
traveling, but this is the current state of Microsoft identity security: common security issues and misconfigurations. So, I am Sean Metcalf, founder and CTO of Trimarc. I'm a Microsoft Certified Master in Active Directory; there are about 100 in the world, most of whom work at Microsoft. I started a company called Trimarc. We have a booth, which is around the corner and down the street; look for the squishy. We are giving these away, so come on over and grab one if you haven't already. I've spoken at a lot of conferences. First time speaking at BSides Dublin; this is the second time I was accepted to speak at BSides Dublin, thank you, but this is my first

time actually being here and speaking. So people in the audience are like, "Well, what happened, Sean?" Well, when I was going to speak at BSides Dublin it was 2020. So I'm very happy to be a second-time speaker, but really a first-time speaker here, so thank you all for having me. I love speaking at conferences. Come by the Trimarc booth; I love chatting with folks about their challenges and concerns about Microsoft identity security.

So like I said, I have a lot to talk about. I'm going to talk about a number of things that we see as part of our security assessments, the Trimarc work that we do for customers, and how that ties to interesting things that have happened in the wild, like the MGM breach. I'm going to talk about Okta integration. Anyone here heard of Okta? I'm sure you probably use it. I'm not going to make you raise your hand, but there are some issues with that hybrid cloud configuration and what attackers can do with it.

So at The Experts Conference (TEC) a couple of years ago I spoke about what I call the identity nexus, and a nexus is just a connection of a couple of different elements. This identity nexus comes into play really well in technology because we have on-prem on the left side and cloud on the right side. I know that some people are thinking, "Sean,
it actually is Entra ID." And I tell you what, once Microsoft changes every reference from Azure to Entra ID, I will only call it Entra ID. But you'll see in the slides, in some places I call it Entra ID and Azure AD together. By the way, if you sign up for an Entra ID P1 license, it actually says Azure AD P1 as the license on the user, so don't blame me, blame Microsoft. But this looks very clean, right? At the top we have the directory services, at the bottom we have infrastructure, just simplified: VMware, Azure, right? Makes sense. The problem is that it's not that clean in real life. Real life is messy;

there's a lot of connectivity. So what I call the identity nexus is a situation where we have interconnectivity among everything, and it's gotten so complex that, you know, you add in Amazon AWS, another major cloud provider, and then we get into Active Directory, where we have common security issues. So I'm going to talk about that.

In 2019 I did a talk at The Experts Conference (TEC), and I put up this slide and I said this is the avenues to compromise of Active Directory in 2019. This is the problem that we have: Group Policy permissions, permissions in Active Directory, group nesting that just expands the number of admins that we have all over, accounts that are regular users that are admins, service accounts that are all domain admins because why not, it makes everything work, Kerberos delegation, password vaults like CyberArk, Secret Server, BeyondTrust. Now what we're doing is we're taking these credentials and putting them on this other server that, guess what, we treat like another server. We should be treating it like a domain controller, but we don't in many cases. And then the backups: the backup has all that critical, sensitive Active Directory user information in it, but we don't treat that the same way as a domain controller. So that was a number of years ago, five years if my math is right. So has it gotten

better? Let's take a look. Nope, it's the same problem. We have the same problem five years later. Well, hopefully this talk will help you do your job better and enable you to fix some of these things that we commonly see. So again, I'm going to show you some of the details here. Based on what I just said, in 2019 these were the things that I highlighted. It's a little better, not a whole lot, in 2024. So these red items here are still problems; we still see these all over the place. The ones in green are the ones that are much better; these are things that we don't
see as much of this as we have in the past but the the items in red are still pretty consistently bad across a lot of environments we do assessments of companies that are hundreds of users to up to a million or more we've actually assessed an environment with three million user accounts that was kind of crazy um they just never deleted any users and it was a portal environment so DM DMZ to to uh the world basically the portal for all of vendors and everyone else and never deleted and found so that was really fun uh but when we have ISS with act directory admin accounts we have admin accounts with old passwords we very often see accounts with
5-year-old passwords 10-year-old passwords passwords some passwords are 15 years old does anyone have a car that's 15 years old anymore probably not ah there we go one in the back all right all right there we go two three yeah yeah okay we're coming out of the woodwork now hopefully you don't raise your hand if I say do you have any administrative accounts in environment with a password that's 15 years old uh by the way the default domain administrator account that's one of the ones that typically never gets his password changed and it's enabled and it has rights by default uh we have accounts with keros service principal names in order for keros to work you
have to have a service account with a keros spin or service principal name that basically enables you to connect that application to that service that service count and tie that into act directory so that's needed but if you have accounts tied to people there should be no Ker spins associated with this service accounts also account usage where are these accounts logging on how are they interacting with the system are they using an admin workstation based what I've seen they're not um are you rping directly in the bank controller probably are using a pass Revolt approxi it maybe but we see this a lot we see accounts with old passwords that are these act directory ad administrative
accounts. These should change every year. Why do you think they should change every year? Well, people move on; you have admins that are there, then they move on. You have backups that are sitting out there for a while. We want to make sure that attackers don't have the ability to capture this. Now, in the US, NIST is one of the standard frameworks for security and for computer systems. One of the things that NIST, and Microsoft, actually said was you don't have to change passwords anymore, and then there was an asterisk. You know, it's like, by the way, there's more to that: yes, you don't have to change passwords anymore, provided that you have

some sort of password filter to prevent users from using bad passwords, because users never use bad passwords, and really you should have some sort of MFA, multi-factor authentication or two factors, associated with that account. If you do that, then you're in pretty good shape. But we still feel at Trimarc that you should be changing your Active Directory admin account passwords every year or two, really depending on what other controls you have in place; again, it's adjustable. Because password spraying is a situation where an attacker can take a list of passwords and then attempt to authenticate as every one of the users in the organization, in the environment, and if there are any

pentesters or red teamers in here, you know that that works all the time; you're going to find accounts that you have guessed the password for. Kerberoasting is the ability to effectively get a Kerberos service ticket for a service account, again because it's tied to that application in Active Directory, and then take that service ticket offline and attempt to crack it. So that means the service accounts with ten-year-old passwords, the attackers are going to be able to crack those and figure them out, because they have time on their side. So there are a number of checks that you should be doing for these AD admin accounts, again looking for these old passwords. This PowerShell command line at
the bottom, or at the top here, this command Get-ADGroupMember, this will give you the membership of the Administrators group and all of the subgroups, the child members of that. We also have a free script here that will do a number of checks in the environment to look for the more common things that are in there.

So, improving AD admin account security. These are the key things that really everyone should be doing, and these are things that we don't see being done often enough in the environment: making sure that you're limiting the accounts that are in these privileged AD admin groups. Domain Admins should be

rarely used, if ever, which is kind of a weird thing to say given that that's the administrative group that everyone uses, but Domain Admins by default have full access and control to Active Directory, domain controllers, all workstations, all servers, everything in the environment. You can put those accounts into the Administrators group instead, and that will limit it and scope it just to Active Directory, the service, and be able to administer domain controllers. We want to make sure that the passwords change. You start with the approach that no service accounts have AD admin rights, and then you start asking questions: well, what rights do they require, what do they need these rights for, why are they here?
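To make the checks just described concrete, here is an added PowerShell example (not the free Trimarc script from the talk) that walks the privileged groups recursively and flags old passwords, SPNs on people's accounts, the built-in Administrator, stale accounts, and the delegation protections the talk covers later (the "sensitive" flag and Protected Users membership). It assumes the RSAT ActiveDirectory module, read access to the domain, and that the group list, thresholds and report path are tuned for your environment.

```powershell
# Added example, not the free Trimarc script mentioned in the talk. Assumes the RSAT
# ActiveDirectory module and read access to the domain; the group list, thresholds and
# output path are assumptions to tune for your environment.
Import-Module ActiveDirectory

$PrivilegedGroups   = 'Administrators', 'Domain Admins', 'Enterprise Admins', 'Schema Admins'
$MaxPasswordAgeDays = 365   # the talk's "change admin passwords every year" baseline
$StaleLogonDays     = 180   # assumed cut-off for "no longer in use"
$ReportPath         = '.\ad-admin-account-review.csv'

# Protected Users only exists once the domain has the 2012 R2 schema; handle its absence
$ProtectedUsers = Get-ADGroup -Filter "Name -eq 'Protected Users'"
$Now = Get-Date

$Findings = foreach ($GroupName in $PrivilegedGroups) {
    # Enterprise Admins / Schema Admins only exist in the forest root domain
    $Group = Get-ADGroup -Filter "Name -eq '$GroupName'"
    if (-not $Group) { continue }

    # -Recursive flattens nested groups, which is exactly how nesting inflates the admin count
    $Members = Get-ADGroupMember -Identity $Group -Recursive | Where-Object objectClass -eq 'user'
    foreach ($Member in $Members) {
        $User = Get-ADUser -Identity $Member.distinguishedName -Properties PasswordLastSet,
                    ServicePrincipalName, LastLogonDate, AccountNotDelegated, MemberOf

        $PasswordAge = if ($User.PasswordLastSet) { ($Now - $User.PasswordLastSet).Days } else { $null }
        $Issues = @()
        if ($null -eq $PasswordAge -or $PasswordAge -gt $MaxPasswordAgeDays) { $Issues += "PasswordAge:$PasswordAge" }
        if ($User.ServicePrincipalName.Count -gt 0) { $Issues += 'SPN on admin account (Kerberoastable)' }
        if ($User.SID.Value -like '*-500')          { $Issues += 'Built-in Administrator (RID 500)' }
        if ($User.Enabled -and $User.LastLogonDate -and ($Now - $User.LastLogonDate).Days -gt $StaleLogonDays) {
            $Issues += "NoLogonFor:$(($Now - $User.LastLogonDate).Days)d"
        }
        # Delegation protections: the "sensitive and cannot be delegated" flag and Protected Users
        if (-not $User.AccountNotDelegated) { $Issues += 'Not marked sensitive/cannot be delegated' }
        if ($ProtectedUsers -and $User.MemberOf -notcontains $ProtectedUsers.DistinguishedName) {
            $Issues += 'Not in Protected Users'
        }

        [pscustomobject]@{
            Group           = $GroupName
            SamAccountName  = $User.SamAccountName
            Enabled         = $User.Enabled
            PasswordAgeDays = $PasswordAge
            LastLogonDate   = $User.LastLogonDate
            Issues          = ($Issues -join '; ')
        }
    }
}

$Findings | Sort-Object Group, SamAccountName | Format-Table -AutoSize
$Findings | Export-Csv -Path $ReportPath -NoTypeInformation
```

An account that shows up under several groups appears once per group, which is useful for seeing where the nesting comes from.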
And then there are protections that you can do against Kerberos delegation attacks, which are very common now. The best thing to do is to add these accounts, these accounts associated with people, into the Protected Users group. Jake Hildreth from the Trimarc team recently did a talk, and the slides are available on hub.trimarcsecurity.com, talking about not just getting into the Protected Users group but actually here's the process on how to do it, here's how to phase it out, and he's going to be releasing a tool later this year that he's calling SuperPUG, because PUG, Protected Users Group, PUG, which will enable and provide the ability to step through this process, because that really

breaks the majority of the delegation attacks against AD administrators. Of course, making sure that any accounts associated with people don't have Kerberos SPNs on them, because they don't need them; that's for service accounts. And then get rid of those accounts that are no longer in use; find them too, far too often.

Kerberos delegation is this interesting thing where you have the user and they log into a web server, call it SharePoint, right? And when they log into this web server they're using their Kerberos ticket. Well, that web server can authenticate that user because of how Kerberos works, but the problem is that this backend SQL database server that SharePoint uses to store the data,
this web server can't do any updates on the database server as the user, by default in Kerberos, because this user is just authenticated to the web server. So enter delegation. Delegation means impersonation, so effectively delegation enables this web server to impersonate the user in order to make the changes on the database. This makes sense, because if you want to know who made changes in your database or who's accessing it, this is the way it has to work. The problem is that there are a number of attacks leveraging delegation. In 2015 I highlighted at a Black Hat talk how unconstrained delegation is incredibly dangerous, because the user's proof of identity, their TGT in Kerberos, is placed

in that server's memory when that happens. So if this web server is configured for unconstrained delegation, all this hacker needs to do is compromise this web server; you compromise every user that is authenticated to it through Kerberos, and then they'll be able to have access to the whole environment. This gets even worse if you're able to trick a domain admin, an Active Directory admin, into logging into that system using Kerberos. Everyone here probably has worked with a vulnerability scanner, right? I'm assuming at some point in your environment, no matter what the vendor is, when that vulnerability scanner hits a web server, or a server that's running unconstrained delegation, using Kerberos, what do you think

happens? That proof of identity for that vulnerability scan account ends up in memory on the server, and so now the attacker, if they're able to compromise that server, they compromise the entire environment. So it's really important to remove unconstrained delegation; move to constrained. Unconstrained delegation is what was available in Active Directory in the beginning, the early days, 2000, 2001, 2002, 2003. We shouldn't be using it anymore. There are a couple of very interesting corner cases where it's still required, but for the most part you should be able to get to constrained. Protect these accounts from delegation attacks, especially those that are highly privileged admin accounts, by setting that flag, "this account is sensitive and cannot be

delegated", then move on to also adding it to the Protected Users group, which protects the authentication controls and security around it, because once you're in the Protected Users group you can only authenticate using Kerberos AES; you cannot use Kerberos DES, you cannot use NTLM. Much, much more secure.

So we also see issues with custom permissions. I don't have time to go into all the different permissions that we've seen; come to the Trimarc booth, I'll be happy to tell you about some of the wacky things that we've seen, on the domain level, on the OU level. Group Policy, so this is a big one: we have often seen a Group Policy linked to Domain Controllers, the container for domain controllers, and
the Servers OU, because for a lot of folks that are server admins, a domain controller is a server; why wouldn't I have a Group Policy that applies to both? And then the server admins team actually can manage that Group Policy that applies to domain controllers and servers. For those who aren't as familiar with Active Directory, that's a bad thing, because if I can modify that Group Policy that links to the domain controllers, I can change the security of it, I can change the membership of the Administrators group, I can run and install code on that domain controller, because that's how Group Policy works; it's basically an engine to make changes to that

system. And then, as I'm saying, basically Full Control or Modify on the permissions provides the ability to make changes to that Group Policy. The other thing that we look at is user rights assignments. These are very interesting, because these control who has what rights on that system, but also to Active Directory itself when these Group Policies apply to the domain controllers. And then there are a number of concerning configurations that we look for as well in assessments. So on the domain controllers there's a bunch of things that shouldn't be done. First of all, the Print Spooler service should not be running on a domain controller at all, again, ever. A number of years ago the
folks from SpecterOps did a presentation at DerbyCon, and they talked about this PrinterBug, which is basically a combination of a Print Spooler situation they identified on a domain controller and unconstrained delegation. They basically could trick the domain controller into providing its credentials through unconstrained delegation to another server, because of this issue with the Print Spooler service: effectively you could set up a notify and have it send to whatever server you wanted to, using whatever authentication method you wanted to, so use Kerberos. What I just talked about with unconstrained delegation happens, where the domain controller's computer account Kerberos ticket gets put on that server. Since then there's been a number of

research efforts around this, where the Print Spooler service is just too dangerous. We rate that as a critical when we do assessments, so make sure the Print Spooler service is not running on domain controllers; you can disable that through Group Policy very easily. A number of problems with event auditing: by default it doesn't use the advanced auditing that came about in the 2008 time frame. There are 53 categories with advanced auditing, and there were only eight or nine before that, so a lot more granular alerts for detecting potentially malicious activity. User rights assignments on DCs, as I mentioned, the ability, the controls, the additional options in administration and

permissions and rights on that. Installed applications and agents: we see some crazy ones, I'll talk about that in a minute. Old versions of VMware Tools: just about every domain controller now is virtualized, whether it's on-prem or in the cloud. That cloud environment or that virtual environment has control over that domain controller through the agent that it has on it, whether it's an Amazon agent or it's a VMware agent. We often find old versions of these. Insecure remote access tools: anyone remember VNC? Anyone think that's secure? No, it's completely unencrypted, and not only that, but the password had a default and the password would go across in clear text, so really,
really bad situation with that. So we have found VNC on a DC in the past year or two. And then it's still running Windows Server 2012 or older.

So when I talk about user rights assignments, this is what I'm talking about. Add workstations to the domain: things like KrbRelayUp leverage the ability to add workstations to the domain, which is a default right for all users. We can't do that anymore; we can't allow users to be able to do that. The ability to log on locally and log on through Terminal Services. The ability to debug programs: this is something that anyone who knows Mimikatz, privilege::debug, you're familiar with that. It,

yeah, basically what that does is provides that session within Mimikatz. The debug programs right basically gives you developer rights to that system, which enables you to pull out the credentials from LSASS and interact with the system at a much deeper level. By default Administrators are there; no one needs that right, so you can remove that. Developers will say they need it; they don't. Enable computer and user accounts to be trusted for delegation: I was just talking about how dangerous delegation can be. By default it would be like Domain Admins or Administrators; I have seen this set for another group, that

means they can create delegation, or set up delegation, in the environment. That is very dangerous; that should not be configured that way. Only your AD admins should manage that. Load and unload device drivers: you can compromise DCs with that right. Manage auditing and security log: for some reason Exchange still needs it, but hopefully you're not using on-prem Exchange; once you get rid of on-prem Exchange you should remove Exchange from having that right, because that provides the ability to clear those security logs. And then the last one is pretty interesting: take ownership of files and objects. So in Windows, when you create something, you are the creator owner; you have owner

rights on that. Same thing in Active Directory: when you create something, you have owner rights on it. Owner rights enable you to actually change the permissions on it, and so this gets really interesting, because if you have the ability to take ownership of an object in Active Directory, you can change the permissions on it. Very, very dangerous.

And finally on this, the not-on-domain-controllers application list. This is a list of things that we've seen; these should not be on domain controllers, certainly not these: Firefox, Chrome, or Brave, which I've seen recently. If you are using your domain controller as a web browser, please don't do that; that's dangerous, because there's this thing
called web attacks, and you go to websites, and even just adware and stuff like that will install things. And the other thing is web browsers aren't always the most secure products and software in the world, so yeah, don't do that. And SQL is a bad idea, AD FS, Azure AD Connect, and of course things like VNC; don't do that either. But we've also seen some fairly typical agents on domain controllers. VMware Tools: this is the current version, I looked this up a couple of days ago, it's 12.4.0. We've seen version 8; version 8 is probably about six or seven years old. That's a problem. And I don't know

if most people in the room have been keeping up with it, but VMware has had a lot of security issues over the past few years, VMware Tools notwithstanding. So anything older than 10.1.0 is vulnerable to a significant security issue through something called the VIX API. The VIX API provided unauthenticated access through VMware into that actual VM, and we did a proof of concept for a customer because we identified this. Their Active Directory environment was pretty good; it was one of the best we've ever seen. We had minimal issues that we identified. They had VMware, and at the time we had one of our VMware subject

matter experts working on this engagement, because we knew that their AD environment would be pretty good. Well, we also knew that they had a pretty large VMware farm, so as part of the consulting engagement we did some VMware work with them, and we showed them how we could actually run code on the domain controller, unauthenticated all the way through, using the VIX API. So this is very dangerous; make sure you have a newer version. EDR is a remote access tool. Okay, we've heard of a RAT; an EDR is the remote access tool that the good folks use, the bad folks use the RAT. They work the same; it's basically running code on another system remotely through an agent.
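As an added example (not the talk's material), the following PowerShell collects the domain controller facts the talk just walked through, Print Spooler state, VNC services, installed browsers, VMware Tools version, OS age and silent audit subcategories, from every DC over WinRM and turns them into findings. It assumes the RSAT ActiveDirectory module, admin rights on the DCs, and that the version and OS thresholds shown fit your estate.

```powershell
# Added example, not from the talk. Assumes the RSAT ActiveDirectory module, WinRM access
# to every DC with admin rights, and that the version/OS thresholds below fit your estate.
Import-Module ActiveDirectory

$DCs            = (Get-ADDomainController -Filter *).HostName
$MinVMwareTools = [version]'10.1.0'      # older builds carry the VIX API issue the talk describes
$OldOSPattern   = '2003|2008|2012'       # "Windows Server 2012 or older"; assumed pattern

# Runs on each DC and returns raw facts; the risk decisions are made centrally below
$Collect = {
    $Uninstall = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
                 'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
    $Apps    = Get-ItemProperty -Path $Uninstall -ErrorAction SilentlyContinue | Where-Object DisplayName
    $Spooler = Get-Service -Name Spooler -ErrorAction SilentlyContinue
    # auditpol /r emits CSV; "No Auditing" on a subcategory means nothing is recorded for it
    $Audit   = auditpol /get /category:* /r | Where-Object { $_ } | ConvertFrom-Csv
    [pscustomobject]@{
        OS             = (Get-CimInstance Win32_OperatingSystem).Caption
        SpoolerRunning = [bool]($Spooler -and $Spooler.Status -eq 'Running')
        VNCServices    = (Get-Service | Where-Object { $_.Name -match 'vnc' -or $_.DisplayName -match 'vnc' }).Name -join ','
        VMwareTools    = ($Apps | Where-Object DisplayName -eq 'VMware Tools' | Select-Object -First 1).DisplayVersion
        Browsers       = ($Apps | Where-Object { $_.DisplayName -match 'Firefox|Chrome|Brave' }).DisplayName -join ','
        AuditSilent    = @($Audit | Where-Object { $_.'Inclusion Setting' -eq 'No Auditing' }).Count
        AuditTotal     = @($Audit).Count
    }
}

$Report = foreach ($Facts in Invoke-Command -ComputerName $DCs -ScriptBlock $Collect -ErrorAction Continue) {
    $Issues = @()
    if ($Facts.SpoolerRunning)          { $Issues += 'Print Spooler running (disable via GPO)' }
    if ($Facts.VNCServices)             { $Issues += "VNC service: $($Facts.VNCServices)" }
    if ($Facts.Browsers)                { $Issues += "Browser installed: $($Facts.Browsers)" }
    if ($Facts.OS -match $OldOSPattern) { $Issues += "Unsupported OS: $($Facts.OS)" }
    if ($Facts.VMwareTools -and [version]$Facts.VMwareTools -lt $MinVMwareTools) {
        $Issues += "VMware Tools $($Facts.VMwareTools) is older than $MinVMwareTools"
    }
    # Compare the silent count against your own audit baseline; some subcategories are off by design
    if ($Facts.AuditSilent -gt 0) { $Issues += "$($Facts.AuditSilent)/$($Facts.AuditTotal) audit subcategories off" }

    [pscustomobject]@{
        DC     = $Facts.PSComputerName
        OS     = $Facts.OS
        Issues = ($Issues -join '; ')
    }
}
$Report | Format-Table -AutoSize -Wrap
```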
SCCM: we see this less and less, thankfully, the management of it, but basically what we really want to see, and Microsoft says, is to make sure your patching system for the domain controllers is separate and different from the rest of your environment. Domain controllers should be Tier 0; they should be protected at the highest level. And then Splunk Universal Forwarder default install, at least when I looked at this a few years ago, had the ability to run code, so just be aware of that as well. Only run supported versions of Windows on your domain controllers; these are the most important servers on your network. We did an assessment recently,

and all of the DCs were running 2019 except six, and they were running 2012. Critical. Sorry, it's 2012; let's see, it's 2024 now, 2012: 12 years old. Okay, we should not be running a 12-year-old operating system. Anyone have a 12-year-old car? Not those folks that already said they had a 15-year-old car. Yeah, we shouldn't be doing that anymore. And so I'm not going to go through this slide; this is kind of the capture of what we should be doing with domain controller security. You care about your Active Directory security, you should be caring about your domain controller security, because the domain controllers are your security for Active
Directory.

And so ADCS, this is Microsoft PKI. Unfortunately, apparently there's a problem with a tool where you can go next, next, finish, and it's PKI. PKI is complex, right? We can't boil that down to next, next, finish. So I'm going to go through these slides fairly quickly. There are a number of things and problems with it. We have released a tool for free on our GitHub called Locksmith, and it goes through and not only identifies the issues with ADCS but will also provide fixes; it generates the certutil code and command to actually run and fix these. The first one is ADCS auditing. So this is the default here, and

let's see if anyone can notice the difference between what the default is and what the recommended one is. Yeah, for some reason Microsoft thought it would be great to just not set up any auditing on this at all, so that's a problem. Also the certificate templates often have issues because of the way they're configured. Basically there is a configuration to allow a person to say, oh, by the way, I want the subject of the certificate to be domain controllers. We shouldn't be able to do that either. That's basically me going onto the plane and writing "pilot" on my boarding pass and then going into the cockpit and sitting down and

being like, "Hey, we're going to be boarding, but first we need to let more people on, because we're going to open up that airplane door again and we're going to leave the gate and go back again." That's a callback to an earlier thing where I think there were 20 people in the room, so those 20 folks got the show. Oh, and the bottom: we found this, at least one certificate that matches this description, in 95% of the environments we assess. What does this mean? ADCS is vulnerable in every environment; run Locksmith. This weird thing here, EDITF_ATTRIBUTESUBJECTALTNAME2, basically it allows you to say who

you want the cert to be for. It's very similar to what I just talked about: so I can say I want to be a domain admin, so I'll be a domain admin. And then Microsoft says don't do that, but they allow you to do it, and there are a lot of environments where it's configured. And then the HTTP endpoints: really, get rid of NTLM, make sure it's HTTPS, get these things fixed and cleaned up. Like I said, the Trimarc GitHub, Locksmith, great tool; it will go through and identify things, really will help you solve this. You don't have to look at any slides, just run Locksmith, honestly, because all the things I talk about are there.
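A hand-rolled subset of the template and CA checks the talk hands off to Locksmith, as an added example that is neither Locksmith nor the talk's slides: it finds published templates where the requester supplies the subject, the certificate can be used to log on, nobody has to approve the request, and a broad group can enroll, and then reads the CA audit filter and the EDITF flag with certutil. It assumes the RSAT ActiveDirectory module (for the AD: drive) and certutil with network access to each CA.

```powershell
# Added example: a hand-rolled subset of what Locksmith checks, not Locksmith itself.
# Assumes the RSAT ActiveDirectory module (for the AD: drive) and certutil with network
# access to each CA for the CA-level checks.
Import-Module ActiveDirectory

$ConfigNC    = (Get-ADRootDSE).configurationNamingContext
$PKIServices = "CN=Public Key Services,CN=Services,$ConfigNC"

# Schema constants: the subject-supplied flag the talk describes, manager approval,
# EKUs that let a certificate be used to log on, and the Enroll extended right
$ENROLLEE_SUPPLIES_SUBJECT = 0x1            # msPKI-Certificate-Name-Flag
$PEND_ALL_REQUESTS         = 0x2            # msPKI-Enrollment-Flag
$LogonEKUs = '1.3.6.1.5.5.7.3.2',           # Client Authentication
             '1.3.6.1.4.1.311.20.2.2',      # Smart Card Logon
             '1.3.6.1.5.2.3.4',             # PKINIT Client Authentication
             '2.5.29.37.0'                  # Any Purpose
$EnrollRight     = [guid]'0e10c968-78fb-11d2-90d4-00c04f79dc55'
$BroadPrincipals = 'Authenticated Users|Domain Users|Domain Computers|Everyone'

# A template is only requestable if a CA publishes it
$CAs = Get-ADObject -SearchBase "CN=Enrollment Services,$PKIServices" `
           -Filter 'objectClass -eq "pKIEnrollmentService"' -Properties certificateTemplates, dNSHostName
$Published = @($CAs | ForEach-Object { $_.certificateTemplates })

$Templates = Get-ADObject -SearchBase "CN=Certificate Templates,$PKIServices" `
           -Filter 'objectClass -eq "pKICertificateTemplate"' `
           -Properties 'msPKI-Certificate-Name-Flag', 'msPKI-Enrollment-Flag', 'msPKI-RA-Signature', 'pKIExtendedKeyUsage'

$TemplateFindings = foreach ($T in $Templates) {
    $EKUs = @($T.pKIExtendedKeyUsage | Where-Object { $_ })
    $SubjectSupplied = ([int]$T.'msPKI-Certificate-Name-Flag' -band $ENROLLEE_SUPPLIES_SUBJECT) -ne 0
    $UsableForLogon  = ($EKUs.Count -eq 0) -or (@($EKUs | Where-Object { $LogonEKUs -contains $_ }).Count -gt 0)
    $NoApproval      = (([int]$T.'msPKI-Enrollment-Flag' -band $PEND_ALL_REQUESTS) -eq 0) -and ([int]$T.'msPKI-RA-Signature' -eq 0)

    # Who can enroll: the Enroll right (or full control) granted to a broad group
    $BroadEnroll = @((Get-Acl -Path "AD:\$($T.DistinguishedName)").Access |
        Where-Object { $_.AccessControlType -eq 'Allow' -and $_.IdentityReference.Value -match $BroadPrincipals -and
                       ($_.ObjectType -eq $EnrollRight -or $_.ActiveDirectoryRights -match 'GenericAll') } |
        ForEach-Object { $_.IdentityReference.Value })

    [pscustomobject]@{
        Template        = $T.Name
        Published       = $Published -contains $T.Name
        SubjectSupplied = $SubjectSupplied
        UsableForLogon  = $UsableForLogon
        NoApproval      = $NoApproval
        BroadEnroll     = ($BroadEnroll -join ';')
        # The "write 'pilot' on your own boarding pass" case from the talk
        Risky           = ($Published -contains $T.Name) -and $SubjectSupplied -and $UsableForLogon -and $NoApproval -and ($BroadEnroll.Count -gt 0)
    }
}
$TemplateFindings | Where-Object Risky | Format-Table -AutoSize

# CA-level settings: audit filter (0 = nothing audited, 127 = everything) and the EDITF flag that
# lets the requester pick the SAN. certutil prints flag names, so a string match is enough.
$CAFindings = foreach ($CA in $CAs) {
    $Config  = "$($CA.dNSHostName)\$($CA.Name)"
    $Audit   = certutil -config $Config -getreg CA\AuditFilter 2>&1 | Select-String 'AuditFilter REG_DWORD'
    $SanFlag = certutil -config $Config -getreg policy\EditFlags 2>&1 | Select-String 'EDITF_ATTRIBUTESUBJECTALTNAME2'
    [pscustomobject]@{
        CA          = $Config
        AuditFilter = if ($Audit) { ($Audit.Line -replace '.*=\s*', '') } else { 'not set (0)' }
        SanFlagSet  = [bool]$SanFlag
    }
}
$CAFindings | Format-Table -AutoSize
# Fixes of the kind Locksmith generates (then restart certsvc for the audit change to apply):
#   certutil -config "<CAHost>\<CAName>" -setreg CA\AuditFilter 127
#   certutil -config "<CAHost>\<CAName>" -setreg policy\EditFlags -EDITF_ATTRIBUTESUBJECTALTNAME2
```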
And as I said, it identified here that auditing is not enabled; it's set to zero. Run this certutil command and it'll set it all, and then restart the service for you, so then auditing is working.

So let's move on to the cloud. See, I told you, Entra ID, I did it. We see a lot of issues with configurations. The common issues are privileged account issues: standard user accounts are members of privileged roles; service accounts, service principals, are members; these generic-type accounts; accounts can authenticate from any workstation, because how do we manage the cloud? In the web browser, probably the same web browser
we're using for Facebook, Instagram, I'm not going to mention one of the others because they're a sponsor, but all these other sites that are like social media sites are there in our web browser. And how does authentication work in the web browser? We use our username, password, hopefully we use MFA, hopefully we do, but then we get a cookie. We get that session token that's stored as a cookie, and there's a way in a web browser to interact and steal cookies from there. So that means if I can steal that cookie and that session token, I can move it over to another web browser and continue as the admin for a

period of time. Using PIM, Privileged Identity Management, where you can actually go in and out, we can control it so that people are eligible for a role but they're not a member of that role group the whole time. And no MFA configured. Applications that are highly privileged. Group nesting is back in the cloud because it was so popular on-prem. And then partner access, delegated access permissions: basically Microsoft set it up so that if you have a cloud service provider, you could actually give them the ability to manage your tenant. Sometimes you didn't realize they could manage your tenant and have Global Admin rights, because that part of the

portal was buried. Microsoft has now moved it up to one of the top-level pages, so you can actually click on it. "We fixed the expires now!" If you work at Microsoft, you'll be getting the follow-up for the second one. Great, thank you, appreciate it, thank you, Microsoft. "And that's it for me; we didn't fix something else, but we fixed stuff. Thank you, Dublin, good night."

So here's what we see: standard user accounts, firstname.lastname, these are very common, and all the ones here are standard user accounts and they are permanent, permanently active members. That's a problem. Like I said, they are permanent members, and I'm just using the portal here so you can see
this in the Microsoft portal. I got these screenshots several months ago, so it's probably changed, so please bear with me. And then we can use PowerShell, the Graph API, to pull information about who's registered for different things. So this guy, Sean at Big Mega Corp, apparently is using Microsoft Authenticator passwordless, that's great: registered for MFA, is MFA capable, that's good, passwordless capable. But all these standard user accounts don't have MFA; that's a problem. And there are 100 Entra ID roles; I double-checked this a few weeks ago, there are 100 Entra ID roles. It is almost impossible to know what these are and what they're for. I've gone through them, so I had some time on

my hands, and these are the ones that Microsoft says are privileged, with a tag of "privileged", and the great thing is Microsoft shows the permissions, why they're tagged as privileged. My only concern about this is we have Global Administrator, which is the highest, most privileged role group of all of them, and right next to that we have Global Reader, which is the lowest of all the privileged ones, because it can just read everything. Now, I understand why, because Global Reader can read a lot of things that are sensitive, like BitLocker; however, I don't put them on the same level. So here, as of 4/22, there are 26 of these roles. So at Trimarc we wanted to

make this easier for our customers and for the community, so what we did was we broke these down into what we call levels. Levels are similar to tiers, but Microsoft calls them tiers, so we call them levels. So level zero is similar to Tier 0: this is basically Global Administrator and Hybrid Identity Administrator, which has the ability to modify federation settings, and this link here will talk about why that's dangerous. You can modify federation settings, you can control authentication to the environment. Partner Tier2 Support, which is something that my friend Andy over at SpecterOps published a number of months ago: Partner Tier2 Support can reset passwords and invalidate refresh tokens for all non-administrators and administrators, including Global Admins, so that's kind of dangerous. Partner Tier2 is not supposed to be used; I don't know when it was supposed to be used, but it's also hidden from the main role list, so it's one of those things where you have to really dig in to find it. Privileged Authentication Administrator: Microsoft says do not use, but people use it, and here we have the ability to reset passwords. Privileged Role Administrator can manage role assignments, including Global Administrator, so very obviously Tier 0, level zero, right? Well, we continue with level one. I'm not going to go through all of these; again, the slides will be published. So you can see here
that there are a number of them, and Microsoft actually, most of the ones that Microsoft says are privileged we have here; we have added a couple of additional ones, and the ones in bold that I have here are actually ones that could be considered really level zero depending on the configuration of the environment. So Application Administrator, Cloud Application Administrator, Directory Synchronization Accounts: they have the ability to modify application permissions, and in the case of Directory Synchronization they can update credentials on service principals. So if I can modify an application, so for example Application Administrator, Cloud Application Administrator, probably the big two, if I can modify or add a credential to an application, I can

impersonate that application. I can add a password to that application by having that role, and I'll talk about why that's serious. I have added Exchange Administrator to what we call level one. Why? Because I have worked breaches where the attacker compromised an Exchange admin and basically then set Authenticated Users to have read mail rights on every mailbox in the environment. That is, like, forever persistence for all the mail ever, because that is almost never going to be identified and found. That's what you can do when you have Exchange Admin rights, so we consider this level one. Partner Tier1 Support also has the ability to update application credentials. So these are

the ones really you should focus on the most, right? Spend your time on level zero, then look at level one. And Microsoft has a chart, but I like Andy's better, so it's here, and it talks about who can change what password if they're in what role. It's very confusing, but Andy put a great chart together; it's linked at the bottom.

And group nesting is back. So Microsoft realized, and customer feedback: well, we want to have groups that we can put in these roles; we don't want to have direct members in Global Administrator, because that seems too simple, so what we want to do is we have a group. So Microsoft said, okay, we'll

create this thing called a role-assignable group, because we learned our lesson from Active Directory a bit, and we're not going to make it so that admins can make changes to this group. We're going to make sure that this role-assignable group can only be created by the Global Administrator and the, I just blanked on it, it's this one here, the Privileged Role Administrator, thank you, slides. They are the only ones that can create the role-assignable groups and can modify the membership, except if you have a certain application permission, and if you are an owner of that role-assignable group, then you can manage the membership. So this is where things get a little

bit interesting. So we have a number of Global Admins here, and we have this role-assignable group. The thing I hate about the portal is you would think I could click into this and see who the members are. You cannot; you then have to go into the Groups pane in there and then search for that group in order to see who the members are. That doesn't seem easier to me. And so then we go to the Groups in order to look this up, and then we can see that we have a bunch of user accounts. This is probably the most common scenario that we see in assessments, where we have a role-assignable group that's in a role and
then people have not done a good job of managing who's in it. We also have owners, users that have been added in there, and they can control the membership of that. This is the global admins' role-assignable group that has Global Admin rights. These users can change the membership of this group and effectively add people into Global Admins. That seems like a problem to me.

Just like we did Level 0 for roles, we also do that for applications. These are the application permissions that we consider tier zero. If you have applications that have any of these permissions at your tenant level, now your Application Administrator and your Cloud Application Administrator should be considered Level 0 roles, because they have the ability to add credentials to the applications that have these rights. Directory.ReadWrite.All: Microsoft says that this is effectively a Global Admin level permission. I did put in an asterisk because there is some conversation on the internet about what they can really do and whether it is really that powerful; I'm going to go with what Microsoft said and stick with that. AppRoleAssignment.ReadWrite.All: this allows an application to grant additional privileges to itself, other applications, or any other user. That's a problem. RoleManagement.ReadWrite.Directory, managing directory roles, these are just all very bad; anything with this is going to be problematic. You can review these with the PowerShell script at the bottom; we'll get into that. But application owners again have the ability to add a credential to that application.

So during the SolarWinds times there was a cloud breach of a major security company and they couldn't figure out how, but basically they figured out that there was a partner that had rights to that environment. We can look at that by going to delegated admin partners, and like I said, if it says Global Admin, that's a problem. If you see any partners here, that's a problem; you want to check into that and see why they have those rights
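The two reviews described above, ranking role assignments by level (with Application Administrator and Cloud Application Administrator promoted to Level 0 when any application holds a tier-zero permission) and flagging owners of role-assignable groups that sit in privileged roles, written out as one check. This is an added example, not Trimarc's tooling or the PowerShell script the slides link; the tenant snapshot it runs on is constructed, and its shape is a simplified stand-in for the role assignment, group and service principal objects a real review would pull from Microsoft Graph.

```python
"""Privileged-access review for an Entra ID tenant, using the Level 0 /
Level 1 scheme from the talk.

Added example, not Trimarc's tooling or the talk's PowerShell script. The
tenant data below is a constructed, simplified stand-in for what Microsoft
Graph returns (role assignments, groups with owners/members, and the
application permissions granted to service principals); a real review
would pull those objects from Graph and feed them to review().
"""

# Roles the talk places at Level 0 (the Tier Zero equivalent).
LEVEL0_ROLES = {
    "Global Administrator",
    "Hybrid Identity Administrator",
    "Partner Tier2 Support",
    "Privileged Authentication Administrator",
    "Privileged Role Administrator",
}

# Level 1 roles named in the talk.
LEVEL1_ROLES = {
    "Application Administrator",
    "Cloud Application Administrator",
    "Directory Synchronization Accounts",
    "Exchange Administrator",
    "Partner Tier1 Support",
}

# The "bold" Level 1 roles: they can add credentials to applications, so
# they become Level 0 as soon as any application holds a tier-zero permission.
CONDITIONAL_LEVEL0_ROLES = {"Application Administrator", "Cloud Application Administrator"}

# Application permissions the talk treats as tier zero.
TIER0_APP_PERMISSIONS = {
    "Directory.ReadWrite.All",
    "AppRoleAssignment.ReadWrite.All",
    "RoleManagement.ReadWrite.Directory",
}


def tier0_apps(service_principals):
    """Return {app display name: set of tier-zero permissions it holds}."""
    hits = {}
    for sp in service_principals:
        bad = TIER0_APP_PERMISSIONS & set(sp["appRoles"])
        if bad:
            hits[sp["displayName"]] = bad
    return hits


def classify_role(role, tenant_has_tier0_app):
    """Level for a role name, or None if the talk does not rank it."""
    if role in LEVEL0_ROLES:
        return "Level 0"
    if role in CONDITIONAL_LEVEL0_ROLES and tenant_has_tier0_app:
        return "Level 0"
    if role in LEVEL1_ROLES:
        return "Level 1"
    return None


def review(tenant):
    """Return a list of (level, finding) tuples for the tenant snapshot."""
    findings = []
    apps = tier0_apps(tenant["service_principals"])
    for name, perms in apps.items():
        findings.append(("Level 0", f"application '{name}' holds {sorted(perms)}; "
                                    "anyone who can add a credential to it gets these rights"))
    for ra in tenant["role_assignments"]:
        level = classify_role(ra["role"], bool(apps))
        if level is None:
            continue
        if ra["principalType"] == "group":
            grp = tenant["groups"][ra["principalId"]]
            # Owners of a role-assignable group can change its membership,
            # which is the same as handing out the role itself.
            for owner in grp.get("owners", []):
                findings.append((level, f"'{owner}' owns group '{grp['displayName']}' "
                                        f"which holds {ra['role']}"))
            findings.append((level, f"group '{grp['displayName']}' holds {ra['role']} "
                                    f"with {len(grp['members'])} members"))
        else:
            findings.append((level, f"'{ra['principalId']}' holds {ra['role']} directly"))
    return findings


# Constructed sample tenant (not real data).
SAMPLE_TENANT = {
    "service_principals": [
        {"displayName": "HR Sync", "appRoles": ["User.Read.All"]},
        {"displayName": "Legacy Automation",
         "appRoles": ["Mail.Read", "Directory.ReadWrite.All"]},
    ],
    "groups": {
        "grp-ga": {"displayName": "GA Admins", "isAssignableToRole": True,
                   "members": ["alice", "bob", "carol"], "owners": ["dave"]},
    },
    "role_assignments": [
        {"role": "Global Administrator", "principalType": "group", "principalId": "grp-ga"},
        {"role": "Application Administrator", "principalType": "user", "principalId": "erin"},
        {"role": "Exchange Administrator", "principalType": "user", "principalId": "frank"},
        {"role": "Partner Tier2 Support", "principalType": "user", "principalId": "svc-partner"},
        {"role": "Global Reader", "principalType": "user", "principalId": "grace"},
    ],
}

if __name__ == "__main__":
    for level, text in sorted(review(SAMPLE_TENANT)):
        print(f"[{level}] {text}")
```

In the sample, the presence of Legacy Automation with Directory.ReadWrite.All is what turns erin's Application Administrator assignment into a Level 0 finding, and dave is reported because owning the GA Admins group lets him add members to Global Administrator without holding the role himself.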
and remove them if possible. Even better is to move to granular delegated admin privileges.

So Microsoft had a big issue where there was a signing key for their consumer cloud environment that had been lost; it had been acquired. What ended up happening, according to Microsoft, was that a China-based threat group gained access to the signing key, which enabled them to then create whatever tokens they wanted in order to access the consumer side of the Microsoft cloud. However, there were a number of problems with this, and I'm not going to read through this; I'm going to show you the picture, because I like pictures, then you can read the details later. Here's the picture. Basically there was a crash dump in that environment that went to crash dump analysis in a production environment which connected to the internet. They believe Storm-0558 gained access to that, and then what they did was they created their own token and used it to then connect to Exchange Online to basically pull email from it. The reason why this was possible was because of a comedy of errors. The comedy of errors was that basically there was no validation on the enterprise side to ensure that consumer keys couldn't be used. And so CISA did the scathing report of this situation: basically a cascade of failures on Microsoft's side, and 22 enterprise organizations as well as 503 related personal accounts worldwide were affected by this situation. The worst part about it was that the logs were not accessible without premium service, so CISA said, Microsoft, you need to change this, because basically from what CISA, the Cybersecurity and Infrastructure Security Agency of the federal government in the United States, said, Microsoft was prioritizing profits over security. Microsoft has since come out and said we're changing this.

So Midnight Blizzard basically is a threat group in Russia, and they were the ones that had compromised portions of Microsoft's email system because of a situation where there was a test tenant with an account that shouldn't have had any rights but actually had rights into the Microsoft environment. That's a problem. What's interesting is Microsoft has some information about password spraying: that account, that test account, that test tenant, was password sprayed and had no MFA configured on it. So your big takeaway here is to ensure MFA is there. Hold on a second.
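Going back to the Storm-0558 point above, that the enterprise side never checked that a consumer key couldn't validate an enterprise token, here is that check in code. This is an added example and not Microsoft's token validation; the issuers, key ids, keys and audience are constructed, and HMAC-SHA256 stands in for the RSA keys a real identity provider publishes so that it runs on the standard library alone. The point it isolates is that key lookup must be scoped by the token's claimed issuer, not done against every key the provider has ever published.

```python
"""Issuer-scoped signing-key lookup, the check the talk says was missing on
the enterprise side during the Storm-0558 incident.

Added example, not Microsoft's code. Keys, issuers and audience are
constructed; HMAC-SHA256 stands in for the RSA keys a real identity
provider publishes so the example needs only the standard library.
"""
import base64
import hashlib
import hmac
import json
import secrets
import time

# Two independent key sets: one for the consumer identity service, one for
# the enterprise (tenant) identity service. Constructed for the example.
CONSUMER_KEYS = {"msa-key-1": secrets.token_bytes(32)}
ENTERPRISE_KEYS = {"aad-key-1": secrets.token_bytes(32)}

CONSUMER_ISSUER = "https://login.consumer.example"
ENTERPRISE_ISSUER = "https://login.enterprise.example/contoso"
KEYSET_FOR_ISSUER = {CONSUMER_ISSUER: CONSUMER_KEYS, ENTERPRISE_ISSUER: ENTERPRISE_KEYS}


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def sign(claims: dict, kid: str, key: bytes) -> str:
    """Produce a compact JWS (JWT) with the given key id and HMAC key."""
    header = {"alg": "HS256", "typ": "JWT", "kid": kid}
    signing_input = _b64url(json.dumps(header).encode()) + "." + _b64url(json.dumps(claims).encode())
    tag = hmac.new(key, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + _b64url(tag)


def _verify(token: str, expected_aud: str, keys_for_issuer) -> bool:
    """Shared verification; keys_for_issuer decides which keys are eligible."""
    try:
        h, p, s = token.split(".")
        header = json.loads(_b64url_decode(h))
        claims = json.loads(_b64url_decode(p))
    except ValueError:  # malformed base64 / JSON / segment count
        return False
    if header.get("alg") != "HS256":
        return False
    key = keys_for_issuer(claims.get("iss")).get(header.get("kid"))
    if key is None:
        return False
    expected = hmac.new(key, f"{h}.{p}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(s)):
        return False
    return claims.get("aud") == expected_aud and claims.get("exp", 0) > time.time()


def validate_loose(token: str, expected_aud: str) -> bool:
    """Failure mode: any key the provider has ever published is acceptable,
    regardless of which issuer the token claims."""
    all_keys = {**CONSUMER_KEYS, **ENTERPRISE_KEYS}
    return _verify(token, expected_aud, lambda _iss: all_keys)


def validate_strict(token: str, expected_aud: str) -> bool:
    """Fix: choose the key set from the token's issuer, so a consumer key can
    never validate a token that claims to come from the enterprise issuer."""
    return _verify(token, expected_aud, lambda iss: KEYSET_FOR_ISSUER.get(iss, {}))


def demo() -> dict:
    """Compare both validators on a legitimate enterprise token and on a token
    that claims the enterprise issuer but is signed with the consumer key."""
    aud = "https://mail.example"
    exp = int(time.time()) + 600
    claims = {"iss": ENTERPRISE_ISSUER, "aud": aud, "sub": "user@contoso", "exp": exp}
    legit = sign(claims, "aad-key-1", ENTERPRISE_KEYS["aad-key-1"])
    crossed = sign(claims, "msa-key-1", CONSUMER_KEYS["msa-key-1"])
    return {
        "loose_accepts_legit": validate_loose(legit, aud),
        "loose_accepts_crossed": validate_loose(crossed, aud),
        "strict_accepts_legit": validate_strict(legit, aud),
        "strict_accepts_crossed": validate_strict(crossed, aud),
    }


if __name__ == "__main__":
    for name, accepted in demo().items():
        print(f"{name}: {accepted}")
```

The loose validator accepts the crossed token because the consumer key id is in its combined key set and the signature is mathematically valid; the strict validator rejects it before any signature check, because the enterprise issuer's key set does not contain that key id. Binding the key set to the issuer is the control; the signature algorithm is irrelevant to it.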
All right, so I still have like five minutes, so that's good. Thank you. So with Okta, Adam Chester had published this in September about the way that Okta integration works, and you'll notice down here that the customers that they have were pretty interesting. I'm not going to call any of these out by name, but it's pretty interesting the ones that are here. He published this great article, Okta for Red Teamers, and what he highlighted was that you can have delegated access, which is similar to Azure AD and one of the configurations there, where you can SSO from Okta to pretty much any other system. But if you can compromise the Okta service account in AD, then you can authenticate to Okta as any AD user and SSO to anything else, which is pretty interesting. You can also leverage the Okta agent: basically, if you can get onto that agent, then you can see the cleartext usernames and passwords, or if you could create your own agent, then you could get things rolling through that and you could do what you want and basically create your own access to other systems. So again, Adam Chester put this together, and it was interesting because Okta themselves had their own issues. In fact it says here,
support engineers are also able to facilitate the resetting of passwords and MFA factors for users. That's pretty powerful. So they've had their own issues. So the risk really comes down to: all right, we're having some problems with the cloud, but we have a lot of trust there. And the reality is that the business of cybercrime is run like a real business. I mean, they have support engineers, they have support hotlines, they have support email addresses. It's run like a business, for profit, and it's very effective.

And so with MGM they realized how effective this was, because they got ransomware, they got ransomed, and Caesars did too. Caesars paid apparently like $20 million; MGM didn't and ended up spending probably $100 million in getting this fixed. These are just some slides showing what they said over time as we learned more about what was going on with MGM, and this is very telling: all they did was they hopped on LinkedIn, found an employee, and then called the help desk. So a company valued at $33.9 billion was defeated by a 10-minute conversation. Unfortunately this is the reality we have today, because our security controls aren't good enough. And this affected everything; these are gaming systems at MGM. The notes here from the attacker, look at that: they were able to sniff the passwords on the Okta agent server, they got super admin privileges to their Okta system, they had Global Admin privileges to the Azure tenant, they launched ransomware against ESXi, which is VMware. That was pretty huge. Like I said, Caesars had published; in America now any company that's a publicly traded company has to publish an SEC filing if they have a breach. Companies have not done a good job of really being honest in this, and they're starting to get called out on it.

So what is the current state of Microsoft security? You think it's good? Active Directory, you think it's good? No. In our assessments we find, for our MCSA, which is our Azure AD / Entra ID security assessment, 34% have the highest level of severity rating. This is at least one critical, which is like compromise, like that. So this is over a third. Do we think it's better in Active Directory, yes or no? No, far worse. 76% of Active Directory environments we see, across just about every industry of just about every size, three quarters of those Active Directory environments have at least one critical. This is a problem. Things have not gotten better, unfortunately. But there's hope. We have published Locksmith, we have published a PowerShell tool, Invoke-TrimarcADChecks, we have an article with that which goes through some of the quick wins, and like I said, there's a lot of issues with a lot of things. We can fix these things. We can get to a better place with all of the security in these systems. We need our vendors to do better; please ask them to do better. But we can make things better. Again, this goes to our Linktree; you can get access to dozens of papers that we published on improving security. We have white papers that we published on how to improve Active Directory security more quickly. We're available at the booth; like I said, come and find one of the little red dragons. But that's been my time. Thank you very much for yours.