Video Transcription

Hello and welcome to another Application of the MITRE ATT&CK Framework discussion. Today we're going to be getting into account discovery.

So today's objectives are as follows. We're going to describe account discovery and some applicable commands that can be used, based on the operating system in question, to discover account information. What are some mitigation techniques that we can use to help prevent, or at least further deter, a threat actor from getting that information? And what are some detection techniques that we can use here as well?

Now, account discovery has a very simple definition, without getting too heavy into language or anything of that nature. It's just when a threat actor works to get a listing of local system or domain accounts. That's essentially what they're hoping to do, so that they can make use of those accounts to their benefit, for password cracking or something of that nature.
Some of the commands that can be used are going to be dependent on the underlying operating system. As you can see here, I just dotted out the name, but we used net user, and it returned some different user names that are blacked out: the default account, Guest, etcetera. So there may be something there that a threat actor could use. They may check whether an account is active, or whether the guest account is active, just so that they could get onto a system and do some further research and work. Now, some of the Windows commands like net user, net group, and net localgroup will give you information about user accounts and groups. On the Mac you've got groups, id, dscl, and some other utilities you can use. On Linux you can read the /etc/passwd file, or use groups and id. So there are a number of different commands that a threat actor could use to attempt to get user account information, and they could pipe that output out to a text file somewhere on the system where you may not see it, so that they have the information for further evaluation and use.
Now, what are some mitigation techniques that we could use to potentially keep a threat actor from taking advantage of our system and getting account information? Well, we can prevent administrator accounts from being enumerated when an application is elevated through UAC. We can use the Group Policy setting under Computer Configuration, Policies, Administrative Templates, Windows Components, Credential User Interface, and then Enumerate administrator accounts on elevation. We can make some adjustments there so that, let's say, if I'm a standard user who can't use the command prompt, but there are some UAC capabilities or ways that I can elevate my privileges for some reason, we prevent enumeration through that elevation.
Now, some detection techniques that we can take into consideration. We can look for behavioral patterns that would indicate a threat actor attempting to discover information about the network. Do we have nmap scans going on? Do we have some of the commands we just discussed being run? Do we have a lot of ping sweeps going on? Anything that we can monitor and then correlate could be beneficial with respect to detecting that type of activity. We can monitor processes and command-line arguments, essentially for actions that may be used to gather system information. You know your environment best, so if there's anything that raises a question and you're not sure whether or not that activity is legitimate, you've never seen these types of applications used on the network before, or there's a lot of heavy scripting going on and you know that you're not the one writing those scripts, it would be worth looking into to ensure that you don't have somebody doing something they shouldn't be doing.
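The process and command-line monitoring just described, as an added example that is not part of the video or of MITRE's own material: it scans constructed process-creation records (key=value lines loosely modelled on Sysmon or 4688-style fields; the hosts, users and paths are invented) for the Windows, macOS and Linux enumeration commands named in the lesson, notes when output is redirected to a file, and then correlates hits per host so that one help-desk lookup is treated differently from a burst of enumeration on a single machine. The rule names and the log format are my own assumptions.

```python
"""Flag account-discovery command lines in process-creation logs and correlate per host.

Added example, not code from the lesson. The log format and rule names are assumptions.
"""
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample records (invented hosts, users and paths), one process creation per line.
SAMPLE_LOG = r"""
ts=2024-05-01T09:00:01 host=WS01 user=jdoe image=C:\Windows\System32\net.exe cmdline="net user"
ts=2024-05-01T09:00:07 host=WS01 user=jdoe image=C:\Windows\System32\net1.exe cmdline="net1 localgroup administrators"
ts=2024-05-01T09:00:12 host=WS01 user=jdoe image=C:\Windows\System32\cmd.exe cmdline="cmd /c net group /domain > C:\Users\Public\u.txt"
ts=2024-05-01T09:01:00 host=WS02 user=svc_backup image=C:\Windows\System32\net.exe cmdline="net use Z: \\fs01\backup"
ts=2024-05-01T09:02:30 host=MAC07 user=asmith image=/usr/bin/dscl cmdline="dscl . list /Users"
ts=2024-05-01T09:05:10 host=LNX03 user=www-data image=/bin/cat cmdline="cat /etc/passwd"
ts=2024-05-01T09:05:11 host=LNX03 user=www-data image=/usr/bin/id cmdline="id"
ts=2024-05-01T09:09:00 host=WS03 user=helpdesk image=C:\Windows\System32\net.exe cmdline="net user jdoe /domain"
"""

# key=value tokens; a value may be double-quoted (this constructed format never nests quotes).
_KV = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')

# One rule per platform family from the lesson, matched against the lowercased command line.
# net.exe hands off to net1.exe on Windows, so both spellings are covered.
RULES = {
    "win_net_account_enum": re.compile(r"\bnet1?(?:\.exe)?\s+(?:user|group|localgroup)\b"),
    "mac_dscl_enum": re.compile(r"(?:^|[\s/])dscl\b"),
    "nix_passwd_read": re.compile(r"/etc/passwd\b"),
    "nix_id_or_groups": re.compile(r"^(?:\S*/)?(?:id|groups)(?:\s|$)"),
}
# The lesson notes that results are often written out to a file for later use.
_REDIRECT = re.compile(r"(?:^|\s)>{1,2}\s*\S")


def parse_record(line):
    """Turn one key=value line into a dict; quoted values lose their quotes."""
    return {k: (quoted or bare) for k, quoted, bare in _KV.findall(line)}


def match_rules(cmdline):
    """Return the names of the rules a command line triggers (empty list if none)."""
    text = cmdline.lower()
    return [name for name, rx in RULES.items() if rx.search(text)]


def scan(log_text):
    """Return one hit per record that triggers at least one rule."""
    hits = []
    for line in log_text.strip().splitlines():
        rec = parse_record(line)
        rules = match_rules(rec.get("cmdline", ""))
        if rules:
            hits.append({
                "ts": datetime.fromisoformat(rec["ts"]),
                "host": rec["host"],
                "user": rec["user"],
                "cmdline": rec["cmdline"],
                "rules": rules,
                "redirected": bool(_REDIRECT.search(rec["cmdline"])),
            })
    return hits


def correlate(hits, window_seconds=300, min_hits=2):
    """Group hits by host; keep hosts with at least min_hits inside one time window.

    A lone 'net user <name>' from the help desk is routine; several enumeration
    commands on one host within a few minutes is what merits a closer look.
    """
    by_host = defaultdict(list)
    for h in sorted(hits, key=lambda h: h["ts"]):
        by_host[h["host"]].append(h)
    flagged = {}
    for host, hs in by_host.items():
        for i in range(len(hs)):
            j = i
            while j + 1 < len(hs) and (hs[j + 1]["ts"] - hs[i]["ts"]).total_seconds() <= window_seconds:
                j += 1
            if j - i + 1 >= min_hits:
                flagged[host] = hs[i:j + 1]
                break
    return flagged


if __name__ == "__main__":
    all_hits = scan(SAMPLE_LOG)
    for host, hs in correlate(all_hits).items():
        print(f"{host}: {len(hs)} discovery commands by {hs[0]['user']} within 5 minutes")
        for h in hs:
            note = " (output redirected to a file)" if h["redirected"] else ""
            print(f"  {h['ts'].time()} {h['cmdline']!r} -> {h['rules']}{note}")
```

Running it on the sample flags WS01 (three enumeration commands in eleven seconds, one of them writing to a file) and LNX03, while the single net user lookup from the help desk and the net use drive mapping on WS02 produce no alert. The window and hit threshold are the knobs to tune against what is normal in your own environment.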
So let's do a quick check on learning. True or false: account discovery is when a threat actor attempts to discover what user names are on a system.

All right, well, if you need additional time, please pause the video.

So in this case, account discovery is when a threat actor does attempt to discover what user names are on a system. So this statement is true. All right, so let's go ahead and pop over to our summary for this discussion.
So we described account discovery. Again, it's just a threat actor attempting to figure out who is using a system and who can access a system. We also looked at some commands, discussing what you could do on Windows versus Mac versus Linux to potentially get a listing of accounts. We looked at some mitigation techniques, such as preventing administrator accounts from being enumerated from elevated prompts, or preventing a user that elevates into a prompt from doing account discovery and enumeration. And then we described some detection techniques, primarily focusing on network activity and system activity that would be out of the norm. So with that in mind, I want to thank you for your time today, and I look forward to seeing you again.

Application of the MITRE ATT&CK Framework

This MITRE ATT&CK training is designed to teach students how to apply the matrix to help mitigate current threats. Students will move through the 12 core areas of the framework to develop a thorough understanding of various access ATT&CK vectors.

Instructed By

Robert Smith
Director of Security Services at Corsica