1
00:00:00,330 --> 00:00:05,430
So now let's go ahead and enable the registry key that will allow us to remotely connect.

2
00:00:18,220 --> 00:00:22,430
Through the Windows command line.

3
00:00:33,790 --> 00:00:38,440
OK, so we want this key. Change the value of fDenyTSConnections to zero.

4
00:00:42,940 --> 00:00:43,360
Here we go.

5
00:00:43,390 --> 00:00:46,060
It looks like they've actually provided the full command here.

6
00:00:46,370 --> 00:00:50,080
Sweet. Pop that, go back to our shell.

7
00:00:53,770 --> 00:00:54,140
Nice.

8
00:00:54,660 --> 00:00:56,680
Now we need to disable the firewall,

9
00:01:03,550 --> 00:01:07,000
actually, instead of disabling it, let's just poke a hole through it.

10
00:01:07,000 --> 00:01:14,290
So enable RDP through the firewall, a little less noisy than turning the entire firewall off.

11
00:01:24,120 --> 00:01:25,540
This is not giving me what I want.

12
00:01:25,560 --> 00:01:26,590
Let's just go inside the room.

13
00:01:27,810 --> 00:01:28,520
Let's go back here.

14
00:01:30,810 --> 00:01:44,160
We can say netsh advfirewall, add rule, let's name it RDP, enable RDP, enable, that

15
00:01:44,160 --> 00:01:47,590
works, protocol.

16
00:01:48,570 --> 00:01:50,490
Oh it's going to kill me.

17
00:01:51,420 --> 00:01:55,710
That's... well, it looks like I need to copy and paste this,

18
00:01:59,090 --> 00:02:00,100
but have it in here.

19
00:02:00,150 --> 00:02:00,620
Yeah.

20
00:02:00,630 --> 00:02:01,560
Let's type it in here first.

21
00:02:02,130 --> 00:02:02,790
Copy and paste it.

22
00:02:03,360 --> 00:02:17,070
advfirewall firewall add rule name equals RDP, port, protocol equals TCP.

23
00:02:18,390 --> 00:02:20,460
The direction is going to be inbound.

24
00:02:22,410 --> 00:02:27,290
Local port is 3389 and the action is allow.

25
00:02:28,050 --> 00:02:28,860
Let's grab this.

26
00:02:38,100 --> 00:02:38,650
Does that work?

27
00:02:40,660 --> 00:02:41,420
No, it did not.

28
00:02:43,420 --> 00:02:44,200
We're done up.

29
00:02:47,200 --> 00:02:49,120
We need to add the rule because that's the problem.

30
00:02:51,930 --> 00:02:56,770
Trial and error, you know, you just keep trying until you get it.

31
00:02:59,680 --> 00:03:00,190
How was it?

32
00:03:00,730 --> 00:03:03,790
OK, so now that we have our desktop.

33
00:03:04,900 --> 00:03:05,500
Yes, we do.

34
00:03:06,040 --> 00:03:07,090
Our desktop

35
00:03:09,610 --> 00:03:10,720
will allow us to connect.

36
00:03:14,190 --> 00:03:25,060
So we can be like, let's see, let's do rdesktop, and then down here we'll pull it up

37
00:03:25,350 --> 00:03:26,100
to our desktop.

38
00:03:28,790 --> 00:03:29,520
What do we want?

39
00:03:29,640 --> 00:03:34,080
It wants a username, and then the server.

40
00:03:36,720 --> 00:03:40,350
These are body server

41
00:03:46,140 --> 00:03:46,830
daizy.

42
00:03:47,760 --> 00:03:49,290
The certificate is a tally.

43
00:03:49,720 --> 00:03:50,280
So I do.

44
00:03:51,480 --> 00:03:53,280
And what the crap is happening here.

45
00:03:54,280 --> 00:03:57,660
Failed to connect, CredSSP required by server.

46
00:04:02,290 --> 00:04:05,680
Let's try a different one, xfreerdp.

47
00:04:14,430 --> 00:04:22,920
OK, xfreerdp, our options are

48
00:04:30,420 --> 00:04:31,480
what do we want to do?

49
00:04:32,520 --> 00:04:33,870
Let's be smart about this.

50
00:04:34,440 --> 00:04:35,970
Grep are.

51
00:04:41,620 --> 00:04:47,080
Looks like this is the switch for user, and then I think there's a flag to scale the window.

