1 00:00:00,270 --> 00:01:02,719 [Music] 2 00:01:02,719 --> 00:01:05,220 so 3 00:01:05,220 --> 00:01:27,280 [Music] 4 00:01:27,280 --> 00:01:29,520 hey everybody welcome to grim con uh 5 00:01:29,520 --> 00:01:31,920 thank you so much for joining us today 6 00:01:31,920 --> 00:01:34,880 i'm really super excited to be here and 7 00:01:34,880 --> 00:01:37,200 uh talking about some finishing moves 8 00:01:37,200 --> 00:01:40,640 um so thank you for everybody uh for 9 00:01:40,640 --> 00:01:43,119 inviting me here and uh so let's get 10 00:01:43,119 --> 00:01:45,200 going so this is how to detect finishing 11 00:01:45,200 --> 00:01:47,119 moves before it's game over 12 00:01:47,119 --> 00:01:49,439 and i know i'm sure we have some moral 13 00:01:49,439 --> 00:01:51,360 combat fans that are out there 14 00:01:51,360 --> 00:01:53,680 um so why don't you 15 00:01:53,680 --> 00:01:55,840 you know put in chat or you know 16 00:01:55,840 --> 00:01:58,159 whatever just to tell me you know who 17 00:01:58,159 --> 00:02:00,399 your favorite mortal kombat character is 18 00:02:00,399 --> 00:02:02,479 uh maybe there are a couple you know 19 00:02:02,479 --> 00:02:05,200 maybe it's evolved through time you know 20 00:02:05,200 --> 00:02:07,040 finishing moves in 21 00:02:07,040 --> 00:02:09,280 insecurity definitely evolve through 22 00:02:09,280 --> 00:02:11,280 time although you know some of them have 23 00:02:11,280 --> 00:02:13,520 been around probably for 24 00:02:13,520 --> 00:02:15,120 you know a dozen years 25 00:02:15,120 --> 00:02:17,360 um but so who's who's your favorite one 26 00:02:17,360 --> 00:02:19,760 you know mine is definitely you'll see 27 00:02:19,760 --> 00:02:23,599 in my character sheet uh katana 28 00:02:23,599 --> 00:02:24,879 thank you to our marketing department 29 00:02:24,879 --> 00:02:27,200 for coming up with this it's super cool 30 00:02:27,200 --> 00:02:29,599 uh yeah she's rocking a mask so she's 31 00:02:29,599 --> 00:02:31,920 you know keep 
keeping it safe but you 32 00:02:31,920 --> 00:02:34,640 know also with some cool defense tools 33 00:02:34,640 --> 00:02:37,519 there um you know my signature move is 34 00:02:37,519 --> 00:02:39,760 honey hot hellfire i don't exactly know 35 00:02:39,760 --> 00:02:42,160 what that means but you know we may uh 36 00:02:42,160 --> 00:02:45,440 in introduce it as some kind of feature 37 00:02:45,440 --> 00:02:47,040 right in the future because that's kind 38 00:02:47,040 --> 00:02:48,319 of a cool name 39 00:02:48,319 --> 00:02:51,120 um i'm not super stealthy but you know 40 00:02:51,120 --> 00:02:53,440 the glasses help with sight so that's 41 00:02:53,440 --> 00:02:54,560 that's a plus 42 00:02:54,560 --> 00:02:56,160 uh origin story is protector of the 43 00:02:56,160 --> 00:02:59,120 realm i love defense uh and detection 44 00:02:59,120 --> 00:03:01,360 and hacker of mental health so i'm ceo 45 00:03:01,360 --> 00:03:03,040 of mental health hackers and you can 46 00:03:03,040 --> 00:03:05,280 find us at hacker's health if you want 47 00:03:05,280 --> 00:03:08,239 more information on that 48 00:03:08,480 --> 00:03:10,159 so here we go 49 00:03:10,159 --> 00:03:13,280 uh what exactly are finishing moves uh 50 00:03:13,280 --> 00:03:15,280 we know what they are in mortal kombat 51 00:03:15,280 --> 00:03:18,080 right finish him um i wish i had you 52 00:03:18,080 --> 00:03:20,159 know the sound board i'm sure there's a 53 00:03:20,159 --> 00:03:22,000 you know the mortal kombat sound board 54 00:03:22,000 --> 00:03:23,840 out there so you guys could have a 55 00:03:23,840 --> 00:03:25,200 little bit of a 56 00:03:25,200 --> 00:03:27,840 peek back into that kind of stuff um i 57 00:03:27,840 --> 00:03:29,360 mean i mean maybe you still play the new 58 00:03:29,360 --> 00:03:31,280 one's pretty interesting 59 00:03:31,280 --> 00:03:34,400 so but as far as information security 60 00:03:34,400 --> 00:03:36,080 these are detections that should be 61 00:03:36,080 --> 
00:03:38,159 considered high fidelity and high 62 00:03:38,159 --> 00:03:40,640 priority threats so when one comes 63 00:03:40,640 --> 00:03:42,799 through it's almost certain that it's 64 00:03:42,799 --> 00:03:44,319 not going to be a false positive and 65 00:03:44,319 --> 00:03:46,080 you're going to need to engage incident 66 00:03:46,080 --> 00:03:48,799 response at some point right 67 00:03:48,799 --> 00:03:50,480 um so 68 00:03:50,480 --> 00:03:52,640 when you get a solution that's reporting 69 00:03:52,640 --> 00:03:55,280 this kind of activity um context is 70 00:03:55,280 --> 00:03:57,519 extremely important right 71 00:03:57,519 --> 00:03:59,439 you you know you don't want an alert 72 00:03:59,439 --> 00:04:02,000 that's just the name of alert maybe a 73 00:04:02,000 --> 00:04:04,720 link to a wikipedia article or her to a 74 00:04:04,720 --> 00:04:06,159 miter technique 75 00:04:06,159 --> 00:04:08,000 or something like that like that's not 76 00:04:08,000 --> 00:04:10,000 super helpful you know it's really 77 00:04:10,000 --> 00:04:12,879 important to have some kind of analysis 78 00:04:12,879 --> 00:04:15,360 and explanation of not only what's being 79 00:04:15,360 --> 00:04:17,199 detected but why 80 00:04:17,199 --> 00:04:19,440 what like the information around it why 81 00:04:19,440 --> 00:04:20,720 is it bad 82 00:04:20,720 --> 00:04:22,639 um sometimes you'll get this with an 83 00:04:22,639 --> 00:04:23,840 mssp 84 00:04:23,840 --> 00:04:26,560 um sometimes you know you may have to 85 00:04:26,560 --> 00:04:29,280 build this into your own 86 00:04:29,280 --> 00:04:30,320 um 87 00:04:30,320 --> 00:04:32,240 uh environment and whatever thing that 88 00:04:32,240 --> 00:04:33,680 you're using 89 00:04:33,680 --> 00:04:35,680 that's what we try and do inside lumira 90 00:04:35,680 --> 00:04:38,560 and is build all that into the product 91 00:04:38,560 --> 00:04:39,520 um 92 00:04:39,520 --> 00:04:41,759 so you know because not everybody is 93 
00:04:41,759 --> 00:04:43,600 going to be a subject matter expert in 94 00:04:43,600 --> 00:04:45,360 all areas of defense and instant 95 00:04:45,360 --> 00:04:47,600 response like i'm definitely not like as 96 00:04:47,600 --> 00:04:50,560 much as i enjoy it and love it i'm not 97 00:04:50,560 --> 00:04:54,000 you know the subject matter expert in 98 00:04:54,000 --> 00:04:56,479 all of that that's a huge huge huge 99 00:04:56,479 --> 00:04:58,400 section of stuff right 100 00:04:58,400 --> 00:05:00,560 um you know you can defend against all 101 00:05:00,560 --> 00:05:02,800 technology so there's no way you can be 102 00:05:02,800 --> 00:05:04,560 an sme in all of that 103 00:05:04,560 --> 00:05:06,560 but it's better to have some kind of 104 00:05:06,560 --> 00:05:08,560 analysis and understanding of what's 105 00:05:08,560 --> 00:05:09,520 happening 106 00:05:09,520 --> 00:05:11,360 during at least these finishing move 107 00:05:11,360 --> 00:05:12,320 attacks 108 00:05:12,320 --> 00:05:15,440 um you know other than that title right 109 00:05:15,440 --> 00:05:18,000 so i've also heard of several different 110 00:05:18,000 --> 00:05:20,400 solutions uh that 111 00:05:20,400 --> 00:05:21,440 you know 112 00:05:21,440 --> 00:05:24,240 when people the customers ask you know 113 00:05:24,240 --> 00:05:26,000 why wasn't this certain thing detected 114 00:05:26,000 --> 00:05:27,919 you know you'll have a pen test or you 115 00:05:27,919 --> 00:05:30,400 know some some sort of incident where 116 00:05:30,400 --> 00:05:32,560 they're like okay i know this 117 00:05:32,560 --> 00:05:33,919 definitely shouldn't should have been 118 00:05:33,919 --> 00:05:35,039 detected 119 00:05:35,039 --> 00:05:38,240 um i've heard several times well your 120 00:05:38,240 --> 00:05:40,160 your environment isn't baselined yet you 121 00:05:40,160 --> 00:05:42,479 know you haven't had the the especially 122 00:05:42,479 --> 00:05:43,680 when they're doing proof of concepts 123 
00:05:43,680 --> 00:05:45,680 right um your environment isn't 124 00:05:45,680 --> 00:05:47,759 baselined it's not been you know there 125 00:05:47,759 --> 00:05:49,919 long enough to figure out uh what's 126 00:05:49,919 --> 00:05:51,520 normal and what in your network and 127 00:05:51,520 --> 00:05:52,880 what's not 128 00:05:52,880 --> 00:05:53,919 um 129 00:05:53,919 --> 00:05:55,759 there are a ton of things in an 130 00:05:55,759 --> 00:05:57,360 environment that should never need 131 00:05:57,360 --> 00:05:59,039 baseline all right that's what these 132 00:05:59,039 --> 00:06:01,199 finishing moves are 133 00:06:01,199 --> 00:06:03,039 we like to differentiate different types 134 00:06:03,039 --> 00:06:04,800 of detections in different ways so 135 00:06:04,800 --> 00:06:06,560 you'll see those in the use cases we're 136 00:06:06,560 --> 00:06:08,560 going to go over here in a little bit 137 00:06:08,560 --> 00:06:09,680 but 138 00:06:09,680 --> 00:06:11,919 most of what you know the the single 139 00:06:11,919 --> 00:06:14,560 point in time 140 00:06:14,560 --> 00:06:16,240 detections that we use are called 141 00:06:16,240 --> 00:06:17,759 indicators 142 00:06:17,759 --> 00:06:20,319 you don't think of them as iocs but just 143 00:06:20,319 --> 00:06:21,120 like 144 00:06:21,120 --> 00:06:23,680 this certain thing happened right now i 145 00:06:23,680 --> 00:06:25,039 want to know about it as soon as 146 00:06:25,039 --> 00:06:26,080 possible 147 00:06:26,080 --> 00:06:27,039 um 148 00:06:27,039 --> 00:06:30,000 it's not something that you know 149 00:06:30,000 --> 00:06:32,639 should wait 20 minutes for a query to 150 00:06:32,639 --> 00:06:35,600 run or you know 24 hours for you to get 151 00:06:35,600 --> 00:06:38,000 a report or maybe the off chance that 152 00:06:38,000 --> 00:06:39,759 you log into the solution and see oh 153 00:06:39,759 --> 00:06:41,520 this thing is bad 154 00:06:41,520 --> 00:06:43,520 um there are certain things that you 155 
00:06:43,520 --> 00:06:45,680 should know about 156 00:06:45,680 --> 00:06:46,560 now 157 00:06:46,560 --> 00:06:47,440 right 158 00:06:47,440 --> 00:06:48,400 um 159 00:06:48,400 --> 00:06:51,919 so those fire as soon as possible in the 160 00:06:51,919 --> 00:06:54,639 process um at the mirror even before 161 00:06:54,639 --> 00:06:57,199 they're stored on the database back end 162 00:06:57,199 --> 00:07:00,000 and the uh examples that i'll show you 163 00:07:00,000 --> 00:07:01,840 here a little bit are all of those kind 164 00:07:01,840 --> 00:07:04,240 of things so 165 00:07:04,240 --> 00:07:05,599 along with the detections that we'll go 166 00:07:05,599 --> 00:07:09,280 over um having playbooks so either from 167 00:07:09,280 --> 00:07:11,919 your sim vendor or internally are going 168 00:07:11,919 --> 00:07:13,680 to help you follow through for a quick 169 00:07:13,680 --> 00:07:14,880 response 170 00:07:14,880 --> 00:07:16,960 and i guarantee you that time to 171 00:07:16,960 --> 00:07:19,120 detection time to response time to 172 00:07:19,120 --> 00:07:21,280 remediation are going to be some of the 173 00:07:21,280 --> 00:07:23,280 key cyber security metrics in coming 174 00:07:23,280 --> 00:07:24,160 years 175 00:07:24,160 --> 00:07:25,919 um i know a lot of people are using them 176 00:07:25,919 --> 00:07:27,840 already and honestly it's one of the 177 00:07:27,840 --> 00:07:30,720 best things we've seen as far as metrics 178 00:07:30,720 --> 00:07:33,280 that you can use to pay attention to 179 00:07:33,280 --> 00:07:36,240 your program maturity 180 00:07:36,240 --> 00:07:38,560 so our first player here is sub-zero and 181 00:07:38,560 --> 00:07:40,880 he wins right so that's definitely a 182 00:07:40,880 --> 00:07:44,319 finishing move there for poor raiden um 183 00:07:44,319 --> 00:07:47,120 and you know maybe that's just like a 184 00:07:47,120 --> 00:07:49,599 active view of what the bits look like 185 00:07:49,599 --> 00:07:53,120 during this 
