Credentials of a user logging onto a machine are often exposed in-memory, allowing malware to steal them and impersonate the user. Privileged users with access to sensitive business data should only connect to secure, trusted machines to minimize identity theft risk. Technical measures exist to enforce this rule, and this Indicator of Exposure verifies their implementation.
To make it harder for attackers and malware to steal privileged identities and the permissions attached to them, privileged users should only connect to trusted machines. After identifying privileged users and trusted machines with a "tier model," implement technical measures that enforce logon restrictions for privileged users in day-to-day operations, so that the restriction still holds when an administrator makes a mistake.
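The following PowerShell script is an added audit example, not part of the original page or of any vendor's product: it walks the privileged groups of a domain and reports, for each member, whether one of two common enforcement mechanisms is in place: the account's "Log On To" workstation list (the `LogonWorkstations` property, stored in the `userWorkstations` attribute) or assignment to an Authentication Policy Silo (`msDS-AssignedAuthNPolicySilo`). It assumes the ActiveDirectory RSAT module and read access to the domain; the group names and the trusted-workstation list (`PAW01`, `PAW02`) are constructed placeholders to replace with the output of your own tier model.

```powershell
# Added audit example (not from the original page). Assumes RSAT ActiveDirectory module.
Import-Module ActiveDirectory

# Privileged groups to audit (assumption: Tier 0 groups; extend from your tier model)
$PrivilegedGroups = @('Domain Admins', 'Enterprise Admins', 'Administrators')

# Trusted administrative workstations for these users (constructed sample names)
$TrustedHosts = @('PAW01', 'PAW02')

$seen = @{}
$results = foreach ($group in $PrivilegedGroups) {
    # Recursive expansion so nested group members are covered too
    $members = Get-ADGroupMember -Identity $group -Recursive |
        Where-Object { $_.objectClass -eq 'user' }

    foreach ($m in $members) {
        # A user can sit in several privileged groups; report each account once
        if ($seen.ContainsKey($m.distinguishedName)) { continue }
        $seen[$m.distinguishedName] = $true

        $u = Get-ADUser -Identity $m.distinguishedName `
            -Properties LogonWorkstations, 'msDS-AssignedAuthNPolicySilo'

        # Measure 1: "Log On To" workstation list (userWorkstations attribute, comma-separated)
        $allowed = @()
        if ($u.LogonWorkstations) { $allowed = $u.LogonWorkstations -split ',' }
        # Hosts on the list that are not in the trusted set weaken the restriction
        $untrusted = @($allowed | Where-Object { $TrustedHosts -notcontains $_ })

        # Measure 2: Authentication Policy Silo assignment (value is the silo's DN)
        $siloDn   = $u.'msDS-AssignedAuthNPolicySilo'
        $siloName = ''
        if ($siloDn) { $siloName = ($siloDn -split ',')[0] -replace '^CN=' }

        [pscustomobject]@{
            SamAccountName    = $u.SamAccountName
            Enabled           = $u.Enabled
            LogonWorkstations = ($allowed -join ',')
            UntrustedHosts    = ($untrusted -join ',')
            AuthPolicySilo    = $siloName
            Restricted        = [bool]($allowed.Count -gt 0 -or $siloDn)
        }
    }
}

# Table for review, then one warning per enabled privileged account with no restriction
$results | Sort-Object Restricted, SamAccountName | Format-Table -AutoSize
$results | Where-Object { $_.Enabled -and -not $_.Restricted } | ForEach-Object {
    Write-Warning "No logon restriction for privileged user $($_.SamAccountName)"
}
```

Run it from a management host with domain read rights; accounts flagged with `Restricted = False`, or with entries in `UntrustedHosts`, are the ones the exposure described above applies to. The script does not check the third common measure, the "Deny log on locally/through Remote Desktop Services/over the network" user rights assigned by GPO on non-trusted machines, which has to be reviewed on the GPO side.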
Name: Logon Restrictions for Privileged Users
Related tools:
Andrew Robbins (@_wald0), Rohan Vazarkar (@CptJesus), Will Schroeder (@harmj0y): BloodHound
Benjamin Delpy: Mimikatz