Press Release

Preempt Releases Industry-First Functionality Allowing Enterprises to Eliminate Stolen User Credentials & Lateral Movement as Threat Vectors

Feb 02, 2018

New NTLM and DCE/RPC Capabilities can automatically detect and block abnormal behavior, including use of toolkits employed by attackers

SAN FRANCISCO – February 22, 2018 – Preempt, a leader in adaptive threat prevention that helps enterprises eliminate insider threats and security breaches, today announced new industry-first capabilities that provide organizations with control over some of the most persistent areas of risk in a network while simultaneously robbing attackers of their favorite tools. The Preempt Platform enables organizations to easily control security risk by directly analyzing protocols such as NTLM and Distributed Computing Environment / Remote Procedure Calls (DCE/RPC) and automatically stopping abnormal or malicious behavior.

Last year’s Petya/NotPetya outbreak put the world of IT security on edge, as the malware was able to laterally spread from machine to machine. Researchers found that Petya exhibited an increasingly common trait for malware – after the initial infection it would use a combination of common tools that IT Administrators use such as Mimikatz, PsExec, and WMI to steal credentials and spread through the network.  Some of these tools are very common and hard to blacklist in a network, and likewise make use of protocols such as NTLM and DCE/RPC.

“With the addition of broader NTLM and DCE/RPC protocol support, as well as Kerberos and LDAP, we are giving IT teams visibility into how users are being authenticated for any activity on the network,” said Roman Blachman, CTO and co-founder at Preempt. “This can allow teams to eliminate any unnecessary or dangerous use of NTLM or DCE/RPC and automatically provide additional controls when necessary. Instead of allowing these protocols to be used universally and without oversight, it can be allowed only in the few instances where it is required and by legitimate verified users and denied otherwise.”

Preempt’s new protocol protection functionality allows, for the first time in the industry, organizations to take a proactive role in dealing with tools such as Mimikatz and PsExec (which have been associated with everything from PoS malware to webshells) and their protocols. NTLM traffic is encrypted, making it impossible to directly analyze on the wire. Preempt is the first behavioral analysis platform to decrypt and decode NTLM traffic for analysis and prescriptively enforce policy directly on the traffic. This allows Preempt to both detect and block the use of tools like Mimikatz on the network.

“NTLM is hard to manage directly as the session traffic is encrypted. This means most organizations have been limited to monitor NTLM via log files, which typically lack important information such as the host IP address,” added Blachman. “With this new functionality, we are giving organizations the power to preempt risks before they can become a major issue.”

The latest Preempt release also adds support for the analysis of DCE/RPC traffic. Given that tools like Powershell, WMI, and PsExec are commonly needed by administrators, they can’t reasonably be blacklisted. Instead, Preempt uses identity, behavior, and risk analysis to identify and challenge any abnormal DCE/RPC behavior as well as other protocols and activities. For example, DCE/RPC can be allowed but only by any administrator, and only after passing an MFA challenge. Instead of giving attackers free reign inside the network to use DCE/RPC, administrators can limit it to instances of verified need.

For more details on Preempt Platform’s new functionality, visit

Additional Resources:

Detailed Blog: