This page summarizes mitigation strategies that you can use in your organization to help prevent both lateral movement and privilege escalation by decreasing the impact of credential theft.
Lateral Movement: In this activity, the attacker uses the credentials obtained from a compromised computer to gain access to another computer of the same value to the organization.
Privilege Escalation: In this activity, the attacker uses the credentials obtained from a compromised computer to gain access to another computer of a higher value to the organization.
These mitigations are effective, practical, and broadly applicable to different domain configurations.
These mitigations are defense-in-depth measures, designed so that your environment stays protected even if one of them fails.
| Mitigation | Effectiveness | Effort Required | Privilege Escalation | Lateral Movement |
|---|---|---|---|---|
| Restrict and protect local accounts with Administrative Privileges | Excellent | Medium | ✓ | – |
| Restrict and protect local accounts with Administrative Privileges | Excellent | Low | – | ✓ |
| Restrict inbound traffic using the Windows Firewall | Excellent | Medium | – | ✓ |
| More Recommendations | Effectiveness | Effort Required | Privilege Escalation | Lateral Movement |
|---|---|---|---|---|
| Remove standard users from the local Administrators Group | Excellent | High | ✓ | – |
| Limit the number and use of privileged Domain Accounts | Good | Medium | ✓ | – |
| Configure outbound proxies to deny internet to Privileged Accounts | Good | Low | ✓ | – |
| Ensure Administrative Accounts don’t have email accounts | Good | Low | ✓ | – |
| Use remote management tools that don’t place reusable credentials in a remote computer’s memory | Good | Medium | ✓ | – |
| Avoid logons to less secure computers that are potentially compromised | Good | Low | ✓ | ✓ |
| Update applications and operating systems | Partial | Medium | – | – |
| Secure and manage Domain Controllers | Partial | Medium | – | – |
| Remove LM hashes | Partial | Low | – | – |
| Other Mitigation | Effectiveness | Effort Required | Privilege Escalation | Lateral Movement |
|---|---|---|---|---|
| Disable the NTLM Protocol | Minimal | High | – | – |
| Smart cards and multifactor authentication (MFA) | Minimal | High | – | – |
| Jump servers | Minimal | High | ✓ | – |
| Rebooting workstations and servers | Minimal | Low | – | – |
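As an added example (not part of the original page or the whitepaper it summarizes), the following PowerShell script audits one Windows computer for the settings behind several rows in the tables above: LM hash storage, NTLM restriction, remote UAC token filtering for local administrator accounts, local Administrators group membership, and the firewall's default inbound action. The function names Get-RegValue, Add-Row and Test-PtHMitigations are my own; the registry values and cmdlets are standard Windows ones, and the script assumes an elevated PowerShell 5.1 or later session on the computer being checked.

```powershell
# Read-only audit; it changes nothing. Registry paths are the standard LSA, MSV1_0 and UAC policy keys.
function Get-RegValue([string]$Path, [string]$Name) {
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }   # value absent: each check decides whether that is safe
    return $item.$Name
}

function Test-PtHMitigations {
    $lsa = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
    $pol = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
    $rows = New-Object System.Collections.Generic.List[object]
    function Add-Row($Mitigation, $Setting, $Value, $Status) {
        $rows.Add([pscustomobject]@{ Mitigation=$Mitigation; Setting=$Setting; Value=$Value; Status=$Status })
    }

    # Remove LM hashes: NoLMHash = 1 stops storing the LM hash from the next password change on.
    $v = Get-RegValue $lsa 'NoLMHash'
    Add-Row 'Remove LM hashes' 'NoLMHash' $v $(if ($v -eq 1) { 'Pass' } else { 'Fail' })

    # Disable the NTLM protocol: LmCompatibilityLevel 5 = send NTLMv2 only, refuse LM and NTLM;
    # RestrictSending/ReceivingNTLMTraffic 2 = deny all, anything else still permits some NTLM.
    $v = Get-RegValue $lsa 'LmCompatibilityLevel'
    Add-Row 'Disable the NTLM Protocol' 'LmCompatibilityLevel' $v $(if ($v -eq 5) { 'Pass' } else { 'Fail' })
    foreach ($n in 'RestrictSendingNTLMTraffic', 'RestrictReceivingNTLMTraffic') {
        $v = Get-RegValue "$lsa\MSV1_0" $n
        Add-Row 'Disable the NTLM Protocol' $n $v $(if ($v -eq 2) { 'Pass' } else { 'Fail' })
    }

    # Restrict local accounts with administrative privileges: LocalAccountTokenFilterPolicy = 1 turns off
    # remote UAC token filtering, so a stolen local-admin credential yields a full administrative token
    # over the network. Absent or 0 is the safe state.
    $v = Get-RegValue $pol 'LocalAccountTokenFilterPolicy'
    Add-Row 'Restrict local admin accounts' 'LocalAccountTokenFilterPolicy' $v $(if ($v -eq 1) { 'Fail' } else { 'Pass' })

    # Remove standard users from the local Administrators group: list every member other than the
    # built-in Administrator (RID 500) so each one can be justified or removed.
    $extra = Get-LocalGroupMember -Group 'Administrators' -ErrorAction SilentlyContinue |
             Where-Object { $_.SID.Value -notlike 'S-1-5-21-*-500' } |
             Select-Object -ExpandProperty Name
    Add-Row 'Remove standard users from Administrators' 'Members beyond RID 500' ($extra -join ', ') 'Review'

    # Restrict inbound traffic with the Windows Firewall: every profile enabled with default inbound Block.
    foreach ($p in Get-NetFirewallProfile) {
        $ok = ($p.Enabled -eq 'True') -and ($p.DefaultInboundAction -eq 'Block')
        Add-Row 'Windows Firewall inbound' "$($p.Name) profile" "Enabled=$($p.Enabled) Inbound=$($p.DefaultInboundAction)" $(if ($ok) { 'Pass' } else { 'Fail' })
    }
    return $rows
}

Test-PtHMitigations | Format-Table -AutoSize
```

Roll the NTLM restriction values out in audit mode first; the table above rates disabling NTLM as minimal effectiveness with high effort, largely because of the legacy applications it breaks.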
Have a nice day!