Today we have some cool updates on this SIEM-focused series we’ve been doing for a while. Specifically, I want to share that one of these solutions can now detect three early (and important!) warning signs that bad things are happening in your environment:
- ASREPRoasting
- WDigest flag getting flipped (reg add HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest /v UseLogonCredential /t REG_DWORD /d 1)
- Restricted admin mode getting enabled (reg add HKLM\System\CurrentControlSet\Control\Lsa /t REG_DWORD /v DisableRestrictedAdmin /d 0x0 /f) – see n00py’s blog for more info
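As an added illustration of what those three detections look like as rules (this is example code, not the SIEM's own logic or anything from the post), the script below runs over constructed event records shaped like Sysmon Event ID 13 (registry value set) and Windows Security Event ID 4768 (Kerberos TGT request). The field names, the record layout and the sample events are assumptions; the registry paths are the ones quoted above.

```python
import re

# Registry values from the post (Sysmon reports the full value path in TargetObject)
WDIGEST_VALUE = r"HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest\UseLogonCredential"
RESTRICTED_ADMIN_VALUE = r"HKLM\System\CurrentControlSet\Control\Lsa\DisableRestrictedAdmin"

# Sysmon renders DWORD data as "DWORD (0x00000001)"
DWORD_RE = re.compile(r"DWORD \(0x([0-9A-Fa-f]{8})\)")


def dword_value(details):
    """Parse a Sysmon DWORD 'Details' string; None if it is not a DWORD."""
    m = DWORD_RE.fullmatch(details or "")
    return int(m.group(1), 16) if m else None


def classify(event):
    """Return the detection name for one event record, or None if it is benign."""
    src, eid = event.get("source"), event.get("event_id")
    if src == "Sysmon" and eid == 13:  # RegistryEvent (Value Set)
        target = event.get("target_object", "").lower()
        value = dword_value(event.get("details"))
        if target == WDIGEST_VALUE.lower() and value == 1:
            return "wdigest_cleartext_enabled"   # UseLogonCredential flipped to 1
        if target == RESTRICTED_ADMIN_VALUE.lower() and value == 0:
            return "restricted_admin_enabled"    # DisableRestrictedAdmin set to 0
    if src == "Security" and eid == 4768:  # Kerberos TGT requested
        # No pre-authentication (type 0) with an RC4 ticket (0x17) is the
        # AS-REP roasting shape; accounts with pre-auth disabled also produce it
        if event.get("pre_auth_type") == 0 and event.get("ticket_enc_type") == 0x17:
            return "asrep_roasting"
    return None


def detect(events):
    """Return (record_id, detection) pairs for every event that matches a rule."""
    return [(e["record_id"], d) for e in events if (d := classify(e))]


# Constructed sample records (assumed layout, not real telemetry)
SAMPLE_EVENTS = [
    {"record_id": 1, "source": "Sysmon", "event_id": 13, "target_object": WDIGEST_VALUE, "details": "DWORD (0x00000001)"},
    {"record_id": 2, "source": "Sysmon", "event_id": 13, "target_object": RESTRICTED_ADMIN_VALUE, "details": "DWORD (0x00000000)"},
    {"record_id": 3, "source": "Sysmon", "event_id": 13, "target_object": RESTRICTED_ADMIN_VALUE, "details": "DWORD (0x00000001)"},
    {"record_id": 4, "source": "Security", "event_id": 4768, "pre_auth_type": 0, "ticket_enc_type": 0x17},
    {"record_id": 5, "source": "Security", "event_id": 4768, "pre_auth_type": 2, "ticket_enc_type": 0x12},
]

if __name__ == "__main__":
    print(detect(SAMPLE_EVENTS))
```

Record 3 is deliberately left unflagged: setting DisableRestrictedAdmin back to 1 is the hardening direction, so only the 0 value matches.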