
I could've run "net accounts" on my workstation to query Active Directory directly & see their password policy, but decided to look elsewhere first. I didn't want to set off any alerts or logging.

I know nothing about Windows, but I'd have thought checking password policies far less likely to alert than plugging in your own device on the network.

Anyway, my favourite bit was that they didn't stop the people in Accounts running PowerShell, they just raised an alert. I much prefer that approach to blocking people most likely just doing their job.



If PowerShell and cmd logging is turned on (and I'm sure it is) then seeing net * commands run from a marketing machine is hella bad. It's similar to "HEY LOOK AT ME IM HACKED!"

These logging things do get in the way of devs. They run PowerShell after ps... It's not uncommon for MBs a day of log per dev. So if you're wanting to run crap and get away with it, hack a dev machine and bury your commands in there.


So true. Just write an innocuous automation script that will fail on privs generating massive logs and then use debugging as an excuse when you try to systematically audit capabilities. Often helpful IT staff will open up vulns for ya to put an end to the noise. Of course in many orgs it’s necessary to do this in order to get legitimate work done too...



