
Can everybody hear me okay? Yes? Cool. I'm Vincent. My talk is titled "I Know What You Did Last Summer: I'm Still Hacking Your Small Business." My talk is rated M for Mature, because at some point I'm going to use some profanity. I'm sorry, that's just how I am. Some things I'm going to show you today would be considered criminal activity should you not have permission from your target, FYI.

Who am I? I'm a penetration tester, I'm a small business owner, and I'm an Air Force veteran. The things that are important to know about me are that I've been in tech for over 30 years. I've run a technology business for the last 20 years. It
started off as a break-fix IT company. We were a concierge-type business where we had a small number of clients and they were high revenue, and then about 10 years ago cloud started eating into our business model, and our business didn't scale that way, because, you know, what were once six-figure clients are now low-five-figure clients. So I decided to pivot the business. I thought security would be a good play; seems like it wasn't a bad choice. I took the OSCP course, do you know what that is, and I fell in love with offense, and I've been doing offensive security ever since.

So what's this talk about? So I work with small businesses, so think
a thousand employees or less. With big businesses, say like a Bank of America: Bank of America has a security team, they have a SOC, they have layers and layers of security, and they have big bags of money to throw at the problem. Small businesses, on the other hand, are the low-hanging fruit, and this talk is about my adventures while working with those small businesses. So we are going to attack a small business like a malicious actor, and our target is going to be 100 to 250 employees in size. This is a sweet spot for me personally, because they're big enough that they have stuff, but they're small enough that they're still very
immature. So when we look in their environments, they're not running EDR, they don't have a SOC, they're not using SOC as a service, they're running traditional AV, and most times we find that they're running flat networks, so no segmentation.

So maybe somebody else in this room has thought about how they would hide their identity if they were going to be an attacker. My wish list consists of burner laptops. I'm going to work out of a mom-and-pop coffee shop, because I feel like Starbucks is logging the traffic; they've got cameras, I don't know what the retention is on that, I don't want to deal with that. I'm going to work out of the mom-and-pop coffee shop, I'm going to
use a privacy VPN, I'm going to use Tor and Tails, and I'm going to have a VPS or two, virtual private server. Some of you may recognize this: it's the logo for Kali Linux. I saw a little smile there. Can't be a hacker unless you use Kali. Truth be told, I actually don't use Kali, I use Ubuntu. I put a small set of tools on it that I use. I find that Kali is big and bloated and it tends to break in the middle of engagements, but in the context of this talk I'm going to use Kali, because every script kiddie in the world uses it, and if my operating system gets fingerprinted I'm going to look like
everybody else. I'm going to use Mullvad for my privacy VPN because they take cash, and I thought that was hilarious. They say send us cash, but not too much, but they don't specify how much is too much. So I threw twenty dollars in an envelope, mailed it to Sweden, and I was expecting that to be beer money, but in about a week it actually lit up. I was really surprised. I'm going to get a little granular, because I want you to see how simple it is to get this platform set up. So I'm going to install Tor, I'm going to make a modification to proxychains, and then I'm going to curl my IP address before
and after, and what we see is that we have one IP address, and then when we go through Tor we have another. FYI, those are not my IP addresses, because this is a security conference; I don't trust you people. Going to install the Mullvad client, going to fire it up, going to connect, so we're connected to Sweden. Again I'm going to check my IP address before and after, and again what we see is that we have two different IP addresses. So now I have several routes to go to the internet and I can masquerade my IP. So the question is, are we safe? Is this good opsec? From a small business, sure. From three-letter agencies or a nation state, no, but
this is good enough for what we're going to do. Oh, that was my, I don't know, sorry. So now we're going to go hunting, and you might be thinking, well, what are we hunting for? I need a VPS, and I was thinking that I would get some crypto and I would go to some shady provider and I would get a VPS from them, but then I had this idea of firing up a honeypot. Now I've got a bunch of ports that are open on this, and the first thing that I noticed was that there was a ton of SMB traffic coming inbound, and it was just overwhelming. I mean, it was crazy. Like I had RDP open
and that would get hit here and there, and obviously HTTP and HTTPS, but SMB traffic was just flowing and flowing and flowing. So after 10 minutes I just cut it. I parsed the logs, I sorted for unique IPs, and I had 62 of them. Now my thinking here is these are bot-compromised servers, so they had vulnerabilities and those bots took them over. So I'm thinking, I mean, I've heard of bots actually patching, but I can't imagine that's all of them. So I think I can find a vulnerability, I can compromise that, and then I can take a position. So I scan and I find that there are a bunch of ports open, and so I'm liking my
odds at this point. So as I dig in I do a reverse lookup, and I see that I've got a bunch of IPs that are actually out of country. Now I don't know, but in my head I'm thinking if I stay out of the United States I'm probably better off; that just adds another layer. As I dig into that further I find four Russian IPs. IT Army of Ukraine and Anonymous are hacking the [ __ ] out of Russia, so I feel like these are good targets for me, because I can blend into that noise and I can take a position and, again, further hide my identity. So hack the planet, right?
I would like to remind you that that would be considered criminal activity, so we're going to pretend. Let's say on one of those Russian IPs I find a vulnerable WordPress site. Now I have a number of plugins that I use to do various things on WordPress. Let me step back for a second: if you don't know what a plugin is, you go to a website, it's got this pretty picture, and that scrolls and there's another picture that takes its place; that's a plugin. It adds functionality to the core product. And so I've got one, it's called WordPress Backdoor. That seems kind of suspicious, so we're going to call it WordPress CSS Updater. And basically all
a plugin is, is some comment lines that WordPress will recognize as it being a plugin, and then some PHP. The bottom line is remote code execution. So we zip it up, we log in, we point to the plugin, and then we activate the plugin, and there it is, our plugin is sitting in there. Now I've managed content management systems before, and never have I gone in and scrutinized those plugins; they just exist in their own little place. Now as an attacker, though, I'm looking at this and I see that two are in need of updating. I don't want anybody to be drawn to that; like, if an admin comes in and sees that, they're going to
go look in there. I don't want them to see that, because then they're going to come in and maybe see mine, so I'm actually going to patch that. As an attacker, I'm going to do a good deed. At the end of the day, what we're trying to accomplish is this: we point to the plugin, we give it the command "id", and then what we get back is "www-data". So right now I've got remote code execution and I've got myself a Russian C2 server.

So the next topic I want to talk about is phishing. So back in the day, when I first started running phishing campaigns, I would take one email and I would blast it out to
all the users at the same time, and then I would gather the metrics and I would weigh out how good our training was doing. The problem with that is people were sneaking over the wall and they're like, hey, watch out for that fake phishing email, and so I felt like that wasn't a very effective way. So what we do today is we take our users and we break them up into groups, so we have the marketing department, the sales department, finance, and then what we do is we find phishes that match those groups. So the fake FedEx email is going to go to the shipping guy, and then, because we're working with
small business, what happens is we very rarely see that two users get phished in the same day, and rarely are two users seeing the same phish. Now I want to show you some phishes that hook people. I want to talk about variables, because you're going to see %date, %time, %email; these get populated at the time they get sent out. So in the upper right-hand corner you see %date; that would just show today's date. So this was one that went out. It's not great: it says you ordered a $1,700 laptop, and the user is like, oh [ __ ], I did not order that, I'm going to click on all these links. So that was something
to phish somebody. Here's another one, voicemail to email. This is actually really successful in a client that actually has voicemail to email. The problem with them is that their VoIP system puts their name and the company's name and the VoIP system name in here, and this has none of that. People keep clicking on it. At the bottom of the barrel we have this piece of crap: since we've received your order, it'll be processed soon, you can view your order by clicking here, and it's got a link. It says thank you, customer service department. It doesn't have their name, doesn't have the company's name, doesn't have anything, and people click on this. I swear, it's crazy.
So at the end of the quarter I run the metrics, and what we see is that we had 10 users clicking links, and we had two reported. When I run these campaigns I try to emphasize reporting. To me, that seems equally valuable as recognizing something and not clicking on the link, and the reason being is, if a phish comes into your environment and you report it, I can purge that from the mail system and I can stop other people from clicking on that link. This client doesn't care, though. And so this is the guy that I report to for this specifically, and he says, we're doing our annual PCI security training, hopefully they'll pay more attention this year.
So, funny thing is, I went back in my email; I have an email from him last year that literally said the same thing, and these guys are at a 20% click rate, which is higher than the average. They suck.

All right, I want to talk about spear phishing. Who thinks they can't be phished? Anybody? I know, it says you put your hands down. So I assume there are people in the room that are looking to get their first job in security, or they're looking to get a better-paying job. So I'm going to prop up a website, Phoenix Recruiters. It says: whether you need remote or on-site staff, we understand the unique challenges of the Phoenix metro area job
market. And you're like, Vincent, I'm in San Antonio. You're right: we understand the unique challenges of the San Antonio job market. I buy domains for 12 bucks. I got this template off of w3schools. I spent maybe five, ten minutes building this thing, and that's the beginning of what I'm about to do. So then I'm going to fire off an email, and it says: Hi John, I am Vincent Smith and I work as a senior placement specialist at Phoenix Recruiters, or San Antonio. I saw your profile on LinkedIn and I was really impressed by your experience in computer-y things, because computer things are in high demand right now. Here at Phoenix Recruiters we always look to
collaborate with talented people, blah blah blah, sincerely, Vincent Smith. Got a nice little signature block; generated that logo on Adobe's website, it was free, took me about five minutes. There are no links or documents in here. I'm going to go around and around establishing a relationship with you. I'm going to offer you half a million dollars a year, because it's not my money and I don't care. And then eventually I'm going to get to the point where I say my client would like to take this to the next level; they need you to sign a non-disclosure agreement. I'm going to send you a link or a document, and I'm going to get you
to do something you don't want to do. So the bottom line is, we can all be phished, me too. All right, that was a little heavy. I want to transition. Meet Jade. Jade's got her CV posted up on this website. She's currently working as a bilingual customer service rep at Thermo Fisher Scientific. Prior to that she was an engineering systems technical sales engineer at Johnson Controls, and prior to that she was a technical sales engineer at Spirax. She's got an MBA from Pepperdine and a bachelor's in mechanical engineering from Cal Poly. She's got skills: Office 365, Salesforce, Visme, Zoom. She speaks English and Spanish fluently, a little bit of German. She's on LinkedIn. Is she real or fake?
She's fake. The person does not exist; that is an AI-generated photo. Because I lack creativity, I went to the Fake Name Generator and got her name, address, and phone number. Somebody was telling me, when I was demoing this talk for timing, one of my buddies was like, well, I looked at her profile on LinkedIn to see if she had connections. I'm like, dude, in a week I was getting connections from Thermo Fisher Scientific and the Pepperdine MBA school. I'm like, she's going to look like it when I get done. So you might be wondering where I'm going with this, right? To what end? So I start my engagement and I'm on my client's
website, and I'm kind of scouring for things. At the bottom I see this thing for employment. It's a PDF; it's looking for a technical position, you know, that's heavy engineering and sales. So I tailored Jade to meet this position. I went on the Wayback Machine and I saw that this had been sitting up there for a long time, so either this position churns or it's hard to fill; in either case I'm liking where I'm going with this. At the bottom of their website they give me an email address to email, info@companyname.com. Remember Jade. Jade's got an outlook.com account. Turns out you can set up outlook.com without a phone. Two weeks after setting up this
account, it said, hey, we need a backup email or a phone. So I went to the disposable email site, I generated an email, gave that to Outlook, it gave me a six-digit PIN, I gave it back, and then I'm golden forever. And you can do this over Tor, by the way. Remember Jade's CV site? I embedded a canary token. If you don't know what canary tokens are, they're these little web bugs that you can put in various things like documents and websites and AWS keys, and what happens is, when somebody trips on this, it starts giving you information about the visitor. Look forward, there we go. So I send off an email to
info@companyname.com: To whom it may concern, I found your job posting for technical customer service rep, and my qualifications are not an exact match (which is technically not true; they are); however, I'm attempting to secure employment in the Bay Area to be close to my family. I appreciate your consideration, blah blah blah, kind regards, Jade. In her signature block I've got a link to the CV. I've also got a link to LinkedIn, which is just LinkedIn, but the CV's got the canary token. It's subtle; I don't know that they're going to click the link to the CV. Spoiler alert: they click the link to the CV. But if they had not, I would just go around and around, and then
eventually I would send them a link to something, or I would send them a document. What we get is this: after this email went around and around, I get five hits. I get an incident list, and then when I dig into the incident, what I get is an IP address and I get user agent information. So I'm starting an engagement blind in this environment; I don't know anything about this environment. I do know that Windows controls seventy percent of the operating system market, but I'm on the Mac, and there's somebody in this room that's using Linux. What I'm trying to get is information, essentially for free, that I do not have going into this environment.
The other thing that I get is that this user in particular is using Firefox. I might look up the version, see if there's a vulnerability, but it's just information that I can get for free with little effort.

So, next topic. I'm calling this multi-function madness. This is Tank. Tank is real. He is a 70-pound pit bull and he's my buddy, and Tank has the prey drive of, like, on a scale from one to ten, Tank is a 15. Tank is the kind of dog, when you open up the door, he surveys the perimeter. I live in Arizona; we back up to the desert. We've got lots of desert creatures that roam in and out of our backyard.
Tank's doing his thing and gets along the back wall. There's this giant [ __ ] lizard. There's my first step on: giant lizard on the wall. Tank hits along the back wall, sees the lizard, and the lizard sees Tank. The lizard starts running, Tank's in pursuit, the lizard doubles back, Tank follows. This goes back and forth a few times, the lizard falls off the wall, and Tank bites it in the center and swallows the thing whole, and it was the most disgusting thing I'd ever seen. It is that kind of drive. Oh, sorry, I forgot. So every day, this has been two years ago, every day since that day I open up the back door and Tank makes a
beeline to that spot on the wall. It's crazy, like a lizard's going to appear for him, you know. And so it's that kind of drive that he has. This is how I am with your multi-function copiers. I love MFPs, because it's funny: like, after an engagement, people are like, well, you know, a hacker is going to make free copies? No, the [ __ ] has privileged access. It scans to file and it scans to email. So I'm on an engagement, I get into the copier, it's scan to file, it's scanning into users' home directories, and those are restricted to the individual user. So instead of taking that user account and giving it access to those directories, they just
made it domain admin. I took over the scanner account, I'm domain admin, game over. And another one with scan to file: I get in and I see that there are no credentials, so I think it's a mail relay. And the back story is they were changing passwords every 30 days, and it was breaking the scan-to-email function every 30 days. So what they did was they decided they were going to whitelist an IP for mail relay, except instead of doing a one-to-one mapping from the scanner through the firewall, they just whitelisted the entire network. So I get in, I don't see credentials in there, I think mail relay, I'm inside the network, I send off an
email, and it goes through. So I started phishing everybody in the company off of the mail relay, and I was bypassing their security controls. So here I am on this engagement and I find one of my favorite devices, a copier. Here's this Xerox VersaLink. So I go to Google and I say, Google, what is the default password? And Google says 1111. That seems safe. So I go to the login page, 1111, cross my fingers, upper right-hand corner, I'm logged in as admin. So I get into the settings, and it actually has credentials in there, but I get this idea: I'm going to put my attacking server IP address in as the mail server
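Here is the defender's side of this whole copier section, as an added example that is not from the talk or from any vendor: a small Python audit of MFP settings that flags the conditions the copier stories above turn on (a factory-default admin password, scan-to-email pointed at a server outside a site allowlist, credentials sent without TLS on port 25, and a scanner account sitting in a privileged group). The device records, the SMTP allowlist and the privileged-group list are constructed assumptions; 1111 is the VersaLink default mentioned in this section.

```python
"""Audit multifunction printer (MFP) configurations for the weaknesses
described in the talk: factory-default admin passwords, scan-to-email
relaying through an unvetted SMTP server on an unencrypted port, and
scanner accounts that hold far more privilege than "write one PDF".

Added example: the device records below are constructed, and the
allowlist and group values are assumptions a defender sets per site.
"""
from dataclasses import dataclass, field

# Assumption: the only mail servers copiers at this site may relay through.
APPROVED_SMTP_SERVERS = {"mail.example.internal", "smtp.office365.com"}
# Assumption: common factory defaults; "1111" is the VersaLink default from the talk.
FACTORY_DEFAULT_PASSWORDS = {"1111", "admin", "password", ""}
# Assumption: groups a scan-to-file / scan-to-email service account must never be in.
PRIVILEGED_GROUPS = {"Domain Admins", "Enterprise Admins", "Administrators"}


@dataclass
class CopierConfig:
    name: str
    admin_password: str
    smtp_server: str
    smtp_port: int
    smtp_tls: bool
    scanner_account: str
    scanner_groups: set = field(default_factory=set)


def audit_copier(cfg: CopierConfig) -> list:
    """Return (severity, finding) tuples for one device; empty list means clean."""
    findings = []
    if cfg.admin_password in FACTORY_DEFAULT_PASSWORDS:
        findings.append(("high", "admin web UI still uses a factory-default password"))
    # Any drift away from the approved relay is exactly what an attacker-supplied
    # "mail server" address looks like in the device configuration.
    if cfg.smtp_server not in APPROVED_SMTP_SERVERS:
        findings.append(("high", f"scan-to-email relays through unapproved server {cfg.smtp_server}"))
    if cfg.smtp_port == 25 or not cfg.smtp_tls:
        findings.append(("medium", f"scan-to-email sends credentials without TLS on port {cfg.smtp_port}"))
    privileged = cfg.scanner_groups & PRIVILEGED_GROUPS
    if privileged:
        findings.append(("critical", f"scanner account {cfg.scanner_account} is in {sorted(privileged)}"))
    return findings


def audit_fleet(configs) -> dict:
    """Map device name -> findings for a whole fleet export."""
    return {cfg.name: audit_copier(cfg) for cfg in configs}


# Constructed sample fleet: one device configured the way the talk describes,
# one configured the way it should be.
SAMPLE_FLEET = [
    CopierConfig("HR-MFP-01", "1111", "10.0.0.200", 25, False,
                 "svc-scan", {"Domain Admins", "Domain Users"}),
    CopierConfig("FIN-MFP-02", "Xk9!long-random-secret", "smtp.office365.com", 587, True,
                 "svc-scan-fin", {"Domain Users"}),
]

if __name__ == "__main__":
    for name, findings in audit_fleet(SAMPLE_FLEET).items():
        print(name, "OK" if not findings else "")
        for severity, text in findings:
            print(f"  [{severity}] {text}")
```

In practice the records come from a fleet-management export or from each device's web UI. The allowlist check is the one that catches the move described in this section: the moment scan-to-email points anywhere other than the approved relay the device fails the audit, and with TLS required the "test" button no longer hands the scanner credentials to whatever is listening on port 25.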
and then I'm going to downgrade the port to 25, and the reason why I'm doing that is because it's unencrypted. Now, if I were to make scanner software, I would make it so that if you made a modification to the settings it would blank out the password, but I have never found that to be the case. When I started the engagement I fired up a tool called Responder. Responder is an LLMNR poisoner; it's basically used to do bad things to Microsoft, but in this case I'm going to use it to catch credentials off this scanner, hopefully. So I've got the SMTP server set to my attacking server, I've downgraded to 25 because it's not encrypted, and
then I throw in a bogus email and I hit test, and back in Responder I get cleartext credentials from that scanner. So when I get in your environment I'm going to scan for all the copiers, and if we're counting them, I got 19, and I'm going to go through every single one of these and I'm going to look and see if there are some credentials that I can abuse in there, or steal, or whatever. So that scanner account that we just captured, it actually wasn't domain admin, but what it gave me access to was HR and accounting. So for defining impact: HR, SPII, finances, money, right? So in my pen test report I say the
penetration tester used tools and techniques to extract data from the network, simulating the actions of a malicious attacker. You've got ransomware gangs; they get into your network, they encrypt your files, and then they say pay us or we're going to take your data and we're going to dump it on the internet. I basically just simulated that, because they're exfiltrating your data, and that's what I can do.

This next one I'm calling evil bookmark. I need to give you a little backstory on this. So in my scoping document I ask how the penetration tester is obtaining access to the network. So it might be over a VPN. If they don't manage the network, and maybe they've got an IDS,
I'll send them an Intel NUC, which is a little computer, and I'll ship it off to them and say drop this in the middle of your network, plug it in, turn it on, it calls back to my attacking server, and then I tunnel back in and do my thing. Another option is a jump box, and that's where this is going. So I get into the jump box, and to my surprise the computer is inserted into the domain, and my account is a domain user account, and it maps drives for me, and I'm like, that is way, way too much access. That was not how that's supposed to go down, but I'm like, [ __ ] it, I'm
going to run with it. So I had this idea. So this is a bookmark, right? And what we've got is this little picture, and we've got this arrow that indicates shortcut. When we look at this at the file system level, really all it is is a file name that ends in .URL. When we look inside, it's these four lines of code, right? So it says InternetShortcut, it's got the resource google.com, and what generates that picture is the reference to IconFile. So I'm pointing this to my attacking server. Now I dropped this on this common share that I have access to. And I want you to recall when we went to
the desktop and you saw that TweetDeck icon, that little bird: we didn't have to do anything to get that to render. It's the act of opening that location that causes it to look for the icon file. So it's just dropping this out there; when people open it up, it should start sending things back to my attacking server. So I've got Responder still fired up, and it starts raining hashes, and I'm taking hashes and I'm throwing them into hashcat and I'm cracking them, and then all of a sudden I get the administrator account, the Administrator account, and I'm like, what is going on? And so I'm doing the postmortem on this with the
client, and it turns out there was an administrator using the Administrator account as his personal user account. I'm like, that is something you shouldn't be doing.

All right, next we've got tell me your secrets. So I started my engagement and I go to hunter.io, and if you don't know what hunter.io is, it'll tell you known email addresses for this domain name. The other thing that it'll tell you is the name format, right? So in the case of this client, which is a little small, it's first name dot last initial. So I take the 200 most common names and then I do a little bash magic, and basically
what I'm doing is I'm taking that list and I'm appending .a through .z to the end of all of those, basically trying to match that format, right? So, you know, aaron.a through aaron.z; do that for every single name. Now I'm going to use a cool tool called Kerbrute. As an unauthenticated user I can spray the domain controller with that list, and it will tell me if those are valid usernames. So I'm starting to get hits. I parse that out and I dump it into a text file. That is one half of what I want; the other half is, I want passwords. Now, there was a blog post a few years ago, it was a
pen tester and he was finding these commonalities in his engagements. In particular, people would call the help desk and they would need their password reset, and the help desk, trying to be helpful and following password complexity rules, right, so need an upper, need lower, need number, need a special character, they were doing things like Welcome1 exclamation point, capital W. The other thing they were doing is the seasons, so spring, summer, fall, autumn, and then throw the year on the end of it. So I took that. I'm lazy, I script everything, so I've got an array: welcome, winter, spring, summer, fall, and I've got the years 2019 through 2022. Now, the reason why I'm going back into the past
is, what I've found is that sometimes an account will get shut down, and then a manager will call up and say I need that account opened up, and they'll open it up and they'll say okay, yeah, we reset the password, and it's Summer2021 exclamation point. So we have actually found accounts from previous years that just got left open. Another thing that I'm going to do is I'm going to go through their website: do they make a product, or are they in an industry? Can I take those words, you know, those words that might be used in a password? I'm going to grab stuff from their address; in this case I'm going to grab Fremont, and then I'm going to make my list, so
Welcome1, Fremont1, and the seasons. Now I'm going to use a tool called CrackMapExec; I'm going to call that CME moving forward, because it's a tongue twister. And I can spray that list of users with Welcome1, and what we see is STATUS_LOGON_FAILURE. So that is not a good password for any of those accounts that I have. I come back in with Fremont1 and I get a hit: jody.o. So I'm going to use a tool called Hydra, and Hydra is a brute-forcing tool. Typically you would give it a username and a bunch of passwords in a list and you would spray a service. I actually know the username and the password. What
I'm doing is I'm putting a bash for loop in front of this, and I'm spraying hosts 1 through 100 looking for open RDP with that username and password. After COVID, regular users have been given remote desktops, so this is something that we hunt for, and we find. When I get to host 62 I get a hit. So the question is, now what, bro? Pop shells, Metasploit, right? I could, or I could use ConnectWise Control. If you don't know what ConnectWise Control is, he does: you call the help desk and you say, hey, I got a problem with my computer, my icons are upside down, and the help desk is like, hey, I'll come onto your computer
and turn those right side up. They use a tool like ConnectWise Control to screen share with you. Turns out you can set up a ConnectWise Control account as any old person without a credit card, so I use Jade, because why not. I'd like to point out that I learned earlier today in a talk that I could actually hop in with somebody on RDP, but prior to hearing that, I would typically not want to log in when a user is on their machine, because it'll bounce them out and it's going to draw attention. So I typically want to work after hours. In the case of this client, I hopped in at four o'clock in the morning.
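Everything from the Kerbrute list through the four-in-the-morning RDP logon leaves 4625 and 4624 events on the domain controller and on the target host. The Python below is an added example, not something from the talk or its tooling: it runs two detections over constructed, simplified "timestamp key=value" log lines (not real EVTX or XML), one for a spray (a single source failing against many distinct accounts inside a short window, together with any later successes from that source) and one for an interactive RDP logon (LogonType 10) outside business hours. The ten-minute window, the five-account threshold and the 07:00 to 19:00 business day are assumptions to tune per site.

```python
"""Detect a password spray and an off-hours RDP logon from Windows
Security events (4625 = failed logon, 4624 = successful logon).

Added example. The log lines are constructed in a simplified
"timestamp key=value" form, not real EVTX; thresholds are assumptions.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample: a spray from a jump box (10.0.0.17) that lands on jody.o,
# then a 4 a.m. RDP logon with that account, plus ordinary daytime activity
# (one typo followed by a successful logon from a user's own desk).
SAMPLE_LOG = """
2022-08-14T03:50:02 EventID=4625 TargetUserName=aaron.a IpAddress=10.0.0.17
2022-08-14T03:50:03 EventID=4625 TargetUserName=aaron.b IpAddress=10.0.0.17
2022-08-14T03:50:05 EventID=4625 TargetUserName=abby.c IpAddress=10.0.0.17
2022-08-14T03:50:06 EventID=4625 TargetUserName=adam.k IpAddress=10.0.0.17
2022-08-14T03:50:08 EventID=4625 TargetUserName=alan.m IpAddress=10.0.0.17
2022-08-14T03:50:09 EventID=4625 TargetUserName=amy.r IpAddress=10.0.0.17
2022-08-14T03:51:40 EventID=4624 LogonType=3 TargetUserName=jody.o IpAddress=10.0.0.17
2022-08-14T04:02:11 EventID=4624 LogonType=10 TargetUserName=jody.o IpAddress=10.0.0.17
2022-08-14T08:58:30 EventID=4625 TargetUserName=bob.t IpAddress=10.0.0.40
2022-08-14T08:58:41 EventID=4624 LogonType=10 TargetUserName=bob.t IpAddress=10.0.0.40
"""


def parse_log(text: str) -> list:
    """Turn the simplified lines into dicts with a datetime 'ts' and int 'EventID'."""
    events = []
    for line in text.strip().splitlines():
        ts, _, rest = line.partition(" ")
        ev = dict(kv.split("=", 1) for kv in rest.split())
        ev["ts"] = datetime.fromisoformat(ts)
        ev["EventID"] = int(ev["EventID"])
        events.append(ev)
    return events


def detect_spray(events, window=timedelta(minutes=10), min_accounts=5) -> list:
    """One source IP failing against >= min_accounts distinct accounts within `window`.

    Each alert also lists accounts that later logged on successfully from the
    same source: a spray that ends in a success is the one worth paging on.
    """
    failures = defaultdict(list)
    for ev in events:
        if ev["EventID"] == 4625:
            failures[ev["IpAddress"]].append((ev["ts"], ev["TargetUserName"]))
    alerts = []
    for source, attempts in failures.items():
        attempts.sort()
        for i, (t0, _) in enumerate(attempts):
            accounts = {user for ts, user in attempts[i:] if ts - t0 <= window}
            if len(accounts) >= min_accounts:
                hits = sorted({ev["TargetUserName"] for ev in events
                               if ev["EventID"] == 4624 and ev["IpAddress"] == source
                               and ev["ts"] >= t0})
                alerts.append({"source": source, "first_seen": t0,
                               "accounts": sorted(accounts), "later_successes": hits})
                break  # one alert per source is enough
    return alerts


def detect_offhours_rdp(events, business_hours=(7, 19)) -> list:
    """Interactive RDP logons (4624, LogonType 10) outside the business day."""
    start, end = business_hours
    return [(ev["TargetUserName"], ev["IpAddress"], ev["ts"]) for ev in events
            if ev["EventID"] == 4624 and ev.get("LogonType") == "10"
            and not start <= ev["ts"].hour < end]


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    for alert in detect_spray(evs):
        print("spray from", alert["source"], "against", alert["accounts"],
              "later successes:", alert["later_successes"])
    for user, ip, ts in detect_offhours_rdp(evs):
        print("off-hours RDP:", user, "from", ip, "at", ts.isoformat())
```

Both detections depend on the failed-logon events actually reaching a collector; on a small business with no SOC, the audit policy and the forwarding are usually the first things missing. Note the LogonType 3 success right after the failures in the sample: that is the shape of the CME hit from a few paragraphs back.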
I know it sucked, but that's when I did it. So, ConnectWise Control: JODY-PC shows up in my console. Bottom left-hand corner: trial will expire in 14 days. That's super convenient, because my engagements usually last two weeks. I'm trying to get remote code execution, and that's what I'm doing here. I execute the command whoami and it gives me back NT AUTHORITY\SYSTEM. So I don't need Metasploit, I don't have to do evasion techniques or disable Defender or whatever; I can just get this on the machine, because it's a legitimate application. I'd like to point out that this dumpster fire was brought to you by local admin. If you give your users local admin, I'm
going to wreck your [ __ ]. So I'm on the user's desktop. It's enumeration time. If you've ever played in the CTF world, there's an offensive PowerShell framework called PowerSploit. I've never used that in the real world. I actually live off the land; I tend to just use Windows against itself, and Active Directory the same. So, because I'm a local admin, and I'm going to harp on that, I can install RSAT, Remote Server Administration Tools. So I get it installed and I start querying the environment. What I'm looking for is password never expires, password last set. So I find a few accounts that are set to true, so those are password never expires. The reason why I'm hunting these down is because
I've actually been in the middle of an engagement where I get creds and then I lose them, so if I can take over these accounts, I know I'm good. Another thing that I'm going to look for is service accounts, because typically they set them to never expire and they always throw them into the Domain Admins group. Now at the bottom I see this "comp ad", and I don't know what that is; that's something weird, and I have to imagine in my head what this could be, and I think maybe they're using it to insert computers into the domain. I query Domain Admins, and that account is in the Domain Admins group. So that would
be an account that I would go after. There's a lot of stuff that you can't see, but basically this is all the custom PowerShell that I've written that lives off the land, and I can do a whole talk on Active Directory another time, but basically, unless you're looking for PowerShell execution, I can do all this stuff and I'm not getting detected. All right, I want to rewind. I'm on this system, I see Jody, we know this, but I also see a disconnected user account. Now, there is a tool called Mimikatz that you could use to dump LSASS, but Mimikatz has been neutered recently. But because I'm local admin,
I don't need it. I can right-click in Task Manager and I can create a dump file of LSASS. If you don't know what LSASS is, it contains clear-text credentials and password hashes. So I dump it to a file and it says, hey, it's in this temp folder, and then moments later Defender kicks in and says, whoa, that was a severe behavior, and I'm like, oh [ __ ], it's going to delete that file. So I immediately jump into the folder and I zip a copy in place, and then I drag a copy to the desktop. Moments after that, Defender deletes that file, but it leaves the zip file and it leaves the
one on the desktop. So it's the act of dumping LSASS and not the presence of the file. So Defender, almost there, but not quite. And because I'm local admin, I disable Defender. So I dropped Mimikatz on the box; I didn't have to, I could have pulled this over, and I pointed it to my dump file, and the first thing that we see at the bottom is the Administrator account and the password hash. So hold that thought, though. So then I get some clear-text credentials, and I'm looking at this clear-text credential and I'm like, I recognize that, that's Office 365, and this is an email account. I'm like, I'm going to log into OWA, Outlook Web Access.
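The point just made, that Defender reacted to the act of dumping LSASS rather than to the presence of the file, is exactly what a detection should key on, because the zipped copy and the desktop copy survived the cleanup. As an added example (not the talk's code, and not a vendor rule), the Python below runs over constructed Sysmon-style lines: Event ID 10 (ProcessAccess) records where the target is lsass.exe, the source is not an allowlisted system process and the requested access mask includes PROCESS_VM_READ, and Event ID 11 (FileCreate) records for an lsass dump file. The first kind fires whether or not any copy of the dump survives; the allowlist and the sample paths are assumptions.

```python
"""Spot LSASS credential dumping from Sysmon-style telemetry.

Added example. Lines are constructed in a simplified "timestamp key=value"
form rather than real Sysmon XML; the allowlist of processes that open
LSASS legitimately is an assumption to tune per environment.
"""
from datetime import datetime

# Access-mask bit every credential dumper needs in order to read LSASS memory.
PROCESS_VM_READ = 0x0010
# Assumption: system processes that touch LSASS as part of normal operation.
ALLOWED_SOURCES = {"csrss.exe", "wininit.exe", "services.exe", "svchost.exe",
                   "lsm.exe", "msmpeng.exe"}

# Constructed sample: benign system access, Task Manager dumping LSASS (the
# right-click trick), the lsass.DMP landing in %TEMP%, more benign access,
# and later a tool reading LSASS directly from the user's desktop.
SAMPLE_LOG = r"""
2022-08-14T04:20:01 EventID=10 SourceImage=C:\Windows\System32\csrss.exe TargetImage=C:\Windows\System32\lsass.exe GrantedAccess=0x1FFFFF
2022-08-14T04:20:09 EventID=10 SourceImage=C:\Windows\System32\Taskmgr.exe TargetImage=C:\Windows\System32\lsass.exe GrantedAccess=0x1FFFFF
2022-08-14T04:20:10 EventID=11 Image=C:\Windows\System32\Taskmgr.exe TargetFilename=C:\Users\jody.o\AppData\Local\Temp\lsass.DMP
2022-08-14T04:20:12 EventID=10 SourceImage=C:\Windows\System32\svchost.exe TargetImage=C:\Windows\System32\lsass.exe GrantedAccess=0x1000
2022-08-14T04:25:30 EventID=10 SourceImage=C:\Users\jody.o\Desktop\mimikatz.exe TargetImage=C:\Windows\System32\lsass.exe GrantedAccess=0x1010
"""


def parse_log(text: str) -> list:
    """Turn the simplified lines into dicts with a datetime 'ts' and int 'EventID'."""
    events = []
    for line in text.strip().splitlines():
        ts, _, rest = line.partition(" ")
        ev = dict(kv.split("=", 1) for kv in rest.split())
        ev["ts"] = datetime.fromisoformat(ts)
        ev["EventID"] = int(ev["EventID"])
        events.append(ev)
    return events


def basename(path: str) -> str:
    """Lower-cased file name from a Windows path."""
    return path.rsplit("\\", 1)[-1].lower()


def detect_lsass_access(events) -> list:
    """Non-allowlisted processes opening lsass.exe with read access (Sysmon EID 10)."""
    alerts = []
    for ev in events:
        if ev["EventID"] != 10 or basename(ev["TargetImage"]) != "lsass.exe":
            continue
        access = int(ev["GrantedAccess"], 16)
        if basename(ev["SourceImage"]) in ALLOWED_SOURCES or not access & PROCESS_VM_READ:
            continue
        alerts.append({"ts": ev["ts"], "source": ev["SourceImage"], "access": access})
    return alerts


def detect_lsass_dump_file(events) -> list:
    """lsass*.dmp files being written (Sysmon EID 11); weaker, since copies survive."""
    return [ev["TargetFilename"] for ev in events
            if ev["EventID"] == 11
            and basename(ev["TargetFilename"]).startswith("lsass")
            and basename(ev["TargetFilename"]).endswith(".dmp")]


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    for alert in detect_lsass_access(evs):
        print(f"LSASS read by {alert['source']} (access 0x{alert['access']:X}) at {alert['ts']}")
    for path in detect_lsass_dump_file(evs):
        print("LSASS dump written:", path)
```

Quarantining lsass.DMP after the fact, as happened here, still loses the zipped copy and the copy on the desktop; the process-access record is the durable signal and is what an EDR alerts on. Stopping a local admin from switching Defender off afterwards is a separate control (tamper protection or centrally managed policy), which is the other half of the "brought to you by local admin" point.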
webmail. So I go to OWA, I give it my username and password, and then it throws up, and I'm like, well, that's weird, it accepted the credential but it threw up. I don't know what this is, but it's base64, so I'm going to decode it. It says: "The mailbox being accessed doesn't have a valid account state, protocol disabled." Now again I have to conjure up in my head what is going on here. I think that they didn't want to enable two-factor authentication, so what they did was they disabled Outlook Web Access. But you don't create a mailbox unless you want to give a user access in one way, shape, or form, right? So I'm thinking, well,
you know, I'm on Jody's system, I've got Outlook. I fire up a new profile, configure it with info@, give it the password, and when I see this I know I'm golden, because: "You're all set." So I get into the user's mailbox. Now it wasn't in scope to dig into this user's mail, but the thing that drew my attention was this, down at the bottom: it says "cyber suppliers, cyber security," and it's from Raytheon. Now a few years back the government was basically getting tired of being hacked through the supply chain, so they came up with some compliance things for their vendors, and they were saying, all right, your vendors' vendors need to go through some
of this. I think DFARS is the bottom of this barrel. Now the thing that's really amusing to me is, having just finished the penetration test for this client, I know for a fact that they're not DFARS compliant. The other thing that's really amusing is that this is dated 2016. Like, six years on and they're still not complete. All right, so you want to rewind back to that Administrator account. I'm going in for the kill shot. I fire up CME, I point it at the domain controller, I give it the Administrator account and that password hash, and in the bottom right-hand corner we see "command completed successfully." So that is a valid hash for that account. I double-checked on Domain Admins, and
jody.o is in the Domain Admins group. Did I skip a slide? Oh no, sorry, yeah. And so Jody is in the Domain Admins group, so that's a fatality. So I've exfiltrated data, I've taken over the mail server, I've been in a user's mailbox, and I've taken over the domain admin. So now let's talk about solutions. Burn it all down. Any defenders in the room? Anyone? I'm sorry. Now, I've got solutions. Gamify phishing. Users don't care, right? If their computer gets ransomware, they're like, not my computer, why do I care? I only care about my home computer. So what we have found is that we have to get
them engaged. So pre-COVID, what we would do is give out these little rubber, or little glass, fish bowls, and every time they completed the campaign successfully we would give them a rubber fish. We found that they started competing against each other to get more fish in their bowl. Post-COVID we started using Starbucks gift cards. So remember, these are small businesses, so 100 employees. I'm doing my campaigns across the entire quarter, and we say, we're going to give you a five-dollar Starbucks gift card if you successfully complete this campaign. $500 a quarter, that's like pretzels and coffee, probably, right? And then what we do is we'll set some benchmarks for them. You know, we'll
say, all right, 10 people clicked the link but two people reported it; we want 10 people reporting. And then we're going to start raising, or moving, the goalposts, basically, to at least get them to 16, which is the average, like the bottom of the average. Password managers and 2FA: we've been kind of beating that dead horse for the last 20 years. If you're not doing it, do it. AV to EDR, so antivirus to endpoint detection and response. If you don't know what EDR is, it's fancy antivirus. It used to be enterprise expensive and now it's small-business inexpensive; it's really not that much
more to go from traditional AV to EDR, so we've been moving all of our clients to that. And then SIEM, security information and event management: basically it's a log aggregator, and you can set thresholds on things and it'll trigger alerts based on that. In the past you'd need a team and you'd have to do a bunch of configuration; there are actually some products that work well out of the box, basically just install it, and there's a default rule set in there that works really well. Some of the stuff that you saw me doing earlier, like adding into the Domain Admins group, that's going to throw up an alert; that's going to get me busted.
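The group-membership alert just described, together with a password-spray threshold (which the talk also lists as something a SIEM would catch) and the LSASS-dump behavior that Defender flagged earlier, written out as an added example for this page; it is not code from the talk or from any product the speaker alludes to. The Windows event IDs (4625 failed logon, 4728/4756 member added to a security-enabled group) and Sysmon event 10 (ProcessAccess) are the standard ones; the JSON field names, the thresholds, the allowlist and every sample event line are constructed assumptions.

```python
"""Three SIEM-style rules over constructed Windows events.

Added example, not code from the talk or from any product.  Event IDs are the
standard Security-log ones (4625 failed logon, 4728/4756 member added to a
security-enabled group) plus Sysmon event 10 (ProcessAccess); the JSON field
names, thresholds, allowlist and every sample line are assumptions.
"""
import json
from collections import defaultdict
from datetime import datetime, timedelta

PRIVILEGED_GROUPS = {"Domain Admins", "Enterprise Admins", "Administrators"}
SPRAY_WINDOW = timedelta(minutes=10)
SPRAY_MIN_DISTINCT_USERS = 5   # a spray is many users, few attempts each; tune per site
LSASS_ALLOWLIST = {            # assumed: legitimate LSASS handle holders on this estate
    r"C:\Windows\System32\csrss.exe",
    r"C:\Windows\System32\wininit.exe",
}

# Constructed sample: a spray from 10.0.0.23, a user mistyping their own
# password from 10.0.0.77, an LSASS dump via Task Manager, then jody.o added
# to Domain Admins.  Backslashes are JSON-escaped.
SAMPLE_LOG = r"""
{"time":"2022-06-01T09:00:01","host":"DC01","event_id":4625,"src_ip":"10.0.0.23","target_user":"alice"}
{"time":"2022-06-01T09:00:02","host":"DC01","event_id":4625,"src_ip":"10.0.0.23","target_user":"bob"}
{"time":"2022-06-01T09:00:03","host":"DC01","event_id":4625,"src_ip":"10.0.0.23","target_user":"carol"}
{"time":"2022-06-01T09:00:04","host":"DC01","event_id":4625,"src_ip":"10.0.0.23","target_user":"dave"}
{"time":"2022-06-01T09:00:05","host":"DC01","event_id":4625,"src_ip":"10.0.0.23","target_user":"erin"}
{"time":"2022-06-01T09:00:06","host":"DC01","event_id":4625,"src_ip":"10.0.0.23","target_user":"frank"}
{"time":"2022-06-01T09:05:00","host":"DC01","event_id":4625,"src_ip":"10.0.0.77","target_user":"alice"}
{"time":"2022-06-01T09:05:30","host":"DC01","event_id":4625,"src_ip":"10.0.0.77","target_user":"alice"}
{"time":"2022-06-01T09:10:00","host":"WS-JODY","channel":"Sysmon","event_id":10,"source_image":"C:\\Windows\\System32\\Taskmgr.exe","target_image":"C:\\Windows\\System32\\lsass.exe","granted_access":"0x1FFFFF"}
{"time":"2022-06-01T09:10:05","host":"WS-JODY","channel":"Sysmon","event_id":10,"source_image":"C:\\Windows\\System32\\csrss.exe","target_image":"C:\\Windows\\System32\\lsass.exe","granted_access":"0x1FFFFF"}
{"time":"2022-06-01T09:12:00","host":"DC01","event_id":4728,"subject_user":"administrator","member":"jody.o","group":"Domain Admins"}
{"time":"2022-06-01T09:13:00","host":"DC01","event_id":4728,"subject_user":"administrator","member":"printsvc","group":"Print Operators"}
"""


def parse_events(text: str) -> list:
    """One JSON object per line; the timestamp is parsed so rules can do time math."""
    events = []
    for line in text.strip().splitlines():
        ev = json.loads(line)
        ev["time"] = datetime.fromisoformat(ev["time"])
        events.append(ev)
    return events


def privileged_group_changes(events) -> list:
    """Fire on any addition to a Tier-0 group, regardless of who did it."""
    return [f"{e['host']}: {e['subject_user']} added {e['member']} to {e['group']}"
            for e in events
            if e["event_id"] in (4728, 4756) and e["group"] in PRIVILEGED_GROUPS]


def password_spray(events) -> list:
    """One source IP failing against many distinct accounts inside SPRAY_WINDOW.
    A single user retrying their own password never crosses the distinct-user bar."""
    failures = defaultdict(list)
    for e in sorted(events, key=lambda e: e["time"]):
        if e["event_id"] == 4625:
            failures[e["src_ip"]].append(e)
    alerts = []
    for src, fails in failures.items():
        for i, first in enumerate(fails):          # slide a window from each failure
            users = {f["target_user"] for f in fails[i:]
                     if f["time"] - first["time"] <= SPRAY_WINDOW}
            if len(users) >= SPRAY_MIN_DISTINCT_USERS:
                alerts.append(f"{src}: {len(users)} distinct users failed within {SPRAY_WINDOW}")
                break                               # one alert per source is enough
    return alerts


def lsass_access(events) -> list:
    """Sysmon 10 with lsass.exe as the target from any process not on the allowlist."""
    return [f"{e['host']}: {e['source_image']} opened lsass.exe with {e['granted_access']}"
            for e in events
            if e.get("channel") == "Sysmon" and e["event_id"] == 10
            and e["target_image"].lower().endswith(r"\lsass.exe")
            and e["source_image"] not in LSASS_ALLOWLIST]


def run_rules(text: str) -> dict:
    """Run all three rules over a log export and return alerts keyed by rule name."""
    events = parse_events(text)
    return {"privileged_group": privileged_group_changes(events),
            "spray": password_spray(events),
            "lsass": lsass_access(events)}


if __name__ == "__main__":
    for rule, hits in run_rules(SAMPLE_LOG).items():
        for hit in hits:
            print(f"[{rule}] {hit}")
```

Run as-is it raises three alerts: the spray from 10.0.0.23 (six accounts in five seconds), Task Manager opening lsass.exe, and the Domain Admins addition; the retrying user and the csrss.exe handle are deliberately left quiet, which is the part that makes a rule usable rather than noisy.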
Spraying, you know, that could get me busted too. So that's another thing, and it's not super expensive. I don't want to name-drop products; if you want some recommendations, just grab me offline. And with that, I'm going to say thank you and open it up for questions.
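Looking back at the pass-the-hash step against the domain controller: why was the Administrator hash pulled out of the LSASS dump enough, with no password? Because NTLM authentication never uses the password itself. The NT hash is MD4 over the UTF-16LE password, and the NTLMv2 response is an HMAC-MD5 chain keyed by that hash (MS-NLMP), so whoever holds the hash can answer the server's challenge, and the DC verifies it against the same stored hash. The following is an added example written for this page, not code from the talk or from CrackMapExec or Mimikatz. MD4 is implemented inline because hashlib's md4 is often unavailable on OpenSSL 3 builds; the account name, domain, challenges, timestamp and target-info bytes are constructed placeholders.

```python
"""Why the NT hash alone is enough for NTLM: NT hash + NTLMv2 proof.

Added example, not from the talk or any tool it names.  Everything below
follows MS-NLMP; the account name, domain, challenges and target info are
constructed placeholders.
"""
import hashlib
import hmac
import struct

MASK = 0xFFFFFFFF


def _rotl(x, n):
    return ((x << n) | (x >> (32 - n))) & MASK


def md4(data: bytes) -> bytes:
    """RFC 1320 MD4, implemented here because hashlib.new('md4') is missing
    on many OpenSSL 3 builds."""
    def f(x, y, z): return (x & y) | (~x & MASK & z)
    def g(x, y, z): return (x & y) | (x & z) | (y & z)
    def h(x, y, z): return x ^ y ^ z

    msg = bytearray(data) + b"\x80"
    while len(msg) % 64 != 56:
        msg += b"\x00"
    msg += struct.pack("<Q", (len(data) * 8) & 0xFFFFFFFFFFFFFFFF)
    state = [0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476]
    for off in range(0, len(msg), 64):
        x = struct.unpack("<16I", msg[off:off + 64])
        a, b, c, d = state
        for i in range(16):  # round 1: words in order, shifts 3 7 11 19
            a, b, c, d = d, _rotl((a + f(b, c, d) + x[i]) & MASK, (3, 7, 11, 19)[i % 4]), b, c
        for i in range(16):  # round 2: words 0 4 8 12 1 5 9 13 ..., shifts 3 5 9 13
            k = (i % 4) * 4 + i // 4
            a, b, c, d = d, _rotl((a + g(b, c, d) + x[k] + 0x5A827999) & MASK, (3, 5, 9, 13)[i % 4]), b, c
        for i in range(16):  # round 3: words 0 8 4 12 2 10 6 14 ..., shifts 3 9 11 15
            k = (0, 8, 4, 12)[i % 4] + (0, 2, 1, 3)[i // 4]
            a, b, c, d = d, _rotl((a + h(b, c, d) + x[k] + 0x6ED9EBA1) & MASK, (3, 9, 11, 15)[i % 4]), b, c
        state = [(s + v) & MASK for s, v in zip(state, (a, b, c, d))]
    return struct.pack("<4I", *state)


def nt_hash(password: str) -> bytes:
    """NTOWFv1: MD4 over the UTF-16LE password.  This is what sat in the LSASS dump."""
    return md4(password.encode("utf-16le"))


def ntlmv2_response(nt: bytes, user: str, domain: str, server_challenge: bytes,
                    client_challenge: bytes, timestamp: bytes, target_info: bytes) -> bytes:
    """Client side of NTLMv2 (MS-NLMP 3.3.2).  The only secret input is the NT hash."""
    key = hmac.new(nt, (user.upper() + domain).encode("utf-16le"), hashlib.md5).digest()  # NTOWFv2
    temp = (b"\x01\x01" + b"\x00" * 6 + timestamp + client_challenge
            + b"\x00" * 4 + target_info + b"\x00" * 4)
    proof = hmac.new(key, server_challenge + temp, hashlib.md5).digest()  # NTProofStr
    return proof + temp  # NtChallengeResponse


def server_verify(stored_nt: bytes, user: str, domain: str, server_challenge: bytes,
                  response: bytes) -> bool:
    """DC side: recompute NTProofStr from the stored NT hash; the password is never needed."""
    key = hmac.new(stored_nt, (user.upper() + domain).encode("utf-16le"), hashlib.md5).digest()
    proof, temp = response[:16], response[16:]
    return hmac.compare_digest(proof, hmac.new(key, server_challenge + temp, hashlib.md5).digest())


def pass_the_hash_demo() -> bool:
    """Constructed exchange: attacker holds only the hash, DC holds only the hash, auth succeeds."""
    dc_stored_hash = nt_hash("Winter2022!")                # what the DC has for Administrator (constructed)
    dumped_hash = bytes.fromhex(dc_stored_hash.hex())      # what Mimikatz read out of the LSASS dump
    server_challenge = bytes.fromhex("0123456789abcdef")   # constructed
    response = ntlmv2_response(dumped_hash, "administrator", "CORP", server_challenge,
                               client_challenge=bytes.fromhex("aabbccddeeff0011"),
                               timestamp=b"\x00" * 8, target_info=b"")
    return server_verify(dc_stored_hash, "administrator", "CORP", server_challenge, response)


if __name__ == "__main__":
    print("NT hash of 'password':", nt_hash("password").hex())
    print("pass-the-hash accepted by DC:", pass_the_hash_demo())
```

The takeaway for the defenders in the room is in `server_verify`: the DC checks the proof with the hash it stores, so the hash is the credential, and a hash lifted from any workstation's LSASS is as good as the Administrator password until that password is rotated.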