowing approved app traffic in and out of the network. App-ID can be enforced in security policy for remote administration protocols such as RDP to ensure that only authorized users and sources are allowed access to network resources.

GlobalProtect can be used to enable remote users to safely access network resources remotely as well:


Copying suspicious file types such as EXEs and BAT files within the network

Efficient segmentation of the network can help with controlling traffic and getting visibility into traffic traversing different segments of the network. Different interface types and security zones can be configured on the firewall to achieve this:

Additionally, PAN-OS provides the ability to configure blocking of specific file types. The file blocking profile can be used to ensure only approved file types traverse sensitive segments of the network. A video covering the feature and its configuration is available at:


Delivery of malicious Disttrack executable

In addition to file blocking, WildFire and AntiVirus Signatures provide detection of and prevention against malicious files.

Dynamic updates should be configured to make sure the firewall always receives and installs the latest IPS and antivirus definitions:


Other features to aid visibility and enforcement

Lastly, configuration of other features such as SSL decryption, URL filtering, Dynamic block lists etc. can provide additional visibility into the traffic and provide additional enforcement capabilities during different stages of the attack lifecycle.


Some of these recommendations are detailed in the following article:

Although the above article is written with a focus on ransomware infection prevention, the different threat prevention features and their configuration listed in this article can greatly help reduce the attack surface and provide increased visibility into and prevention of any malicious activity. 


  • Print
  • Copy Link

Change Language: