Today we welcome our pal Matthew Warner (CTO and co-founder of Blumira) back to the show for a third time (his first appearance was #507 and second was #529).
I complained to Matt about how so many SIEM/SOC solutions don’t catch early warning signs of evil things lurking in customer networks. Specifically, I whined about 7 specific, oft-missed attacks like port scanning, Kerberoasting, ASREPRoasting, password spraying and more. (Shameless self-promotion opportunity: I will be discussing these attacks on an upcoming livestream on December 29).
Matt dives into each of these attacks and shares some fantastic insights into what they look like from a defensive perspective, and also offers practical strategies and tools for detecting them!
Note: during the discussion, Matt points out a lot of important Active Directory groups to keep an eye on from a membership point of view. Those groups include:
- ASAAdmins
- Account Operators
- Administrators
- Backup Operators
- Cert Publishers
- Certificate Service DCOM
- DHCP Administrators
- Debugger Users
- DnsAdmins
- Domain Admins
- Enterprise Admins
- Event Log Readers
- ExchangeAdmins
- Group Policy Creator Owners
- Hyper-V Administrators
- IIS_IUSRS
- IT Compliance and Security Admins
- Incoming Forest Trust Builders
- MacAdmins
- Network Configuration Operators
- Schema Admins
- Server Operators
- ServerAdmins
- SourceFireAdmins
- WinRMRemoteWMIUsers
- WorkstationAdmins
- vCenterAdmins
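
One way to act on this list, as an added example that is not from the episode or from Blumira: a Python filter over exported Windows Security events that alerts when a member is added to one of the groups above. It relies on the standard member-added event IDs (4728, 4732, 4756) and their usual field names; the sample events and every account name and SID in them are constructed.

```python
"""Added example: alert on members added to the watched AD groups listed above."""

# Group names copied from the list on this page; compared case-insensitively.
WATCHED_GROUPS = {g.lower() for g in [
    "ASAAdmins", "Account Operators", "Administrators", "Backup Operators",
    "Cert Publishers", "Certificate Service DCOM", "DHCP Administrators",
    "Debugger Users", "DnsAdmins", "Domain Admins", "Enterprise Admins",
    "Event Log Readers", "ExchangeAdmins", "Group Policy Creator Owners",
    "Hyper-V Administrators", "IIS_IUSRS", "IT Compliance and Security Admins",
    "Incoming Forest Trust Builders", "MacAdmins",
    "Network Configuration Operators", "Schema Admins", "Server Operators",
    "ServerAdmins", "SourceFireAdmins", "WinRMRemoteWMIUsers",
    "WorkstationAdmins", "vCenterAdmins",
]}

# Security event IDs: member added to a security-enabled group, by group scope.
MEMBER_ADDED = {4728: "global", 4732: "local", 4756: "universal"}

def flag_membership_changes(events, watched=WATCHED_GROUPS):
    """Return one alert per member-added event whose target group is watched."""
    alerts = []
    for ev in events:
        try:
            scope = MEMBER_ADDED.get(int(ev.get("EventID")))
        except (TypeError, ValueError):
            continue  # malformed or missing EventID
        group = str(ev.get("TargetUserName", "")).strip()
        if scope is None or group.lower() not in watched:
            continue
        member = ev.get("MemberName")
        if member in (None, "", "-"):  # some events carry only the member SID
            member = ev.get("MemberSid")
        alerts.append({"group": group, "scope": scope, "member": member,
                       "changed_by": ev.get("SubjectUserName")})
    return alerts

# Constructed sample events (not real log data).
SAMPLE_EVENTS = [
    {"EventID": 4728, "TargetUserName": "Domain Admins", "MemberName": "CN=svc-backup,OU=Service,DC=example,DC=test", "SubjectUserName": "jdoe"},
    {"EventID": 4732, "TargetUserName": "dnsadmins", "MemberName": "-", "MemberSid": "S-1-5-21-1111111111-2222222222-3333333333-1105", "SubjectUserName": "jdoe"},
    {"EventID": 4728, "TargetUserName": "Helpdesk Staff", "MemberName": "CN=asmith,DC=example,DC=test", "SubjectUserName": "hr-sync"},
    {"EventID": 4624, "TargetUserName": "Administrators", "SubjectUserName": "-"},
    {"EventID": "4756", "TargetUserName": "Enterprise Admins", "MemberName": "CN=tmp-admin,DC=example,DC=test", "SubjectUserName": "jdoe"},
]

if __name__ == "__main__":
    for alert in flag_membership_changes(SAMPLE_EVENTS):
        print(alert)
```

Removal events (4729, 4733, 4757) can be added to `MEMBER_ADDED` the same way if you also want to see members leaving these groups.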