Creating an Effective Security Posture

BSides SATX · 2019 · 55:43 · Published 2019-09
About this talk
Title: Creating an Effective Security Posture
Presenter: Dominique Pizzie (@DomPizzie)
Track: In The Clouds 01
Time: 1000
BSides San Antonio 2019, June 08, at St. Mary's University, San Antonio, Texas

Abstract: I want to focus on knowing what to focus on: stepping back, getting a lay of the land, and talking about solutions to problems everyone deals with. This is not necessarily a tools talk, but more of a mindset shift. Tools and strategy will be discussed.

Speaker Bio: Dominique Pizzie has worked in a wide variety of security verticals. His most recent work involves developing a framework for Threat Hunting capabilities at his current place of employment. He is a strong advocate for "Automate all the things" and has a very strong opinion about documenting everything.
Transcript [en]

Welcome to the In The Clouds track at BSides San Antonio. I'd just like to take a brief moment to thank all of our global sponsors: St. Mary's, USAA, Trend Micro, Digital Defense and SANS. Without them this awesome conference wouldn't be here, so a big thank you to them. Please stick around later; we're going to have a wrap-up and, as you see, we've got a lot of good prizes, so you definitely want to stay on top of that. I think that's it, so without further ado: Creating an Effective Security Posture, Dominique Pizzie.

All right, so I think we're good to go. Thank y'all for coming to the ten o'clock talk. I can't promise you anything, but you're here. So today (I can't move around too much today) what I want to talk about is basically what I see as a trend in our field, as we're getting younger and younger people and as technology is growing and expanding. I really want to focus on what we should be focusing on. We're always tantalized by all this new stuff that's coming out, so I want to take a step back, re-evaluate your posture, the lay of the land, and talk about methodologies and challenges that we all have to deal with. So it's not so much a tool talk. There will be some tools, but really I want to remove that crutch and get back to the basics: knowing the actual low-level technology behind everything. I want to get away from "well, I need X to accomplish this, so I can't do it without it." That's a bad mindset to have. Tools should empower your capabilities and help you out, not be a hindrance to you.

Who I am: Dominique Pizzie. I've been doing this about six years professionally, X amount of years prior. I started off in higher education, which is probably what gives me my viewpoint of this whole thing, because in higher education you don't really have a budget; it's pretty much "go fix the world with nothing but some duct tape." It was fun, it was challenging, and it really changed my mindset to thinking outside the box: how can I accomplish this without a big budget, without these big fancy blinky boxes? I did that for a little while, transitioned to a SOC, and that gave me a lot of perspective with different clients and different industries. I realized, yeah, there are a lot of differences, but at the same time there are a lot of similarities in what we're all getting wrong, and again it all comes down to "well, we didn't have this, so that's why that happened," and that's the wrong stance on it. Recently I transitioned to doing more threat hunting, so that's been fun the past couple of months, but that's not what we're talking about today.

The focus for today is what's on the slide, but really it's that the tech industry has changed. Like I said, we're getting revision changes, code pushes daily if not multiple times a day, where before you would code something to run in kilobytes of RAM and you had to be exact, precise. Nowadays it's just "it ran, let's throw some more stuff on top of it, it's fine, we'll go back and look at it later," and that never happens. So you skip bugs after bugs after bugs. That's happening in the tech industry and it's kind of floating into the InfoSec industry. We're losing, I'm gonna say, our core values, our core capabilities, and the new shiny is always like "oh yeah, we need to go grab that." If I had an infinite budget, sure, that'd be great, I would love to play with everything, but in reality that doesn't happen too much (Google, call me). You're building on this crumbling foundation, and we need to stop that. So focus on the basics, get the 80% right, and you get so much return on value without that much input. Maybe a little bit of OpEx there; it's not a lot of CapEx. At the end of this I hope you think about your own personal environment, your own industry. Everyone's different; I can't talk about my situation and have it apply directly to yours, but I hope you can get some ideas out of it, and that's the point of this.

Security landscape. I don't know if you've ever had this conversation with leadership, but it's "why are you here, why am I paying you to do whatever you do?" A lot of times it ends up being that they're more interested in what they heard about on the news or some blog site, or so-and-so told them, one of their networking guys told them about this thing. And it's like, yeah, they did that really cool thing, but they're not really after us, and you have 20 Windows servers, admin, patched six months ago, RDP open to the Internet. Is that really the threat vector you're going with right now? It's hard to convey that to leadership, I understand that, but thankfully now there's a lot of information coming out there, a lot of reports coming out, and it's real data. It's what they picked up, they've analyzed it, and now we can consume it. It's great because it gives us actionable items to look at.

With that comes, I guess, compliance, and then what I like to call checkbox security. I think a lot of people are guilty of it, unfortunately, where we think "we passed an audit, so we're good," and in reality that should be a starting point, not the goal, not the finish line. So with that, these are some reports. As we can see here, we have delivery method: email, quite high up there. What else are they doing? Phishing, stolen credentials, okay. What are they using to actually run their exploit? PowerShell. That's the ATT&CK matrix, if y'all know those codes. This gives us real valuable insight into what we should be looking at. Again, we can look at the top ten vulnerabilities; this is from Recorded Future. You don't really need to look at the CVEs, if you can read that, but basically Windows logos and Adobe logos, that's what you know. Over here we have file types that are coming in with spam attachments: XLS, PDF, JS, VBS. Those are the heavy hitters. With this we can make an actual plan; we can circumvent these things. Yes, if you have your EDR solutions and your next-gen whatever, that will probably get this taken care of, excellent, but what if it gets through? You're only protecting one doorway. So let's go a little bit deeper.

Let's start with email. Pretty simple; it's been around for quite a while. It's kind of a problem because there are just shim RFCs on top of RFCs to help move it along into the future, but these three items really should be the foundation of how you set up your email. I'll go into the details, but basically this enables your domain, your company, to not be easily spoofed by other people. So how does that work? Well, we've got SPF, which is the Sender Policy Framework, and all of this is a TXT record in your DNS domain. It's pretty simple; you can see an example at the bottom left, that's kind of what one looks like. What this does is say, "hey, if you're getting email from me, it should be coming from that IP address range," or whatever that SPF record is for that domain. Then the little squiggle, "~all", the tilde-all, just means "if I don't do this, well, you decide what to do; don't hard fail me, but it's up to you to decide whether to allow me or not." That's great, but this is all in the envelope sender field, so if you're forwarding emails and things like that, you can actually lose this information in translation. That's where DomainKeys Identified Mail comes in. Basically this is just a signature for your domain that is put into another TXT record and that is actually in the header field of your emails, so that follows it along; it's a signature for you. With those two, now you're getting somewhere. If you look in the bottom example, those are supposed to be "-all"s; if it's a "-all", that means hard fail: "if I don't come from this, hard fail me." That's from the header information of an email that I received, so you can see that it's checking the SPF record as it comes in, looking at it, and it's saying it passed, great.

Well, if you're running an SMTP server, an email server, if you ever have, you realize just how hard that is. So luckily there is Domain-based Message Authentication, Reporting and Conformance, DMARC (I will never remember that). What that does is give you reporting capability. Basically, I send you a bunch of emails and all of a sudden they're getting dropped for whatever reason; I'm gonna get a report back saying "hey, you have a high influx of dropped emails," and so now you can go and take a look at your SPF record or your signature and see what's going on. That right there is just huge, as far as people can't send email on your behalf pretending to be you, and your users can't get emails from external people pretending to be internal people. That right there is such a huge benefit, and it's not that difficult.

Next, simple things, right? Like I said, we're going back to the basics. Real-time blackhole lists, Return Path reputation networks: these are all things that Exchange, a mail proxy, insert your choice, can do. There are some lists included. We have geo-blocks: do you need to be contacting all these overseas places? Maybe, I don't know, that's up to you, but you can block them based on IP or just the TLD. So if you have a .cn, I don't need that, even if it is

from another US IP address. And the big one, I think: file attachments. You should know what you are allowing into your environment. You can monitor this, you can report on it, you can get analytics and metrics from it. It's 2019; XLS and DOC, there's no reason for those. The issue with those is that you can put macros in them and you don't realize it. With the newer formats, the XML formats, you have .docm and .xlsm, so you know it's a macro-enabled file and you can automatically say "I don't want this from an external user." So I did a nice little, let's see how this loads, hey, nice. I compiled this list, and again I'll share all the slides and everything like that, but basically it's a list compiled from the recommendations on the Microsoft site, Cisco's, and Symantec's, and then some custom rules from random sources, a whole bunch of them. All this does is go through and make a nicer de-duplicated, organized, sorted list. With those lists of a hundred-some each, we end up with 189 unique values. Now it's up to you to decide; maybe you need ZIP coming in, which you most likely do, but .7z, ISO, things like that, I really doubt you should be getting those in emails from external. Internal to internal, sure, maybe, but you need to look at these, and again, look at your logs: are our people sending these, am I gonna impact the business? That's all there, available for you; do with it what you like, don't blame me for anything.

That solves a lot of problems right there, but there's always more; they always figure out a way to get through. These are some real-life examples, just out-of-the-box ways I had to deal with some email. Bad words up here, but I had a particular client that was just getting inundated with sextortion emails, about all types of crap: "I watched you do this," "FBI," yada yada. Just multiple people internally, all different senders, all different host providers; there wasn't really an elegant solution until I was like, "hey, we have a pattern, we have these 100 emails, see if we can find a pattern with these." So I wrote a regex which basically just says: a space, any of these words, and anything with an imgur or YouTube link at the end, just quarantine that and let someone review it. That was a 90% reduction of emails getting to users right away; they were very happy with that. Again, I didn't have to go and try to find some weird solution and connect everything; I just went back to regex, good old regex.

Same thing with Bitcoin scams, again just looking for "BTC" or "Bitcoin", some spaces, words, and then any of those with a 26 to 35 character string, which would be the address for a Bitcoin wallet. That again was a 96% reduction. That particular client definitely didn't do any type of Bitcoin, blockchain, whatever, so we didn't even have that. Now, caveat: there was a hundred percent reduction in email, because I forgot to space the "BTC", and unfortunately HTML code has "BTC" in strings pretty often, so that was a little oopsie moment, but it only happened for like five minutes. I know the email guys and they were nice enough to tell me.

Oh yeah, I guess that's a side note: don't make changes before you leave. Always stay there and test them for a little bit. I don't know if you've had that issue. So, regex: there's a little tester down there; that's the one I usually use, just to put in a string, like a big random string, and then see how my regex is working. It's an awesome tool, highly recommended.

Now this one's pretty fun: spoofed names. I don't know if you get this, but we have a lot of people always saying like "hey so-and-so, I need you to give me whatever, a gift card, or the wallet address, or a credit card number so I can go buy this thing real quick, it's urgent," and it always comes from, let's just say, a director, a C-level name, to someone that has a position of power that can implement that or do that. So how do we combat that? Well, not the easiest thing in the world, but not too hard either. We wrote a PowerShell script that all it does is walk through your AD org. Basically, give it a user, let's say you want your CEO, spin it in there, do one, two, three levels deep, however deep you want to recurse down into your org to whoever has authority, and then it'll print back something that looks like this, where it's the director and all the managers; if the managers have people underneath them, it'll give you all of them, and if they have people underneath them too, it'll give you those if you wanted to go that deep. What you can do with that is now you set up a transport rule right in Exchange, and it just says "hey, if people with these names are sending email to us, not from these email addresses, don't allow them, quarantine them." That right there was also a huge win, and again that's on GitHub, you can go check it out. It's pretty simple; the whole point of this is just to show that you don't need every fancy thing, right?

Of course, something always gets through, so we are depending on the users at the end of the day. What can we do about that? Well, phishing campaigns are great, and I don't mean the really crappy ones. There's a little more to it than the thing going around saying "click me, click me, click me." Look, if your company has a weekly report that goes out or something like that, copy that. Make it hard; don't make it easy so your numbers look good, because then you're not getting any value out of it. Make it difficult, clone those emails, and get some good work out of it. GoPhish is an awesome open-source, free tool if you don't have anything commercial; works really well, it's written in Go, easy to compile and run, very cool. Now, gamify as well. You can set up a PowerShell script; maybe you have a button in Outlook that says "this is spam," great, it gets into a folder, and you can have a PowerShell thing run once a month that just says "all right, cool, I got 1000 emails, pick a random one," and this person now gets a $25 gift card. Yeah, it's great to get a $25 gift card, but the more important thing is that people know that it's being looked at. The worst thing you can do is just send stuff to a black box where people don't think there's a point in doing it. You want them to know that they're being heard.

Reports and metrics: I think it goes without saying, but every win that you have needs to be broken down into numbers, percentages, for your leadership, so you can show your value, so that you can earn more of that pie the next quarter. Also, help out your community. Reporting is pretty easy; I actually use Decent Security, this little link right here. Basically it's kept up to date with all the ways to report to different things, and I don't do them all, but I generally always submit to Palo Alto and then the Google one; I always do those, and it's pretty quick as far as how quickly that propagates throughout all the different rule sets. So just help out your community. If you get something that's bad and it's not getting caught, nothing is showing as malicious, help out everybody; take that two minutes to help us out. Again, I use this site; it's kept updated.

Just real quick, this is kind of what GoPhish looks like, if you want to take a look at it. Like I said, it's super easy to run, but you can see here how many were sent, opened, clicked, and submitted data, and you can set it up to where you can look at the submitted data or not look at the submitted data, for obvious reasons. If you have a smaller org, set this up, or just test it out in a small environment; it's really easy just to get going.

All right, Office docs. Like I said, if you remember those slides a few slides back, XLS, DOC, all those are our main problem children. So how do those work? Well, if you look at all the reports, if you read some blog posts, it's all that they're launching shells somehow through macros, Word, whatever; that's how they're doing it. So what can we do about that? Well, these three items right here. Let me show you

that real quick. So, Microsoft Windows 10 (caveat: Windows 10). It's kind of like the EMET replacement, but these are rules that are built into the Windows Defender security suite. They're part of the exploit protection package of it, not necessarily the AV package, so you can have your own corporate AV while still running Defender; they're not gonna step on each other. But these rules right here, the second one, "block all Office applications from creating child processes," that's pretty neat. I don't know of any real scenario where a user needs to have an Office doc that launches some type of application from it. I'm sure you can come up with some, sure, but a small percentage. And then that bottom one as well, "block Adobe Reader from creating child processes." All right, now we're getting somewhere. That was Windows and Adobe, so great, that's a feature that's there. How do we actually do that? Well, like this.

This is a sample of a test I'm about to show you. Basically it's just calling a .NET web object and downloading a file from my GitHub, and if you take that code and you escape all the quotes, that's what it looks like in a macro in an Office doc. Basically it's just calling PowerShell as a command: run this as a command, downloading a file from that location and saving it to bad.txt in my home drive. See if it works. Magic. So, pause. All right, pay attention to the file folder over here, so I'm launching sample1.docx, super secret. Notice now there's a bad.txt in the file explorer. Had that been an actual malicious script, downloading a file which would then execute something else or pull down something malicious from the Internet, it would've been all good. And we can see here, this is what it looks like: it's WINWORD.EXE spawning PowerShell, so we saw it caused a child process. Well, let's change that. I'm using PowerShell right now as an admin, and Set-MpPreference is the command. I want to call the attack surface reduction rules, and that string is the one that is for Office docs to block child processes, so I'm enabling that. And we can see here, if you look at your GPO, you can see "attack surface reduction"; that's where you can also change it if you want to do it that way.

All right, so let's see what happens again, launching a file. Oh, look at that, action blocked. Yeah, that sucks, okay. You can even debug it and see what it blocked on, and I can rewind that real quick so you can see that is what it actually highlights and says "no good, man, we're not going to do that." Wow, very impressive, I know, I know. Oh no, I lost my presentation.

I have it, perfect. So we all know motivation drives success; there's always a way around whatever you implement. Attackers are always going to be one step ahead if they want your information badly enough. CVE-2018-8414: SpecterOps identified that one. I can't remember the exact context of what they did, but they were able to bypass and use some built-in launchers within Windows and get around those protections. Now, it was fixed, thankfully, but there's always going to be another way, another doorway, so layer your defenses. And think about how else we can stop these things. Well, macros: do we need those? Potentially. Maybe we set up macros only to run from internal documents that we created inside; that's an option. Change default programs: if you have script files, you can change them to Notepad. Or software restriction policies, or even AppLocker if you're gonna get more advanced; they're all built into Windows. But there's always some more problems.

So here's two different ways: Invoke-WebRequest is basically calling a remote site and I'm getting the information from it; you see a 200 code. And you can see here, if you actually use the .NET method, there's no user agent or anything like that unless you specify it. There is a default PowerShell user agent in Invoke-WebRequest, but you can modify that if you want. So, mm-hmm, what can we do if it gets around our steps? Well, we can block processes, maybe, from getting to the Internet at all, or we can set up monitoring for user agents based on their strings. So here I made a new firewall rule in Windows Firewall called "PS Web Block" and said outbound, action block, for only this program, powershell.exe, only protocol TCP, and only going to HTTP or HTTPS. You get a success; great, we have a new rule. We can see it in the Windows Firewall GUI over here, "PS Web Block," awesome. What happens with that? Ah yes, it can't do anything, and that's what we want, right? The few scenarios you can think of where you would want to get Internet access for PowerShell and stuff like that are if you're loading custom modules from the Internet and things like that, but you can have a developer group or an admin group where you have to escalate or be part of a special, more highly authenticated group to then do these things. You can set up that firewall rule to only work for regular users if you want.

All right, well, after all this we kind of see PowerShell is kind of an issue. I love it, and you hate it. What can we do about this? How can we be more aware of what's going on with the PowerShell binary? Well, by setting up

logging and detection, and I can show you some ways to get around that. So by default PowerShell 5 is what has all the logging goodies. PowerShell versions 2, 3 and 4, when I've seen a chart, some of the logs you have to enable yourself; they're not on by default, you've got to turn them on. They log to those two default locations in your Event Viewer, and there are three log types: transcription, module and script block. Transcription is actually local; that's not going to be logged to the Event Viewer, that's going to be logged to a file on the system. You can change that to maybe a network share if you want, but that is going to be a full transcription of everything that happens at that console, what they're typing, what's coming back out, everything. Very noisy, but it has a lot of information; thankfully it is local, so you're not sending it over the wire. Module just shows what modules are being called, so if I use Get-Date, or like in the previous slide the New-NetFirewallRule, it would show that, and that would be it, just saying that got called and this is the response from it. And then script block logging will actually show the entire script block that gets run, so if I run a full command with all these tacks and then file names and locations, it'll show all that. You can do each one of those individually as far as logging setup. Here you can see a sample of basically turning on module logging; that's the only one I turned on, and then I put an asterisk value for "any module, log it." You can specify some; otherwise it's noisy, and there are some lists out there on GitHub of potentially malicious modules that you want to take an extra look at, so if it is causing too much noise you can modify that. You see, once I turn it on, now I'm getting operational logs, and when I run the Get-Date command, now I have command invocation Get-Date, so now I know what happened and I know what's been returned.

So, logging. I have a lot of links, just FYI, in the notes section of all these slides, so when I release them, go as deep and nerdy as you want; there's plenty of information there. But for the sake of time, those are the event IDs that you want to get. You want to see if a PowerShell process runs, if a new service from PowerShell runs, that's very interesting, and you can search for strings to detect obfuscation, which I'm about to show you, and look for encoding commands. So there is an -enc flag, not just -e, as you'll see, that will enable you to base64 encode, or other encoding methods if you would like, your strings or your commands.

So I'll be going to Sigma rules. This is basically like an agnostic, I forget the term, rule set that you can use for your SIEMs or detections, and here, these two right here: the one on the left, you can see the System.Net.WebClient DownloadString, so all this is looking for that, or the DownloadFile, and it's going to make an alert for that, and you can see it's even mapped to the ATT&CK matrix. The one on the right is looking for a client IP, URL, a user agent that looks like, you know, wildcard "WindowsPowerShell", another obvious sign that PowerShell is attempting to get something from the Internet. So here's rules for you already that you can set up for alerting, and there's a lot more in that repository.

Here I was talking about obfuscation. Both these commands are totally valid; you can escape it to your heart's content, which is why it makes it difficult to actually set up alerts for these and why sometimes you have to brute-force it, just to say "this guy's running a string of 80 characters in a PowerShell command, that's just odd, like what is he doing." And so, not the brute force, if you can see here, if I call a full path of calc I can do it with the question mark, so without it, and it loads up just fine. There's a lot more information about that in that link. So that's PowerShell in a nutshell. It's quite powerful and, yeah, it's unfortunate, but it's also really useful and it's what I write a lot of my stuff in nowadays.

So let's talk about network now. Network security, again simple, like the email: geo-blocks are your friends, blacklist TLDs, do we need these things? I don't know, but you should be able to know if you're looking in your environment. Now some other things: NetFlow. I know full packet capture is a dream for pretty much all of us, but NetFlow is something more manageable; you can get metadata pretty easily. Proper segmentation of your networks:

you should not have client-to-client communications; client to server, server to client, but there's no reason for us to be talking on a network share together, client to client. URL shorteners: I guess I'm noticing more emails come through with them, but one in particular is cut.us or something like that; I'm seeing that a lot lately. Bitly has pretty good reporting: I can report that and within minutes it's taken care of. Cut.us, or whatever it is, everything I've seen from there is just nefarious, so I would just block that if possible, and then maybe some other things if you're comfortable with that.

You have all these things done, well, what about dynamic DNS? Why are users going to domain names that are hosted in dynamic DNS? I've had situations where I've only seen really developers and admins randomly SSHing into things they have on their home network, maybe; I've seen that. But otherwise, if you're any type of legit domain, you would own your own domain, so there are lists out there that you can check against in your logs, do some lookups; it's very convenient. And then public DNS as well: not quite as useful, but it does identify if you have systems that are supposedly on your AD network, with your configuration, not talking to your DNS servers. That could be an indicator of something going on; maybe a user changed it, maybe not, who knows, but you can find out. Then I would like your help on this one, newly observed domains, so anything less than seven days or 30 days, things like that; a real obvious sign of "I probably don't want you going there right away." I've only found this one free link with some lists in it; if you have more, please send them to me, because I looked and looked, so I would like some more. And then user agents as well: you can look at known malicious user agents for Empire or any of these others, Mimikatz, Metasploit, whatever; we can look at user agents that they use and you can make lists of those and see if they're being run on your network.

This one's fun; I actually just found out about this one. We're always worried about what's coming against our network but not necessarily what's going out, as far as a port perspective. If you go to allports.exposed, it'll tell you all your ports that are exposed. You can run it in a loop, basically, and hit it with every single port and see what's getting out of your firewall. Really convenient, because when you're talking to things above 10,000, you kind of want to question that. So again, don't just say "block" and then get the screams on the phones; let's not do that, but start monitoring that and see if there's a business justification for it. That brings me back to a point I forgot to mention as well, on the PowerShell, on the blocking of Office documents loading child processes: you can set that to just an audit mode if you're worried about what that can cause, and you can monitor it and say "well, is there business justification for this, is there a legit reason for it," so don't be worried about breaking stuff at this time.

All right, I'm gonna speed through this next

section a little bit like if I'm a mouse I don't really want to talk about this too much you get cross-eyed with it it it's a necessary evil and I say that constantly but they really have gotten better in the past few years I know ten years ago these are something else let's just say that nowadays they're they're pretty applicable and they're good again you know starting starting lines they're not the goals but here let's see so we have all these choices and sometimes it can get a little a little much but generally speaking starting off at the CSF is a good way to go and all these are doing is just good standards and baselines that you should

be incorporating into your environment, into your policies, into configurations. There's nothing magic about them, it's just that it's already done for you, and you don't have to do all of them. You can go compare your own systems, like, what does mine look like compared to this rule set? It's just nice to have something to point at of what we should be doing versus, you know, someone asking you, "well, what should we be logging, how should this be set up?" Well, why do I have the authority to say that? You know, here's some great guidelines really smart people have created, let's start there. And so the CSF, yeah, it's just like I said, basic

standards and best practices. There's five main functions (identify and so on) and then it goes out into the categories and sub-categories. It's pretty easy to follow, honestly, for a framework, so about as simple as you can get. And if we take a look at that, here's just some screenshots from the PDF, and you can see, you know, identify, protect, detect, respond and recover, and then it's broken down into categories, and then you can measure against those: am I, you know, doing what X says to identify that? Oh, we can check it. And next, here we go, STIGs. STIGs are really cool, they were first created for, I think, the DoD

started doing them. So, you know, everyone always asks, like, "well, how should I set up my configuration?" Yeah, pick one. Unless you have compliance reasons for your industry, then definitely pick the right one, but, you know, these are really simple XML files of just, again, like: here's my firewall, is it turned on? Does my password lock after three attempts? Is there a ten-password history so you can't reuse the same password? Things like that. And you see here, if you use stigviewer.com, since they're all XML files it's kind of hard to read, but you can go to stigviewer.com, and I was just taking a look at the Windows 10 one and the very first, like, high

critical finding, and it just says, you know, LANMAN hash, one, so is that turned off? Let me check my system, let me check my... yep, yes it is, cool. So obviously, if we were going to be implementing this we don't want to go line by line, and thankfully there's a way to get around that. So most of these, like I said, are in XML files. I'm trying to remember the actual format, it's like an ADMX, the ADMX, and so it's a configuration file where you can actually load that and it'll just set everything for you and do a backup of your previous settings beforehand, maybe. CIS benchmarks, pretty much the

same thing as the STIGs, as far as, well, here it sections account policies, local policies, event logs, how should those things be set up, and you can dive down into that. And then we get the top 20 controls, which, you know, that's famous, SANS, right? But it is important, and these still aren't being done right today. Like, it literally has a number, it has "top 20", like, we should be doing that, we're all about the numbers games and we don't do these things. Inventory of authorized and unauthorized devices: what if you have no idea? It's pretty easy to find out. So according to SANS, their little posters, this is kind of what it should look like, right? You get a control

framework and your program framework and then your risk framework, which we're gonna gloss right over today, but you can see that's kind of what their recommendations are. And, you know, I'm not one for reinventing the wheel, might as well go with the flow, and you see how they map to the actual CIS controls and the CSF controls right here, so there is some overlap, which is good, and they're starting to realize that, which is good, because we don't want ten different things to look at. And a really useful feature is that link up there that brings you to the NIST website, where you can search for, I don't know, Adobe or Windows 10 or IBM, and it'll

pull up all the different configuration policies that they have from all those different sources. And in here you can see PowerStig. I just found out about this yesterday, so Microsoft, in all their wisdom, actually made a PowerShell module to load in specific STIGs from the website and either compare or implement them on your systems. Very cool. Obviously it's not the whole entire index, they're focusing on the Microsoft stuff, but it is really convenient. And here's what I was talking about, literally one website: compliance, Windows 10, I got STIGs, I got CIS, which version, great, I have a starting point. And like I said, risk assessments, we're gonna skip over this

'cause time is short. So now I'm moving on to endpoint security. Again, EDR solutions are great, but just being able to query your endpoints is a great feature. PowerShell by itself, set up right, can do this. Now it's not all scripted or agent-like, but you can go in and you can say, well, invoke this for that system and pull this information from it. osquery is really awesome, I believe, I forgot who invented that first, so it's Facebook or not, but it's a really cool feature where you can basically do SQL syntax; its agent runs on the systems, you do SQL syntax and you can get back whatever information you query for. And GRR is

pretty similar, that's from Google, where it's Python though, and again it's an agent system where you can then query the boxes that you want, very useful in an IR situation. And then huzzah, if you haven't checked that out, it's just really cool, go check it out, it's an actual endpoint, it's an EDR tool, open source, go check it out. And then admin rights, I don't really need to say it, but don't have it. LAPS is also another really easy, convenient, you know, solution from Microsoft to give you different admin passwords, local admin passwords, per machine, instead of having a global admin password for your entire org or your forest. And then I know I talked a lot

about logging earlier. Again, like I said, all these slides have excellent resources, but here's where you should go, like, just go there, go there, read it, absorb it, that's really all you need. And we get to OS hardening. Again, they have the ADMX, I'm not getting that file extension right, but Microsoft themselves have best practice configurations, kind of like the STIGs and the CIS, where you can go download a configuration for your GPO and play with it. And OSINT again, so always OSINT yourself, right? It's pretty easy. This first link, I just found out about that one, basically it looks for similar domains. I haven't

tested it out yet, no guarantees, but it looks cool. theHarvester, if you haven't heard of it, it's an awesome program, it'll search different repos, either Google search engine, Bing, or some other repositories, for whatever information you send it, and I'll show that to you in a second. And then Shodan, that's where you can just pull up, you know, an online scanner to basically scan the internet; now you can get free, you know, free external scanning for your systems and go look at what they found, great. crt.sh is a really cool feature just to give you what certificates are for what organizations, so if you want to search example.com you can see all of their

certs that are signed to them, which can come in handy if you want to map that back to other organizations. And DNSdumpster as well, it'll find basically any subdomain of what you throw at it. So let's try it out. Actually, I should start at the beginning.
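The two detection ideas from earlier in the talk, newly observed domains and known-bad user agents, as an added example that is not part of the talk or its slides. Everything in it is constructed: the log line format, the first-seen table standing in for a newly-observed-domain feed or your own passive DNS history, and the placeholder User-Agent patterns (real lists come from the sources the speaker points to, not from this code).

```python
"""Added example: triage proxy log lines for newly observed domains and suspicious User-Agents.

The log format, the first-seen table and the User-Agent patterns are constructed placeholders;
real first-seen data and User-Agent lists come from feeds such as the ones the talk mentions.
"""
from datetime import datetime, timedelta
import re

# Constructed first-seen table keyed by registered domain (a real source would be a
# newly-observed-domain feed or your own passive DNS history).
FIRST_SEEN = {
    "example.com": datetime(2010, 1, 1),
    "example.net": datetime(2019, 3, 15),
    "totally-new-site.example": datetime(2019, 6, 5),
}
NOD_WINDOW = timedelta(days=7)  # the talk suggests 7 or 30 days

# Constructed placeholder patterns; these are not real tool User-Agent strings.
SUSPICIOUS_UA_PATTERNS = [
    re.compile(r"^placeholder-c2-agent/", re.IGNORECASE),
    re.compile(r"\bExampleOffensiveTool\b", re.IGNORECASE),
]

# Constructed log lines: timestamp, client IP, destination host, quoted User-Agent.
LOG_LINES = [
    '2019-06-08T10:00:01 10.0.0.5 www.example.com "Mozilla/5.0 (Windows NT 10.0; Win64; x64)"',
    '2019-06-08T10:00:02 10.0.0.7 totally-new-site.example "Mozilla/5.0 (Windows NT 10.0; Win64; x64)"',
    '2019-06-08T10:00:03 10.0.0.9 updates.example.net "placeholder-c2-agent/1.0"',
    '2019-06-08T10:00:04 10.0.0.9 never-seen.example "Mozilla/5.0"',
    'garbage line that does not parse',
]

LINE_RE = re.compile(r'^(\S+) (\S+) (\S+) "([^"]*)"$')


def parse_line(line):
    """Return a dict for a well-formed line, or None so a bad line is skipped rather than fatal."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts, client, host, ua = m.groups()
    return {"ts": datetime.fromisoformat(ts), "client": client, "host": host, "ua": ua}


def registered_domain(host):
    """Collapse a hostname to its last two labels (a real deployment would use the public suffix list)."""
    parts = host.lower().rstrip(".").split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host.lower()


def is_newly_observed(host, when, first_seen=FIRST_SEEN, window=NOD_WINDOW):
    """True if the registered domain was first seen less than `window` ago, or was never seen at all."""
    seen = first_seen.get(registered_domain(host))
    if seen is None:
        return True
    return when - seen < window


def suspicious_ua(ua):
    return any(p.search(ua) for p in SUSPICIOUS_UA_PATTERNS)


def triage(lines):
    """Return (client, host, reasons) for every line that trips at least one check."""
    findings = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        reasons = []
        if is_newly_observed(rec["host"], rec["ts"]):
            reasons.append("newly-observed-domain")
        if suspicious_ua(rec["ua"]):
            reasons.append("suspicious-user-agent")
        if reasons:
            findings.append((rec["client"], rec["host"], reasons))
    return findings


if __name__ == "__main__":
    for client, host, reasons in triage(LOG_LINES):
        print(f"{client} -> {host}: {', '.join(reasons)}")
```

A domain that is absent from the first-seen table is treated as new on purpose: the point of the check is to surface what the organisation has never talked to, and the output is meant to be reviewed for business justification before anything is blocked, which matches the speaker's "monitor first" advice.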
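The STIG passage above says the benchmarks are XML files that are hard to read by eye and that you want to compare your own settings against them rather than go line by line (as PowerStig does for Microsoft content). As an added example, not code from the talk, DISA or the PowerStig project, this parses a constructed XCCDF-style fragment and evaluates three settings against an observed snapshot. The XCCDF 1.1 namespace is the one DISA benchmarks use; every rule id, title, check text and the observed values are placeholders I constructed.

```python
"""Added example: read a STIG-style XCCDF benchmark and compare a few settings to observed values."""
import xml.etree.ElementTree as ET

# Namespace used by XCCDF 1.1 benchmarks such as the DISA STIGs (assumed; confirm against your file's root element).
XCCDF_NS = "http://checklists.nist.gov/xccdf/1.1"
NS = {"x": XCCDF_NS}

# Constructed, heavily shortened fragment following the Benchmark > Group > Rule layout.
# Every id, title and check text is a placeholder, not a real STIG identifier.
SAMPLE_XCCDF = f"""<Benchmark xmlns="{XCCDF_NS}" id="Example_Windows_Benchmark">
  <title>Constructed example benchmark</title>
  <Group id="V-EXAMPLE-1">
    <title>LAN Manager hash</title>
    <Rule id="SV-EXAMPLE-1_rule" severity="high" weight="10.0">
      <title>The system must be configured to prevent the storage of the LAN Manager hash of passwords.</title>
      <check system="C-EXAMPLE"><check-content>NoLMHash must equal 1.</check-content></check>
    </Rule>
  </Group>
  <Group id="V-EXAMPLE-2">
    <title>Account lockout threshold</title>
    <Rule id="SV-EXAMPLE-2_rule" severity="medium" weight="10.0">
      <title>The account lockout threshold must be 3 or fewer invalid attempts, but not 0.</title>
      <check system="C-EXAMPLE"><check-content>LockoutBadCount must be 1 to 3.</check-content></check>
    </Rule>
  </Group>
  <Group id="V-EXAMPLE-3">
    <title>Password history</title>
    <Rule id="SV-EXAMPLE-3_rule" severity="medium" weight="10.0">
      <title>The password history must be configured to 10 passwords remembered or more.</title>
      <check system="C-EXAMPLE"><check-content>PasswordHistorySize must be 10 or greater.</check-content></check>
    </Rule>
  </Group>
</Benchmark>
"""

SEVERITY_ORDER = {"high": 0, "medium": 1, "low": 2}


def load_rules(xml_text):
    """Flatten every Rule into a dict with id, severity, title and check text, highest severity first."""
    root = ET.fromstring(xml_text)
    rules = []
    for rule in root.iterfind(".//x:Rule", NS):
        rules.append({
            "id": rule.get("id"),
            "severity": rule.get("severity", "unknown"),
            "title": rule.findtext("x:title", default="", namespaces=NS).strip(),
            "check": rule.findtext("x:check/x:check-content", default="", namespaces=NS).strip(),
        })
    # Sort is stable, so rules of equal severity keep their document order.
    rules.sort(key=lambda r: SEVERITY_ORDER.get(r["severity"], 99))
    return rules


# Constructed mapping from rule id to (setting name, compliance predicate). In practice this
# comes from the check text or from a module such as PowerStig. Note the lockout edge case:
# a threshold of 0 means "never lock out", so "3 or fewer" must not accept it.
EXPECTED = {
    "SV-EXAMPLE-1_rule": ("NoLMHash", lambda v: v == 1),
    "SV-EXAMPLE-2_rule": ("LockoutBadCount", lambda v: 1 <= v <= 3),
    "SV-EXAMPLE-3_rule": ("PasswordHistorySize", lambda v: v >= 10),
}

# Constructed snapshot of one host's settings (what you would collect from the registry or secedit).
OBSERVED = {"NoLMHash": 1, "LockoutBadCount": 0, "PasswordHistorySize": 24}


def evaluate(rules, observed, expected=EXPECTED):
    """Return rule id -> 'pass', 'fail', 'missing' (setting not collected) or 'not-checked'."""
    results = {}
    for r in rules:
        if r["id"] not in expected:
            results[r["id"]] = "not-checked"
            continue
        name, ok = expected[r["id"]]
        if name not in observed:
            results[r["id"]] = "missing"
        else:
            results[r["id"]] = "pass" if ok(observed[name]) else "fail"
    return results


if __name__ == "__main__":
    rules = load_rules(SAMPLE_XCCDF)
    for r in rules:
        print(f'{r["id"]} [{r["severity"]}] {r["title"]}')
    print(evaluate(rules, OBSERVED))
```

Reporting "missing" separately from "fail" matters when you run this across a fleet: a setting that was never collected is a gap in your audit, not a finding against the host, and the two need different follow-up.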

Dual core, Core i5, and something went wrong. Guess we're not gonna get it today. Try it one more time. I fixed it, so I'm gonna let that run for a second. I might be blocked on a guest network, I guess we'll find out. I think I am, yep.

Well, I think I've been denied on all of them. Network is no fun. All right, well, they're pretty simple. I'll actually throw in some screenshots of this then, before I upload them, let you guys see that in action. So I highly doubt theHarvester is gonna work.

Please be in command history... hey, cool. So this is it, basically theHarvester, and I'm saying go query for google.com, only return 50 items, and search...

Hi folks on geekier, unfortunately we had one of the capture devices freeze up and we have no audio for the rest of this particular presentation. Sorry for the inconvenience.