1
00:00:00,570 --> 00:00:06,870
And one more thing I want to do before we completely wrap this: I just wanted to map this attack to

2
00:00:06,870 --> 00:00:07,830
the MITRE ATT&CK

3
00:00:09,220 --> 00:00:10,340
framework, right?

4
00:00:10,380 --> 00:00:15,790
So we gained initial access, and we did that actually through a couple of ways.

5
00:00:15,790 --> 00:00:17,350
One, valid accounts, right?

6
00:00:17,380 --> 00:00:28,040
Remember, we found valid credentials for the Hector user and we were also able to, you know,

7
00:00:28,060 --> 00:00:29,290
use those credentials to log in.

8
00:00:29,830 --> 00:00:34,480
But the main method of getting those credentials was through exploiting a public-facing

9
00:00:34,480 --> 00:00:35,020
application.

10
00:00:35,020 --> 00:00:35,340
Right.

11
00:00:36,730 --> 00:00:37,990
You see here every type of skill.

12
00:00:39,020 --> 00:00:40,700
You'll see SQL injection is in here.

13
00:00:41,560 --> 00:00:46,680
So this happens a lot; a lot of groups use SQL injection to compromise systems.

14
00:00:46,710 --> 00:00:53,320
Yeah, this is still an old-school technique that still works in many ways, and we used sqlmap as well.

15
00:00:53,320 --> 00:00:55,110
But we did a lot of manual exploitation.

16
00:00:55,420 --> 00:00:58,680
So that's the initial access piece. Execution:

17
00:00:59,160 --> 00:01:03,940
we didn't really execute any malware or do any persistence. For privilege escalation,

18
00:01:04,850 --> 00:01:07,510
we did use valid accounts.

19
00:01:07,990 --> 00:01:08,370
Right.

20
00:01:09,630 --> 00:01:12,780
Which can make it relatively difficult to discover.

21
00:01:13,800 --> 00:01:20,700
Right, and we didn't really modify a system process; we modified a registry value, so these two

22
00:01:20,700 --> 00:01:27,300
things aren't a perfect mapping, but we did use valid accounts for escalation here.

23
00:01:28,460 --> 00:01:31,430
And so that's something you would also want to check out.

24
00:01:33,270 --> 00:01:39,210
Now, defense evasion, we didn't have to worry about that because AV was disabled. Credential access,

25
00:01:40,950 --> 00:01:47,400
you know, as far as that's concerned, you know, we didn't really do anything specific there, but

26
00:01:47,520 --> 00:01:48,570
for lateral movement.

27
00:01:49,740 --> 00:01:57,570
we used a valid account for lateral movement, so I'm not sure why it doesn't show

28
00:01:57,570 --> 00:02:00,910
that here. Collection and command and control:

29
00:02:01,680 --> 00:02:05,970
again, we didn't install any malware, so we weren't really controlling the application that way.

30
00:02:06,720 --> 00:02:10,260
But for exfiltration, we did exfiltrate over a web service.

31
00:02:10,260 --> 00:02:10,620
Right.

32
00:02:10,620 --> 00:02:13,140
Which is exfiltrated through the SQL injection attack vector.

33
00:02:14,770 --> 00:02:23,470
Which is common because, you know, web stuff usually can just blend in with the noise when you

34
00:02:23,470 --> 00:02:24,020
do it that way.

35
00:02:24,490 --> 00:02:28,840
And lastly, in terms of impact, of course, we could do account access removal.

36
00:02:28,850 --> 00:02:30,190
We had access to Hector's account.

37
00:02:30,190 --> 00:02:30,880
We could have deleted it.

38
00:02:30,880 --> 00:02:37,750
We could destroy data; you know, it'd be very easy to deface the website since we had access to the directory.

39
00:02:38,940 --> 00:02:44,510
You know, we could completely deny service to that box, stop all the services and shut down the server,

40
00:02:44,520 --> 00:02:44,750
right.

41
00:02:44,760 --> 00:02:46,040
We own the box completely.

42
00:02:46,050 --> 00:02:48,330
So that's just a rough mapping to MITRE ATT&CK.

43
00:02:48,930 --> 00:02:50,820
And I hope that brings things into perspective.

44
00:02:50,820 --> 00:02:55,800
You know, make sure that, you know, this could have been prevented if the server was properly, not

45
00:02:55,800 --> 00:03:06,150
patched specifically, but if the web application was properly sanitizing the right fields, right,

46
00:03:06,600 --> 00:03:07,920
SQL injection wouldn't have been possible.

47
00:03:08,160 --> 00:03:13,140
And on top of that, it also would have helped if the web application developers weren't using access

48
00:03:13,140 --> 00:03:15,510
control through custom headers.

49
00:03:16,050 --> 00:03:16,290
Right.

50
00:03:16,320 --> 00:03:19,920
You know, you don't need custom headers to restrict access to the application, because those

51
00:03:19,920 --> 00:03:25,200
headers can be fuzzed, which is what we did to gain unauthorized access to the target app.

52
00:03:25,710 --> 00:03:26,010
All right.

53
00:03:26,070 --> 00:03:26,480
That's all.

54
00:03:26,760 --> 00:03:28,170
And I hope you enjoyed this lecture.

55
00:03:28,470 --> 00:03:28,800
All right.
