Please Waste My Time

BSides Buffalo · 2024 · 48:16 · 80 views · Published 2024-06 · Watch on YouTube ↗

Speaker: Qasim Ijaz

Tags: Team: Blue · Style: Talk

About this talk

There's a single goal here: waste a red teamer's time. I will offer ideas, some new, some old, and others totally crazy, to help blue teamers slow down and catch red teams with a dash of honey. As a red teamer myself, I've been caught, have tripped over decoys, and have seen some really intricately designed honey pots. This talk has storytelling, memes, and more.

About the speaker

Qasim Ijaz, Director of Offensive Security at Blue Bastion

Qasim "Q" Ijaz is a Director of Offensive Security at Blue Bastion Security and specializes in healthcare security and penetration testing. He has conducted hundreds of penetration tests in small to large environments with a focus on network and web application testing. His areas of interest include healthcare security, Active Directory, cybersecurity policy, and the "dry" business side of hacking. Qasim is a penetration test lead during the day and a teacher in the after-hours. Qasim has presented and taught at cybersecurity conferences including BSides and Black Hat on offensive security topics.

Transcript [en]

Okay, let's kick off. Welcome, good morning. Morning, morning. Teacher, it is a college, yeah, that makes sense. The talk title is Please Waste My Time, so that's what we're here for. Great, if not, then still great. I'm Qasim, I also go by Q. I'm from Blue Bastion Security, we're a small consulting firm. I run the offensive security team there, and I used to work at Sign, I ran their pentesting team a while back. Anybody here from healthcare? Got a few, yeah, all right, see me afterwards, got some stickers for y'all, healthcare-specific stickers. I do some teaching after hours, and we also have a blue team, and as I

worked with that blue team, I started thinking about the whole idea of, hey, we went in, we got DA, and we walked away with your credentials, we walked away with your domain admin password, we walked away with your PHI. It's not a win. It's not what makes the pentest a win. It is the idea of helping them get better next time. So what I've loved lately is I've seen some clients where they've gone from we got domain admin and patient records in two hours the first time around, the second time around one week, third time around two weeks, three weeks, and then as we start doing some red teaming with them, some stealthy work with them, then we start getting into how

do we help you stop us. And if you don't have, let's say for example you don't have a lot of money to do things, maybe there are some cheaper, maybe three things you can do to stop us or to detect us, or maybe you just want to waste my time, maybe you just want to write my story for me. I got into your network and maybe what you want to do is guide me towards wherever you want me, the attacker, to go, redirect me to something else. So that's what this talk is about. It's not about the greatest, best detection out there, it's more about stuff that I have seen my clients do that has pissed me

off, because I thought I had something really good. I thought I saw Windows Server 2003 and I got really excited about it. I thought I saw some admin that had a bad password and I got really excited about it, and in all that excitement I spent three hours, four hours, maybe even a day or two, I won't admit to that, although I just did on camera apparently. And then found out that they were actually just deceiving me, they were slowing me down. I just want to give that client a high five, after I cried for a bit. This is also pretty useful for threat intelligence, trying to see what the

attackers are doing, what are the bad actors doing when they see vulnerabilities. You can sort of design that vulnerable environment for them and you can try to monitor what they are doing with that vulnerability. It can be useful for you if you are a seasoned pentester, it can be useful to kind of see what kind of attacks others carry out. Like I learned two days ago that apparently you can run commands from within FTP on Windows, so that's a fun thing to do. If you are a SOC analyst or you want to get into cybersecurity, watching others carry out attacks, watching others do their bad things, it might be a useful thing to do. You can

learn from it. The best way to learn, in fact, is just watching somebody do bad things and learning from that. I heard somebody say the other day, we love being bleeding edge as long as somebody else is bleeding. Same way, you can learn from other people, from their mistakes and from their wins. So before we get into how to waste time, we want to talk about what are the things that make it difficult to secure the enterprise, what makes it so difficult to have good configurations in a Windows environment, what are some of the things that us, the attackers, the pentesters, are exploiting every day. And one of the first ones that comes to mind, that has always been an easy