curve roasting attack 186 00:07:53,360 --> 00:07:55,440 so i'm not going to go too much into the 187 00:07:55,440 --> 00:07:57,759 inner workings of how microsoft active 188 00:07:57,759 --> 00:08:00,080 directory authentication functions 189 00:08:00,080 --> 00:08:02,639 um or how to successfully exploit it but 190 00:08:02,639 --> 00:08:04,160 you know we'll get into a little bit of 191 00:08:04,160 --> 00:08:06,479 it um you know we can't touch all of 192 00:08:06,479 --> 00:08:08,479 those things in the short amount of time 193 00:08:08,479 --> 00:08:10,400 that that is a talk but we'll cover some 194 00:08:10,400 --> 00:08:13,039 of the high level things um and we'll 195 00:08:13,039 --> 00:08:15,039 discuss ways to detect both in your 196 00:08:15,039 --> 00:08:17,280 environment so first i'll cover curb 197 00:08:17,280 --> 00:08:18,479 roasting 198 00:08:18,479 --> 00:08:20,879 and then as rep roasting and then right 199 00:08:20,879 --> 00:08:22,160 now we'll go over a little bit of 200 00:08:22,160 --> 00:08:23,520 differences 201 00:08:23,520 --> 00:08:25,680 or high level differences right so 202 00:08:25,680 --> 00:08:27,840 curb roasting is an enumeration attack 203 00:08:27,840 --> 00:08:29,680 on accounts in active directory 204 00:08:29,680 --> 00:08:33,519 uh using it's the microsoft spn which is 205 00:08:33,519 --> 00:08:36,958 service principal name ticket function 206 00:08:36,958 --> 00:08:40,399 uh while as rep roasting is an attack 207 00:08:40,399 --> 00:08:42,880 that specifically is against accounts 208 00:08:42,880 --> 00:08:44,320 that don't require 209 00:08:44,320 --> 00:08:46,560 uh pre-authentication so 210 00:08:46,560 --> 00:08:47,920 active directory requires 211 00:08:47,920 --> 00:08:50,080 pre-authentication by default but on 212 00:08:50,080 --> 00:08:52,240 account by count basis you can disable 213 00:08:52,240 --> 00:08:53,760 it um 214 00:08:53,760 --> 00:08:56,720 you know with it with a check mark right 215 
00:08:56,720 --> 00:08:59,440 um as far as the request goes uh from 216 00:08:59,440 --> 00:09:02,399 the attacker uh with kerber roasting you 217 00:09:02,399 --> 00:09:04,720 know the threat actor enumerates active 218 00:09:04,720 --> 00:09:07,360 directory and 219 00:09:07,360 --> 00:09:11,120 uses that spn ticket right so it's at 220 00:09:11,120 --> 00:09:14,480 the kerberos ticket granting service um 221 00:09:14,480 --> 00:09:16,240 and they use those for the spns that 222 00:09:16,240 --> 00:09:17,519 have been gathered 223 00:09:17,519 --> 00:09:18,320 with 224 00:09:18,320 --> 00:09:20,160 as rep roasting 225 00:09:20,160 --> 00:09:22,720 they request the ticket granting ticket 226 00:09:22,720 --> 00:09:24,640 so a little bit of a difference there 227 00:09:24,640 --> 00:09:26,720 one's the service enumeration one is the 228 00:09:26,720 --> 00:09:28,399 actual ticket 229 00:09:28,399 --> 00:09:30,320 the response from the active directory 230 00:09:30,320 --> 00:09:33,120 domain controller in kerberos um is 231 00:09:33,120 --> 00:09:35,440 going to respond with that ticket right 232 00:09:35,440 --> 00:09:37,519 and that ticket 233 00:09:37,519 --> 00:09:40,480 is stored in memory so that's where you 234 00:09:40,480 --> 00:09:43,440 end up getting the extracted hashes from 235 00:09:43,440 --> 00:09:44,800 um to go down to the extracted 236 00:09:44,800 --> 00:09:47,360 particular listing and then with as rep 237 00:09:47,360 --> 00:09:48,560 roasting 238 00:09:48,560 --> 00:09:50,880 the dc responds with the ticket granted 239 00:09:50,880 --> 00:09:53,360 ticket so that is actually 240 00:09:53,360 --> 00:09:56,240 um captured from the data packet that 241 00:09:56,240 --> 00:09:58,880 comes across in that response 242 00:09:58,880 --> 00:09:59,839 so 243 00:09:59,839 --> 00:10:01,600 two different attacks 244 00:10:01,600 --> 00:10:04,000 that definitely boast both against the 245 00:10:04,000 --> 00:10:05,440 active directory authentication 246 
00:10:05,440 --> 00:10:06,560 functions 247 00:10:06,560 --> 00:10:07,440 um 248 00:10:07,440 --> 00:10:08,800 fairly common 249 00:10:08,800 --> 00:10:10,560 extremely easy to run 250 00:10:10,560 --> 00:10:12,240 uh and we'll go over some examples of 251 00:10:12,240 --> 00:10:14,480 that 252 00:10:16,800 --> 00:10:19,680 so to be effective uh an attacker during 253 00:10:19,680 --> 00:10:22,000 the kerber roasting uh is gonna have to 254 00:10:22,000 --> 00:10:24,160 select what kind of encryption is this 255 00:10:24,160 --> 00:10:25,839 is susceptible to those brute force 256 00:10:25,839 --> 00:10:28,079 attacks in curb roasting it's almost 257 00:10:28,079 --> 00:10:29,920 always rc4 258 00:10:29,920 --> 00:10:31,519 uh m8 259 00:10:31,519 --> 00:10:34,800 rc4 hmac 260 00:10:34,800 --> 00:10:36,320 so and we see it's a favorite of pen 261 00:10:36,320 --> 00:10:39,279 testers but then you might ask yourself 262 00:10:39,279 --> 00:10:41,120 is it still being used in the wild right 263 00:10:41,120 --> 00:10:43,519 are there attacks that like or 264 00:10:43,519 --> 00:10:45,519 is it just like oh this pen tester is 265 00:10:45,519 --> 00:10:47,279 doing a proof of concept 266 00:10:47,279 --> 00:10:48,720 um 267 00:10:48,720 --> 00:10:50,320 great like 268 00:10:50,320 --> 00:10:53,120 that's you but do people actually see 269 00:10:53,120 --> 00:10:55,200 this in the wild 270 00:10:55,200 --> 00:10:57,920 well yes they do so especially 271 00:10:57,920 --> 00:11:00,320 ransomware has actually adapted to use 272 00:11:00,320 --> 00:11:02,160 those kind of techniques 273 00:11:02,160 --> 00:11:04,079 to infect networks so 274 00:11:04,079 --> 00:11:06,560 dfi report not too long ago 275 00:11:06,560 --> 00:11:08,720 had a really good in-depth analysis 276 00:11:08,720 --> 00:11:12,079 demonstrating the use of carb roasting 277 00:11:12,079 --> 00:11:13,839 when ransomware wants to spread 278 00:11:13,839 --> 00:11:16,399 throughout a network and it 279 
00:11:16,399 --> 00:11:18,079 did that really really quick 280 00:11:18,079 --> 00:11:20,720 um fireeye has a really good report um 281 00:11:20,720 --> 00:11:22,560 on kerberos attacks 282 00:11:22,560 --> 00:11:23,360 and 283 00:11:23,360 --> 00:11:26,240 you know there's been um accounts of 284 00:11:26,240 --> 00:11:28,480 like different healthcare agencies 285 00:11:28,480 --> 00:11:30,240 and 286 00:11:30,240 --> 00:11:33,519 manufacturing banking that uses 287 00:11:33,519 --> 00:11:36,160 that as part of the attack right to just 288 00:11:36,160 --> 00:11:39,760 spread that malware through the network 289 00:11:40,800 --> 00:11:43,360 so here is a little uh 290 00:11:43,360 --> 00:11:45,440 video let's see if we can 291 00:11:45,440 --> 00:11:48,000 play this 292 00:11:50,399 --> 00:11:52,399 there you go so this slideshow shows the 293 00:11:52,399 --> 00:11:53,920 roasting itself 294 00:11:53,920 --> 00:11:58,079 um and uh how how it's gonna end up with 295 00:11:58,079 --> 00:11:59,360 uh um 296 00:11:59,360 --> 00:12:00,880 the result here so this is invoke 297 00:12:00,880 --> 00:12:02,079 kerberos 298 00:12:02,079 --> 00:12:04,399 um it you know it's looking at active 299 00:12:04,399 --> 00:12:07,120 directory you can run a variety of tools 300 00:12:07,120 --> 00:12:09,839 to do this attack um you know you can 301 00:12:09,839 --> 00:12:11,920 find accounts that are doing things like 302 00:12:11,920 --> 00:12:15,279 running iis or sql or you know some 303 00:12:15,279 --> 00:12:17,360 higher privilege accounts 304 00:12:17,360 --> 00:12:20,320 and kerberos not taking advantage of any 305 00:12:20,320 --> 00:12:22,399 kind of vulnerability or anything like 306 00:12:22,399 --> 00:12:23,360 that 307 00:12:23,360 --> 00:12:24,399 i know that 308 00:12:24,399 --> 00:12:26,000 it's pretty quick let me play that again 309 00:12:26,000 --> 00:12:28,079 so we can kind of go over it i kind of 310 00:12:28,079 --> 00:12:30,320 get on a tangent so this is 
info 311 00:12:30,320 --> 00:12:32,880 kerberos 312 00:12:35,519 --> 00:12:37,040 and i have multiple screens i promise 313 00:12:37,040 --> 00:12:38,480 i'm not ignoring you 314 00:12:38,480 --> 00:12:41,200 um so you can see here the same account 315 00:12:41,200 --> 00:12:43,200 name so like there's default app pool 316 00:12:43,200 --> 00:12:46,000 and iis there's the hash 317 00:12:46,000 --> 00:12:47,519 distinguished name 318 00:12:47,519 --> 00:12:49,760 you know pound town in this in this 319 00:12:49,760 --> 00:12:51,440 specific instance 320 00:12:51,440 --> 00:12:53,200 um but it's yeah it's not a 321 00:12:53,200 --> 00:12:54,880 vulnerability in active directory it's 322 00:12:54,880 --> 00:12:57,040 how active directory is built that's 323 00:12:57,040 --> 00:12:59,120 like that's what authentication is you 324 00:12:59,120 --> 00:13:00,560 know it's just intercepting that 325 00:13:00,560 --> 00:13:02,560 authentication and stealing the tokens 326 00:13:02,560 --> 00:13:04,560 and you can't block that behavior any 327 00:13:04,560 --> 00:13:06,399 account can do this that's on the on the 328 00:13:06,399 --> 00:13:08,720 network so unless you want to turn off 329 00:13:08,720 --> 00:13:10,639 authentication altogether or i mean 330 00:13:10,639 --> 00:13:11,920 switch to something else which is 331 00:13:11,920 --> 00:13:13,760 definitely possible 332 00:13:13,760 --> 00:13:16,160 um but the problem with trying to detect 333 00:13:16,160 --> 00:13:19,279 that is specifically that right you you 334 00:13:19,279 --> 00:13:21,600 have a really hard time detecting 335 00:13:21,600 --> 00:13:23,360 different roasting techniques 336 00:13:23,360 --> 00:13:25,360 because it's using the same 337 00:13:25,360 --> 00:13:27,040 authentication mechanism that everything 338 00:13:27,040 --> 00:13:28,720 else in the environment is 339 00:13:28,720 --> 00:13:29,839 so 340 00:13:29,839 --> 00:13:32,079 if you want to know that specific kind 341 00:13:32,079 --> 
