1 00:00:08,580 --> 00:00:13,620 All right, so in our last lectures, we explored our Windows 10 target.
2 00:00:13,980 --> 00:00:16,910 Now we're going to instrument the endpoint.
3 00:00:17,750 --> 00:00:20,760 Sysmon is awesome.
4 00:00:21,370 --> 00:00:23,100 If you haven't heard of it, it's great.
5 00:00:23,110 --> 00:00:32,010 It's an excellent way to forward your logs and monitor and log all of the activity on an endpoint.
6 00:00:32,610 --> 00:00:35,280 And it provides a lot of detailed information about what's happening.
7 00:00:36,180 --> 00:00:41,280 It's very, very good from an incident response and a blue team perspective.
8 00:00:41,580 --> 00:00:45,630 This is what you want if you're looking to get visibility into your endpoints.
9 00:00:46,020 --> 00:00:47,990 OK, so what we're going to do is we're just going to kick it off now.
10 00:00:48,010 --> 00:00:50,070 I'm going to show you the best way to do this.
11 00:00:50,340 --> 00:00:50,630 Right.
12 00:00:50,640 --> 00:00:54,360 So, you know, you may Google around on how to install Sysmon and you'll see tutorials, but I'm
13 00:00:54,360 --> 00:00:58,970 going to show you the most current techniques for installing Sysmon with the best configuration.
14 00:00:59,480 --> 00:01:00,050 How are we going to do this?
15 00:01:00,060 --> 00:01:01,800 We're just going to go ahead and click download on this one.
16 00:01:03,420 --> 00:01:07,140 And it's really, really small, so I can right click, show in folder.
17 00:01:09,350 --> 00:01:10,040 Very cool.
18 00:01:10,520 --> 00:01:13,220 I'm just going to say extract all.
19 00:01:14,160 --> 00:01:18,480 I'm going to put this in a folder called Sysmon, so let's go and browse.
20 00:01:19,420 --> 00:01:20,050 Let's see.
21 00:01:21,700 --> 00:01:24,000 See, we'll put it in Program Files.
22 00:01:30,560 --> 00:01:31,270 Looks good to me.
23 00:01:33,900 --> 00:01:34,620 Extract.
24 00:01:35,870 --> 00:01:39,800 Of course, we need elevated rights to do this because we're writing to the Program Files directory.
25 00:01:41,330 --> 00:01:42,620 Right, that was really fast.
26 00:01:45,410 --> 00:01:47,650 Now, here we go, we're in Program Files and we have Sysmon.
27 00:01:48,580 --> 00:01:53,980 Now that step is done. Also, now what we need to do is we need to get a Sysmon configuration.
28 00:01:54,250 --> 00:01:57,970 So I'm going to go over to Olaf Hartong's sysmon-modular.
29 00:01:58,510 --> 00:02:01,180 So this is a sort of a fork.
30 00:02:01,180 --> 00:02:07,420 You can call it a branch from SwiftOnSecurity, which is a very popular Sysmon configuration.
31 00:02:08,440 --> 00:02:16,270 But I like Olaf Hartong's sysmon-modular better because it just breaks down each of the different
32 00:02:16,690 --> 00:02:17,770 events that you want to see
33 00:02:19,120 --> 00:02:23,410 into sort of a modular framework, and it just makes it really, really easy to collect all this stuff,
34 00:02:23,410 --> 00:02:23,630 right.
35 00:02:23,980 --> 00:02:26,380 We can see create process, process access.
36 00:02:28,180 --> 00:02:34,780 You know, image loads, right, file create times, everything is here. Process creation, the one
37 00:02:34,780 --> 00:02:37,220 is the event ID that you're going to see in the log.
38 00:02:37,240 --> 00:02:41,440 So, for example, Event ID 22 is a DNS query, so all DNS queries,
39 00:02:41,440 --> 00:02:45,190 you'll see that here. Process end, you'll see an Event ID 5.
40 00:02:45,640 --> 00:02:51,160 And I like this repo because it's current and this is the most updated repo that I've seen for this
41 00:02:51,160 --> 00:02:52,090 Sysmon configuration.
42 00:02:53,240 --> 00:02:55,700 OK, so the way we get it is we just download it, right?
43 00:02:55,760 --> 00:02:57,050 I'm just going to go ahead and click Code.
44 00:02:57,740 --> 00:02:59,000 I'm going to say Download ZIP.
45 00:03:00,760 --> 00:03:04,350 All right, we've got the zip, very cool. Show in folder there.
46 00:03:05,390 --> 00:03:06,260 Open this guy up.
47 00:03:08,280 --> 00:03:14,010 All right, and we're just going to extract all and we're going to put it in that folder we created
48 00:03:14,010 --> 00:03:15,380 earlier in Program Files.
49 00:03:15,440 --> 00:03:15,840 That's right.
50 00:03:17,680 --> 00:03:20,020 C:\Program Files.
51 00:03:21,620 --> 00:03:24,800 And is Sysmon there? It is. So nice.
52 00:03:25,900 --> 00:03:27,100 OK, let's give it a go.
53 00:03:27,340 --> 00:03:29,020 Extract, continue.
54 00:03:31,770 --> 00:03:35,640 All right, so we're going to let this run and, once it finishes, we'll come back and we'll start the
55 00:03:35,640 --> 00:03:37,430 configuration of this one, right.
56 00:03:37,440 --> 00:03:40,050 So the extraction finished in a few minutes.
57 00:03:40,500 --> 00:03:42,450 We're just going to make sure everything is in the same folder.
58 00:03:42,450 --> 00:03:43,890 So I'm going to go inside of here.
59 00:03:45,120 --> 00:03:48,420 Ctrl+A, Ctrl+X, Ctrl+X to put it on the clipboard.
60 00:03:49,460 --> 00:03:52,970 And then we'll paste, we'll continue.
61 00:03:56,380 --> 00:03:58,220 Do this for all current items.
62 00:03:58,240 --> 00:03:58,660 Yes.
63 00:04:02,720 --> 00:04:05,330 Then I'm just going to delete that sysmon-modular-master folder.
64 00:04:08,710 --> 00:04:13,120 All right, so it's looking good. Now what we need to do is get PowerShell up and running here, so I'm
65 00:04:13,120 --> 00:04:14,230 going to go to the command prompt.
66 00:04:15,620 --> 00:04:21,320 I believe I can press Ctrl+Shift+Enter to open an elevated command prompt, yes, that was straight
67 00:04:21,320 --> 00:04:22,780 up from memory, which is pretty cool.
68 00:04:22,790 --> 00:04:25,490 Ctrl+Shift+Enter gives you that power, so.
69 00:04:33,270 --> 00:04:39,180 All right, so we are running PowerShell, and let's now go to this directory and what we're going to do
70 00:04:39,180 --> 00:04:39,510 is that.
71 00:04:40,140 --> 00:04:42,240 So I Ctrl+C'd and then I right
72 00:04:42,240 --> 00:04:44,930 click inside the window to paste it into this window.
73 00:04:46,910 --> 00:04:52,340 What happened here? I will say that is a weird error message.
74 00:04:59,930 --> 00:05:04,130 And I'm guessing the reason it did that is because I didn't put it in quotes, so this space was causing
75 00:05:04,130 --> 00:05:04,610 problems.
76 00:05:05,300 --> 00:05:12,590 So it thought that Sysmon on this right here after the space was an argument to some application
77 00:05:12,590 --> 00:05:14,090 called C:\Program.
78 00:05:16,550 --> 00:05:16,940 All right.
79 00:05:17,060 --> 00:05:18,350 So now what do we do once we get here?
80 00:05:18,710 --> 00:05:22,190 Well, we could look at all the files and the ones we really care about.
81 00:05:22,790 --> 00:05:26,270 Is this the sysmon-modular script?
82 00:05:26,720 --> 00:05:28,550 So you should see this one right here.
83 00:05:29,010 --> 00:05:33,830 And the way you run it is we first need to disable our execution policy.
84 00:05:33,830 --> 00:05:34,010 Right?