path to DA, so much so that we make fun of it in pentesting circles, is broadcast/multicast name resolution protocols. Quite often, yep. What I remember from when I went to college one day, many, many months ago, when we talked about name resolution, it was you go to the DNS server, the DNS server tells you where that thing is. You're looking for google.com, you're looking for the HR share, the DNS server tells you where that share is. But that's not the reality. The other day I was helping one of my employees with troubleshooting something, and what that something was: he was logged onto a remote access device in the client's

environment and he is seeing the traffic from his Google TV in his home on that remote access device in the client's environment. So we start looking through that: why is that, how are you seeing it, it makes no sense. I pull up Wireshark on my laptop and I see traffic from his Google TV in his home. Well, what happens with Windows is when it wants to look for something, when it wants to look for that Google TV for example, it is sending out a name resolution request to everybody in the network and everybody in every network it knows, meaning it's sending out the broadcast/multicast traffic asking for name resolution on the Ethernet adapter,

wireless adapter, VM adapter, the VPN adapter, everything. So that's how we were seeing that traffic and it's freaking us out. Secondly, whenever we respond to that traffic and we say we are who you're looking for, let's say in this case it's a file share that's being sought after, we respond to that and say, hey, I am who you're looking for, come and talk to me. In a Windows environment that's going to result in NetNTLM authentication. This is going to be a hash exchange, it's going to send me a hash of that user to authenticate. So it's basically saying, hey, I'm the file share, if you want to talk to me though you have to authenticate, so give me your

hashes. We do this using a tool called Responder. So what you're seeing on the left side, the black screenshot, that is the Responder tool. The highlighted gold, yellowish area is the hash. So we're going to take that hash and we're going to start cracking it. This happened, if you look at the top of that screenshot, we're responding to a name resolution request. When it says mDNS, that's multicast domain name service. LLMNR is link-local multicast name resolution. And what's happening is Windows is sending that out, saying, hey, I'm looking for HR share. In this case the user might type a share name, you don't have to, it could just be a real name, it

doesn't matter. We're responding with saying, hey, we are here, we are the share you're looking for, come and talk to us, and we got that user's hash. I want to pause and see if there are any questions on this before we move on. This is what I... new people? I don't want to drink my coffee. All right, so we talked about broadcast/multicast. The solution, it needs a tool, you've got to have a hacker tool installed. But have you tried Outlook? So, tracking pixels in emails, we've seen those from marketing companies, the tracking pixel. We respond to that, our Outlook or email client pulls up that pixel, and that's how the marketing

company knows that we have opened the email. Well, we were red teaming a client environment and they were really good at what they had done: really good controls, good detection, good response, good configurations, secure hardening, and we were not getting anywhere. It had been two weeks, it was in fact Friday about 4:00 p.m. of the second week, we had only one hour left in our pentest, and we start talking and one of the teammates points out, you know, Joseph said do whatever you can, so what is something we can do that we've never done before? So we sent Joe a status email. Said, hey Joe, he was the point of contact, he was the IT manager, so hence

had domain admin. Hey Joe, we haven't really gotten anywhere yet, we've got about one hour left, so we're going to try one more thing, if that doesn't work we'll move on. Recording in that, we have the tracking pixel pointing to a UNC path, the UNC path \\ that IP address is pointing to Responder, that is our Responder box, and we ended up getting Joe's hash that way. And Joe was very happy about it. He was happy for two reasons: one, his password was really strong so we could not crack it, and two, hey, we got DA somehow, the way we got it I'll talk about in a minute. The tracking pixel works over public IP addressing also,

with some caveats. Your client may have 445 outbound blocked; if they have not, tell them to block it, there's no reason for outbound SMB. Secondly, some ISPs block 445. There are some ways to do this over WebDAV, which is a bit more complicated and I have not really gotten it to work, but people claim it works, so it may work. Ask ChatGPT, I mean that's how I built the slides. So we got Joe's hash. Joe's password was really strong, we couldn't do anything with that password, we could not crack it. We only had one hour left so we couldn't just wait for a long hash, long wordlist, long rule list, for, you know, 10

