Feb 20 2019 05:18 AM
As I understand it, the risk of a lateral movement attack is increased where sensitive users (e.g. domain admins) log onto the same machine as standard users (with Internet access / email access / etc.) who also have local admin access to the machine. The attack vector is that an adversary could compromise the user account and then (using their local admin permissions) harvest the domain admin ‘cached user credentials’ stored on the machine, thus facilitating further propagation across the network.
If we set the ‘previous logins cached’ to 0 for all our servers, does this remove the risk from lateral movement paths? If there are no ‘cached user credentials’ on the server then the presence of both users with local admin access, and users with domain access shouldn’t be an issue, as an adversary wouldn’t be able to harvest any ‘cached user credentials’ – thus removing the risk from lateral movement paths (even though this would still be flagged in ATA).
This seems like a simple solution to the problem of Lateral Movement Attacks; however, I have not seen it mentioned anywhere. Am I correct, or are there other factors negating this as a control?
Feb 20 2019 07:36 AM
Solution
Feb 20 2019 07:43 AM
Thanks. Which credentials does a lateral movement attack use if it doesn't use the domain-authenticated cached credentials?
Feb 20 2019 08:19 AM
Mar 01 2019 01:17 AM
Also, to clarify, the lateral movement path will identify where a sensitive user has logged onto a machine where there is a non-sensitive user who is a member of the local administrators group. AATP will also then calculate the paths to this machine.
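The two conditions discussed in this thread (domain logons being cached on a server, and non-sensitive domain principals holding local admin rights on it) can both be audited from the host itself. The script below is an added example, not something posted in the thread or part of AATP; it reads the Winlogon `CachedLogonsCount` value that backs the “Interactive logon: Number of previous logons to cache” policy and enumerates the local Administrators group. It assumes an elevated session on Windows Server 2016 or later (for the `Microsoft.PowerShell.LocalAccounts` module), and `$SensitiveGroups` is a placeholder list to be replaced with the groups your organisation treats as sensitive. One caveat worth knowing before relying on the setting as a control: `CachedLogonsCount = 0` removes only the stored domain credential verifiers used for offline logon; credentials of sessions that are currently or recently logged on still live in LSASS memory regardless of this setting, which is why mitigations such as Credential Guard, the Protected Users group and restricting where privileged accounts may log on are the usual complements to it.

```powershell
# Added audit example (not from this thread): report the cached-logon setting and
# local Administrators membership on the current server.
# Assumptions: elevated session, Windows Server 2016+ with Microsoft.PowerShell.LocalAccounts.
$SensitiveGroups = @('Domain Admins', 'Enterprise Admins')   # placeholder list; adjust for your environment

function Get-CachedLogonsCount {
    # The policy value is stored as REG_SZ under Winlogon; absent means the Windows default of 10.
    $key  = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
    $item = Get-ItemProperty -Path $key -Name CachedLogonsCount -ErrorAction SilentlyContinue
    if ($null -eq $item) { return 10 }
    return [int]$item.CachedLogonsCount
}

function Get-LocalAdminAudit {
    # One record per member of the local Administrators group, flagged if it is in $SensitiveGroups.
    Get-LocalGroupMember -Group 'Administrators' | ForEach-Object {
        $short = ($_.Name -split '\\')[-1]      # strip the DOMAIN\ prefix for the name comparison
        [pscustomobject]@{
            Member      = $_.Name
            ObjectClass = $_.ObjectClass        # User or Group
            Source      = $_.PrincipalSource    # Local, ActiveDirectory, AzureAD, MicrosoftAccount
            Sensitive   = ($SensitiveGroups -contains $short)
        }
    }
}

$count  = Get-CachedLogonsCount
$admins = Get-LocalAdminAudit

if ($count -eq 0) {
    "CachedLogonsCount = 0: domain logons are not cached on this host"
} else {
    "CachedLogonsCount = $count: the last $count domain logons are cached on this host"
}

$admins | Format-Table -AutoSize

# Non-sensitive domain principals with local admin rights are the condition AATP uses
# when it builds a lateral movement path to a host a sensitive user has logged onto.
$admins | Where-Object { $_.Source -eq 'ActiveDirectory' -and -not $_.Sensitive } |
    ForEach-Object { "Non-sensitive domain principal with local admin: $($_.Member)" }
```

Run it as part of a server baseline check; a host that reports a non-zero cached count together with non-sensitive domain principals in Administrators is exactly the combination the original question is concerned with, and the output gives you the specific accounts to follow up on.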