
This mic is not very loud. I'm going to try and project a little bit, but I do have a fairly loud voice; you should be able to hear me. If everyone's... yes. So, whoever thought it was a good idea to have an Active Directory... Also, that walkout song would be a lot better if I'd actually brought the band here.

So I have been thinking about this talk for a long time, because, it's funny, my work is very technical but I've never actually given a technical talk, because I'm never going to figure out how to make content. There are so many things wrong with Active Directory, but how do you only talk for an hour? I've given a four-hour training on something that's going to be one slide; I've given an eight-hour training on securing Active Directory. But again, this talk is not an exhaustive discussion of Active Directory security. One, I don't want everyone going to sleep, and two, I don't know. This is also not a talk about Azure AD. I'm going to bring that up a few times. The name is horrible, Azure AD. If you think that it has anything to do with Active Directory, aside from the fact that Microsoft makes them both: the directory, the authentication methods, everything, they're not the same. So no, I'm only talking about Active Directory security. Most of the stuff that I'm talking about here is not actually applicable in Azure AD, because they fixed it and introduced some other nonsense there. I will hit it up there.
But again, I only have an hour, so this talk is focused singularly on one section of the ATT&CK matrix. It is only on one technique, which is discovery. I'll go into why Active Directory is the way it is, I will go into how to secure it, I will go into the history of it. But most of the things that we hate about Active Directory are intentional, and there are very good reasons; it made a lot of sense 22 years ago or even longer. So I'm going to try and point people in the direction of fixing those things. Again, this is only an hour, I can't do magic.

First, I had to say that I'm not speaking on behalf of my company. So I work very hard; nothing I'm saying here has anything to do with my work. I also don't do anything in the ICS security space. I am the boring side; I secure internal, blue team. So if you think I do any of the fun stuff like Rob and Lesley do, I don't.

So I drove up to Chattanooga this morning. I love Knoxville. I am a little biased with this. I loved, I don't know how many people came when this was essentially like codified bar hopping at the conference, I loved it. It was the coolest conference ever. This is still awesome, it has the same vibe. I love BSides Knoxville, but I just love the whole bar hopping thing; it felt like what pubs were in the 1700s, where some drunk guy stands up and rambles about something for a while. Now I have fewer excuses.

So these are my four sections here. Why is Active Directory the way it is? If this were at the bar afterwards I could probably ramble for an entire hour on just that. That is fun, but I actually want to leave people with something that they can use. What is it? I'm going to do a very brief history lesson and point you towards some better history lessons. SwiftOnSecurity actually has some really good stuff, and that's mostly what I'm highlighting; they say it better than I do. I wanted to give a whole kind of primer on how to attack Active Directory, but I'm just going to talk briefly about how much of Active Directory, by default, is configured to let everyone see what they want, and then removing Active Directory default read permissions, which is the whole point of this talk. But I'll need to set it down.
So first, has anyone in this room worked on Active Directory before it was... wow. I am not old enough to have done that, but I have, unfortunately... yeah, that is older than me. I support it because we're a wonderful industry and we like a lot of things. OK, so hands, anyone Windows 2000? OK. 2003? Wow, we've got some people that have done this for a while. 2008 then? Cool. So a lot of what I'm talking about is literally things that are 25 years old. If you saw the abstract for my talk, that's the whole premise here: we thought about security completely differently 30 years ago, 25 years ago, and Microsoft now is not really supporting non-cloud things, so Active Directory is left on the vine to rot.

So why is that? OK, so maybe I'm doing one. I was going to do a whole history lesson here, but actually these three SwiftOnSecurity threads, dive into them, dive into the sub-threads, they are much better than anything that I wrote. So one, Active Directory started off, and I'm going to cover the similarities and the differences between it and Windows NT domains, but the whole premise there is that Windows NT had very little security, very flat. You could not segment things out, you couldn't set
permissions on individual attributes; it was very black and white. So Active Directory comes and improves on that. The problem here is that Active Directory is simultaneously too large and too small. They tried to include so many things. I don't know how many people are familiar with actual identity providers and IAM practices, but Active Directory at its core, Active Directory Domain Services, is an identity provider, but then they throw in DNS, they throw in all this fancy Kerberos authentication stuff, they've thrown in Group Policy, which now can manage things, they throw in Certificate Services, and there are all of these things. So Active Directory is way too large; it's more than it should be. And then simultaneously it's too small. You see the bottom one here; I'm going to read it, because that's actually really small if you're in the back. "The problem with Active Directory is scope. It's not big enough." It's funny, because I said it's too big. "It's a system that was sold without tools to make it successful: password self-service, easy group management, automation of per-service delegation, lack of management tool enrollment, naivete." And then advocation, because of course SwiftOnSecurity does their own work. But the point there being: wow, we're going to build this system that makes it super easy for people to manage their networks, and then we're not going to actually maintain it and give people the tools they need. So there are a lot of tools to extend Active Directory. For the most part I would recommend you use the cloud; there are reasons you can't, and I will actually get into some of that. But probably, I think it's something like 97 percent of the Fortune 500 has Active Directory, because you need it. Even the company I'm at, Dragos, we started out completely cloud first, we had no on-premise anything, but then, OK, we have a firewall and we have ESX, we have these legacy things that don't support SAML, so now we have to integrate with, well, that would be Active Directory. So it's very hard to escape while there's still legacy stuff out there.

And then this top one, I'm kind of jumping around here, but Active Directory has LDAP, it has DNS, it has Kerberos, you can do certificates; it's insane. But then also the naivete, that top right one, I can't understate it enough: "Active Directory is a product that believes in humans and expertise. It defines and exposes innumerable interfaces that give you power however you desire, to demand what power you should not have. It is the core without the rubber bumper." So why? I'm actually going
to unpack some of that in organizational context in a second, but Active Directory replaced NT domains in 2000. Windows NT domains were flat: no domain trees, no forests, no organizational units. Again, if you don't fully know what those are, and trusts, that's not in scope here. But it was flat; it didn't have all the things you'd expect an identity provider to have, even five years later. You could not set permissions at the attribute level, which is going to be really key to some of the stuff I'm going to talk about. And security priorities were different in the year 2000. We used to believe so firmly in the perimeter, in the firewall; we used to think that we were safe inside of our network and we really needed to focus everything on that perimeter. There are fancy words around that now, deperimeterization and zero trust and all that, but we now assume breach. We did not, and there were people even back then assuming breach, I mean Cliff, there's all sorts of stuff, but security priorities were different in the year 2000. So people weren't thinking, well, I need to make it so people can't see these things. We weren't thinking that. Well, I especially wasn't, because I was not old enough to be thinking these things.

Active Directory has made some major improvements in 2008 and 2016, but those were mainly the bare minimum, things that people had been asking for for almost 16 years. But Active Directory has had no functional improvements in the last six years, literally no change except for security patches. So that's why we are where we are: at the core of most of our networks, and at the core of most of our identity systems, is a system that is not built for the problems we have today.

Now here, organizational context. Generally when I'm talking about Active Directory, you fall into two scopes. Help desk people, sysadmins, who think, "I've used Active Directory, I'm an expert
on it." This is a problem, and this is not gatekeeping, I do not... this is not gatekeeping. But the problem is, Active Directory is actually, back to that problem of being too big and too small at the same time, most people use one functionality in it and they think that they know how to use it, they think they know how to secure it. I've interviewed a ton of people who will claim they're an Active Directory expert, and when you go into it they've never used anything outside of ADUC, Active Directory Users and Computers, which essentially is how you manage users and computers, groups and all that. But that is a major problem, because you assume that it is easy, and you assume it's easy to secure, or secure out of the box. Now generally that's early in your career. Once you see a bit of Active Directory you finally go, wait, this thing is completely unsecured, let's throw it out, you can't use it, it's not going to be secure. But it's in your network, so you tend to just ignore it, because you think it's too complicated. So you have people over here thinking it's super easy, don't have to secure it, and people over here thinking it's super hard to secure, let's not even try. So, like I said, it tricks people into thinking it doesn't need much attention.

Then also, it is a business critical system. So even if you might be convinced that you need to change it and you can change it, people can say no, no, don't touch it. For the most part, I've seen Active Directory domains running 2003, even just a few years ago, that are just running and doing everything you need, so why am I changing this? But the thing is, that's why I am coming at just one problem, just the discoverability here, because this is one of the biggest problems. Getting up to Active Directory functional level 2016 can get rid of a lot of the insecure crypto and the NTLM and all of that nonsense that gives attackers one-click access. There's a lot of other stuff that needs to be fixed too, but to me there's comparability. So the thesis here on this slide is: Active Directory can be secured. You need to give it some attention, and there are actually ways to go about it carefully without breaking anything. So nothing is black and white; for anything, don't fall into these camps that are like, oh, that's super insecure, we can't secure it. No, actually Active Directory has all of the tools you need to secure it pretty damn well. It does. I also don't love the whole concept that the more bugs you find in
something, we think, as an industry, the more bugs found in something the less secure it is. I tend to actually think the opposite for the most part. Active Directory has so many vulnerabilities detected because it is so widely used, with so many eyes on it. Now there are some problems, but I don't think it's necessarily inherently less secure than much else; it just has some security faults that are complete nonsense and need to be reverted. But that goes to the other piece of Microsoft's problem, that actually I think they are fixing: Microsoft's security problem is that they are backwards compatible forever. Active Directory domains in 2016 are built where every single user is in a group called Pre-Windows 2000 Compatible Access, because we need to be backwards compatible with everything, and that's actually one of the key problems I'll talk about. But Windows 11, I think, is showing, as much as people like to beat on Windows 11 and blah blah blah, the UI, they're just trying to make it look like Mac, the key thing to me as a security practitioner, and someone who cares about Microsoft products because they run our organizations, is that they are not supporting all hardware. They actually got rid of a ton of backwards compatibility, not as much as I would like, but Windows 11 shows that they are willing to break old things. So there is hope. Will Microsoft ever do that for Active Directory? No, because they don't make any money off of it and they want to move to the cloud. But that's just my point, that a key problem here is that Microsoft needs to be backwards compatible forever, and that's a major problem in our organizations.

So, the attack surface. I feel like I'm spending a lot of time, but this is not a primer on the MITRE ATT&CK framework. I'm literally talking about one thing, and just from the frame of Active Directory.
So here is the very zoomed out MITRE ATT&CK framework. I'm going to zoom in for a second. These are a bunch of tactics, techniques and procedures that attackers use to target your systems; if you don't know about it, read about it. But right there, there are 30 techniques. I think in my abstract I said 26; apparently there are 30 in discovery. So you can't read all these, but I tried to fit everything here. So these are 30 techniques. I highlighted all of the ones that are by default discoverable in Active Directory. These are the things that I'm going to talk about very soon here, about how we can get rid of them. Account discovery. If you're thinking about Azure AD, then the next two, cloud service discovery and cloud infrastructure discovery. Domain trust discovery, can't really get rid of that, unfortunately. File and directory discovery. Group Policy discovery, fixing that in one of these slides. Network service and network share discovery. Password policy discovery. Permission groups discovery. All of these things.

And then what I love about thinking about it in this direction, well, there are a couple of reasons I like thinking about it in this direction. One, I think attackers, pen testers, anyone on the offense, the red team side, is spoiled, especially by Active Directory. It makes it too easy: they do a couple of clicks, they see everything they want. You get rid of things that they're used to just being able to see, and they get confused very quickly. They're like, wait, no, no, Active Directory, you can't get rid of that, you've broken your Active Directory. Now you can hide these things. I have not been able to make it so that BloodHound does not pull anything; I'm trying desperately to make BloodHound, which, if you don't know what BloodHound is, you have to try it on an environment. I assume most people at this point do, but I don't know who's in the audience. So it's a great tool for finding all of these attack pathways in Active Directory. But one of my goals is to figure out how to make your environment almost invisible. I don't know if it's possible without breaking things.

This isn't security by obscurity. There are a couple of slides in here, I hate security by obscurity, but I'm going to highlight a couple of things. This is literally just: why would your users need to see these things? There are so many things here that a user just does not need to see. The only reason a user would need to see it, for the most part, is if they're actually an attacker. So think about this through the lens of the principle of least privilege, least functionality; let's lock things down. Again, there were those concepts back in 2000 as well, but we were so spoiled back then by thinking that the perimeter would save us. So some of these are nonsense: system time discovery doesn't tell me enough, I don't know why that's a whole technique; you can tell me, if you're on a red team, if you think that's useful. System owner and user discovery is one that actually, yeah, I would love if that was more discoverable. Most environments did not actually input a system owner, and you just look and there you go, those scream tests.

So yep, here's the crux of it: removing Active Directory default
permissions. So I'm going to be showing mostly screenshots and walking through why this is wrong and how to fix it. That's actually very small, but I'm going to walk through it anyway. This is just a default OU. So an OU is an organizational unit; it is not a group, it is a container of other objects. In this one I have one called Computers. So you see that Authenticated Users has read, and by default that's how this one was configured; it's just how Microsoft ships it out of the box. So Authenticated Users is not a group, it's a security principal, it's dynamic, it means anyone authenticated. So differentiate that from the one on the top there, Everyone. Authenticated Users will still be, at least, it's still better than Everyone. Everyone means even if you're... that's scary. You see that used in a lot of places; it is just frightening. You see a lot of times, like network shares, people are like, well, I just want to give everyone access to this. No, people. So Authenticated Users feels better, but authenticated users can read everything in this OU. If you hit Advanced you can see "this object and sub-objects". But I'm also showing this because most people don't realize how it could be. No, dude, I'm going to say: don't try these things in prod, I realize I haven't said that yet. Do not just go... That is nonsense, this person shouldn't be able to read that, because Authenticated Users is also a misnomer: computers are users too. This is authenticated objects, authenticated principals; there could be a lot of better names for it, but whatever, we're dealing with what we have here. That's my thought. So computers are user objects that you just don't have to set the password for; they dynamically update their password.

So I will talk about it in other slides that a lot of times, when you might have the urge to just get rid of Authenticated Users, you could replace them with Domain Computers in a lot of places. There are, obviously, computers need to see almost everything in Active Directory; I'll talk a little bit about what they do and don't need to see. Users do not need to see everything. Computers need to be able to see if that user is able to authenticate, and all sorts of other things; they need to see group policies, they need to know what applies to them. Do not just remove things. This is more so highlighting that this is the problem, they should not be able to read; let's figure out how to fix some of this. And I'm also mostly talking here about default settings. I will talk in my final slide about tools like PingCastle and BloodHound and AD Explorer; they're great to discover some of this, but you may
have weird things. I actually have the privilege of having only a three-year-old Active Directory domain that I manage here; that is wonderful, there is not a lot of old weird crud. But I have seen some nonsense out there. I've seen all sorts of people, really well meaning. The worst is, I came into an environment when I was doing a merger and acquisition, and I saw Domain Users in the built-in Administrators group. Why? Well, everybody, we need people to be able to RDP to their desktops over the VPN. And that, when we go down for a second, that is the single sort of thing that gets us into these problems. It's like, well, no, it's just our users, they're not going to do anything. There's even a built-in Remote Desktop Users group; there are so many better ways to do this, even if you just want to give everyone RDP to everything. People don't realize what the Administrator account can do. Don't use your Domain Admins accounts for anything except for administration. Yeah, you need to have privileged groups. There are a hundred things that I think you should do with Active Directory; I'm trying to focus on discovery.

So, on to the biggest problem here. A lot of you probably first heard about this with PrintNightmare: the Pre-Windows 2000 Compatible Access group. I'm going to call it like three different things here; I do not want to spell that out. I call it pre-Win2K for the most part on these slides; not a lot of other things are called that so frequently. If you did not have Authenticated Users in this, then you weren't vulnerable to most of the things in PrintNightmare. Most people, up until that stuff came out, did not realize that you could actually do anything about this; they just thought, well, Active Directory is... it's a feature, not a bug. It is unfortunately a feature, but we can fix it.
There's a funny one here. So this group, it says in the description here that it is a backward compatibility group which allows read access on all users and groups in the domain, because again we needed systems to be compatible with Windows NT. If you don't have Windows NT you do not need Authenticated Users in it. But also, do not just remove it; do not just remove Authenticated Users from this group because you don't see a reason why. I'm going to tell two stories here. One: for the most part I see that people assume, so people either assume you can read everything in Active Directory, or no one can read anything. In that other camp, no one can read anything, I will see people create service accounts for LDAP binds with Domain Admin rights, because they assume, who but Domain Admins would be able to see all of my objects? What account? But if you have your domain set up this way by default, you do not need to put your LDAP bind accounts in Domain Admins. Domain Users would do it; technically no group would do it, because it's just Authenticated Users. So people either, well, I'm just going to put them in Domain Users, or I'm going to put them in Domain Admins, because obviously this is an elevated service account. So this group is why any user can be used as an LDAP bind account.

I also want to point out, we're only really talking about the user object here. Authenticated Users is separately granted full read on every group object; I'm not talking about breaking that right now, this is a bigger problem. So how would I do this, how would you remove this? Like I said, do not just delete it and leave this group empty. There's a reason; yes, you are using this, you are taking advantage of this feature for the most part. So what I like to do is remove Authenticated Users and add Domain Computers and Domain Users at first. That is still much better, because that means, if you're not having guest accounts, you're toning it down a little bit. Now, secondary, go get a list of everything that should be running, a SQL service account or all of that. Now, unfortunately you probably don't have a good asset inventory, so your admin is not going to even give you all of these. So this is why I do this, possibly slowly. You set up an account, called like "allow LDAP bind" or something. Now there are better delegated ways to do this, but for now, even just having five, six accounts in this pre-Win2K here, I'm fine. So you get this list, you add those. What I like to do slowly, because you have a lot of groups in your domain, is, OK, remove Domain Computers, and maybe you have another computers group; maybe you have a bunch of sites around the world and you have your users grouped up into different sites, you can slowly remove those. And I like to break one or two things at a time so you know what broke. If you break this too quickly your management is just going to say, hey, stop, you don't need to do this. Do it slowly, slowly pare it down. This is what you call the
scream test. OK, you may not have imagined the context, but everyone here has probably done a scream test. What's this computer doing? I have no idea, let me unplug the NIC and see who screams. This VM, it doesn't have an owner, it's been running for 16 years with a bunch of uptime, let me just disconnect it. We've all done scream tests. It is unfortunate; it's like the fire drill of asset inventories. It's like, who owns this? Well, if someone cares enough they'll tell me. So this is a scream test. Unfortunately, there are ways, if you have good monitoring, to find all of this; it is not easy. It is just easier, trust me, to do it slowly. You've got to communicate to your users. I'm not on your change advisory board, I don't fully care how you do it, but they will tell you: you've got to communicate to your users.
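The Pre-Windows 2000 Compatible Access procedure described above (record the membership, add Domain Users, Domain Computers and a delegated group for the accounts that genuinely need broad read, remove Authenticated Users, then pare the broad groups away one at a time and revert if something screams), as an added PowerShell example that is the editor's, not the speaker's. It assumes the RSAT ActiveDirectory module; the group name `AD-Read-Delegated`, the function names and `svc_ldap_bind` are placeholders. Membership is read and written through the group's `member` attribute so that the Authenticated Users foreign security principal (S-1-5-11) is handled like any other DN.

```powershell
# Added example, not from the talk: narrow "Pre-Windows 2000 Compatible Access" in
# phases, with a saved copy of the original membership as the revert plan.
Import-Module ActiveDirectory

$domain      = Get-ADDomain
$preWin2k    = 'Pre-Windows 2000 Compatible Access'
$bindGroup   = 'AD-Read-Delegated'   # placeholder: your "allow LDAP bind" group
# Authenticated Users sits in the group as a foreign security principal object.
$authUsersDn = "CN=S-1-5-11,CN=ForeignSecurityPrincipals,$($domain.DistinguishedName)"

function Get-PreWin2kMembers {
    # Read the raw attribute; Get-ADGroupMember can choke on well-known principals.
    (Get-ADGroup -Identity $preWin2k -Properties member).member
}

function Save-PreWin2kMembers {
    param([string]$Path = ".\prewin2k-members-$(Get-Date -Format yyyyMMdd-HHmm).txt")
    Get-PreWin2kMembers | Set-Content -Path $Path   # keep this file: it is your revert
    $Path
}

# Phase 1: swap Authenticated Users for Domain Users + Domain Computers + the delegated
# group. Add first, remove second, so the group is never empty in between.
function Invoke-PreWin2kPhase1 {
    [CmdletBinding(SupportsShouldProcess)]
    param()
    if (-not (Get-ADGroup -Filter "Name -eq '$bindGroup'")) {
        New-ADGroup -Name $bindGroup -GroupScope Global -GroupCategory Security `
            -Description 'Accounts needing broad read of users/groups (e.g. LDAP bind accounts)'
    }
    $add = @(
        (Get-ADGroup 'Domain Users').DistinguishedName,
        (Get-ADGroup 'Domain Computers').DistinguishedName,
        (Get-ADGroup $bindGroup).DistinguishedName
    )
    if ($PSCmdlet.ShouldProcess($preWin2k, 'add broad groups, then remove Authenticated Users')) {
        Set-ADGroup -Identity $preWin2k -Add    @{ member = $add }
        Set-ADGroup -Identity $preWin2k -Remove @{ member = $authUsersDn }
    }
}

# Phase 2, later: once every bind/service account you found is in $bindGroup, remove
# 'Domain Users'; after another wait, 'Domain Computers'. One at a time, so a scream
# tells you exactly which removal broke something.
function Invoke-PreWin2kRemove {
    [CmdletBinding(SupportsShouldProcess)]
    param([Parameter(Mandatory)][string]$GroupName)
    $dn = (Get-ADGroup $GroupName).DistinguishedName
    if ($PSCmdlet.ShouldProcess($preWin2k, "remove $GroupName")) {
        Set-ADGroup -Identity $preWin2k -Remove @{ member = $dn }
    }
}

# Revert: restore exactly the saved list.
function Restore-PreWin2kMembers {
    param([Parameter(Mandatory)][string]$Path)
    $saved = @(Get-Content -Path $Path)
    Set-ADGroup -Identity $preWin2k -Replace @{ member = $saved }
}

# Typical sequence (spread over days or weeks, announced to users each time):
#   $backup = Save-PreWin2kMembers
#   Invoke-PreWin2kPhase1 -WhatIf                                   # review, then run for real
#   Add-ADGroupMember -Identity $bindGroup -Members svc_ldap_bind   # for each account you find
#   Invoke-PreWin2kRemove -GroupName 'Domain Users'
#   Invoke-PreWin2kRemove -GroupName 'Domain Computers'
#   Restore-PreWin2kMembers -Path $backup                            # if something screams
```

Run `Restore-PreWin2kMembers` against the domain controller closest to whatever broke, as the speaker suggests, so the fix does not wait on replication.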
... the different ways to discover, and how to create the proper delegation, but slowly swap it out. As you find something, add it into that other group. Do it slowly, do it slowly. And this is pretty easy to revert. If you have a large domain, if you're reverting this, revert it on the most local domain controller so it gets fixed quickly, so you don't have to wait for sync. But yeah, I mean, that's just fun administrative stuff.

So I've talked about BloodHound a bit. This is another... this isn't actually an Active Directory change, this is a change on your endpoints. It connects to Active Directory, but
by default everyone, Authenticated Users, can enumerate network sessions to everything. OK, why does someone in HR need to know who is connected to, like, who has a file share open? They don't. So there is, this is a fairly manual process, but there is a PowerShell script down there; look up NetCease. So run this on your domain controllers, bare minimum, and again, do it slowly, test it on one level, all that stuff. Don't go breaking prod, but if you do, make sure you're ready to revert it. What you would do, though, is you would run this once on, like, a Windows 10 machine, but then you'd export the reg key and import it into your policy, or just create a GPO. What I will say is that BloodHound is super sneaky and I'm trying to find every single way to catch it. Anyone here... sorry, I really want to be here, guys. This should be my job, but unfortunately Active Directory just makes things too easy for the attackers right now. But this will get rid of one of the major ways of enumeration: accounts accessing shares, sessions, all sorts of things.

So, password policies. This was a change in 2008, I believe, using fine-grained password policies. The way that legacy password policies were
set up, again, I'm not defining all these things for you, GPO, I'm assuming people know; if not, you have a lot of reading, it's just fun to me, it may not be to you. But in about 2008 fine-grained password policies became a thing; in 2012 there's a GUI to manage it. Don't install a third-party tool to manage it, don't start weird things on your domain controllers; please use the Microsoft tool that's already there. There almost needs to be, like, a road map, I'm sure someone has it, it needs to be like a road map of when certain security features were installed, based on, you know. So for example fine-grained password policies, FGPPs, they're also called password settings objects. This is how you would set password policies now. In the past you used the Default Domain Controllers Policy, the Default Domain Policy, but that meant you had one password policy. So, moving away from my main subject here, one of the beauties of FGPPs, or PSOs, is that you can say service accounts have 25-character passwords, and change this off, and have stricter lockout, but your normal user population can have a 12-character password. You can set these things more finely. You could not do that; even if you thought you were doing it with your policy, it was not working, because you could only really have one. The beauty for my actual discoverability talk here is that PSOs are only viewable to users who are applied to that password settings object. So you might think that's not that big a deal; actually, though, I mean, it helps if you know that service accounts have 25-character passwords. Well, actually, that may scare an attacker away; that actually may be a good thing to expose. But if they can see that, maybe you even have something that's stricter, or a non-stricter, looser one that only has eight, whatever; they can use that information. You just don't want to give legit information to your attackers whenever possible. Hey, if
you wanted to create, like, a honey PSO here and trick them into 175 weird things... I don't think so, but, yeah. Let's do one more thing. Again, one of the techniques there on the MITRE framework, under discovery: password policy discovery. So I'm back to this slide, but privileged account OPSEC. Privileged accounts, so, like, previously Microsoft would call these tier zero, but anything that is used to administer your domain, figure out ways to hide it, honestly. So what I would do is create a privileged account group, administrative... I actually hate the word privilege because I always think it needs to be earlier in the word, so I tend to use administrative instead of privileged, but that has nothing to do with it. But create a special group for your domain admins and for things like that, where you have less privileges on there; test your accounts there, so that, again, in fact you can't do great things. There is a cool tool called AuthLite; I did not get any money for it. They are actually super cheap; I'm not showing it, it's like $45 a user for a perpetual license. AuthLite is an MFA tool that essentially is a schema update to Active Directory that allows it to support both OATH tokens and other OTPs, so you can use the YubiKey, but not in FIDO2; I could get into all those logistics. But what is really cool about AuthLite is that you wouldn't put any of your users into Domain Admins; it dynamically adds them to that group by SID only when you plug in with your YubiKey. So it's another one, this is kind of falling into that security by obscurity. What I really liked there, though, is attackers look at your domain admins and they go, wait, there's none, except for the default domain admin and the break glass account. What? And so I love it because it's one of those, it's there, they can still use it, but the attackers, if they don't know what AuthLite is, they just immediately go, what? And then they're trying to target your break glass. You know you have your break glass account. I don't know how many people follow the Office, or watch the Office, as closely as me, but I think that your domain admin, specifically your break glass account, should almost, if you know Wolf in the Office, it should generate that many alerts for you. You should get a fax and a text and someone should show up at your front door; you should get every way of notifying; it should scream at you every time someone logs in as a domain admin, especially your break glass,
because that just should not happen very often. So there's a lot of ways. I could not have those on slides; I tried, right here, I could not have a slide covering it, so I'm covering it verbally: there are so many just things that you should be considering here with your privileged accounts, how to make them less discoverable. Honey, that means rename your... do not use your default administrator account. Don't. Stop using it. You're probably using it; someone is. I worked at, this was ages ago now, but I was at a company, a large automotive manufacturer, that, their default admin, there were so many logs and logins to their default admin, so they're like, you can't reset it, you can't reset its password, everyone's using it. So what I did is ask every single person I met, hey, I forgot that admin password, could you give it to me? And I listed every single, like, looked at their badge and took a note of every single person in the company who told me the admin account. It was like 160 people by the end, not kidding. But then I had a list and I'm like, so, fun, this is the problem, but two, now I know who's using it, so we can work on this. So what I'm saying is, if you have it enabled, people are using your admin account.

So this, again, I hate security by obscurity, but let's use what we have for us. What I love to do with the administrator account is rename it to something; rename it to a user, rename it to John Doe, or generate crazy names there. Yeah, [unclear] and come up with some crazy names. And so attackers can still find it, because there is a built-in SID, but create another account that has no privileges called Administrator, give it adminCount 1, and add it to that same policy that you have, to alert the hell out of you when someone tries to log in. Now at first you're gonna have to tune it because you have things that are trying to log into it, but create a honey user; that'd be a cool way to find these things. That's another OPSEC... there's a lot of ways, but the key here is try and hide your domain admins. If you are hiding them, try to rename them to something that's not obviously, like, DomainAdmin [unclear], don't do that. Like, sure, you can, and I get you always have to weigh, like, usability; don't just give them, like, numerical usernames, because we don't want it to be too complicated, but figure out a way that works within your company to obfuscate your domain admins.

So, Default Domain Policy. This is, I do
actually have to have words on this one. But a couple things: one, do not rename your [unclear]; don't do it, don't make major changes to this. That is... but what I'm highlighting here is that security filtering on all group policies, when you create them, is set to Authenticated Users, which means that all, again, we've talked about Authenticated Users already, that means all authenticated users can read and enumerate everything in your policies, which means that attackers can see whatever good or bad things you have in there. They can see maybe you have dedicated boxes that have less, like, less hardening, you know; they could use this for all sorts of things. There is, I mean, I do have a resource slide at the end, but there's a tool called Grouper2 by Mike Loss, who actually built group policy back in the day, Australian dude. He made the product that eventually became group policy, but he has a tool called Grouper2 that goes and pulls all your policy information and finds all your misconfigurations.

So one of the biggest ways to fix this is do not keep Authenticated Users in there. Authenticated Users is given default scope on group policy objects as you create them. This is tricky because Microsoft actually, in 2008, changed the way that your policies are applied, so you may think, I'm applying user settings, when you do a GPO to a user, oh, why isn't it working? Group policies are applied to computers; the computers are what needs to be in scope here. Users actually don't need to read them; it's just how it's applied, trust me. So Domain Computers as a scope is a good quick fix here. So what I'm saying is remove Authenticated Users, and you can, almost without breaking anything, you can add Domain Computers to every one of your group policies, unless you have a loopback policy. If you have a loopback policy, add Domain Users again, but for the most part Domain Computers go in your group policies; good quick fix. Now, fortunately, if your users are admins and your attackers are admins, then they can run as SYSTEM; this still gets rid of a lot of this. But you really should be scoping so that only people who need to, only computers specifically, or users for loopback, but Domain Computers, good quick fix. But you should be scoping this down to just the computers that need that policy: you have it just for HR computers or just your jump boxes. Microsoft has ways to create, there's already scripts for, like, what do they call them, but it's like shadow groups, where you can map a group to an OU. There's all sorts of cool stuff here, but the key is, go... well, I'm actually, when I get to resources, I'm going to talk about Grouper2 for this one, but just try and do it almost immediately and remove Authenticated Users and add Domain Computers.

Oh, I'm already under resources, so I'm going to talk about each of these tools, what they do. Reading: there is so much reading you can do, but really, three of the biggest people that I follow are Ned Pyle, PyroTek3, which is, indeed, from [unclear], and [unclear]. So, but this is where, like, attack yourself first, test these things. If you think that you can't see anything in Active Directory, test these things. Look at this Sysinternals Microsoft tool,
AD Explorer. Just open it up and see what your users can see by default; just look through your Active Directory, see all the attributes that are just exposed. Grouper2: so on top, the discoverability here is crazy, and it'll show you stupid configurations, like if you're not using LAPS yet and you're setting passwords and you have passwords decryptable in group policy, it'll show you that fault, that password. I've seen some crazy things where, like, someone is running an executable at startup for every computer, but then that executable is writable by the Everyone group, so an attacker could change that executable and put a malicious executable, and it's already in your... they don't even have to do anything, really; they just throw a malicious executable and you've already told it to run. So Grouper2 is great because it will tell you every single thing that is misconfigured in your policy. PingCastle: everything I've talked about, PingCastle covers much better than I did. It's a cool report you can use. So PingCastle does a bunch of misconfiguration checks; it'll also do kind of BloodHound-light stuff that will tell you some, like, attack paths. But BloodHound is the, okay, if I wanted to get to the crown jewels, I want to get into a domain controller, what accounts have access to something, you know, it shows you the whole map.

So use these three things: audit, get scared, get scared shitless about what you can see, and then this will motivate you to actually fix some. BloodHound Enterprise: and so I threw a little bit of shade towards SpecterOps, so I'm going to come back. If you are on the blue team, though, BloodHound Enterprise is not that expensive. It runs, it means you don't have to run your own Neo4j, and it can generate reports for you. BloodHound Enterprise will save you a lot of time and actually give you executive reports on what you have fixed and stuff. So Grouper2, BloodHound: they're not made for us; you have to kind of do some tweaking and some squinting of your eyes to look and see them through the lens that we need. PingCastle, absolutely, it's made for defenders. Also they have papers [unclear], because they're great.

But yeah, that is it. So the best way to ask any questions: I will not be doing questions, or too much; you can find me drinking, or, I mean, my handle is homebrewtech, the world's greatest irony because I now am allergic to gluten and I cannot brew beer, but I used to. But I kind of made the [unclear] like the thing. But all that to say that I
it's completely fine, me, I will pop up because I love to talk about these things. I'm just not doing Q&A right now. But I will be, hopefully, releasing a report template that I've used in the past when I was consulting, that you could use to essentially report these findings to your C-suite, to your CSO, to your key manager, whoever it is. I haven't got it ready; the only problem is that I am locked out of my GitHub because I don't have my old email address, so I cannot figure out how to upload it. But when I fix that, there will be... these slides will be available on my website, ombretech.com, for [unclear] talks, and that template will be there. So again, thank you to all of you mad kids who thought Active Directory at nine in the morning would be a good idea, but I hope I informed you of something.
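The GPO security filtering change the talk recommends (drop the default Authenticated Users scope, add Domain Computers, keep Domain Users only for loopback GPOs), written up as an added PowerShell audit-and-fix script. This is not the speaker's code; it assumes the RSAT GroupPolicy module, the rights to edit the GPOs, and that you name your loopback GPOs yourself via the `-LoopbackGpoNames` parameter.

```powershell
# Added example (not from the talk): audit GPO security filtering for the
# default "Authenticated Users" scope and, only when asked, re-scope it to
# "Domain Computers" as recommended in the talk. Assumes the RSAT GroupPolicy
# module and rights to edit the GPOs; supports -WhatIf.
[CmdletBinding(SupportsShouldProcess = $true)]
param(
    [switch]$Remediate,                 # report only unless given
    [string[]]$LoopbackGpoNames = @()   # GPOs using loopback also get Domain Users
)
Import-Module GroupPolicy -ErrorAction Stop

# Every GPO where Authenticated Users still holds Apply Group Policy
$findings = foreach ($gpo in Get-GPO -All) {
    $hit = Get-GPPermission -Guid $gpo.Id -All | Where-Object {
        $_.Trustee.Name -eq 'Authenticated Users' -and $_.Permission -eq 'GpoApply'
    }
    if ($hit) {
        [pscustomobject]@{
            Gpo      = $gpo.DisplayName
            Id       = $gpo.Id
            Loopback = $LoopbackGpoNames -contains $gpo.DisplayName
        }
    }
}

foreach ($f in $findings) {
    Write-Warning "Authenticated Users can read and apply: $($f.Gpo)"
    if (-not $Remediate) { continue }
    if ($PSCmdlet.ShouldProcess($f.Gpo, 'Re-scope security filtering')) {
        # GpoApply includes Read, so computers can still retrieve the policy
        Set-GPPermission -Guid $f.Id -TargetName 'Domain Computers' -TargetType Group `
            -PermissionLevel GpoApply | Out-Null
        # Loopback GPOs keep a user principal in scope, per the talk
        if ($f.Loopback) {
            Set-GPPermission -Guid $f.Id -TargetName 'Domain Users' -TargetType Group `
                -PermissionLevel GpoApply | Out-Null
        }
        # Finally drop the default Authenticated Users entry entirely
        Set-GPPermission -Guid $f.Id -TargetName 'Authenticated Users' -TargetType Group `
            -PermissionLevel None -Replace | Out-Null
    }
}
$findings   # the audit result, whether or not anything was changed
```

Run it without `-Remediate` first and review the list; with `-Remediate -WhatIf` it prints what it would change to each GPO without touching anything.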
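The decoy administrator account from the talk (rename the built-in account, create a no-privilege "Administrator" with adminCount 1, and alert on any logon attempt against it), as an added PowerShell example that is not the speaker's code. It assumes the ActiveDirectory RSAT module, that the RID-500 account has already been renamed, and that the OU path is a constructed placeholder you replace; the event query is meant to run on a domain controller.

```powershell
# Added example (not from the talk): a no-privilege decoy named
# "Administrator" with adminCount=1, and a query for authentication
# attempts that name it. Assumes the ActiveDirectory RSAT module; the OU
# path is constructed and must be changed.
Import-Module ActiveDirectory -ErrorAction Stop

$decoyName = 'Administrator'
$decoyOu   = 'OU=Decoys,DC=example,DC=com'   # constructed placeholder path

# The real built-in administrator is the RID-500 account, whatever its name
$domainSid    = (Get-ADDomain).DomainSID.Value
$builtinAdmin = Get-ADUser -Identity "$domainSid-500"
if ($builtinAdmin.SamAccountName -eq $decoyName) {
    throw "Rename the RID-500 account before creating a decoy called $decoyName"
}

# Create the decoy once: member of nothing beyond Domain Users, random password
# that is never recorded, adminCount=1 so it looks privileged on enumeration
if (-not (Get-ADUser -Filter "SamAccountName -eq '$decoyName'")) {
    $pw = ConvertTo-SecureString ([guid]::NewGuid().ToString()) -AsPlainText -Force
    New-ADUser -Name $decoyName -SamAccountName $decoyName -Path $decoyOu `
        -Description 'Built-in account for administering the computer/domain' `
        -AccountPassword $pw -Enabled $true -OtherAttributes @{ adminCount = 1 }
}

# Nothing legitimate should ever authenticate as the decoy, so every event
# naming it is a finding: Kerberos TGT request (4768), Kerberos pre-auth
# failure (4771), NTLM validation (4776), failed logon (4625). Run on a DC.
function Get-DecoyAuthEvent {
    param([string]$Name = $decoyName, [int]$Hours = 24)
    $filter = @{ LogName = 'Security'; Id = 4768, 4771, 4776, 4625
                 StartTime = (Get-Date).AddHours(-$Hours) }
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue | ForEach-Object {
        # Pull the named EventData fields out of the event XML
        $data = @{}
        ([xml]$_.ToXml()).Event.EventData.Data | ForEach-Object { $data[$_.Name] = $_.'#text' }
        if ($data['TargetUserName'] -eq $Name) {
            $source = if ($data['IpAddress']) { $data['IpAddress'] } else { $data['Workstation'] }
            [pscustomobject]@{ Time = $_.TimeCreated; EventId = $_.Id; Source = $source }
        }
    }
}
Get-DecoyAuthEvent
```

Expect a short tuning period: the first hits are usually scanners and scripts still wired to the old name, which is exactly the list of legitimate users the talk describes hunting down.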