Endpoint Privilege Manager
Milliken & Company, a diversified global manufacturer, has a long-standing heritage of exploring, discovering, and creating ways to enhance people’s lives. With a culture based on allowing freedom to innovate and operations across 50 sites globally, the company needed a flexible and scalable solution to address data privacy concerns and protect IP. To support this freedom, end users were running with full administrative rights on their company devices. Learn how Milliken efficiently deployed CyberArk Endpoint Privilege Manager on over 5,000 endpoints, implementing least privilege and application control policies with minimal impact to end-user experience.
CyberArk Viewfinity with enhanced protection is now CyberArk Endpoint Privilege Manager
Enforcing privilege security on the endpoint is a fundamental part of your security program. However, this impacts user and helpdesk productivity. Endpoint Privilege Manager helps remove this barrier and allows organizations to block and contain attacks at the endpoint, reducing the risk of information being stolen or encrypted and held for ransom.
A combination of privilege security and application control reduces the risk of malware infection. Unknown applications run in a restricted mode to contain threats, and behavioral analysis blocks credential theft attempts. These critical protection technologies are deployed as a single agent to strengthen your existing endpoint security.
In this paper we focus on detecting Pass-the-Hash attacks, after the credentials have been stolen, via the Event Viewer. Pass-the-Hash is an attack technique that allows an attacker to start lateral movement in the network over the NTLM protocol without needing the user's password, in contrast to Over Pass-the-Hash, which uses the Kerberos protocol. We compare legitimate and illegitimate NTLM connections, show which indicators can be used to distinguish between them, and show what we can conclude from that to build an algorithm that demonstrates detection of Pass-the-Hash attacks. CyberArk Labs created a tool (Ketshash) that demonstrates the detection methods discussed in this paper. This paper does not provide a 100% solution for Pass-the-Hash attacks, but it shows what can be done with the available tools and how to create a general view of the NTLM connections over the network.
This short demo previews new feature functionality of CyberArk Endpoint Privilege Manager.