Time
8 hours 28 minutes
Difficulty
Beginner
CEU/CPE
10

Video Transcription

00:01
hello and welcome to another application of the minor attack framework discussion.
00:06
Today. We're going to be looking at Sudo. So what? That let's go ahead and jump right in to the objectives. So today's objectives are as follows. We're going to describe what pseudo is. How can pseudo be used. What are some mitigation techniques
00:24
and what are some detection techniques?
00:27
So
00:29
Sudo s laid out in the minor attack framework makes use of members of the suit doers file and the etc suit doers, directory or folder. The command allows users to temporarily escalate their privilege when it is necessary for administrative purposes. And so I should say that there's a file
00:49
where these members are laid out. So not so much a directory, but a
00:52
particular file where the members are listed and so the file can be manipulated to not prompt users for a password. By modifying Stewart's final any manners such as the Given command here or given line that would be modified. So user one all no password, all And so in this case,
01:11
it would not prompt a user for credentials when the pseudo command is you. So however, it would be somewhat counter intuitive Aziz. The function could potentially slow a threat actor down or alert the user on malicious activity. And so
01:29
by default, when I'm playing around in my distributions and I tried to intercede, Oh, and I accidentally entered the wrong password.
01:38
It longs that particular error or that failure as an incident, and it longs it in a file that you could essentially go back and look to see when a user attempted to use the privilege and when they failed to do so, so that could be beneficial.
01:55
Now, how can sido be used from the threat actor standpoint? Well, as we know, it's kind of like running his administrator. Threat Extra can compromise a standard user who is a member of the suitors group, and in some cases there may not be a need to enter credentials. And then the Threat actor can operate with escalated privilege.
02:13
And so I know that I've seen before in some pin testing labs and things like that
02:19
where you get into a standard user account and then you do pseudo or something of that nature that pulls from the sewers group, and that user is a member of the group, and suddenly you've got escalated privileges and you can kind of do whatever you want at that point. There's also a C V E that I like to mention Seavey 2019
02:38
pseudo before 1.8 point 28 So, in this case,
02:42
the threat actor or standard user can craft a user I D. That allows them to pass to bypass the route configuration. And so,
02:53
in those cases where you've got the older versions here, you would just want to make sure that everything is up to date and that you're not using anything that is inherently vulnerable. So let's go ahead and talk about some mitigation techniques.
03:07
So do not allow pseudo to be executed without providing a password. Kind of a given, you'd figure. Yeah, that makes sense. You know, why would I do something counterintuitive to this? But
03:16
people do things all the time. That can be a little bit counterintuitive when it comes to computers or inv users. Or half you've constantly got somebody nagging you about something, and you just want to make them stop. Sometimes we do things that would not be in the best best interests of our security standing,
03:34
the sewers file should be controlled and users should not be allowed to spawn risky processes. So
03:40
kind of two separate things there. But really, you know, you shouldn't allow manipulation of the sewers file, and you should not manipulate the follow lightly. That should be very controlled on protected to ensure that
03:53
users can't just come in and do what they want to to it, which could result in a threat actor having some form of unauthorized access to the system. Now, as faras detection techniques or concern linens provides and alert any time of users actual i D. And effective I d or different. So that could be
04:12
kind of like an indicator of Hey, something suspicious is going on here.
04:15
Su do incidents or pseudo incidents should be reviewed regularly, okay to detect potential potential manipulation or privilege escalation attempts.
04:27
So in those cases, um, looking at that follows we discussed could be beneficial in detecting a threat actor. Now, true or false, the pseudo command is specific to Lennox based systems and does not work on Windows based systems.
04:46
All right, well, if you need any additional time, please go ahead and pause this video and then pick it back up from there. So in this case, the pseudo command is specific to Lennix and Mac and things of that nature. But it does not work on when news based systems. So this command for this particular statement is
05:06
true.
05:08
So what? That let's go ahead and jump over to our summary.
05:13
So in summary, we described what pseudo is again. This is a way for you to take a standard user and elevate their privileges to an administrative level. We described how this could be used and so looking at either a getting in where a user doesn't have their credentials set up
05:32
or they don't need to put a password in.
05:34
There are also some vulnerabilities that can take advantage of deprecate ID pseudo versions where
05:42
essentially the
05:44
control can be bypassed.
05:46
Describe some mitigation techniques as far as looking at making sure that you have to enter a password and, of course not adding miscellaneous users to the sewers file
05:57
and then some detection techniques. As we said, incidents are logged within that pseudo file that long file,
06:03
and so in those cases you can review that information and that should Qu into potential manipulation. So with that in mind, I want to thank you for your time today. And I look forward to seeing you again, Sim.

Up Next

Application of the MITRE ATT&CK Framework

This MITRE ATT&CK training is designed to teach students how to apply the matrix to help mitigate current threats. Students will move through the 12 core areas of the framework to develop a thorough understanding of various access ATT&CK vectors.

Instructed By

Instructor Profile Image
Robert Smith
Director of Security Services at Corsica
Instructor