00:13:36,320 of stuff like you need a way to do that 342 00:13:36,320 --> 00:13:38,320 but before we do uh the detection part 343 00:13:38,320 --> 00:13:41,680 let's go on to asrep roasting 344 00:13:42,160 --> 00:13:43,680 without playing this video again there 345 00:13:43,680 --> 00:13:46,000 we go 346 00:13:46,079 --> 00:13:48,399 all right so speaking of finishing him 347 00:13:48,399 --> 00:13:52,000 there you go i think jax wins this one 348 00:13:53,760 --> 00:13:56,320 there we go oh that 349 00:13:56,320 --> 00:13:57,839 glorious right 350 00:13:57,839 --> 00:14:00,800 so moving on as rep roasting um you know 351 00:14:00,800 --> 00:14:02,639 we went over the differences and how to 352 00:14:02,639 --> 00:14:05,120 and then we'll cover uh a little bit 353 00:14:05,120 --> 00:14:06,800 more in the airstrip roasting and then 354 00:14:06,800 --> 00:14:08,480 built the detections 355 00:14:08,480 --> 00:14:09,920 and then uh just to point out like 356 00:14:09,920 --> 00:14:11,839 creating these slides like this one uh 357 00:14:11,839 --> 00:14:13,600 always gets me so there's no way we 358 00:14:13,600 --> 00:14:15,199 could have used any of the newer mortal 359 00:14:15,199 --> 00:14:17,199 kombat gifts 360 00:14:17,199 --> 00:14:18,000 but 361 00:14:18,000 --> 00:14:19,519 because boy do they get pretty graphic 362 00:14:19,519 --> 00:14:21,440 now 363 00:14:21,440 --> 00:14:22,720 but 364 00:14:22,720 --> 00:14:24,800 you know pixelated blood splatter is 365 00:14:24,800 --> 00:14:27,279 pretty great 366 00:14:28,480 --> 00:14:30,399 i talked about the check marks check box 367 00:14:30,399 --> 00:14:32,480 that you can mark uh in each individual 368 00:14:32,480 --> 00:14:34,480 account and that's what that is 369 00:14:34,480 --> 00:14:37,279 and a lot of times there are as rep 370 00:14:37,279 --> 00:14:39,920 roastable accounts it's a tongue twister 371 00:14:39,920 --> 00:14:42,000 um for different reasons you know i've 372 00:14:42,000 --> 
00:14:44,079 seen it both as you know trying to get 373 00:14:44,079 --> 00:14:46,560 some legacy piece of software to work uh 374 00:14:46,560 --> 00:14:48,720 with authentication because you know 375 00:14:48,720 --> 00:14:51,120 maybe you know it was back from windows 376 00:14:51,120 --> 00:14:53,600 nt and they did not need it so 377 00:14:53,600 --> 00:14:55,199 um you know they don't they don't work 378 00:14:55,199 --> 00:14:57,120 with that pre-authentication method so 379 00:14:57,120 --> 00:14:59,120 people will go in and check that other 380 00:14:59,120 --> 00:15:01,199 times you know i've heard of just 381 00:15:01,199 --> 00:15:03,680 sysadmins help desk whatever just 382 00:15:03,680 --> 00:15:05,360 needing to get something to work they're 383 00:15:05,360 --> 00:15:06,639 like oh i was trying to get you know 384 00:15:06,639 --> 00:15:08,959 this user couldn't log in so i was going 385 00:15:08,959 --> 00:15:10,959 through and checking things and i must 386 00:15:10,959 --> 00:15:12,959 have left that checked you know some 387 00:15:12,959 --> 00:15:15,440 some kind of you know not great method 388 00:15:15,440 --> 00:15:18,240 but you know it's not inherently it 389 00:15:18,240 --> 00:15:20,320 doesn't show the risk here right it 390 00:15:20,320 --> 00:15:23,279 doesn't tell you that that could be used 391 00:15:23,279 --> 00:15:26,000 um for that kind of finishing move it's 392 00:15:26,000 --> 00:15:28,399 just it's just a checkbox right you know 393 00:15:28,399 --> 00:15:31,279 big no big deal 394 00:15:33,360 --> 00:15:35,120 so then we'll see in the next demo uh 395 00:15:35,120 --> 00:15:37,440 the rubius account uh the rubius tool 396 00:15:37,440 --> 00:15:39,920 that we'll be using uh to run that 397 00:15:39,920 --> 00:15:42,480 roasting attack so 398 00:15:42,480 --> 00:15:44,399 here the most important thing on this 399 00:15:44,399 --> 00:15:46,320 slide is you can actually audit your 400 00:15:46,320 --> 00:15:48,880 environment 
to see 401 00:15:48,880 --> 00:15:51,839 what has that enabled right so this is a 402 00:15:51,839 --> 00:15:56,000 power shell um script command whatever 403 00:15:56,000 --> 00:15:59,279 for getty user and it's looking for 404 00:15:59,279 --> 00:16:01,120 accounts that don't require that 405 00:16:01,120 --> 00:16:02,639 pre-authentication and it's going to 406 00:16:02,639 --> 00:16:04,320 return those to you 407 00:16:04,320 --> 00:16:06,880 in the command line so 408 00:16:06,880 --> 00:16:08,800 pretty important i know that it's out 409 00:16:08,800 --> 00:16:09,920 there i'm sure these slides are going to 410 00:16:09,920 --> 00:16:12,000 be shared later so feel free to run that 411 00:16:12,000 --> 00:16:13,920 if you have an on-prem active directory 412 00:16:13,920 --> 00:16:15,040 environment 413 00:16:15,040 --> 00:16:16,000 um 414 00:16:16,000 --> 00:16:18,959 just to see you know what what you have 415 00:16:18,959 --> 00:16:22,000 that you may not know about 416 00:16:22,000 --> 00:16:26,000 so here is the as rep roast itself 417 00:16:32,399 --> 00:16:35,279 so here we see rubius 418 00:16:35,279 --> 00:16:38,560 running as rep roast 419 00:16:38,880 --> 00:16:40,320 and then 420 00:16:40,320 --> 00:16:43,440 easyhazy right same thing as rep hash 421 00:16:43,440 --> 00:16:45,519 it's pulling that out of the packet 422 00:16:45,519 --> 00:16:47,279 that's being responded 423 00:16:47,279 --> 00:16:49,600 um so if you like run wireshark or 424 00:16:49,600 --> 00:16:51,600 anything like that you can actually see 425 00:16:51,600 --> 00:16:53,360 that in the packets you can see that 426 00:16:53,360 --> 00:16:56,320 hash in the packets 427 00:16:56,639 --> 00:16:58,399 and then this shows how you can kind of 428 00:16:58,399 --> 00:17:02,560 use those i think this is the next one 429 00:17:02,560 --> 00:17:04,559 maybe nope 430 00:17:04,559 --> 00:17:08,079 next slide there we go 431 00:17:08,799 --> 00:17:11,039 and running running demos and slides 
is 432 00:17:11,039 --> 00:17:12,400 always hard when you're trying to record 433 00:17:12,400 --> 00:17:13,839 it 434 00:17:13,839 --> 00:17:16,400 so this is using crack mac except crack 435 00:17:16,400 --> 00:17:18,640 map exec 436 00:17:18,640 --> 00:17:21,039 to use those cracked as rep roasting 437 00:17:21,039 --> 00:17:23,119 accounts to spray those creds everywhere 438 00:17:23,119 --> 00:17:25,839 and find where we're the local admin so 439 00:17:25,839 --> 00:17:27,359 again there's a handful of different 440 00:17:27,359 --> 00:17:29,280 ways to detect password spray and brute 441 00:17:29,280 --> 00:17:31,760 forcing against a multiple platforms but 442 00:17:31,760 --> 00:17:34,000 again we have only so much time 443 00:17:34,000 --> 00:17:36,240 so we're assuming here that the hashes 444 00:17:36,240 --> 00:17:38,000 we took in the last 445 00:17:38,000 --> 00:17:40,240 walk through 446 00:17:40,240 --> 00:17:43,200 have been captured and 447 00:17:43,200 --> 00:17:47,200 cracked so you can use those to you know 448 00:17:47,200 --> 00:17:50,160 try and pivot right so passwords are 449 00:17:50,160 --> 00:17:52,799 usually not that hard to crack um but we 450 00:17:52,799 --> 00:17:54,559 can use them you know 451 00:17:54,559 --> 00:17:57,120 maintain persistence maybe 452 00:17:57,120 --> 00:17:59,600 pivot move laterally you know all of 453 00:17:59,600 --> 00:18:02,240 those kind of things uh to kind of 454 00:18:02,240 --> 00:18:03,520 get a little bit further into the 455 00:18:03,520 --> 00:18:06,080 environment 456 00:18:06,880 --> 00:18:08,799 so how about the detection so who's 457 00:18:08,799 --> 00:18:10,559 gonna win in this case uh our honey 458 00:18:10,559 --> 00:18:13,520 token account or goro 459 00:18:13,520 --> 00:18:15,280 uh that's a crossover that would be kind 460 00:18:15,280 --> 00:18:17,200 of fun i guess um 461 00:18:17,200 --> 00:18:18,240 i mean 462 00:18:18,240 --> 00:18:20,480 winnie the pooh is a bear so but he's a 
463 00:18:20,480 --> 00:18:22,720 stuffed one and like there's you know a 464 00:18:22,720 --> 00:18:24,480 lot of arms there to deal with so maybe 465 00:18:24,480 --> 00:18:25,280 not 466 00:18:25,280 --> 00:18:26,880 um so 467 00:18:26,880 --> 00:18:29,440 to detect cur both kerberos staying and 468 00:18:29,440 --> 00:18:32,320 i guess rep roasting the best way to do 469 00:18:32,320 --> 00:18:35,360 this is with um honey tokens honey 470 00:18:35,360 --> 00:18:39,039 accounts honey whatever right um it's 471 00:18:39,039 --> 00:18:40,320 it's an account that you're going to add 472 00:18:40,320 --> 00:18:42,240 to active directory 473 00:18:42,240 --> 00:18:43,120 to 474 00:18:43,120 --> 00:18:46,240 monitor on so in kerberos saying example 475 00:18:46,240 --> 00:18:48,799 it's the event id 4769 476 00:18:48,799 --> 00:18:51,919 um your ticket encryption type is 0x17 477 00:18:51,919 --> 00:18:53,919 you have ticket options there which 478 00:18:53,919 --> 00:18:55,440 equals something i can't i can't 479 00:18:55,440 --> 00:18:56,960 remember exactly what and then the 480 00:18:56,960 --> 00:18:58,960 service name is going to be whatever 481 00:18:58,960 --> 00:19:02,720 honey account that you have okay 482 00:19:02,960 --> 00:19:06,720 and then as far as uh as rep roasting 483 00:19:06,720 --> 00:19:10,320 um the event ideas event id is 4768 484 00:19:10,320 --> 00:19:12,400 instead of 47.69 485 00:19:12,400 --> 00:19:14,880 same ticket encryption type and options 486 00:19:14,880 --> 00:19:18,480 uh but the service name here is krb tgt 487 00:19:18,480 --> 00:19:19,919 which is the kerberos tank ticket 488 00:19:19,919 --> 00:19:21,360 granting ticket 489 00:19:21,360 --> 00:19:22,400 so 490 00:19:22,400 --> 00:19:23,919 in addition to rubius i mean you can see 491 00:19:23,919 --> 00:19:25,679 in the screenshot here there's also 492 00:19:25,679 --> 00:19:28,480 invoke as rep rose by harmjoy as well as 493 00:19:28,480 --> 00:19:30,160 a handful of other 
tools that are you 494 00:19:30,160 --> 00:19:31,440 know that can perform those kind of 495 00:19:31,440 --> 00:19:32,640 attacks 496 00:19:32,640 --> 00:19:36,000 and you know in in the um 497 00:19:36,000 --> 00:19:38,080 uh in the bottom of that powershell 498 00:19:38,080 --> 00:19:39,760 script you can see right there you know 499 00:19:39,760 --> 00:19:41,600 the tool finds three separate accounts 500 00:19:41,600 --> 00:19:43,840 with that pre-authentication enabled and 501 00:19:43,840 --> 00:19:46,000 enumerates all of them so 502 00:19:46,000 --> 00:19:48,000 as with any kind of active deception 503 00:19:48,000 --> 00:19:51,120 technology you should monitor your honey 504 00:19:51,120 --> 00:19:53,200 accounts how many tokens whatever 505 00:19:53,200 --> 00:19:56,559 way more than a normal account and 506 00:19:56,559 --> 00:19:58,480 it's definitely possible you know to 507 00:19:58,480 --> 00:20:00,400 perform this attack in some environments 508 00:20:00,400 --> 00:20:02,000 with active accounts 509 00:20:02,000 --> 00:20:03,679 but we i mean those accounts are going 510 00:20:03,679 --> 00:20:05,280 to be used all the time right maybe 511 00:20:05,280 --> 00:20:06,799 they're there because they have to have 512 00:20:06,799 --> 00:20:08,640 pre-authentication on 513 00:20:08,640 --> 00:20:10,799 um but 514 00:20:10,799 --> 00:20:12,480 so you can't really 515 00:20:12,480 --> 00:20:14,080 detect done those all the time you're 516 00:20:14,080 --> 00:20:16,799 gonna end up with uh way too many uh 517 00:20:16,799 --> 00:20:18,880 alerts and you know alert fatigue and 518 00:20:18,880 --> 00:20:20,720 you're going to want to ignore it right 519 00:20:20,720 --> 00:20:23,760 so using a honey account is way better 520 00:20:23,760 --> 00:20:26,960 um and you can closely monitor those and 521 00:20:26,960 --> 00:20:29,120 you know everything involved 522 00:20:29,120 --> 00:20:30,320 and they're going to be you know this 523 00:20:30,320 --> 
