Here are some features and configuration best practices on the Palo Alto Networks firewall that can help detect and prevent such malicious activity:
Use of stolen credentials
Credential phishing prevention, a feature for stopping credential-based attacks, was introduced in PAN-OS 8.0.
It works by inspecting username and password submissions to websites and checking whether the submitted credentials are valid corporate credentials. For each URL category, an administrator chooses whether corporate credential submissions to sites in that category are allowed, alerted on, or blocked. Alternatively, the firewall can present a page that warns the user before a submission to sites in selected categories is allowed to proceed. The feature also logs credential submission activity, giving visibility into where corporate credentials are being entered. Because the firewall has to see the login form to inspect it, submissions over HTTPS are only detected on sessions the firewall decrypts.
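As an added example, not taken from the original article or from Palo Alto Networks documentation, the following PAN-OS CLI set commands build the configuration described above: a URL Filtering profile with credential enforcement in IP-address-to-user mode, a per-category action for corporate credential submissions, and the profile attached to the outbound web rule. The profile name corp-url-filter, the rule name allow-web-out and the category choices are assumptions for illustration; lines beginning with # are explanatory comments and should be dropped when pasting into the CLI.

```text
# Assumed names: profile corp-url-filter, security rule allow-web-out.
# Detection method: match the submitted username against the User-ID
# mapping for the source IP (requires User-ID on the user zones).
set profiles url-filtering corp-url-filter credential-enforcement mode ip-user
set profiles url-filtering corp-url-filter credential-enforcement log-severity medium

# Never allow corporate credentials to be submitted to these categories.
set profiles url-filtering corp-url-filter credential-enforcement block [ malware phishing unknown parked dynamic-dns ]

# Show a warning page first; the user may choose to continue.
set profiles url-filtering corp-url-filter credential-enforcement continue [ web-based-email online-storage-and-backup social-networking ]

# Log the submission but do not interfere with it.
set profiles url-filtering corp-url-filter credential-enforcement alert [ business-and-economy computer-and-internet-info ]

# Attach the profile to the rule that permits outbound web traffic.
set rulebase security rules allow-web-out profile-setting profiles url-filtering corp-url-filter
```

Categories not listed keep the default allow action, so review the full category list rather than relying on the block list alone. Two checks before committing: in ip-user mode a source IP with no User-ID mapping cannot be matched and is therefore not checked (the domain-credential-filter and group-mapping modes are the alternatives), and the firewall can only inspect login forms it can read, so the categories you care about need SSL Forward Proxy decryption for HTTPS sites.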
Here are some articles that introduce the feature and its configuration:
Use of Remote Desktop Protocol to administer the distribution server remotely
Palo Alto Networks App-ID identifies applications regardless of the port they use, which lets security policy safely enable approved applications with granular control over the traffic allowed in and out of the network. For remote administration protocols such as RDP, App-ID can be enforced in security policy, combined with User-ID for the identity of the user, so that only authorized users and approved source hosts are allowed to reach network resources such as the distribution server.
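As an added example, not from the original article, here is a PAN-OS CLI configuration for the RDP case above: only two administrator jump hosts in a dedicated zone, and only users in an administrators group, may reach the distribution server over RDP, matched by App-ID rather than by TCP port, and every other RDP attempt to that server is denied and logged. The zone names (admin, servers), the address objects and their IPs, the rule names and the User-ID group corp\srv-admins are all assumptions; lines beginning with # are explanatory comments and should be dropped when pasting into the CLI.

```text
# Assumed address objects: the distribution server and two admin jump hosts.
set address dist-server ip-netmask 10.10.20.15/32
set address jump-01 ip-netmask 10.10.5.11/32
set address jump-02 ip-netmask 10.10.5.12/32
set address-group admin-jumphosts static [ jump-01 jump-02 ]

# source-user matching needs User-ID enabled on the zone the admins sit in.
set zone admin enable-user-identification yes

# Allow: App-ID ms-rdp on its application-default port only, from the admin
# zone and the jump hosts, for members of the assumed admin group; log it.
set rulebase security rules admin-rdp-to-dist from admin to servers source admin-jumphosts destination dist-server source-user [ "corp\srv-admins" ] application ms-rdp service application-default action allow log-end yes

# Deny: any other RDP to the distribution server, from any zone, on any port.
# Evaluated after the allow rule above (rules are matched top-down).
set rulebase security rules block-other-rdp from any to servers source any destination dist-server application ms-rdp service any action deny log-end yes
```

Compare this with the common weak form, a rule with application any and a service object for tcp/3389 from any source: that rule lets any application tunnelled over 3389 through and says nothing about who is connecting. With application ms-rdp and service application-default, non-RDP traffic on 3389 and RDP moved to a non-standard port both fail the allow rule, and the deny rule then records the attempt in the traffic log.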
Copying suspicious file types such as EXEs and BAT files within the network
Effective segmentation of the network helps control traffic and gives visibility into the traffic traversing different segments. The firewall supports different interface types and security zones that can be configured to achieve this:
Additionally, PAN-OS can block specific file types. A File Blocking profile can be used to ensure that only approved file types traverse sensitive segments of the network. A video covering the feature and its configuration is available at:
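As an added example covering the two recommendations above, segmentation by security zone and file blocking on traffic into the sensitive segment, and not code from the original article: an interface is placed in its own layer 3 zone for the servers, a File Blocking profile blocks executables, installers and batch files in both directions, and the profile is attached to the one rule that allows file sharing into that zone. The interface, zone, profile and rule names and the 10.10.20.0/24 network are assumptions; lines beginning with # are explanatory comments and should be dropped when pasting into the CLI.

```text
# Assumed: ethernet1/3 fronts the 10.10.20.0/24 server segment in its own zone,
# so traffic from user networks into it must cross a zone boundary and a rule.
set network interface ethernet ethernet1/3 layer3 ip 10.10.20.1/24
set network virtual-router default interface ethernet1/3
set zone servers network layer3 ethernet1/3

# File Blocking profile: block Windows executables, DLLs, installers and batch
# files in either direction on any application; log archives that could carry them.
set profiles file-blocking no-exec-to-servers rules block-executables application any file-type [ exe dll msi bat ] direction both action block
set profiles file-blocking no-exec-to-servers rules alert-archives application any file-type [ zip rar 7z ] direction both action alert

# The only rule that permits SMB from the user zone into the server zone,
# with the profile attached so copies of blocked types are dropped and logged.
set rulebase security rules users-to-servers-smb from trust to servers source any destination any application ms-ds-smb service application-default action allow log-end yes
set rulebase security rules users-to-servers-smb profile-setting profiles file-blocking no-exec-to-servers
```

File blocking identifies the file type from its content, not its extension, so a renamed executable is still caught. It only sees transfers inside applications the firewall can decode (SMB, FTP, HTTP and similar); a file copied through RDP drive redirection or the clipboard is not visible to the profile, which is one more reason to keep RDP access into the segment tightly restricted. Blocked transfers appear in the Data Filtering log, which is the place to look when hunting for attempted copies of EXE and BAT files.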
Lastly, configuring other features such as SSL decryption, URL filtering and dynamic block lists (External Dynamic Lists) provides additional visibility into traffic and additional enforcement capabilities at different stages of the attack lifecycle.
Some of these recommendations are detailed in the following article:
Although that article focuses on preventing ransomware infections, the threat prevention features and configuration steps it lists can greatly reduce the attack surface and increase both visibility into and prevention of malicious activity.