7MS #499: Desperately Seeking a Super SIEM for SMBs - Part 6

December 16, 202121m 35s

Audio is streamed directly from the publisher (traffic.libsyn.com) as published in their RSS feed. Play Podcasts does not host this file. Rights-holders can request removal through the copyright & takedown page.

Original episode page

Show Notes

Today we have some cool updates on this SIEM-focused series we've been doing for a while. Specifically, I want to share that one of these solutions can now detect three early (and important!) warning signs that bad things are happening in your environment:

ASREPRoasting
WDigest flag getting flipped (reg add HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest /v UseLogonCredential /t REG_DWORD /d 1)
Restricted admin mode getting enabled (reg add HKLM\System\CurrentControlSet\Control\Lsa /t REG_DWORD /v DisableRestrictedAdmin /d 0x0 /f) - see n00py's blog for more info

← All episodes of 7 Minute Security