00:20:31,600 kind of stuff is going to be more easily 524 00:20:31,600 --> 00:20:33,200 compromised 525 00:20:33,200 --> 00:20:34,960 even if you don't have accounts that 526 00:20:34,960 --> 00:20:36,159 have pre-authentication in your 527 00:20:36,159 --> 00:20:38,400 environment still add a honey honey 528 00:20:38,400 --> 00:20:40,080 account you'll know when somebody's 529 00:20:40,080 --> 00:20:42,880 attempting to do that AS-REP roasting 530 00:20:42,880 --> 00:20:45,360 um and just remember never allow those 531 00:20:45,360 --> 00:20:47,440 accounts to have any kind of like 532 00:20:47,440 --> 00:20:50,559 elevated permissions right 533 00:20:50,559 --> 00:20:54,080 so this slide is um this next slide is 534 00:20:54,080 --> 00:20:55,679 going to show you 535 00:20:55,679 --> 00:20:58,640 uh uh Dojimira so many pauses for a 536 00:20:58,640 --> 00:21:00,080 second so 537 00:21:00,080 --> 00:21:02,159 Dojimira is a PowerShell script that we 538 00:21:02,159 --> 00:21:04,080 have out there on our GitHub uh if you 539 00:21:04,080 --> 00:21:06,400 just search Blumira in GitHub you'll 540 00:21:06,400 --> 00:21:08,640 find it um it's a PowerShell script that 541 00:21:08,640 --> 00:21:10,960 is going to generate the specific kind 542 00:21:10,960 --> 00:21:12,799 of accounts that you need 543 00:21:12,799 --> 00:21:13,600 for 544 00:21:13,600 --> 00:21:14,559 these to 545 00:21:14,559 --> 00:21:17,840 these detections to be created okay so 546 00:21:17,840 --> 00:21:19,919 it'll it'll output uh what those 547 00:21:19,919 --> 00:21:23,679 accounts are and you can take those and 548 00:21:23,679 --> 00:21:26,080 use the other things that I showed you 549 00:21:26,080 --> 00:21:27,440 and 550 00:21:27,440 --> 00:21:31,840 alert on those specific accounts 551 00:21:33,600 --> 00:21:34,960 so here we are 552 00:21:34,960 --> 00:21:37,520 I'm in my Blumira directory and I'm just 553 00:21:37,520 --> 00:21:40,799 going to run the PowerShell script 554
00:21:41,200 --> 00:21:43,120 and that's it 555 00:21:43,120 --> 00:21:46,080 super easy goes ahead and adds uh adds 556 00:21:46,080 --> 00:21:48,480 that account um this one 557 00:21:48,480 --> 00:21:51,600 uh the the video for this is just the um 558 00:21:51,600 --> 00:21:53,440 Kerberoasting one we've since added 559 00:21:53,440 --> 00:21:56,400 the AS-REP roasting um after actually a 560 00:21:56,400 --> 00:22:00,000 really good um suggestion from one of 561 00:22:00,000 --> 00:22:01,760 our customers 562 00:22:01,760 --> 00:22:03,440 so 563 00:22:03,440 --> 00:22:06,700 um let's see here uh did it do 564 00:22:06,700 --> 00:22:08,720 [Music] 565 00:22:08,720 --> 00:22:11,520 not onto the next one so instead of 566 00:22:11,520 --> 00:22:13,360 playing this again there we go we're 567 00:22:13,360 --> 00:22:16,879 gonna move on to the second use case 568 00:22:19,360 --> 00:22:21,840 so WDigest uh 569 00:22:21,840 --> 00:22:23,919 super fun detection 570 00:22:23,919 --> 00:22:27,600 here there we go another finishing move 571 00:22:27,600 --> 00:22:30,240 Rain unfortunately does not win that one 572 00:22:30,240 --> 00:22:32,480 but we got some cool blue spikes 573 00:22:32,480 --> 00:22:34,480 and some more pixelated blue 574 00:22:34,480 --> 00:22:35,919 fantastic 575 00:22:35,919 --> 00:22:39,520 uh so WDigest is a really old protocol 576 00:22:39,520 --> 00:22:42,240 was introduced in XP I think 577 00:22:42,240 --> 00:22:44,960 where in certain situations 578 00:22:44,960 --> 00:22:47,039 you know you can enable it in the 579 00:22:47,039 --> 00:22:48,640 in the registry 580 00:22:48,640 --> 00:22:49,679 to 581 00:22:49,679 --> 00:22:51,679 fall back to clear text 582 00:22:51,679 --> 00:22:53,760 authentication 583 00:22:53,760 --> 00:22:55,679 in newer versions of operating systems 584 00:22:55,679 --> 00:22:57,600 it's disabled by default but the 585 00:22:57,600 --> 00:22:59,039 registry entry is still there and you 586
00:22:59,039 --> 00:23:01,600 can still enable it with local admin 587 00:23:01,600 --> 00:23:04,080 and that will allow an attacker to come 588 00:23:04,080 --> 00:23:06,960 back later and extract hashes and clear 589 00:23:06,960 --> 00:23:09,600 text passwords from directly from memory 590 00:23:09,600 --> 00:23:10,400 um 591 00:23:10,400 --> 00:23:12,480 you know because why bother cracking 592 00:23:12,480 --> 00:23:14,080 something if it could be in clear text 593 00:23:14,080 --> 00:23:15,360 anyways right 594 00:23:15,360 --> 00:23:18,240 so again with a you know there's 595 00:23:18,240 --> 00:23:19,600 a lot of 596 00:23:19,600 --> 00:23:22,480 opportunities for this one but as far as 597 00:23:22,480 --> 00:23:24,960 like uh performing the attack itself 598 00:23:24,960 --> 00:23:28,640 um but we'll see here uh with CrackMap 599 00:23:28,640 --> 00:23:30,960 CrackMapExec again I always have a 600 00:23:30,960 --> 00:23:32,640 hard time saying that especially you 601 00:23:32,640 --> 00:23:34,960 know when I'm being recorded 602 00:23:34,960 --> 00:23:37,919 so it's going to be planting that 603 00:23:37,919 --> 00:23:40,799 WDigest trap by just adding uh flipping 604 00:23:40,799 --> 00:23:43,360 that registry key 605 00:23:43,360 --> 00:23:45,840 so you have local admin access you're 606 00:23:45,840 --> 00:23:47,919 going to run that 607 00:23:47,919 --> 00:23:51,200 that switch so that's the device that's 608 00:23:51,200 --> 00:23:52,480 being run on 609 00:23:52,480 --> 00:23:55,840 the user that we you know 610 00:23:57,120 --> 00:23:59,918 cracked earlier 611 00:24:01,120 --> 00:24:04,678 and then WDigest 612 00:24:05,440 --> 00:24:08,480 and we're going to enable it 613 00:24:09,520 --> 00:24:10,799 and then it right there tells you that 614 00:24:10,799 --> 00:24:14,080 it was created successfully 615 00:24:14,320 --> 00:24:16,480 so yeah handful of thing handful of easy 616 00:24:16,480 --> 00:24:18,400 tools out there that can do
that but 617 00:24:18,400 --> 00:24:19,919 it's always going to be that same 618 00:24:19,919 --> 00:24:21,760 registry key 619 00:24:21,760 --> 00:24:24,320 so how do we detect that 620 00:24:24,320 --> 00:24:27,039 fairly simple 621 00:24:27,360 --> 00:24:30,320 Sysmon is fantastic 622 00:24:30,320 --> 00:24:32,720 if you don't have it installed I highly 623 00:24:32,720 --> 00:24:35,120 highly recommend it um 624 00:24:35,120 --> 00:24:36,960 and I'll show you I think it's in the 625 00:24:36,960 --> 00:24:39,279 last use case we're going to go over 626 00:24:39,279 --> 00:24:41,679 the difference that Sysmon gives you as 627 00:24:41,679 --> 00:24:44,720 far as detection capabilities go and how 628 00:24:44,720 --> 00:24:46,960 to map some of that stuff so in this 629 00:24:46,960 --> 00:24:48,880 case you're just detecting registry 630 00:24:48,880 --> 00:24:51,760 change so Windows event uh 13 through 631 00:24:51,760 --> 00:24:54,720 Sysmon is just for that purpose is for 632 00:24:54,720 --> 00:24:56,320 registry changes 633 00:24:56,320 --> 00:24:58,640 um so your process name is going to be 634 00:24:58,640 --> 00:25:00,159 reg because it's going to be like 635 00:25:00,159 --> 00:25:03,120 reg.exe reg whatever you know here you can 636 00:25:03,120 --> 00:25:05,120 see in the bottom part the actual 637 00:25:05,120 --> 00:25:07,440 command that was run it was reg add 638 00:25:07,440 --> 00:25:09,360 uh through cmd can be done for 639 00:25:09,360 --> 00:25:12,240 PowerShell you know CrackMap CrackMap 640 00:25:12,240 --> 00:25:14,720 Exec again oh my gosh 641 00:25:14,720 --> 00:25:17,760 um maybe I'll just start saying CME 642 00:25:17,760 --> 00:25:20,240 I feel like at this point uh it would be 643 00:25:20,240 --> 00:25:23,279 easier and you know what I mean 644 00:25:23,279 --> 00:25:25,760 all right so yeah here's the detection 645 00:25:25,760 --> 00:25:27,360 on that and then the command or the 646 00:25:27,360 --> 00:25:29,200 parent command
line is going to have 647 00:25:29,200 --> 00:25:32,240 that WDigest UseLogonCredential in 648 00:25:32,240 --> 00:25:34,720 there so it's flipping that bit on 649 00:25:34,720 --> 00:25:36,320 um so it's going to mention something 650 00:25:36,320 --> 00:25:38,880 about WDigest something about that 651 00:25:38,880 --> 00:25:42,320 specific key in the registry so you can 652 00:25:42,320 --> 00:25:45,600 detect on all of those kind of things um 653 00:25:45,600 --> 00:25:48,159 sadly we have seen some false positives 654 00:25:48,159 --> 00:25:49,279 from 655 00:25:49,279 --> 00:25:51,760 uh poorly written software so for some 656 00:25:51,760 --> 00:25:52,799 reason 657 00:25:52,799 --> 00:25:54,320 I don't know if they just didn't want to 658 00:25:54,320 --> 00:25:56,320 figure out how to do real authentication 659 00:25:56,320 --> 00:25:59,120 uh or they need to capture credentials 660 00:25:59,120 --> 00:26:00,720 for some reason but there's definitely 661 00:26:00,720 --> 00:26:01,919 some software 662 00:26:01,919 --> 00:26:05,840 platforms out there uh that do this 663 00:26:05,840 --> 00:26:07,679 as a part of how they work which is 664 00:26:07,679 --> 00:26:10,640 which is kind of sad 665 00:26:10,640 --> 00:26:13,039 so on next is 666 00:26:13,039 --> 00:26:14,480 a fun one 667 00:26:14,480 --> 00:26:17,360 everybody always covers pass the hash 668 00:26:17,360 --> 00:26:18,159 uh 669 00:26:18,159 --> 00:26:21,679 see the poor little Scorpions there 670 00:26:22,240 --> 00:26:26,000 oh no they're poor they're poor dad 671 00:26:26,000 --> 00:26:28,080 cover cover the children's eyes poor 672 00:26:28,080 --> 00:26:29,440 little Scorpion 673 00:26:29,440 --> 00:26:30,480 it's pretty great I don't think this 674 00:26:30,480 --> 00:26:32,320 part was actually in the game I'm gonna 675 00:26:32,320 --> 00:26:33,919 guess uh 676 00:26:33,919 --> 00:26:36,400 maybe it was I don't know um I didn't 677 00:26:36,400 --> 00:26:39,360 play that much but I I
