In our previous blog we wrote about the importance of monitoring all endpoints in your organization for the existence of cached credentials. If present, hackers can easily reveal their hashes using Mimikatz. Then, the attacker can use the “pass the hash” technique to gain access to remote machines and services.
What can you do about it?
- Mimikatz and similar tools are only able to access the credential hashes when run as a privileged user such as a local administrator. Mitigation action: minimize privileged user access where possible.
- Microsoft desktops and servers have a configuration known as the Debug Privilege. This is a security policy setting that allows users to attach a debugger to a process or to the kernel. For example, with debug privilege, one can silently remove all the security agents installed on a device, without raising any alert. On many versions of Windows, including Windows 10, Debug Privilege is assigned to the Built-in Administrators group by default!
That is a great power in the hands of whoever wants to spread their ransomware in your organization. Mitigation action: Apply GPO and revoke the debug privilege from all users:
Group Policy Management Editor → Windows Settings → Security Settings → Local Policies → User Rights Assignment → Debug programs → Define these policy settings → Leave the box empty and press OK
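
To confirm on an endpoint that the setting actually took effect, the user rights assignment can be exported with `secedit` and checked for `SeDebugPrivilege`, the internal name of the "Debug programs" right. The script below is an added example, not part of the original post or of any vendor tooling; it assumes an elevated PowerShell session, and the function names `Get-DebugPrivilegeHolders` and `Resolve-Holder` are hypothetical helpers.

```powershell
# Added example: report which accounts still hold "Debug programs" (SeDebugPrivilege).
# Assumption: run from an elevated PowerShell prompt on the endpoint being checked.

function Get-DebugPrivilegeHolders {
    param([string]$InfPath)

    # In a secedit export, a user right looks like:
    #   SeDebugPrivilege = *S-1-5-32-544,*S-1-5-21-...
    $line = Get-Content -Path $InfPath |
        Where-Object { $_ -match '^\s*SeDebugPrivilege\s*=' } |
        Select-Object -First 1

    if (-not $line) { return @() }   # right not listed: assigned to nobody

    $value = ($line -split '=', 2)[1]
    $value.Split(',') |
        ForEach-Object { $_.Trim().TrimStart('*') } |
        Where-Object { $_ }          # drop empty entries (empty assignment)
}

function Resolve-Holder {
    param([string]$Entry)
    if ($Entry -notmatch '^S-1-') { return $Entry }   # already an account name
    try {
        $sid = New-Object System.Security.Principal.SecurityIdentifier($Entry)
        return $sid.Translate([System.Security.Principal.NTAccount]).Value
    } catch {
        return $Entry   # SID that no longer resolves; report it as-is
    }
}

$tmp = Join-Path $env:TEMP ("user_rights_{0}.inf" -f [guid]::NewGuid())
try {
    secedit.exe /export /cfg $tmp /areas USER_RIGHTS /quiet | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "secedit export failed (exit code $LASTEXITCODE)" }
    $holders = @(Get-DebugPrivilegeHolders -InfPath $tmp |
        ForEach-Object { Resolve-Holder $_ })
} finally {
    Remove-Item -Path $tmp -ErrorAction SilentlyContinue
}

if ($holders.Count -eq 0) {
    Write-Output "OK: SeDebugPrivilege is not assigned to any account."
} else {
    Write-Output "FINDING: SeDebugPrivilege is still assigned to:"
    $holders | ForEach-Object { Write-Output "  $_" }
}
```

On a machine where the policy has not been applied, the output lists `BUILTIN\Administrators`, which matches the default described above.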
When an attacker achieves privilege escalation on one of your endpoints, it’s already bad news. They will then try to leverage that power to move laterally inside your network and take over additional workstations and servers.
Still, by applying the right practices on your endpoints, the attacker’s chances are slim.
Gytpol always monitors and reports on all endpoints in your organization. We can tell if the debug privilege is not secured properly, including whether the policy has also been successfully applied.