This section describes mitigation strategies that you can use in your organization to help prevent both lateral movement and privilege escalation by decreasing the impact of credential theft.

Lateral movement: in this activity, the attacker uses the credentials obtained from a compromised computer to gain access to another computer of the same value to the organization.

Privilege escalation: in this activity, the attacker uses the credentials obtained from a compromised computer to gain access to another computer of a higher value to the organization.

The primary mitigations are effective, practical, and broadly applicable to different domain configurations.

The additional recommendations are defense-in-depth measures designed to ensure that your environment remains protected even if the primary mitigations fail.
| Mitigation | Effectiveness | Effort Required | Privilege Escalation | Lateral Movement |
|---|---|---|---|---|
| Restrict and protect local accounts with Administrative Privileges | Excellent | Medium | ✓ | – |
| Restrict and protect local accounts with Administrative Privileges | Excellent | Low | – | ✓ |
| Restrict inbound traffic using the Windows Firewall | Excellent | Medium | – | ✓ |

| More Recommendations | Effectiveness | Effort Required | Privilege Escalation | Lateral Movement |
|---|---|---|---|---|
| Remove standard users from the local Administrators Group | Excellent | High | ✓ | – |
| Limit the number and use of privileged Domain Accounts | Good | Medium | ✓ | – |
| Configure outbound proxies to deny internet to Privileged Accounts | Good | Low | ✓ | – |
| Ensure Administrative Accounts don’t have email accounts | Good | Low | ✓ | – |
| Use remote management tools that don’t place reusable credentials in a remote computer's memory | Good | Medium | ✓ | – |
| Avoid logons to less secure computers that are potentially compromised | Good | Low | ✓ | ✓ |
| Update applications and operating systems | Partial | Medium | – | – |
| Secure and manage Domain Controllers | Partial | Medium | – | – |
| Remove LM hashes | Partial | Low | – | – |

| Other Mitigation | Effectiveness | Effort Required | Privilege Escalation | Lateral Movement |
|---|---|---|---|---|
| Disable the NTLM Protocol | Minimal | High | – | – |
| Smart cards and multifactor authentication (MFA) | Minimal | High | – | – |
| Rebooting workstations and servers | Minimal | Low | – | – |
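Two of the mitigations in the tables above, removing standard users from the local Administrators group and restricting inbound traffic with the Windows Firewall, can be audited and enforced from an elevated PowerShell session. The script below is an added example written for this page, not code from the original document or from Microsoft; the approved-member list, the management subnet `10.0.10.0/24`, and the ports it allows are placeholders you would replace with your own values.

```powershell
# Added example (not from the original page). Run in an elevated PowerShell
# session on the workstation or server being hardened.
# Assumptions (not on the page): the approved administrator list and the
# management subnet below are placeholders for your own environment.

$ApprovedAdmins = @(
    "$env:COMPUTERNAME\Administrator",   # placeholder: built-in local admin
    "CONTOSO\Workstation Admins"         # placeholder: your admin group
)
$ManagementSubnet = "10.0.10.0/24"       # placeholder: hosts allowed to manage this one
$ReportOnly = $true                      # report first; set to $false to enforce

# --- Mitigation: remove standard users from the local Administrators group ---
# Any member of the local Administrators group that is not on the approved list
# is a standard user (or an unmanaged group) whose credentials, if stolen,
# give an attacker administrative control of this host.
function Get-UnapprovedLocalAdmins {
    Get-LocalGroupMember -Group "Administrators" |
        Where-Object { $ApprovedAdmins -notcontains $_.Name }
}

foreach ($member in Get-UnapprovedLocalAdmins) {
    Write-Host "Unapproved local administrator: $($member.Name) [$($member.PrincipalSource)]"
    if (-not $ReportOnly) {
        Remove-LocalGroupMember -Group "Administrators" -Member $member.Name
    }
}

# --- Mitigation: restrict inbound traffic using the Windows Firewall ---
# Default-deny inbound on every profile, then allow SMB (445) and RDP (3389)
# only from the management subnet. A compromised peer workstation outside that
# subnet can no longer reach this host with stolen credentials.
if (-not $ReportOnly) {
    Set-NetFirewallProfile -Profile Domain, Private, Public -DefaultInboundAction Block
    foreach ($port in 445, 3389) {
        New-NetFirewallRule -DisplayName "Management-only inbound TCP $port" `
            -Direction Inbound -Protocol TCP -LocalPort $port `
            -RemoteAddress $ManagementSubnet -Action Allow -Profile Domain
    }
}
```

Run it with `$ReportOnly = $true` first and review the reported members and the existing firewall rules before enforcing: any pre-existing allow rule for the same ports still applies, and the management subnet must include the hosts you administer from or you will lock yourself out of remote management.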