May 13

Webinar Takeaway: The Quest for the Kill Chain Killer Continues


My key takeaways

  • Baseline defence must grow.
  • Centralized logging is required anyway.
  • VPNs need MFA too, especially with working from home.
  • Early installations of the Zoom client on Windows got you a web server running with open RDP.
  • JUGLAR = J-User-Global-Universal-DomainLocal-Resource
  • More than 50% of the enterprises that BHIS tests still have support for LLMNR and NBNS enabled.
    • How to disable LLMNR: Computer Configuration -> Policies -> Administrative Templates -> Network -> DNS Client: Turn off multicast name resolution: ENABLED
  • Search your file shares for: password, credentials, *.kdbx
  • SMB signing should be enabled.
  • Find local admins at Computer Configuration -> Policies -> Windows Settings -> Security Settings -> Security Options -> Accounts*
  • You need a SIEM in place to make use of a canary account.
    • Windows Event logs --> SIEM --> Alert
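The checks above (LLMNR, NBNS, SMB signing, local admins, credential files on shares) can be audited from a host with a short script. This is an added example, not code from the webinar, BHIS or the author; it reads the registry values that the named GPO settings write, and the share path passed to Find-CredentialFiles is a placeholder.

```powershell
# Added example (not from the webinar or BHIS). Run in an elevated PowerShell 5.1+ session.
# Registry paths are the well-known policy keys the GPO settings above write to.

function Test-LlmnrDisabled {
    # GPO "Turn off multicast name resolution: Enabled" sets EnableMulticast = 0
    $v = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\DNSClient' `
                          -Name EnableMulticast -ErrorAction SilentlyContinue
    return ($null -ne $v -and $v.EnableMulticast -eq 0)
}

function Test-NbnsDisabled {
    # NetBIOS over TCP/IP is configured per interface: NetbiosOptions 2 = disabled
    $ifaces = Get-ChildItem 'HKLM:\SYSTEM\CurrentControlSet\Services\NetBT\Parameters\Interfaces'
    foreach ($i in $ifaces) {
        $opt = (Get-ItemProperty $i.PSPath -Name NetbiosOptions -ErrorAction SilentlyContinue).NetbiosOptions
        if ($opt -ne 2) { return $false }
    }
    return $true
}

function Test-SmbSigningRequired {
    # Server-side requirement; the client-side key lives under LanmanWorkstation\Parameters
    $v = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters' `
                          -Name RequireSecuritySignature -ErrorAction SilentlyContinue
    return ($null -ne $v -and $v.RequireSecuritySignature -eq 1)
}

function Get-LocalAdmins {
    # Members of the local Administrators group, including nested domain groups
    Get-LocalGroupMember -Group 'Administrators' | Select-Object Name, ObjectClass, PrincipalSource
}

function Find-CredentialFiles {
    param([string[]]$Shares)   # e.g. '\\FILESERVER\share$' (placeholder)
    # Matches on file names only; searching file contents would use Select-String instead
    foreach ($s in $Shares) {
        Get-ChildItem -Path $s -Recurse -File -ErrorAction SilentlyContinue |
            Where-Object { $_.Name -match 'password|credential' -or $_.Extension -eq '.kdbx' } |
            Select-Object FullName, Length, LastWriteTime
    }
}

# Summary for this host
[pscustomobject]@{
    LlmnrDisabled      = Test-LlmnrDisabled
    NbnsDisabled       = Test-NbnsDisabled
    SmbSigningRequired = Test-SmbSigningRequired
    LocalAdminCount    = (Get-LocalAdmins | Measure-Object).Count
} | Format-List
```

Run Find-CredentialFiles -Shares '\\FILESERVER\share$' separately against the shares you own; it can take a long time on large trees.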

Tags

active directory, blue team, llmnr, smb
