It is the responsibility of administrators to control the threat surface of their corporate environments. Authentication-based attacks, such as pass the hash, are making this harder every day. Learn how to mitigate this risk by reducing the privileged account exposure on internet-facing machines.
StealthINTERCEPT for AD can help you accomplish this in just a few minutes!
First create a new Policy by right-clicking on your desired Directory; for this example I created one called “Authentications”. Select New > Policy, go to the Event Type tab and, after clicking the green ‘+’ icon, check the Authentication event type, then click OK. Now the various Authentication Event Filters are available and we can designate WHO our privileged accounts are, and WHERE our internet-facing machines are located.
The WHO is set in the AD Perpetrator tab. Here we can set the inclusion to an existing Collection, or simply designate them through Include Perpetrators for known accounts/groups (i.e. the Domain, Enterprise, and Schema Admins groups). WHERE is then defined in the IP Address (to) and/or Hosts (to) tabs; here you will need to know the IP addresses of your internet-facing machines or the OUs they belong to within AD.
Now save and enable your policy to begin seeing every privileged account that is exposing itself to a possible pass-the-hash attack. This information is perfect to relay to your current SIEM solution, or to use with the existing report templates.
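The policy above is a filter with two parts: WHO (is the authenticating account a member of a privileged group?) and WHERE (is the target host on the internet-facing list?). The following Python script is an added example that implements the same logic over constructed authentication events; it is not StealthINTERCEPT code. The group names, host names, IP ranges, group membership table and the `user=... host=... ip=... type=...` log format are all assumptions made for the example, and the hits are emitted as dictionaries so they could be forwarded to a SIEM as JSON.

```python
import ipaddress
import json
from dataclasses import dataclass, asdict

# WHO: privileged groups named in the policy (assumed group names).
PRIVILEGED_GROUPS = {"Domain Admins", "Enterprise Admins", "Schema Admins"}

# WHERE: internet-facing machines by IP range and by host name (constructed values;
# 203.0.113.0/24 is a documentation range, not a real network).
INTERNET_FACING_NETWORKS = [ipaddress.ip_network("203.0.113.0/24")]
INTERNET_FACING_HOSTS = {"web01.corp.example", "vpn01.corp.example"}

# Constructed group-membership lookup; in production this would be resolved from AD.
GROUP_MEMBERSHIP = {
    "CORP\\jdoe": {"Domain Admins"},
    "CORP\\svc_backup": {"Backup Operators"},
    "CORP\\asmith": {"Schema Admins", "Domain Users"},
}


@dataclass
class AuthEvent:
    perpetrator: str   # account that authenticated
    target_host: str   # host the authentication was sent to
    target_ip: str     # IP of that host
    auth_type: str     # NTLM or Kerberos (assumed values)


def is_privileged(account: str) -> bool:
    """WHO check: true if the account belongs to any privileged group."""
    return bool(GROUP_MEMBERSHIP.get(account, set()) & PRIVILEGED_GROUPS)


def is_internet_facing(host: str, ip: str) -> bool:
    """WHERE check: true if the target matches the host list or an IP range."""
    if host.lower() in INTERNET_FACING_HOSTS:
        return True
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        # Malformed IP: cannot match a range, so do not flag on address alone.
        return False
    return any(addr in net for net in INTERNET_FACING_NETWORKS)


def parse_event(line: str) -> AuthEvent:
    """Parse one constructed 'key=value' authentication record."""
    fields = dict(part.split("=", 1) for part in line.split())
    return AuthEvent(fields["user"], fields["host"], fields["ip"], fields["type"])


def find_exposed_privileged_logons(lines):
    """Return every event where a privileged account authenticated to an internet-facing machine."""
    hits = []
    for line in lines:
        ev = parse_event(line)
        if is_privileged(ev.perpetrator) and is_internet_facing(ev.target_host, ev.target_ip):
            hits.append(ev)
    return hits


def to_siem_records(hits):
    """Shape the hits as flat dictionaries, ready to be serialised as JSON for a SIEM."""
    return [
        {**asdict(ev), "rule": "privileged-account-on-internet-facing-host"}
        for ev in hits
    ]


# Constructed sample events: two should match, two should not.
SAMPLE_LOG = [
    "user=CORP\\jdoe host=web01.corp.example ip=203.0.113.10 type=NTLM",
    "user=CORP\\svc_backup host=web01.corp.example ip=203.0.113.10 type=Kerberos",
    "user=CORP\\asmith host=fs01.corp.example ip=10.0.0.5 type=Kerberos",
    "user=CORP\\asmith host=vpn01.corp.example ip=198.51.100.7 type=NTLM",
]

if __name__ == "__main__":
    for record in to_siem_records(find_exposed_privileged_logons(SAMPLE_LOG)):
        print(json.dumps(record))
```

The second sample line is not flagged because a Backup Operators member is not in the policy's privileged set, and the third is not flagged because the file server is neither on the host list nor in an internet-facing range; only the two events reaching the web and VPN hosts are reported.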
Jeff is a Senior Engineer at STEALTHbits.