feel like 678 00:26:39,360 --> 00:26:41,760 this is definitely some some good work 679 00:26:41,760 --> 00:26:44,559 on somebody's part 680 00:26:46,559 --> 00:26:48,880 so this is mostly seen with Mimikatz 681 00:26:48,880 --> 00:26:50,159 you know you'll you'll definitely see 682 00:26:50,159 --> 00:26:51,600 pass the hash being mentioned all the 683 00:26:51,600 --> 00:26:53,440 time with Mimikatz but there are a 684 00:26:53,440 --> 00:26:54,960 handful of other tools out there that 685 00:26:54,960 --> 00:26:56,159 can pass along those captured 686 00:26:56,159 --> 00:26:57,840 credentials to gain access to other 687 00:26:57,840 --> 00:26:58,960 endpoints 688 00:26:58,960 --> 00:27:00,960 um you know which if you're using the 689 00:27:00,960 --> 00:27:02,960 same admin account across your entire 690 00:27:02,960 --> 00:27:05,440 environment that can go really really 691 00:27:05,440 --> 00:27:08,720 poorly for you um I recommend if you are 692 00:27:08,720 --> 00:27:10,000 still running 693 00:27:10,000 --> 00:27:12,880 Active Directory on-prem look into LAPS 694 00:27:12,880 --> 00:27:16,240 uh Local Admin Password Solution through 695 00:27:16,240 --> 00:27:18,480 Microsoft um 696 00:27:18,480 --> 00:27:21,760 it's definitely um 697 00:27:21,760 --> 00:27:22,960 better for 698 00:27:22,960 --> 00:27:24,240 preventing 699 00:27:24,240 --> 00:27:25,840 pass the hash with admin credentials 700 00:27:25,840 --> 00:27:27,600 because as soon as one you know I've 701 00:27:27,600 --> 00:27:28,880 seen 702 00:27:28,880 --> 00:27:30,640 lots and lots and lots and lots of 703 00:27:30,640 --> 00:27:33,600 networks um that I mean it's easier 704 00:27:33,600 --> 00:27:35,039 right if you are 705 00:27:35,039 --> 00:27:37,840 re-imaging you know dozens or hundreds 706 00:27:37,840 --> 00:27:41,120 of uh desktops for a new deployment um 707 00:27:41,120 --> 00:27:44,159 it's just easier to have the same admin 708 00:27:44,159 --> 00:27:47,360 password you know you
you know 709 00:27:47,360 --> 00:27:50,320 you have 20 help desk people or ever or 710 00:27:50,320 --> 00:27:52,159 maybe one I don't know but it's easier 711 00:27:52,159 --> 00:27:54,080 because they can memorize that password 712 00:27:54,080 --> 00:27:56,799 um and then you know go work on any 713 00:27:56,799 --> 00:27:58,799 device that they need to it's it's super 714 00:27:58,799 --> 00:27:59,840 common 715 00:27:59,840 --> 00:28:00,799 um 716 00:28:00,799 --> 00:28:03,440 so you know passing the hash with really 717 00:28:03,440 --> 00:28:05,279 any admin account is going to be is 718 00:28:05,279 --> 00:28:07,440 going to be bad but it's it's seen a lot 719 00:28:07,440 --> 00:28:11,360 with the local default admin also 720 00:28:11,760 --> 00:28:13,440 so this is going to show the pass this 721 00:28:13,440 --> 00:28:14,799 next slide is going to show the pass the 722 00:28:14,799 --> 00:28:17,919 hash attack um with using 723 00:28:17,919 --> 00:28:20,799 CME again 724 00:28:21,840 --> 00:28:25,678 all right let's play this 725 00:28:27,679 --> 00:28:29,120 so here we see 726 00:28:29,120 --> 00:28:32,720 CME being run against a host 727 00:28:32,720 --> 00:28:34,799 and then we're just gonna 728 00:28:34,799 --> 00:28:37,120 pass the hash that we captured you know 729 00:28:37,120 --> 00:28:39,039 one of those other several ways right 730 00:28:39,039 --> 00:28:41,600 that we that we may have captured a hash 731 00:28:41,600 --> 00:28:44,240 um and right there you know that's I 732 00:28:44,240 --> 00:28:46,159 know it's a really quick video but it 733 00:28:46,159 --> 00:28:48,000 goes really fast especially when it 734 00:28:48,000 --> 00:28:48,880 works 735 00:28:48,880 --> 00:28:50,799 um you know you can 736 00:28:50,799 --> 00:28:52,320 you know in that case you're only 737 00:28:52,320 --> 00:28:53,440 scanning one endpoint so if you're 738 00:28:53,440 --> 00:28:56,240 scanning like a /24 or /16 like it may 739 00:28:56,240 --> 00:28:59,039
take a little bit longer but you know it 740 00:28:59,039 --> 00:29:00,080 showed there at the end that it was 741 00:29:00,080 --> 00:29:02,639 successful 742 00:29:03,120 --> 00:29:06,399 so also again sadly uh there's actually 743 00:29:06,399 --> 00:29:09,840 a lot of back end uh stuff on bad 744 00:29:09,840 --> 00:29:12,559 software that will do pass the hash 745 00:29:12,559 --> 00:29:13,600 um 746 00:29:13,600 --> 00:29:16,960 so that's why I have in this detection 747 00:29:16,960 --> 00:29:20,000 uh so it's Windows event 4624 748 00:29:20,000 --> 00:29:22,799 which is logon logon type is 9 and 749 00:29:22,799 --> 00:29:26,399 then the process is like seclogo and 750 00:29:26,399 --> 00:29:28,640 then that's why I have the fourth little 751 00:29:28,640 --> 00:29:30,080 little mention there of tuning for 752 00:29:30,080 --> 00:29:31,440 terrible software 753 00:29:31,440 --> 00:29:34,559 um I have a list of at least five or six 754 00:29:34,559 --> 00:29:37,200 pieces of software that just 755 00:29:37,200 --> 00:29:39,200 as a part of how they do administrative 756 00:29:39,200 --> 00:29:42,399 processes or manage your environment 757 00:29:42,399 --> 00:29:45,840 or you know I've I've seen um 758 00:29:45,840 --> 00:29:48,480 Active Directory management tools that 759 00:29:48,480 --> 00:29:50,799 you know they're gonna you know help 760 00:29:50,799 --> 00:29:52,799 your help desk 761 00:29:52,799 --> 00:29:55,120 change passwords or 762 00:29:55,120 --> 00:29:57,840 um you know maybe even change control or 763 00:29:57,840 --> 00:30:01,279 manage endpoints as far as like uh asset 764 00:30:01,279 --> 00:30:03,600 asset inventory go they use pass the 765 00:30:03,600 --> 00:30:05,679 hash on the back end and boy they 766 00:30:05,679 --> 00:30:08,399 shouldn't because um uh you know I 767 00:30:08,399 --> 00:30:12,720 recently had um a discussion about 768 00:30:12,720 --> 00:30:13,919 why 769 00:30:13,919 --> 00:30:15,039 uh 770 00:30:15,039 -->
00:30:16,320 why like 771 00:30:16,320 --> 00:30:18,640 is there any good reason 772 00:30:18,640 --> 00:30:19,760 to have 773 00:30:19,760 --> 00:30:23,200 exceptions like antivirus exceptions or 774 00:30:23,200 --> 00:30:24,720 um you know 775 00:30:24,720 --> 00:30:26,960 exceptions on this kind of stuff right 776 00:30:26,960 --> 00:30:28,399 like you 777 00:30:28,399 --> 00:30:29,840 yeah I mean there 778 00:30:29,840 --> 00:30:32,000 the the reason is you don't want alert 779 00:30:32,000 --> 00:30:32,960 fatigue 780 00:30:32,960 --> 00:30:35,039 you know if you have a main piece of 781 00:30:35,039 --> 00:30:37,120 your environment that is going to 782 00:30:37,120 --> 00:30:38,960 trigger this detection 783 00:30:38,960 --> 00:30:41,919 once twice 10 times a day 784 00:30:41,919 --> 00:30:44,399 you're going to have to figure out some 785 00:30:44,399 --> 00:30:47,200 kind of tuning right 786 00:30:47,200 --> 00:30:50,080 but you know I'm sure a lot of you have 787 00:30:50,080 --> 00:30:51,360 played with firewalls or have seen 788 00:30:51,360 --> 00:30:53,039 firewall rules 789 00:30:53,039 --> 00:30:53,840 um 790 00:30:53,840 --> 00:30:57,279 but the concept is least privilege when 791 00:30:57,279 --> 00:30:59,200 it comes to even tuning 792 00:30:59,200 --> 00:31:00,240 so 793 00:31:00,240 --> 00:31:02,159 if you know 794 00:31:02,159 --> 00:31:03,200 what 795 00:31:03,200 --> 00:31:05,440 hash is always doing it you can use you 796 00:31:05,440 --> 00:31:07,039 can use that especially if you're using 797 00:31:07,039 --> 00:31:08,640 Sysmon because the hash values are in 798 00:31:08,640 --> 00:31:09,519 there 799 00:31:09,519 --> 00:31:11,360 um if you 800 00:31:11,360 --> 00:31:13,440 know what direct uh what I mean 801 00:31:13,440 --> 00:31:15,840 obviously the exe is okay but that can 802 00:31:15,840 --> 00:31:17,120 be spoofed 803 00:31:17,120 --> 00:31:20,399 um the directory also not great because 804 00:31:20,399 --> 00:31:21,760 you put
anything in that directory and 805 00:31:21,760 --> 00:31:23,440 then nothing's gonna trigger 806 00:31:23,440 --> 00:31:25,120 um and if attackers know that they're 807 00:31:25,120 --> 00:31:27,200 gonna take advantage of it if they know 808 00:31:27,200 --> 00:31:28,799 software A 809 00:31:28,799 --> 00:31:31,919 does not um you know mimics pass the 810 00:31:31,919 --> 00:31:33,600 hash on the back end they're gonna do 811 00:31:33,600 --> 00:31:36,399 what they can to mimic that um and if 812 00:31:36,399 --> 00:31:38,720 you have a blind spot to like that whole 813 00:31:38,720 --> 00:31:39,919 directory 814 00:31:39,919 --> 00:31:41,200 that's what's gonna happen you're not 815 00:31:41,200 --> 00:31:43,600 gonna be able to detect on something 816 00:31:43,600 --> 00:31:45,679 like this that you know is by is 817 00:31:45,679 --> 00:31:47,760 bypassing the um 818 00:31:47,760 --> 00:31:50,799 the administrator login 819 00:31:52,799 --> 00:31:55,200 so how about credential dumping this is 820 00:31:55,200 --> 00:31:57,679 great too 821 00:31:59,679 --> 00:32:01,600 I don't know I think oh right away 822 00:32:01,600 --> 00:32:03,200 Scorpion wins 823 00:32:03,200 --> 00:32:05,519 that's super quick right flawless 824 00:32:05,519 --> 00:32:08,320 victory didn't even get a chance 825 00:32:08,320 --> 00:32:09,360 um 826 00:32:09,360 --> 00:32:11,039 so 827 00:32:11,039 --> 00:32:13,200 dumping Active Directory hashes 828 00:32:13,200 --> 00:32:15,279 no matter what way it's done 829 00:32:15,279 --> 00:32:17,679 what tool is used if it's a script 830 00:32:17,679 --> 00:32:19,679 third-party application built-in Windows 831 00:32:19,679 --> 00:32:21,760 application 832 00:32:21,760 --> 00:32:23,840 if all of your hashes from your entire 833 00:32:23,840 --> 00:32:26,559 domain have successfully been captured 834 00:32:26,559 --> 00:32:28,720 and it's not just a pen test you're in 835 00:32:28,720 --> 00:32:31,200 for a really really bad time um 836
00:32:31,200 --> 00:32:34,080 I would love to know if anyone has ever 837 00:32:34,080 --> 00:32:36,559 either had to follow the Microsoft guide 838 00:32:36,559 --> 00:32:38,799 on network eviction process 839 00:32:38,799 --> 00:32:41,200 um or starting a forest over from 840 00:32:41,200 --> 00:32:43,360 scratch because those are basically your 841 00:32:43,360 --> 00:32:44,640 two options 842 00:32:44,640 --> 00:32:46,960 um you know if there's any time to move 843 00:32:46,960 --> 00:32:50,320 to the cloud I guess it would be then 844 00:32:50,480 --> 00:32:52,240 because 845 00:32:52,240 --> 00:32:54,240 if an attacker has that 846 00:32:54,240 --> 00:32:56,000 and you don't follow network eviction 847 00:32:56,000 --> 00:32:58,640 process you have no guarantees that they 848 00:32:58,640 --> 00:33:01,120 don't still have a token 849 00:33:01,120 --> 00:33:04,559 or a ticket or some kind of um 850 00:33:04,559 --> 00:33:06,480 persistence in your network 851 00:33:06,480 --> 00:33:07,279 um 852 00:33:07,279 --> 00:33:09,760 so I you know as much as I loved doing 853 00:33:09,760 --> 00:33:12,799 sysadmin stuff for a very long time uh 854 00:33:12,799 --> 00:33:15,919 that just seems extremely extremely 855 00:33:15,919 --> 00:33:19,679 stressful and so so much work um so I'd 856 00:33:19,679 --> 00:33:21,760 love to hear your stories if you know if 857 00:33:21,760 --> 00:33:25,120 if you've gone through that 858 00:33:25,120 --> 00:33:28,480 so this slide uh shows doing 859 00:33:28,480 --> 00:33:32,000 runas domain admin 860 00:33:33,440 --> 00:33:35,919 and then using Mimikatz to extract all 861 00:33:35,919 --> 00:33:37,440 the hashes active out of Active 862 00:33:37,440 --> 00:33:39,840 Directory 863 00:33:46,320 --> 00:33:48,080 so that's the password we cracked and 864 00:33:48,080 --> 00:33:52,519 now we're into you know 865 00:33:57,440 --> 00:34:00,559 Mimikatz directory 866 00:34:01,760 --> 00:34:05,640 zoom in a little bit on that 867
