Exploitation of Remote Services

00:00

hello and welcome to another application of the minor attacked framework discussion.

00:05

Today. We're looking at the exploitation of remote services, so let's go ahead and jump into our objectives.

00:13

So today's objectives are as follows. We're going to describe exploitation of remote services. We're going to look at some examples of mitigation techniques. We're going to look at some detection techniques, and we'll also look at a particular type of service that can be exploited on various systems.

00:31

So with that, let's go ahead and look at what minor It says. Exploitation of remote services IDs.

00:38

So exploitation of remote services is when a threat actor takes advantage of a programming error and a program service or within the operating system, software or colonel to execute adversary controlled code and kind of get out of line. There.

00:53

Systems are identified using network service scanning, identifying commonly vulnerable software's. We're doing patching gaps that leave a system open to attack. And so, you know, as a threat actor, we confined different

01:07

things. Using either in mapper, you know, usually in map, is where we start. But if we can identify that software is running off a port and we can identify its version,

01:15

and that version is vulnerable.

01:17

We can take advantage of it. So let's look at Windows s and B server, remote code execution. And so this is a particular see ve that is associated with a number of systems. And so, as you can see here, we really

01:34

shouldn't run into too many instances of 2003 and XP. But they exist. I've seen him.

01:38

We've got court 2012 and 2008. We've got Windows Server 2008 to 2012 to 2016 and then we've got everything from Windows seven to Windows, Tim.

01:49

And so in this particular area, we're looking at CV easier to be associate ID

01:57

primarily with S and B B one. And so

02:00

there was a big kick back when this hit the mainstream

02:05

where we were working to essentially look at client systems and determine if s and be the one was being used for anything. And if not, we worked to globally disabled that on systems to prevent this particular exploit from happening so

02:21

essentially, an unauthenticated attacker could send a specially crafted packet to a target US and BV one server,

02:27

successful exploitation of the most severe of these vulnerabilities could result in an attack regaining the same privileges as the longtime user. And so this was concerning because at the time, SMB V one was being used in pretty much all of the systems that we were looking at.

02:45

And so we essentially worked with everybody to figure out where systems could use S and B V one, if they had to, and how we could circumvent this particular exploit from happening. And if there was nothing we could do, then we worked to make sure that it was shut down and that they were only using a newer versions that we're not vulnerable.

03:02

And so this is just one example of a service that could be exploited.

03:07

There are plenty of other examples out there. It's not just limited to S and B

03:13

now, some mitigation techniques that we could use here so we can disable or remove features that are not necessary mean this is re occurring. You're going to see this over and over again. Whether it's here or in CSP materials is a material anything where we look at a system where evaluating the system against best practice

03:30

have you removed functions that are not necessary, that they will not need to be enabled. And if the answer is no,

03:38

that's not a wrong answer, per se. But it's just a matter of what you're able to do and what your resource limitations are. Keeping software up to date again

03:49

Making sure that we applied current patches do those kinds of things never goes out of style, identifying vulnerabilities with vulnerability Scanning to her Mediate findings. Now

03:59

for me, this bordered on the edge of detection. But when we're talking about minor detection is where we find the threat actor doing the naughty are doing the bad things that they shouldn't be doing. Mitigation, in this case is keeping the threat actor from doing something. And so, in this case,

04:17

by identifying the vulnerability up front

04:20

and then getting rid of that vulnerability or mitigating the underlying factors, we have, in fact kept a threat actor out. So don't let that confuse you by thinking Wait a minute. Scanning is a detection, you know. We're detecting something, you know. How is that mitigating? Okay, Don't don't get confused by terminology here mitigation.

04:40

Find him and preventing a threat after from getting in detection Threat Actor has gotten in. How do we know that there there, how do we get them out? Network segmentation to reduce the ability for a threat actor to easily reach critical systems Again, We've said this in other areas,

04:55

but if you cannot see it, you cannot get to it right away. Then you can't compromise it now. There are ways that they could get around that. But again, this just makes the job harder. And it gives us more time for those detection components that we put in place to work effectively and help us to find a threat. Actor.

05:15

Now, some detection techniques monitor for behavior endpoint systems. That could be an indicator of compromise.

05:21

So in this case, we could be looking for suspicious files written the systems

05:26

process, injection attempts or success again. If you're an accounting firm, not a software dead friend, you're not making security tools. You shouldn't see process injection really happening in the environment unless you have something that is known for doing that. Otherwise it is suspicious. It should be considered malicious, and you're looking into it again.

05:46

This is going to continue to be a pattern for detection

05:49

across many of the remaining areas in the framework. Now, let's do a quick check on learning true or false exploitation of remote services. Onley involves the manipulation for of Rdp.

06:04

All right, well, in this case, this is a false statement. The exploitation of remote services involves many, many, many, many, many different service areas. It could be anything that would allow a threat actor to exploit a service. So if they can remote us, get us and be rdp any number of things,

06:23

that would be a manipulation there.

06:26

So let's go ahead and turn over to our summary. So in summary, we looked at and described exploitation of remote services. We looked at an example with that whole S and B remote exploitation

06:39

affecting V. One of that, we looked at and described mitigation techniques, and we continue to reiterate some detection techniques that way we have seen in other areas. But again,

06:49

this just goes to show you if you hear us mention

06:53

a particular detection technique

06:57

and it seems to overlay with a number of areas, if you seem to hear a mitigation technique that overlays with multiple areas, that's kind of a great thing because that means that by implementing that one control,

07:10

we could potentially help to mitigate the risk of several different attack vectors from being successful. So it doesn't cover all of them, but it can help cover a majority of them. So keep that in mind if you hear a say in user awareness training over and over again if you hear monitoring for a normal activity. If you hear patching,

07:27

you hear segmentation of the network least privilege.

07:30

These are things that ultimately help us to reduce risk and reduce the ability of a threat actor to get into systems. So with that in mind, I want to thank you for your time today,