What To Do When an Admin is Compromised

A common tactic used by hackers once they have landed within your environment, is to escalate their level of access by compromising a user with administrative privileges.  In this post, we cover the issues with admin accounts being compromised, and the steps you can take if you believe one of yours has been.

To have a privileged user or an admin compromised instantly jeopardizes the cybersecurity of an entire organization. With the access power of a privileged user or admin, a malicious actor can gain widespread access, install malware, and make system-level alterations. This can open you up to losses far worse than if a read-only or standard-level user clicked on something they shouldn’t. A hacker who gains admin level access could potentially manage privileged user accounts or groups, reset passwords, change domain security group memberships, or even create legitimate-looking accounts to allow for future malicious use. All of this would be difficult to trace, given that it looks like it’s coming from an authorized source.

Unfortunately, no matter how robust your security hygiene is, accidents can happen or a clever, determined hacker can configure a way into your system. Many times this is from zero-day attacks undetected by your Antivirus, or via compromised passwords traded on the dark web. Hackers have many other tactics at their disposal to attempt to gain this level of control – it’s what you can do about it once it happens that we are focusing on today.

So what can you do if these privileged users are compromised? Here are seven steps to take to protect your systems:

1. Disable Accounts and Change Passwords

The first step should be the most basic: disable the affected user’s compromised account. You’ll need to reset all admin-level passwords, and just to be safe, you should have (Read more...)

*** This is a Security Bloggers Network syndicated blog from IntelliGO MDR Blog authored by Adam Mansour. Read the original post at: