1
00:00:09,390 --> 00:00:15,730
OK, so in the last lecture we installed Sysmon. It was simple, seamless and sexy.

2
00:00:16,320 --> 00:00:18,330
OK, maybe not sexy, but it was still fun.

3
00:00:18,690 --> 00:00:25,110
Now we're going to get into PowerShell. Love PowerShell. Great, powerful and often abused framework.

4
00:00:25,140 --> 00:00:27,740
I mean, I've heard attackers call it the post-exploitation framework.

5
00:00:27,770 --> 00:00:27,970
Right.

6
00:00:27,990 --> 00:00:28,950
It's that framework.

7
00:00:28,950 --> 00:00:30,060
And we'll get into PowerShell later.

8
00:00:30,070 --> 00:00:32,190
We have an entire module on that in this course.

9
00:00:32,610 --> 00:00:34,850
But right now, I just want to show you how we can enable transcription.

10
00:00:35,190 --> 00:00:40,770
This is really important because when this is enabled, we can see each character that the attacker

11
00:00:40,770 --> 00:00:41,220
types.

12
00:00:41,610 --> 00:00:41,960
Right.

13
00:00:41,970 --> 00:00:46,640
That gives us a look at the exact output that they would see on the screen, sent into our SIEM,

14
00:00:46,920 --> 00:00:52,430
our security information and event monitoring platform, which we will be using Splunk for in this

15
00:00:52,440 --> 00:00:52,630
course.

16
00:00:52,670 --> 00:00:54,550
But let me show you how to get this set up.

17
00:00:54,570 --> 00:00:55,510
It's really, really cool.

18
00:00:55,770 --> 00:01:00,990
So what I'm going to do is I'm going to open up the web page, and we went to Hurricane Lounds Dotcom.

19
00:01:02,060 --> 00:01:06,980
If we scroll down, you can see that there is this PowerShell script, right, so we can click this.

20
00:01:09,020 --> 00:01:10,160
And we're just going to download it.

21
00:01:12,900 --> 00:01:14,670
So let's see here, you click Raw.

22
00:01:16,380 --> 00:01:22,030
You can basically select the name and then we can go to our PowerShell and pull it down.

23
00:01:22,920 --> 00:01:24,210
So let's go to our PowerShell.

24
00:01:26,280 --> 00:01:27,390
Control-Shift-Enter.

25
00:01:37,540 --> 00:01:39,940
Invoke-WebRequest.

26
00:01:41,340 --> 00:01:42,250
URI.

27
00:01:42,280 --> 00:01:46,600
Let's see if this works and see if we can specify.

28
00:01:48,670 --> 00:01:50,950
I don't see an OutFile or directory, but I think... wait.

29
00:01:51,640 --> 00:01:52,510
What's that, OutFile?

30
00:01:53,180 --> 00:01:53,560
Sweet.

31
00:01:53,860 --> 00:01:57,300
So we can put that on our desktop or put it in our...

32
00:01:57,520 --> 00:02:02,580
Yeah, we'll put it in our desktop or Downloads folder and we'll just name it the same thing.

33
00:02:02,590 --> 00:02:04,720
PowerShell logging dot

34
00:02:04,750 --> 00:02:07,210
ps1. See if it works.

35
00:02:09,170 --> 00:02:10,030
Looks like it might have.

36
00:02:12,050 --> 00:02:16,090
There we go, we have it right there, so now we need to run it, right, and how do we do that?

37
00:02:16,320 --> 00:02:19,320
Well, we can simply run the file.

38
00:02:19,330 --> 00:02:21,060
So if we try to run it, that's...

39
00:02:23,740 --> 00:02:31,510
It's going to still run because our execution policy is still set to Bypass or Unrestricted, right?

40
00:02:32,200 --> 00:02:32,520
All right.

41
00:02:32,590 --> 00:02:33,640
So we're good there.

42
00:02:34,600 --> 00:02:37,980
So now we actually should have PowerShell logging enabled.

43
00:02:38,050 --> 00:02:39,280
What we need to do is reboot the box.

44
00:02:40,000 --> 00:02:42,270
And before we do that, though, there's one other thing we need to do.

45
00:02:42,520 --> 00:02:43,660
This is just transcription logging.

46
00:02:43,660 --> 00:02:46,270
There is also another log we need to set up.

47
00:02:46,280 --> 00:02:48,400
So let's go to gpedit.msc.

48
00:02:50,870 --> 00:02:56,600
And this is the Local Group Policy Editor. I just want to make sure that we have module logging and also...

49
00:02:58,490 --> 00:02:59,540
script block enabled.

50
00:03:04,990 --> 00:03:10,870
All right, so we don't, so let's start from the top. Module logging logs the modules, right, that

51
00:03:10,870 --> 00:03:12,010
are loaded. Enable it.

52
00:03:12,160 --> 00:03:16,570
And for the module names, I'm just going to put a star here so that we get everything.

53
00:03:17,780 --> 00:03:23,150
OK, this actually tells you what it does, and there's a really, really good article on what PowerShell

54
00:03:23,150 --> 00:03:28,880
logging does and what you should enable. You go to our good friend Google.

55
00:03:30,760 --> 00:03:36,940
We can type FireEye PowerShell logging, I believe that's all we need to search for.

56
00:03:38,040 --> 00:03:38,640
Yep.

57
00:03:39,840 --> 00:03:41,680
Greater Visibility Through PowerShell Logging.

58
00:03:41,970 --> 00:03:46,530
Yeah, this article is kind of old, you know. When it comes to cybersecurity, I don't really

59
00:03:46,530 --> 00:03:50,370
care if it's old, because a lot of them still have value.

60
00:03:51,420 --> 00:03:54,360
You know, attackers are still using Nmap, the network mapper.

61
00:03:54,540 --> 00:03:57,130
You know, back when The Matrix came out, Trinity was using Nmap.

62
00:03:57,150 --> 00:03:57,390
Right.

63
00:03:57,400 --> 00:03:59,760
So, you know, these tools are still effective.

64
00:04:00,480 --> 00:04:03,540
But you can see here, if you read through this document, it tells you, you know, what is module

65
00:04:03,540 --> 00:04:04,590
logging, right.

66
00:04:05,340 --> 00:04:07,800
You know, this is really the key. It tells you what script block logging is.

67
00:04:09,220 --> 00:04:11,310
And so, you know, this is pretty cool.

68
00:04:11,320 --> 00:04:15,700
It says it also records the obfuscated code as it's executed, right.

69
00:04:15,730 --> 00:04:16,460
So that's really good.

70
00:04:17,380 --> 00:04:20,990
It captures the full contents of code executed by the attacker.

71
00:04:21,250 --> 00:04:22,780
Obviously, you want to see that as a defender.

72
00:04:22,780 --> 00:04:23,050
Right.

73
00:04:23,620 --> 00:04:24,750
And then module logging.

74
00:04:24,760 --> 00:04:25,730
You can read all this, too.

75
00:04:26,050 --> 00:04:30,490
So what we're going to do is really pretty much we're going to follow the instructions here, but...

76
00:04:31,450 --> 00:04:35,320
You know, to save you from having to type everything in here, actually, you can see what we're doing

77
00:04:35,320 --> 00:04:38,460
right here where we're putting that star here, to save you from typing everything in here.

78
00:04:38,460 --> 00:04:41,620
And from reading this, we're just going to go and follow it this way.

79
00:04:41,680 --> 00:04:41,980
All right.

80
00:04:41,990 --> 00:04:43,800
So I'm just going to show you, I'm going to walk you through it.

81
00:04:44,290 --> 00:04:45,250
So we've got that enabled.

82
00:04:45,880 --> 00:04:46,870
We can hit Next Setting.

83
00:04:48,490 --> 00:04:50,140
PowerShell script block logging.

84
00:04:50,270 --> 00:04:51,340
Yes, we want that enabled.

85
00:04:52,390 --> 00:04:53,100
It looks good.

86
00:04:55,320 --> 00:04:57,450
And we don't want script execution.

87
00:04:58,610 --> 00:05:03,270
And transcription, this should actually already be configured, but we can also enable it here as well.

88
00:05:04,040 --> 00:05:09,290
And the reason I said it should already be configured is because we just ran that PowerShell transcription

89
00:05:09,410 --> 00:05:10,790
logging script.

90
00:05:11,420 --> 00:05:14,930
And I like including the invocation headers, because then it shows the timestamps of when the script

91
00:05:14,930 --> 00:05:15,530
was executed.

92
00:05:16,220 --> 00:05:18,110
So I'm going to click Apply and click

93
00:05:18,110 --> 00:05:20,180
OK. We're looking good here.

94
00:05:20,360 --> 00:05:26,930
We've got the three, the dynamic trio of PowerShell logs, and we're just gonna reboot. Reboot.

95
00:05:29,370 --> 00:05:31,610
No, there's probably a cmdlet for that.

96
00:05:32,030 --> 00:05:32,780
Now I'm curious.

97
00:05:44,190 --> 00:05:50,950
Let's Get-Command and... restart. Restart-Computer.

98
00:05:51,810 --> 00:05:52,240
Look at that.

99
00:05:52,590 --> 00:05:52,930
All right.

100
00:05:52,930 --> 00:05:55,770
So I could say Restart-Computer, and that's going to do it.

101
00:05:57,990 --> 00:05:59,220
Bam, that's how we roll.

102
00:05:59,340 --> 00:06:02,580
And don't worry, again, I'm going to show you PowerShell awesomeness later. You're probably wondering

103
00:06:02,580 --> 00:06:06,750
what the heck was that Get-Command trick I just ran. I'm going to demystify the whole thing for

104
00:06:06,750 --> 00:06:07,070
you guys.

105
00:06:07,240 --> 00:06:11,100
This is going to be the ultimate modern hacking, ethical hacking course.

106
00:06:11,490 --> 00:06:16,890
I really want to give you guys everything you need to become, you know, technically adept when it

107
00:06:16,890 --> 00:06:19,860
comes to launching attacks and detecting those attacks.

108
00:06:20,190 --> 00:06:20,510
Right.

109
00:06:21,000 --> 00:06:21,780
That's all we need.

110
00:06:22,350 --> 00:06:24,180
This box is going to reboot and do its thing.

111
00:06:25,850 --> 00:06:31,640
And right now we are here. There's one thing I want to check, to make sure that we are collecting PowerShell

112
00:06:31,640 --> 00:06:32,090
logs.

113
00:06:33,810 --> 00:06:38,430
All right, let's go back into the Event Viewer.

114
00:06:52,570 --> 00:06:54,400
All right, let's go to Microsoft.

115
00:06:57,950 --> 00:07:00,440
Windows PowerShell.

116
00:07:03,580 --> 00:07:04,840
And we do see logs here.

117
00:07:06,730 --> 00:07:09,730
4103, 4104.

118
00:07:12,350 --> 00:07:13,310
And just to test it.

119
00:07:14,630 --> 00:07:16,880
What I can do is I can open up our PowerShell.

120
00:07:20,370 --> 00:07:24,240
I can type $PSVersionTable and Get-

121
00:07:28,410 --> 00:07:36,080
it, Get-Service, and then let's go back to the logs and see if we got anything in here.

122
00:07:36,300 --> 00:07:38,700
Click Refresh and you can see.

123
00:07:40,480 --> 00:07:42,700
You can see Get-Service was launched here.

124
00:07:43,860 --> 00:07:46,030
All right, so that is good. In the next lecture

125
00:07:46,060 --> 00:07:49,910
we are going to actually dig into Hacker Hurricane's Windows cheat sheets.

126
00:07:50,070 --> 00:07:54,940
So this is the de facto standard when it comes to what you should audit and log on.

127
00:07:55,270 --> 00:07:56,100
So we're almost there.

128
00:07:56,510 --> 00:07:57,360
We're making progress.

129
00:07:57,780 --> 00:07:59,470
But first, we need to set this up.

130
00:07:59,910 --> 00:08:01,580
These audit policies.

131
00:08:01,610 --> 00:08:05,100
And then once we do that, we can start installing our Universal Forwarder.

132
00:08:05,170 --> 00:08:07,780
Then we can go through some of the best practices.

133
00:08:08,160 --> 00:08:10,000
Hey, guys, I will see you in the next lecture.

134
00:08:10,020 --> 00:08:10,860
It's going to be a lot of fun.

135
00:08:11,070 --> 00:08:12,270
I'll see you guys. Bye.