In one word... brilliant. We may see this often in different videos, but you are on another level of skill when it comes to explaining things with great clarity and humility, as you always give credit to others.
I'm struggling to understand the reasoning behind editing all the settings on the victim machine just to deploy into a local admin shell. If you have access to edit those kinds of settings (regedit), wouldn't you have admin on the victim already? Maybe I'm just getting confused by some setup for the demo 🤷♂
Quick question: How would the breadcrumbs look if you used remote psexec to execute psexec on the target system to add another layer to things. Would that add any obfuscation to things?
Since the attacker knows the name of the target machine, the attacker can simply rename their hostname to the victim's hostname or to another machine on the network. 🤷 Even if they didn't bother to do this, the name by itself doesn't seem very useful for forensics, especially if it is a generic name. The important thing, however, is that the connection was logged with a timestamp.
At no point in the video are there reliable timestamps for an investigation. For each and every one mentioned, the logs can be cleared or the artifact can be removed entirely. If you don't have log redundancy, none of this is reliable.
Hey John and you guys in the comments section, wanted to learn cybersecurity but I can't really follow John's videos as I am a beginner, where do I start?
Interesting video, but very superficial. Not only do you have to be in the local subnet and modify the firewall rules, but you also need to modify registry settings and have local admin credentials. This is at best a training exercise to find the psexec artifact. Also, the most basic anti-forensic method for prefetch is to simply `rm -r -force "C:\Windows\Prefetch\*.pf"`, and VSS alongside it while you're at it…
Using psexec in a pentest is the same level of noob as using ncat lol. Plus, you're creating a new service when you could just use an existing non-running service to elevate privileges. Right?
moral of the story, when running the red team, just set the hostname of your attacking machine to the target's. It may confuse blue team for a while
this is the best pro tip i've ever heard in my life
Thanks for the shoutout! 🙏
I'm a Huge fan!!! Love you!!
@PANDACRAFTS1 ❤
Thanks for the shoutout John. Great video!
Who hacked "whom" ?
Ryan used me as an object!!
Think I used another version, 25 yrs ago when I was young and careless.
We did also use it to remove the logs when done :)
Ah the old PsExec.. One of my favorites over the last 20 years.
Dang..... I never realized psexec remote was over SMB -.-
Time for class with John. Yayyy
thanks for the great effort
What stops an attacker from using a PsExec version below 2.30 so the key file isn't written?
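Several comments above turn on the same three artifacts: the `PSEXEC-<hostname>-<random>.key` file that newer PsExec builds drop into `C:\Windows` (and the point that the hostname inside it is whatever the attacker's box calls itself), the `PSEXESVC` service install, and the Prefetch entry that an attacker can wipe wholesale. The triage routine below is an added example, not code from the video or from any commenter; it runs over constructed directory listings and System-log events (dicts with the `EventID`, `ServiceName` and `ImagePath` fields of a 7045 event) so it works offline, and on a live host you would feed it `os.listdir()` output and an exported event log. The key-file regex assumes the `PSEXEC-<host>-<random>.key` naming; the empty-Prefetch heuristic is an assumption about what a wholesale `*.pf` deletion looks like.

```python
"""Triage of PsExec remote-execution artifacts on a Windows host.

Added example (not from the video or the comments). Inputs are constructed
so it runs offline; swap in os.listdir() and an event-log export for real use.
"""
from __future__ import annotations

import re
from dataclasses import dataclass
from typing import Iterable, Optional

# PsExec >= 2.30 drops C:\Windows\PSEXEC-<source hostname>-<random>.key.
# Hostnames may contain hyphens, so the host group is greedy and the last
# hyphen-separated group is taken as the random suffix.
KEY_FILE_RE = re.compile(r"^PSEXEC-(?P<host>.+)-(?P<rand>[A-Za-z0-9]+)\.key$", re.IGNORECASE)
# Prefetch entry for the service binary PsExec copies into ADMIN$ (C:\Windows).
PREFETCH_RE = re.compile(r"^PSEXESVC\.EXE-[0-9A-F]{8}\.pf$", re.IGNORECASE)
SVC_BINARY_RE = re.compile(r"PSEXESVC\.exe$", re.IGNORECASE)


@dataclass(frozen=True)
class Finding:
    kind: str  # key_file | service_binary | prefetch | service_install | prefetch_wiped
    detail: str
    source_host: Optional[str] = None  # only set for key_file


def triage(windows_dir: Iterable[str], prefetch_dir: Iterable[str],
           system_events: Iterable[dict]) -> list[Finding]:
    """Return every PsExec indicator found in the supplied listings and events."""
    findings: list[Finding] = []

    for name in windows_dir:
        m = KEY_FILE_RE.match(name)
        if m:
            # The hostname is whatever the *source* machine calls itself; an
            # attacker can rename their host, so treat it as a lead, not proof.
            findings.append(Finding("key_file", name, source_host=m.group("host")))
        elif SVC_BINARY_RE.search(name):
            findings.append(Finding("service_binary", name))

    pf_names = list(prefetch_dir)
    for name in pf_names:
        if PREFETCH_RE.match(name):
            findings.append(Finding("prefetch", name))

    saw_service_install = False
    for ev in system_events:
        if ev.get("EventID") != 7045:  # "A service was installed in the system"
            continue
        # PsExec -r renames the service, so match the image path as well as the name.
        if (ev.get("ServiceName", "").upper() == "PSEXESVC"
                or SVC_BINARY_RE.search(ev.get("ImagePath", ""))):
            saw_service_install = True
            findings.append(Finding("service_install",
                                    f"{ev.get('ServiceName')} -> {ev.get('ImagePath')}"))

    # Anti-forensics heuristic (assumption): a 7045 for the PsExec service with
    # no .pf files at all is what a wholesale Prefetch deletion leaves behind.
    if saw_service_install and not any(n.lower().endswith(".pf") for n in pf_names):
        findings.append(Finding("prefetch_wiped", "7045 for PSEXESVC but no .pf files present"))

    return findings


def source_hosts(findings: Iterable[Finding]) -> set[str]:
    """Distinct source hostnames recovered from key files."""
    return {f.source_host for f in findings if f.kind == "key_file" and f.source_host}


# Constructed sample data (not captured from a real host).
SAMPLE_WINDOWS_DIR = ["explorer.exe", "PSEXESVC.exe", "PSEXEC-ATTACKER-PC-Xk3Jd8Qw.key"]
SAMPLE_PREFETCH_DIR = ["NOTEPAD.EXE-D8414F97.pf", "PSEXESVC.EXE-A1B2C3D4.pf"]
SAMPLE_SYSTEM_EVENTS = [
    {"EventID": 7045, "ServiceName": "Spooler", "ImagePath": r"C:\Windows\System32\spoolsv.exe"},
    {"EventID": 7045, "ServiceName": "PSEXESVC", "ImagePath": r"%SystemRoot%\PSEXESVC.exe"},
]

if __name__ == "__main__":
    for f in triage(SAMPLE_WINDOWS_DIR, SAMPLE_PREFETCH_DIR, SAMPLE_SYSTEM_EVENTS):
        print(f"{f.kind:16} {f.detail}" + (f"  (source host: {f.source_host})" if f.source_host else ""))
```

Because the service name is attacker-controlled (`-r`) and the hostname in the key file is too, the service-install match keys on the image path and the recovered hostname is reported as a lead to correlate against the SMB session that delivered the binary rather than as an answer on its own.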
Yay, some forensics!
New to the cybersecurity world what video should I start with 😂 thanks for your help in advance
❤thanks John
Good video. thanks
I really like this wrap Thanks for sharing
Bro give my cat some fish
The blue team doesn't get covered a lot; they are the team that gets covered less, since everyone wants to do red team.
Mark Russinovich does amazing stuff.
Why does your mic sound so muffled and weird this video?
Thank you, Mr Hammond. Great info.
Ty
ARE YOU FROM JURASSIC PARK?!
Collins, Robin, Jeff, Brandy, Fallon, etc. hacked me and my family.
Do you breathe while recording? 😝
He does. I just cut the breaths out. :P
yo
I seem to be 4th.
Hi
Mhh. I seem to be first.