My key takeaways
- baseline defence must grow
- centralized logging required anyway
- VPNs need MFA too, especially with working from home
- early installations of the Zoom client on Windows got you a web server running with open RDP
- JUGLAR = J-User-Global-Universal-DomainLocal-Resource
- More than 50% of the enterprises that BHIS tests still have LLMNR and NBNS enabled
- How to disable LLMNR:
Computer Configuration -> Policies -> Administrative Templates -> Network -> DNS Client -> "Turn off multicast name resolution": Enabled
- Search your file shares for: password, credentials, *.kdbx
- SMB signing should be enabled
- Find local admins at
Computer Configuration -> Policies -> Windows Settings -> Security Settings -> Security Options -> Accounts*
- You need a SIEM in place to make use of a canary account
Windows Event logs --> SIEM --> Alert
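The LLMNR, NBNS and SMB-signing items above as one audit/enforce script. This is an added example, not material from the webcast or its write-up: it reads the same registry value the GPO writes, disables NetBIOS per adapter through WMI, and requires SMB signing on both server and client side. It audits by default and only changes settings with -Enforce; GPO remains the right way to roll this out domain-wide.

```powershell
# Added example: audit (default) or enforce (-Enforce) the three network hardening
# settings from the notes on the local machine. Run elevated, on a test box first.
[CmdletBinding()]
param([switch]$Enforce)

# 1. LLMNR. This is the value the GPO "Turn off multicast name resolution" sets.
$llmnrKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\DNSClient'
$llmnr = (Get-ItemProperty -Path $llmnrKey -Name EnableMulticast -ErrorAction SilentlyContinue).EnableMulticast
if ($llmnr -eq 0) { 'LLMNR: disabled' } else { 'LLMNR: ENABLED (EnableMulticast missing or not 0)' }
if ($Enforce -and $llmnr -ne 0) {
    New-Item -Path $llmnrKey -Force | Out-Null
    Set-ItemProperty -Path $llmnrKey -Name EnableMulticast -Value 0 -Type DWord
}

# 2. NetBIOS over TCP/IP is a per-adapter setting.
#    TcpipNetbiosOptions: 0 = take from DHCP, 1 = enabled, 2 = disabled.
$adapters = Get-CimInstance -ClassName Win32_NetworkAdapterConfiguration -Filter 'IPEnabled = TRUE'
foreach ($a in $adapters) {
    $state = if ($a.TcpipNetbiosOptions -eq 2) { 'disabled' } else { 'ENABLED' }
    "NBNS on $($a.Description): $state"
    if ($Enforce -and $a.TcpipNetbiosOptions -ne 2) {
        # SetTcpipNetbios is an instance method of Win32_NetworkAdapterConfiguration
        Invoke-CimMethod -InputObject $a -MethodName SetTcpipNetbios `
            -Arguments @{ TcpipNetbiosOptions = 2 } | Out-Null
    }
}

# 3. SMB signing must be required on both sides; "enabled" alone still allows unsigned sessions.
$srv = Get-SmbServerConfiguration
$cli = Get-SmbClientConfiguration
"SMB server RequireSecuritySignature: $($srv.RequireSecuritySignature)"
"SMB client RequireSecuritySignature: $($cli.RequireSecuritySignature)"
if ($Enforce) {
    Set-SmbServerConfiguration -RequireSecuritySignature $true -Force
    Set-SmbClientConfiguration -RequireSecuritySignature $true -Force
}
```

Check the audit output on a representative workstation and server before enforcing: disabling NBNS breaks name resolution for anything that still relies on broadcast lookups, and requiring SMB signing blocks clients that cannot sign, so those are the hosts to find first.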
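A hunt for the "password, credentials, *.kdbx" artefacts named in the notes, written as an added example (not from the webcast). The share paths are hypothetical placeholders; feed your own list, for instance from Get-SmbShare on each file server. Name matches cover KeePass databases and anything called password/credential; content matches grep small text files for key=value style secrets and redact the value in the report so the report does not itself become a credential store.

```powershell
# Added example: search file shares for credential artefacts. Share paths below are
# hypothetical; replace with your own list.
param(
    [string[]]$Shares = @('\\fileserver01\public', '\\fileserver01\it'),
    [string]$Report   = (Join-Path $env:TEMP 'share-hunt.csv')
)

# File names that are interesting whatever they contain (KeePass databases are binary,
# so they are only ever matched by name).
$namePatterns = '*password*', '*passwd*', '*credential*', '*creds*', '*.kdbx', '*.kdb'
# Text-ish extensions cheap enough to grep; binary and large files are skipped.
$textExt      = '.txt', '.ini', '.cfg', '.conf', '.config', '.xml', '.ps1', '.bat', '.cmd', '.vbs', '.csv', '.log'
$contentRegex = '(password|passwd|pwd|secret|api[_-]?key)\s*[:=]\s*\S+'

$findings = foreach ($share in $Shares) {
    Get-ChildItem -Path $share -Recurse -File -Force -ErrorAction SilentlyContinue | ForEach-Object {
        $f = $_
        $nameHit = $namePatterns | Where-Object { $f.Name -like $_ } | Select-Object -First 1
        if ($nameHit) {
            [pscustomobject]@{ Path = $f.FullName; Reason = "name matches $nameHit"; Evidence = '' }
        }
        if ($textExt -contains $f.Extension.ToLower() -and $f.Length -lt 5MB) {
            Select-String -Path $f.FullName -Pattern $contentRegex -ErrorAction SilentlyContinue |
                Select-Object -First 3 | ForEach-Object {
                    # Keep the key, redact the value: the report must not leak what it found.
                    $redacted = $_.Line.Trim() -replace '([:=]\s*)\S+', '$1<redacted>'
                    [pscustomobject]@{ Path = $f.FullName; Reason = "content, line $($_.LineNumber)"; Evidence = $redacted }
                }
        }
    }
}

$findings = @($findings)
if ($findings.Count -gt 0) { $findings | Export-Csv -Path $Report -NoTypeInformation }
$findings | Format-Table -AutoSize
"$($findings.Count) finding(s); report: $Report"
```

Run it with an ordinary domain user account: that is the access level an attacker has after the first phish, so anything it finds is reachable from there. Any .kdbx it turns up should be treated as exposed, since the database can be cracked offline (see the KeePass cracking link below).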
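The "Windows Event logs -> SIEM -> Alert" chain for a canary account, as an added example that is not part of the notes or the webcast: the decoy account names, the webhook-free alert object and the three sample events are constructed. The logic is deliberately simple because the account is never used legitimately, so any logon, Kerberos or NTLM event naming it is a high-confidence alert, success or failure alike.

```powershell
# Added example: canary-account matching over Security events. Decoy names and the
# sample events are constructed for illustration.
$CanaryAccounts = 'svc_backup_admin', 'helpdesk.adm'   # hypothetical decoys, never used legitimately
$WatchedIds     = 4624, 4625, 4768, 4771, 4776         # logon, failed logon, TGT request, pre-auth failure, NTLM validation

function Get-CanaryAlert {
    # Accepts Security events as XML (what EventLogRecord.ToXml() returns) and emits
    # one alert object per event that names a canary account.
    param([Parameter(Mandatory, ValueFromPipeline)][xml]$EventXml)
    process {
        $sys    = $EventXml.Event.System
        $idNode = $sys.EventID
        $id     = [int]$(if ($idNode -is [string]) { $idNode } else { $idNode.'#text' })
        if ($WatchedIds -notcontains $id) { return }

        # Flatten <Data Name="...">value</Data> into a hashtable
        $data = @{}
        foreach ($d in $EventXml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }

        # Strip DOMAIN\ or @realm decoration before comparing (-contains is case-insensitive)
        $user = ($data['TargetUserName'] -replace '^.*\\', '') -replace '@.*$', ''
        if (-not $user -or $CanaryAccounts -notcontains $user) { return }

        [pscustomobject]@{
            Time     = $sys.TimeCreated.SystemTime
            Computer = $sys.Computer
            EventID  = $id
            Account  = $user
            Source   = if ($data['IpAddress']) { $data['IpAddress'] } elseif ($data['WorkstationName']) { $data['WorkstationName'] } else { $data['Workstation'] }
            Status   = $data['Status']
            Severity = 'high'
        }
    }
}

# Constructed sample events: a failed logon against the canary, a TGT request for the
# canary, and an unrelated failed logon for jdoe that must not alert.
$samples = @(
@'
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System><Provider Name="Microsoft-Windows-Security-Auditing"/><EventID>4625</EventID><TimeCreated SystemTime="2024-03-01T08:15:02Z"/><Computer>DC01.corp.example</Computer></System><EventData><Data Name="TargetUserName">svc_backup_admin</Data><Data Name="TargetDomainName">CORP</Data><Data Name="Status">0xc000006d</Data><Data Name="IpAddress">10.20.30.44</Data><Data Name="WorkstationName">WS-0417</Data></EventData></Event>
'@
@'
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System><Provider Name="Microsoft-Windows-Security-Auditing"/><EventID>4768</EventID><TimeCreated SystemTime="2024-03-01T08:15:09Z"/><Computer>DC01.corp.example</Computer></System><EventData><Data Name="TargetUserName">CORP\svc_backup_admin</Data><Data Name="Status">0x0</Data><Data Name="IpAddress">::ffff:10.20.30.44</Data></EventData></Event>
'@
@'
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System><Provider Name="Microsoft-Windows-Security-Auditing"/><EventID>4625</EventID><TimeCreated SystemTime="2024-03-01T08:16:40Z"/><Computer>DC01.corp.example</Computer></System><EventData><Data Name="TargetUserName">jdoe</Data><Data Name="Status">0xc000006a</Data><Data Name="IpAddress">10.20.31.7</Data><Data Name="WorkstationName">WS-0102</Data></EventData></Event>
'@
)
$samples | ForEach-Object { [xml]$_ } | Get-CanaryAlert | Format-Table -AutoSize

# Against a live domain controller (needs Security log read rights):
# Get-WinEvent -LogName Security -FilterXPath '*[System[EventID=4624 or EventID=4625 or EventID=4768 or EventID=4771 or EventID=4776]]' |
#     ForEach-Object { [xml]$_.ToXml() } | Get-CanaryAlert
```

The same match (TargetUserName in the canary list, any of the five event IDs) is what the SIEM rule should express once the DC logs are forwarded; the PowerShell form is for testing the rule against real events before deploying it. Keep the decoy plausible, with a realistic description, password age and group membership, since tooling like HoneypotBuster (linked below) flags accounts that look fake.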
Env
- Provided by BHIS
- Presenter:
additional links
- https://www.blackhillsinfosec.com/active-directory-best-practices-to-frustrate-attackers-webcast-write-up/
- https://github.com/arch4ngel/eavesarp
- http://blog.dbsnet.fr/disable-netbios-with-powershell
- https://tzusec.com/cracking-keepass-database/
- https://www.blackhillsinfosec.com/webcast-group-policies-that-kill-kill-chains/
- https://github.com/JavelinNetworks/HoneypotBuster/blob/master/Invoke-HoneypotBuster.ps1
- https://docs.microsoft.com/en-us/security/compass/incident-response-playbooks
- https://docs.microsoft.com/en-us/security/compass/incident-response-playbook-password-spray
- https://github.com/Microsoft/AaronLocker
- https://uncoder.io/