2. Lateral movement
- Phishing
- Credential harvesting
- Reuse of credential on neighbor (PtH)
- Retrieve cached credentials
- Reuse credential and move to another tier
Tiers: Workstations, Servers, Domain Controller
3. The First Step
- Prevent Local Account access from the network using GPOs
- Centrally monitor logs with Windows Event Forwarding
- Protect network communications using IPsec
- Configure AppLocker to prevent unauthorized applications
7. Configuration Steps
Collector configuration
- Configure WinRM listener and open the firewall
- Verify the SPN for WSMAN is published
- Create subscription
Workstation GPO
- Configure Audit policy
- Enable WinRM service
- Configure log target
- Add Network Service to Event Log Readers group
Log target value: Server=http://<SERVER FQDN>:5985/wsman/SubscriptionManager/WEC,Refresh=<SubscriptionRefresh>
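The collector and source-side steps above, written out as an added PowerShell example (not the deck's own script). It runs elevated; the collector host name, subscription name, refresh interval and the SDDL admitting Domain Computers are assumptions, while the event ID list is the one the deck gives for pasting into the subscription. The workstation block shows the local equivalent of each GPO setting so the registry value and group membership are visible.

```powershell
# Added example, not from the slides. Assumed values are marked.
$collectorFqdn = 'wec01.corp.example'   # assumed collector host name

# ---- Collector ----
# 1. WinRM HTTP listener on tcp/5985 plus the matching firewall exception
winrm quickconfig -quiet

# 2. Sources authenticate to the collector with Kerberos, so a WSMAN SPN must
#    resolve to it. setspn -Q reports whether the SPN exists and who holds it.
setspn -Q "WSMAN/$collectorFqdn"

# 3. Initialise the Windows Event Collector service and create the subscription.
#    IDs 7045, 3065/3066 and 3033/3063 are written to the System log, so the
#    query covers Security and System; the TaskScheduler channel is taken whole.
wecutil qc /q

$ids   = '1102,517,4610,4611,4614,4622,4648,4661,4672,4723,4964,7045,4697,4698,4702,4719,612,4732,4720,3065,3066,3033,3063,4798'
$idSel = ($ids -split ',' | ForEach-Object { "EventID=$_" }) -join ' or '

$subscription = @"
<Subscription xmlns="http://schemas.microsoft.com/2006/03/windows/events/subscription">
  <SubscriptionId>Workstation-Security</SubscriptionId>
  <SubscriptionType>SourceInitiated</SubscriptionType>
  <Description>Security events from workstations (event list from the deck)</Description>
  <Enabled>true</Enabled>
  <Uri>http://schemas.microsoft.com/wbem/wsman/1/windows/EventLog</Uri>
  <ConfigurationMode>MinLatency</ConfigurationMode>
  <Query><![CDATA[
    <QueryList>
      <Query Id="0">
        <Select Path="Security">*[System[($idSel)]]</Select>
        <Select Path="System">*[System[($idSel)]]</Select>
        <Select Path="Microsoft-Windows-TaskScheduler/Operational">*</Select>
      </Query>
    </QueryList>
  ]]></Query>
  <ReadExistingEvents>false</ReadExistingEvents>
  <TransportName>HTTP</TransportName>
  <ContentFormat>RenderedText</ContentFormat>
  <Locale Language="en-US"/>
  <LogFile>ForwardedEvents</LogFile>
  <AllowedSourceNonDomainComputers></AllowedSourceNonDomainComputers>
  <AllowedSourceDomainComputers>O:NSG:BAD:P(A;;GA;;;DC)S:</AllowedSourceDomainComputers>
</Subscription>
"@
$xmlPath = Join-Path $env:TEMP 'Workstation-Security.xml'
Set-Content -Path $xmlPath -Value $subscription -Encoding UTF8
wecutil cs $xmlPath
wecutil gs Workstation-Security          # review what was created

# ---- Source (workstation): local equivalent of the GPO settings ----
# Enable WinRM service (GPO: Windows Remote Management / WinRM Service)
Set-Service -Name WinRM -StartupType Automatic
Start-Service -Name WinRM

# Log target (GPO: Event Forwarding / Configure target Subscription Manager).
# The value is the Server=...,Refresh=... string shown on this slide.
$refresh = 900                            # seconds between source check-ins, assumed
$target  = "Server=http://${collectorFqdn}:5985/wsman/SubscriptionManager/WEC,Refresh=$refresh"
$key = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\EventLog\EventForwarding\SubscriptionManager'
New-Item -Path $key -Force | Out-Null
New-ItemProperty -Path $key -Name '1' -Value $target -PropertyType String -Force | Out-Null

# The forwarder runs as Network Service and needs read access to the Security log
# (Add-LocalGroupMember ships with Windows 10 / Server 2016 and later)
Add-LocalGroupMember -Group 'Event Log Readers' -Member 'NT AUTHORITY\NETWORK SERVICE'

# Audit policy comes from the GPO (slide 9); trigger a check-in with the collector now
gpupdate /force | Out-Null
```

After a few minutes `wecutil gr Workstation-Security` on the collector lists each source and its last heartbeat, which is the quickest way to see which workstations have not picked up the SubscriptionManager value or cannot authenticate.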
9. Recommended Audit Policy

| Category | Subcategory | Audit settings |
|---|---|---|
| Account Logon | Credential Validation | Success and Failure |
| Account Management | Security Group Management | Success and Failure |
| Account Management | User Account Management | Success and Failure |
| Account Management | Computer Account Management | Success and Failure |
| Account Management | Other Account Management Events | Success and Failure |
| Detailed Tracking | Process Creation | Success |
| Detailed Tracking | Process Termination | Success |
| Logon/Logoff | Logon | Success and Failure |
| Logon/Logoff | Logoff | Success |
| Logon/Logoff | Other Logon/Logoff Events | Success and Failure |
| Logon/Logoff | Special Logon | Success and Failure |
| Logon/Logoff | Account Lockout | Success |
| Object Access | File Share | Success |
| Object Access | Removable Storage | Success |
| Policy Change | Audit Policy Change | Success and Failure |
| Policy Change | MPSSVC Rule-Level Policy Change | Success and Failure |
| Policy Change | Other Policy Change Events | Success and Failure |
| Policy Change | Authentication Policy Change | Success and Failure |
| Policy Change | Authorization Policy Change | Success and Failure |
| System | Security State Change | Success and Failure |
| System | Security System Extension | Success and Failure |
| System | System Integrity | Success and Failure |
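The table above applied with auditpol.exe and then checked against the effective policy, as an added example that is not part of the deck. It is meant for a test machine; in production the same subcategories go into the workstation GPO under Advanced Audit Policy Configuration, with "Force audit policy subcategory settings to override audit policy category settings" enabled so the legacy category settings cannot undo them.

```powershell
# Added example, not from the slides: apply and verify the recommended audit policy.
$plan = @(
    @{ Subcategory = 'Credential Validation';            Setting = 'Success and Failure' }
    @{ Subcategory = 'Security Group Management';        Setting = 'Success and Failure' }
    @{ Subcategory = 'User Account Management';          Setting = 'Success and Failure' }
    @{ Subcategory = 'Computer Account Management';      Setting = 'Success and Failure' }
    @{ Subcategory = 'Other Account Management Events';  Setting = 'Success and Failure' }
    @{ Subcategory = 'Process Creation';                 Setting = 'Success' }
    @{ Subcategory = 'Process Termination';              Setting = 'Success' }
    @{ Subcategory = 'Logon';                            Setting = 'Success and Failure' }
    @{ Subcategory = 'Logoff';                           Setting = 'Success' }
    @{ Subcategory = 'Other Logon/Logoff Events';        Setting = 'Success and Failure' }
    @{ Subcategory = 'Special Logon';                    Setting = 'Success and Failure' }
    @{ Subcategory = 'Account Lockout';                  Setting = 'Success' }
    @{ Subcategory = 'File Share';                       Setting = 'Success' }
    @{ Subcategory = 'Removable Storage';                Setting = 'Success' }
    @{ Subcategory = 'Audit Policy Change';              Setting = 'Success and Failure' }
    @{ Subcategory = 'MPSSVC Rule-Level Policy Change';  Setting = 'Success and Failure' }
    @{ Subcategory = 'Other Policy Change Events';       Setting = 'Success and Failure' }
    @{ Subcategory = 'Authentication Policy Change';     Setting = 'Success and Failure' }
    @{ Subcategory = 'Authorization Policy Change';      Setting = 'Success and Failure' }
    @{ Subcategory = 'Security State Change';            Setting = 'Success and Failure' }
    @{ Subcategory = 'Security System Extension';        Setting = 'Success and Failure' }
    @{ Subcategory = 'System Integrity';                 Setting = 'Success and Failure' }
)

# auditpol takes enable/disable per outcome; derive both from the table's wording
foreach ($p in $plan) {
    $success = if ($p.Setting -like 'Success*') { 'enable' } else { 'disable' }
    $failure = if ($p.Setting -like '*Failure') { 'enable' } else { 'disable' }
    $apArgs  = @('/set', "/subcategory:$($p.Subcategory)", "/success:$success", "/failure:$failure")
    & auditpol.exe @apArgs | Out-Null
    if ($LASTEXITCODE -ne 0) { Write-Warning "auditpol could not set '$($p.Subcategory)'" }
}

# Verify: the /r switch gives CSV with an "Inclusion Setting" column per subcategory
$effective = auditpol.exe /get /category:* /r | ConvertFrom-Csv
$drift = foreach ($p in $plan) {
    $row = $effective | Where-Object Subcategory -eq $p.Subcategory
    if (-not $row -or $row.'Inclusion Setting' -ne $p.Setting) {
        [pscustomobject]@{ Subcategory = $p.Subcategory; Expected = $p.Setting; Actual = $row.'Inclusion Setting' }
    }
}
if ($drift) { $drift | Format-Table -AutoSize } else { 'Audit policy matches the recommended table.' }
```

The verification half is the part worth keeping on a schedule: a non-empty `$drift` on a workstation that should be receiving the GPO is itself the condition event 4719 in the table on slide 27 is meant to surface.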
10. Windows Firewall with IPsec
IPsec
- Enforce IPsec protocol default
- Create IPsec rule for WinRM
Firewall
- Deny WinRM ports and program
- Permit authenticated tcp/5985
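The four bullets above as rules on the collector, built with the NetSecurity module rather than the GPO editor so each setting is visible; this is an added example, not the deck's configuration. Rule names, the Domain Computers scope, the assumption that the listener's program is System (http.sys) and the choice of Kerberos machine authentication as the "protocol default" are all assumptions.

```powershell
# Added example, not from the slides. Run elevated on the collector (Windows 8/2012 or later).

# "Enforce IPsec protocol default": an explicit phase-1 authentication set that
# accepts only Kerberos computer authentication (no certificate or PSK fallback)
$proposal = New-NetIPsecAuthProposal -Machine -Kerberos
$authSet  = New-NetIPsecPhase1AuthSet -DisplayName 'Phase1 Kerberos machine' -Proposal $proposal

# "Create IPsec rule for WinRM": inbound connections to tcp/5985 must be
# protected; the collector requests protection on traffic it initiates
New-NetIPsecRule -DisplayName 'IPsec WinRM HTTP' -Profile Domain `
    -Protocol TCP -LocalPort 5985 `
    -InboundSecurity Require -OutboundSecurity Request `
    -Phase1AuthSet $authSet.Name

# "Deny WinRM ports and program": a block rule for both WinRM ports. The
# listener lives in http.sys, so the program the firewall sees is System (assumed)
New-NetFirewallRule -DisplayName 'Block WinRM (unauthenticated)' -Direction Inbound `
    -Program System -Protocol TCP -LocalPort 5985, 5986 -Action Block

# "Permit authenticated tcp/5985": allow-if-secure, restricted to domain computers.
# Block rules normally beat allow rules; OverrideBlockRules is what lets an
# IPsec-authenticated peer through the block above, and it requires a machine
# or user SDDL, so the Domain Computers SID is resolved from the current domain.
$domainComputersSid = (New-Object System.Security.Principal.NTAccount `
    -ArgumentList $env:USERDOMAIN, 'Domain Computers').Translate(
    [System.Security.Principal.SecurityIdentifier]).Value
New-NetFirewallRule -DisplayName 'Allow WinRM from authenticated domain computers' -Direction Inbound `
    -Protocol TCP -LocalPort 5985 -Action Allow `
    -Authentication Required -OverrideBlockRules $true `
    -RemoteMachine "O:LSD:(A;;CC;;;$domainComputersSid)"

# Quick check of the resulting rule set
Get-NetFirewallRule -DisplayName '*WinRM*' | Format-Table DisplayName, Action, Enabled -AutoSize
Get-NetIPsecRule -DisplayName 'IPsec WinRM HTTP' | Format-List DisplayName, InboundSecurity, OutboundSecurity
```

With this in place a source that cannot complete IPsec authentication never reaches the listener at all, which is why the deck pairs the WinRM ports with IPsec rather than relying on WinRM's own authentication.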
20. AppLocker Reporting
PowerShell time!
- Extract event ID 8002 and 8003: Get-WinEvent
- Resolve user attribute from SID using
- Export the result to CSV
- Send the CSV by email?
- Schedule the script under the Local System account.
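The report described in these bullets as an added example, not the presenter's script. It reads 8002 (allowed) and 8003 (audit mode: would have been blocked) from the "EXE and DLL" AppLocker log, resolves the SID in the event's TargetUser field with .NET's SecurityIdentifier.Translate (an assumption about which tool the slide meant), writes a CSV and optionally mails it. Output folder, window, mail server and addresses are assumptions; saved as a .ps1 it can be scheduled under Local System as the slide suggests.

```powershell
# Added example, not from the slides: AppLocker audit report.
param(
    [string]$OutDir     = 'C:\Reports',              # assumed
    [int]   $Hours      = 24,                         # assumed window
    [string]$SmtpServer = '',                         # empty: skip the email step
    [string]$From       = 'applocker@corp.example',   # assumed
    [string]$To         = 'soc@corp.example'          # assumed
)

$log   = 'Microsoft-Windows-AppLocker/EXE and DLL'
$since = (Get-Date).AddHours(-$Hours)

# Resolve a SID to DOMAIN\user once; deleted or foreign SIDs stay as the raw SID
$sidCache = @{}
function Resolve-Sid([string]$sid) {
    if (-not $sidCache.ContainsKey($sid)) {
        try {
            $sidCache[$sid] = ([System.Security.Principal.SecurityIdentifier]$sid).Translate(
                                [System.Security.Principal.NTAccount]).Value
        } catch { $sidCache[$sid] = $sid }
    }
    $sidCache[$sid]
}

$events = Get-WinEvent -FilterHashtable @{ LogName = $log; Id = 8002, 8003; StartTime = $since } `
                       -ErrorAction SilentlyContinue

# AppLocker events keep their details under <UserData><RuleAndFileData>
$rows = foreach ($e in $events) {
    $d = ([xml]$e.ToXml()).Event.UserData.RuleAndFileData
    $outcome = if ($e.Id -eq 8003) { 'WouldBlock' } else { 'Allowed' }
    [pscustomobject]@{
        Time     = $e.TimeCreated
        Computer = $e.MachineName
        EventId  = $e.Id
        Outcome  = $outcome
        User     = Resolve-Sid $d.TargetUser
        FilePath = $d.FilePath
        FileHash = $d.FileHash
        Rule     = $d.RuleName
        Policy   = $d.PolicyName
    }
}

if (-not (Test-Path $OutDir)) { New-Item -ItemType Directory -Path $OutDir | Out-Null }
$csv = Join-Path $OutDir ('AppLocker-{0}-{1:yyyyMMdd}.csv' -f $env:COMPUTERNAME, (Get-Date))
$rows | Sort-Object Time | Export-Csv -Path $csv -NoTypeInformation -Encoding UTF8

# The part to read before enforcing: which binaries audit mode would have stopped
$rows | Where-Object Outcome -eq 'WouldBlock' | Group-Object FilePath |
    Sort-Object Count -Descending | Select-Object Count, Name -First 20 | Format-Table -AutoSize

if ($SmtpServer) {
    Send-MailMessage -SmtpServer $SmtpServer -From $From -To $To `
        -Subject "AppLocker report $env:COMPUTERNAME ($($rows.Count) events, last $Hours h)" `
        -Body 'See attached CSV.' -Attachments $csv
}
```

Running this in audit mode for a few weeks before switching the policy to enforce is what turns 8003 from noise into a short list of exceptions to write rules for.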
25. What else?
- Deploy latest PowerShell and enable logging
- Authentication Silos
- Group Managed Service Accounts
- Protected Users security group
- Assume you're breached: Reset Golden Ticket
- LAPS
- Disable NTLM
27.

| EventID | Description | Impact |
|---|---|---|
| 1102/517 | Event log cleared | Attackers may clear Windows event logs. |
| 4610/4611/4614/4622 | Local Security Authority modification | Attackers may modify LSA for escalation/persistence. |
| 4648 | Explicit credential logon | Typically when a logged on user provides different credentials to access a resource. Requires filtering of normal. |
| 4661 | A handle to an object was requested | SAM/DSA access. Requires filtering of normal. |
| 4672 | Special privileges assigned to new logon | Monitor when someone with admin rights logs on. Is this an account that should have admin rights or a normal user? |
| 4723 | Account password change attempted | If it's not an approved/known pw change, you should know. |
| 4964 | Custom Special Group logon tracking | Track admin & users of interest logons. |
| 7045/4697 | New service was installed | Attackers often install a new service for persistence. |
| 4698/4702 | Scheduled task creation/modification | Attackers often create/modify scheduled tasks for persistence. Pull all events in Microsoft-Windows-TaskScheduler/Operational. |
| 4719/612 | System audit policy was changed | Attackers may modify the system's audit policy. |
| 4732 | A member was added to a (security-enabled) local group | Attackers may create a new local account & add it to the local Administrators group. |
| 4720 | A (local) user account was created | Attackers may create a new local account for persistence. |
| 3065/3066 | LSASS auditing checks for code integrity | Monitors LSA drivers & plugins. Test extensively before deploying. |
| 3033/3063 | LSA Protection drivers that failed to load | Monitors LSA drivers & plugins & blocks ones that aren't properly signed. |
| 4798 | A user's local group membership was enumerated | Potentially recon activity of local group membership. Filter out normal activity. |
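A first-pass triage over the IDs in this table as they arrive in the collector's ForwardedEvents log, as an added example that is not from the deck. The allow lists are the "requires filtering of normal" step for 4672, 4648, 4661 and 4798 and are placeholders to replace with your own; the time window is also an assumption. Everything else in the table is reported as-is.

```powershell
# Added example, not from the slides: triage of forwarded events by ID.
$Hours       = 24                                       # assumed window
$KnownAdmins = @('CORP\adm-tier0', 'CORP\adm-tier1')   # assumed: accounts expected to raise 4672
$KnownRunAs  = @('CORP\svc-backup')                    # assumed: accounts whose 4648 are routine
$WatchedIds  = @(1102,4610,4611,4614,4622,4648,4661,4672,4723,4964,7045,4697,
                 4698,4702,4719,4732,4720,3065,3066,3033,3063,4798)

# Flatten <EventData><Data Name="...">value</Data> into a hashtable.
# 1102 keeps its details in <UserData>, so it simply yields no fields.
function Get-EventFields($evt) {
    $f = @{}
    $xml = [xml]$evt.ToXml()
    foreach ($d in $xml.Event.EventData.Data) {
        if ($d.Name) { $f[$d.Name] = $d.'#text' }
    }
    $f
}

# The rows marked "filter out normal" get a rule; every other ID is notable as-is
function Test-Notable($evt, $f) {
    $subject = "$($f.SubjectDomainName)\$($f.SubjectUserName)"
    switch ($evt.Id) {
        4672 { ($subject -notin $KnownAdmins) -and ($f.SubjectUserName -notlike '*$') -and ($f.SubjectUserName -ne 'SYSTEM') }
        4648 { ($f.TargetUserName -ne $f.SubjectUserName) -and ($subject -notin $KnownRunAs) }
        4661 { ($f.ObjectType -in @('SAM_USER','SAM_GROUP','SAM_DOMAIN')) -and ($f.SubjectUserName -notlike '*$') }
        4798 { ($f.SubjectUserName -notlike '*$') -and ($f.CallerProcessName -notmatch '\\svchost\.exe$') }
        default { $true }
    }
}

# One-line summary from whichever descriptive fields the event carries
function Get-Summary($f) {
    $keys = 'SubjectUserName','TargetUserName','MemberName','ServiceName','ImagePath',
            'TaskName','ObjectName','PrivilegeList','ProcessName'
    ($keys | Where-Object { $f[$_] } | ForEach-Object { "$_=$($f[$_])" }) -join '; '
}

$events = Get-WinEvent -FilterHashtable @{ LogName = 'ForwardedEvents'; Id = $WatchedIds
                                           StartTime = (Get-Date).AddHours(-$Hours) } `
                       -ErrorAction SilentlyContinue

$findings = foreach ($e in $events) {
    $f = Get-EventFields $e
    if (Test-Notable $e $f) {
        [pscustomobject]@{
            Time     = $e.TimeCreated
            Computer = $e.MachineName
            Id       = $e.Id
            Summary  = Get-Summary $f
        }
    }
}

'{0} forwarded events in the window, {1} notable after filtering' -f $events.Count, $findings.Count
$findings | Group-Object Id | Sort-Object Count -Descending | Format-Table Count, Name -AutoSize
$findings | Sort-Object Time | Format-Table -AutoSize -Wrap
```

The per-ID counts are the tuning loop: an ID that dominates the notable list after a day is usually one whose "normal" has not been described yet, not an incident.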
28.

| Type | Name | Description | Creds on Disk | Creds in Memory | Distribution |
|---|---|---|---|---|---|
| 0 | System | Typically rare, but could alert to malicious activity | Yes | Yes | 0% |
| 2 | Interactive | Console logon (local keyboard) which includes server KVM or virtual client logon. Also standard RunAs. | No | Yes | #5 / 0% |
| 3 | Network | Accessing file shares, printers, IIS (integrated auth, etc), PowerShell remoting | No | No | #1 / ~80% |
| 4 | Batch | Scheduled tasks | Yes | Yes | #7 / 0% |
| 5 | Service | Services | Yes | Yes | #4 / <1% |
| 7 | Unlock | Unlock the system | No | Yes | #6 / <1% |
| 8 | Network Clear Text | Network logon with password in clear text (IIS basic auth). If over SSL/TLS, this is probably fine. | Maybe | Yes | #2 / ~15% |
| 9 | New Credentials | RunAs/NetOnly which starts a program with different credentials than the logged on user | No | Yes | #3 / <1% |
| 10 | Remote Interactive | RDP: TerminalServices, Remote Assistance, RDP | Maybe | Yes* | #9 / 0% |
| 11 | Cached Interactive | Logon with cached credentials (no DC online) | Yes | Yes | #8 / 0% |
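The table above turned into a check over forwarded 4624 events, as an added example that is not part of the deck: it compares the observed logon-type distribution with the deck's figures and lists privileged accounts whose logon type leaves credentials in memory on a host outside their tier, which is the "reuse credential and move to another tier" exposure from slide 2. The admin list, the tier-0 host list and the window are assumptions.

```powershell
# Added example, not from the slides: logon types from forwarded 4624 events.
$Hours       = 24                        # assumed window
$KnownAdmins = @('CORP\adm-tier0')       # assumed: tier-0 accounts
$Tier0Hosts  = @('DC01', 'DC02')         # assumed: the only hosts where those creds may land

# Columns from the table: name, whether creds stay in memory, expected share
$LogonTypes = @{
    0  = @{ Name = 'System';             InMemory = $true;  Share = '0%'   }
    2  = @{ Name = 'Interactive';        InMemory = $true;  Share = '0%'   }
    3  = @{ Name = 'Network';            InMemory = $false; Share = '~80%' }
    4  = @{ Name = 'Batch';              InMemory = $true;  Share = '0%'   }
    5  = @{ Name = 'Service';            InMemory = $true;  Share = '<1%'  }
    7  = @{ Name = 'Unlock';             InMemory = $true;  Share = '<1%'  }
    8  = @{ Name = 'Network Clear Text'; InMemory = $true;  Share = '~15%' }
    9  = @{ Name = 'New Credentials';    InMemory = $true;  Share = '<1%'  }
    10 = @{ Name = 'Remote Interactive'; InMemory = $true;  Share = '0%'   }
    11 = @{ Name = 'Cached Interactive'; InMemory = $true;  Share = '0%'   }
}

$logons = Get-WinEvent -FilterHashtable @{ LogName = 'ForwardedEvents'; Id = 4624
                                           StartTime = (Get-Date).AddHours(-$Hours) } `
                       -ErrorAction SilentlyContinue |
    ForEach-Object {
        $d = @{}
        foreach ($x in ([xml]$_.ToXml()).Event.EventData.Data) { $d[$x.Name] = $x.'#text' }
        [pscustomobject]@{
            Time      = $_.TimeCreated
            Computer  = $_.MachineName
            Account   = "$($d.TargetDomainName)\$($d.TargetUserName)"
            LogonType = [int]$d.LogonType
            Source    = $d.IpAddress
        }
    }

# Observed distribution next to the deck's figures
$total = [math]::Max($logons.Count, 1)
$logons | Group-Object LogonType | Sort-Object Count -Descending | ForEach-Object {
    $t = [int]$_.Name
    [pscustomobject]@{
        Type     = $t
        Name     = $LogonTypes[$t].Name
        Observed = '{0:P1}' -f ($_.Count / $total)
        Expected = $LogonTypes[$t].Share
        InMemory = $LogonTypes[$t].InMemory
    }
} | Format-Table -AutoSize

# Tier check: a tier-0 account with an in-memory logon type on a non-tier-0 host
$logons | Where-Object {
    ($_.Account -in $KnownAdmins) -and
    ($LogonTypes[$_.LogonType].InMemory) -and
    ($_.Computer.Split('.')[0] -notin $Tier0Hosts)
} | Sort-Object Time | Format-Table Time, Computer, Account, LogonType, Source -AutoSize
```

Type 8 standing out in the first table is worth a look on its own: the deck's ~15% is only "probably fine" when the basic-auth traffic behind it is inside TLS.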
29.

| Topic | Link |
|---|---|
| Local account SID | https://blogs.technet.microsoft.com/pfesweplat/2014/10/16/prevent-lateral-movement-with-local-accounts/ |
| Windows Event Forwarding | https://blogs.technet.microsoft.com/jepayne/2015/11/23/monitoring-what-matters-windows-event-forwarding-for-everyone-even-if-you-already-have-a-siem/ |
| Audit Policy | https://docs.microsoft.com/en-us/windows/threat-protection/use-windows-event-forwarding-to-assist-in-instrusion-detection |
| AppLocker | https://blogs.technet.microsoft.com/askpfeplat/2016/06/27/applocker-another-layer-in-the-defense-in-depth-against-malware/ and https://technet.microsoft.com/pt-pt/library/ee460944(v=ws.10).aspx |
| Custom Event log | https://blogs.technet.microsoft.com/russellt/2016/05/18/creating-custom-windows-event-forwarding-logs/ |
| Event list to paste in subscription | 1102,517,4610,4611,4614,4622,4648,4661,4672,4723,4964,7045,4697,4698,4702,4719,612,4732,4720,3065,3066,3033,3063,4798 |
| Authentication Silos | https://blogs.technet.microsoft.com/askpfeplat/2017/10/31/protecting-domain-administrative-credentials/ |
| AppLocker meme | http://www.learnsecurity.org/single-post/2017/03/02/Detecting-Insider-Threats |