How to monitor Windows to prevent credential-theft attacks

CSO Online | September 18, 2019

Attackers can now enable WDigest credential caching, allowing them to harvest credentials. Here's how to detect it.


Hello again. This is Susan Bradley for CSO Online. Today we're going to talk about harvested credentials. What got me onto this topic again was a post in the Microsoft Defender Security Center. It reminded me that credential harvesting happens in many ways. One particular way is through something called WDigest. WDigest credential harvesting is something that has been around for a long time, but it may need to be revisited as a result of a somewhat recent security threat.

Last year there was a piece of malware called Trickbot, and it had an unusual part, including a screenlocker module. The screen locker module was specifically designed to capture and harvest credentials. What was unique was how it actually went back and enabled that WDigest support. So if you had it disabled, or if you had it not set at all, it would actually go through your systems and enable WDigest support. The screen locker module would then kick in, making the user re-log in. That process of re-logging in captured the credentials; they could then harvest those credentials inside of LSA memory, and then off they went to the races. So their intention in this circumstance was not ransom; rather, they wanted your username and password.

Back in March of this year I actually wrote an article talking about WDigest and how it was a security patch that needed additional registry keys. And if you kind of snoozed a little bit and forgot about it, and realized that you didn't need it on Windows 8.1 and higher, you might not think you would need to care about it. But a BLEEPING COMPUTER article reminded us that even if you don't have WDigest enabled, the attackers can actually go back and re-enable it and capture that information.
So what is one to do? What you want to do is proactively set the registry key, even on the higher versions.

Then you want to monitor those registry keys and make sure they're not tampered with. So look for the key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest and actually set UseLogonCredential. You can do it through Group Policy. You can do it through a script. Then go back and query it and make sure it's set correctly. Even on 8.1 and 2012 R2 and higher, Windows 10, all of those newer versions, you don't need the registry key in place, but proactively putting it there means that attackers can't come back and reset it. So do a quick query and check across all endpoints to see that the WDigest setting is set to what you want it to be, not what the attackers want it to be.

Until next time, this is Susan Bradley for CSO Online. See you on the Tech Talk from IDG YouTube channel.