Group Policies That Kill Kill Chains
Join us in the Black Hills InfoSec Discord server here: https://discord.gg/BHIS to keep the security conversation going! Reach out to Black Hills Infosec if you need pentesting, threat hunting, ACTIVE SOC, incident response, or blue team services -- https://www.blackhillsinfosec.com/

00:00 - Introducing what a kill chain is and the general background you need for this webcast
05:16 - Pre-reqs: things you need to know and practice
15:53 - Getting into group policies: best practices, and group policies we're not covering today but you should be doing already
20:56 - Local admin controls, honey accounts, LAPS, making a policy for admin groups
27:02 - Addressing LLMNR, SMB signing, configuring host firewalls
33:43 - Limiting and restricting logons, configuring your web proxies/WPAD, logging your network and alerts
42:46 - Kerberos ticket operations, catching PowerShell and CMD, utilizing Sysmon
47:44 - Q&A

Description: On this webcast, we'll guide you through an iterative process of building and deploying effective and practical Group Policy Objects (GPOs) that increase your security posture. The GPOs specifically focus on things that make attackers' lives difficult and help shut down the kill chain. Windows auditing, logging, event forwarding? Yes. Sysmon? Yes. Destroy LanMan? Kill LLMNR? Extend the AD schema for a longer minimum password length? Yes. Yes. Yes. Limit admin network logons? Yes. LAPS? Sure, why not? ADExplorer? Yes. Much, much more. These are the group policies that trip us up on every pentest in some fashion or another. Combining these configurations creates a security baseline that stops attackers in their tracks and causes them to move on to an easier victim.
Slides for this webcast can be found here: https://www.blackhillsinfosec.com/wp-content/uploads/2020/09/SLIDES_GroupPoliciesThatKillKillChains.pdf