00:34:10,000 --> 00:34:10,800 so you know you have the right 868 00:34:10,800 --> 00:34:13,119 privileges when you do privilege::debug 869 00:34:13,119 --> 00:34:16,159 and then you're going to do lsadump 870 00:34:16,159 --> 00:34:19,399 on the domain 871 00:34:20,320 --> 00:34:21,918 and ta-da 872 00:34:21,918 --> 00:34:25,839 there's all of them which 873 00:34:25,839 --> 00:34:27,839 uh some Active Directory environments are 874 00:34:27,839 --> 00:34:29,918 extremely large 875 00:34:29,918 --> 00:34:32,320 um there are a multitude of ways to 876 00:34:32,320 --> 00:34:34,480 detect this kind of activity a common 877 00:34:34,480 --> 00:34:36,399 being a common one being what we saw 878 00:34:36,399 --> 00:34:38,239 here um 879 00:34:38,239 --> 00:34:40,879 but then I'm not detected sorry attack 880 00:34:40,879 --> 00:34:44,560 this directory or that oh my gosh sorry 881 00:34:44,560 --> 00:34:47,119 so common way of 882 00:34:47,119 --> 00:34:49,918 attacking so this one we just saw 883 00:34:49,918 --> 00:34:52,320 uh which was Mimikatz but there's also 884 00:34:52,320 --> 00:34:54,320 one that you can use that's built in to 885 00:34:54,320 --> 00:34:56,800 Windows called ntdsutil and we'll go 886 00:34:56,800 --> 00:34:58,400 over that one too 887 00:34:58,400 --> 00:34:59,760 and this one will show you a little bit 888 00:34:59,760 --> 00:35:04,640 the difference of um Sysmon in between 889 00:35:04,640 --> 00:35:07,920 just Windows like plain plain logging 890 00:35:07,920 --> 00:35:09,920 so again hash dumping is going to be 891 00:35:09,920 --> 00:35:11,440 something you want to know as soon as 892 00:35:11,440 --> 00:35:14,240 possible and definitely does not need a 893 00:35:14,240 --> 00:35:16,160 single bit of baselining 894 00:35:16,160 --> 00:35:18,640 because as the more time passes the more 895 00:35:18,640 --> 00:35:20,880 likely that attacker is going to be able 896 00:35:20,880 --> 00:35:22,800 to move laterally 897 00:35:22,800 -->
00:35:24,720 set up persistence perform other attacks 898 00:35:24,720 --> 00:35:26,880 inside the environment 899 00:35:26,880 --> 00:35:28,960 you know we saw Mimikatz in the video 900 00:35:28,960 --> 00:35:32,079 example here's another one liner right 901 00:35:32,079 --> 00:35:34,079 so ntdsutil 902 00:35:34,079 --> 00:35:36,880 is a built-in Microsoft utility 903 00:35:36,880 --> 00:35:39,040 so if you ever hear living off the land 904 00:35:39,040 --> 00:35:40,640 that's 905 00:35:40,640 --> 00:35:42,839 that falls into this category 906 00:35:42,839 --> 00:35:47,680 um so that uh ntdsutil was created to 907 00:35:47,680 --> 00:35:49,599 manage the Active Directory database 908 00:35:49,599 --> 00:35:51,920 right which completely makes sense uh 909 00:35:51,920 --> 00:35:53,839 it's been used for years and years to 910 00:35:53,839 --> 00:35:56,640 perform functions and but it can also be 911 00:35:56,640 --> 00:35:58,480 used by threat actors to dump the 912 00:35:58,480 --> 00:36:00,480 ntds.dit file 913 00:36:00,480 --> 00:36:04,240 so ntds.dit is the ESE database 914 00:36:04,240 --> 00:36:05,920 that contains all the Active Directory 915 00:36:05,920 --> 00:36:07,599 information 916 00:36:07,599 --> 00:36:10,240 you can use it to create a backup 917 00:36:10,240 --> 00:36:12,079 and the threat actor can use that and 918 00:36:12,079 --> 00:36:14,320 then go crack all those credentials so 919 00:36:14,320 --> 00:36:16,640 instead of capturing one two maybe three 920 00:36:16,640 --> 00:36:19,280 credentials using the other um the other 921 00:36:19,280 --> 00:36:21,520 ways we saw in the beginning this is 922 00:36:21,520 --> 00:36:23,280 everything they can take the entire 923 00:36:23,280 --> 00:36:25,440 database and go crack all the hashes at 924 00:36:25,440 --> 00:36:26,560 once 925 00:36:26,560 --> 00:36:28,960 um here we can see in 926 00:36:28,960 --> 00:36:32,000 this match evidence portion the actual 927 00:36:32,000 --> 00:36:34,240
command and the device it was being run 928 00:36:34,240 --> 00:36:35,280 against 929 00:36:35,280 --> 00:36:38,000 and you know that ntdsutil which 930 00:36:38,000 --> 00:36:39,839 tells you what that did 931 00:36:39,839 --> 00:36:42,240 ac i ntds 932 00:36:42,240 --> 00:36:44,000 is setting 933 00:36:44,000 --> 00:36:46,560 ntds as the active instance so what pc 934 00:36:46,560 --> 00:36:47,680 means 935 00:36:47,680 --> 00:36:49,599 ifm is install from media and then 936 00:36:49,599 --> 00:36:51,359 creating the full backup 937 00:36:51,359 --> 00:36:54,240 that q q is just quitting both commands 938 00:36:54,240 --> 00:36:56,879 that it's run 939 00:36:58,960 --> 00:37:01,040 so let's dive a little deeper into the 940 00:37:01,040 --> 00:37:03,200 detection engineering side of this 941 00:37:03,200 --> 00:37:05,280 so 942 00:37:05,280 --> 00:37:06,640 I hope a lot of you have Sysmon 943 00:37:06,640 --> 00:37:08,240 installed feel free to say if you do or 944 00:37:08,240 --> 00:37:10,480 not and why you don't if you don't I 945 00:37:10,480 --> 00:37:12,320 would be interested to know that 946 00:37:12,320 --> 00:37:13,119 um 947 00:37:13,119 --> 00:37:15,359 but here are some major differences in 948 00:37:15,359 --> 00:37:16,640 this attack 949 00:37:16,640 --> 00:37:19,119 using just seeing the Windows event IDs 950 00:37:19,119 --> 00:37:20,880 and then seeing all of the Sysmon event 951 00:37:20,880 --> 00:37:24,560 IDs so on the left you just see a huge 952 00:37:24,560 --> 00:37:26,880 list of 4799 953 00:37:26,880 --> 00:37:30,079 um you'll also see process creation but 954 00:37:30,079 --> 00:37:30,960 process 955 00:37:30,960 --> 00:37:32,880 so process creation with Sysmon is the 956 00:37:32,880 --> 00:37:35,200 event 1 and don't worry about like 957 00:37:35,200 --> 00:37:37,200 blowing up your screen or like looking 958 00:37:37,200 --> 00:37:38,560 really really hard because I'm going to 959 00:37:38,560 --> 00:37:40,079 blow up these
things in the next couple 960 00:37:40,079 --> 00:37:40,960 slides 961 00:37:40,960 --> 00:37:42,480 um 962 00:37:42,480 --> 00:37:46,079 and uh I'll go a little bit into why I I 963 00:37:46,079 --> 00:37:48,720 picked Sysmon event 1 as opposed to the 964 00:37:48,720 --> 00:37:50,400 um 965 00:37:50,400 --> 00:37:53,280 process creation in just plain Windows 966 00:37:53,280 --> 00:37:54,720 so 967 00:37:54,720 --> 00:37:57,599 on the left-hand side huge list of 4799 968 00:37:57,599 --> 00:37:59,680 which enumerating security group 969 00:37:59,680 --> 00:38:01,520 memberships happens all of the time in 970 00:38:01,520 --> 00:38:02,960 Active Directory for a multitude of 971 00:38:02,960 --> 00:38:05,680 reasons it's definitely again part of 972 00:38:05,680 --> 00:38:07,440 how Active Directory works 973 00:38:07,440 --> 00:38:09,920 um to provide you know information to 974 00:38:09,920 --> 00:38:11,839 clients applications whatever 975 00:38:11,839 --> 00:38:13,760 and then on the right hand side you see 976 00:38:13,760 --> 00:38:16,880 a huge wall of text tiny tiny text 977 00:38:16,880 --> 00:38:18,480 with a bunch of information we're able 978 00:38:18,480 --> 00:38:21,440 to gather using Sysmon so let's move on 979 00:38:21,440 --> 00:38:22,880 so you can see that's a little bit 980 00:38:22,880 --> 00:38:25,119 better 981 00:38:25,359 --> 00:38:27,680 so this is event ID 1 a little closer 982 00:38:27,680 --> 00:38:28,720 up 983 00:38:28,720 --> 00:38:30,560 you can see that ntdsutil is the 984 00:38:30,560 --> 00:38:32,880 original file name there on the top the 985 00:38:32,880 --> 00:38:34,480 command that was run the full command 986 00:38:34,480 --> 00:38:36,960 line that was run uh who ran it there's 987 00:38:36,960 --> 00:38:39,839 me yay uh from the parent image of 988 00:38:39,839 --> 00:38:42,000 PowerShell I think is on the bottom yep 989 00:38:42,000 --> 00:38:43,440 all the way to the bottom if you see the 990 00:38:43,440 -->
00:38:44,800 parent image and then parent command 991 00:38:44,800 --> 00:38:46,160 line I was just running it through ISE 992 00:38:46,160 --> 00:38:49,119 so I could capture it 993 00:38:49,119 --> 00:38:51,839 and it provides way way way more 994 00:38:51,839 --> 00:38:53,520 information about that newly created 995 00:38:53,520 --> 00:38:56,560 process when a command was run so 996 00:38:56,560 --> 00:38:58,079 like the hashes it gives you there and 997 00:38:58,079 --> 00:39:00,160 you can correlate against those you see 998 00:39:00,160 --> 00:39:01,760 its terminal session ID 7 it's 999 00:39:01,760 --> 00:39:03,520 because I was logged in over RDP when I 1000 00:39:03,520 --> 00:39:04,560 ran it 1001 00:39:04,560 --> 00:39:07,040 um and then you can use all of that to 1002 00:39:07,040 --> 00:39:09,359 correlate across you know when different 1003 00:39:09,359 --> 00:39:11,040 stuff like that is run 1004 00:39:11,040 --> 00:39:13,520 if you know you want to baseline your 1005 00:39:13,520 --> 00:39:15,680 environment you can use that 1006 00:39:15,680 --> 00:39:17,920 but that command should never be run by 1007 00:39:17,920 --> 00:39:18,880 anyone 1008 00:39:18,880 --> 00:39:20,079 maybe 1009 00:39:20,079 --> 00:39:22,240 an admin does it every now and then but 1010 00:39:22,240 --> 00:39:24,240 at that point you should be able to you 1011 00:39:24,240 --> 00:39:26,079 know 1012 00:39:26,079 --> 00:39:29,720 tune out that activity 1013 00:39:30,720 --> 00:39:32,880 here's where we see event ID 10 1014 00:39:32,880 --> 00:39:34,800 which is a process being accessed so 1015 00:39:34,800 --> 00:39:36,800 this is one of the 10 events that's 1016 00:39:36,800 --> 00:39:39,680 included in 1017 00:39:39,680 --> 00:39:41,920 that is included in Sysmon that Windows 1018 00:39:41,920 --> 00:39:43,280 doesn't have no matter what you 1019 00:39:43,280 --> 00:39:45,200 configure you know there are certain 1020 00:39:45,200 --> 00:39:47,280 things that Sysmon has
