How to monitor Windows to prevent credential theft attacks

Social Networks | September 18, 2019

Attackers are now enabling WDigest credential caching to harvest credentials. Here's how to spot it.

Copyright © 2019 Raybet2

Hi there. I'm Susan Bradley with CSO Online. Today we're going to talk about credential harvesting. What brought my attention back to this topic was a post from the Microsoft Defender Security Center. It reminded me that there are many ways to harvest credentials. One particular method is through WDigest. Credential harvesting as we understand it is something that has been around for a long time. But given recent security threats, you may need to revisit it.

Last year there was a piece of malware called Trickbot. It had an unusual component: a screen locker module. The screen locker module was specifically designed to capture and harvest credentials. What was unique was how it actually went back and enabled WDigest support. So if you had it disabled, or if you didn't have it set at all, it would actually go through your systems and enable WDigest support. The screen locker module would then kick in, making the user log in again. That process of re-logging in captured the credentials; they could then harvest those credentials from LSA memory, and off they went to the races. So their intention in this circumstance was not ransom; rather, they wanted your username and password. Back in March of this year I actually wrote an article talking about WDigest and how it was a security patch that needed additional registry keys. And if you kind of snoozed a little and forgot about it, and realized that you didn't need it on Windows 8.1 and higher, you might not think you would need to care about it. But a Bleeping Computer article reminded us that even if you don't have WDigest enabled, the attackers can actually go back and re-enable it and capture that information.

So what should one do? What you want to do is proactively set the registry key on the higher versions.

Then you need to monitor those registry keys to make sure they haven't been tampered with. So look for the key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest and actually set UseLogonCredential. You can do it through Group Policy. You can do it through a script. Then go back and query to make sure it's set correctly. Even on later versions such as 8.1, 2012 R2 and Windows 10, you don't need to set the registry key, but proactively putting it there means attackers can't come back and set it again. So quickly query all your endpoints and check that the WDigest setting is what you want, not what the attacker wants. I'm Susan Bradley with CSO Online; see you next time. See you at Tech Talk from IDG on the YouTube channel.
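One way to do the "set it, then query all your endpoints" check the video describes, as an added PowerShell example that is not from the video or its author: it reads UseLogonCredential under the WDigest key on each endpoint, reports whether it is 0, explicitly 1 (suspicious), or absent, and with the hypothetical -Remediate switch forces it to 0. The $Endpoints list is a constructed placeholder.

```powershell
# Added example (not part of the video). Audits the WDigest UseLogonCredential
# value across endpoints and optionally enforces it. -Remediate and $Endpoints
# are hypothetical names chosen for this script.
[CmdletBinding()]
param(
    [string[]]$Endpoints = @('localhost'),   # constructed sample list of hosts
    [switch]$Remediate                       # set the value to 0 where it is not
)

$WDigestKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest'
$ValueName  = 'UseLogonCredential'

# Runs on each endpoint: returns the current value and a state label; when
# $Fix is true it writes an explicit DWORD 0 so LSASS stops keeping plaintext
# WDigest credentials and so a later change back to 1 stands out in the audit.
$Check = {
    param($Key, $Name, [bool]$Fix)
    $current = (Get-ItemProperty -Path $Key -Name $Name -ErrorAction SilentlyContinue).$Name
    if ($null -eq $current)  { $state = 'NotSet' }          # default-off on 8.1+, but unpinned
    elseif ($current -eq 0)  { $state = 'Compliant' }
    else                     { $state = 'ENABLED-suspicious' } # 1 = plaintext creds cached
    if ($Fix -and $state -ne 'Compliant') {
        if (-not (Test-Path $Key)) { New-Item -Path $Key -Force | Out-Null }
        Set-ItemProperty -Path $Key -Name $Name -Value 0 -Type DWord
        $state = 'Remediated'
    }
    [pscustomobject]@{ Computer = $env:COMPUTERNAME; Value = $current; State = $state }
}

$Endpoints | ForEach-Object {
    $ep = $_
    try {
        if ($ep -eq 'localhost') {
            & $Check $WDigestKey $ValueName ([bool]$Remediate)
        } else {
            # Remote check over WinRM; requires remoting enabled and admin rights.
            Invoke-Command -ComputerName $ep -ScriptBlock $Check `
                -ArgumentList $WDigestKey, $ValueName, ([bool]$Remediate)
        }
    } catch {
        [pscustomobject]@{ Computer = $ep; Value = $null; State = "Error: $($_.Exception.Message)" }
    }
} | Format-Table -AutoSize
```

Any endpoint reporting ENABLED-suspicious after you have pushed 0 by Group Policy or script is the tampering signal the video tells you to watch for.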