Malware may attempt to obtain Windows credentials, usernames and passwords stored in web browsers, or other credentials the user has saved on the system.
Windows Credentials
If the malware can gain access to additional Windows credentials, it may be able to spread inside the network. This can be done via memory scraping, credential dumping, the Credential Manager and other methods.
Web Browser Credentials
Malware may specifically target web browsers to obtain stored credentials. Many users save their usernames and passwords for websites in browser password managers, and malware can target these repositories. This is particularly valuable with high-value victims that may have access to important web sites. For example, attackers have polluted open source projects by embedding malicious code in test suites that, among other nefarious behavior, reads browser settings.
Keylogging
Malware can intercept all keyboard activity, potentially giving it full access to usernames and passwords from both internal and external resources.
Other
Pass-the-Hash attacks and browser session hijacking are other methods that can give malware access to remote systems without the actual usernames and passwords.
Organizations can use several approaches to protect against credential theft:
• Ensure that the OS and all applications are up to date with the latest versions and patches
• Ensure that best security practices are used throughout the network
• Detect unusual network activity, such as unusual logins and applications executed
• Detect additional keyboard and driver installation
EventSentry Benefits

| Feature | Benefit |
|---|---|
| Validation Scripts | EventSentry Validation Scripts ensure that all Windows installations are up to date and that best security practices are followed. |
| Windows Software | Software Monitoring tracks all installed software, and version checks are done for common software. |
| Anomaly Detection | Anomaly monitoring can detect and flag unusual process activity, e.g. flagging processes that have never before been seen on a particular host. |
| Service Monitoring | Services and drivers can be monitored by both Windows and EventSentry, making it possible to detect suspicious changes like newly installed drivers in near real time. |
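The two detections described above (first-seen processes per host, and new service or driver installs) can be illustrated with a small baseline-based detector. This is an added example, not EventSentry's code; the event tuples and the learning-period size are constructed assumptions, and "svc_install" stands in for a Windows System log service-installed event (ID 7045).

```python
"""Baseline-based anomaly detection for process launches and driver/service
installs. Added example, not EventSentry's own code."""
from collections import defaultdict

# Constructed sample events: (host, event_type, detail). "proc" is a process
# launch; "svc_install" mirrors a new service/driver install (System log 7045).
SAMPLE_EVENTS = [
    ("ws01", "proc", r"C:\Windows\System32\svchost.exe"),
    ("ws01", "proc", r"C:\Program Files\Mozilla Firefox\firefox.exe"),
    ("ws01", "proc", r"C:\Windows\System32\svchost.exe"),
    ("ws02", "proc", r"C:\Windows\System32\svchost.exe"),
    ("ws01", "proc", r"C:\Users\Public\updater.exe"),
    ("ws02", "svc_install", "kbdfilter.sys"),
    ("ws02", "proc", r"C:\Program Files\Mozilla Firefox\firefox.exe"),
]

def build_baseline(events, learning=3):
    """Seed the per-host set of known processes from the first `learning` events.
    In practice the baseline is the history collected during a learning period."""
    known = defaultdict(set)
    for host, kind, detail in events[:learning]:
        if kind == "proc":
            known[host].add(detail.lower())
    return known

def detect(events, known):
    """Return alerts for first-seen processes per host and for any service or
    driver install. A process known on another host is still new on this one."""
    alerts = []
    for host, kind, detail in events:
        if kind == "proc":
            key = detail.lower()
            if key not in known[host]:
                alerts.append((host, "new-process", detail))
                known[host].add(key)  # learn it so it fires once per host
        elif kind == "svc_install":
            alerts.append((host, "driver-or-service-installed", detail))
    return alerts

def run(events=SAMPLE_EVENTS, learning=3):
    """Learn from the first `learning` events, then detect over the rest."""
    return detect(events[learning:], build_baseline(events, learning))

if __name__ == "__main__":
    for alert in run():
        print(*alert)
```

With the constructed events, the baseline learns svchost.exe and firefox.exe on ws01 only, so the later svchost.exe and firefox.exe launches on ws02 are flagged as new for that host, alongside updater.exe on ws01 and the driver install.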