
BSides Buffalo 2026: Toxic Combinations: How Active Directory Misconfigs Chain into Compromise

BSides Buffalo · 49:30 · 11 views · Published 2026-06
About this talk
Active Directory remains one of the fastest paths to full enterprise compromise, and attackers know it. Modern AD breaches rarely rely on a single “big exploit.” Instead, threat actors chain misconfigurations, delegated rights, and credential abuse into repeatable attack paths that quietly lead to Tier‑0 control. This talk breaks down the real‑world attack techniques used to compromise Active Directory today, including credential theft methods such as Kerberoasting, AS‑REP Roasting, password spraying, NTDS.dit extraction, and DCSync. It also examines common privilege escalation and persistence techniques, including Kerberos unconstrained delegation, Golden and Silver Tickets, AD CS abuse, SIDHistory injection, and identity trust exploitation. Attendees will leave with a practical understanding of how attackers move from initial access to full domain compromise, along with the “toxic combinations” of permissions and configurations that create hidden attack paths most defenders do not recognize until control is already lost.

All right, I guess we're all set to start. The next presentation is going to be from our friend Craig Burge. He'll be talking about the toxic combination of how Active Directory misconfigurations chain into Tier 0 compromise. So, just want some quick ground rules here. If you have your phone, please try to make sure it's on silent. And if you need to access the restroom, as you go out here in the hallway, turn your left turn your right. As you go in the first left, you'll see there is a bathroom sign. You can either go to left, but it's going to be pretty down there. And yeah, if you have any questions

regards to the space, anything going on, you have those two gentlemen with the yellow shirt, Ron right here, me, and we're here to assist you. So, Craig, without any further ado, please, the floor is yours, and give it up for Craig, please. >> Thank you. >> [applause] >> So, first of all, thanks for having me at BSides Buffalo. Spoken at a couple of BSides. So, I love connecting with BSides. So, what we're going to talk about today is what you don't know will cost you. Modern AD attack paths and toxic combinations. So, what am I really talking about here, right? So, these are the things as Active Directory administrators, we tend to not look at, right? So, we

don't look at these. We think they're safe. But these are the things that get us in trouble, from an attacker's perspective. Because attackers know that as Nico proved earlier, it's the things basically we have these misconfigurations in our environment and if we all know, or maybe you don't know, Active Directory has been around for 26 years. So, there's a lot of misconfigurations to be found. I'll just say it that way. So, who am I? So, I am Greg Birt. I'm a principal security engineer at Kayos Software. I'll talk a little bit about Kayos Software, but it's not about Kayos Software. But more importantly, I am an identity security enthusiast. I love Microsoft identity security. I host Guardians of the Directory

podcast. I have I'm going to date myself here. So, I've been around the block about 25, 26 years in Active Directory security and architecture. And throughout my career, you know, I tried to leave Active Directory several times to do other things. And then something, you know, always came back. I was always, you know, getting pulled back into identity and obviously I have a passion for it. So, fun fact, I looked back into Active Directory's birthday and we actually share the same birthday. So, maybe it was my destiny, right? I mean, who knows? It could have been my destiny. So, the other thing I will say, one plug because it's free for everybody. Kayos Software Guardian Protector.

He talked about getting visibility into seeing ACLs, DACLs. Test it, try it. If you love it, let me know. That's the only thing I'll say there. So, how can you connect with me? Greg Birt on LinkedIn. Follow Guardians of the Directory podcast. So, that's enough about me. Let's talk about why Active Directory is the target. So, if we look at Active Directory as being the target, why is it the target? Well, first of all, if you run Active Directory in your business, raise your hand. Yeah. It's 98% in enterprise. How many people run hybrid Active Directory? Raise your hand. Exactly. Right? So, Active Directory is a target because it controls

enterprise authentication. So, what does it control? Authentication, authorization into apps. >> [snorts] >> It established trust in the organization, right? And that's what it And then also there's a It's our recovery as well. We don't think of it like that, but it absolutely is. So, we have to look at recovery. So, if AD is compromised, right? Security controls, they fail. We know that, right? So, keep that in mind. What happens if Active Directory goes down? You guys hear me over there? I don't have no speakers, so. Good. So, what if your Active Directory goes down, right? Your business operations stop. If your Active Directory goes down, are you going to function? Probably not. So, that's one of the things. So, the

other thing is if compromised, our recovery assumptions break. And you probably are thinking, "Why do I say it that way?" And we'll get into that later on to the topic. So, think about that right there. Recovery assumptions break. So, attackers, and I'm not picking on Nico, right? You want to say something to the virtual world? So, we'll talk about You're a team player. I love having him in here cuz he just set me up. Attackers really build their strategy around this, absolutely. Right? They are building their strategy around if I can uh basically persist, and that's what we're going to talk about next. So, how have attacks evolved? Well, if we look at about how attacks initially started, what was

it about? Ransomware, encrypted files, right? What was that? It was destructive, very fast, very noisy. But that's not what we're seeing today. What are we seeing today? It's about controlling the identity, right? It's more patient, right? Persistent, sometimes invisible. So, ransomware did not get smarter. They just got more patient. So, modern-day attacks, they're identity first. Attackers moved I'm not going to say that they don't encrypt files. Do not take that the wrong way. But, they moved just from encrypting files to being able to control the identity control plane. To become destructive, we'll get into that. So, we can even go back to even a recent attack. There was a healthcare organization that just had a recent attack that involved

Microsoft into it. It was not a Microsoft into an attack. I guarantee you that. It was an identity attack. So, if we look at it from that aspect, right? So, going back to it really is, you know, people say ransomware. It's cyber extortion. That is the new business model. Encrypt and all of them. I know we're going to encrypt. Yes, that's still true. But, more it's moved to extract, encrypt, extort, and then sell. Right? I'm going to extort you. First of all, pay the ransom. Do you pay the ransom? No. But, I have your data. So, what's my next threat? I need to threaten you to say I'm going to sell your data. If I sell your data,

or if it's your customers' data, I may even go after your customers as well. Right? So, now it's a true business model. And this business model rewards patience and the persistence and quiet access, which is actually what we're going to talk about today. So, if you chain these identity attacks, what they can provide to an attacker. So, what I want you to understand, attack paths, they're not exploits. They are an inherited trust inside of your organization. Here's a simple example, nested groups. Right? Membership change that silently expand privilege code. So, let's look at the next one. Delegated rights. Sound familiar? Permissions granted for convenience. Hey, how many of you guys ever Are you

Are you an AD admin? Anybody that's been an AD admin? Couple, right? I started my career out as an AD admin. I am guilty of all of these. And this one. Unreviewed permissions. So, let me ask you guys a question. What's the most dangerous permission out there? Go ahead. >> Is it a GenericAll? >> No. The one I put in yesterday. >> C- C- C- C- C- C. >> That's the truth. Why? >> Correct. >> Because I'm not going to go back and look at it again. Keep that in mind. Yes, GenericAll is definitely in there. >> Yeah, that's correct. >> from a different mindset, right? It's the permission I forgot about

yesterday. So, what happens, right? Small decisions, they accumulate. So, let's think about that. We make these changes. Active Directory, 26 years old. How many AD admins have we had in your environment? >> Too many. >> Many. First of all, do all AD admins manage Active Directory the same way? >> No. >> No. Think about it. I can tell you I was on a fairly large Active Directory team and none of us did the things the same way. Right? So, what I want you to think about right now: attack paths exist whether the attackers are present or not. Think about that. So, here is a very simple Active Directory attack path. It's a nested group attack path.

And I am guilty of this one as well. So, I got a group inside of my Active Directory and there's members in this group. And then what do I do this, right? We stick in domain admins, maybe, or another group that has privileges. None of this seems unsafe at this point, right? Because we're going to monitor that other group. We think we are. But here's the problem. From an attacker's perspective, I just gave him tier zero. Simple administration, we do it all the time. And I'm not picking on AD admins, because I was one. So now let's understand a little bit about the threats. So let's look at how some attack vectors and then we're going to go through some

things. Misconfigurations is definitely one that we have to be aware of, right? Misconfiguration, what do they do? They create the opportunity. So what is a misconfiguration? A misconfiguration could be a firewall, an application server, Active Directory, Azure AD, right? They can have misconfigurations as well. Credential theft. What credential theft can be coming from? Phishing. We'll talk about some other areas as well. I could go buy credentials. But what does credential theft actually turn into? It turns access into authority. Then what's the holy grail? What if I'm an attacker, what do I need? I need privileges. How do I get privilege escalation? Well, you guys showed us. It expands our control, right? So you think about that.

So what matters is not the technique. It is the bracket it lives in and how these overlap. So let's talk about a couple misconfigurations you might want to look at. This one. Anybody heard of SAML? Anybody hear of Solar Gate or attack? So, Golden SAML attacks, right? They didn't break authentication. It was a trust. So, SolarWinds, Solar Gate, you've probably heard of. >> Yes. >> Yes. >> Yeah, Golden SAML was the aftermath. Active Directory Certificate Services. How many people actually use AD CS? >> Not well. >> Right? What was AD CS supposed to help us with? >> Identity. >> Security. Trust. And again, thanks Nico. Man, this is too easy because you if you were for his

class earlier, he set this up perfectly. Misconfiguration templates, they turn that trust into long-lived access. Right? So, we put in certificates to secure our environment, but if a certificate's compromised, it's silent trust. That's what I'm saying there. Hybrid Active Directory. We already talked about it. You guys raised your hands. You have hybrid Active Directory. You ever hear of the identity bridge called AD Sync or actually it's called Entra ID Connect Sync now? >> Yeah. >> Or Cloud Sync. But I'll name myself who used the AD Sync back in the day. You can use the account as a bridge into the environment. Now, here's the thing. That account is explicitly trusted by Active Directory and by Entra ID. So,

if I access the account, there's no such thing as zero trust. It's explicitly trusted. So, if I compromise the bridge, what happens? I have both on-prem Active Directory and control of your cloud. Anybody hear of the Mercury attack in 2024? That's exactly what happened. So, persistence. Here's another thing I want you to understand: if I'm an attacker, my goal is if you reboot, I stay. Hello, I'm still here. That's my goal. Because if you can reboot me and I can't survive the attack, my goal is basically survival reboot, but also, and I said this earlier, recovery. As an attacker, I need to be able to survive recovery. And that's what

true persistence is. So, let's look at a couple of different things here. So, password and ticket harvesting. We're not going to go into these deep, but here's a couple of them. Anybody here heard of roasting? Yeah, very common. AS-REP roasting? >> Yeah, I know some of it. >> Password spraying, most common technique, still works in some organizations. How about directory level credential access? You dump the Active Directory database. There's many tools out there. DCSync attack. Anybody hear about DCSync? You're going to see it. I'll actually do that. So, at some point in every successful AD attack, this access becomes what? Credentials. And I'll tell you right now, credentials change everything.

So, here's one that hopefully nobody's still worried about. So, if you aren't familiar, in Active Directory, if you don't lock this down, any user can add up to 10 machines in the domain. So, what if I'm an attacker and I compromise a regular domain user? >> [snorts] >> That's a problem if I don't have this locked down. Cuz now what can I do? I can put my attacker machine in the domain as a domain user. Oh jeez, now I have like complete trust between Active Directory and my machine. That's a huge issue. Now, hopefully we're locking this down, right? So, this exists, right? It's really there originally to scale environments. But attackers use this to manufacture

trust in the organization. With tokens. You know, if you heard about delegation. If you haven't, unconstrained delegation. So, what does this allow us to do? Impersonate, right? I can impersonate whoever. There was you know, could be Actually, there was a meme that was going away or going around a long, long time ago. My mom and dad said I could be anything, so I became an Active Directory domain controller. >> [laughter] >> Right? Have you not seen it? Anybody seen that one? I'm a little nerdy, so yeah. So, it's true. I can abuse. Right? That's another one. Escalation to DA and privileged service accounts. Without being So, this privilege escalation works because trust is transitive. So, think about

that. When Active Directory was built 26 years ago, there was no concept around zero trust. Right? We always thought as long as it's within our four walls of our organization, we're good. Also, there was no concept of secure by design. That just came out a couple years ago from Microsoft. I'll pick on Microsoft again. Right? So, just keep that in context. But so, if you think about that, then you know, it's fully trusted. It's not secure by design. And then what did we do with Active Directory? We simply basically said we're going to connect it to the cloud. And we didn't do anything probably to clean it up before we connected it to

the cloud. So, what did we do? We extended our control plane. Anything that was messy in Active Directory was now messy in the cloud. I don't know. Maybe you should go back and look at that if you fall into that. So, I'm just going to pause here for a second. What do you guys think the new attack surfaces are? In the Microsoft ecosystem. Cuz I know we're going to get all kinds of other ones. >> AI. >> AI? Something like that? In the Microsoft ecosystem. I'll make it easier. What do you think the new attack surfaces are? >> 365. >> 85. >> Azure. >> He He What did you say? >> Like 80 attack vectors in software.

>> Yeah, everything there. Yeah. So, let's look at some of these emerging threats today, right? So, some of these you might have heard of, some of you may have not. So, Azure AD permissions. Anybody use Azure AD? >> No. >> Apps. Graph API permissions. Anybody hear of Midnight Blizzard? >> No. >> For those of you with Midnight Blizzard attack that happened Oh, so let me break this down. It was actually an attack against Microsoft. It started out I actually do this talk about the attack. I'll talk about it real quick. It started out with a password spray. Remember I said that still worked. They password sprayed a Microsoft test tenant. The test tenant actually had

an application inside of there, and that user that they password sprayed was an application owner over that Azure AD application. That Azure AD application had some high privileges in Graph API permissions, right? So, Graph API. And then what they were able to do is they found out that not only did that app have high permissions, it had actually rights to their production tenant. So, they you know, lateral movement, full privilege escalation. It was all over the news, right? How many of you guys use VMware? >> Not as much as I used to. >> Yeah. Probably not as much. Okay. Were you guys aware about the VMware ESX authentication bypass? Some people are shaking their heads. Yeah?

If you're not, there was a group that I can directly go ESX admins. And before a patch, if I was in that group, I could take over your ESX environment. Full control, root. And then I'll have to say this because we have this almost every patch, right? AD old up vulnerability. Right? Or the next big zero day. Right? There's always the next. So, we'll talk about that. And then really, when I say the next big zero day, it's really a bigger problem because of things like Cloud Mitre, those. Both. AI. You guys mentioned some of those things. Those zero days become very quick to exploit. But that's not it, right? Microsoft Teams. How many of you guys use

Microsoft Teams in your organization? Oh, yeah. What about this one? This has been going around you know, some of the news every day, right? Teams external access, malware delivery via chat. Any red teamers? Any red teamers in here? Nope. What... Okay, we have one. Have you ever heard of Combo C2? >> I've been using Combo C2. >> So, Combo C2 is a red team tool that was used for penetration of Microsoft Teams. It allows you to webhook. I can do webhooking. I can actually do this. This actually became something that I didn't know about until probably maybe 4 months ago, 5 months ago. It's called Conversational C. So they I'm thinking it was Combo C2. But,

basically what they're doing here is they're impersonating IT support and then basically telling them to run PowerShell. Great conversational C. There was one ransomware group actually ransomware variant called Magic Bus. It's still highly available and they actually still do this. So, we always say phishing, right? Phishing is where we do social engineering. Yes, it is true. But, Teams is the new playground for social engineering. I'm going to tell you that right now. From a Microsoft perspective, absolutely true. Now, I'm going to talk about the other side. The device. Right? Did you know that you can make your device look compliant in Microsoft Intune? >> Yeah. >> Yeah. Token theft and replay. Here's one we were talking

about. So, again, it masks device wiping because you can actually do that within Microsoft Intune. So, think about that. You probably heard of the Stryker attack that happened. Big deal. So, now we're going to shift for a minute. So, any blue teamers in here? >> [snorts] >> No blue teamers? So, we're going to look at it from a defender to the attacker. So, the attacker man in the middle. So, as defenders, what do we do? Right? We look at the audit objects, true? Maybe we look at some settings. You know, we'll do some snapshots of our environment to see how things are moving along. What do attackers do?

They look for this, relationships. They look for overlap. They We for team permissions. The difference in this perspective, I'm going to tell you right now, is why these attacks keep working. If we only look at object settings and snapshots, and we don't put ourselves in the mind of the attacker mental model, we're going to be dealing with the same stuff over and over again. No one stopped ransomware, right? And I'm not saying anybody can stop ransomware, but we can get better. We can slow it down, for sure. So, if we look at the cybersecurity attack chain, right? And this normally starts with reconnaissance. So, I'm going to leave reconnaissance aside. So, we look at initial, right? Some kind

of initial access. We get credential access. We move to privileged access. And then really from there, you go to our destructive. So, that is traditional. I want to flip it around a little bit. So, let's look at it from an identity perspective. We still have to get initial access. How do I get that initial access? Phishing. Really doesn't matter. It doesn't. Could be phishing. But there are access brokers out there. I can go buy credentials. So, initial access. And then once this really becomes my initial access could be coming from a vulnerability. Right? We talked about that. Once I get credential materialization, this changes the game. Because if we look at it from an identity perspective, credentials allow me to do what?

Authenticate. And then I can do this. We can use what's inherent to Active Directory, cuz it's delegated and trust abuse. I meant I said that earlier. Active Directory has no concept of zero trust. If it's supposed to be trusted, it's automatically trusted. And then from an identity perspective, once they abuse that trust, this is what changes the game. Persistence. Again, my job as the attacker, I do not want to get rebooted out of the system, right? I want to persist. And then what do I do? I clean up my blind spots. How many of you guys use SIEM technology? Everybody, right? Probably. What if I change your audit policy?

How effective is your SIEM? What if I clear your logs? How effective is your SIEM? It's not. So, I'm going to tell you right now, every step relies on authorized behavior. So, now this So, I'm going to say also, this is key. This is where defenders believe the incident is over. If we look at that left side, we believe everything's over. And this is where the attackers know it's not. Because they go for that persistence and they've cleaned up their blind spots. Look at the attack data. It's out there. So, now we're going to get into toxic combination. Right? Some of you might have heard some of these, some of you may not. What

I'm going to say though is single issues can usually be survivable. But when combinations, right? They can become catastrophic. Let that sink in. So, what is a toxic combination? I'm going to talk about a couple here. The first one is and we Who has probably done this, right? We have group policy. Have we used group policy? >> Yeah. >> Yeah, absolutely, right? Anybody ever go in and give someone rights or a group rights to do something in a group policy? And then maybe you're like, "Ah, that person left and you delete that account or that group gets deleted." Do you think the ACLs get cleaned up? No. They get unresolved SIDs. Right? So, unresolved SIDs within group

policy, what does that lead to? Ghost admin privileges. What about this one? I'm actually going to do this one today. I'll do a live attack. It's a really live attack. We'll have to reboot everything up. But DCSync. Okay, so DCSync normally gives you what? Hashes. If I perform a DCSync attack normally, I just get hashes. >> [snorts] >> But if I have reversible passwords, what's that do? Gives me plain text. So, first of all, let me ask you guys a question. If you have a password policy that says, "Do not allow reversible password encryption in your domain." Do you think you're safe? No, because there's actually an attribute on the user account that says,

"I don't care. Store my account in you know." So, they know. This leads to instant credential theft. AdminSDHolder. You guys know what the AdminSDHolder really does? Right? So, it was built by Microsoft to really protect Active Directory in certain areas. There's a back-end process. We all in the industry called it SDProp until Jim Secora corrected us. There's a back-end process that runs every 60 minutes in Active Directory. By default. It looks at this object called AdminSDHolder inside of your organization and it takes those permissions and uses those permissions as a rule template. And it takes those permissions and puts them on the ACLs of your most protected groups: your Domain Admins, your Schema Admins, right?

All those, you know, protected groups. But, there was a problem there cuz it was really meant to only have certain permissions in there. Anybody start out with Microsoft Exchange on prem in their environment? Yeah. How many of you guys moved to the cloud, right, and no longer have any Exchange on prem? Probably a lot. How many of you guys went back and audited AdminSDHolder for Microsoft Exchange groups? Probably nobody. Anybody early adopter of Microsoft 365 who maybe started out with AD Sync? Yeah, I got a couple, right? What account got added to the AdminSDHolder by default? That went so well. Right? So, those are attack paths. Inherited trust. This is hidden shadow admins.

I love this one. They can pick your whole domain down. Service connection points. Anybody use SCCM? Anybody doing hybrid joined devices? Like there's a lot of service connection points out there. What if I don't audit the permissions to my service connection points? Can I use a service connection point to be a jump off? Absolutely. What another one, right? I can actually use it to siphon credentials. Can actually redirect you and do command and control. This is super dangerous. Did you get a copy of this? I saw you got it. So, now let's talk about some social and And we're all guilty of this. Myself, everyone in this room. Anybody have kids? Right? Any of your kids getting ready to

graduate and start a real career, or maybe an internship. All right. First of all, if your name's Sally Sue, >> [laughter] >> it's not about you, right? This is the scenario. I'll just throw that out there because we did have someone named Sally in the room, but her name was not Sally Sue. All right, so Sally Sue, who is she? She's getting an internship at a large healthcare company. All right? So, she got this internship, she's happy, she's excited. What is she going to be doing? She's going to be working on the service desk. So, what does she do? You all do it. All right? She's like, "Oh, I'm so excited. I got an internship at, you know, this large

healthcare company working at the service desk." She updates it, she puts it on LinkedIn. Large healthcare provider. It could be >> [clears throat] >> I mean, this scenario it could be anybody. It could be anything. What happened? We're going to get into the shadow access part, but really, what I want you to understand is any reconnaissance starts long before the network entry. Let's just realize that. Public queues open doors. It opens doors for organizations. So, I'm going to talk about what I'm going to show you as an attack here in a minute. So, I want you to understand, Sally is an intern. She is getting ready to get onboarded. What is she expecting? She's expecting an email with some

onboarding information. Doesn't seem out of the normal. Remember also, Sally is an intern. She's not a security expert. Not yet. She's not going that way. So, Sally gets phished. Anybody hear of EDR silencer or EDR killer? They're real. EDR killer has gotten better, actually. EDR silencer is what I'll use here. So, EDR silencer kills off the EDR. Then what happens? Right, reverse shell. That's most common command and control. Anybody hear of whoami? Where can I find whoami? Every Windows machine out there. I don't need PowerShell. whoami? Native. whoami /groups does what? Shows me the group membership of that user. Is that going to trip an EDR? Nope,

that's normal. Delegated rights enumeration, right? PowerShell. Anybody hear of dsacls? dsacls, very powerful. Very powerful. Right? So, then hidden access, right? We're going to use a group called IT Admins. Happens to have GenericAll. So, we'll talk about that. So, really this becomes privilege without Domain Admins, right? Visibility without alerts. This is all normal activity. I have not done anything suspicious in this organization. Then I'm going to show you, because GenericAll has extended rights inside of Active Directory, we're going to perform a DCSync attack. Ever heard of Mimikatz? Anybody heard of Mimikatz? >> Yeah. >> Yeah. Right? Normally, you get the NTLM pass or the hash. But with reversible passwords, it changes the game.

Right? And once I have control, I can do pretty much anything. Golden Ticket. So, what I'm going to tell you is DCSync is not magic. It's two permissions: DS-Replication-Get-Changes, and DS-Replication-Get-Changes-All. What is it? It's a consequence of trust. It's needed. You're not going to abuse that trust. Right? Credential theft is the outcome of delegated authority. It's not a prerequisite. So, then we're going to go through here, log into the domain server. I'm going to skip through this and I'm going to just get to it. And then we're going to launch a little simulation of ransomware. All right. I'm going to go back to my machine here.
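A read-only PowerShell audit for the conditions the talk keeps returning to: per-account reversible encryption (the userAccountControl bit that overrides the domain policy), who holds the replication extended rights that DCSync needs, the machine-account quota, and who can write to AdminSDHolder. This is an added example, not code from the talk or from the speaker's product; the function names and the ExpectedReplicators allow-list are my assumptions, and it needs the RSAT ActiveDirectory module on a domain-joined host.

```powershell
#Requires -Modules ActiveDirectory
# Added example, not code from the talk. Read-only audit of the settings the talk chains
# into a "toxic combination". Assumes RSAT and a domain-joined session.
Import-Module ActiveDirectory -ErrorAction Stop

# Well-known schema GUIDs of the replication extended rights behind DCSync.
$ReplicationRights = @{
    '1131f6aa-9c07-11d1-f79f-00c04fc2dcd2' = 'DS-Replication-Get-Changes'
    '1131f6ad-9c07-11d1-f79f-00c04fc2dcd2' = 'DS-Replication-Get-Changes-All'
    '89e95b76-444d-4c62-991a-0facbeda640c' = 'DS-Replication-Get-Changes-In-Filtered-Set'
}

function Test-AceGrantsDcSync {
    # True when an ACE on the domain head lets its trustee replicate (i.e. run DCSync).
    param($Ace)
    if ($Ace.AccessControlType -ne 'Allow') { return $false }
    $rights = $Ace.ActiveDirectoryRights
    # GenericAll includes every extended right, which is why the talk's GenericAll group could DCSync.
    if ($rights.HasFlag([System.DirectoryServices.ActiveDirectoryRights]::GenericAll)) { return $true }
    if (-not $rights.HasFlag([System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight)) { return $false }
    # An ExtendedRight ACE whose ObjectType is the empty GUID grants all extended rights.
    return ($Ace.ObjectType -eq [guid]::Empty) -or $ReplicationRights.ContainsKey($Ace.ObjectType.ToString())
}

function Get-ToxicCombinationReport {
    param(
        # Trustees that legitimately replicate; anything else (e.g. a sync account) is reported. Assumption: tune per forest.
        [string[]]$ExpectedReplicators = @('NT AUTHORITY\SYSTEM', 'NT AUTHORITY\ENTERPRISE DOMAIN CONTROLLERS',
                                           'BUILTIN\Administrators', 'Domain Controllers', 'Domain Admins',
                                           'Enterprise Admins', 'Enterprise Read-only Domain Controllers')
    )
    $domainDN = (Get-ADDomain).DistinguishedName

    # 1. Accounts with ENCRYPTED_TEXT_PWD_ALLOWED (0x80) set in userAccountControl. This per-account bit
    #    is what the talk describes: the password stays recoverable even if the domain policy says "no".
    $reversible = @(Get-ADUser -LDAPFilter '(userAccountControl:1.2.840.113556.1.4.803:=128)' |
                    Select-Object -ExpandProperty SamAccountName)
    # The domain policy or a fine-grained policy can switch it on for whole groups as well.
    $reversiblePolicies = @()
    if ((Get-ADDefaultDomainPasswordPolicy).ReversibleEncryptionEnabled) { $reversiblePolicies += 'Default Domain Policy' }
    $reversiblePolicies += @(Get-ADFineGrainedPasswordPolicy -Filter * | Where-Object ReversibleEncryptionEnabled |
                             Select-Object -ExpandProperty Name)

    # 2. Who can DCSync: replication rights (or GenericAll) on the domain naming context.
    #    Unresolved trustees show up as raw S-1-5-... SIDs, the "ghost admins" the talk warns about.
    $replicators = @((Get-Acl -Path "AD:\$domainDN").Access | Where-Object { Test-AceGrantsDcSync -Ace $_ } |
                     ForEach-Object { $_.IdentityReference.Value } | Sort-Object -Unique)
    $unexpectedReplicators = @($replicators | Where-Object {
        $shortName = $_ -replace '^.*\\', ''   # drop the DOMAIN\ prefix so the allow-list is domain-agnostic
        ($ExpectedReplicators -notcontains $_) -and ($ExpectedReplicators -notcontains $shortName)
    })

    # 3. ms-DS-MachineAccountQuota: the default of 10 lets any user join machines they control.
    $maq = (Get-ADObject -Identity $domainDN -Properties 'ms-DS-MachineAccountQuota').'ms-DS-MachineAccountQuota'

    # 4. Trustees with write access on AdminSDHolder; SDProp stamps this ACL onto protected groups every 60 minutes.
    $writeMask  = [int][System.DirectoryServices.ActiveDirectoryRights]'GenericAll, GenericWrite, WriteDacl, WriteOwner, WriteProperty'
    $sdhWriters = @((Get-Acl -Path "AD:\CN=AdminSDHolder,CN=System,$domainDN").Access |
                    Where-Object { $_.AccessControlType -eq 'Allow' -and (([int]$_.ActiveDirectoryRights -band $writeMask) -ne 0) } |
                    ForEach-Object { $_.IdentityReference.Value } | Sort-Object -Unique)

    [pscustomobject]@{
        ReversibleEncryptionAccounts = $reversible
        ReversibleEncryptionPolicies = $reversiblePolicies
        DcSyncTrustees               = $replicators
        UnexpectedDcSyncTrustees     = $unexpectedReplicators
        MachineAccountQuota          = $maq
        AdminSDHolderWriters         = $sdhWriters
        # The talk's toxic combination: a non-DC DCSync path plus passwords that come back in cleartext.
        ToxicDcSyncPlusReversible    = ($unexpectedReplicators.Count -gt 0) -and
                                       ($reversible.Count -gt 0 -or $reversiblePolicies.Count -gt 0)
    }
}

Get-ToxicCombinationReport | Format-List
```

Entra Connect sync accounts appear under UnexpectedDcSyncTrustees by design, since the talk's point is that the bridge account is explicitly trusted and must be reviewed rather than assumed safe.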

First I'm going to do is lock my scissor lift. Now, I got to pray to the demo gods, right? I mean, that's what we all have to do when we're doing live demos. So, there's your prayer to the demo gods.

Let me know. All right.

Oh no. >> Oh, the hacker locked you out already. >> [applause] >> Ooh. >> Maybe. >> No, not quite. >> He would have got me. All right. So, what are we doing? Let's Is that exact step? >> Can we make it a little bit bigger so you can see? >> So, let's walk through this a little bit. So, this is a simulation. I'm not hacking any of these machines, I promise. So, remember, Sally is expecting onboarding. Right? The phisher, EDR silencer, it's real. I'm not going to tell you where to get it. It disables EDRs. There's something called EDR killer. Command and control, very simple, right? There's way many ways [cough] to do reverse shell.

whoami? This is the key. So, whoami allows me to see a group called service desk admins here today. Once I find service desk operators, DS admins, right? I can scan to see what that has. I can find a group or OU called IBM. Might have something called identity management in your environment, not too far-fetched, right? Oh, look. Service desk operators has full control, right? Over user objects, so they can reset passwords, go right members. Very common. Your help desk, are they able to add members to groups? Yeah, usually. So little Look, I did some add. That was me adding to the group. There's a group called IGA admins that has these rights.

So, think about this. Everything I did was above board, right? It's above board. She has access. It's her job to do to have these permissions. Nothing is out of the norm. That is key. All right. So, we're going to close that stuff out. We're going to do two more steps, and then we'll go back to the slides.

Oh man.

Yeah, I'm going to leave it the way it is.

All right, good.

>> Poor Sammy. Damn it. I just spoke her name wrong. That's what I did. I got a picture of my one hand, so I'll blame that. There we go. So, let's get to you.

This one. All right. So, let's run the next one down. Remember, Mimikatz. We used Mimikatz before. So, if you're not familiar with Mimikatz, it usually dumps the password hash, which you can see. But, guess what? It's not just the password hash that I get, because reversible password encryption was not set on that account. And I'm going to tell you, I've worked in multiple big companies, and gone out and done work with other organizations, and done assessments etc. And I often find a lot of these mistakes. And these mistakes can lead to exactly what I'm about to show you next. All right. So, let's launch this last part of the attack. Oh no.

>> [snorts] >> So, we got the cleartext password. So, you all know this password now. But, I can't type it. What the heck?

All right. Hold on.

All right. >> All right. >> All right. Well, you're not seeing through the screen though. Are you doing that? I don't know. Something changed. Uh I went back to the extended.

All right. We're good, dude. It's just got to be the password policy. All right, you can see it. >> All right. >> Can we see it? Notice the background cuz it's kind of interesting. Let's walk through this. I'm going to then do this. So, I'll give you a little story background. I'm flying to Miami to do this talk. And I'm sitting on the plane and I'm rehearsing this on the plane. And I've got my headphones on. I'm jamming, ready. Practicing, getting ready. The guy next over is like looking at me strange. I don't think anything of it. So, then you know, I continue to work. He looks at me again like when I got off the plane. And I'm thinking, "Okay, why is this guy looking at me funny?" And then I realize he saw this. Ooh. >> [snorts] [laughter] >> He probably thought I was hacking someone on the plane. I was surprised I didn't get arrested. >> [laughter] >> And he probably saw this part, is what made him a little nervous. So, again, this is simulation. But, this is real. This is exactly how it goes. They usually don't give you a countdown, right? I'll just tell you that. They don't usually give you a countdown. Once they get in, they don't give you a countdown. My domain controller is dead, right? Gone. Keep that in mind. It's gone. I no longer have a domain controller. All right. So, let's go back. Switch to settings. How am I doing on time? >> About 10 minutes. >> Uh I'm good. I'm going to get a couple more. All right. We're going to go back to slides. We might have to work through these slides.

All right. So, again, what we showed was that, right? So, we're going to go through here. Cuz the one thing I really want you to understand is: ransomware is the symptom. It's only the symptom. Identity failure is the cause. It's not the zero days that everyone... I mean, yes, zero days are important. Identity is key. If I don't have identity, I can't move on. So, what I want you to understand is why these key changes are missed, [clears throat] right? So, as again, blue versus red, unfortunately. Right? So, defenders, what do they assume? Permissions are authorized. We assume this. Right? Attackers assume privilege always exists, and they pile. Give you a perfect example. When you're onboarded, you get added to the group. Right? Maybe you start out in one org or one department. Right? You move to another department. You get added to that department. A lot of times, your group didn't go away. We're really good... I'll say this right now. As admins, again, I'll pick on myself. As admins, we're really good at adding people to groups. But as an admin, we're really bad about removing people from groups. Because we were given a ticket to add somebody. We were never given a ticket to remove somebody. Unless you have automation, huh. Good luck. >> And there's not always a clear demarcation between what is required for the new position that is passed through from the old position. >> And yeah, no, it's not all admin. I agree. Absolutely. >> But also no clear definition of roles through business either, as well. >> Absolutely. But again, we're really good at giving them. We're really bad at giving away. At taking away. We also assume every delegation is tracked. I got my ServiceNow ticket. I did my work. I know that's in there. You come back and ask me what I did yesterday? Again, what did I tell you? What's the most dangerous permission? The one I did yesterday. I don't know. I have like, how many people wear multiple hats in their work? You don't have... Yeah, you have time to go back and say, "Okay, what I did for this, this, and this?" No. I mean, there might be a paper trail. >> If I find anything in ServiceNow that has been transferred >> [laughter] >> So, >> it might as well be in a black hole. >> So, we assume legacy access is never audited. So, we're good. The other thing that we really believe in, or at least what we did back then, is recovery wipes the slate clean. I can recover, right? Restore my backup. I'm good. Restoring Active Directory is a little bit different. Let's just say it that way. Now, what I'm going to tell you is, I think how attackers think. Remember, persistence is key. Back doors, right? They survive the reboot.

If I put a golden ticket in your environment using Mimikatz or other solutions, if I use Mimikatz, that golden ticket is good for 10 years. A golden ticket allows me to impersonate anybody. If I can impersonate anybody for 10 years, and you just recover me, and I still have the KRBTGT account password, and I have that golden ticket, you think that matters? No. I'll tell you why. Because unless you double tap that account, that's going to survive. I actually worked with an organization. They said, "Hey, Craig, we were breached three times in 6 months." And I'm like, "Wow. They're about security. But three times in 6 months, that's unheard of." They were not breached three times in 6 months.

They restored their backup. Their backup had persistence. In fact, another one that is great that survives persistence is giving yourself rights to the adminSDHolder. What I found is Authenticated Users had full control over the adminSDHolder. Does that not make every hair stand up on the back? Yeah, it does. So, I'm going to just tell you right now, one side is living in delusion. I'll let you guys decide which side is living in delusion. I will say one side is really living a lie, in my opinion. So, attackers live in what we stop revisiting. Now, I'm not going to say it that way because it's very important. Because you might do pen testing. And pen testing's good. Do not take me wrong. You may do an AD audit. A one-time scan. But let me ask you a question. Is identity static? No. So, if it's not static, why do we think a static control is going to solve the problem? It won't. It absolutely will not solve the problem we're dealing with today. So, final takeaway. Right? Defenders hunt techniques. Right? We're looking at a basic, you know, accounts. Snapshots, as I mentioned, right? The surface. That's not how attackers hunt. Right? They hunt for combinations. Those chains that I talked about. So, that's the key difference. And this is why it keeps working time and time again. If we can't start thinking like an attacker from that aspect and have something that does continuous, then we're in trouble. That's the end of my presentation. Thank you.

>> [applause]
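An added defensive check, written for this transcript and not code from the speaker, that audits the three things the talk calls out as "toxic": who holds the two replication extended rights DCSync needs on the domain head, whether broad principals such as Authenticated Users have Allow entries on adminSDHolder, and how old the KRBTGT password is (a golden ticket forged with that key stays valid until the account has been reset twice). It assumes the RSAT ActiveDirectory module, which provides the `AD:` drive, and read access to the domain partition; the replication-right GUIDs are the schema values.

```powershell
# Added example, not the speaker's code. Assumes the RSAT ActiveDirectory module
# (provides the AD: drive) and read access to the domain partition.
Import-Module ActiveDirectory
$domainDN = (Get-ADDomain).DistinguishedName

# Schema GUIDs of the two extended rights behind DCSync.
$replRights = @{
    '1131f6aa-9c07-11d1-f79f-00c04fc2dcd2' = 'DS-Replication-Get-Changes'
    '1131f6ad-9c07-11d1-f79f-00c04fc2dcd2' = 'DS-Replication-Get-Changes-All'
}
$extRight   = [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight
$genericAll = [System.DirectoryServices.ActiveDirectoryRights]::GenericAll

# 1. Principals able to replicate the domain head. Anything beyond Domain Controllers,
#    Enterprise Domain Controllers, Administrators, Enterprise Admins (and a known
#    directory-sync account) deserves a ticket of its own.
$domainAcl = Get-Acl -Path "AD:\$domainDN"
$replAces = $domainAcl.Access | Where-Object {
    $_.AccessControlType -eq 'Allow' -and (
        (($_.ActiveDirectoryRights -band $genericAll) -eq $genericAll) -or
        ((($_.ActiveDirectoryRights -band $extRight) -eq $extRight) -and
         ($_.ObjectType -eq [guid]::Empty -or $replRights.ContainsKey($_.ObjectType.ToString())))
    )
}
"== Principals with DCSync-capable rights on $domainDN =="
$replAces | Group-Object IdentityReference | ForEach-Object {
    $names = foreach ($ace in $_.Group) {
        if (($ace.ActiveDirectoryRights -band $genericAll) -eq $genericAll) { 'GenericAll' }
        elseif ($ace.ObjectType -eq [guid]::Empty) { 'All extended rights' }
        else { $replRights[$ace.ObjectType.ToString()] }
    }
    [pscustomobject]@{ Principal = $_.Name; Rights = ($names | Sort-Object -Unique) -join ', ' }
} | Format-Table -AutoSize

# 2. adminSDHolder: SDProp stamps its ACL onto every protected account, so a broad
#    principal here is a domain-wide backdoor that a restore from backup brings back.
$sdHolderAcl = Get-Acl -Path "AD:\CN=AdminSDHolder,CN=System,$domainDN"
$broad = 'Authenticated Users|Everyone|Domain Users|Domain Computers|\\Users$'
"== Broad principals with Allow entries on adminSDHolder =="
$sdHolderAcl.Access |
    Where-Object { $_.AccessControlType -eq 'Allow' -and $_.IdentityReference.Value -match $broad } |
    Select-Object IdentityReference, ActiveDirectoryRights, IsInherited |
    Format-Table -AutoSize

# 3. KRBTGT key age: a golden ticket is signed with the KRBTGT key, so it stays valid
#    until the password has been reset twice (the previous key is accepted until then).
$krbtgt  = Get-ADUser -Identity krbtgt -Properties PasswordLastSet
$ageDays = [int]((Get-Date) - $krbtgt.PasswordLastSet).TotalDays
"== KRBTGT password last set $($krbtgt.PasswordLastSet) ($ageDays days ago) =="
```

Run it as an ordinary domain user from a domain-joined host; everything it reads is world-readable directory data, so it can be scheduled to re-check the same three items continuously rather than as a one-time scan.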
