#localadmin — Public Fediverse posts

Happy Monday! This is the last full week before vacation season starts :D

On a security note, we had an interesting event happen over the weekend. Our EDR started setting off flags for suspicious internet traffic to Github repos for offensive security tools on an end user laptop, as well as detections found in exe's that were downloaded with WMI exploits.

After investigating both the device and the end user, I found he is interested in security and had meant to do his searching on his personal computer -_-. At first, I thought his Slack was even compromised because that was the first time I had ever heard that one. Further digging found that wasn't the case.

I was so happy to find someone with 0 security experience wanting to learn and get into the field, but at the same time it made me look bad because he was able to download that stuff to begin with... GPO / Local admin audit it is.

#security #IR #github #localadmin #WMI

Also be sure to turn on these monitoring policies in #DefenderForCloudApps so you can #CatchTheHacker before they get too deep, whether you switch to #Kerberos or not. #NetworkSegregation is also a great #LayeredDefense method to ensure if one system is compromised the attacker can't use #SMBtraversal to get to all your computers, globally. #EternalBlue source code is still being used to get to #DCs via #Trikbot evolutions, after #Phishing a user with #LocalAdmin privileges, to execute #mimikatz against #ActiveDirectory to steal all the objects. #YesThisHappened

Also be sure to turn on these monitoring policies in #DefenderForCloudApps so you can #CatchTheHacker before they get too deep, whether you switch to #Kerberos or not. #NetworkSegregation is also a great #LayeredDefense method to ensure if one system is compromised the attacker can't use #SMBtraversal to get to all your computers, globally. #EternalBlue source code is still being used to get to #DCs via #Trikbot evolutions, after #Phishing a user with #LocalAdmin privileges, to execute #mimikatz against #ActiveDirectory to steal all the objects. #YesThisHappened

Also be sure to turn on these monitoring policies in #DefenderForCloudApps so you can #CatchTheHacker before they get too deep, whether you switch to #Kerberos or not. #NetworkSegregation is also a great #LayeredDefense method to ensure if one system is compromised the attacker can't use #SMBtraversal to get to all your computers, globally. #EternalBlue source code is still being used to get to #DCs via #Trikbot evolutions, after #Phishing a user with #LocalAdmin privileges, to execute #mimikatz against #ActiveDirectory to steal all the objects. #YesThisHappened

Also be sure to turn on these monitoring policies in #DefenderForCloudApps so you can #CatchTheHacker before they get too deep, whether you switch to #Kerberos or not. #NetworkSegregation is also a great #LayeredDefense method to ensure if one system is compromised the attacker can't use #SMBtraversal to get to all your computers, globally. #EternalBlue source code is still being used to get to #DCs via #Trikbot evolutions, after #Phishing a user with #LocalAdmin privileges, to execute #mimikatz against #ActiveDirectory to steal all the objects. #YesThisHappened