hours, 10 days to do that. But their environment had a misconfiguration for, I think it was, two or three boxes. In Windows environments, once you obtain that NetNTLM hash we talked about earlier using Responder, you can then take it over to anybody else in the network as long as they are not checking for digital signatures in that traffic. Meaning you take somebody's badge and you walk over to everybody else and pretend to be them. That is what lack of SMB signing results in. So we are using a tool called ntlmrelayx in here, and this tool is taking the hashes from .13, so the host 10.1.100.13, there's a user logged on there

named FileMaker. We're taking FileMaker's NetNTLM hash and we are talking to .14, .15, .16, anybody who does not require SMB signing. We have not cracked that hash, we don't know FileMaker's password, we're just taking the authentication packet, we're just taking that authentication hash as is, and now we log on to other boxes as FileMaker. So we did that with Joe, and since Joe had local admin on those two boxes, and one of those boxes happened to be the Exchange server, that was an easy... okay. What you're seeing towards the end of that screenshot, the second highlighted area, that is SAM hashes. By default ntlmrelayx will dump SAM hashes, those are local hashes. We'll talk about

some ways to waste my time in those cases later too, but yeah, that's lack of signing. That's a default in Windows. Windows 11 will start requiring SMB signing, it is still in developer preview. Broadcast/multicast name resolution is also a default, which will remain a default, and if you go into group policy and you select turn off multicast name resolution, that only turns off LLMNR, it does not turn off mDNS, it does not turn off NBNS. There are some additional steps you have to do in there for that, so hit me up afterwards if you want to, I'll talk about that a bit more. So we had gotten the hashes from a user, we had relayed them across, we got some

more, some more hashes, maybe we cracked the password or not. The next stage generally in our pentest is we have domain user access, now we want to escalate. One of the ways we'll look for that is Kerberoasting. So when you got to the conference this morning you got a badge. This badge gets you entry into this conference. Now you may have some workshops that you may have signed up for, there's a separate sign-up usually, okay, some conferences will have additional cost for that. Maybe you go to the State Fair in Syracuse, you get the admission ticket but then you need a separate ticket or separate cost for the funnel cake, for

the rides, for the Ferris wheel and all that. Similar to that, Kerberos, another authentication mechanism in Windows, works based on tickets. When you log into your network in the morning you get a TGT, ticket granting ticket. That is your badge, that is your admission ticket. Then you present that TGT to the domain controller and say, hey, I want to access that file share, I want to access this MSSQL server, I want to access whatever, can you give me a service ticket. There is a ticket specific to a service that you then obtain to access the services offered by that service; it is encrypted with that service account's hash. And that process of getting a TGT

and then a TGS is not malicious. There's nothing wrong with that, you do that all the time in your environment without even knowing. So when we get to domain user access, we go and ask the domain controller, give me service tickets for every single service you have. We then take those service tickets offline and we start cracking them. Earlier when I showed you NetNTLM hashes, those can be cracked, I believe, at about a billion guesses per second on a small gaming laptop. These ones, so the RC4 ticket that's on the bottom, that can be cracked at a few hundred million guesses per second. The AES one, I think it's only about 130 million guesses, something like that, on my

Alienware that we use for work, and I'm not bragging at all, I promise. Well, when you're not working you can play some games, so that's always nice. So there are multiple ticket types you can offer in your network. You can have RC4 tickets, you can have AES tickets. In the end, domain users can request that service ticket, any domain user can request that service ticket, and they can then crack that offline to get the password for the service. That's called Kerberoasting. How often do we change service account passwords? Not often at all. I recently had a client where the service account password was set in 2005. Yeah, yeah, that was fun times.