1021 00:39:47,280 --> 00:39:48,079 um 1022 00:39:48,079 --> 00:39:50,160 that Windows does but you have to 1023 00:39:50,160 --> 00:39:52,079 configure for policy like several 1024 00:39:52,079 --> 00:39:53,520 different places 1025 00:39:53,520 --> 00:39:55,760 or you know you have to 1026 00:39:55,760 --> 00:39:58,079 turn features on or or something like 1027 00:39:58,079 --> 00:39:59,359 that so like 1028 00:39:59,359 --> 00:40:01,599 to have process creation 1029 00:40:01,599 --> 00:40:02,720 show 1030 00:40:02,720 --> 00:40:05,760 command line uh arguments right like 1031 00:40:05,760 --> 00:40:07,200 anything in the PowerShell command line 1032 00:40:07,200 --> 00:40:09,200 or the regular command line 1033 00:40:09,200 --> 00:40:11,040 for regular Windows 1034 00:40:11,040 --> 00:40:13,520 event to show those it shows up in you 1035 00:40:13,520 --> 00:40:15,839 know multitude of Windows event IDs 1036 00:40:15,839 --> 00:40:18,079 but you also have to turn on several 1037 00:40:18,079 --> 00:40:20,079 settings in group policy just to have 1038 00:40:20,079 --> 00:40:22,240 that kind of thing happen but process 1039 00:40:22,240 --> 00:40:24,400 being accessed you can't even do you 1040 00:40:24,400 --> 00:40:25,920 can't do no matter 1041 00:40:25,920 --> 00:40:28,000 what GPO thing you configure 1042 00:40:28,000 --> 00:40:29,119 um 1043 00:40:29,119 --> 00:40:32,240 and you know we see it here 1044 00:40:32,240 --> 00:40:33,040 it's 1045 00:40:33,040 --> 00:40:35,040 you know basically still PowerShell 1046 00:40:35,040 --> 00:40:36,960 using ntdsutil 1047 00:40:36,960 --> 00:40:39,760 and then what it's accessing underneath 1048 00:40:39,760 --> 00:40:42,160 that granted access is the space in 1049 00:40:42,160 --> 00:40:44,560 memory 1050 00:40:46,160 --> 00:40:47,920 and then leads us to the third one event 1051 00:40:47,920 --> 00:40:50,240 ID 13 which is a registry value being 1052 00:40:50,240 --> 00:40:52,960 set so this populates whenever that
1053 00:40:52,960 --> 00:40:55,200 process executes successfully 1054 00:40:55,200 --> 00:40:57,680 so you see where it was executed at that 1055 00:40:57,680 --> 00:41:00,799 it was on tdsutel 1056 00:41:03,839 --> 00:41:06,560 now how to detect on this many different 1057 00:41:06,560 --> 00:41:08,960 ways all right so many different ways to 1058 00:41:08,960 --> 00:41:11,680 detect on ntds util being used in 1059 00:41:11,680 --> 00:41:12,800 general 1060 00:41:12,800 --> 00:41:15,440 um we can detect on me you know the 1061 00:41:15,440 --> 00:41:17,359 first example is mimi cats right there's 1062 00:41:17,359 --> 00:41:18,720 like a bunch of different ways to detect 1063 00:41:18,720 --> 00:41:20,160 on mimi mimikats 1064 00:41:20,160 --> 00:41:21,040 um 1065 00:41:21,040 --> 00:41:23,280 in this example though this is just 1066 00:41:23,280 --> 00:41:26,319 dumping active directory with ntds util 1067 00:41:26,319 --> 00:41:28,960 so that's you can detect on that windows 1068 00:41:28,960 --> 00:41:31,280 event id1 from through sysmon is the 1069 00:41:31,280 --> 00:41:33,040 first one that i showed 1070 00:41:33,040 --> 00:41:35,359 the process name is going to be 1071 00:41:35,359 --> 00:41:38,720 some version of ntds util 1072 00:41:38,720 --> 00:41:41,359 i have like there because 1073 00:41:41,359 --> 00:41:42,560 um 1074 00:41:42,560 --> 00:41:44,319 there are tools that try and do obvious 1075 00:41:44,319 --> 00:41:45,760 obfuscation 1076 00:41:45,760 --> 00:41:49,200 of those commands so you can kind of get 1077 00:41:49,200 --> 00:41:52,240 around that with doing likes um and and 1078 00:41:52,240 --> 00:41:54,000 different kind of regexes 1079 00:41:54,000 --> 00:41:55,040 and then the same thing with like the 1080 00:41:55,040 --> 00:41:57,599 command or the parent command line 1081 00:41:57,599 --> 00:41:59,359 for this example we just have the q q in 1082 00:41:59,359 --> 00:42:02,359 there 1083 00:42:04,880 --> 00:42:06,640 so to wrap up a 
little bit with some 1084 00:42:06,640 --> 00:42:09,520 detection planning 1085 00:42:10,319 --> 00:42:12,720 um who here on a regular cadence test 1086 00:42:12,720 --> 00:42:14,160 your sim 1087 00:42:14,160 --> 00:42:17,359 uh somewhere another not counting having 1088 00:42:17,359 --> 00:42:18,000 a 1089 00:42:18,000 --> 00:42:20,160 regularly scheduled pen test like that 1090 00:42:20,160 --> 00:42:22,800 obviously should be testing your sim but 1091 00:42:22,800 --> 00:42:24,480 do you test it at any other point in 1092 00:42:24,480 --> 00:42:25,760 time 1093 00:42:25,760 --> 00:42:26,960 um 1094 00:42:26,960 --> 00:42:28,880 just think about it you know the amount 1095 00:42:28,880 --> 00:42:31,200 of things that can go wrong in any given 1096 00:42:31,200 --> 00:42:33,680 day when it comes to the implementation 1097 00:42:33,680 --> 00:42:35,680 of alerting system you know you could 1098 00:42:35,680 --> 00:42:36,640 have 1099 00:42:36,640 --> 00:42:38,720 an endpoint client that 1100 00:42:38,720 --> 00:42:41,599 suddenly stops like the service stops or 1101 00:42:41,599 --> 00:42:44,400 maybe a network fire will rule or local 1102 00:42:44,400 --> 00:42:46,720 firewall rules put into place or maybe 1103 00:42:46,720 --> 00:42:48,560 you know there's a piece of uh an 1104 00:42:48,560 --> 00:42:51,359 endpoint software that stops stops the 1105 00:42:51,359 --> 00:42:52,800 export of logs 1106 00:42:52,800 --> 00:42:54,319 you know maybe 1107 00:42:54,319 --> 00:42:56,800 the mapping or the parsing of those 1108 00:42:56,800 --> 00:42:58,400 different things into fields that you're 1109 00:42:58,400 --> 00:42:59,680 looking at 1110 00:42:59,680 --> 00:43:01,520 has changed you know if 1111 00:43:01,520 --> 00:43:04,160 after doing this for years like vendors 1112 00:43:04,160 --> 00:43:05,599 all i mean windows not so much but 1113 00:43:05,599 --> 00:43:07,760 vendors in general will change 1114 00:43:07,760 --> 00:43:10,319 um the format of their logs 
like oh 1115 00:43:10,319 --> 00:43:12,319 we've got a firmware update or software 1116 00:43:12,319 --> 00:43:15,040 update or this update and 1117 00:43:15,040 --> 00:43:16,720 now there's a space in the logs or they 1118 00:43:16,720 --> 00:43:18,160 renamed a field 1119 00:43:18,160 --> 00:43:21,680 or the api endpoint has changed like 1120 00:43:21,680 --> 00:43:23,760 so many different things 1121 00:43:23,760 --> 00:43:26,640 can happen and that's that's just the 1122 00:43:26,640 --> 00:43:29,280 process that's above and beyond 1123 00:43:29,280 --> 00:43:30,160 you know 1124 00:43:30,160 --> 00:43:32,000 maybe there's a different way to run a 1125 00:43:32,000 --> 00:43:33,760 tool or an explainer maybe there's a new 1126 00:43:33,760 --> 00:43:36,000 tool or exploit like doing this stuff is 1127 00:43:36,000 --> 00:43:38,240 never ending which is why i find it so 1128 00:43:38,240 --> 00:43:39,280 incredibly 1129 00:43:39,280 --> 00:43:41,280 interesting and fun 1130 00:43:41,280 --> 00:43:43,200 so just thinking about all of those 1131 00:43:43,200 --> 00:43:44,720 different ways can interrupt those 1132 00:43:44,720 --> 00:43:46,400 detections from firing 1133 00:43:46,400 --> 00:43:48,400 regular testing is going to be 1134 00:43:48,400 --> 00:43:50,319 one of the best ways you can ensure that 1135 00:43:50,319 --> 00:43:53,119 system is working how you expect it to 1136 00:43:53,119 --> 00:43:55,040 now don't get me wrong 1137 00:43:55,040 --> 00:43:56,560 you're not going to be able to test all 1138 00:43:56,560 --> 00:43:58,240 of your detections all the time on every 1139 00:43:58,240 --> 00:43:59,839 endpoint that would be 1140 00:43:59,839 --> 00:44:01,680 incredibly a large amount of time and 1141 00:44:01,680 --> 00:44:02,800 i'm sure you have better stuff to do 1142 00:44:02,800 --> 00:44:03,920 than that 1143 00:44:03,920 --> 00:44:06,880 however prioritizing what endpoints and 1144 00:44:06,880 --> 00:44:09,280 top tests you want to ensure 
continue to 1145 00:44:09,280 --> 00:44:10,240 work 1146 00:44:10,240 --> 00:44:12,560 is a really good first step at 1147 00:44:12,560 --> 00:44:14,000 planning those ongoing tests and i'll 1148 00:44:14,000 --> 00:44:17,280 show you a little bit how we do that too 1149 00:44:17,280 --> 00:44:20,160 i also highly recommend adding parts of 1150 00:44:20,160 --> 00:44:22,319 detection testing into any tabletop you 1151 00:44:22,319 --> 00:44:24,960 might be doing whether it's tabletop 1152 00:44:24,960 --> 00:44:27,359 in general or maybe you're creating ir 1153 00:44:27,359 --> 00:44:28,640 playbooks 1154 00:44:28,640 --> 00:44:31,040 put some testing in there like run it 1155 00:44:31,040 --> 00:44:33,040 through from beginning to end 1156 00:44:33,040 --> 00:44:37,200 see what happens if you uh try and dump 1157 00:44:37,200 --> 00:44:38,640 those credentials that's just one 1158 00:44:38,640 --> 00:44:40,960 command obviously you should have you 1159 00:44:40,960 --> 00:44:42,880 know 1160 00:44:42,880 --> 00:44:44,720 approval and not just do it on random 1161 00:44:44,720 --> 00:44:46,560 you know active directory environments 1162 00:44:46,560 --> 00:44:47,440 but 1163 00:44:47,440 --> 00:44:49,599 running those commands seeing if it's 1164 00:44:49,599 --> 00:44:52,960 it's been detected and then what 1165 00:44:52,960 --> 00:44:54,560 if that's not 1166 00:44:54,560 --> 00:44:55,520 um 1167 00:44:55,520 --> 00:44:56,960 if that's not a 1168 00:44:56,960 --> 00:45:00,480 pen tester then what like do you have 1169 00:45:00,480 --> 00:45:02,079 some kind of in great agreement with a 1170 00:45:02,079 --> 00:45:05,520 third-party ir firm do you have any plan 1171 00:45:05,520 --> 00:45:07,680 do you 1172 00:45:07,680 --> 00:45:09,680 have you know even if you just write it 1173 00:45:09,680 --> 00:45:11,520 on a sticky note like 1174 00:45:11,520 --> 00:45:15,040 bad thing happens call number right like 1175 00:45:15,040 --> 00:45:17,359 that's something that 
is something more 1176 00:45:17,359 --> 00:45:20,000 than more than a lot of people do have 1177 00:45:20,000 --> 00:45:21,040 um 1178 00:45:21,040 --> 00:45:22,640 you know i've been involved in a large 1179 00:45:22,640 --> 00:45:25,520 number of tabletop exercises and they 1180 00:45:25,520 --> 00:45:27,520 identify those gaps and detections all 1181 00:45:27,520 --> 00:45:28,640 the time 1182 00:45:28,640 --> 00:45:29,760 you know when you're walking through a 1183 00:45:29,760 --> 00:45:31,680 real life scenario and you come up with 1184 00:45:31,680 --> 00:45:33,599 this situation you're like oh my gosh 1185 00:45:33,599 --> 00:45:36,160 like i completely forgot like that sql 1186 00:45:36,160 --> 00:45:38,960 server talks to that web server that you 1187 00:45:38,960 --> 00:45:41,599 know backs up to this thing and you know 1188 00:45:41,599 --> 00:45:43,599 we've never tested those backups so we 1189 00:45:43,599 --> 00:45:45,599 have no process on that 1190 00:45:45,599 --> 00:45:47,839 we didn't know that that's how you know 1191 00:45:47,839 --> 00:45:49,359 i'm the i'm the only one that knew how 1192 00:45:49,359 --> 00:45:51,200 that information flowed so like if i 1193 00:45:51,200 --> 00:45:53,200 leave nobody else will know that that 1194 00:45:53,200 --> 00:45:54,319 kind of stuff 1195 00:45:54,319 --> 00:45:56,079 um that you may never have thought of 1196 00:45:56,079 --> 00:45:57,520 before 1197 00:45:57,520 --> 00:46:00,960 and also highly highly recommend that 1198 00:46:00,960 --> 00:46:02,960 you have an active relationship if you 1199 00:46:02,960 --> 00:46:05,200 have a sim vendor um whether they're 1200 00:46:05,200 --> 00:46:06,960 your mssp 1201 00:46:06,960 --> 00:46:10,000 or you know you know you just you run it 1202 00:46:10,000 --> 00:46:12,240 internally 1203 00:46:12,240 --> 00:46:14,160 having that relationship especially if 1204 00:46:14,160 --> 00:46:15,040 they're an 1205 00:46:15,040 --> 00:46:16,319 mssp 1206 00:46:16,319 
