Prevention and detection of lateral movement
...without spending a penny
  
Lateral movement

✓ Phishing
✓ Credential harvesting
✓ Reuse of credential on neighbor (PtH)
✓ Retrieve cached credentials
✓ Reuse credential and move to another tier

Tiers: Workstations, Servers, Domain Controller
  
The First Step

– Prevent Local Account access from the network using GPOs
– Centrally monitor logs with Windows Event Forwarding
– Protect network communications using IPsec
– Configure AppLocker to prevent unauthorized applications

Prevent Lateral Movement with Local Accounts
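Added example, not from the deck: a check that the local-account deny GPO from the first step has actually landed on a host, using the two well-known local-account SIDs Windows provides for this. The right names and SIDs are real; the temp-file path is the only assumption.

```powershell
# Added example, not the deck's own code. Denying the two well-known
# local-account SIDs network and RDP logon is what stops a stolen local-admin
# hash from being replayed against a neighbouring workstation (PtH). Run in an
# elevated shell; secedit.exe ships with Windows.

# Well-known SIDs:
#   S-1-5-113  NT AUTHORITY\Local account
#   S-1-5-114  NT AUTHORITY\Local account and member of Administrators group
$ExpectedSids = 'S-1-5-113', 'S-1-5-114'

# User rights the GPO should populate (names as secedit writes them).
$DenyRights = @(
    'SeDenyNetworkLogonRight'            # Deny access to this computer from the network
    'SeDenyRemoteInteractiveLogonRight'  # Deny log on through Remote Desktop Services
)

function Get-UserRightsAssignment {
    # Export the effective local policy and parse the [Privilege Rights]
    # section into a hashtable: right name -> array of SIDs.
    $inf = Join-Path $env:TEMP ('secpol-{0}.inf' -f [guid]::NewGuid())   # temp path: assumption
    try {
        $null = & "$env:SystemRoot\System32\secedit.exe" /export /cfg $inf /areas USER_RIGHTS /quiet
        if (-not (Test-Path $inf)) { throw 'secedit export failed; is the shell elevated?' }
        $rights = @{}
        $inSection = $false
        foreach ($line in Get-Content -Path $inf) {
            if ($line -match '^\[(?<section>.+)\]\s*$') {
                $inSection = ($Matches.section -eq 'Privilege Rights')
            } elseif ($inSection -and $line -match '^(?<name>\w+)\s*=\s*(?<value>.*)$') {
                # secedit prefixes SIDs with '*', e.g. *S-1-5-113,*S-1-5-114
                $rights[$Matches.name] = @($Matches.value -split ',' |
                    ForEach-Object { $_.Trim().TrimStart('*') } | Where-Object { $_ })
            }
        }
        return $rights
    } finally {
        Remove-Item -Path $inf -ErrorAction SilentlyContinue
    }
}

function Test-LocalAccountDenyRights {
    # One row per (right, SID), so a partially applied GPO is visible at a glance.
    $rights = Get-UserRightsAssignment
    foreach ($right in $DenyRights) {
        $assigned = if ($rights.ContainsKey($right)) { $rights[$right] } else { @() }
        foreach ($sid in $ExpectedSids) {
            [pscustomobject]@{
                Right   = $right
                Sid     = $sid
                Present = [bool]($assigned -contains $sid)
            }
        }
    }
}

$report = @(Test-LocalAccountDenyRights)
$report | Format-Table -AutoSize
if ($report | Where-Object { -not $_.Present }) {
    Write-Warning 'Local-account deny rights are incomplete on this host; check the User Rights Assignment GPO.'
}
```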
  	
  
Windows Event Forwarding Configuration Steps

Collector configuration
☐ Configure WinRM listener and open the firewall
☐ Verify the SPN for WSMAN is published
☐ Create subscription

Workstation GPO
☐ Configure Audit policy
☐ Enable WinRM service
☐ Configure log target
☐ Add Network Service to Event Log Reader group

Log target value (Subscription Manager):
Server=http://<SERVER FQDN>:5985/wsman/SubscriptionManager/WEC,Refresh=<SubscriptionRefresh>
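Added example, not from the deck: it builds the subscription query from the deck's "Event list to paste in subscription" (grouped by the channel each ID is written to), tests the query locally with Get-WinEvent before it is pasted into the collector subscription, and prints the Subscription Manager value for the workstation GPO. The collector FQDN `wec.example.local` and the 60 s refresh are placeholders.

```powershell
# Added example, not the deck's own code. Placeholders below are assumptions.
$CollectorFqdn  = 'wec.example.local'   # placeholder
$RefreshSeconds = 60                    # placeholder

# The deck lists the IDs but not their channels; most are Security events,
# 7045 is written by the Service Control Manager to System, and the LSA
# protection events 3033/3063/3065/3066 go to CodeIntegrity/Operational.
$EventsByChannel = [ordered]@{
    'Security' = 1102,517,4610,4611,4614,4622,4648,4661,4672,4723,4964,4697,
                 4698,4702,4719,612,4732,4720,4798
    'System'   = 7045
    'Microsoft-Windows-CodeIntegrity/Operational' = 3065,3066,3033,3063
}

function New-WefQueryList {
    param([System.Collections.IDictionary]$Channels, [int]$ChunkSize = 20)
    # One <Query> per channel. Windows rejects XPath expressions with too many
    # terms, so long ID lists are split into several <Select> elements of at
    # most $ChunkSize IDs each; the subscription ORs all of them together.
    $queryId = 0
    $queries = foreach ($channel in $Channels.Keys) {
        $ids = @($Channels[$channel])
        $selects = for ($i = 0; $i -lt $ids.Count; $i += $ChunkSize) {
            $last  = [Math]::Min($i + $ChunkSize, $ids.Count) - 1
            $terms = ($ids[$i..$last] | ForEach-Object { "EventID=$_" }) -join ' or '
            "    <Select Path=`"$channel`">*[System[($terms)]]</Select>"
        }
        "  <Query Id=`"$queryId`" Path=`"$channel`">`n$($selects -join "`n")`n  </Query>"
        $queryId++
    }
    "<QueryList>`n$($queries -join "`n")`n</QueryList>"
}

function Test-WefQuery {
    param([string]$QueryXml, [int]$MaxEvents = 5)
    # Feed the same XML to Get-WinEvent: a malformed XPath throws, while an
    # empty result on a quiet machine is reported, not treated as an error.
    try {
        $events = @(Get-WinEvent -FilterXml ([xml]$QueryXml) -MaxEvents $MaxEvents -ErrorAction Stop)
        [pscustomobject]@{ Valid = $true; Sample = ($events | Select-Object TimeCreated, LogName, Id); Error = '' }
    } catch [System.Exception] {
        $noEvents = $_.Exception.Message -like '*No events were found*'
        [pscustomobject]@{ Valid = $noEvents; Sample = @(); Error = $_.Exception.Message }
    }
}

$query = New-WefQueryList -Channels $EventsByChannel
$query                                    # paste this into the subscription's Query
Test-WefQuery -QueryXml $query | Format-List

# Workstation GPO: Computer Configuration > Administrative Templates >
# Windows Components > Event Forwarding > Configure target Subscription Manager,
# in the same format as the deck's collector slide.
'Server=http://{0}:5985/wsman/SubscriptionManager/WEC,Refresh={1}' -f $CollectorFqdn, $RefreshSeconds

# Where that value lands once the GPO has applied, for checking on a workstation:
$regPath = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\EventLog\EventForwarding\SubscriptionManager'
if (Test-Path $regPath) { Get-ItemProperty -Path $regPath } else { 'Subscription Manager policy not applied yet' }
```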
  
Recommended Audit Policy

| Category | Subcategory | Audit settings |
|---|---|---|
| Account Logon | Credential Validation | Success and Failure |
| Account Management | Security Group Management | Success and Failure |
| Account Management | User Account Management | Success and Failure |
| Account Management | Computer Account Management | Success and Failure |
| Account Management | Other Account Management Events | Success and Failure |
| Detailed Tracking | Process Creation | Success |
| Detailed Tracking | Process Termination | Success |
| Logon/Logoff | Logon | Success and Failure |
| Logon/Logoff | Logoff | Success |
| Logon/Logoff | Other Logon/Logoff Events | Success and Failure |
| Logon/Logoff | Special Logon | Success and Failure |
| Logon/Logoff | Account Lockout | Success |
| Object Access | File Share | Success |
| Object Access | Removable Storage | Success |
| Policy Change | Audit Policy Change | Success and Failure |
| Policy Change | MPSSVC Rule-Level Policy Change | Success and Failure |
| Policy Change | Other Policy Change Events | Success and Failure |
| Policy Change | Authentication Policy Change | Success and Failure |
| Policy Change | Authorization Policy Change | Success and Failure |
| System | Security State Change | Success and Failure |
| System | Security System Extension | Success and Failure |
| System | System Integrity | Success and Failure |
  
Windows Firewall with IPsec

IPsec
• Enforce IPsec protocol default
• Create IPsec rule for WinRM

Firewall
• Deny WinRM ports and program
• Permit authenticated tcp/5985

Verify result
  
AppLocker

Enable the AppID service
https://technet.microsoft.com/pt-pt/library/ee460944(v=ws.10).aspx

Path Variables (drive, e.g. C:)

Add Event Collector Subscription

Network shares?

AppLocker Reporting!
  
PowerShell time!

• Extract event ID 8002 and 8003: Get-WinEvent
• Resolve user attribute from SID using
• Export the result to CSV
• Send the CSV by email?
• Schedule the script under the Local System account.

Program: %SystemRoot%\system32\WindowsPowerShell\v1.0\powershell.exe
Arguments: -noprofile -noninteractive -windowstyle hidden -ep bypass -file (admin writeable only file location).ps1
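The steps on this slide as one working script, added here and not the deck's own code. The report folder, SMTP settings and script path are placeholders, and SID resolution uses NTAccount translation, which is my choice since the slide leaves the method open.

```powershell
# Added example, not the deck's own script. Placeholders are assumptions.
param(
    [string]$ReportDir  = 'C:\AppLockerReports',       # placeholder
    [int]   $Hours      = 24,
    [string]$MailTo,                                    # optional, e.g. soc@example.local
    [string]$MailFrom   = 'applocker@example.local',    # placeholder
    [string]$SmtpServer = 'smtp.example.local',         # placeholder
    [switch]$RegisterTask                               # run once, elevated, to schedule
)

$LogName  = 'Microsoft-Windows-AppLocker/EXE and DLL'
# 8002 = file allowed to run; 8003 = allowed only because the rule set is in
# audit mode (would be blocked once enforced). 8003 is the one to review.
$EventIds = 8002, 8003

function Resolve-SidToAccount {
    param([System.Security.Principal.SecurityIdentifier]$Sid)
    if (-not $Sid) { return 'N/A' }
    # DOMAIN\user for live accounts; fall back to the raw SID for deleted or
    # foreign accounts instead of failing the whole report.
    try { $Sid.Translate([System.Security.Principal.NTAccount]).Value } catch { $Sid.Value }
}

function Get-AppLockerReport {
    param([int]$Hours)
    $filter = @{ LogName = $LogName; Id = $EventIds; StartTime = (Get-Date).AddHours(-$Hours) }
    foreach ($e in @(Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue)) {
        # File details live in the UserData payload, not in the Message text.
        $d = ([xml]$e.ToXml()).Event.UserData.RuleAndFileData
        [pscustomobject]@{
            Time      = $e.TimeCreated
            Computer  = $e.MachineName
            EventId   = $e.Id
            Outcome   = if ($e.Id -eq 8003) { 'WouldBeBlocked' } else { 'Allowed' }
            User      = Resolve-SidToAccount -Sid $e.UserId
            Sid       = if ($e.UserId) { $e.UserId.Value } else { 'N/A' }
            FilePath  = $d.FilePath
            FileHash  = $d.FileHash
            Publisher = $d.Fqbn
            Rule      = $d.RuleName
        }
    }
}

function Register-AppLockerReportTask {
    # Mirrors the slide's Program/Arguments. The script must live where only
    # administrators can write; otherwise a standard user could swap the file
    # that the task runs as SYSTEM.
    $scriptPath = 'C:\Program Files\AppLockerReport\Get-AppLockerReport.ps1'   # placeholder
    $exe       = "$env:SystemRoot\system32\WindowsPowerShell\v1.0\powershell.exe"
    $arguments = "-noprofile -noninteractive -windowstyle hidden -ep bypass -file `"$scriptPath`""
    $action    = New-ScheduledTaskAction -Execute $exe -Argument $arguments
    $trigger   = New-ScheduledTaskTrigger -Daily -At 7am
    $principal = New-ScheduledTaskPrincipal -UserId 'SYSTEM' -LogonType ServiceAccount -RunLevel Highest
    Register-ScheduledTask -TaskName 'AppLocker daily report' -Action $action -Trigger $trigger -Principal $principal -Force
}

if ($RegisterTask) { Register-AppLockerReportTask; return }

New-Item -Path $ReportDir -ItemType Directory -Force | Out-Null
$csv  = Join-Path $ReportDir ('AppLocker-{0}-{1:yyyyMMdd-HHmm}.csv' -f $env:COMPUTERNAME, (Get-Date))
$rows = @(Get-AppLockerReport -Hours $Hours)
$rows | Export-Csv -Path $csv -NoTypeInformation -Encoding UTF8
'{0} event(s) written to {1}' -f $rows.Count, $csv

if ($MailTo -and $rows.Count -gt 0) {
    Send-MailMessage -To $MailTo -From $MailFrom -SmtpServer $SmtpServer -Attachments $csv `
        -Subject ('AppLocker report {0}: {1} event(s)' -f $env:COMPUTERNAME, $rows.Count) -Body 'CSV attached.'
}
```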
  
What else?

Deploy latest PowerShell and enable logging
Authentication Silos
Group Managed Service Accounts
Protected Users security group
Assume you're breached: Reset Golden Ticket
LAPS
Disable NTLM

Thanks
pascal.bourbonnais@mcgill.ca
  
| EventID | Description | Impact |
|---|---|---|
| 1102/517 | Event log cleared | Attackers may clear Windows event logs. |
| 4610/4611/4614/4622 | Local Security Authority modification | Attackers may modify LSA for escalation/persistence. |
| 4648 | Explicit credential logon | Typically when a logged on user provides different credentials to access a resource. Requires filtering of normal. |
| 4661 | A handle to an object was requested | SAM/DSA access. Requires filtering of normal. |
| 4672 | Special privileges assigned to new logon | Monitor when someone with admin rights logs on. Is this an account that should have admin rights or a normal user? |
| 4723 | Account password change attempted | If it's not an approved/known pw change, you should know. |
| 4964 | Custom Special Group logon tracking | Track admin & users of interest logons. |
| 7045/4697 | New service was installed | Attackers often install a new service for persistence. |
| 4698/4702 | Scheduled task creation/modification | Attackers often create/modify scheduled tasks for persistence. Pull all events in Microsoft-Windows-TaskScheduler/Operational. |
| 4719/612 | System audit policy was changed | Attackers may modify the system's audit policy. |
| 4732 | A member was added to a (security-enabled) local group | Attackers may create a new local account & add it to the local Administrators group. |
| 4720 | A (local) user account was created | Attackers may create a new local account for persistence. |
| 3065/3066 | LSASS Auditing checks for code integrity | Monitors LSA drivers & plugins. Test extensively before deploying. |
| 3033/3063 | LSA Protection drivers that failed to load | Monitors LSA drivers & plugins & blocks ones that aren't properly signed. |
| 4798 | A user's local group membership was enumerated. | Potentially recon activity of local group membership. Filter out normal activity. |
  
| Type | Name | Description | Creds on Disk | Creds in Memory | Distribution |
|---|---|---|---|---|---|
| 0 | System | Typically rare, but could alert to malicious activity | Yes | Yes | 0% |
| 2 | Interactive | Console logon (local keyboard) which includes server KVM or virtual client logon. Also standard RunAs. | No | Yes | #5 / 0% |
| 3 | Network | Accessing file shares, printers, IIS (integrated auth, etc), PowerShell remoting | No | No | #1 / ~80% |
| 4 | Batch | Scheduled tasks | Yes | Yes | #7 / 0% |
| 5 | Service | Services | Yes | Yes | #4 / <1% |
| 7 | Unlock | Unlock the system | No | Yes | #6 / <1% |
| 8 | Network Clear Text | Network logon with password in clear text (IIS basic auth). If over SSL/TLS, this is probably fine. | Maybe | Yes | #2 / ~15% |
| 9 | New Credentials | RunAs/NetOnly which starts a program with different credentials than logged on user | No | Yes | #3 / <1% |
| 10 | Remote Interactive | RDP: TerminalServices, Remote Assistance, RDP | Maybe | Yes* | #9 / 0% |
| 11 | Cached Interactive | Logon with cached credentials (no DC online) | Yes | Yes | #8 / 0% |
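Added example, not from the deck: it measures the rank and percentage in the Distribution column from a host's own Security log (4624 successful logons, which the recommended audit policy enables) and annotates each logon type with the table's credential-exposure columns, so the types that leave credentials in memory stand out in the output.

```powershell
# Added example, not the deck's own code. Table data below is the deck's.
$LogonTypes = @{
    0  = @{ Name = 'System';             Disk = 'Yes';   Memory = 'Yes'  }
    2  = @{ Name = 'Interactive';        Disk = 'No';    Memory = 'Yes'  }
    3  = @{ Name = 'Network';            Disk = 'No';    Memory = 'No'   }
    4  = @{ Name = 'Batch';              Disk = 'Yes';   Memory = 'Yes'  }
    5  = @{ Name = 'Service';            Disk = 'Yes';   Memory = 'Yes'  }
    7  = @{ Name = 'Unlock';             Disk = 'No';    Memory = 'Yes'  }
    8  = @{ Name = 'Network Clear Text'; Disk = 'Maybe'; Memory = 'Yes'  }
    9  = @{ Name = 'New Credentials';    Disk = 'No';    Memory = 'Yes'  }
    10 = @{ Name = 'Remote Interactive'; Disk = 'Maybe'; Memory = 'Yes*' }
    11 = @{ Name = 'Cached Interactive'; Disk = 'Yes';   Memory = 'Yes'  }
}

function Get-LogonTypeDistribution {
    param([int]$Days = 7)
    # 4624 = successful logon. LogonType is read by name from the event XML
    # rather than by property index, so the field order cannot bite.
    $filter = @{ LogName = 'Security'; Id = 4624; StartTime = (Get-Date).AddDays(-$Days) }
    $events = @(Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue)
    if ($events.Count -eq 0) { Write-Warning 'No 4624 events; is Logon auditing enabled?'; return }

    $counts = @{}
    foreach ($e in $events) {
        $xml  = [xml]$e.ToXml()
        $type = [int](($xml.Event.EventData.Data | Where-Object { $_.Name -eq 'LogonType' }).'#text')
        if ($counts.ContainsKey($type)) { $counts[$type]++ } else { $counts[$type] = 1 }
    }

    $rank = 0
    foreach ($entry in ($counts.GetEnumerator() | Sort-Object Value -Descending)) {
        $rank++
        $info = $LogonTypes[[int]$entry.Key]
        [pscustomobject]@{
            Type          = $entry.Key
            Name          = if ($info) { $info.Name } else { 'Unknown' }
            Count         = $entry.Value
            Percent       = [math]::Round(100 * $entry.Value / $events.Count, 1)
            Rank          = "#$rank"
            CredsOnDisk   = if ($info) { $info.Disk } else { '?' }
            CredsInMemory = if ($info) { $info.Memory } else { '?' }
        }
    }
}

# Network (type 3) should dominate as in the table; a high share of type 8 or
# of type 10 on workstations is the kind of deviation worth explaining.
Get-LogonTypeDistribution -Days 7 | Format-Table -AutoSize
```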
  
| Topic | Link |
|---|---|
| Local account SID | https://blogs.technet.microsoft.com/pfesweplat/2014/10/16/prevent-lateral-movement-with-local-accounts/ |
| Windows Event Forwarding | https://blogs.technet.microsoft.com/jepayne/2015/11/23/monitoring-what-matters-windows-event-forwarding-for-everyone-even-if-you-already-have-a-siem/ |
| Audit Policy | https://docs.microsoft.com/en-us/windows/threat-protection/use-windows-event-forwarding-to-assist-in-instrusion-detection |
| AppLocker | https://blogs.technet.microsoft.com/askpfeplat/2016/06/27/applocker-another-layer-in-the-defense-in-depth-against-malware/ |
| AppLocker | https://technet.microsoft.com/pt-pt/library/ee460944(v=ws.10).aspx |
| Custom Event log | https://blogs.technet.microsoft.com/russellt/2016/05/18/creating-custom-windows-event-forwarding-logs/ |
| Event list to paste in subscription | 1102,517,4610,4611,4614,4622,4648,4661,4672,4723,4964,7045,4697,4698,4702,4719,612,4732,4720,3065,3066,3033,3063,4798 |
| Authentication Silos | https://blogs.technet.microsoft.com/askpfeplat/2017/10/31/protecting-domain-administrative-credentials/ |
| AppLocker meme | http://www.learnsecurity.org/single-post/2017/03/02/Detecting-Insider-Threats |
  
  

Nell’iperspazio con Rocket: il Framework Web di Rust!Commit University
 
Unraveling Multimodality with Large Language Models.pdf
Unraveling Multimodality with Large Language Models.pdfUnraveling Multimodality with Large Language Models.pdf
Unraveling Multimodality with Large Language Models.pdfAlex Barbosa Coqueiro
 
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024BookNet Canada
 
Moving Beyond Passwords: FIDO Paris Seminar.pdf
Moving Beyond Passwords: FIDO Paris Seminar.pdfMoving Beyond Passwords: FIDO Paris Seminar.pdf
Moving Beyond Passwords: FIDO Paris Seminar.pdfLoriGlavin3
 
The Ultimate Guide to Choosing WordPress Pros and Cons
The Ultimate Guide to Choosing WordPress Pros and ConsThe Ultimate Guide to Choosing WordPress Pros and Cons
The Ultimate Guide to Choosing WordPress Pros and ConsPixlogix Infotech
 
How to write a Business Continuity Plan
How to write a Business Continuity PlanHow to write a Business Continuity Plan
How to write a Business Continuity PlanDatabarracks
 
Ensuring Technical Readiness For Copilot in Microsoft 365
Ensuring Technical Readiness For Copilot in Microsoft 365Ensuring Technical Readiness For Copilot in Microsoft 365
Ensuring Technical Readiness For Copilot in Microsoft 3652toLead Limited
 
Merck Moving Beyond Passwords: FIDO Paris Seminar.pptx
Merck Moving Beyond Passwords: FIDO Paris Seminar.pptxMerck Moving Beyond Passwords: FIDO Paris Seminar.pptx
Merck Moving Beyond Passwords: FIDO Paris Seminar.pptxLoriGlavin3
 
Hyperautomation and AI/ML: A Strategy for Digital Transformation Success.pdf
Hyperautomation and AI/ML: A Strategy for Digital Transformation Success.pdfHyperautomation and AI/ML: A Strategy for Digital Transformation Success.pdf
Hyperautomation and AI/ML: A Strategy for Digital Transformation Success.pdfPrecisely
 
TeamStation AI System Report LATAM IT Salaries 2024
TeamStation AI System Report LATAM IT Salaries 2024TeamStation AI System Report LATAM IT Salaries 2024
TeamStation AI System Report LATAM IT Salaries 2024Lonnie McRorey
 
From Family Reminiscence to Scholarly Archive .
From Family Reminiscence to Scholarly Archive .From Family Reminiscence to Scholarly Archive .
From Family Reminiscence to Scholarly Archive .Alan Dix
 

Kürzlich hochgeladen (20)

Digital Identity is Under Attack: FIDO Paris Seminar.pptx
Digital Identity is Under Attack: FIDO Paris Seminar.pptxDigital Identity is Under Attack: FIDO Paris Seminar.pptx
Digital Identity is Under Attack: FIDO Paris Seminar.pptx
 
Commit 2024 - Secret Management made easy
Commit 2024 - Secret Management made easyCommit 2024 - Secret Management made easy
Commit 2024 - Secret Management made easy
 
Scanning the Internet for External Cloud Exposures via SSL Certs
Scanning the Internet for External Cloud Exposures via SSL CertsScanning the Internet for External Cloud Exposures via SSL Certs
Scanning the Internet for External Cloud Exposures via SSL Certs
 
The Role of FIDO in a Cyber Secure Netherlands: FIDO Paris Seminar.pptx
The Role of FIDO in a Cyber Secure Netherlands: FIDO Paris Seminar.pptxThe Role of FIDO in a Cyber Secure Netherlands: FIDO Paris Seminar.pptx
The Role of FIDO in a Cyber Secure Netherlands: FIDO Paris Seminar.pptx
 
Are Multi-Cloud and Serverless Good or Bad?
Are Multi-Cloud and Serverless Good or Bad?Are Multi-Cloud and Serverless Good or Bad?
Are Multi-Cloud and Serverless Good or Bad?
 
What is DBT - The Ultimate Data Build Tool.pdf
What is DBT - The Ultimate Data Build Tool.pdfWhat is DBT - The Ultimate Data Build Tool.pdf
What is DBT - The Ultimate Data Build Tool.pdf
 
Take control of your SAP testing with UiPath Test Suite
Take control of your SAP testing with UiPath Test SuiteTake control of your SAP testing with UiPath Test Suite
Take control of your SAP testing with UiPath Test Suite
 
DSPy a system for AI to Write Prompts and Do Fine Tuning
DSPy a system for AI to Write Prompts and Do Fine TuningDSPy a system for AI to Write Prompts and Do Fine Tuning
DSPy a system for AI to Write Prompts and Do Fine Tuning
 
Advanced Computer Architecture – An Introduction
Advanced Computer Architecture – An IntroductionAdvanced Computer Architecture – An Introduction
Advanced Computer Architecture – An Introduction
 
Nell’iperspazio con Rocket: il Framework Web di Rust!
Nell’iperspazio con Rocket: il Framework Web di Rust!Nell’iperspazio con Rocket: il Framework Web di Rust!
Nell’iperspazio con Rocket: il Framework Web di Rust!
 
Unraveling Multimodality with Large Language Models.pdf
Unraveling Multimodality with Large Language Models.pdfUnraveling Multimodality with Large Language Models.pdf
Unraveling Multimodality with Large Language Models.pdf
 
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
 
Moving Beyond Passwords: FIDO Paris Seminar.pdf
Moving Beyond Passwords: FIDO Paris Seminar.pdfMoving Beyond Passwords: FIDO Paris Seminar.pdf
Moving Beyond Passwords: FIDO Paris Seminar.pdf
 
The Ultimate Guide to Choosing WordPress Pros and Cons
The Ultimate Guide to Choosing WordPress Pros and ConsThe Ultimate Guide to Choosing WordPress Pros and Cons
The Ultimate Guide to Choosing WordPress Pros and Cons
 
How to write a Business Continuity Plan
How to write a Business Continuity PlanHow to write a Business Continuity Plan
How to write a Business Continuity Plan
 
Ensuring Technical Readiness For Copilot in Microsoft 365
Ensuring Technical Readiness For Copilot in Microsoft 365Ensuring Technical Readiness For Copilot in Microsoft 365
Ensuring Technical Readiness For Copilot in Microsoft 365
 
Merck Moving Beyond Passwords: FIDO Paris Seminar.pptx
Merck Moving Beyond Passwords: FIDO Paris Seminar.pptxMerck Moving Beyond Passwords: FIDO Paris Seminar.pptx
Merck Moving Beyond Passwords: FIDO Paris Seminar.pptx
 
Hyperautomation and AI/ML: A Strategy for Digital Transformation Success.pdf
Hyperautomation and AI/ML: A Strategy for Digital Transformation Success.pdfHyperautomation and AI/ML: A Strategy for Digital Transformation Success.pdf
Hyperautomation and AI/ML: A Strategy for Digital Transformation Success.pdf
 
TeamStation AI System Report LATAM IT Salaries 2024
TeamStation AI System Report LATAM IT Salaries 2024TeamStation AI System Report LATAM IT Salaries 2024
TeamStation AI System Report LATAM IT Salaries 2024
 
From Family Reminiscence to Scholarly Archive .
From Family Reminiscence to Scholarly Archive .From Family Reminiscence to Scholarly Archive .
From Family Reminiscence to Scholarly Archive .
 

Detect and Prevent Lateral Movement

  • 1. Preventing and detecting lateral movement ... without spending a penny
  • 2. Lateral movement
      - Phishing
      - Credential harvesting
      - Reuse of credentials on a neighbouring host (PtH)
      - Retrieve cached credentials
      - Reuse credentials and move to another tier
      Tiers: Workstations, Servers, Domain Controller
  • 3. The First Step
      - Prevent local account access from the network using GPOs
      - Centrally monitor logs with Windows Event Forwarding
      - Protect network communications using IPsec
      - Configure AppLocker to prevent unauthorized applications
  • 4. Prevent Lateral Movement with Local Accounts
  • 7. Configuration Steps
      Collector configuration
      - Configure the WinRM listener and open the firewall
      - Verify the SPN for WSMAN is published
      - Create the subscription
      Workstation GPO
      - Configure the audit policy
      - Enable the WinRM service
      - Configure the log target
      - Add Network Service to the Event Log Readers group
      Log target (SubscriptionManager) value:
      Server=http://<SERVER FQDN>:5985/wsman/SubscriptionManager/WEC,Refresh=<SubscriptionRefresh>
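The collector and workstation steps above, as an added PowerShell example (not the deck's own script). It assumes a collector FQDN of wec01.corp.example, a subscription named LateralMovement, a 60 s refresh, and the event list from the deck's links slide; which channel carries the 30xx LSA events is an assumption noted in the code.

```powershell
# Added example, not from the deck: source-initiated WEF subscription for the deck's event IDs.
# Assumed values: collector FQDN, subscription name and refresh interval below. Run elevated.
$collectorFqdn    = 'wec01.corp.example'   # assumption: your collector's FQDN
$subscriptionName = 'LateralMovement'      # assumption: any unique subscription name
$refreshSeconds   = 60                     # assumption: how often sources re-read the subscription

# --- Collector: WinRM listener + firewall rule, then the Windows Event Collector service ---
winrm quickconfig -q
wecutil qc /q
# Slide 7: verify that the WSMAN SPN for this host is published before sources try Kerberos.
setspn -L $env:COMPUTERNAME | Select-String 'WSMAN'

# Security-log IDs from the deck's "Event list to paste in subscription"; 7045 lives in System and
# the 30xx LSA code-integrity events in the CodeIntegrity channel (channel placement is an assumption).
$securityIds = 1102,517,4610,4611,4614,4622,4648,4661,4672,4723,4964,4697,4698,4702,4719,612,4732,4720,4798
$secSelect = ($securityIds | ForEach-Object { "EventID=$_" }) -join ' or '
$ciSelect  = (3033,3063,3065,3066 | ForEach-Object { "EventID=$_" }) -join ' or '

$xml = @"
<Subscription xmlns="http://schemas.microsoft.com/2004/08/subscription">
  <SubscriptionId>$subscriptionName</SubscriptionId>
  <SubscriptionType>SourceInitiated</SubscriptionType>
  <Description>Lateral movement indicators</Description>
  <Enabled>true</Enabled>
  <Uri>http://schemas.microsoft.com/wbem/wsman/1/windows/EventLog</Uri>
  <ConfigurationMode>MinLatency</ConfigurationMode>
  <Query><![CDATA[<QueryList>
    <Query Id="0" Path="Security"><Select Path="Security">*[System[($secSelect)]]</Select></Query>
    <Query Id="1" Path="System"><Select Path="System">*[System[(EventID=7045)]]</Select></Query>
    <Query Id="2" Path="Microsoft-Windows-CodeIntegrity/Operational"><Select Path="Microsoft-Windows-CodeIntegrity/Operational">*[System[($ciSelect)]]</Select></Query>
  </QueryList>]]></Query>
  <ReadExistingEvents>false</ReadExistingEvents>
  <TransportName>HTTP</TransportName>
  <ContentFormat>RenderedText</ContentFormat>
  <Locale Language="en-US"/>
  <LogFile>ForwardedEvents</LogFile>
  <AllowedSourceDomainComputers>O:NSG:NSD:(A;;GA;;;DC)(A;;GA;;;DD)</AllowedSourceDomainComputers>
</Subscription>
"@
$xmlPath = Join-Path $env:TEMP "$subscriptionName.xml"
Set-Content -Path $xmlPath -Value $xml
wecutil cs $xmlPath

# --- Source side (normally the workstation GPO from slide 7; shown as the equivalent local settings) ---
$subMgr = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\EventLog\EventForwarding\SubscriptionManager'
New-Item -Path $subMgr -Force | Out-Null
Set-ItemProperty -Path $subMgr -Name '1' `
  -Value "Server=http://${collectorFqdn}:5985/wsman/SubscriptionManager/WEC,Refresh=$refreshSeconds"
Set-Service -Name WinRM -StartupType Automatic
Start-Service -Name WinRM
Add-LocalGroupMember -Group 'Event Log Readers' -Member 'NT AUTHORITY\NETWORK SERVICE'
```

The SDDL on AllowedSourceDomainComputers admits Domain Computers (DC) and Domain Controllers (DD); narrow it if only one tier should forward.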
  • 9. Recommended Audit Policy
      Category           | Subcategory                     | Audit settings
      Account Logon      | Credential Validation           | Success and Failure
      Account Management | Security Group Management       | Success and Failure
      Account Management | User Account Management         | Success and Failure
      Account Management | Computer Account Management     | Success and Failure
      Account Management | Other Account Management Events | Success and Failure
      Detailed Tracking  | Process Creation                | Success
      Detailed Tracking  | Process Termination             | Success
      Logon/Logoff       | Logon                           | Success and Failure
      Logon/Logoff       | Logoff                          | Success
      Logon/Logoff       | Other Logon/Logoff Events       | Success and Failure
      Logon/Logoff       | Special Logon                   | Success and Failure
      Logon/Logoff       | Account Lockout                 | Success
      Object Access      | File Share                      | Success
      Object Access      | Removable Storage               | Success
      Policy Change      | Audit Policy Change             | Success and Failure
      Policy Change      | MPSSVC Rule-Level Policy Change | Success and Failure
      Policy Change      | Other Policy Change Events      | Success and Failure
      Policy Change      | Authentication Policy Change    | Success and Failure
      Policy Change      | Authorization Policy Change     | Success and Failure
      System             | Security State Change           | Success and Failure
      System             | Security System Extension       | Success and Failure
      System             | System Integrity                | Success and Failure
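A check a practitioner would want after pushing the table above through GPO: compare a host's live audit policy against it. This is an added PowerShell example, not part of the deck; it assumes an elevated prompt and uses auditpol's own subcategory names.

```powershell
# Added example, not from the deck: diff the live audit policy against the recommended table
# and emit the auditpol commands that would close each gap. Assumes an elevated PowerShell.
$recommended = [ordered]@{
  'Credential Validation'           = 'Success and Failure'
  'Security Group Management'       = 'Success and Failure'
  'User Account Management'         = 'Success and Failure'
  'Computer Account Management'     = 'Success and Failure'
  'Other Account Management Events' = 'Success and Failure'
  'Process Creation'                = 'Success'
  'Process Termination'             = 'Success'
  'Logon'                           = 'Success and Failure'
  'Logoff'                          = 'Success'
  'Other Logon/Logoff Events'       = 'Success and Failure'
  'Special Logon'                   = 'Success and Failure'
  'Account Lockout'                 = 'Success'
  'File Share'                      = 'Success'
  'Removable Storage'               = 'Success'
  'Audit Policy Change'             = 'Success and Failure'
  'MPSSVC Rule-Level Policy Change' = 'Success and Failure'
  'Other Policy Change Events'      = 'Success and Failure'
  'Authentication Policy Change'    = 'Success and Failure'
  'Authorization Policy Change'     = 'Success and Failure'
  'Security State Change'           = 'Success and Failure'
  'Security System Extension'       = 'Success and Failure'
  'System Integrity'                = 'Success and Failure'
}

function Test-AuditBaseline {
  # "auditpol /get /category:* /r" prints CSV with the columns
  # Machine Name, Policy Target, Subcategory, Subcategory GUID, Inclusion Setting, Exclusion Setting.
  $current = auditpol /get /category:* /r | Where-Object { $_ -ne '' } | ConvertFrom-Csv
  foreach ($row in $current) {
    $want = $recommended[$row.Subcategory]
    if (-not $want) { continue }                      # subcategory not in the recommended table
    $have = $row.'Inclusion Setting'
    # "Success and Failure" also satisfies a "Success"-only row; anything else is a gap.
    $ok = ($have -eq $want) -or ($want -eq 'Success' -and $have -eq 'Success and Failure')
    if ($ok) { continue }
    $failure = if ($want -eq 'Success and Failure') { 'enable' } else { 'disable' }
    [pscustomobject]@{
      Subcategory = $row.Subcategory
      Current     = $have
      Required    = $want
      Fix         = "auditpol /set /subcategory:`"$($row.Subcategory)`" /success:enable /failure:$failure"
    }
  }
}

Test-AuditBaseline | Format-Table -AutoSize
```

An empty result means the host already matches the table; the Fix column is only a local remediation and the GPO remains the source of truth.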
  • 10. Windows Firewall with IPsec
      IPsec
      - Enforce the IPsec protocol default
      - Create an IPsec rule for WinRM
      Firewall
      - Deny the WinRM ports and program
      - Permit authenticated tcp/5985
  • 16. Enable the AppID service
  • 18. Add Event Collector Subscription
  • 20. AppLocker Reporting! PowerShell time!
      - Extract event IDs 8002 and 8003: Get-WinEvent
      - Resolve user attribute from SID using
      - Export the result to CSV
      - Send the CSV by email?
      - Schedule the script under the Local System account.
  • 22. Program: %SystemRoot%\system32\WindowsPowerShell\v1.0\powershell.exe
      Arguments: -noprofile -noninteractive -windowstyle hidden -ep bypass -file (admin writeable only file location).ps1
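The reporting script outlined in slide 20 and the scheduled task from slide 22, as one added PowerShell example (not the deck's own script). It assumes the report folder C:\ProgramData\AppLockerReports, the SMTP server and mail addresses shown, and a daily 06:00 run; the AppLocker channel names and event fields are those Windows writes.

```powershell
# Added example, not the deck's script: gather AppLocker audit events, resolve SIDs, export CSV,
# optionally mail it, and register the slide 22 scheduled task. Assumed values are marked below.
param(
  [string]$ReportDir = 'C:\ProgramData\AppLockerReports',   # assumption: admin-writable only
  [int]$Hours = 24,
  [switch]$SendMail,
  [switch]$RegisterTask
)

function Resolve-Sid([string]$Sid) {
  # Translate a SID string to DOMAIN\user; keep the SID when the account cannot be resolved.
  try { ([System.Security.Principal.SecurityIdentifier]$Sid).Translate([System.Security.Principal.NTAccount]).Value }
  catch { $Sid }
}

function Get-AppLockerAuditReport([int]$Hours) {
  # 8002 = allowed by a rule; 8003 = allowed only because the policy is in audit mode (would be blocked).
  $filter = @{
    LogName   = 'Microsoft-Windows-AppLocker/EXE and DLL', 'Microsoft-Windows-AppLocker/MSI and Script'
    Id        = 8002, 8003
    StartTime = (Get-Date).AddHours(-$Hours)
  }
  Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue | ForEach-Object {
    $data = ([xml]$_.ToXml()).Event.UserData.RuleAndFileData   # PolicyName, RuleName, TargetUser, FilePath, ...
    $verdict = if ($_.Id -eq 8003) { 'WouldBeBlocked' } else { 'Allowed' }
    [pscustomobject]@{
      Time     = $_.TimeCreated
      Computer = $_.MachineName
      EventId  = $_.Id
      Verdict  = $verdict
      User     = Resolve-Sid $data.TargetUser
      Path     = $data.FilePath
      Rule     = $data.RuleName
      Policy   = $data.PolicyName
    }
  }
}

function Register-AppLockerReportTask([string]$ScriptPath) {
  # The slide 22 task: powershell.exe with the deck's arguments, run daily as Local System.
  $exe       = "$env:SystemRoot\system32\WindowsPowerShell\v1.0\powershell.exe"
  $arguments = "-noprofile -noninteractive -windowstyle hidden -ep bypass -file `"$ScriptPath`""
  $action    = New-ScheduledTaskAction -Execute $exe -Argument $arguments
  $trigger   = New-ScheduledTaskTrigger -Daily -At '06:00'        # assumption: daily at 06:00
  $principal = New-ScheduledTaskPrincipal -UserId 'NT AUTHORITY\SYSTEM' -RunLevel Highest
  Register-ScheduledTask -TaskName 'AppLocker Report' -Action $action -Trigger $trigger -Principal $principal -Force
}

if ($RegisterTask) { Register-AppLockerReportTask -ScriptPath $PSCommandPath; return }

New-Item -ItemType Directory -Path $ReportDir -Force | Out-Null
$csv = Join-Path $ReportDir ('applocker-{0:yyyyMMdd-HHmm}.csv' -f (Get-Date))
Get-AppLockerAuditReport -Hours $Hours | Sort-Object Time | Export-Csv -Path $csv -NoTypeInformation
if ($SendMail) {   # assumption: SMTP relay and mailboxes below
  Send-MailMessage -SmtpServer 'smtp.corp.example' -From 'applocker@corp.example' -To 'soc@corp.example' `
    -Subject "AppLocker audit report from $env:COMPUTERNAME" -Attachments $csv
}
```

Run it once with -RegisterTask from the admin-writable location to create the task; the deck's point about that location is what keeps a SYSTEM-run script from being swapped by a standard user.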
  • 25. What else?
      - Deploy the latest PowerShell and enable logging
      - Authentication Silos
      - Group Managed Service Accounts
      - Protected Users security group
      - Assume you're breached: reset the Golden Ticket
      - LAPS
      - Disable NTLM
  • 27. Events to forward
      EventID             | Description                                          | Impact
      1102/517            | Event log cleared                                    | Attackers may clear Windows event logs.
      4610/4611/4614/4622 | Local Security Authority modification                | Attackers may modify LSA for escalation/persistence.
      4648                | Explicit credential logon                            | Typically when a logged-on user provides different credentials to access a resource. Requires filtering of normal.
      4661                | A handle to an object was requested                  | SAM/DSA access. Requires filtering of normal.
      4672                | Special privileges assigned to new logon             | Monitor when someone with admin rights logs on. Is this an account that should have admin rights, or a normal user?
      4723                | Account password change attempted                    | If it's not an approved/known password change, you should know.
      4964                | Custom Special Group logon tracking                  | Track logons of admins and users of interest.
      7045/4697           | New service was installed                            | Attackers often install a new service for persistence.
      4698/4702           | Scheduled task creation/modification                 | Attackers often create/modify scheduled tasks for persistence. Pull all events in Microsoft-Windows-TaskScheduler/Operational.
      4719/612            | System audit policy was changed                      | Attackers may modify the system's audit policy.
      4732                | A member was added to a (security-enabled) local group | Attackers may create a new local account and add it to the local Administrators group.
      4720                | A (local) user account was created                   | Attackers may create a new local account for persistence.
      3065/3066           | LSASS auditing checks for code integrity             | Monitors LSA drivers and plugins. Test extensively before deploying.
      3033/3063           | LSA Protection drivers that failed to load           | Monitors LSA drivers and plugins and blocks ones that aren't properly signed.
      4798                | A user's local group membership was enumerated       | Potentially recon activity of local group membership. Filter out normal activity.
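A first-pass triage of the forwarded events in the table above, as an added PowerShell example (not from the deck). It assumes the events arrive in the collector's ForwardedEvents log and that $KnownAdmins is replaced with the organisation's approved admin accounts; the "requires filtering of normal" rows get the filters the table calls for.

```powershell
# Added example, not from the deck: triage the table's event IDs on the collector.
# Assumptions: events arrive in ForwardedEvents; $KnownAdmins is your approved admin list.
$KnownAdmins = @('CORP\adm-alice', 'CORP\adm-bob')   # assumption: replace with your real admin accounts

function Get-LateralMovementAlerts([int]$Hours = 24) {
  $ids = 1102,4610,4611,4614,4622,4648,4672,4697,4698,4702,4719,4720,4732,4798,7045
  $filter = @{ LogName = 'ForwardedEvents'; Id = $ids; StartTime = (Get-Date).AddHours(-$Hours) }
  foreach ($e in (Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue)) {
    # EventData is a list of <Data Name="...">; index it by name so the fields below are readable.
    $d = @{}
    foreach ($n in ([xml]$e.ToXml()).Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
    $who = "$($d.SubjectDomainName)\$($d.SubjectUserName)"
    $note = switch ($e.Id) {
      4672 {  # "Requires filtering of normal": skip known admins, SYSTEM and computer accounts
        if ($KnownAdmins -contains $who -or $d.SubjectUserName -eq 'SYSTEM' -or $d.SubjectUserName -like '*$') { $null }
        else { "Special privileges for unexpected account $who" } }
      4732 {  # TargetUserName is the group name; only local Administrators is interesting here
        if ($d.TargetUserName -eq 'Administrators') { "$($d.MemberSid) added to local Administrators by $who" } else { $null } }
      4648 {  # explicit credentials that differ from the logged-on user
        if ($d.TargetUserName -ne $d.SubjectUserName) { "$who used credentials of $($d.TargetDomainName)\$($d.TargetUserName) towards $($d.TargetServerName)" } else { $null } }
      default { "Event $($e.Id) from $($e.ProviderName)" }   # remaining IDs are rare enough to surface as-is
    }
    if ($note) {
      [pscustomobject]@{ Time = $e.TimeCreated; Computer = $e.MachineName; Id = $e.Id; Alert = $note }
    }
  }
}

Get-LateralMovementAlerts -Hours 24 | Sort-Object Time | Format-Table -AutoSize
```

Event 1102 carries its subject in UserData rather than EventData, so it falls through to the default branch and is always reported.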
  • 28. Logon types
      Type | Name               | Description                                                                                      | Creds on Disk | Creds in Memory | Distribution
      0    | System             | Typically rare, but could alert to malicious activity                                            | Yes           | Yes             | 0%
      2    | Interactive        | Console logon (local keyboard), which includes server KVM or virtual client logon. Also standard RunAs. | No      | Yes             | #5 / 0%
      3    | Network            | Accessing file shares, printers, IIS (integrated auth, etc.), PowerShell remoting                | No            | No              | #1 / ~80%
      4    | Batch              | Scheduled tasks                                                                                  | Yes           | Yes             | #7 / 0%
      5    | Service            | Services                                                                                         | Yes           | Yes             | #4 / <1%
      7    | Unlock             | Unlock the system                                                                                | No            | Yes             | #6 / <1%
      8    | Network Clear Text | Network logon with password in clear text (IIS basic auth). If over SSL/TLS, this is probably fine. | Maybe      | Yes             | #2 / ~15%
      9    | New Credentials    | RunAs/NetOnly, which starts a program with different credentials than the logged-on user        | No            | Yes             | #3 / <1%
      10   | Remote Interactive | RDP: TerminalServices, Remote Assistance, RDP                                                    | Maybe         | Yes*            | #9 / 0%
      11   | Cached Interactive | Logon with cached credentials (no DC online)                                                     | Yes           | Yes             | #8 / 0%
  • 29. Links
      Topic                              | Link
      Local account SID                  | https://blogs.technet.microsoft.com/pfesweplat/2014/10/16/prevent-lateral-movement-with-local-accounts/
      Windows Event Forwarding           | https://blogs.technet.microsoft.com/jepayne/2015/11/23/monitoring-what-matters-windows-event-forwarding-for-everyone-even-if-you-already-have-a-siem/
      Audit Policy                       | https://docs.microsoft.com/en-us/windows/threat-protection/use-windows-event-forwarding-to-assist-in-instrusion-detection
      AppLocker                          | https://blogs.technet.microsoft.com/askpfeplat/2016/06/27/applocker-another-layer-in-the-defense-in-depth-against-malware/
                                         | https://technet.microsoft.com/pt-pt/library/ee460944(v=ws.10).aspx
      Custom Event log                   | https://blogs.technet.microsoft.com/russellt/2016/05/18/creating-custom-windows-event-forwarding-logs/
      Event list to paste in subscription | 1102,517,4610,4611,4614,4622,4648,4661,4672,4723,4964,7045,4697,4698,4702,4719,612,4732,4720,3065,3066,3033,3063,4798
      Authentication Silos               | https://blogs.technet.microsoft.com/askpfeplat/2017/10/31/protecting-domain-administrative-credentials/
      AppLocker meme                     | http://www.learnsecurity.org/single-post/2017/03/02/Detecting-Insider-Threats