
[Music] Hey everybody, I'm Jake. Nice to meet you all. Thank you for coming out today to "Protect Your Most Sensitive Users With This One Weird Trick." As I said, my name is Jake. This is not an appropriate slide for this type of talk; this is more what we're going to be talking about. [Applause] So I have to apologize for several things up front. Number one, the colors. Number two, there will be some motion. There's no, like, flashing; there will be a lot of motion, so if that bothers you, please, uh, you know, I don't know, I'm sorry. Thirdly, I am going to gloss over a lot of technical details in this, because this is a presentation, this is
not a white paper JY. Um, yeah, and there will be a section towards the end that is really, really code heavy, so if that's not your thing, just be aware of that. I'm going to try and fly through it as quickly as possible, but there is going to be a lot of code on screen, and I'm going to try to explain what I can, but we'll see where we go.

All right, so today we will be talking about the Protected Users group in Active Directory. I got a groan out of the audience already. So you may be asking, why would I want to present a whole-ass talk about a single group in
Active Directory? Well, I'd like to maybe show you why. So, show of hands in the crowd, please, if you work with Active Directory, whether that's operations, administration, defense, or offense. Okay, we got one, we got some. Okay, keep your hands up for a second. All right, if you have heard of the Protected Users group before that slide, go ahead and keep your hands up; everybody else, put your hands down. Okay, all right, now with the people with their hands up, how many of you actually use this group? Yeah, we got Rob. Thanks to me. Thank you, buddy. So this is why I want to talk
about this group, right? So what we're going to talk about: first, it's going to be some basic background on what the group is. Then we're going to talk about the four different buckets of protection this provides to your most sensitive users, and those would be, um, enforcing really strong authentication, eliminating delegation, and then, uh, eliminating cached credentials across the network, and lastly shortening session length for these sensitive users. I'm going to show some examples, some quick Mermaid diagrams showing what happens before and after these protections are put in place, and then we'll discuss why so few folks have actually heard of and/or used this group. And then lastly I'm going to
present a methodology that should help you all get those most sensitive users into this super important group.

So first off, though, we got to do the thing. So I'm Jake Hildreth. I am a husband, a father, a recovering sysadmin. That's my daughter Kate, my wife Carrie. Uh, I grew up, uh, I started working help desk in 2000 and then moved through sysadmin, network admin, etc., and then joined up with Trimark about two and a half years ago. So at Trimark I am a senior security consultant. I lead our Active Directory security assessment team, so I am assisting others with their assessments, making sure that the service
stays up to date, writing and improving tools that help other assessors do their jobs better, communicate findings better, analyze data better, whatever that may be. And, uh, speaking of tools, I also dabble in open source development, so if you've heard of Locksmith, that's me; if you've heard of BlueTuxedo, that's me and Jim. Um, yeah, open source is awesome. I think information wants to be free as much as it possibly can, so try to do that. And then last but not least, co-host of the Trimark Twitch happy hour, Fridays at 2m. If you want to be a guest, please just get a hold of me. We love having people of all ranges on. We got an old
school hacker there, we got a speed dresser, we got some new faces like, uh, Devin Kerr, we've got some hidden faces like Jack Reider, and then sometimes when I'm not there my face still shows up. So yeah, all right, let's get into it. I've talked about me enough.

Tiny bit of background info: what is the Protected Users group? It's a group. It's just a freaking group that shows up in Active Directory after you promote a domain controller to Server 2012 R2 and make that a primary domain controller emulator. And just so you know, that is, uh, I asked ChatGPT, give me a very cute picture of an Active Directory group. I thought I did okay.
There's going to be a lot of ChatGPT pictures in here. So as I mentioned, Windows Server 2012 R2 is required. There's a set of protections that are, like, device based, and there's a set of protections that are domain controller based. In order to get those device-based protections, you need to have that domain controller put in the primary domain controller emulator role. If you want full protections, your domain functional level, which is basically "all of our domain controllers are here and higher, can support these protections," etc., needs to be 2012 R2 or higher. So that's what that is. Now, the protections that I talked about, they are not
configurable. It's a set of protections; you cannot work around these. They are set in stone, with the exception of the administrator, uh, default domain administrator. Jim. And here it is. I mean, this is the group. I like the way that I first came across it: I was cleaning up AD after, uh, you know, functional level improvement, and I'm like, what's this guy? Poked around a little bit. I'm like, okay, we're doing this.

What does it do? First off, talked about strong authentication. What does that mean? Sure you all have heard of LM and NTLM if you're in this talk. It eliminates those. If a member, or sorry, if a user is a member of
these groups, they cannot use those weaker authentication methods. They can't even use the weaker versions of Kerberos authentication, so if there's a DES-encrypted Kerberos auth or RC4-encrypted Kerberos, gone. AES 128 or GTFO. Second, delegation. Delegation is impersonation. It is the process where a server, a service, a process can impersonate you when contacting something else. I don't know about you, but my AD admins should not be impersonated. Eliminates those cached creds. So Windows auth is messy; stuff gets left all over the place. You log into a machine, there's stuff left behind. Add somebody to the Protected Users group, that doesn't happen anymore. And then lastly, it shortens that session length. So by default, uh,
Kerberos, uh, has a default 10-hour session that then can get auto-renewed up to seven days in length. This, by adding a member to the Protected Users group, shortens that session length to four hours, non-renewable. Four hours, full stop, the end.

So who? I already mentioned this once, but who are those most sensitive users? Well, I work in AD, so it's going to be your AD admins, right? And there we are talking about the default domain Administrators group, the Domain Admins, the Enterprise Admins. Schema Admins can go in there. Ah, Jim, thank you, should go in there. Also, you shouldn't have any schema admins unless you absolutely need them, so, uh, different conversation. Please come to the booth
and talk; we will tell you why. Um, yeah, so 0 admins and any groups nested within those. Please don't nest groups within your AD admins. I have an article on the Trimark Hub talking all about why that's bad.

So now we get into the good stuff, the examples of what these protections actually do when they are in place. So we'll go through this again. CD Kerberos over there, you know, uh, we want Kerberos to be as strong as possible and we want to get rid of NTLM and LM and all the other BS that's out there. So this is how an attacker could abuse NTLM before an AD admin is added to the Protected Users
group. An attacker somehow tricks an admin into connecting to a share that they own and are running something like Responder, right? If that is an IP-based, uh, share, Windows will immediately degrade down from Kerberos authentication and go to NTLM authentication. NTLM authentication is basically a chunk of data gets sent from the admin workstation to the controller PC, and then, as you can see on the right side there, oh wait, I have a laser. I have a new pointer, so I don't know where the laser is, but, oh no, oh no, I'm red-green color blind, I can't even see it, so never mind, it's [Laughter] fine. So on the right side then, okay, the
attacker gathers that NTLM hash, sends it off to the domain controller, and now the domain controller accepts that that was an AD admin connecting to it. It's not true, but that's where we are. Afterwards: so number one, that AD admin could not connect successfully to an IP-based share, because Kerberos just would fail. Remember, we are enforcing strong authentication only, Kerberos 128 or higher. So number one, initial attack is not going to work. Number two, the AD admin connects to that attacker-controlled PC, the attacker can gather Kerberos stuff. There are some attacks; I mean, it's not impossible to attack that, it's just a heck of a lot harder, and
really that's kind of all what security is, right? Just making things a little bit harder, and so that's what we're doing here. Um, yeah, this is probably the biggest impact to using the Protected Users group, just eliminating that weak authentication.

Now impersonation. I touched on it several times yesterday: delegation is impersonation. What delegation is, is a user connects to a server, says, hey, can you go get data from this other server? And that, you know, server one goes to server two and says, hey, you know, can I have data on behalf of this other guy? Yeah, here you go, it's fine. Again, AD admins, super important in
your environment, right? I don't want anyone impersonating those folks. So this is what it looks like in reality, maybe. Okay, we've got Dave. Dave is an AD admin, and, trying again with the laser, it's not, no, it's not going to work. Common flow, right? Admin, uh, connects to a web server. Web server asks the SQL Server, may I have Dave's confidential data? The SQL Server smartly checks with the domain controller and says, is this web server even allowed to do this? And if they are not a member of the Protected Users group, the domain controller responds and says, of course, you know, this web server is allowed to delegate, I see no protections against Dave being,
you know, being impersonated, here you go. And then SQL Server hands back the data that was requested, web server hands it back to the, uh, to ad0 admin Dave, and Dave is happy, uh, despite just performing an incredibly risky maneuver. Afterwards, maybe, there we go. So same flow at the beginning, right? May I have the confidential data? Yes, of course you may. No, but instead, may I have Dave's confidential data? Again SQL Server checks: can I imperson, is the web server allowed to impersonate Dave? This time around, wait, the web server is allowed to do impersonation, but Dave is protected against this. They are in the Protected Users group, and so, yeah, despite what Dave told you,
man, like, I'm not, I can't, I can't do it for you. And then the web server responds, and I am sorry for the very long lead-up for a HAL 9000 [Laughter] joke.

All right, as we mentioned earlier, you know, you connect to a machine, your credentials are going to be left behind unless you are a protected user. There's other protections that could be in place, Credential Guard helps, etc., etc., but in general we don't want our AD admins connecting to anything other than a domain controller or a privileged access workstation. It's too much of a risk to connect to these other devices. So thankfully the Protected Users group exists, because people are still going to
do that. We were in a call with Microsoft a year ago, somewhere around there, and I brought up the Protected Users group, because I am a one-trick pony, and, you know, how do we get this out there, how do we get more people using it, etc., etc., etc. And they're like, we don't know, we don't understand. I'm like, you're Microsoft, you've got marketing dollars, we could make this happen. Um, and they said, you know, it really is kind of like the best thing that you can do. Unless you are doing every other thing exactly perfectly, the Protected Users group will really help you, right? Tell me, out there, how many of you know that you are doing
everything exactly perfectly in your Active Directory environment? And if you say that, please come to me afterwards and we will have a chat. Yes. So this one is pretty straightforward. AD admin connects to a user workstation, they log off, some of those credentials are left behind. Some, uh, very elite hacking, AKA phishing, takes place, and now that attacker can gather those credentials for use in other places. Simple, straightforward, etc. Afterwards: all right, AD admin connects again. After they log off, because they are members of the Protected Users group, those cached credentials no longer exist on the machine. Elite hacking takes place again, but there are no credentials to steal at this point, so can't easily
laterally move. But guess what, they're going to attack something else anyway, because ultimately, no matter how secure your AD admin castle is, like, really, it's not a CTF. People aren't trying to get domain admin for domain admin to be cool. They want to get that data, they want to sell that data, they want to extort you, they want to encrypt you, etc. So please, Protected Users is great, it's going to add some protections, right, but you're not done.

And lastly, shortening session length. I mean, I don't know why I created a diagram for this, because it's pretty straightforward, but seven days is a long time for an attacker to
be playing in your environment. Four hours, less time, still a lot of time, don't get me wrong. What's the shortest, uh, compromise we've seen? 20 minutes, something like that, from less, from compromise to full ransomware. Yeah. So yeah, four hours is good, is better, but not the be-all end-all. So that being said, if you have been proactive and you have taken steps to actually shorten that ticket time length even further past four hours, that will take effect. Your users will hate you for that, and that is why I hated the Protected Users group when I first put it in place. And so, yeah. Oh, after, yeah, four hours, we get
it, it's fine. Gary, yes, you get prompted again. It actually, like, you try to connect to a new resource and it pops you up. Anytime you try to connect to a new resource, it'll pop up a login at that point. Does that make sense? You'd have a, right, exactly, yeah. Yeah, it's not a boom, you're gone; it's a, okay, we need to make sure you are who you are. You will still maintain local computer access, which, if they've gotten onto your PAW, you've got different issues anyway. So, um, yeah. So of all of those, like, you know, how much is it going to cost? It's free. This is built into Windows. It's been
here, uh, checking my watch here, uh, 10 years. 10 years, okay, 10 years. And I will not lie, I've seen about 200, 250 environments since starting to work at Trimark. Of those, less than 5% have fully implemented the Protected Users group, and I'm talking super mature environments to really immature environments. Nobody uses this freaking thing. So we ask, why don't you use this, right? Well, it does have some limitations that can get in the way of some existing administration behaviors, but if I was going to put it in another way, what it's preventing are those riskiest behaviors that you need to eliminate anyway. So anytime I hear somebody say, well, it broke this workflow,
I'm like, you probably shouldn't have been doing that workflow to begin with, guys. So, common things that we run up to. Number one, I'm sorry for the dumb pun, but, A, I'm a dad, as previously explained. Number two, when I was demoing these, uh, these slides for Brandon on the Trimark team and this came up, and he lost it. He's like, dude, dude, legacy, I get it. I was like, oh sh, it wasn't intended, but okay, cool. So you all have to suffer too. Um, all right, so legacy applications. What am I talking about, like, with this? It's not exactly legacy, but yes, legacy old stuff is probably going to have hardcoded weak
authentication involved, but some not-so-old stuff also has that. vSphere, you heard of it? Yeah, they don't support members being in Protected Users group. I'm curious if this is an intentional thing or if it's just hard, because really I don't want my AD admins to be administering my VMware infrastructure anyway. Have you heard of an identity nexus? A guy I work for talked about it yesterday, how it's all tied together, right? You compromise VMware, you compromise AD; you compromise AD, you compromise VMware; and then you pivot to Entra and then AWS, according to mutki over here, and like, we're just bouncing all over the place, right? So Veeam backup was one that got
brought up to us commonly: we could not use Veeam if we, uh, had members in the Protected Users group. They thankfully, as of I believe May of last year, now support full Kerberos authentication and membership in the Protected Users group. This weird one at the end here that I've mentioned is, uh, Entra ID Seamless Single Sign-On. You can't roll the account password for that. You have to be a member of global admin and domain admins and not a member of Protected Users group in order to rotate this password, and they want it rotated every 30 days. No. So those are some. Uh, Rob out here, uh, told me maybe Ivanti or Tivoli,
or, right, yeah. Oh, there's another one that, yeah, formerly Shavlik, uh, is another one. Is it hardcoded NTLM, or is it, uh, not sure? Okay, cool. But yeah, so there are some things out there that just don't support it, but again, I don't want my AD admins, the most crucial accounts in this entire environment, to be doing those things anyway. They should be doing AD administration exclusively. Come on, let's do this, girl. There we are. All right, uh, I talked about this earlier, but, um, Kerberos and IP addresses, uh, can be done, but it requires additional configuration and it's a little brittle and whatnot. So when, uh, a user connects to
something via IP address and needs to authenticate with Active Directory, it's going to default down to NTLM, and as we've described, NTLM is insecure. How insecure? Let's talk about that. Um, earlier this week, Erica Zelic posted on twister, Twitter, not twister, oh man, that'd be a cool one, uh, about how she was able to capture the NTLM hash of a domain controller and, for $130 and 20 hours of time, was able to completely crack that NTLM hash. That means get the full plain text password for a domain controller, which is like 256 characters, is that, I'm always looking over here, these guys know stuff, I just repeat it. ChatGPT right here in my
brain. But yeah, so that's kind of why we're pushing these two. Like, it's not, NTLMv1 is, it is insecure, it should be considered nearly critical, and should be gotten rid of.

Remote desktop issues, always another common issue that pops up. And what we're talking about here: Network Level Authentication is required once you become a member of the Protected Users group, and a lot of people disabled that back in the day because it caused weirdness. Fix your weirdness, let's get you more secure, right? Um, also, very old devices don't even support it to begin with, so let's work to get those very old devices off of your network as well.
I understand it, or sorry, OT and ICS networks are a different world; we'll talk. All right, why? Additionally, non-Windows devices. I am a Mac user. I love my Mac. At my old job my Mac was my daily driver, and then I would connect to other Windows devices. I added Protected Users group to my admin account and suddenly could not do that, and, uh, I was very sad. I understand it. I don't like it. I understand it. Microsoft, on a Microsoft device, controls end to end the entire process, right? So it's one of the times that I like a walled garden, is here, and the Apple App Store, as much as
they do wrong, but I do like it. Sorry. Uh, required delegation. It's going to break required delegation. Why are your AD admins being delegated to begin with? Again, we keep going back to this: it's a risky behavior, stop it. AD admins only administer AD and they only log into PAWs and domain controllers. The end. Uh, yeah, they should not be SharePoint admins and whatever's going on. Um, and then there are some limitations, and you're going to hear me repeat something else again. Uh, number one, uh, our RID 500 account is what we call it, but basically the default domain administrator account when you stand up a domain, it does not get the full set of
protections from the Protected Users group, so there are some other protections you can assign, and we'll talk about those in a second. Um, additionally, because of the way computer accounts and, uh, service accounts just work, Microsoft is strictly against adding service accounts and computer accounts into, uh, the Protected Users group. So we have seen an occasional service account make it in. I'm like, how's that work? They're like, I'm like, do you actually need that service account in AD admins? And they're like, well, probably not. And there's where we are. Service accounts and computers should not be AD admins to begin with. Again, it's Protected Users group, not protected computers, not protected service accounts. We want users in there
only.

So now we get into a little bit of the, hey, I am right on time, just like I thought I would be, sweet. This is the code section; we're going to talk about code. Uh, I am trying to give a high-level overview of what the code is doing in most locations, but this is going to be a lot of code. Across the bottom of every slide there will be a link to, uh, my GitHub, where each of these snippets is an individual, uh, PS1 script, and so you can run this for yourself. All right, PS1. All right, who's a PowerShell fan bigger than me? Oh, think, oh man. All right, all
right, have you gotten a tattoo of it yet? I haven't either, but just curious, just curious. Uh, so yeah, PowerShell 5 we're talking about. So you can open your ISE if you're old school or your VS Code if you're cool, um, load the Active Directory PowerShell module, and then, in a single-domain forest, you can be a domain admin; in a multi-domain forest, you want to be an enterprise admin, because we're going to be logging into each of your domain controllers to do stuff. Okay, and I would really like it if nobody else could log into your domain controllers, and if other people can, again, booth is right over there. All right, first thing we're going to do:
I talked about the forest functional level, right? Forest functional level means basically all of your domains in your forest are at this level or higher; they can support the schema for this specific forest, etc. We want you to be, you have to be, to get full protection, uh, in all of your domains, you want to be Server 2012 R2 or Server 2016. Uh, this environment that I'm testing in, uh, 2016 forest, because it was stood up, I think, June of last year. It sounds about right. Jim, when did you buy all your vmw
gear? And if your forest functional level is there, we can skip ahead like five slides. All the other stuff is like trying to get things set up to at least get you the bare minimum of what you need to get some of these protections in place. So if your forest functional level is not there, you can at least get your domains up; they can be moved up separately, right? Again, we want to see 2012 R2 or higher in order to get domain controller level protections. If your domain functional level is not 2012 R2 or higher, you can still get device-level-only protections. You need at least one Server
2012 R2 domain controller, and you need to, as I mentioned way long ago, promote that to a primary domain controller emulator role. Once you do that, that Protected Users group becomes available to lower, uh, lower-level domain controllers. Let me take, take it, okay, hold on. Um, if you are still running older than 2012 R2, come, no, no, no, don't even come see me at the booth, just, just fix it, just get it done. It's a domain controller, it's cattle, it's not cheap. You can stand up a new one and take the old ones down, it's fine. Um, yeah, uh, just finished up an assessment a couple months ago that were 2008 R2 servers everywhere, and
I, it, yes, very much so. If you're at 2012 R2, reminder though that support for that expired last year, so you are now running unsupported. Replace your domain controllers, please. Okay, so for whatever reason you don't have a domain controller at 2012 R2, but you used to, and it used to be the PDCe, there's a really small chance that you might have one that's hanging out. If you get to this point, though, really you're probably doing things wrong and you just need to take a couple steps back. All right, so one of the requirements that I've harped on a couple times here is Kerberos AES 128 or higher encryption, right? That was instituted in Server
2008. When you raised your domain functional level to 2008 or higher, the krbtgt account, which is the service account that signs every single Kerberos ticket that's going in your environment, that password gets changed to support AES. If you do not change AD passwords after that, they cannot support, they do not have an AES encryption, or their password cannot support AES encryption. So if you've got admins that are older than the krbtgt password, they should be changed. If they're older than a year, they should be changed. If krbtgt has a password older than six months, it probably should be changed. There's a thing here, uh: change your passwords. Like, I understand NIST 853 says we can get
rid of that. Not for ad0 admins, ever, please. All right, so, uh, yeah, quick talk about what we're doing here. Getting what your domains are in your environment, setting up the variables for it. Then we are going to grab the important SIDs, security identifiers, in the network. So we're going to grab your krbtgt account, because we're going to use that for comparison. We're grabbing all those domain, uh, sorry, AD admin groups, so again Schema Admins, Enterprise Admins, Domain Admins, and default domain Administrators groups. Then we're going to enumerate those recursively, because we regularly find groups that are nested within these groups, even though you shouldn't, etc., etc.
We recursively grab all those and collect a list of distinguished names of all of your AD admins. Then we're going to go ahead and enhance that data a little bit. We're going to add the domain that that user resides in, we're going to add a SAM account name, because reading distinguished names can be hard, and we are going to grab the password last set. And then ultimately that very last line across the bottom says, show me the domain, show me the SAM account name, and show me the password last set. Okay, this is what you get. Boom, sorted list by domain of when the password was set, and then you can see clearly in Blu tuxedo dangling espn.
LOL Jim, um, we, the krbtgt password is the oldest password in that domain. That means all the accounts afterwards are able to be added to the Protected Users group, except for the, uh, the service account and the computer that I put in there. Huh. Um, but however, we look at Bow Tie, a child domain, and the administrator account here is actually older than the krbtgt password, so in this instance we're going to go ahead and update those passwords. And again, if your AD admin password is older than a year, change it. I don't care, just change it, just change it.

All right, now that we have that in place, we now need to enable the logs to
actually check to see if these weaker authentication methods are being used. Um, logon auditing should be enabled, and if you don't have it enabled, we are right up there. Uh, what you can do, though, it is pretty simple: you can log into your domain controller and basically run this command at the top, set the log into success and failure, and you're done. You do need to do this on every domain controller. Would a GPO be easier? Yes, it would be. Let's talk a little bit later in this, uh, in this talk here. And then, this is not strictly required for getting users in, but once the Protected Users group shows up in
your environment, there are a bunch of Protected Users associated logs. You can go ahead and enable those, so that way, when you start to add users, if you're getting failures, you can identify what the failure is. So we enable those logs for going forward. How am I doing on time here? Yeah, okay, cool.

All right, now is where we get down to the nitty-gritty. Okay, we've enabled the logs; we're going to start looking to see where these weaker forms of authentication are being used. So over here on the right, uh, we've got an XPath filter. Whoever created XPath is a sadist. This is true. It is possibly the hardest querying language I've worked with so
far. Um, yeah, yeah, a lot of angry Mourns going on here. Then we used that filter and we basically checked the security log for NTLM-based logons. Okay, and this is what you get. We can see my domain admin account logged in insecurely. ghda pops up in red, right? I think that's red. Again, red-green color blind. I use the ISE color theme in VS Code to make, uh, Jim and Sean feel comfortable. So, um, yeah, back to that: if you see any of this, you are not ready. You need to go track, actually dig into the event logs, find the computer, the service, the service account, whatever that is causing NTLM. It may be a
specific application, it may be weird behaviors that your admins are doing, etc., etc. Track that down. This will probably be the hardest part of all of it, honestly, is tracking down NTLM usage. I mean, we go into detail in our reports about how to do it. It's not easy. It's the most time-consuming part. I promise you the juice is worth the squeeze. Then we start auditing, uh, Kerberos encryption types. Okay, like I said, uh, about a thousand times now, nothing below AES 128. So what you see over there on the right is a filter that says, if it is not 12, which means, uh, AES 256 only, or 11, which is AES 128 or 256, throw up an
alert. Uh, oh yeah, XPath is still sadistic, cool. And then we again look through the event log and find any identified problems, right? And there we are, J HDA yet again, uh, logged in insecurely, because domain admin, I do what I want. And lastly, the last thing we need to be auditing is where Kerberos delegation is being used. I remembered that I didn't include this slide last night, so I created it, and I don't remember the event IDs, and I was very tired, so that's what you get. Also, side note, every other cute thing that I've had in here, I asked ChatGPT, please give me a graphic of a very cute blah blah blah,
whatever it may be. This one, I said, please give me a very cute auditor, and it legit gave me, like, just a human lady, normal real-life lady. I'm like, d, yeah, whatever, it's fine.

All right, so we have audited everything, right? We are happy. We know that there's no insecure logging going, or insecure logons going on, there's no NTLM usage, there's no delegation, etc. Let's baby-step into Protected Users group, and the way that you can do that is, uh, oh, I have the wrong subtitle there. Um, the way that you can do that: there's a setting called "Account is sensitive and cannot be delegated." You can check that on any account that
is, uh, sensitive and should not be delegated. And that is a sensitive, uh, plant up there, by the way. Uh, jay van down here was the only one to recognize what that was, so super happy about that. Um, yeah, you can check this box, and then it's pretty easy to check or uncheck a box as you are testing, so do this first. Once you can get all your AD admins done there, it is then time to finally test with one, repeat after me, one, not two, not three, one user, please. Preferably somebody that can tolerate a little bit of weirdness. You all know who your admins are that can handle that. Add them, let them run for a month,
see what hurdles they press up against and when that happens let me know because I'm still collecting data about this I really want to kind of release a a list almost of these are the things these are the softwares these are the services that are going to break when you try this so yeah please let me know and then test test test test test test test and then when you're done with that test some more please again like I mentioned a while ago this is not configurable you cannot work around these what you can do is if you need for whatever reason to break this flow or you know to get around you can then remove the user from protected
users Rob informed me and I'm adding this into something soon is uh that he kind of looks at it as a just-in-time administration but in reverse you temporarily removed you add back after you're done um yeah and as I mentioned because the RID 500 default domain administrator account does not get full protections and you should be only using it as a break glass account anyway you can probably leave that out of the protected users group still mark it as sensitive still check that box that box is super important Daryl on our team uh did a whole talk at Wild West Hackin' Fest a couple years ago I think it or was it tech one of those one CH
one box means a lot right and that that box is important so that all sounds hard so I'm here to make your life easier later this year PowerPUG what we're going to do whoa too far coming to fall 2004 first we're going to make sure that those domain functional levels and forest functional levels are all up to date your dcl's are good get a check to make sure that the logs that you need to do this process are enabled and then start auditing for you run this on a regular basis check if you're getting insecure stuff that would break as soon as uh the protected users group is enabled once that is taken care of then
kind of slow roll the process of adding those users into the group and as mentioned yeah fall 2004 or 2024 not 2004 that'd be weird I I to have this released at either Blue Team Con Wild West Hackin' Fest Hackers Teaching Hackers one of those um and if I don't get accepted for any of those I'm just going to release it anyway this fall so please please come to my GitHub and you can grab it it'll be on the Trimarc GitHub etc uh but yeah I really want people to be using this and I think if we can just smooth smooth the process out right and just get rid of those little fears it'll really help out so um hey I'm good with
this thank you all seriously thank you all for coming out
like it it really means a lot to me that like other people care about this stuff a little bit and so hopefully I've shared some good information with you um I do want to do I I want to thank BSides Charm for having me out for a third year in a row um that the you all are always fantastic uh it's I always feel welcome etc it's always well-run so yeah thank you so much and uh thanks to the Trimarc crew uh we got Sean Metcalf who uh picked me out of a crowd and made me or allowed me to do cool stuff uh Daryl Baker which uh I'm not sure where Daryl is maybe oh he at
the booth you could talk to Daryl too um you know purple teamer extraordinaire and hype man hype man for days man uh Jim Sykora multi-dimensional brain over here that uh unlike anybody else if I have a question Jim some people say I'm a subject matter expert Jim is the subject matter expert that's who I go to so yeah and then uh relle relle since you've taken over running conferences they actually run super smoothly and I love it and you're awesome so thank you again I have all of my contact info at the bottom I'm most uh most active on LinkedIn surprisingly I made fun of LinkedIn in the last two years but um yeah it seems to be a decent platform
for me uh Mastodon if you want some absurdist humor and stuff but GitHub that's where I'm doing stuff Locksmith is still being regularly updated BlueTuxedo kind of fallen by the wayside I'm sorry Jim um and then the Trimarc Hub as I mentioned we've got blogs we've got presentations we've got uh I don't think we have any all of our tools have moved to the GitHub but we have a link there so and if you don't want to copy all those down you can scan the QR code I promise it's my link tree I promise you uh I I would be really bad if I just gave you a QR code and then you know
exactly who it's from so um yeah that that's it if you have any questions I am right up on my time right now so if you have any questions come to the booth we've got a lot of uh ad experts there and uh yeah I would love to love to chat love to talk to get to more get to know all of you more honestly so thanks so much [Applause]
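
The encryption-type audit described in the talk (alert when a Kerberos ticket's encryption type is anything other than 0x11 or 0x12), as an added example that is not from the talk or its slides. It assumes Security events 4768 and 4769 with their TicketEncryptionType field, exported as event XML; the transcript does not name the event IDs, and every account name and event below is constructed.

```python
import xml.etree.ElementTree as ET

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}
TICKET_EVENTS = {4768, 4769}   # assumed IDs: Kerberos TGT request / service ticket request
AES_ETYPES = {0x11, 0x12}      # AES128 and AES256 (cts-hmac-sha1-96)
FAILED_REQUEST = 0xFFFFFFFF    # etype placeholder logged on failed requests

def _event(eid, user, etype):
    """Build one constructed Security-log event in the Windows event XML layout."""
    return (f'<Event xmlns="{NS["e"]}"><System><EventID>{eid}</EventID></System>'
            f'<EventData><Data Name="TargetUserName">{user}</Data>'
            f'<Data Name="TicketEncryptionType">{etype}</Data></EventData></Event>')

# Constructed sample export: account names and values are invented for the demo.
SAMPLE = "<Events>" + "".join([
    _event(4768, "admin.alice", "0x12"),        # AES256: fine
    _event(4769, "admin.bob", "0x17"),          # RC4-HMAC: flag
    _event(4768, "svc.legacy", "0x3"),          # DES-CBC-MD5: flag
    _event(4769, "admin.carol", "0x00000011"),  # AES128, zero-padded: fine
    _event(4768, "admin.dave", "0xFFFFFFFF"),   # failed request: no ticket issued
    _event(4624, "admin.bob", "0x17"),          # not a Kerberos ticket event
]) + "</Events>"

def weak_etype_events(xml_text):
    """Return (event_id, account, etype) for tickets issued with a non-AES etype."""
    findings = []
    for ev in ET.fromstring(xml_text).iterfind("e:Event", NS):
        event_id = int(ev.findtext("e:System/e:EventID", namespaces=NS))
        if event_id not in TICKET_EVENTS:
            continue
        data = {d.get("Name"): (d.text or "").strip()
                for d in ev.iterfind("e:EventData/e:Data", NS)}
        try:
            etype = int(data["TicketEncryptionType"], 16)
        except (KeyError, ValueError):
            # Surface events we cannot parse instead of silently passing them.
            findings.append((event_id, data.get("TargetUserName", "?"), "unparsed"))
            continue
        if etype in AES_ETYPES or etype == FAILED_REQUEST:
            continue
        findings.append((event_id, data.get("TargetUserName", "?"), hex(etype)))
    return findings

if __name__ == "__main__":
    for finding in weak_etype_events(SAMPLE):
        print("ALERT non-AES Kerberos ticket:", finding)
```

Accounts that show up here would fail to authenticate once they are in the group, so each finding is something to fix before adding that user.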