How Attackers Move Laterally In Your Network

Vectra’s Director of Consulting Analysts Jonathan Barrett explains the basics of RPC and Kerberos and how attackers use them in your network. Understand how to investigate some of the behavioral models that the Managed Detection and Response (MDR) team gets asked about the most. Understand the role that Reconnaissance and Lateral Movement models such as Privilege Anomaly, Suspicious Remote Execution, and RPC Recon play in finding malicious actors, and see some expected, authorized examples of these behaviors:
► The role Kerberos and RPC traffic play on the network
► The behaviors Vectra identified that use these protocols
► How to investigate these behaviors both in and out of Vectra


You can find more information here:
► Read about Vectra Sidekick MDR Services: https://www.vectra.ai/resources/vectr...
► 24*7 eyes-on-glass service for threat detection and response: https://www.vectra.ai/blogpost/introd...
► Vectra is Security that thinks. Learn more at www.vectra.ai

0:00 Introduction
2:57 What this presentation is not
6:41 Where does it fit into a Windows network?
12:03 What to focus on
13:24 Common SPNs
14:48 Common Errors
16:36 Common Attacks
24:33 What is happening
25:42 RPC authentication and encryption
26:25 RPC encapsulation within secondary protocols
27:00 Basic RPC Structure
28:36 Basic RPC operations and fields
31:47 Common Endpoints
35:02 Attackers' uses of RPC traffic
37:53 Kerberos is about detecting the usage of access
38:34 Privilege spectrum
40:36 Traffic Evaluation
47:50 RPC is about understanding goal
48:35 RPC Targeted Recon
