Re: Simple enough
"If admin creds are getting stolen you have issues with your admins not keeping things tidy. If your admins have these issues, I don't wanna know what else is going down the toilet."
We're global, we have thousands of exit nodes we monitor, as well as log aggregators, network taps, HIPS, IPS and more.
We see webshells created from an unknown entry point, lateral spread via RDP sessions, notepad used as a tool-depositing tool, the resultant script run, which installed more tools, then pass the hash uncovering admin accounts on that box, then those used to enter Active Directory and raise merry hell quietly on the network.
Incident response teams try to contact that distant manager and admin, to learn that it's between 1 and 3 AM and nobody can respond.
Or the server is a critical server room pet, which takes days to get off of the network.
The bugger even got into our antivirus server, software inventory server and more.
The adversary knows the network well now, knows when response will be slow and has capitalized upon that repeatedly.
2FA would help a lot, but corporate doesn't want to spend the money, as we're talking global 2FA for 100K users.
I could write a script that could follow the SOB back to the ingress point, terminating his connections and installing itself on the lateral spread points, but the script would have to have a global admin privilege set and that is a greater security risk.