Time
8 hours 28 minutes
Difficulty
Beginner
CEU/CPE
10

Video Transcription

00:00
hello and welcome to another application of the minor attack framework discussion. Today. We're going to look at system owner slash user Discovery. So today's objectives are as follows we're going to describe system owner or user. Discovery will look at some commands and air in here.
00:19
We'll talk about mitigation techniques and detection techniques as well.
00:24
So with that, let's go ahead and jump right in. System owner and user Discovery is pretty straightforward. It's one of threat actor attempts to identify the primary user logged into a system and then the Threat actor made then use this information to determine next steps and how to use that individual account.
00:42
So some commands that a threat actor might use in that instance, once they've gotten into a system would be things like Am I on Windows System? They may use I d Dash U N or W. On a Mac
00:55
who admire W on Olympics device
00:59
and so really just depends on what distribution they've gotten themselves into or what version of an operating system they've gotten themselves into. And then they will run some standard commands to see who the user is, what their access level is, and what they can do at that point with the account. So it's not very high level is far us the details on this It's just
01:19
what am I would have I gotten myself into? And is it a super user? Is that just a standard,
01:23
maybe front desk type account?
01:26
So some mitigation techniques here, really preventing the use of the command line
01:32
and not allowing users to use the command line is going to be beneficial here. And if a user has a reason to use the command line than they could have a separate account that they could use while they need to write scripts or do something in that nature, and then they use a different account for day to day and are, you know, non scripting type activities?
01:51
Detection techniques follow, along with some of our previous discussions, is essentially
01:56
looking at system events on looking at activity to determine if they amount to a malicious threat actor or if it's just normal day to day business activity again, As we get into some of these areas, we get less and less dependent on tools and mawr and mawr dependent upon
02:15
ah, human intervention
02:16
and human kind of knowledge with respect to knowing how these things look and knowing what is normal and is not normal for a business entity. Now let's go ahead and jump into our check on learning true or false user discoveries when a threat actor attempts to determine the current or primary user of a system.
02:37
So if you need additional time, bowel means, please pause the video. But in this instance, this particular statement is true. User discovery is when a threat actor attempts to determine the current or primary user of a system. So this is a true statement now,
02:55
jumping into our summary
02:59
we looked at and described AH, system owner and user discovery and why that would be important to a threat doctor is so that they could figure out who they are, what they could do and then kind of figure out their next steps.
03:12
Mitigation techniques are really going to be preventing end users from using the command line and thereby hopefully mitigating the Threat actor from using some of those commands
03:21
detection techniques air following along with previous discussions where we're really looking at correlating activity and determine if we have a malicious entity on the network. So with that in mind, I want to thank you for your time today. And I look forward to seeing you again soon.

Up Next

Application of the MITRE ATT&CK Framework

This MITRE ATT&CK training is designed to teach students how to apply the matrix to help mitigate current threats. Students will move through the 12 core areas of the framework to develop a thorough understanding of various access ATT&CK vectors.

Instructed By

Instructor Profile Image
Robert Smith
Director of Security Services at Corsica
Instructor