Prevent threat actors getting (and using) your passwords | SC Media

November 18, 2021
  • Discover information about the system and the surrounding environment using simple commands like ‘whoami’ and ‘ipconfig’ (T1016)
  • Search the device I’m on (and any mapped drives) for files with ‘passwords’ in the name or contents (T1552.1)
  • Search LDAP to see what other accounts might be interesting (T1087.2)
  • Search the Windows registry (T1552.2) for stored credentials
  • Search web cookies for stored credentials (T1539)
  • Drop a PowerShell-based command and control tool, so I can get back in even if you do change a password or patch your exploit (T1059.1)
  • Discover what programs are installed – remote access tools and admin tools like PsExec and PsKill can be super useful if they already exist (T1592.2)

  • How to spot a phishing email
  • Not re-using passwords – password management tools can help with this
  • Not using work passwords for personal accounts
  • Password complexity requirements
  • Avoiding dubious websites

  • Multi-factor authentication should be used as widely as possible
  • The external attack surface should be as small as possible and kept up to date
  • Keep the number of highest-level accounts to a minimum. Let’s just say that eight Domain Administrators is too many…
  • Restrict use of local administration rights
  • Service account hygiene – remove un-used service and testing accounts
  • Control and monitor the use of powerful admin tools and potentially unwanted programs
  • Monitor for unexpected logins (e.g. geography and time)
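The last recommendation, monitoring for logins that are unexpected by geography or time, is easy to state and less obvious to implement. The following is an added example, not code from the article or from SC Media, showing one way to do it over a constructed set of login records: each account has an assumed baseline of expected countries and working hours (UTC), and every login is checked against that baseline and against the account's previous login for impossible travel (the `BASELINE` table, the `Login` records and the 900 km/h speed ceiling are all assumptions made for the example).

```python
"""Flag unexpected logins by country, time of day and impossible travel.

Added example with constructed data; it is not the article's own code.
"""
from dataclasses import dataclass
from datetime import datetime
from math import asin, cos, radians, sin, sqrt


@dataclass(frozen=True)
class Login:
    user: str
    when: datetime  # UTC timestamp of the successful logon
    country: str    # ISO country code resolved from the source IP
    lat: float
    lon: float


# Constructed per-account baseline (assumption): expected countries and the
# working-hours window in UTC as (start hour inclusive, end hour exclusive).
# A 24-hour window is used for a service account that runs overnight jobs.
BASELINE = {
    "alice": {"countries": {"GB"}, "hours": (7, 19)},
    "svc_backup": {"countries": {"GB"}, "hours": (0, 24)},
}


def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance in kilometres between two lat/lon points."""
    p1, p2 = radians(lat1), radians(lat2)
    dphi = p2 - p1
    dlmb = radians(lon2 - lon1)
    a = sin(dphi / 2) ** 2 + cos(p1) * cos(p2) * sin(dlmb / 2) ** 2
    return 2 * 6371.0 * asin(sqrt(a))


def flag_logins(logins, baseline=BASELINE, max_speed_kmh=900.0):
    """Return (user, timestamp, reason) tuples for every suspicious login.

    Three checks are applied to each login, in this order:
      1. country not in the account's expected set
      2. hour outside the account's working-hours window
      3. implied travel speed from the previous login exceeds max_speed_kmh
    Accounts with no baseline are reported so the gap gets fixed.
    """
    findings = []
    last_seen = {}
    for login in sorted(logins, key=lambda l: (l.user, l.when)):
        stamp = login.when.isoformat()
        profile = baseline.get(login.user)
        if profile is None:
            findings.append((login.user, stamp, f"no baseline: account {login.user}"))
        else:
            if login.country not in profile["countries"]:
                findings.append((login.user, stamp, f"unexpected country: {login.country}"))
            start, end = profile["hours"]
            if not start <= login.when.hour < end:
                findings.append((login.user, stamp,
                                 f"outside working hours: {login.when:%H:%M} UTC"))
        prev = last_seen.get(login.user)
        if prev is not None:
            # Guard against a zero interval so a simultaneous pair still gets checked.
            hours = max((login.when - prev.when).total_seconds() / 3600.0, 1 / 60)
            dist = haversine_km(prev.lat, prev.lon, login.lat, login.lon)
            if dist / hours > max_speed_kmh:
                findings.append((login.user, stamp,
                                 f"impossible travel: {dist:.0f} km in {hours:.1f} h"))
        last_seen[login.user] = login
    return findings


# Constructed sample logins (assumption): London and Sao Paulo coordinates.
SAMPLE_LOGINS = [
    Login("alice", datetime(2021, 11, 18, 9, 15), "GB", 51.5074, -0.1278),
    Login("alice", datetime(2021, 11, 18, 10, 5), "BR", -23.5505, -46.6333),
    Login("alice", datetime(2021, 11, 18, 23, 40), "GB", 51.5074, -0.1278),
    Login("svc_backup", datetime(2021, 11, 18, 2, 0), "GB", 51.5074, -0.1278),
    Login("bob", datetime(2021, 11, 18, 11, 0), "GB", 51.5074, -0.1278),
]

if __name__ == "__main__":
    for user, stamp, reason in flag_logins(SAMPLE_LOGINS):
        print(f"{stamp} {user}: {reason}")
```

In a real deployment the `Login` records would come from Windows Security event 4624 (or the identity provider's sign-in log) with a GeoIP lookup on the source address, and the baseline from HR or directory data rather than a hard-coded table; the point of the example is that the three checks are cheap and that the travel check catches a credential used from two places even when each location on its own looks plausible.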