
...well, I'm in, and the topic from here is Please Waste My Time. I'm a red teamer; I lead a team of pentesters at a small consulting firm, Blue Bash Sec, doing blue teaming and red teaming. And because we do blue and red, I have had some change of heart over the years and I've changed my mind quite a bit on some issues, because I'm starting to see the pain that the blue team has, now that I'm not just handing over the pentest report and disappearing for a year and coming back to find the same vulnerabilities. I'm starting to see some of the issues that the blue team runs into, budget being one of them.

People slip up on passwords. We had an incident response where one of the sysadmins at that very large organization just forgot to change his password after an incident, and he was responsible for issuing password resets for everybody during a ransomware incident and just forgot to change his own password. So that kind of stuff happens.

And we come in and do our pentesting, and I got really excited this one time because I found a Windows Server 2003 box on an external network and it was vulnerable to MS08-067, it was vulnerable to EternalBlue, and I got started. I walked over to call the client saying, hey, I really want to pop this, but I think the better thing to do would be to just tell you to pull it down right now. And they go, no, we don't have a Windows Server 2003 box, we don't have one open to the world either, what's going on, are you sure you have the right scope? I call Cory, my VP of blue team, and he starts laughing at me, because, well, that was one of our honeypots that you ran into. So, dude, you should have told me that yesterday; I spent 8 hours on this. So 8 hours, basically, on that. So that's what I want to talk about today.

So before we start getting into it: why do we care for this? Well, there are a few ways to look at this. Quite often, like, here we don't have the budget for the SIEM, we don't have the budget for a security team, we don't have time to put in those controls, and maybe, I don't know if this is a good idea or a bad idea, but maybe you start with some honeypots. Or you've got money, you are a very mature organization, you spent all this time putting in these controls, the best EDR out there, you are no longer using Norton... and I just lost my place here. So you've got the best and the brightest and the most money you could spend, and now you're just sitting in there dealing with the alerts all day long. And even then it may be a good idea to put in a honeypot, because depending on your threat actors there may be a miss in there, and no matter how much money you spend on an EDR, as just a mediocre red teamer myself I can tell you there are still ways to get around it. It does give us a lot of pain, but at the same time it's still cat and mouse here.

Another good-bad, bad-good piece of advice: if you were just learning cyber security, you are wanting to be a blue teamer or you want to be a red teamer and you want to play with some real data, maybe spin up a honeypot in AWS or Azure or somewhere, just not at home. Just don't do that at home, okay? I had a friend tell me this morning that he's so fed up with Google that he wants to spin up his own email server. Please don't do that, don't spin up your own email server. Anyway.

So why waste my time? Well, you should waste my time because there will be a compromise at some point, no matter who you are, no matter how secure you are, no matter what zero trust you've got, okay? Even if you have sneakernets, when you have to physically walk a file from one computer to another, that's still not zero trust: you are trusting the person who's walking that file from one computer to another.

Another thing to think about, especially since I'm focusing on Windows in here, that's one, my AD expertise, and two, it's most common in corporate environments: there are things in corporate environments, specifically Windows Active Directory, that make it more likely that you are having a hard time protecting the environment and make it more likely that red teamers like myself are having a lot of fun. And I call them feature or vulnerability, because sometimes we don't really know if it's a feature or if it's not.

One of them, the most common one, is broadcast/multicast name resolution protocols. Okay, so in colleges we're taught, in schools we're taught: you want to know what google.com is, you go to the domain name server, end of story. That's not true. If you pull up Wireshark in an enterprise environment you will likely see NetBIOS Name Service, mDNS, LLMNR. Those three protocols are broadcast and multicast name resolution, meaning I'm asking everybody in the neighborhood: hey, do you know where this host is? The crazy part in Windows is it's not just that I'm asking everybody in this network, I'm asking everybody in every single network I have an adapter on. If you're on a VPN, maybe traversing over the VPN too.

So what happens with this is we go into network environments, we do our pentest, we spin up this tool called Responder. It's so common that we joke about it as if it's the most basic thing you'll do in a pentest; the reality is it is the most effective thing you end up doing. So your computer is asking the domain name server, hey, do you know what HR share is? At the same time it's asking everybody in the network. We respond to that and we say, hey, we are the HR share you're looking for. It doesn't matter if the user mistyped it or they typed it right, the computer is still doing that name resolution. So you've got Responder on the right side and we get what is called the NTLM hash, which can then be relayed or cracked. We were cracking that in the class yesterday; I think it was about 9 million hashes per second on a CPU in a VM. I got 9 million per second in a virtual machine with a CPU, that's pretty crazy. So good luck with that.

Another issue that makes it difficult to do the detection, the response, and to protect your environments is how easy it is to spill those hashes. Tracking pixels in emails can spill your hashes. You are pretty much used to marketing teams using tracking pixels: you open the email, the tracking pixel is loaded from the marketing team's website, that's how they know that you opened the email. Well, what if you use a UNC path, that's backslash backslash in the beginning, as the path, like going to a Windows file share? You do that, and whoever opens that email in Outlook desktop, their hash is sent over to whoever is running that IP address. I used this against a client. It was taking too long to get in anywhere, they were really good at what they were doing, and they had asked me to do whatever you want to get some access. So I said, hey, here's my daily status email: in the pentest we have not done anything, so, you know, maybe the report will be empty. And in that email was a tracking pixel, and I got my point of contact's credentials this way.

So you get those hashes, and then instead of having to crack them, if your environment does not have SMB signing required, does not require digital signatures, which is the default in Windows, you can just relay those hashes. So I can take that NTLM hash from one box and walk over to another and say, hey, I'm passing, here's my hash, let me log in. You can do this cross-protocol, to LDAP, to AD CS Certificate Services. Windows Server 2016 domain controllers and later require SMB signing now; Windows 11 will start requiring it in a future version, it's not mandatory just yet. But hey, they tried to disable NTLM a long time ago, right, and it's still sitting in the corner, so we'll probably still see that.

So we've got broadcast protocols spilling hashes, we've got the ability to pull hashes because any time we go to a UNC path we spill hashes, we can just take those hashes, we can walk over to anybody else in the network who does not require SMB signing, and we can sign in as whoever's hash we stole. This has become such an easy path to DA that we really just pipeline it in the beginning of a pentest: I have Responder running that is responding to broadcast/multicast name resolution requests, I have ntlmrelayx running, Responder gets those hashes and relays them.

Another issue that is pretty common for AD and Windows environments: Kerberos. Kerberos has two tickets, two ticket types that are used for authentication. You go to the domain controller when you log into your computer in the morning; the computer goes to the domain controller, to the KDC service running on it, and says, hey, I'm Cin, here is the response to your challenge, which is really just encrypting a timestamp with your hash, can you please give me an authentication ticket? That is your TGT, ticket granting ticket. That is the badge you got when you came to the conference this morning. Then you went to some villages, some of you went to trainings yesterday that required an additional interaction: that is your service ticket. So you show your badge and you go, hey, I'm authorized to be here, but I also want one more service. It's like going to a county or state fair: you have an admission ticket to enter that county or state fair, that is your ticket granting ticket, and then you need another ticket for the Ferris wheel, which, surprise, the fair has a Ferris wheel in the middle of a parking lot, pretty crazy. So you hand over the TGT, your admission ticket, and you say, hey, can I have a ticket for the Ferris wheel, can I have a ticket for another ride? That is your service ticket, the TGS.

Well, the TGS is encrypted with the service account's NT hash. So what we do: any domain user in the environment can go to the domain controller and say, hey, give me service tickets for every single service account. That is you authenticating for that service account; it doesn't necessarily mean you're authorized to access the service, but you do get the service ticket that you can use to interact with it, and that is encrypted with the service account's hash. We take it offline and we start cracking it. That one on a CPU we got about, I think it was five or six million hashes per second, something like that; still pretty fast to crack. Often times service accounts are using bad passwords. How often do you see them as domain admins, service accounts given domain admin privileges? Me as a red teamer, I love that, it makes my job so much easier, but for defenders it makes it more difficult.

So, things that we do in red teams that are possible and make it difficult for you to protect the environment, activity we perform in red teams and pentests: pass the hash. So I take a hash, an NT or an LM hash, from a device, and instead of cracking it I walk over to anybody in the network and say, hey, here's my hash. This method is pretty common. Microsoft's patch to this was: you cannot do a pass the hash attack against an account that is, well, sorry, let me restate it. After the Microsoft patch, you can do pass the hash attacks against local admins and domain users. So who the heck is left, who am I not able to do this against? Non-privileged local users. Well, I don't really care for them anyway. So pass the hash is a pretty common activity.

Then pass the ticket, when you are using Kerberos to perform authentication, which is the future now in Windows; you're going to start seeing more and more Kerberos. Those tickets are stored locally on your boxes. These are the TGTs, ticket granting tickets, the ticket that you hand over to the domain controller to get a TGS, a service ticket. They're both stored in memory, so if you have local admin you can dump them. Not only can you dump these tickets, you can then take these tickets to other boxes and say, hey, here's my ticket, authenticate me. That is called pass the ticket, and we've used that quite often in our environments.

Another common issue we see in Windows environments is improper AD privileges. So this is through a tool called BloodHound; I would highly suggest checking out BloodHound, really good tool for identifying weird ACLs. So we were performing a pentest against a plant environment and we saw that all domain users, the group Domain Users, was allowed to modify the group policy applied to domain controllers. So the Domain Users group was given write privileges on the Default Domain Controllers Policy, so any domain user can just modify the policy on the domain controllers and just launch a script and do whatever you want. Another one we see: Domain Users, or one weird user somewhere, is given local admin on a box, but nobody knows how that happened. So BloodHound can help you find that. We'll also find things like users given write privileges to shares; we exploited that in the class yesterday. You can drop an SCF file and start spilling hashes, you can drop malware in there, you know, you drop a file there called 2023 salaries.pdf and a lot of people will open that. So in this case, for example, the service account has GenericWrite on a user who's a member of Domain Admins, the service account also has SQL admin on a box, and the service account also happens to have a service principal name set, so it's Kerberoastable. So a quite easy path to escalation, quite easy path to domain admin, that we're exploiting, making it difficult to perform detection and response, to perform security controls.

And this is my most and least favorite at the same time: passwords, PII data in network shares. Quite happy to find that. My favorite was a KeePass database, which is a password manager, its database stored on the IT share, which is not necessarily a bad thing, you need to be an IT user, an IT member, to access it. But it wasn't just that it was a KeePass database: the KeePass database's password, the encryption key, was stored in a txt file right next to it, and the KeePass installer was also there. So everything you need to access it was right there. Another one we saw a while back was in a hospital where the electronic medical record data was being copied over to a network share for the past 10 years, so we had about 13 billion patient directories, and it was an NFS share, so nobody knew it existed, and it was open to everybody else in the environment. And this organization had about 10,000 users. Pretty bad. Just running the ls command in that network share took a whole day; it was 30 billion records, it was like a billion files in there. So quite often we are seeing this kind of stuff, where credentials are stored, sensitive data is stored in text files, in PDF files, XLS files, and it's making my job quite easy: let's grab that and start using it.

Now one more thing I want you to note: all of this, everything I went through, not only is it making my job easy, I'm getting used to seeing this, and that's what you are going to exploit. I'm used to seeing passwords in a text file, I'm used to seeing the bad permissions, tickets laying around, hashes laying around in memory, I'm used to seeing Kerberoastable accounts, broadcast/multicast name resolution requests. All of this I'm used to seeing. So this leads us to: how do you waste my time? What are things that you can do to cause that waste of time?

My favorite one in this would be, well, I'm going to say that about every single slide. So, honey users. Create a user that is a real user; don't create a fake user, create a real user. Make it real: have the user log on to some devices periodically, have the user create some network activity, give it a password that is not too easy but also not too difficult, that somebody will likely guess, right? And I would also suggest, if you are doing things like requiring password changes for your users every 90 days, stop doing that please, make it once a year, make your passwords 16 characters; otherwise you're going to make my job extremely difficult. Good tangent: 16 character passwords are extremely difficult to crack or guess. By the time I get to guessing those passwords you've already seen a million requests from me, you've already detected me. And your users, if you let them choose a password that they will remember and it does not require having to use uppercase, lowercase, special characters, numbers and, you know, your firstborn son and whatnot, it's going to make the password change easier for you too; the help desk is going to have fewer calls coming in. So give it a password that's not too difficult but not too easy, have it change the password as often as other users do, and then watch the Event Viewer on the domain controller for any authentications for that user. If I run BloodHound, which will pull in all the user data, computer data, group policies to see which are the different paths I can take to escalate, I'm going to pull that user too, okay? But if you find that to be too much, if that generates too much traffic, then maybe you don't focus on "was this user's information requested", maybe you focus on a specific property of that user. There are some properties for AD objects that are not commonly pulled by your typical tools; use one of those. And one of the bonus things you can do is you could have a scheduled task running on a domain-joined Windows device that has this user access a file share, has this user maybe RDP to a different device. For a file share you could simply just do a scheduled task, and in the scheduled task you can do explorer.exe and then the path to the file share, and this user periodically does that activity, which will be seen by attackers in the network. Don't do it every minute, that's kind of crazy and pretty easily caught by us, but do it like once a day, like 9:00 a.m., this person's first thing they do is they open up a file share. The moment somebody requests that user, you know there's somebody malicious, because nobody should be talking to this user.

Honey service principal names. So this would be your service accounts. Earlier I mentioned the case where if you have any account that has a service principal name set, meaning it's a service account, any domain user can request a service ticket and we can then crack that ticket offline. Once I have requested that ticket, which is a very quick process, a single request, I think it's about 30 in total, once I pull that service ticket from the domain controller, I can just go home with that ticket and wait for it to crack over the next month, two months, three months. How often are we changing service account passwords? Quite often they never get changed. I may even have a whole year to crack that ticket and then come back and become that service account. So what if you had an account that was a honeypot service account, a honey user with a service principal name set, and the moment somebody requests a ticket for that account you know there's somebody malicious, otherwise there's no reason for anybody else in the network to talk to it. The event ID for that is going to be 4769; you want to filter on failure code 0x0. Basically, failure code 0x0 would mean the request was successful. You could also do this over a scheduled task. Or, if you want to be mean, which I would suggest, being mean, make this service account a member of Domain Admins. Okay, now that is a very dangerous thing to do, so you've got to monitor it very closely. Make it a member of Domain Admins and make the password very long and difficult, so it takes me a week to crack it, but I'm going to spend that time because it's a domain admin. And this is a guesstimate, I have read this somewhere, it was by Nikhil Mittal, he runs the Altered Security training team; he mentions in one of his blog posts that you can have domain admins that are not allowed to log on. So you have an account and you deny logon to it, so even though this principal is a domain admin, I can't do anything, my ability to do things with it will be very limited. At the same time make that password difficult, so you waste my whole week cracking that hash.

Can anybody realize what I'm doing with the pictures in here? Anybody realize what that's from? Miss Minutes, yeah, Miss Minutes, that's true.

So earlier I talked about broadcast/multicast name resolution: your computer, instead of just asking the domain name server, hey, do you know where this host is, is asking everyone in the network. So what if you had an actual name resolution request going in the network, but it was for a honeypot host? Nobody should know where FS1 is, nobody should know where HR1 is, but somebody responded and said, hey, I am HR1. Well, you just caught somebody running Responder in your network. And you can do that with a scheduled task running the Resolve-DnsName command in PowerShell. There are a few caveats to this: if you have already done the work of disabling broadcast/multicast resolution protocols in your network, you're going to have to enable that on the device where you run this. You could do this on a Linux box instead of using PowerShell, you could do something else to do this, but coming from a Windows box it will look much more real to those red teamers trying to identify honeypots beforehand, so make it more difficult for them. So running it from a Windows box, you could do this.

Then you could also do, I think it's called New-SmbMapping, which is like the net use command where you can map a network share. So I have a script that I wrote called Nate that will use New-SmbMapping to also use credentials. So first it sends out that multicast name resolution request: hey, I'm looking for FS01, does anybody know where that is? If somebody responds, it will create an event log entry; it can also drop lines into a log file saying, hey, this IP address responded saying I am FS01. Second thing: if you do specify creds, it will send out a username and a password in NTLM, so the red teamer is now spending time trying to crack that. The default one I have in this is about 33 characters long; it's going to take forever to crack it. It is crackable, though, it will just take about six, seven hours if you've got something like a GTX 3050 on your device. But again it's a honeypot, and you have now detected the most common thing that red teamers do in network environments. And I've been caught by this twice, and I respected that, you know what, this is cool, show me how you did this. And there are some paid tools that will do it, but you don't need to do that if you've got time; it won't take much time to set this up. And then what we do with our clients is we log it, have it sent over to a SIEM, and do alerting. And once you tune it, once you run it for a bit and you make sure there are no false positives, this will be a high fidelity alert, because somebody responded to what should not have been responded to. There should not be anybody saying they are FS01, and if somebody does respond to that, we have a bad actor.

Of course you can't talk about honey without talking about Canary tokens. The website is canarytokens.org, it's free. As an organization I suggest using the paid commercial appliance so you support their development, but canarytokens.org I use on my personal computers. I'll create a PDF file, I will drop it on my desktop, and it will be something like tax receipts or 2023 taxes, and the way it works is it's going to have an image inside, like a tracking pixel, inside that PDF. So any time somebody opens that PDF, doesn't matter if you open it in a web browser, in a PDF viewer, something else, I'm going to get an alert saying, hey, somebody opened that PDF from this IP address, and you can put in some notes that tell you when you dropped it. So you could create one for your HR file share, one for your IT file share, create one for maybe just your desktop and drop it there. There are quite a few different things you can do with this: you can also use it to monitor Azure AD users, DNS requests to different DNS endpoints, AWS keys, so you could have an AWS keys file, and the moment that key gets used you get an email alert from Canary tokens saying, hey, somebody just used that key and here is the IP address where they came from. A bonus: if you use this to monitor commands, the way that works is, I believe, it's a scheduled task that monitors what commands you want. So you can monitor things like whoami. Those of us who became pentesters by taking the OSCP, we are used to running whoami; the first thing we do when we get on a box is we run whoami. And recently a client did that, they caught me because I ran whoami, so that was a fun call with them. Alert on that, because your typical user should not be running whoami; Joe from the firm has no business running whoami or net user. Why would they be running net user? So you can alert on that, and that would give you the ability to identify attackers, somebody malicious in the environment. Even if they are not malicious it's still worth asking, why would you want that? It may mean that they took a class at BSides and they wanted to test things out. It may not be a malicious thing to do, but they shouldn't really be doing that.

I mentioned a KeePass database earlier. Well, you could have your own KeePass database that you drop in a network share. You should drop that in the IT network share, and have the password either sitting in a different folder somewhere else, or maybe in the same folder, that might still work, or you can just not have the password anywhere and make it something that will take some time to guess. And this gives you the ability, because this is a password manager database, you could really have like a whole story around where you want the attacker to go. You could really know where they go next, which applications they're going to go after, which websites they will try to log into, to really try to waste their time with this.

OneNote. Yeah, so OneNote is way too often used by IT teams to store credentials, and I think, I think this is a zero day I'm going to drop right now: OneNote is not a secure note application, okay? Don't put notes in OneNote, please. Although my favorite use of OneNote is malware transfer: if you have access to a client environment over RDP and they have OneNote, open up that OneNote in a web browser on your box, upload malware to it as an attachment in OneNote, and download it on the other side. That's all it takes. But yeah, OneNote is used quite often by IT teams, so maybe you have a OneNote notebook that is an IT OneNote notebook, and it happens to have network diagrams, it happens to have some documentation about some vendors, maybe the last pentest report, and maybe it has some credentials in it, but maybe some of it or all of it happens to be fake. Waste my time.

The activities that IT is performing daily, that we the attackers are used to, the activities the users are doing every day that we the attackers are used to: use those against us. You're spending so much time trying to change the user behavior, and this is taking time, and some of it is being successful, some of it is taking time. Well, maybe we use that user behavior in a way that wastes the attacker's time, because we know the attacker is going to go for that behavior. So this script is part of the Empire C2 framework, but you could do it in many different ways. One of the very common things we'll do as the attackers, red teamers, is we will dump the SAM, we will dump NTDS, or wherever we can find some NT hashes, we'll take those hashes and we'll pass them to other boxes. These are the NT hashes that come out of SAM and NTDS. What if you had fake ones sitting in LSASS? So you can do that; the script uses a Win32 API to perform that operation. Another way you do this is you just create an actual user, you have that user log on to another box, and then after that user logged on to the box you just change the password: that hash in there is no longer valid, and if somebody tries to log on with that hash, you know there's somebody who's malicious in the environment. The trick is the user has to be real; if the user is not real then you may end up giving that away. But also don't just use one honeypot. I went through a lot of techniques in here; canarytokens.org itself has 10, 15 different things you can do. So I've had red teaming engagements where the client had 10, 15 different honey users, they had honey service principal names, they had honeypots, they had these PDF files dropped in all kinds of shares.

Earlier there was a talk in here, a panel, about insider threat. Well, you can do this to find, to already find, the insider threat, you know: drop that PDF file, call it something like 2024 acquisition plan, and put that in a busy network share, see who opens it. Call it CEO monthly salary or whatever and put that in a network share, see who opens it. You will find that insider threat, because quite often the insider threat is not somebody who's intentionally malicious; they're just curious, and their curiosity causes some sort of an incident, or they got duped by a threat actor somehow. You know, there was one case where the threat actors paid somebody a lot of money to click on a link, and you get that money in your bank account and you tell the security team, oh sorry, I didn't think that was a phishing email, but you're making money out of that. So yeah, use this to find your insiders too.

One idea I don't have a slide on, and it's a really stupid idea but a really good idea at the same time: one of my clients, we were doing a purple team, and at the end of the purple team we just started shooting some ideas, and they mentioned, what if we had hundreds of honeypot users, and they had hundreds of honeypot groups, those hundreds of users were members of those hundreds of groups in nested group memberships, where those hundreds of groups were also members of some other hundreds of groups, and those hundreds of groups had permissions from some other hundreds of users, and they all had the ability to local admin on maybe 5, 10, 15 different boxes. I think that's a really crazy idea, but it's a really good idea, because imagine running BloodHound against that environment: it will take forever, and I'm going to get really excited, and then I have hundreds of different paths to verify, and maybe one of them is real but hundreds of them are not. So hey, if anybody wants to take it, do it, run it, put it on GitHub, because we're not going to test that out. But yeah, do something like that, do something really crazy, waste our time, because BloodHound is a very common way we are finding those paths, right? And when we do that and you've got hundreds of fake users, hundreds of fake groups, hundreds of fake permissions, you waste a lot of my time, and that's a really good thing.

So, thank you, I love the sponsors. BSides are very important when it comes to cyber security, and I got my start in BSides, so, you know, thank you sponsors for doing what you did. And that's me; the talk slides are going to be here, #conts, and that's my LinkedIn, anybody wants to connect from there please do, let me know who you are. We've got a stand there too. Any questions? We have some time.
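The honey service principal name and honey user detections described in the talk, written out as an added PowerShell example (this is not the speaker's own code). It assumes Windows PowerShell 5.1 on a domain controller (or on a box that receives the DCs' forwarded Security logs) and read access to the Security log; the account names and the client address are constructed placeholders for your own honey objects.

```powershell
# Added example, not the speaker's own code. Run on a domain controller (or a box that
# receives the DCs' forwarded Security logs) under Windows PowerShell 5.1 with rights to
# read the Security log. The account names and client address below are constructed
# placeholders; replace them with your own honey objects.
param(
    [string[]]$HoneyServiceAccounts = @('svc-honeysql'),   # honey accounts that carry an SPN
    [string[]]$HoneyUsers           = @('hr.honeyuser'),   # honey users that never log on for real
    [string[]]$ExpectedHoneyClients = @('10.0.5.25'),      # host whose scheduled task logs the honey user on
    [int]$LookbackMinutes           = 60
)

# Flatten the <EventData> of a Security event into a Name -> value hashtable.
function Get-EventDataMap {
    param([System.Diagnostics.Eventing.Reader.EventRecord]$Event)
    $xml = [xml]$Event.ToXml()
    $map = @{}
    foreach ($d in $xml.Event.EventData.Data) { $map[$d.Name] = $d.'#text' }
    return $map
}

# Kerberos events log IPv4 clients as ::ffff:10.0.0.5; strip the prefix for readability.
function ConvertTo-PlainIp { param([string]$Ip) return ($Ip -replace '^::ffff:', '') }

# 4769 = a service ticket was requested. A successful request (Status 0x0) for the honey
# SPN is the Kerberoasting indicator the talk describes: nothing legitimate asks for it.
function Find-HoneySpnRequests {
    $since  = (Get-Date).AddMinutes(-$LookbackMinutes)
    $events = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4769; StartTime = $since } `
                           -ErrorAction SilentlyContinue
    foreach ($e in $events) {
        $d   = Get-EventDataMap $e
        $svc = $d['ServiceName'] -replace '\$$', ''      # computer accounts end in $
        if (($HoneyServiceAccounts -contains $svc) -and ($d['Status'] -eq '0x0')) {
            [pscustomobject]@{
                Time      = $e.TimeCreated
                Indicator = 'HoneySPN-4769'
                Account   = $d['TargetUserName']        # the principal that asked for the ticket
                Target    = $svc
                Client    = ConvertTo-PlainIp $d['IpAddress']
                EncType   = $d['TicketEncryptionType']  # 0x17 (RC4) is what roasting tools usually request
            }
        }
    }
}

# 4768 = TGT requested, 4771 = pre-authentication failed (a password guess). For the honey
# user, both are suspicious unless the TGT request comes from the host that runs its own
# scheduled task (the "real" activity the talk says the honey user should generate).
function Find-HoneyUserActivity {
    $since  = (Get-Date).AddMinutes(-$LookbackMinutes)
    $events = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4768, 4771; StartTime = $since } `
                           -ErrorAction SilentlyContinue
    foreach ($e in $events) {
        $d    = Get-EventDataMap $e
        $user = $d['TargetUserName']
        if ($HoneyUsers -notcontains $user) { continue }
        $client = ConvertTo-PlainIp $d['IpAddress']
        if (($e.Id -eq 4768) -and ($ExpectedHoneyClients -contains $client)) { continue }
        [pscustomobject]@{
            Time      = $e.TimeCreated
            Indicator = "HoneyUser-$($e.Id)"
            Account   = $user
            Target    = $d['ServiceName']
            Client    = $client
            EncType   = $d['TicketEncryptionType']
        }
    }
}

$hits = @(Find-HoneySpnRequests) + @(Find-HoneyUserActivity)
if ($hits.Count -gt 0) {
    $hits | Sort-Object Time | Format-Table -AutoSize   # or ship these objects to your SIEM
} else {
    Write-Host "No honey account activity in the last $LookbackMinutes minutes."
}
```

Schedule it every few minutes on the DC, or run the same logic as a SIEM rule over forwarded 4769/4768/4771 events; the honey SPN rule is the high-fidelity one, the honey user rule needs the scheduled-task host excluded or it alerts on itself.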
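The honey name-resolution probe from the talk (the Resolve-DnsName plus New-SmbMapping idea), as an added PowerShell example; this is my reconstruction, not the speaker's "Nate" script. It assumes Windows PowerShell 5.1 on a domain-joined host with LLMNR/NetBIOS-NS still enabled, a $HoneyHost name that has no DNS record and no real machine behind it, and a bait account that is constructed and belongs to nobody.

```powershell
# Added example, not the speaker's "Nate" script. Runs on a domain-joined Windows host
# under Windows PowerShell 5.1 (New-EventLog/Write-EventLog are not in PowerShell 7).
# $HoneyHost must have no DNS record and no real machine behind it, and the bait account
# below is constructed: it belongs to nobody, so a cracked password buys the attacker nothing.
param(
    [string]$HoneyHost    = 'FS01',
    [string]$LogPath      = 'C:\ProgramData\HoneyResolve\honey.log',
    [string]$EventSource  = 'HoneyResolve',
    [switch]$SendBaitCreds,
    [string]$BaitUser     = 'CORP\svc-backup7',
    [string]$BaitPassword = 'Long-honey-passphrase-nobody-uses!'   # 34 chars: slow to crack, worthless once cracked
)

# Record a hit both in a flat log file and in the Application event log, so a SIEM
# agent picks it up either way.
function Write-HoneyAlert {
    param([string]$Message)
    New-Item -ItemType Directory -Path (Split-Path $LogPath) -Force | Out-Null
    Add-Content -Path $LogPath -Value ("{0:u} {1}" -f (Get-Date), $Message)
    # Creating the event source needs admin once; later runs only need to write.
    if (-not [System.Diagnostics.EventLog]::SourceExists($EventSource)) {
        New-EventLog -LogName Application -Source $EventSource
    }
    Write-EventLog -LogName Application -Source $EventSource -EventId 4000 `
                   -EntryType Warning -Message $Message
}

# Ask only LLMNR and NetBIOS-NS, the broadcast/multicast protocols Responder poisons,
# so an ordinary DNS "name does not exist" can never count as a hit.
function Test-HoneyName {
    $answers = Resolve-DnsName -Name $HoneyHost -LlmnrNetbiosOnly -ErrorAction SilentlyContinue |
               Where-Object { $_.IPAddress }
    if (-not $answers) { return $null }

    $responders = ($answers | ForEach-Object { $_.IPAddress } | Sort-Object -Unique) -join ', '
    Write-HoneyAlert "Honey host $HoneyHost was answered by $responders (LLMNR/NBT-NS poisoning suspected)"

    if ($SendBaitCreds) {
        # Only now is it worth offering the bait: the poisoner captures a Net-NTLM exchange
        # for an account that does not exist, and spends their cracking time on it.
        New-SmbMapping -RemotePath "\\$HoneyHost\share" -UserName $BaitUser -Password $BaitPassword `
                       -ErrorAction SilentlyContinue | Out-Null
        Write-HoneyAlert "Bait credentials for $BaitUser were offered to $responders"
    }
    return $responders
}

# Once-a-day probe at 09:00, as the talk suggests; every minute would look artificial.
# Call this once, elevated, with the path where you saved this script.
function Register-HoneyResolveTask {
    param([string]$ScriptPath, [string]$At = '09:00')
    $action  = New-ScheduledTaskAction -Execute 'powershell.exe' `
               -Argument "-NoProfile -ExecutionPolicy Bypass -File `"$ScriptPath`" -SendBaitCreds"
    $trigger = New-ScheduledTaskTrigger -Daily -At $At
    Register-ScheduledTask -TaskName 'HoneyResolve' -Action $action -Trigger $trigger -Force | Out-Null
}

$hit = Test-HoneyName
if ($hit) { Write-Host "ALERT: $HoneyHost answered by $hit" } else { Write-Host "No answer for $HoneyHost (good)" }
```

Tune it for a few days before alerting: a legitimately misnamed device or an mDNS reflector answering the honey name is the false positive to rule out, after which a hit is as high fidelity as the talk describes.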
Audience: I'd like to ask you, at a high level, about some of those rules that you built. The other one is just...

Speaker: Nice. So yeah, you're running BloodHound detection. One of those would be if somebody's enumerating local admins, and one is if somebody is going through many, many devices and doing some activities there or querying them. So we have had some clients detect BloodHound. When I'm doing a true red team engagement, when I am being stealthy, I'm not going to run BloodHound, because BloodHound would be a bad idea there. Then what I use: I will RDP into a device if I can, pull up File Explorer, go to the Network tab, and there's an AD search that you can do there that is coming from [unclear]. Or I will go to Outlook, if I have somebody's inbox access, and I will look at the Outlook address book. It doesn't give me the same info as BloodHound, but it gives me a bit more info about the environment; oftentimes we have users whose name is adm-something. But I have had people catch me running BloodHound, though not a lot; I wish there were more. BloodHound is such a loud tool. It is going to the domain controller saying hey, give me all of your computers, all users, all group policies, who has what access, and then it takes all those computers and goes to each one of those computers: hey, give me all of your users, give me all of your local admins, give me all the policies applied to you. So it is a really loud activity happening in the network, but your typical EDR should catch that. The biggest problem is they have to get [inaudible]. So EDR and AV are catching it when you run BloodHound, the SharpHound executable, specifically on the host. But what if you run BloodHound.py on a Linux box? You don't have anything touching the disk, so then you need something like a SIEM to know there are many requests coming in to your domain controller.

Audience: I think ours caught a lot, but do you use the Python script?

Speaker: Yes, we actually use it.

Audience: We were actually using several different techniques, just to see if they potentially... I can't exactly say which, but it was one of the major players, and one of the EDR vendors actually searches out specific tools, like the top-tier ones like...

Speaker: Wait, you said, like, top 10? I was thinking...

Audience: Cortex, yeah.

Speaker: Yeah, that's what they did. And actually I was working at a company, and that's how they detected us, but they didn't look for the specific service that we were using. And that's how our pass-the-ticket actually got detected once: the client was running Elastic's Endgame, and a lot of those EDRs will have some sort of a SIEM component to them. So what this one was doing: you got a ticket from host A that is being used on host B, and that doesn't make any sense, and that's how they got the alert that we were in the environment.
Audience: So what kind of advice do you have for small teams, to start the conversation?

Speaker: Let me understand your question first. You're saying what's my advice for small red teams, less than five people, in what sense?

Audience: To start, like, having these kinds of conversations.

Speaker: Yes. Well, the first step in that is don't disappear. That's the difficult part, right, because the sales team is always hounding me: hey, why are we spending so much time with that client, that's not billable? And that's where small teams have the trouble: you have to sort of manage your time and not spend too much extra on that client, because you've got another client waiting for you. I would say take pride in reporting, and in that report talk about the positive measures, the good things they did. If they did deploy a honeypot, give them kudos on that; write in that executive summary that hey, you had a honeypot that detected us, that's a great job. That will encourage them to do that more. Talk about some of this in your recommendations. In the recommendations you write, don't just focus on fixing this problem today; think about the future. So don't just say change the default password on this one device; say something like ensure that all defaults are changed before going to production, implement a secure configuration standard, or something like that. Think of the future in your reporting, and that might help. The second thing would be to maybe do some sort of a CTF with them. Now, if you're a small team you probably won't have a lot of time; maybe once a quarter you do something on TryHackMe with them. That might help. You'll notice a lot of blue teamers eventually want to get to the red team, right, so use that to help them get better.

Audience: gMSA, group managed service accounts?

Speaker: Yes, and not enough people use them. So, group managed service accounts. What we are going to talk about is Kerberoasting, where you have a service principal name for an account, and because it has a service principal name, anybody can request a service ticket and crack it offline. Okay, that's one issue with it. The second issue with service principal names is if you put a username and a password in Service Manager, that password is stored in plaintext in memory, so anybody with local admin access can dump LSASS and see that password. So group managed service accounts are what we generally recommend, because with group managed service accounts you can tell where they should log on from; you don't have a password that you set, the computer sets it, and that is a very strong password, I'm not guessing that; and three, they cannot be Kerberoasted. So that is my recommendation, our recommendation: get rid of service accounts, go to managed service accounts. The problem is gMSAs don't play well with Linux and many Unix or Linux-type devices, so that creates a limitation. Secondly, a lot of times organizations have a service account that is being used on 50 devices and it's all hardcoded in those 50 devices, so when you ask them to use gMSA they start worrying: how am I going to go to those 50 devices and put in the new account on them? And that sort of limitation they have is how do I go to those 50 devices and change the password on them, which leaves them vulnerable. But gMSA, I love that you mentioned it, because that's really important; use that. One more question.
Audience: Anything else? From, like, a blue team side, how do we talk to leadership to say, you know, honeypots are good? Because we're paying for a pentest and they want to see results, but then they go, oh, you know, we paid for them to waste 30 hours and we didn't get any results out of those 30. So how do we bridge that conversation with them?

Speaker: That's a good question. So you paid the pentesters to come in and destroy you, you paid the pentesters to come in and find vulnerabilities, but now you are wasting their 30 hours, 40 hours on honeypots. What I would suggest is once you find them on your honeypot, don't just let them flail about; maybe wait, like, half an hour and then let them know it was a honeypot, and make sure they put that in the report. Make them put that in the report. Us red teamers, we need to start giving the blue team some credit. Okay, when the blue team detects you, talk about them in the report. What we'll generally do is we'll ask the client's blue team to send us a screenshot of that alert and we'll put it in the report. The executive summary will talk about how this was an authorized assumed breach, like one we did very recently where the client gave us domain admin credentials. So we talk about it in the report: hey, this was an authorized assumed breach where the client gave us a domain admin for reasons X, Y and Z, so the one reading the report doesn't think that is terrible. And I mentioned earlier, put positive measures in there too. So yeah, if this is one of those engagements where it is a pentest and not a true red team and you are worried about wasting too much time, just let them know that you caught them. Maybe don't tell them what the other honeypots are; just "this one tripped about half an hour ago, just letting you know," and then let them do their thing. Thank you. That's all, folks, really appreciate your time, and as I mentioned, the slides are right there on that link. I'll be around if you all have any questions. Thanks.
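As an added example of the gMSA recommendation made in the Q&A above (this is editor-added code, not part of the talk or the speaker's tooling): the PowerShell below first lists the user accounts that carry an SPN and are therefore Kerberoastable, then replaces one of them with a group managed service account whose password only the named hosts can retrieve and which AD rotates on its own. It assumes the ActiveDirectory RSAT module, Domain Admin rights, and a lab domain where no KDS root key exists yet; the names `svc-web`, `gmsa-web`, `gmsa-web-hosts`, `WEB01`, `WEB02` and `corp.local` are hypothetical placeholders.

```powershell
# Editor-added example, not from the talk. Assumes the ActiveDirectory RSAT
# module and Domain Admin rights. Account, group, host and domain names below
# are hypothetical placeholders.
Import-Module ActiveDirectory

# 1. Find user accounts that carry an SPN. Any authenticated domain user can
#    request a service ticket for these and crack it offline (Kerberoasting),
#    so this is the list of accounts to migrate to gMSA.
Get-ADUser -Filter 'ServicePrincipalName -like "*"' `
    -Properties ServicePrincipalName, PasswordLastSet, AdminCount |
    Select-Object SamAccountName, PasswordLastSet, AdminCount,
        @{ Name = 'SPNs'; Expression = { $_.ServicePrincipalName -join '; ' } } |
    Format-Table -AutoSize

# 2. One-time per forest: create the KDS root key that derives gMSA passwords.
#    -EffectiveImmediately still needs about 10 hours to replicate in a real
#    domain; in a throwaway lab use -EffectiveTime ((Get-Date).AddHours(-10)).
if (-not (Get-KdsRootKey)) {
    Add-KdsRootKey -EffectiveImmediately
}

# 3. Remove the SPN from the legacy account first: SPNs must be unique in the
#    forest, so New-ADServiceAccount would otherwise fail with a duplicate.
Set-ADUser -Identity 'svc-web' -Clear servicePrincipalName

# 4. Only the hosts in this group can retrieve the managed password; this is the
#    "you can tell where they should log on from" property from the Q&A.
New-ADGroup -Name 'gmsa-web-hosts' -GroupScope Global -GroupCategory Security
Add-ADGroupMember -Identity 'gmsa-web-hosts' -Members 'WEB01$', 'WEB02$'

# 5. Create the gMSA. Nobody sets the password; AD generates a 240-byte random
#    one and rotates it every ManagedPasswordIntervalInDays.
New-ADServiceAccount -Name 'gmsa-web' `
    -DNSHostName 'gmsa-web.corp.local' `
    -ServicePrincipalNames 'HTTP/web.corp.local' `
    -PrincipalsAllowedToRetrieveManagedPassword 'gmsa-web-hosts' `
    -ManagedPasswordIntervalInDays 30

# 6. On each member host (after a reboot so the new group membership is in the
#    computer's token), run:
#       Install-ADServiceAccount -Identity 'gmsa-web'
#       Test-ADServiceAccount -Identity 'gmsa-web'   # expect True
#    then configure the service to run as CORP\gmsa-web$ with an empty password.

# 7. Once the service has been cut over, retire the old account.
Disable-ADAccount -Identity 'svc-web'
```

Two practical notes tied to the limitations the speaker raised: the hosts that may retrieve the password must be Windows machines joined to the domain, which is why gMSA does not cover Linux or Unix services, and step 1 is worth re-running periodically, since a new SPN set on an ordinary user account silently reintroduces the Kerberoasting exposure the migration removed.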