1
00:00:00,450 --> 00:00:06,390
All right, welcome back. In this lecture, we are going to map everything against ATT&CK, the MITRE ATT&CK

2
00:00:06,390 --> 00:00:12,390
matrix, which is a vocabulary for basically understanding attackers' techniques and procedures.

3
00:00:13,400 --> 00:00:15,210
Let's go ahead and look at the enterprise matrix.

4
00:00:15,750 --> 00:00:23,890
This is a vernacular that every cybersecurity hopeful or expert needs to understand, so it would do

5
00:00:23,890 --> 00:00:26,190
you well to actually read through these techniques.

6
00:00:26,970 --> 00:00:28,440
But how do we get access to the box?

7
00:00:29,660 --> 00:00:34,770
I do remember well, it started with the SharePoint site, right.

8
00:00:34,920 --> 00:00:42,360
And there were really just clear text credentials that were sitting around on the SharePoint site.

9
00:00:42,360 --> 00:00:45,150
So we chose valid accounts to get there.

10
00:00:45,270 --> 00:00:50,430
Right, valid accounts, which is valid FTP credentials to FTP into the box.

11
00:00:51,000 --> 00:01:02,310
And then once we stepped in, we were able to look around and we found a password vault, where did

12
00:01:02,310 --> 00:01:02,660
I go?

13
00:01:04,920 --> 00:01:08,250
And then from there we got more valid accounts, then we cracked that.

14
00:01:08,640 --> 00:01:13,710
And then we were able to get to the share, the file share, which included a binary which had clear

15
00:01:13,710 --> 00:01:15,590
text credentials hard coded into that binary.

16
00:01:15,600 --> 00:01:17,550
So that's something to keep in mind.

17
00:01:17,820 --> 00:01:23,970
If you're a developer, you never want to include your clear text credentials inside of a binary executable

18
00:01:24,390 --> 00:01:25,770
because it can always be pulled out.

19
00:01:26,460 --> 00:01:30,660
And for execution, we used certutil, which is a living off the land binary.

20
00:01:31,650 --> 00:01:35,550
I think that's under command and scripting interpreter.

21
00:01:40,140 --> 00:01:48,130
Let's see if it is certutil. Actually, let's just go this way, search.

22
00:01:48,630 --> 00:02:01,850
Certutil, search certutil, and let's see, Ingress Tool Transfer, downloads from a given

23
00:02:01,850 --> 00:02:06,200
URL. Ingress Tool Transfer is the technical term.

24
00:02:09,730 --> 00:02:14,650
This is under Command and Control: Command and Control, Ingress Tool Transfer.

25
00:02:15,690 --> 00:02:17,740
That's what we used to download files

26
00:02:20,410 --> 00:02:24,790
to our system and to the system so we can go up.

27
00:02:31,670 --> 00:02:39,940
So this right here is the MITRE ATT&CK Ingress Tool Transfer, where we used certutil to download

28
00:02:40,000 --> 00:02:43,260
netcat onto the target system.

29
00:02:45,680 --> 00:02:52,130
From there we got a reverse shell and we were able to elevate using Juicy Potato, and that would be under privilege

30
00:02:52,130 --> 00:02:55,390
escalation, privilege escalation.

31
00:02:56,720 --> 00:02:57,560
Where is that?

32
00:03:05,100 --> 00:03:10,410
Access Token Manipulation was a technique we used in escalation, and this is where we basically used

33
00:03:10,410 --> 00:03:18,000
Juicy Potato; we created the process with the token and we were able to achieve SeImpersonate.

34
00:03:18,010 --> 00:03:18,320
Right.

35
00:03:20,130 --> 00:03:21,990
So this is straight out of the MITRE playbook.

36
00:03:22,620 --> 00:03:23,580
And here are the mitigations.

37
00:03:23,580 --> 00:03:24,170
You can scroll down.

38
00:03:24,190 --> 00:03:28,200
You can see these are some things you could do to limit an attacker like me from doing this in your

39
00:03:28,200 --> 00:03:28,770
environment.

40
00:03:29,670 --> 00:03:32,340
And you'd go down further and see, you know, how you can detect this.

41
00:03:32,340 --> 00:03:36,360
We already kind of looked at that in the event log. It doesn't actually include the detection that

42
00:03:36,360 --> 00:03:40,230
we saw from Florian Roth in the Sigma rule here.

43
00:03:41,190 --> 00:03:45,750
But it's good to, you know, basically search for MITRE and Sigma when you want to look at detections,

44
00:03:46,290 --> 00:03:47,170
references down below.

45
00:03:49,200 --> 00:03:50,220
So that is it.

46
00:03:50,400 --> 00:03:51,920
I hope you enjoyed this lecture.

47
00:03:51,930 --> 00:03:52,560
There's a lot here.

48
00:03:52,560 --> 00:03:54,060
You know, make sure you carefully go through it.

49
00:03:54,480 --> 00:04:00,060
You understand what we're doing and, you know, continue to learn and continue to be

50
00:04:00,060 --> 00:04:00,490
awesome.

51
00:04:00,840 --> 00:04:01,230
All right.

52
00:04:01,230 --> 00:04:01,550
Bye.
