Profile picture
Sean (will be at DerbyCon)
@PyroTek3
, 11 tweets, 5 min read Read on Twitter
Please share in this thread some defensive techniques that are relatively simple to configure/deploy that has a high success rate (low false positives).

I'll start:
* Detect Kerberoasting:
trimarcsecurity.com/single-post/Tr…

* Detect PW Spraying:
trimarcsecurity.com/single-post/20…

#BlueTeam
* Deploy LAPS to automatically rotate local Administrator passwords on Windows computers
adsecurity.org/?p=1790
microsoft.com/en-us/download…
* Test & Deploy "AaronLocker" for simplified AppLocker deployment
github.com/microsoft/Aaro…
Ok, so not exactly simple, but can be very effective.
* Switch highly privileged service accounts with manually changed passwords to Group Managed Service Accounts (GMSAs)
docs.microsoft.com/en-us/windows-…

Note: Not exactly simple, but effective. Ensure service supports GMSA config.
* Add all AD admins to the "Protected Users" group.
Restricts authentication to Kerberos AES, prevents specific credential caching on system, & protects against Kerberos delegation attacks (+others).
(does require some OS & DC support for full protection)

docs.microsoft.com/en-us/windows-…
* Prevent Domain Admins & other privileged groups from logging onto workstations & servers
docs.microsoft.com/en-us/windows-…
* Enable & use the Windows Firewall to frustrate attackers
channel9.msdn.com/Events/Ignite/…
* Work to get NTLMv2 preferred in your environment by setting DC & client policy to "Send NTLMv2 response only\refuse LM" (supports NTLMv1, which isn't great).
Preferably "Send NTLMv2 response only\refuse LM & NTLM"

Enable NTLM auditing to discover use:
docs.microsoft.com/en-us/windows/…
* Update all of your Domain Controllers to Windows Server 2016.

Fun Fact:
When @jaredhaight & I were working to create labs for our #DerbyCon training on Windows Security (ok, so 99.9% Jared), we noticed that many of the recon tools didn't work against 2016, but did for 2012R2.
There are a number of minor security tweaks in the Windows Server 2016/Windows 10 OS that reduce the capability of recon tools. Blog post later for more detail

For example: Newer Win10 versions prevent users from enumerating local Admin group membership.
gallery.technet.microsoft.com/SAMRi10-Harden…
Missing some Tweet in this thread?
You can try to force a refresh.

Like this thread? Get email updates or save it to PDF!

Subscribe to Sean (will be at DerbyCon)
Profile picture

Get real-time email alerts when new unrolls are available from this author!

This content may be removed anytime!

Twitter may remove this content at anytime, convert it as a PDF, save and print for later use!

Try unrolling a thread yourself!

how to unroll video

1) Follow Thread Reader App on Twitter so you can easily mention us!

2) Go to a Twitter thread (series of Tweets by the same owner) and mention us with a keyword "unroll" @threadreaderapp unroll

You can practice here first or read more on our help page!

Related hashtags

#BlueTeam #DerbyCon

More from @PyroTek3 see all

Profile picture
Sean Metcalf
@PyroTek3
[Thread]
Enterprise password vaults (CyberArk, SecretServer, etc) can be useful but when they store privileged AD credentials, the security of that system needs to be protected like a DC.
adsecurity.org/wp-content/upl…
When using the RDP (or RDP proxy), if the remote system the credential is used on is compromised, the credentials can be re-used (default). Changing the password mitigates reuse of the NTLM cred (pw hash), not existing Kerberos tickets (good for 10 hrs)
adsecurity.org/?p=2362
Limiting privileged account authentication to admin systems is critical, even with password vaults managing privileged credentials.
Even brief access to a privileged credential can result in full AD compromise.
adsecurity.org/?p=1929
Read 4 tweets

Related threads

Profile picture
Cybermatron
@Cybermatron
I’m just thinking out loud here but MAYBE, instead of linking to its guidance on information requirements, @ICOnews should go public on how it views the complete absence of a legal ground for most facial recognition systems.