52
00:04:47,410 --> 00:04:49,930
Yes, /size or /smart-sizing.

53
00:04:50,170 --> 00:05:00,580
OK, so I should be able to pull this off: /u, body, /p

54
00:05:04,270 --> 00:05:17,320
and then /scale or /smart-sizing. Can work with, say, invalid hostname.

55
00:05:17,320 --> 00:05:20,200
I wouldn't put it server in italic.

56
00:05:22,870 --> 00:05:24,490
And yes, I do trust the certificate.

57
00:05:24,520 --> 00:05:25,210
This is tally.

58
00:05:26,560 --> 00:05:27,870
We get that CredSSP crap.

59
00:05:29,050 --> 00:05:29,730
What does it say?

60
00:05:35,250 --> 00:05:41,490
ERRCONNECT_LOGON_FAILURE. I should take the last part out, actually, it was partial.

61
00:05:41,510 --> 00:05:42,190
That's one, two, three, one

62
00:05:45,620 --> 00:05:48,530
Oh, typos.

63
00:05:49,470 --> 00:05:50,000
Here we go.

64
00:05:50,430 --> 00:05:54,470
Smart sizing, I think, is nice because it'll actually, it'll scale the window.

65
00:05:55,800 --> 00:06:02,590
So it keeps, it allows us to scale it pretty easily and minimize everything else behind us.

66
00:06:03,450 --> 00:06:04,390
Nice clean window.

67
00:06:05,100 --> 00:06:08,580
So here we are in the compromised host.

68
00:06:10,170 --> 00:06:10,830
This is really cool.

69
00:06:10,860 --> 00:06:12,450
So now we are actually logged in.

70
00:06:12,480 --> 00:06:16,890
This box has been completely pwned by us and we can sort of explore the logs.

71
00:06:16,890 --> 00:06:19,110
We can look at evidence of attack.

72
00:06:19,500 --> 00:06:27,120
And I think there's actually a Sigma rule for Juicy Potato. Sigma rule, Juicy Potato.

73
00:06:28,170 --> 00:06:31,200
I'd be on Twitter or some segments just to standardize.

74
00:06:33,630 --> 00:06:34,460
How do I explain it?

75
00:06:34,470 --> 00:06:45,330
It's basically standard rules, kind of like, kind of like YARA rules, but it's for a SIEM, security

76
00:06:45,330 --> 00:06:48,570
events, information and event monitoring tool like Splunk.

77
00:06:49,110 --> 00:06:52,940
And so Sigma rules are the industry standard.

78
00:06:52,980 --> 00:06:56,970
This is what people should be using if they want to detect this kind of thing.

79
00:06:58,470 --> 00:07:04,470
And so here we can see Florian Roth has a Sigma rule that detects Juicy Potato-like attacks.

80
00:07:04,470 --> 00:07:10,470
We'll actually go to this GitHub page and look at the rule and then figure out, you know, how we can

81
00:07:10,470 --> 00:07:11,550
search the logs for this.

82
00:07:12,940 --> 00:07:15,030
You see, it's really pretty straightforward what it's doing.

83
00:07:15,600 --> 00:07:18,540
It's looking at logsource, Windows Security.

84
00:07:18,960 --> 00:07:22,740
You can see it actually even maps it to MITRE ATT&CK, which is pretty cool.

85
00:07:22,740 --> 00:07:26,280
Privilege escalation, credential access, which will be in the next video.

86
00:07:26,280 --> 00:07:31,110
But the product is Windows Security and we're looking for 4624 events.

87
00:07:31,110 --> 00:07:34,080
Logon type 3, the target username should be ANONYMOUS.

88
00:07:34,080 --> 00:07:37,550
Logon workstation should be a dash and it should be from the localhost.

89
00:07:39,540 --> 00:07:41,610
Let's go ahead and take a look to see if we can find this.

90
00:07:43,960 --> 00:07:46,230
So if we go to event viewer.

91
00:07:56,120 --> 00:07:56,750
It looks pretty bad.

92
00:07:56,830 --> 00:07:58,700
I want full screen is going to fix itself.

93
00:08:01,410 --> 00:08:02,220
I don't think it is.

94
00:08:04,890 --> 00:08:06,770
OK, so security logs, right?