85 00:05:34,010 --> 00:05:40,520 Because right now, if I try to run it, PowerShell's like, nope, scripts are disabled.
86 00:05:41,150 --> 00:05:41,480 Right.
87 00:05:41,900 --> 00:05:43,980 And this is not really a security boundary.
88 00:05:44,210 --> 00:05:47,270 This is just PowerShell preventing people from making silly mistakes.
89 00:05:47,690 --> 00:05:49,760 So what we can do is disable that, right.
90 00:05:49,760 --> 00:05:53,750 So I can say Set-Execution, tab to complete.
91 00:05:54,500 --> 00:05:54,820 Right.
92 00:05:55,130 --> 00:06:01,070 And then dash and hit tab. Every time, tab shows me another parameter, if I hold down shift and press tab
93 00:06:01,310 --> 00:06:01,970 I go backwards.
94 00:06:02,300 --> 00:06:04,580 Set-ExecutionPolicy, set to Unrestricted.
95 00:06:06,350 --> 00:06:07,190 Very, very cool.
96 00:06:07,400 --> 00:06:12,050 And now I can dot-source this.
97 00:06:13,820 --> 00:06:19,130 I add a dot, then another dot and a backslash in the name of the script, and that'll load it into
98 00:06:19,130 --> 00:06:19,520 memory.
99 00:06:21,080 --> 00:06:21,380 All right.
100 00:06:21,380 --> 00:06:22,780 I'm going to say run once.
101 00:06:23,630 --> 00:06:24,490 Very, very cool.
102 00:06:25,010 --> 00:06:29,840 And now the last step is just to Merge-SysmonXml.
103 00:06:30,050 --> 00:06:32,420 You can see now it is in our path.
104 00:06:32,960 --> 00:06:34,480 Now, where am I getting all this magic from?
105 00:06:34,850 --> 00:06:36,650 I'm not some super guru really.
106 00:06:36,830 --> 00:06:38,690 All these commands just came from this GitHub page.
107 00:06:38,690 --> 00:06:38,960 Right.
108 00:06:38,960 --> 00:06:43,130 So you can see what I'm doing and in fact I'm going to make things easier by just copying and pasting
109 00:06:43,940 --> 00:06:44,330 this.
110 00:06:44,520 --> 00:06:45,350 So Ctrl+C.
111 00:06:47,110 --> 00:06:50,840 And then, back to that, right click, Enter.
112 00:06:52,580 --> 00:06:53,290 Let's see what happens.
113 00:06:53,720 --> 00:06:57,860 Very cool, so now you can see it produced this sysmonconfig.xml file, right?
114 00:07:04,630 --> 00:07:06,050 So that's the file we just created.
115 00:07:06,070 --> 00:07:11,530 Now let's go ahead and install Sysmon as a service so that it can survive a reboot and start with
116 00:07:11,530 --> 00:07:12,310 the operating system.
117 00:07:13,150 --> 00:07:15,720 I'm going to accept the EULA.
118 00:07:16,480 --> 00:07:24,040 I think we need one single tick, not two. OK, and then I'm going to install.
119 00:07:26,180 --> 00:07:26,940 This is Michael Vick.
120 00:07:28,400 --> 00:07:31,030 And again, you can see that right here, right?
121 00:07:31,140 --> 00:07:32,420 I'm not doing anything special.
122 00:07:32,450 --> 00:07:35,120 I'm just reading the instructions, to be honest with you guys.
123 00:07:36,300 --> 00:07:39,810 Let's minimize that, let's minimize all this, clean things up a little bit.
124 00:07:41,880 --> 00:07:42,450 Here we go.
125 00:07:42,490 --> 00:07:43,010 Here we go.
126 00:07:43,260 --> 00:07:43,680 What's up?
127 00:07:43,930 --> 00:07:44,420 What's up?
128 00:07:46,240 --> 00:07:50,710 Sweet, Sysmon has started, Sysmon is configured, that's it.
129 00:07:50,740 --> 00:07:53,200 Let me show you something if I open up Event Viewer here.
130 00:07:57,080 --> 00:07:59,480 Let me show you the hard work that we did, all right.
