The Network: A financial services firm headquartered on the U.S. East Coast with several hundred servers and workstations.
The Expectation: Temporary staff are needed to handle a surge of work in the IT department. Such “experts” can be brought on the payroll on an as-needed basis for short periods of time and for specific tasks.
The Catch: EventTracker detected the modification of a specific registry key on two servers, one of which hosted a back-end MS SQL database and the other of which hosted a web-based front end with an application. The specific key was HKLM\SYSTEM\CurrentControlSet\Control\Lsa\LmCompatibilityLevel. This has been called “The Most Misunderstood Windows Security Setting of All Time.” The setting takes effect on the next reboot.
The Find: A contract employee hired by the IT department and provided Administrator privileges had been unhappy with the early termination of his contract and installed malware to eavesdrop on traffic between the front-end and back-end systems. This person wanted to “punish” his employer for perceived wrongs.
The Fix: Restore the registry key setting to its desired level (which is 5). Look for other administrative actions performed by the contract employee for evidence of improper behavior.
The Lesson: Stealing valid credentials is at the top of every attacker’s to-do list. It allows outsiders to masquerade as insiders. Critical registry settings such as LmCompatibilityLevel must be monitored on high value assets.
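The monitoring the lesson calls for, as an added example that is not part of the original case write-up: triage of Windows Security event 4657 (“A registry value was modified”) that flags any change lowering LmCompatibilityLevel below the desired level of 5. The host names, accounts and event text are constructed and simplified from the 4657 message layout; EventTracker’s own rule format is not shown.

```python
import re

# Defender-side triage of event 4657 for the LmCompatibilityLevel case.
# Added example; the events below are constructed, not taken from the incident.
LSA_KEY = r"\REGISTRY\MACHINE\SYSTEM\CurrentControlSet\Control\Lsa"  # how 4657 spells HKLM
WATCHED_VALUE = "LmCompatibilityLevel"
BASELINE = 5  # send NTLMv2 only, refuse LM and NTLM: the level the fix restores

FIELD = re.compile(r"^\s*([A-Za-z ]+?):\s*(\S.*)$", re.MULTILINE)


def parse_4657(text):
    """Map each 'Field: value' line of an exported 4657 event to a dict."""
    return {k.strip(): v.strip() for k, v in FIELD.findall(text)}


def reg_int(s):
    """DWORD data may be rendered as decimal or 0x-prefixed hex; accept both."""
    return int(s, 16) if s.lower().startswith("0x") else int(s)


def classify(fields):
    """None for unrelated changes; 'downgrade' when the new level is below the
    baseline; 'restore' when it is set back to the baseline or above."""
    if fields.get("Object Name") != LSA_KEY or fields.get("Object Value Name") != WATCHED_VALUE:
        return None
    return "downgrade" if reg_int(fields["New Value"]) < BASELINE else "restore"


def triage(events):
    """One (host, account, process, old, new, verdict) row per relevant event."""
    rows = []
    for text in events:
        f = parse_4657(text)
        verdict = classify(f)
        if verdict:
            rows.append((f["Computer"], f["Account Name"], f["Process Name"],
                         reg_int(f["Old Value"]), reg_int(f["New Value"]), verdict))
    return rows


# Constructed events: a downgrade on the SQL host, an unrelated Lsa change, a restore.
SAMPLE_EVENTS = [
    "Computer: SQL01\nAccount Name: adm_contractor\nObject Name: " + LSA_KEY +
    "\nObject Value Name: LmCompatibilityLevel\nOld Value: 5\nNew Value: 0x1\n"
    "Process Name: C:\\Windows\\regedit.exe",
    "Computer: WEB01\nAccount Name: svc_deploy\nObject Name: " + LSA_KEY +
    "\nObject Value Name: RestrictAnonymous\nOld Value: 0\nNew Value: 1\n"
    "Process Name: C:\\Windows\\System32\\svchost.exe",
    "Computer: SQL01\nAccount Name: adm_ir\nObject Name: " + LSA_KEY +
    "\nObject Value Name: LmCompatibilityLevel\nOld Value: 1\nNew Value: 5\n"
    "Process Name: C:\\Windows\\System32\\reg.exe",
]

if __name__ == "__main__":
    for row in triage(SAMPLE_EVENTS):
        print(*row)
```

Because the setting only takes effect at the next reboot, a “downgrade” row is the window in which to restore the value before any client falls back to a weaker authentication level.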