--> 00:46:17,200 um 1207 00:46:17,200 --> 00:46:18,880 is one of the things that i love i love 1208 00:46:18,880 --> 00:46:20,800 having active customers that test my 1209 00:46:20,800 --> 00:46:22,720 detections all the time you know we've 1210 00:46:22,720 --> 00:46:25,200 come up with some great detection ideas 1211 00:46:25,200 --> 00:46:28,079 like oh you know they ran this tool we 1212 00:46:28,079 --> 00:46:30,720 didn't detect it and oh that's why 1213 00:46:30,720 --> 00:46:32,400 because they're running it this way or 1214 00:46:32,400 --> 00:46:34,800 they ran it you know from this script 1215 00:46:34,800 --> 00:46:36,560 that called this thing that you know 1216 00:46:36,560 --> 00:46:38,079 there's a lot of different ways you can 1217 00:46:38,079 --> 00:46:40,560 get around detections um 1218 00:46:40,560 --> 00:46:41,599 and 1219 00:46:41,599 --> 00:46:43,040 it's it's great to have that kind of 1220 00:46:43,040 --> 00:46:46,319 relationship with your vendors 1221 00:46:48,240 --> 00:46:50,560 so another main detection creation 1222 00:46:50,560 --> 00:46:53,040 strategy is using adversary emulation 1223 00:46:53,040 --> 00:46:55,200 right so running those tools 1224 00:46:55,200 --> 00:46:57,200 and one of the ones that we use at our 1225 00:46:57,200 --> 00:46:59,680 disposal um is called vector and it's 1226 00:46:59,680 --> 00:47:03,040 free it's out there so vector.io and you 1227 00:47:03,040 --> 00:47:05,040 can import a lot of different frameworks 1228 00:47:05,040 --> 00:47:06,480 into the tool and i'll give you a few 1229 00:47:06,480 --> 00:47:09,280 examples of what we use uh when we went 1230 00:47:09,280 --> 00:47:12,160 down like our uh detection creation 1231 00:47:12,160 --> 00:47:13,359 journey 1232 00:47:13,359 --> 00:47:15,359 in the beginning so here you can see a 1233 00:47:15,359 --> 00:47:18,079 heat map of the minor attack framework 1234 00:47:18,079 --> 00:47:19,920 imported into vector 1235 00:47:19,920 --> 00:47:22,000 
so each tactic 1236 00:47:22,000 --> 00:47:23,760 there are commands and other adversary 1237 00:47:23,760 --> 00:47:26,079 emulation notes tests whatever that you 1238 00:47:26,079 --> 00:47:28,880 can perform and track you know they're 1239 00:47:28,880 --> 00:47:30,640 using the atomic red team test through 1240 00:47:30,640 --> 00:47:33,440 red canary which also a huge fan of 1241 00:47:33,440 --> 00:47:35,760 and if you spent much time in either the 1242 00:47:35,760 --> 00:47:39,040 attack framework or atomic red team um 1243 00:47:39,040 --> 00:47:40,880 you know you can look at what to map 1244 00:47:40,880 --> 00:47:42,400 those two i'm sure there's other things 1245 00:47:42,400 --> 00:47:44,079 that you can import into vector like 1246 00:47:44,079 --> 00:47:46,079 pick your favorite adversary emulation 1247 00:47:46,079 --> 00:47:48,960 technique or our framework like there's 1248 00:47:48,960 --> 00:47:52,240 a lot of stuff vector does fantastically 1249 00:47:52,240 --> 00:47:53,119 right 1250 00:47:53,119 --> 00:47:54,960 um and it can be a daunting task at 1251 00:47:54,960 --> 00:47:59,599 first right so it makes it easier to 1252 00:47:59,599 --> 00:48:00,960 kind of track that stuff especially if 1253 00:48:00,960 --> 00:48:02,079 you're doing all of this stuff 1254 00:48:02,079 --> 00:48:04,160 internally um 1255 00:48:04,160 --> 00:48:06,800 it's it's a lot of work right you you 1256 00:48:06,800 --> 00:48:08,240 look at the minor attack framework 1257 00:48:08,240 --> 00:48:09,839 you're like oh my gosh there's thousands 1258 00:48:09,839 --> 00:48:11,760 of things there and i have to worry 1259 00:48:11,760 --> 00:48:12,800 about this and i have to worry about 1260 00:48:12,800 --> 00:48:13,839 that 1261 00:48:13,839 --> 00:48:16,640 prioritizing and mapping them 1262 00:48:16,640 --> 00:48:20,079 in here makes it so much easier um and 1263 00:48:20,079 --> 00:48:21,680 like i don't have anything to gain by 1264 00:48:21,680 --> 00:48:23,119 
telling you to use them i just think 1265 00:48:23,119 --> 00:48:24,480 it's a great tool 1266 00:48:24,480 --> 00:48:25,599 um 1267 00:48:25,599 --> 00:48:27,440 and then in the next couple of slides 1268 00:48:27,440 --> 00:48:28,880 i'll just pick one of these and i'll 1269 00:48:28,880 --> 00:48:32,000 show you kind of what that looks like 1270 00:48:32,000 --> 00:48:32,880 so 1271 00:48:32,880 --> 00:48:34,960 we don't dive into this specific one 1272 00:48:34,960 --> 00:48:36,960 it's uh windows discover domain trust 1273 00:48:36,960 --> 00:48:38,640 with ntl test 1274 00:48:38,640 --> 00:48:40,240 um that's another 1275 00:48:40,240 --> 00:48:41,280 um 1276 00:48:41,280 --> 00:48:43,359 uh 1277 00:48:43,359 --> 00:48:46,240 ntl and l test um 1278 00:48:46,240 --> 00:48:48,559 so diving into that one there's a few 1279 00:48:48,559 --> 00:48:49,839 different sets of information this is 1280 00:48:49,839 --> 00:48:51,760 the red team portion right 1281 00:48:51,760 --> 00:48:53,920 um vector does a great job of separating 1282 00:48:53,920 --> 00:48:54,880 out the 1283 00:48:54,880 --> 00:48:56,319 different 1284 00:48:56,319 --> 00:48:58,800 stuff into different fields and here it 1285 00:48:58,800 --> 00:49:01,359 gives you the description of what it is 1286 00:49:01,359 --> 00:49:03,359 it gives you the operator guidance which 1287 00:49:03,359 --> 00:49:05,440 is the test you want to perform 1288 00:49:05,440 --> 00:49:07,760 and why it's potentially malicious so it 1289 00:49:07,760 --> 00:49:09,520 also lists here like this technique's 1290 00:49:09,520 --> 00:49:12,400 been used by the trickbot malware family 1291 00:49:12,400 --> 00:49:14,400 that's great i mean 1292 00:49:14,400 --> 00:49:17,599 i suppose depends on whose viewpoint but 1293 00:49:17,599 --> 00:49:20,079 it's great information to have right so 1294 00:49:20,079 --> 00:49:21,920 that operator guidance has you know the 1295 00:49:21,920 --> 00:49:24,240 specific and this is just one 
example 1296 00:49:24,240 --> 00:49:25,599 right this is just one tiny little 1297 00:49:25,599 --> 00:49:26,559 command 1298 00:49:26,559 --> 00:49:28,240 um some of them are a little bit more 1299 00:49:28,240 --> 00:49:29,359 in-depth 1300 00:49:29,359 --> 00:49:32,160 and you can use those to kind of you 1301 00:49:32,160 --> 00:49:33,920 know i'm not a red teamer right i don't 1302 00:49:33,920 --> 00:49:36,079 know exactly how all right teamers do 1303 00:49:36,079 --> 00:49:38,720 all of their stuff but this is great um 1304 00:49:38,720 --> 00:49:39,839 if you're going to start down that 1305 00:49:39,839 --> 00:49:42,240 journey into where to even start on 1306 00:49:42,240 --> 00:49:44,960 creating those detections 1307 00:49:44,960 --> 00:49:46,480 and then that same technique page they 1308 00:49:46,480 --> 00:49:48,559 offer a section for blue team detail so 1309 00:49:48,559 --> 00:49:50,880 this is where you can track the status 1310 00:49:50,880 --> 00:49:51,760 of 1311 00:49:51,760 --> 00:49:54,400 the detection in your organization so 1312 00:49:54,400 --> 00:49:56,079 you know any other notes you have can go 1313 00:49:56,079 --> 00:49:58,800 in here you know we use we use this for 1314 00:49:58,800 --> 00:49:59,599 um 1315 00:49:59,599 --> 00:50:00,559 going through all of our cismod 1316 00:50:00,559 --> 00:50:02,559 detections you know we perform the red 1317 00:50:02,559 --> 00:50:05,359 team attack uh save our working query 1318 00:50:05,359 --> 00:50:06,800 which is kind of blacked out here 1319 00:50:06,800 --> 00:50:08,880 because like there's customer specific 1320 00:50:08,880 --> 00:50:10,240 information in there 1321 00:50:10,240 --> 00:50:12,000 um and then we save it in like our 1322 00:50:12,000 --> 00:50:13,760 working notes right 1323 00:50:13,760 --> 00:50:16,000 we test it again after we've created it 1324 00:50:16,000 --> 00:50:17,680 in the application 1325 00:50:17,680 --> 00:50:19,760 use our notes whatever see if that 
maybe 1326 00:50:19,760 --> 00:50:22,079 there's other iterations that we can use 1327 00:50:22,079 --> 00:50:23,839 different flags that may bypass the 1328 00:50:23,839 --> 00:50:25,119 detection 1329 00:50:25,119 --> 00:50:27,040 um and then complete that specific 1330 00:50:27,040 --> 00:50:28,240 emulation 1331 00:50:28,240 --> 00:50:29,200 and 1332 00:50:29,200 --> 00:50:30,559 there you go you have a detection 1333 00:50:30,559 --> 00:50:32,240 created so 1334 00:50:32,240 --> 00:50:33,920 uh at the time we were creating these it 1335 00:50:33,920 --> 00:50:35,839 was just the system on related ones but 1336 00:50:35,839 --> 00:50:37,359 you could do this with anything you 1337 00:50:37,359 --> 00:50:39,119 could do it with your endpoints 1338 00:50:39,119 --> 00:50:42,240 um you know this is the obviously the 1339 00:50:42,240 --> 00:50:43,839 query is going to differ depending on 1340 00:50:43,839 --> 00:50:46,079 what kind of type of sim you use and if 1341 00:50:46,079 --> 00:50:48,240 you're attempting to see you know the 1342 00:50:48,240 --> 00:50:49,520 other detections 1343 00:50:49,520 --> 00:50:51,440 you know you can import 1344 00:50:51,440 --> 00:50:52,400 um 1345 00:50:52,400 --> 00:50:53,280 uh 1346 00:50:53,280 --> 00:50:55,920 and have different tracking things for 1347 00:50:55,920 --> 00:50:58,240 like your endpoint solution or network 1348 00:50:58,240 --> 00:51:01,200 ids ips other technologies plain windows 1349 00:51:01,200 --> 00:51:04,079 logs whatever you can have different uh 1350 00:51:04,079 --> 00:51:06,160 sections in there that you 1351 00:51:06,160 --> 00:51:10,240 try and cover all your bases for 1352 00:51:11,440 --> 00:51:13,680 and that's it so 1353 00:51:13,680 --> 00:51:16,880 hopefully that was helpful to uh you all 1354 00:51:16,880 --> 00:51:19,200 and i hope you have an awesome rest of 1355 00:51:19,200 --> 00:51:20,160 the con 1356 00:51:20,160 --> 00:51:22,480 um this is gonna be super fun 1357 00:51:22,480 --> 
00:51:23,359 and 1358 00:51:23,359 --> 00:51:25,280 uh have a great time watching all the 1359 00:51:25,280 --> 00:51:26,559 other talks 1360 00:51:26,559 --> 00:51:27,359 and 1361 00:51:27,359 --> 00:51:28,800 hope to see you 1362 00:51:28,800 --> 00:51:31,790 in real life soon thank you 1363 00:51:31,790 --> 00:52:01,040 [Music] 1364 00:52:01,040 --> 00:52:03,119 you