Indicators of compromise

When talking about detection, it is important to talk about Indicators of Compromise (IoC). When new threats are found in the wild, they usually have a pattern of behavior and leave a footprint on the target system.

For example, Petya ransomware ran the following commands in the target system to reschedule a restart:

    schtasks /Create /SC once /TN "" /TR "<system folder>\shutdown.exe /r /f" /ST <time>
    cmd.exe /c schtasks /RU "SYSTEM" /Create /SC once /TN "" /TR "C:\Windows\system32\shutdown.exe /r /f" /ST <time>

Another Petya IoC is the local network scan on TCP ports 139 and 445. These are important indications that an attack is taking place on the target system and, based on this footprint, that Petya is the one to blame. Detection systems are able to gather these indicators of compromise and raise alerts when an attack happens. Using Azure Security Center as an example, some hours after the Petya outbreak, Security Center automatically updated its detection engine and was able to warn users that their machine was compromised, as shown in the following screenshot:

You can sign up with OpenIOC (http://openioc.org) to retrieve information regarding new IoCs and also contribute to the community. By using their IoC Editor (consult the reference section for the URL to download this tool), you can create your own IoC or review an existing one. The example that follows shows the IoC Editor displaying the DUQU Trojan IoC:

If you look in the lower-right pane, you will see all the indicators of compromise and the logic operators (in this case, mostly AND) that combine each item and only return positive if every condition is true. The Blue Team should always be aware of the latest threats and IoCs.

You can use the following PowerShell command to download an IoC from OpenIOC; in the following example, you are downloading the IoC for the Zeus threat:

    wget "http://openioc.org/iocs/72669174-dd77-4a4e-82ed-99a96784f36e.ioc" -outfile "72669174-dd77-4a4e-82ed-99a96784f36e.ioc"
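As an added example (not from the book, OpenIOC, or the IoC Editor), the following Python evaluates the nested AND/OR logic of an OpenIOC 1.0-style definition against artifacts observed on a host, in the way the editor's logic tree describes. The IoC document, its id, the search paths, and the observed values are constructed for illustration.

```python
import xml.etree.ElementTree as ET

NS = {"ioc": "http://schemas.mandiant.com/2010/ioc"}
# Constructed OpenIOC 1.0-style definition (hypothetical id; not a real OpenIOC entry).
# Branch 1: a scheduled forced reboot like the Petya commands above. Branch 2: SMB-port activity.
SAMPLE_IOC = """<ioc xmlns="http://schemas.mandiant.com/2010/ioc" id="00000000-0000-0000-0000-000000000000">
 <definition>
  <Indicator operator="OR">
   <Indicator operator="AND">
    <IndicatorItem condition="is"><Context document="ProcessItem" search="ProcessItem/name" type="mir"/>
     <Content type="string">schtasks.exe</Content></IndicatorItem>
    <IndicatorItem condition="contains"><Context document="ProcessItem" search="ProcessItem/arguments" type="mir"/>
     <Content type="string">shutdown.exe /r /f</Content></IndicatorItem>
   </Indicator>
   <Indicator operator="AND">
    <IndicatorItem condition="is"><Context document="PortItem" search="PortItem/remotePort" type="mir"/>
     <Content type="int">139</Content></IndicatorItem>
    <IndicatorItem condition="is"><Context document="PortItem" search="PortItem/remotePort" type="mir"/>
     <Content type="int">445</Content></IndicatorItem>
   </Indicator>
  </Indicator>
 </definition>
</ioc>"""

def item_matches(item, observed):
    """observed maps a search path (e.g. 'ProcessItem/arguments') to the values seen on the host."""
    search = item.find("ioc:Context", NS).get("search")
    value = item.findtext("ioc:Content", namespaces=NS)
    cond = item.get("condition")
    for seen in observed.get(search, []):
        if (cond == "is" and seen == value) or (cond == "contains" and value in seen):
            return True
    return False

def evaluate(indicator, observed):
    """Apply the Indicator's AND/OR operator to its nested Indicators and IndicatorItems."""
    results = []
    for child in indicator:
        tag = child.tag.split("}")[-1]  # strip the XML namespace from the tag name
        if tag == "Indicator":
            results.append(evaluate(child, observed))
        elif tag == "IndicatorItem":
            results.append(item_matches(child, observed))
    return all(results) if indicator.get("operator") == "AND" else any(results)

def ioc_matches(ioc_xml, observed):
    """True if the observed host artifacts satisfy the IoC's top-level logic tree."""
    root = ET.fromstring(ioc_xml)
    return evaluate(root.find("ioc:definition/ioc:Indicator", NS), observed)
```

A single matching item is not enough: each AND branch requires all of its items, which is why a lone connection to port 445 does not fire while the scheduled reboot command with both its name and arguments does.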