Lets go through them one by one, shall we? #thread 1/
Art. 6(1)(a): Most facial recognition systems are installed in public spaces where it is almost impossible to obtain a data subject’s consent. 2/
And even where this might be done (say by including it in applicable Ts&Cs) there is a good chance that this consent would not be seen as freely given because of Art. 7(4) GDPR, i.e. the prohibition on processing data for purposes unnecessary for contract performance. 3/
Read 34 tweets
Profile picture
Dr. Gautam Govitrikar DMD BDS
@Gautaamm
#thread on role of dental care pre-surgery. @medevidenceblog posted this. As a dentist who did a hospital based residency in the US, I have been saying this for a while! It is forgotten that attached to every persons body is an oral cavity aka mouth. #dentalcare #presurgery
Inside the mouth are teeth and gingiva(gums). Both potential sources for severe infections often asymptomatic for a long time. I used to be amazed during my private practice of 10 years in the US to see patients come in with severe gum infections #dentalcare #presurgery
And carious broken teeth with periapical pathology. I feel there is a huge area for improvement in this aspect of pre-surgical screening. For starters this needs to be made part of the PAT. A panoramic xray like this and a check up by a dentist,preferably #dentalcare #presurgery
Read 11 tweets
Profile picture
Avon Healthcare
@AVONHMO
Do you know that some pregnant women chew weird stuff like ice, chalk, clay or even sand? This can be due to a condition called ‘Pica’ which is sometimes seen as a symptom of iron deficiency anaemia.

Here's how to prevent it.
#Thread
There are various kinds of anaemia but iron deficiency anaemia is the most common.

When a woman is pregnant, there is a 30-50% increase in her blood volume to support her and the foetus. This in turn, decreases her blood’s haemoglobin concentration.
Since the body needs iron to make haemoglobin, red blood-cell production slows without sufficient iron.

This is why a pregnant woman’s daily iron requirement increases to 27mg from around 13mg as there is always a higher risk of iron deficiency anaemia during pregnancy.
Read 18 tweets
Profile picture
WonderWoman
@SecretDurga2
#Thread Pakistan's fake support to PM Modi to confuse Hindu voters.

(1/n) Just 2 day ago. They were supporting Rahul Gandhi.
(2/n) Direct target to BJP in fighter plane issue. PM of another country is targeting a political party of India **very strange**
(3/n) Love for Kejriwal because of his speech in Rajyasabha.
Read 18 tweets
Profile picture
♰🇺🇸🕵 A Anon ⭐⭐⭐
@AAnon_QArmy
🕵#Thread

[#PAYtriots vs #Patriots]

Time for #AAnon to weigh in

I will make 2 points and then speak my mind

Before I start a little about me

🕵I'm a work for free Patriot/Anon on #YouTube & #Twitter

🕵To me the war on the [deep state] is priority #1

READ ALL
↙⬇↘
🕵1st point:

Taking money in this movement can hurt a person's credibility because people will start to view them as a business. Reaching out can then be viewed as marketing. Shares, likes, hits and views are then looked at as gains.

[Keep reading]
↙⬇↘
🕵2nd point:

A person making money off the movement does not turn them into a bad person. Disinformation does. If they are spreading the truth, thats all that matters. There are a lot of Patriots that want to support the work of Patriots they look up too

[KEEP READING]
↙⬇↘
Read 16 tweets

Trending hashtags

#CongPakPlan #LargeGroups #Analytics #loveyourskin #Unmissable #RNM #Telecommunications #notetaking #Music #Assessment #FalseAllegations #logocentrism #ITIL #MichaelJackson #anytime #lifestyle #Excellence #CognitiveTheory #Imagery #Toolkit #Hindu #GirlChild #GameofThrones #Voat #schoolshouldnevergavethememail
Follow Us on Twitter!

Did Thread Reader help you today?

Support us! We are indie developers!

This site is made by just three indie developers on a laptop doing marketing, support and development! Read more about the story.

Become a Premium Member ($3.00/month or $30.00/year) and get exclusive features!

Become Premium

Too expensive? Make a small donation by buying us coffee ($5) or help with server cost ($10)

Donate via Paypal Become our Patreon

Thank you for your support!