Red Flag Alert: Service Accounts Performing Interactive Logins

Posted by Monnia Deng on Aug 29, 2019 1:32:26 PM

In the world of account security, we often focus on end user accounts as the weak vector vulnerable to attackers. 

On the contrary, we at Preempt see something that happens just as frequently: failing to limit exposed and vulnerable service accounts. Service accounts often differ from end user accounts in that they usually have higher privileges that are used to control or call applications and services. As a result, looking for key indicators of compromise of your service accounts should be at the forefront of your network security strategy.

Read More

Topics: Privileged Accounts, Active Directory, Credential Compromise, Passwords, Insider Threat, Black Hat, Lateral Movement, Stealthy Admin

Enterprises continue to suffer from poor password hygiene and a lack of visibility & control over privileged users

Posted by Yaron Zinar on Dec 19, 2018 6:08:06 AM

It has been more than a year since I last shared Preempt Inspector statistics. Last time we shared Preempt Inspector statistics we found some alarming numbers. With the end of 2018 approaching, I would like to share with you key findings from Preempt Inspector [a free security tool that has been replaced by the more robust and also free Preempt Lite] to help you focus on the most important security issues you might be facing.

Read More

Topics: Privileged Users, Insider Threats, Passwords, Stealthy Admin

Is Your Organization at Risk Because a Local Administrator Has a Weak Password?

Posted by Marina Simakov on Dec 18, 2018 7:32:55 AM

In July, media reported that SingHealth, Singapore’s largest health organization, was breached with 1.5 million medical records stolen. The stolen records included those of Singapore’s prime minister Lee Hsien Loong. Consequently, a special inquiry had taken place, revealing that SingHealth had several security gaps and vulnerabilities which could have easily been exploited by attackers, including a local administrator account with a very weak password (P@ssw0rd). In fact, one of the ways which enabled the attackers to move laterally in the network was by using compromised Citrix local accounts.

Read More

Topics: Passwords, Stealthy Admin

Advisory: Flaw in Azure AD Connect Software Can Allow Stealthy Admins to Gain Full Domain Control

Posted by Roman Blachman on Dec 12, 2017 9:42:26 AM

Authors: Roman Blachman, Yaron Zinar.
We recently reviewed a customer’s network and found that 85%(!) of all users in the network had some unnecessary administrative privilege. The excessive privilege stemmed from an indirect inclusion in a
protected admin group. Most Active Directory audit systems easily alert on excessive privileges, but will often miss users who have elevated domain privileges directly through domain discretionary access control list (DACL) configuration. We refer to these users as stealthy admins.

Read More

Topics: Credential Compromise, Stealthy Admin, Azure AD Connect, Security Advisory, Microsoft