95
00:08:22,240 --> 00:08:28,020
For 4624 events, so we can probably filter the log by clicking Filter Current Log. By the way, this box is

96
00:08:28,020 --> 00:08:28,980
super, super slow.

97
00:08:29,010 --> 00:08:34,140
So we want to be very, very gentle with it now because we don't want to completely lock it up.

98
00:08:37,230 --> 00:08:42,990
So Event ID, we want 4624,

99
00:08:47,160 --> 00:08:47,970
click OK.

100
00:08:50,450 --> 00:08:56,570
These are the 4624 events. We could potentially go through these logs and see,

101
00:09:03,290 --> 00:09:04,820
you know what, the logon type is 3.

102
00:09:07,240 --> 00:09:11,830
And the target username was ANONYMOUS LOGON, so if we had a SIEM set up, we could easily do that.

103
00:09:14,460 --> 00:09:19,720
Of course, this is something you want to see. You know, if you see a new account being created, as

104
00:09:19,720 --> 00:09:25,480
it is here, that's definitely an interesting event that you should look for.

105
00:09:33,170 --> 00:09:40,130
This is "An account was successfully logged on", right, but let's look for, like, account creation.

106
00:09:50,030 --> 00:09:51,400
It's 4720.

107
00:09:54,350 --> 00:09:59,570
Right, so if we go back here, we should be able to filter by 4720.

108
00:10:14,150 --> 00:10:17,310
Yeah, now we only have a few of these and you shouldn't see a lot of these in your environment.

109
00:10:18,380 --> 00:10:19,310
To be honest.

110
00:10:21,950 --> 00:10:26,280
Here you can see, let me scroll up a little bit.

111
00:10:26,320 --> 00:10:35,270
This is the RDP window, very, very laggy. Barney is being created and you can see the time.

112
00:10:35,960 --> 00:10:37,280
So that.

113
00:10:37,280 --> 00:10:37,460
Right.

114
00:10:37,460 --> 00:10:40,550
They would be alerted, the account being created.

115
00:10:42,010 --> 00:10:44,310
It's being created right here, or being alerted to it.

116
00:10:45,040 --> 00:10:47,500
What about adding users to the admin group?

117
00:11:03,050 --> 00:11:07,000
4732, a member was added to a security-enabled local group.

118
00:11:09,310 --> 00:11:10,390
4732.

119
00:11:13,670 --> 00:11:14,910
We should get even more information.

120
00:11:25,050 --> 00:11:29,940
You see Barney was made a member of Users there, and then one minute later

121
00:11:33,030 --> 00:11:34,660
she's a member of Administrators.

122
00:11:35,530 --> 00:11:39,270
So, yeah, that that again, that is a noisy event.

123
00:11:40,440 --> 00:11:44,450
I know the attack, but you can see how you could pick that up easily in the logs, right?

124
00:11:44,910 --> 00:11:45,570
That's pretty cool.

125
00:11:46,650 --> 00:11:51,210
And by the way, if you want to look at a very good cheat sheet that contains a lot of this, Google

126
00:11:51,210 --> 00:11:57,060
for HackerHurricane, who is HackerHurricane,

127
00:12:00,030 --> 00:12:06,120
Malware Archaeology cheat sheets, please.

128
00:12:06,420 --> 00:12:07,470
You can find it this way.

129
00:12:09,570 --> 00:12:16,600
Yeah, this guy's got some awesome ones for, if, you know, like, finding crap like this in your logs.

130
00:12:18,640 --> 00:12:18,890
Yeah.

131
00:12:18,900 --> 00:12:19,390
Here we go.

132
00:12:20,490 --> 00:12:22,770
Windows Logging Cheat Sheet is the PDF.

133
00:12:22,770 --> 00:12:24,380
You want this. It's gold.

134
00:12:24,390 --> 00:12:30,120
You can see it covers Windows 7 through Windows 2019. First, it tells you, you know, what you

135
00:12:30,120 --> 00:12:35,040
should enable and what configuration state, what tools you can use to gather the logs, and then how to

136
00:12:35,040 --> 00:12:41,430
actually, I'm saying, send those events to a SIEM like Splunk, and you can see here it's telling you what you need

137
00:12:41,430 --> 00:12:48,120
to enable, DNS logs, you know, how you configure a group policy.

138
00:12:49,710 --> 00:12:54,600
And then he actually talks about like what you can do to hunt for specific events.

