Today we welcome our pal Matthew Warner (CTO and co-founder of Blumira) back to the show for a third time (his first appearance was #507 and second was #529).

I complained to Matt about how so many SIEM/SOC solutions don’t catch early warning signs of evil things lurking in customer networks. Specifically, I whined about 7 specific, oft-missed attacks like port scanning, Kerberoasting, ASREPRoasting, password spraying and more. (Shameless self-promotion opportunity: I will be discussing these attacks on an upcoming livestream on December 29).

Matt dives into each of these attacks and shares some fantastic insights into what they look like from a defensive perspective, and also offers practical strategies and tools for detecting them!

Note: during the discussion, Matt points out a lot of important Active Directory groups to keep an eye on from a membership point of view. Those groups include:

  • ASAAdmins
  • Account Operators
  • Administrators
  • Administrators
  • Backup Operators
  • Cert Publishers
  • Certificate Service DCOM
  • DHCP Administrators
  • Debugger Users
  • DnsAdmins
  • Domain Admins
  • Enterprise Admins
  • Enterprise Admins
  • Event Log Readers
  • ExchangeAdmins
  • Group Policy Creator Owners
  • Hyper-V Administrators
  • IIS_IUSRS
  • IT Compliance and Security Admins
  • Incoming Forest Trust Builders
  • MacAdmins
  • Network Configuration Operators
  • Schema Admins
  • Server Operators
  • ServerAdmins
  • SourceFireAdmins
  • WinRMRemoteWMIUsers
  • WorkstationAdmins
  • vCenterAdmins

Written by: Brian Johnson

Share on socials: