1
00:00:00,100 --> 00:00:02,690
Let's talk about mitigation strategies.

2
00:00:02,850 --> 00:00:04,920
So what can we do here?

3
00:00:04,920 --> 00:00:09,180
Well, we can enable SMB signing on all devices, right?

4
00:00:09,180 --> 00:00:12,870
And that is the go-to strategy.

5
00:00:12,870 --> 00:00:15,260
The pro here is that it completely stops the attack.

6
00:00:15,270 --> 00:00:19,860
The con is that there can be performance issues with file copies.

7
00:00:19,860 --> 00:00:28,050
It's reported that it's about a 15 percent or so decrease in speed on file transfers when you're running

8
00:00:28,050 --> 00:00:29,280
with SMB.

9
00:00:29,340 --> 00:00:33,470
So that SMB signing does cause a little bit longer time period.

10
00:00:33,510 --> 00:00:41,370
But the thing I argue is that the longer time period for computer security is worth it. It's worth the

11
00:00:41,370 --> 00:00:47,550
tradeoff. Other options that you can take: you can disable NTLM authentication on the network.

12
00:00:47,850 --> 00:00:51,330
If there is no NTLM authentication, then it completely stops the attack.

13
00:00:51,660 --> 00:00:57,960
However, if Kerberos stops working as the authentication method, then Windows is going to default back

14
00:00:57,960 --> 00:00:59,410
to NTLM anyway.

15
00:00:59,520 --> 00:01:02,260
So it's not a failsafe completely.

16
00:01:02,430 --> 00:01:05,430
More things: account tiering is super important.

17
00:01:05,460 --> 00:01:11,700
So what that means is, if you have a domain administrator, that domain administrator is only logging into

18
00:01:12,000 --> 00:01:18,360
their domain accounts or their domain servers, their domain controllers, right?

19
00:01:18,390 --> 00:01:23,730
They're not logging into a user account, because that would be really bad if we can capture a domain

20
00:01:23,730 --> 00:01:26,310
administrator in this sort of attack.
21
00:01:26,310 --> 00:01:29,790
The other thing too is that you want local admin restriction here.

22
00:01:29,790 --> 00:01:36,300
So if we don't have a local administrator, this can prevent a lot of lateral movement.

23
00:01:36,300 --> 00:01:41,940
We can't really get the shell, we can't get the hashes that we saw. None of that would happen if that

24
00:01:41,940 --> 00:01:46,230
Frank Castle user was not also a local administrator on another machine.

25
00:01:46,230 --> 00:01:51,060
So the con here is that you might see a potential increase in the amount of service desk tickets. Users

26
00:01:51,060 --> 00:01:51,900
complain about it.

27
00:01:51,900 --> 00:01:56,910
They always want to have admin, but it's not usually in the best interests of the company to give your

28
00:01:57,210 --> 00:02:00,000
users administrator rights on a computer.

29
00:02:00,090 --> 00:02:07,290
So that's it for SMB. Really, a big thing to talk about again is that SMB signing should be disabled and

30
00:02:07,290 --> 00:02:10,200
that local admins should be really restricted here.

31
00:02:10,200 --> 00:02:15,720
The other two are just best-practice sort of things, but still don't completely eliminate the attack.

32
00:02:15,720 --> 00:02:22,110
So from here we're going to go ahead and talk about gaining shell access and how we can gain shells

33
00:02:22,110 --> 00:02:25,050
with some of the information that we've already gathered right now.

34
00:02:25,170 --> 00:02:31,170
And then we'll move into some IPv6 attacks, which are really, really fun, and on to enumeration.

35
00:02:31,170 --> 00:02:32,730
So I'll see you over in the next video.