139
00:12:57,550 --> 00:12:58,930
So this is really good.

140
00:12:58,960 --> 00:13:04,960
Here's actually the one right here, 4688. That's watching for a process to start

141
00:13:04,960 --> 00:13:06,100
and call other processes

142
00:13:09,940 --> 00:13:12,990
because there's a lot of really good stuff in here and it gives you the event IDs.

143
00:13:13,000 --> 00:13:14,110
That's really the important thing.

144
00:13:14,140 --> 00:13:16,800
This thing right here, little caption and then the event.

145
00:13:17,740 --> 00:13:20,990
So definitely download this and study it and you'll be well on your way.

146
00:13:22,240 --> 00:13:28,060
You can even see the logon types, right, logon type 3, network, net use. If you remember back in Sigma,

147
00:13:29,230 --> 00:13:30,190
logon type 3.

148
00:13:30,430 --> 00:13:30,720
Right.

149
00:13:31,360 --> 00:13:34,180
So that means that this was, let's go back,

150
00:13:36,190 --> 00:13:37,810
this was non-interactive, right.

151
00:13:37,930 --> 00:13:42,670
It was purely using the net use command, which is what we used with Juicy Potato

152
00:13:46,390 --> 00:13:46,900
back here.

153
00:13:47,740 --> 00:13:58,030
And this is basically using, where is it, these net commands: net share, net localgroup, net use.

154
00:13:58,640 --> 00:13:58,960
Right.

155
00:14:00,100 --> 00:14:01,930
So that is definitely something you would want to see.

156
00:14:01,930 --> 00:14:08,050
So download these from Malware Archaeology and, you know, start studying them.

157
00:14:10,720 --> 00:14:11,730
And really, that's really it.

158
00:14:11,740 --> 00:14:14,830
I mean, we could continue looking through this computer.

159
00:14:16,000 --> 00:14:18,370
We already kind of know what is on the file system.

160
00:14:22,500 --> 00:14:27,830
You know what, that directory, there's nothing in that, I mean, this little folder holds, but, you know,

161
00:14:27,840 --> 00:14:28,580
you could dig into this.

162
00:14:28,580 --> 00:14:29,760
You can go deeper if you want.

163
00:14:30,510 --> 00:14:34,800
You can, you know, look at the IIS configuration here.

164
00:14:37,110 --> 00:14:39,900
If you wanted to, for example, you can right click.

165
00:14:39,900 --> 00:14:45,300
You can go to Internet Information Services.

166
00:14:45,930 --> 00:14:54,060
You could open this up, you know, poke around, see how they have everything configured with the application

167
00:14:54,060 --> 00:14:54,570
pools.

168
00:14:55,230 --> 00:14:56,850
And you can see what logging they actually have.

169
00:14:56,880 --> 00:14:58,440
These are all the applications they have set up.

170
00:14:58,510 --> 00:15:03,210
It's like there's a bunch of a bunch of different sites set up here.

171
00:15:04,310 --> 00:15:05,150
All right.

172
00:15:05,160 --> 00:15:08,730
And you can even see, like, the logging levels, like, I guess if you, logging, maybe the logging is

173
00:15:08,730 --> 00:15:10,650
not adequate, IIS logs.

174
00:15:12,480 --> 00:15:17,410
I can't get to it, what's even going to happen, so I don't know what's up with that. You probably need

175
00:15:17,410 --> 00:15:20,710
to be the IIS service in order to look at those logs.

176
00:15:22,510 --> 00:15:22,680
Yes.

177
00:15:22,740 --> 00:15:23,770
So that's the box.

178
00:15:24,490 --> 00:15:25,960
That is everything I have for you.

179
00:15:29,080 --> 00:15:29,870
In the next lecture,

180
00:15:29,890 --> 00:15:31,090
we are going to dig into MITRE.

181
00:15:31,100 --> 00:15:37,600
I'm going to map everything to the MITRE ATT&CK framework so you can see all the awesomeness from the MITRE

182
00:15:37,600 --> 00:15:38,490
perspective.

183
00:15:44,220 --> 00:15:47,590
There's duty data, right, all right.

184
00:15:47,610 --> 00:15:50,730
So I will see you in the next lecture.

185
00:15:51,510 --> 00:15:52,040
All right, bye.