131 00:07:59,900 --> 00:08:01,610 Right click, open as administrator.
132 00:08:04,560 --> 00:08:06,130 All right, expand this window.
133 00:08:06,150 --> 00:08:09,750 I'm just going to go to Applications and Services Logs.
134 00:08:11,880 --> 00:08:12,810 Let's make it a little bit bigger.
135 00:08:15,230 --> 00:08:19,100 All right, that finally loaded, we're going to expand Microsoft, we're going to go to Windows.
136 00:08:21,270 --> 00:08:23,820 And we're going to go all the way to the bottom.
137 00:08:25,000 --> 00:08:29,390 And we should see Sysmon here, and we do. That is really cool.
138 00:08:29,410 --> 00:08:31,890 Now, I've got this Operational log.
139 00:08:32,740 --> 00:08:37,340 We'll get all kinds of juicy events, right, so we can already see some event code 12.
140 00:08:37,810 --> 00:08:39,420 And again, if you don't know what these event codes are.
141 00:08:40,170 --> 00:08:41,580 And by the way, this is really cool.
142 00:08:41,600 --> 00:08:42,850 It's mapping everything to,
143 00:08:42,850 --> 00:08:43,710 see, the technique code.
144 00:08:45,000 --> 00:08:46,980 And by the way, this is something else that's really cool.
145 00:08:47,010 --> 00:08:50,840 Notice right now, we have no malware on this box.
146 00:08:50,850 --> 00:08:54,570 It's a completely fresh image, but the logs are showing
147 00:08:56,500 --> 00:09:01,110 activity that's mapped to the MITRE ATT&CK framework, specifically this technique ID, right?
148 00:09:01,840 --> 00:09:04,210 So this is where cybersecurity gets really complicated.
149 00:09:04,450 --> 00:09:05,590 T1543.
150 00:09:05,590 --> 00:09:05,890 Right.
151 00:09:06,250 --> 00:09:09,570 Because filtering out the noise, right.
152 00:09:09,600 --> 00:09:11,110 T1543.
153 00:09:11,230 --> 00:09:13,870 Like, how do you know what's good and what's bad?
154 00:09:13,870 --> 00:09:15,460 And that's why context is everything.
155 00:09:16,370 --> 00:09:17,380 If I paste this in here.
156 00:09:18,490 --> 00:09:26,050 Let's see, look, create or modify system process: adversaries may create or modify system processes
157 00:09:26,050 --> 00:09:28,080 to repeatedly execute malicious payloads.
158 00:09:28,090 --> 00:09:28,330 Right.
159 00:09:28,900 --> 00:09:32,590 So if you don't really know what you're doing and you're looking at logs, maybe these logs are being
160 00:09:32,590 --> 00:09:35,560 sent into a SIEM and you see this, you might think, oh, no, we're under attack.
161 00:09:35,710 --> 00:09:36,780 No, we're not under attack.
162 00:09:36,790 --> 00:09:37,810 This is part of normal
163 00:09:38,870 --> 00:09:43,560 usage of the operating system and you can see here the image is VMware Tools, right?
164 00:09:43,580 --> 00:09:45,400 So VMware Tools is doing what it's supposed to do.
165 00:09:45,920 --> 00:09:49,930 It's really, really, really, really, really important that you know normal.
166 00:09:50,600 --> 00:09:54,230 How can you detect what's abnormal unless you know what is normal?
167 00:09:54,620 --> 00:09:56,890 And I'm going to harp on that a lot during this training.
168 00:09:57,050 --> 00:09:59,750 But the good thing is we have all of our events coming in here.
169 00:09:59,750 --> 00:10:03,920 If you need some help with these events and what they mean, you can read the task category or you can
170 00:10:03,920 --> 00:10:05,390 just go back to the page
171 00:10:06,280 --> 00:10:12,570 that we came from and you can actually go down to the bottom and it will tell you what.
172 00:10:12,620 --> 00:10:19,230 All right, that's what we have here. In the next lecture, we're going to up the ante with PowerShell.
173 00:10:19,690 --> 00:10:21,910 I'll see you guys in the next lecture, bye.