Popular attacker trick in corporate networks: change the WDigest UseLogonCredential registry key to 1.
Helpful if you want to transmute RDP brute forced local admin credential into domain credentials without risking a Mimikatz detection.
Why?
WDigest=plaintext creds in memory. WDigest credentials being available in memory means attackers can use alternate sophisticated tools like taskmanager to get credentials versus bringing cred theft tools that AV might detect. WDigest is disables by default but can be enabled as admin without reboot (just lock.)

Attackers don’t make assumptions that security policies are followed - they test them. There’s probably at least one person in your org that thinks Winter2019! is a strong password, and your service account passwords may not be as strong as you assume them to be. Have a safe, legal, and documented way to verify your user accounts are following password best practices, Password Sprays are a common entry vector because human generated passwords that match ‘complexity’ tend to overlap. microsoft.com/en-us/microsof…

Some things attackers like:

-Domain Admin accounts that do logon type 4 or 5 to workstations
-Accounts with weak Kerberos configs like DES encryption or no preauth
-GPO settings that allow unexpected admin actions like loading drivers

Why not check for these before they do? Highly privileged accounts doing logon type 4 or 5 to workstations are useful to attackers because they leave credentials in memory and on disk - so an attacker can transmute one local administrator account into a domain wide compromise.

Windows Event ID 4624 displays a numerical value for the type of login that was attempted. These numbers are important from a forensic standpoint but also for understanding credential exposure and mitigating risks. Descriptions in replies. Logon type 10: this is a typical RDP alert meaning that terminal services was engaged for the logon. 3rd party software like virtualization consoles and screen share can also generate it. Means credentials were in memory (lsass) and also hit cached credentials.

Cases I have investigated recently have included:

-new ‘elite’ malware that most well configured/behavioral AV would have caught
-‘junk’ malware used for initial entry
-unpatched servers on the internet

Attackers don’t often encounter networks that require advanced techniques. Every week we encounter at least one case of malware taking advantage of matching local admin passwords. You can fix that for free with aka.ms/laps

Build a fast, free, and effective Threat Hunting/Incident Response Console with Windows Event Forwarding and PowerBI: aka.ms/WEFFLES This is a blog post about how to build the lightweight IR console I personally used during my time as a consultant, which a lot of companies still have in place and use. I'm posting it in the hopes of 'commoditizing' security efforts and making things easier for defenders.

Reacting to a new technique with 'well of course it works, they had admin' may indicate you don't fully appreciate the attacker mindset. The attacker goal is not just to run code, but often to keep it running without you noticing for as long as possible-'borrowed' trust helps.