
Hello everyone, hello BSides Charm. Thank you for coming out to our talk, Active Directory and the Domain Name System. I am Jake, and I'm Jim. We are calling this... the wrong direction. Cool. [Laughter] A match made in heaven, but anybody that's worked in Active Directory knows that's not quite true. Imagine in Hell? A little too spicy, Jake. A match made in heck, very appropriate for our Midwestern sensibilities. I'm from Ohio, he's from Minnesota, so yeah, we're not allowed to swear.

So who are we? Well, I'm Jim Sykora. I'm a long time IT generalist. I'm a security consultant on identity security; I joined Trimarc about a year ago. I'm not famous on Twitter, but that's where
you're probably more likely to find me if you want to chat afterwards. And my name is Jake, Jake Hildreth. I'm also a long time IT generalist; I started programming in BASIC on the Commodore 64, so yes, I'm old. I currently run our Active Directory security assessment team at Trimarc. Also, I've been told that I'm supposed to say that I am the co-host of the Twitch happy hour from Trimarc. Co-host, did I say co-host? [Laughter] Maintainer of the Locksmith ADCS remediation tool that was presented here last year for the first time, and then I'm on Mastodon, so come find me there for posting.

So what are we going to talk about today? We're going to talk about Addie and Dennis. So who is Addie? Wait, we skipped ahead too far, didn't we? Okay, all right. Addie is what we call Active Directory. We don't actually use that name, it's just cute. Active Directory is the directory service that underlies 95% of corporate networks out there. It combines Kerberos with an LDAP database and provides some other services like federation and the previously mentioned ADCS, Active Directory Certificate Services. Anybody that's running an Active Directory environment out there, I bet you're vulnerable too, just saying. Dennis is the Domain Name System. Dennis was born in the early 80s. Dennis helps you translate human
understandable names into computer understandable IP addresses. It's essential to the modern internet, and you've found that out if you've ever worked in operations, because it's always DNS.

So, a little quick history on how this marriage happened. Before Active Directory was released, in the olden days, we had NT Directory Services. To do name resolution at that time you were using NetBIOS, you were using LLMNR, you were using WINS, these terrible protocols with no security built into them, and that's really even if that directory service was using TCP; a lot of networks back then were using IPX/SPX. Anybody use that, familiar? No? Okay, good. Oh, we got one, all right, good deal. But then in early 2000 Active Directory was released. It, as mentioned, had directory services including DNS, and they've been pretty interlinked ever since. I mean, Active Directory uses DNS to identify so many things, and DNS stores all of its information in Active Directory, so they're pretty codependent at this point. If you compromise AD, you're going to compromise the DNS; if you compromise the DNS, you could probably compromise AD.

So for a little more detail on where... this is out of date, we're missing a bunch of slides. All right, that's okay. For more detail, I can talk about it anyway. So historically, DNS zones and records were stored in a
zone file with a start of authority and all the records after that, whether that's BIND or whatever, and Active Directory integrated DNS can do that as well with local files, but doing zone transfers and all that stuff kind of sucks. Active Directory introduced multi-master replication and allows that to work with DNS as well through the integrated DNS zones. That lets all of the DNS zones replicate across your domain, forest, whatever, and all of the records that are in them, and gives you a lot simpler, if not just a completely different, way of handling all that replication of those DNS nodes across your network. The other part of that is that all the records for Active Directory integrated DNS zones are stored in what's called DNS nodes, so they're stored in Active Directory, and every DNS node is a record or has multiple records associated with it. So just imagine the screenshots that would have been in the slide if we would have put that there. Yep.

So I'm going to start out... well, there's another slide that's missing, that's interesting. So this is what happens when you edit slides 15 minutes before your presentation, just in case you're wondering. Anyway, obviously we've chosen a marriage theme for our presentation, which is really weird because we're weird, but the reason that we did that is because
we kind of got on this idea of the traditional wedding blessing of Something Old, Something New, Something Borrowed and Something Blue. So we're going to go through Active Directory integrated DNS in that theme, and I'm going to start out with some old things, including previous research.

So going back to how DNS records and zones are stored in Active Directory, which I just briefed on: they're all Active Directory objects, and there's been ways to manipulate DNS records inside of networks, and for attackers to do manipulation of name resolution through things like poisoning, for a long time. Jake mentioned some things like LLMNR or NetBIOS Name Services. Responder came out in 2012. Anybody familiar with Responder? Yeah. So there's probably people that were doing DNS poisoning maybe before Responder, but that's when it really hit the market. Responder really only works within your local network. And I forgot some words right there, but that's cool. But the thing of it is that when it comes to name resolution from a Windows client, you have the hosts file, DNS records, and then below that in the pecking order all of your multicast resolution, where they're doing broadcast resolution.

So a while ago a person named Kevin Robertson did a bunch of research into Active
Directory DNS and started off with abusing dynamic DNS updates. Dynamic DNS updates are what let your computers, Windows computers, other computers, create a DNS record in Active Directory integrated DNS and then update their own record as they change IP addresses or change functions. So Kevin was able to abuse dynamic DNS updates and he could create DNS records with that, but he couldn't create a wildcard record. Now a wildcard record in DNS will let you do much the same thing that Responder does, by advertising any time somebody makes a name query for something that doesn't exist. Responder will say, that's me, that's me, send your authentication to me. Well, a wildcard record will do that same thing in a little bit different way, at a higher priority and across any broadcast domain. So he couldn't create wildcard records with it, but he did a little bit more research, and Active Directory integrated DNS is just Active Directory objects, and you can create, manipulate and read Active Directory objects with LDAP, because LDAP is a fundamental part of Active Directory. So Kevin found that with a little bit of reverse engineering you could create DNS nodes for any object that didn't already exist, including wildcard records, with LDAP, and Kevin created a tool called Powermad which uses LDAP and still the dynamic DNS updates to manipulate and
abuse DNS records and also manipulate and abuse computer objects. I wasn't really quite done with that one yet, but that's cool.

So DNS poisoning can do a lot of weird things: it can redirect traffic to an attacker machine just like Responder. DNS poisoning can create single name UNC paths, which is interesting in a Windows network because a single name UNC path will end up being in your intranet zone, which for a computer running WebClient is going to have some different controls around it than a fully qualified DNS record. Right, much more trusted in the network. Yep. So all this works because Addie and Dennis are joined at the hip, but most importantly it works because by default any authenticated user in Active Directory can create those DNS nodes. And we're missing a screenshot there, that's awesome. I don't know what happens when you do last minute slide updates, but we do know now. So imagine that there was a screenshot from ldp.exe of a DNS zone showing that authenticated users can create any child node. So it's all prior knowledge that any authenticated user can create any DNS node that doesn't already exist. They can't just edit any of them, with some exceptions. But while digging into the Active Directory schema and some of the protocol specs we noticed that
authenticated users can create some other things in DNS in Active Directory that were introduced with Server 2016, and they're not really broadly used or all that well known from what I've seen. But there's a thing called DNS zone scope containers and zone scopes that you can create underneath a zone for the purposes of using DNS policies to create split-brain DNS scenarios and control other types of policies. So what I found is that any authenticated user could create a zone scope container, under which any authenticated user could create a zone scope, under which any authenticated user can create a zone or a DNS node, and this is on any Active Directory integrated DNS server that's Server 2016 or newer.

So we took a Powermad function and modified it and created a New-ADIDNSZoneScope command, and on the next slide we've got a before up here. So on the left hand side you'll see what DNS Manager shows us about a test DNS zone, and then you'll see the same thing in ADSI Edit. After running New-ADIDNSZoneScope you'll see that DNS Manager looks exactly the same, but now in ADSI Edit we have the zone, the zone scope container and a malicious zone scope. So unfortunately that appeared to be a little bit of a dead end for what
authenticated users could do with that. The DNS zone scopes were, as I said, created to work in conjunction with the DNS policies from Server 2016 and newer, and those DNS policies are stored on each individual DNS server. Whereas the zone is replicated depending on the scope of the zone, the policies themselves are not replicated; they are per DNS server, and in this case the DNS servers are domain controllers, so they're stored in the registry in a place where really only administrators in the domain have access to them. But there's some things maybe we could do with that a little bit later on, and some environment specific things that might allow an attacker that's low privilege to create them. Let's go.

So the next thing I want to skip on to is some other prior research, from Dirk-jan Mollema and Elad Shamir, around DACL abuse and tying into Kerberos. So some of the research from these two shows possibilities for relaying Kerberos, unconstrained delegation, and also abusing resource-based constrained delegation in Active Directory. So this ties back to some of the research that Kevin did in Active Directory with DNS and the Powermad tool, and some tricky DACL issues that exist on a lot of computer objects by default, especially the msDS-AdditionalDnsHostName and msDS-AllowedToActOnBehalfOfOtherIdentity attributes, which is the resource-based constrained delegation mechanism for allowing access, and SPNs
as well. So this research shows ways that Active Directory integrated DNS and Kerberos interact and can be abused when combined with vulnerable DACLs. So a DACL is a discretionary access control list, so that's the permissions on an object, the whole picture of the permissions on a DNS object stored in Active Directory. This can open up some attack avenues that many defenders aren't really even thinking about yet, and I hadn't been thinking about them before starting this talk. Different types of DNS zones have different types of DACLs, and different DNS nodes get different permissions depending on where, how and who creates them. If a DNS node, which is a record, is created in a certain way, any authenticated user can change it, because they'll have GenericWrite on that record, for example. And we're going to have some resource slides and links at the very end of all this stuff, assuming those didn't get deleted as well.

So there's basically four ways to store a DNS zone: there could be forest, domain, legacy, and files. We're going to skip the files; that's the old way with zone files, it doesn't really integrate with AD. But the screenshot on the left shows a forest zone and it shows what it looks like in ADSI Edit, so it's in its own partition, in its own container, and on the right hand side we've got the DACL of that
forest DNS zone. So forest DNS zones are stored in that particular ForestDnsZones partition and they're replicated to every domain controller in the Active Directory forest. In Active Directory the forest is the security boundary. They have the strictest DACL out of any of the DNS zones, and they don't even allow a DNS admin any special access to it. The most common forest replicated zone is going to be the _msdcs subdomain, which was introduced in Server 2003. It's always going to be a forest DNS zone by default, even if you have a single domain forest. In modern AD this zone replicates to everything in the forest, and that is how clients and domain controllers locate other domain controllers, LDAP endpoints, Kerberos KDCs, etc. And yes, even in my lab the DNS is broken.

Domain DNS zones are probably going to be the most common type of Active Directory integrated DNS zone. They're also stored in their own separate partition, which is DomainDnsZones, and they replicate with all DCs in the domain, not the forest. The DACL is still pretty strict, but we'll see over on the right hand side that Domain Admins gets full control, whereas they didn't on the forest, and DnsAdmins gets a special DACL on here which is almost full control but not quite. Next slide. And then
the last thing here, which is really probably pretty hard to see from here, is the main DNS head object for all of Active Directory integrated DNS. It's stored under the main forest's standard naming convention, under System and then MicrosoftDNS, and that MicrosoftDNS in the System container is what I call the DNS head object, because that controls all of the Active Directory integrated DNS hosts and the permissions that they have. It inherits its permissions from the domain root, and permissions at the domain root are sometimes pretty atrocious. And then also you'll see under here that legacy zones are stored in this head unit and the root DNS servers are stored in that same container, and also can inherit their permissions from the domain root. And here, yeah, just kind of showing the inheritance and how that skips down, and looking at what it looks like in DNS Manager.

Next, from the Something Old, is abusing DnsAdmins. Back in 2017 Shay Ber released some research on a DLL loading issue, so you could use dnscmd to replace DLLs on a DNS server. Again, that DNS server is probably a domain controller. So this was released in 2017 and Microsoft patched it with CVE-2021-40469. So this was publicly known and available in the wild to exploit DNS servers and domain controllers to go
from a DNS admin to full system or full domain compromise from May 2017 through November 2021. It's been patched now, so any current OS is going to have this patch, but DnsAdmins is still a lot more powerful than a lot of people expect, and it's not protected by AdminSDHolder. So on the left we see what the DnsAdmins group looks like: it has explicit access control entries, Account Operators has full control over it, inheritance from the domain root, and again a lot of places have very poor permissions models on their domain root, unfortunately. On the right is what AdminSDHolder looks like by default in this lab, and this is a DACL that would get stamped on any protected object in AD, like a member of Domain Admins or something like that. It's a more strict DACL; inheritance is disabled, so it's not getting any permissions from the root, whereas on the left hand side, DnsAdmins, it is. So this means that there's a lot of paths from a standard user in a lot of environments that I've seen, or from a low privilege like help desk user, to DnsAdmins, whether that's at the domain through Account Operators or just weird permissions on the user containers. Yeah, yeah. And DnsAdmins also has an explicit access control entry on that DNS head object, and for domain DNS zones and
legacy DNS zones they don't have full control, but they do have modify permissions and modify owner, as we can see up here. A DNS admin could grant permissions to any arbitrary security principal and cause that to inherit down to the legacy zones or root hints. And also, if you are or can become the owner of an object in Active Directory, this by default is even more powerful than having full control, GenericAll, and if you watch the Trimarc content hub in the next couple weeks we'll have more on that.

And then now for something completely different. I'll be talking about something newer, things that I've happened upon while exploring ADI DNS. And I'm sorry, I'm not used to talking into a mic, so I'm messing that up a little bit, but we'll keep working on it. Defenders sometimes utilize things called DNS sinkholes to prevent access to malicious or unwanted domains, but what if an attacker could sinkhole traffic that might get them caught? Something that we came up with called evil sinkhole. There will not be a domain name bought for this. I don't know about that, I might buy evilsinkhole.com today. So DnsAdmins can... slide please. So DnsAdmins can create new domain DNS zones and legacy zones and local zones. DNS zones for an external domain that's in the internal DNS
zone will mirror the concept of split-brain DNS, and split-brain DNS allows the internal DNS server to look up external queries and provide an answer for that without recursing to an external DNS server. So this local DNS server thinks it's authoritative and it won't recurse, so it's going to return the IP address that the DNS admin created, which is 192.168.1.1, instead of whatever the actual real external IP address for Application Insights at cloudsim.com would be. And you'll notice that Dennis Admin, which is a DNS admin of course, because why not keep up the bit, is the owner on the object and has full control over the object.

So DnsAdmins can also create conditional forwarders. These are also replicated throughout the domain, and conditional forwarders give you a little bit more control over what's going on, but it'll forward any query for that entire DNS namespace to explicitly defined DNS servers for lookup, and those explicitly defined DNS servers could be an attacker controlled DNS server, an attacker controlled DNS box, or just nothing, because if the query doesn't forward it just times out. And that's what we see, that's what would have been on that slide. So what could you use evil sinkholes for? Well, I've seen some EDRs that you could actually blind with DNS. Thankfully most of them have figured
this out and understand that, hey, it's always DNS, and put some fail-safe IPs in there. But you can kind of mess with the telemetry of some EDRs, you can mess with SIEMs whether they're hosted internally or in the cloud, you can mess with update hosts and mess with patching and AV signatures, AV uploads, redirect traffic to trusted sites or internet zones. But it's really loud; you can see it in the GUI, it applies to everything in that entire namespace. So I was just wondering if there was a quieter way, and I looked at some of the stuff in Server 2016, which was those DNS policies that got introduced. They're a little bit more interesting because they don't show up in the GUI; the primary interface is through PowerShell. The fun thing about this is it's really a post compromise scenario, because these DNS policies can only be created by an administrator on each individual DNS server. That's because the DNS policies are stored in the registry on the DNS server, AKA domain controller. They're stored in HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows, blah blah, and all the administrators, SYSTEM and TrustedInstaller have access to that registry key by default. An attacker with administrative rights, AKA post compromise, could perform some really targeted DNS manipulation to block or redirect traffic, and you could do that in concert with those DNS zone scope containers and
DNS zone scopes, because the query policies in here allow you to define subnets that you want to manipulate the queries to come from. So you could create that subnet down to a /32 and just use one host that you want to mess with the traffic on, and it lets you either filter queries out or replace those queries with the things that you put in the zone scope. So if an attacker could get SYSTEM or TrustedInstaller on the DNS server, they can manipulate that DNS record also, but it's a domain controller, so again post compromise. But if the AD environment is poorly configured enough, which we see all the time, which we see all the time, there's sometimes overly permissive DACLs at the domain root, or weird permission issues on Group Policy objects that are applied to the domain root or to the Domain Controllers OU, that might allow somebody to execute code on the DC as SYSTEM or make registry modifications that would allow you to manually create these same DNS policies across all domain controllers. But again, that would be post compromise.

Just remember, these DNS policies in Server 2016 plus are not just for malicious traffic. This is really the Microsoft recommended way now to implement split-brain DNS if you actually need to do that. It's also great for filtering out malicious queries,
malicious sites, if you don't have a forwarder or something to do that for you.

And this is what we originally called Jim's big new hare-brained idea: dangling SPNs. So I want to ask you, how many of you have ever configured an SPN on an object in Active Directory? Raise your hands. You've got two, two. How many of you have deleted an SPN off of an object in Active Directory? Okay, good, good, all right, cleaning up somebody else's mess, that's great. So this is more of a thought experiment or a theory than a working concept for now. But while I think I know Kerberos, every day I'm reminded by Kerberos how much I don't know. So where Active Directory integrated DNS relies on Active Directory to function, many parts of Active Directory rely on DNS to function. That includes Kerberos. More specifically, Kerberos relies on user principal names, service principal names, and especially that host part of the SPN; all rely on DNS. So there's a couple of blog posts out there that inspired this idea. There's one from Charlie Clark, another one from Dirk-jan, Kevin Robertson, and then also Elad Shamir, which isn't there now. Cool, all right. So those blog posts cover some ways of manipulating an existing computer object to add an SPN to it, then create a
hostname and a DNS record for it, to manipulate it for relaying Kerberos, unconstrained delegation, or manipulating it to get resource-based constrained delegation to work. But I've noticed a lot of times, looking at Active Directory environments, especially in really large organizations, that SPNs get created and added to service accounts but they rarely get taken away; nobody wants to break anything. So if there's an SPN out there that points to a host that no longer exists, can we take that SPN and that hostname and manipulate DNS to redirect that Kerberos traffic and get it to go to an attacker controlled machine or to a higher value target? And that would depend on whether it's unconstrained delegation or constrained delegation.

And now that I've kind of went through Something Old and Something New to celebrate Addie and Dennis's 23rd anniversary celebration, you might be thinking about or wondering, like, maybe I should just ditch Active Directory integrated DNS, or maybe you already did, outsource all your DNS functions to a third party like BIND or maybe some hosted DNS solution. There's a bunch of cloud DDI solutions out there now. I just want you to think about: as critical as Active Directory is to DNS, DNS is critical to Active Directory, and in that control plane for Active Directory, if you outsource that DNS, that provides all your records for tier
zero, DCs, for Kerberos, for LDAP and everything, to a third party, you're giving a part of your control over Active Directory to that third party, or maybe even your network engineers. So instead of thinking about that, let's have Jake tell us about Something Borrowed.

Yeah, so we're calling this Something Borrowed because all of these already exist. I mean, this is not new knowledge by any means. So, ways to defend your DNS environment. Number one, not really DNS related, sorry, but it still needs to be included: disable LLMNR, disable NBNS, and maybe disable multicast DNS. The first two are not required in a modern network, haven't been for a while, get rid of them. The third one might be, but you probably can get rid of it too. Next up here we've got a wildcard record. As Jim mentioned, Powermad can create a wildcard record if it does not exist; however, it can't create a wildcard record if it does exist. So be proactive, get out there, create your wildcard record. It's a little touchy on exactly what you need to do. If you are in a single domain... oh, I need to read my notes here. If you are in a single domain forest, you should create a wildcard record that is an A record. If you are in a forest with multiple domains and a DNS suffix search order,
with DNS suffix search order set up, you need to create that as a TXT record, or else non-fully qualified domain name queries are not going to work. That being said, just use fully qualified domain names anyway. And then we also have the WPAD record. As we talked about earlier, we mentioned it, we didn't really talk about it. It's the Web Proxy Auto-Discovery record. This kind of tells your clients where there's a proxy in your network. You might need it, you might not in your environment. If you do, make sure it's set to the correct address; if you don't, create a TXT record; any request for that WPAD record is just going to fail.

Empty out your DnsAdmins. I think we've shown how easy DnsAdmins can be to attack, and the excess rights that DnsAdmins tends to carry in most environments. Just keep it empty; let your AD admins do their thing. Second to last here, eliminate legacy zones. A legacy zone, when you're creating a DNS zone and it's got that option that says Windows 2000 compatible, don't choose that one. Get rid of those. Windows 2000 has been end of life for over a decade, please clean up your... And then the last one is just taking a look at your global query block list. This is a list that lives on
each DNS server that says these are host names that I am not going to resolve. By default the WPAD record and ISATAP are included. There were well known attacks for a while on those. There are ways to bypass the global query block list, but just make sure those two at the minimum are included.

And then it's time to dig into everybody's favorite thing, auditing. Number one here is not exactly auditing, it's actually configuration, but DNS as it exists currently allows you to set up a service account to do dynamic updates on DNS nodes. So what this is: instead of Jim's computer saying, I want to create a DNS node called jim, and now Jim's computer owns that jim record, now Jim says I need a DNS node called jim, the service account creates that record, has ownership, has full control over that record. What this gives you then is you are able to lock down those zones quite a bit tighter and remove Authenticated Users from having the rights to create DNS nodes. That makes that second point there, auditing your DNS DACLs, a lot easier. As Jim showed, there's a lot of interconnected stuff when you get into DNS. If you can minimize the amount of possibilities of what will work, your auditing becomes a lot easier. Third there, audit DNS zones. These are available in your DNS console;
you should be able to look through them and say, hey, maybe hacker.io shouldn't be a zone that we have. Maybe it is for you, I don't know. Same thing with zone scopes: do they make sense in your environment? Same thing with policies: do they make sense in your environment? Now I mentioned that DNS zones, you can see those in the DNS console. Zone scopes you cannot see in the DNS console; you're going to have to take a look using PowerShell or ADSI Edit or IPAM to see these zone scopes, so be aware of that. And then the policies, because those are stored on each DNS/DC server, those need to be queried individually. They're stored in the registry; that makes it difficult, so use PowerShell to look at those. And then for dangling SPNs, if you hate yourself you could probably find these all in Active Directory Users and Computers or ADSI Edit, but I don't wish digging into every single object in your environment through the GUI on anyone, even Jim. So instead, PowerShell: use that, enumerate those and find out those hosts that no longer exist.

So it's all well and good, it sounds like a lot of stuff, but we've got Something Blue for you. It is the Blue Tuxedo. So Jim often wore a blue tuxedo back in high school. We were
really looking for a picture of him in his blue tuxedo back in the day. Blue Tuxedo will be released later this year, hopefully at Wild West Hackin' Fest in their Toolshed, because that's the perfect place to release tools. But we're going to go through, we're going to search for those dangling SPNs that we talked about. So again, that's an SPN where the host portion no longer exists, which, even if you can abuse those with DNS, you should still clean that up. Yeah, that's right, again, clean your... up. I'm going to check DnsAdmins membership, so again we're going to try and get that as close to zero as possible. If it can't be gotten to zero for whatever reason, we're going to check and make sure that at least those users are in other groups that are protected by the AdminSDHolder object, so that would minimize the amount of abuse that they could take. Then we'll scan for both the wildcard and WPAD records and then, depending on exactly what's found, offer some different suggestions. So if it's a TXT record, in most environments, for both of those, it's going to be good to go. An A record is a little suspicious, depending on, again, your exact environment. If you find an NS record set up for wildcard, straight to jail; like, it is
time to figure figure out what's going on in your environment and then if you have none of those if you if they don't exist the blue tuxedo will offer to create them for you so you know again proactively taking care of your environment uh we'll dig into the global uh Global query block list make sure that those two settings uh wpad and isotap are both exist or they both exist and then list the other ones too because as we talked about uh earlier today while editing these slides poorly um we've realized that DNS admins may be able to create a different sinkhole using the global query block list so DNS admins can enable disable and modify the
the Global Query Block List, and that's a per-DNS-server setting; it is not synced to Active Directory, correct. Then we will check to make sure that you've got a DHCP dynamic update service account set. If that doesn't exist, we'll let you know; if it does exist, we'll let you know if the password is old, because in the environments that we assess, 90% of the service accounts never have password changes, or they're over three years old. Yeah, just terrible.

Not related to that: the DACLs. We are going to look and make sure that the DACLs on your various DNS items make sense. Authenticated Users should not have write permissions to your DNS head object, for example. Additionally, we're still working this out, but it seems like some of these DNS attack tools like Powermad kind of have a signature when they modify DACLs, so we'll take a look at that; if we see it, we can indicate, hey, this looks like Powermad created this. And then one thing that we had on the slide but didn't really mention was tombstoned DNS records: when a DNS record becomes tombstoned, it becomes world-writable. Also bad.

Conditional forwarder auditing: we're going to list those for you; make sure that the conditional forwarders make sense in your environment. Yet again, is google.com going to a Russian IP? You might want to delete that one. I don't know, maybe. Auditing: same thing. Do you know what they are? If you don't, you probably don't need to have these set up in your environment.

And then two things that we did not touch on at all in this talk but are important are your forwarders. When you deploy DNS Server out of the box, no forwarders are configured, and instead all of your queries are going to the DNS root servers. It's slow, it's inefficient, it's possibly insecure, and it's an iterative process: it starts at the DNS root and then works its way down, whereas the normal forwarding process is recursive: it works its way up, etc. Did you have something you wanted to say there, Jim? Oh, I was just going to mention and remind everybody that the DNS root hints object exists in a pretty insecure area, where all the permissions are inherited down from the domain root. Right.

And then the last thing on the list here is kind of part security, part hygiene. When your DNS servers are making requests out to forwarders, they randomize their source ports; by default it's 2,500 ports. That's good. You can go up to a maximum of ten thousand; we're just going to tell you to do that, and we have not seen any impact on performance, so why not do the maximum?

So hopefully a Blue Tuxedo at any wedding is going to make sure that that wedding lives happily ever after. Thank you all for coming out; you didn't have to come out, and we love that you're here. I want to thank Kevin Robertson, Shea Bear, Charlie Clark, Dirk-jan Mollema, Elad Shamir, BSides Charm for having us, Trimarc for paying for us to be here, and Jim for his first presentation. [Applause] Thanks, thanks Jake. [Applause] So if you have any questions: I saw that we've got less than five minutes left, so we can do some questions. Anybody? Yeah, what have you got?
Oh boy. We were mostly looking at Active Directory-integrated DNS, not Azure Active Directory-integrated DNS, for this specific talk, but it's a whole other ball game. Yeah, there's a lot of stuff there too, and I haven't even dug into it. Yeah, we have not even touched that yet.

Oh, from that aspect, absolutely. We see a lot of stuff from, yeah, so we know, we look at Azure AD; we haven't looked at Azure DNS, to be very clear about that. Thanks, Danny. So yeah, we see a lot of stuff with Active Directory on-prem and Azure AD where people are syncing privileged roles from on-prem AD up into Azure AD and having those be Global Administrators and stuff like that. That opens up opportunities where, if somebody can get control of on-prem AD, they can most likely compromise your Azure Active Directory tenant as well. Yeah, there's a lot of attack paths with that. And I think Christina just, yeah, Christina, on some of the low-hanging fruit for that, Christina Barrillo will be releasing, is it later this week, Danny? Yes, later this week. What's that? Next weekend. hub.tryymarksecurity.com. Man, having a marketing guy in your front row is terrible.

Yeah, so I guess, do we have, we have the reference slides at the end of this, assuming that we didn't delete all those, but I just wanted to, I promise you they exist; we'll fix that and we'll put some slides that actually have all the stuff we were talking about on the internet later. But I just want to remind everybody that there's one thing that's really true in Active Directory. I just want to say, I'm Jim, this is Jake, but: it's not DNS. There's no way it's DNS. It was DNS. Thank you.
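As an added example that is not part of the talk and is not Blue Tuxedo's own code, here is a read-only PowerShell script that runs several of the checks the speakers listed above against an Active Directory-integrated DNS server: DnsAdmins membership and whether each remaining member carries the AdminSDHolder marker (adminCount), wildcard and wpad records in the domain zone (TXT expected, A suspicious, NS bad), the per-server Global Query Block List (wpad and isatap present, extra entries flagged), the DHCP dynamic update credential and its password age, forwarders, conditional forwarders, socket pool size, and dangling SPNs. It assumes the ActiveDirectory, DnsServer and DhcpServer modules are available and that the caller can read AD and the DNS/DHCP server; the defaults for `$DnsServer`, `$ZoneName` and `$MaxPasswordAgeDays` and the `Invoke-DnsHygieneCheck` function name are illustrative assumptions, not settings from the talk.

```powershell
#Requires -Modules ActiveDirectory, DnsServer, DhcpServer
# Added example, not Blue Tuxedo's code. Read-only: it reports and changes nothing.
# Assumptions: run on (or with RSAT against) a domain DNS/DHCP server by a user who can
# read AD, the DNS server and the DHCP server; parameter defaults are illustrative.
function Invoke-DnsHygieneCheck {
    param(
        [string]$DnsServer = $env:COMPUTERNAME,       # assumption: local server
        [string]$ZoneName  = (Get-ADDomain).DNSRoot,  # assumption: the domain's own zone
        [int]$MaxPasswordAgeDays = 365                # assumption: service account threshold
    )
    $findings = [System.Collections.Generic.List[string]]::new()
    function Add-Finding([string]$Severity, [string]$Message) { $findings.Add("[$Severity] $Message") }

    # 1. DnsAdmins should be empty; any remaining member should at least carry adminCount=1,
    #    the marker SDProp leaves on principals protected by AdminSDHolder.
    foreach ($m in Get-ADGroupMember -Identity 'DnsAdmins' -Recursive) {
        $ac = (Get-ADObject -Identity $m.distinguishedName -Properties adminCount).adminCount
        $sev = if ($ac -eq 1) { 'Medium' } else { 'High' }
        Add-Finding $sev "DnsAdmins member $($m.SamAccountName) (adminCount=$ac)"
    }

    # 2. Wildcard and wpad records: TXT is the expected placeholder, A is suspicious,
    #    NS on the wildcard delegates every unmatched name to that server.
    foreach ($name in '*', 'wpad') {
        $rrs = Get-DnsServerResourceRecord -ComputerName $DnsServer -ZoneName $ZoneName -Name $name -ErrorAction SilentlyContinue
        if (-not $rrs) { Add-Finding 'Medium' "No '$name' record in $ZoneName; any authenticated user could add one"; continue }
        foreach ($r in $rrs) {
            $sev = switch ($r.RecordType) { 'TXT' { 'Info' } 'A' { 'Medium' } 'NS' { 'High' } default { 'Low' } }
            Add-Finding $sev "'$name' in $ZoneName is a $($r.RecordType) record"
        }
    }

    # 3. Global Query Block List is per server (not replicated): wpad and isatap must be
    #    present; any other entry is worth explaining, since DnsAdmins can use it as a sinkhole.
    $gqbl = Get-DnsServerGlobalQueryBlockList -ComputerName $DnsServer
    if (-not $gqbl.Enable) { Add-Finding 'High' "GQBL disabled on $DnsServer" }
    foreach ($req in 'wpad', 'isatap') {
        if ($gqbl.List -notcontains $req) { Add-Finding 'High' "'$req' missing from GQBL on $DnsServer" }
    }
    $extra = @($gqbl.List | Where-Object { $_ -notin 'wpad', 'isatap' })
    if ($extra.Count) { Add-Finding 'Medium' "Extra GQBL entries on ${DnsServer}: $($extra -join ', ')" }

    # 4. DHCP dynamic update credential: must be set, and its password should not be ancient.
    #    ($cred is $null when the DHCP role is absent, which is reported the same way.)
    $cred = Get-DhcpServerDnsCredential -ComputerName $DnsServer -ErrorAction SilentlyContinue
    if (-not $cred.UserName) {
        Add-Finding 'Medium' "No DHCP dynamic update credential set on $DnsServer"
    } else {
        $pls = (Get-ADUser -Identity $cred.UserName -Properties PasswordLastSet).PasswordLastSet
        $age = [int]((Get-Date) - $pls).TotalDays
        if ($age -gt $MaxPasswordAgeDays) { Add-Finding 'Medium' "DHCP update account $($cred.UserName) password is $age days old" }
    }

    # 5. Forwarders, conditional forwarders and source-port socket pool size.
    $fwd = Get-DnsServerForwarder -ComputerName $DnsServer
    if (-not $fwd.IPAddress) { Add-Finding 'Low' "No forwarders on $DnsServer; queries go to the root hints" }
    Get-DnsServerZone -ComputerName $DnsServer | Where-Object ZoneType -eq 'Forwarder' | ForEach-Object {
        Add-Finding 'Info' "Conditional forwarder $($_.ZoneName) -> $($_.MasterServers -join ', ')"
    }
    $pool = (Get-DnsServerSetting -ComputerName $DnsServer -All).SocketPoolSize
    if ($pool -lt 10000) { Add-Finding 'Low' "Socket pool size on $DnsServer is $pool (maximum is 10000)" }

    # 6. Dangling SPNs: host portion matches no computer object and no longer resolves in DNS.
    $known = @{}
    Get-ADComputer -Filter * -Properties DNSHostName | ForEach-Object {
        $known[$_.Name.ToLower()] = $true
        if ($_.DNSHostName) { $known[$_.DNSHostName.ToLower()] = $true }
    }
    Get-ADObject -LDAPFilter '(servicePrincipalName=*)' -Properties servicePrincipalName | ForEach-Object {
        foreach ($spn in $_.servicePrincipalName) {
            $parts = $spn -split '/'
            if ($parts.Count -lt 2) { continue }
            $hostPart = ($parts[1] -split '[:/]')[0].ToLower()   # strip port / instance suffix
            # skip GUID-style hosts (replication SPNs) and hosts that still have a computer object
            if (-not $hostPart -or $hostPart -match '^[0-9a-f-]{32,}$' -or $known.ContainsKey($hostPart)) { continue }
            if (-not (Resolve-DnsName -Name $hostPart -DnsOnly -ErrorAction SilentlyContinue)) {
                Add-Finding 'Medium' "Dangling SPN '$spn' on $($_.DistinguishedName)"
            }
        }
    }
    return $findings
}

Invoke-DnsHygieneCheck | Sort-Object -Unique
```

Because the Global Query Block List and the socket pool size are per-server settings, run the function once per DNS server (for example over `Get-ADDomainController -Filter *`) rather than trusting one server's answer for the domain. The dangling-SPN check issues a live DNS query for every unknown host, so it is slow in large forests and will also flag SPNs registered against CNAME aliases that someone has since removed, which is usually exactly what you want to clean up.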