These are mitigation strategies that you can use in your organization to help prevent both lateral movement and privilege escalation by decreasing the impact of credential theft (for example, pass-the-hash with stolen NTLM hashes or reuse of cached credentials).
Lateral Movement: In this activity, the attacker uses the credentials obtained from a compromised computer to gain access to another computer of the same value to the organization.
Privilege Escalation: In this activity, the attacker uses the credentials obtained from a compromised computer to gain access to another computer of a higher value to the organization.
These mitigations are effective, practical, and broadly applicable to different domain configurations.
They are defense-in-depth measures: each one is designed to keep your environment protected even if the other measures fail.
| Mitigation | Effectiveness | Effort Required | Privilege Escalation | Lateral Movement |
|---|---|---|---|---|
| Restrict and protect high-privileged domain accounts | Excellent | Medium | √ | – |
| Restrict and protect local accounts with administrative privileges | Excellent | Low | – | √ |
| Restrict inbound traffic using the Windows Firewall | Excellent | Medium | – | √ |

| More Recommendations | Effectiveness | Effort Required | Privilege Escalation | Lateral Movement |
|---|---|---|---|---|
| Remove standard users from the local Administrators group | Excellent | High | √ | – |
| Limit the number and use of privileged domain accounts | Good | Medium | √ | – |
| Configure outbound proxies to deny Internet access to privileged accounts | Good | Low | √ | – |
| Ensure administrative accounts don't have email accounts | Good | Low | √ | – |
| Use remote management tools that don't place reusable credentials in a remote computer's memory | Good | Medium | √ | – |
| Avoid logons to less secure computers that are potentially compromised | Good | Low | √ | √ |
| Update applications and operating systems | Partial | Medium | – | – |
| Secure and manage domain controllers | Partial | Medium | – | – |
| Remove LM hashes | Partial | Low | – | – |

| Other Mitigations | Effectiveness | Effort Required | Privilege Escalation | Lateral Movement |
|---|---|---|---|---|
| Disable the NTLM protocol | Minimal | High | – | – |
| Smart cards and multifactor authentication (MFA) | Minimal | High | – | – |
| Jump servers | Minimal | High | √ | – |
| Rebooting workstations and servers | Minimal | Low | – | – |
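
As an added example (not part of the original post or of Microsoft's guidance), the script below shows what the second and third "Excellent" mitigations look like on a single Windows host. It audits the local Administrators group for local (non-domain) accounts other than the built-in RID 500 account, checks whether the well-known SID S-1-5-114 ("Local account and member of Administrators group") is in the "Deny access to this computer from the network" right so a stolen local-admin hash cannot be replayed over the network, and then sets Windows Firewall to default-deny inbound with RDP, WinRM and SMB allowed only from an admin subnet. The subnet `10.10.250.0/24`, the rule names and the `PtH mitigations` rule group are assumptions for illustration; adjust them for your environment.

```powershell
#Requires -RunAsAdministrator
# Added example (not from the original page): audit and apply two of the
# "Excellent" mitigations from the table on one host.
# Assumptions (change for your environment):
#   - management traffic (RDP, WinRM, SMB) may only arrive from $AdminSubnet;
#     all other inbound traffic is blocked.
#   - the only local account allowed in Administrators is the built-in
#     Administrator (RID 500); every other local member is flagged.

$AdminSubnet = '10.10.250.0/24'   # assumed admin / jump-host subnet

# --- Mitigation 2: local accounts with administrative privileges ----------
function Get-RiskyLocalAdmin {
    # Local (non-domain) members of Administrators other than RID 500. Each of
    # these is a reusable credential: if the same account/password exists on
    # other machines, one stolen hash opens all of them (lateral movement).
    Get-LocalGroupMember -Group 'Administrators' |
        Where-Object { $_.PrincipalSource -eq 'Local' -and $_.SID.Value -notlike '*-500' }
}

function Test-LocalAdminNetworkLogonDenied {
    # True when "Deny access to this computer from the network" contains
    # S-1-5-114 (Local account and member of Administrators group, added with
    # KB2871997). With it set, a stolen local-admin hash is useless over SMB,
    # WinRM or RPC from another machine.
    $cfg = Join-Path $env:TEMP 'userrights.inf'
    secedit /export /cfg $cfg /areas USER_RIGHTS | Out-Null
    $line = Select-String -Path $cfg -Pattern '^SeDenyNetworkLogonRight' | Select-Object -First 1
    Remove-Item $cfg -ErrorAction SilentlyContinue
    return ($null -ne $line -and $line.Line -match 'S-1-5-114')
}

# --- Mitigation 3: restrict inbound traffic with Windows Firewall --------
function Set-InboundManagementRules {
    param([Parameter(Mandatory)][string]$Subnet)

    # Default-deny inbound on every profile; outbound is left open.
    Set-NetFirewallProfile -Profile Domain,Private,Public -Enabled True `
        -DefaultInboundAction Block -DefaultOutboundAction Allow

    $rules = @(
        @{ Name = 'PtH-Admin RDP';   Port = 3389      }
        @{ Name = 'PtH-Admin WinRM'; Port = 5985,5986 }
        @{ Name = 'PtH-Admin SMB';   Port = 445       }
    )
    foreach ($r in $rules) {
        # Remove and recreate so the script is idempotent.
        Get-NetFirewallRule -DisplayName $r.Name -ErrorAction SilentlyContinue |
            Remove-NetFirewallRule
        New-NetFirewallRule -DisplayName $r.Name -Group 'PtH mitigations' `
            -Direction Inbound -Protocol TCP -LocalPort $r.Port `
            -RemoteAddress $Subnet -Action Allow -Profile Domain | Out-Null
    }
}

# --- run -----------------------------------------------------------------
$risky = @(Get-RiskyLocalAdmin)
if ($risky.Count) {
    Write-Warning "Local admin accounts besides RID 500: $($risky.Name -join ', ')"
}
if (-not (Test-LocalAdminNetworkLogonDenied)) {
    Write-Warning 'S-1-5-114 is not in SeDenyNetworkLogonRight; set it via GPO (User Rights Assignment).'
}
Set-InboundManagementRules -Subnet $AdminSubnet
Get-NetFirewallRule -Group 'PtH mitigations' | Format-Table DisplayName, Enabled, Action
```

The deny-network-logon check only reports; user rights are best pushed through Group Policy rather than edited per host. Test the firewall rules from the admin subnet before rolling them out, because the default-deny locks out every other management path.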
Have a nice day!