Malware can leverage administrative tools and features within operating systems to propagate within a network. These tools, built into the operating system for legitimate system administration purposes, can be abused by malware to execute commands, spread across systems, and maintain persistence. This is also referred to as "living off the land".
Attackers can utilize a number of utilities and features in Windows to spread inside a network. Utilizing existing tools that fall under the umbrella of administrative tools can offer significant functionality while at the same time blending in with regular administrative activity. However, several proactive and reactive steps can be taken to minimize this risk.
• Disable all unnecessary administrative features that aid attackers, for example WinRM
• Uninstall unneeded and unused software, including administrative tools and utilities
• Enforce the principle of least privilege
• Use LAPS or similar solutions to avoid password reuse
• Enable firewall rules on workstations to prevent peer-to-peer access (workstations rarely need to access each other)
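As an added example (not EventSentry's code and not part of the original page), the PowerShell audit below checks a workstation against the checklist above and reports which items fail. It assumes an elevated session on a domain-joined machine, a placeholder workstation subnet, and the legacy (AdmPwd) LAPS policy key; adjust those for your environment.

```powershell
# Added audit script (not EventSentry's code). Assumptions: run elevated;
# $WorkstationSubnet is a placeholder for your own workstation range; the
# LAPS check targets the legacy AdmPwd policy key (adjust for Windows LAPS).
$WorkstationSubnet = '10.0.0.0/8'            # placeholder, set to your range
$LateralPorts      = 445, 3389, 5985, 5986   # SMB, RDP, WinRM HTTP/HTTPS

function Test-WinRMDisabled {
    # PASS when the WinRM service is absent, or stopped and set to Disabled
    $svc = Get-Service -Name WinRM -ErrorAction SilentlyContinue
    if ($null -eq $svc) { return $true }
    return ($svc.Status -ne 'Running') -and ($svc.StartType -eq 'Disabled')
}

function Test-LapsPolicyPresent {
    $key = 'HKLM:\SOFTWARE\Policies\Microsoft Services\AdmPwd'
    if (-not (Test-Path $key)) { return $false }
    return (Get-ItemProperty -Path $key).AdmPwdEnabled -eq 1
}

function Get-UncoveredLateralPorts {
    # Ports with no enabled inbound Block rule that names them explicitly
    # (rules that block 'Any' port are not counted; review those by hand)
    $blocked = foreach ($rule in Get-NetFirewallRule -Direction Inbound -Action Block -Enabled True) {
        ($rule | Get-NetFirewallPortFilter).LocalPort
    }
    $blocked = @($blocked | ForEach-Object { "$_" })
    return $LateralPorts | Where-Object { $blocked -notcontains "$_" }
}

function Add-PeerBlockRule {
    # Remediation (not run automatically): block the lateral-movement ports
    # from other workstations only, so servers and admin hosts keep access
    New-NetFirewallRule -DisplayName 'Block peer workstation access' `
        -Direction Inbound -Action Block -Protocol TCP `
        -LocalPort $LateralPorts -RemoteAddress $WorkstationSubnet -Profile Domain
}

function Get-InstalledSoftware {
    # Inventory from the Uninstall keys, to spot tools that can be removed
    $paths = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
             'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
    Get-ItemProperty -Path $paths -ErrorAction SilentlyContinue |
        Where-Object DisplayName | Select-Object DisplayName, DisplayVersion | Sort-Object DisplayName
}

$uncovered = @(Get-UncoveredLateralPorts)
[pscustomobject]@{
    WinRMDisabled         = Test-WinRMDisabled
    LapsPolicyPresent     = Test-LapsPolicyPresent
    UncoveredPeerPorts    = ($uncovered -join ', ')
    InstalledSoftwareCount = @(Get-InstalledSoftware).Count
} | Format-List
```

Run `Add-PeerBlockRule` only after confirming the subnet placeholder matches your workstation range, and review the software inventory output against the "uninstall unneeded software" item.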
EventSentry Benefits

Anomaly Detection: EventSentry can detect and flag unusual usage of administrative tools (and other executables), logon activity related to lateral movement, and more.

Validation Scripts: Validation scripts help companies improve their baseline security by flagging insecure protocols, services and settings. Custom validation checks that are specific to the end user's organization can easily be integrated into the built-in validation scripts.

Windows Software: Software Monitoring tracks all installed software and can help identify unneeded software.