It is the responsibility of administrators to control the threat surface of their corporate environments. Authentication based attacks, such as pass the hash, are making this harder every day. Learn how to mitigate this risk by reducing the privileged account access of internet-facing machines.
StealthINTERCEPT for AD can help you accomplish this in just a few minutes!
First create a new Policy by right clicking on your desired Directory, for these I created one called “Authentications”. Select New > Policy and go to the Event Type tab and, after clicking the Green ‘+’ icon, check the Authentication event type then OK. Now the various Authentication Event Filters are available and we can designate WHO our privileged accounts are, and WHERE our Internet-Facing Machines are located.
The WHO is set in the AD Perpetrator tab. Here we can set the inclusion to an existing Collection our simply designate them through the Include Perpetrators for known account/groups (i.e. Domain, Enterprise, and Schema Admin groups). WHERE is then defined in IP Address (to) and/or Hosts (to) tabs, here you will have to know your internet facing machines IP addresses or OUs within AD.
Now save & enable your policy to begin seeing every privileged account that is exposing themselves to a possible pass the hash attack! This information is perfect to have relayed to your current SIEM solutions or use existing report templates with.
Jeff is a Senior Engineer at Stealthbits – Now part of Netwrix.
Proper data security begins with a strong foundation. Find out what you're standing on with a free deep-dive into the security of your Structured and Unstructured Data, Active Directory, and Windows infrastructure.
Read more© 2022 Stealthbits Technologies, Inc.
Leave a Reply