So, hold on, let me check, this is 50 minutes, right? Okay, good, good, I have not run out yet. So, all right, so we Kerberoasted and we got a service account password. Service accounts quite often have domain admin. Service accounts quite often have easy-to-guess passwords. If you need to remember the password of your service account, you're using service accounts wrong, please. You do not need to know your service account's password. If you remember your service account password, I'd like to give you a free pentest, or maybe somebody else has already done that. Okay, so that's the Kerberos thing that also makes it difficult in our environments to secure our environments. Quite often you don't have a choice,

your vendor requires it. If you were in a hospital, for example, quite a lot of EMRs require this. I used to work at Cerner before I started doing pentesting, and I was doing night shift, so I only got a call when something bad was happening, otherwise it was a very good job. I finished Game of Thrones, I learned a lot, there's so much you can learn about pentesting from Game of Thrones. So I got a phone call from a hospital: hey, we're down, something bad is happening. Okay, start looking at this. This account's password has expired. This makes no sense. Well, turns out one of my colleagues, when he configured the EMR

for this client, electronic medical record system, he used his own account as a service account to set this up. Went on vacation, his account had expired, and the hospital was down. That was fine. Another thing we do is pass the hash. So anytime you get local admin on a device you can dump SAM hashes. These are local hashes on that box for local authentication. Quite often we're going to be going after the local admin's hash, the Administrator user, RID 500 on that box, and that user, if the password is the same across the board, then we just take that hash without even needing to crack it and we just pass it across the environment. We're just taking that hash, going to

everybody else, logging on as that. Okay, Windows does not use salting for those hashes, the SAM hashes, there's no salting, so the hash for a password is always going to be the same. So this is something we do quite often. If it's a pentest, I'm just going to take that hash and spray it across the whole /24 or /16 even, I'm going to light up that SIEM. If I have to be stealthy, if I'm red teaming this environment, then pass the hash is something I'll do maybe one box at a time. But this is a pretty common thing. Microsoft patched it, it fixed it, and the fix was you cannot do pass the hash

using a local user that is not local admin. Meaning you can pass the hash for a domain user, you can pass the hash for a domain admin, you can pass the hash for a local admin. Who else do I want? That's it. So that patch was done, and okay. Another thing we'll do, because nowadays we are seeing LAPS deployed. LAPS is randomizing passwords on every single box, the local admin password from one box is not the same on the other box, so that hash is no longer going to work. So now we are going after Kerberos tickets. Remember I told you earlier in Kerberos you have two tickets, you have the ticket granting ticket that

authenticates you, and then you have the service ticket that authenticates you to a service only. We're going to be going after the ticket granting ticket, TGT, because if I present that ticket I can log on as that user anywhere I want, and that ticket is stored in LSASS. lsass.exe is a process you'll see in Task Manager that handles all authentication and authorization on Windows. So if you dump the memory of that process you're going to see a lot of credentials in there. Any time you log on to a device, the credential is stored in there. Okay, which is why, domain admins, please stop logging onto random workstations to install a printer. Don't do that, because you're

leaving your credentials behind for me. So we're using a tool called Rubeus, and in the screenshot it says NotRubeus because I'm very creative with names, and I obfuscated it and I compiled it and ran it through the obfuscator again and called it NotRubeus. So using NotRubeus, on the right side we are taking the ticket, and then on the left side we are passing it back into the session. Now we can become that user, in this case DA admin. So this can be done usually in default configurations. I can do this for up to 10 hours. Your tickets by default are sitting in that box and usable for up to 10 hours, so I can grab it, I

can go to any other box in the environment, pass that ticket, and I can start using it. I can do this on Linux: take a ticket from a Windows box, go to my Kali Linux box, pass it there and use it. And my most favorite: we were doing a pentest, it was just this week, started writing a report yesterday, and we got access to the IT manager's OneNote. Not only do we know their domain admin password from six years ago and five years ago and four years ago and three years ago and two years ago and this year, we also know his wife's bank account information. So that was interesting to discover, that he's

storing that in OneNote, and he has that. I was like, dude, come on. Anyway, this is something we find especially in red teaming, because if I'm red teaming, if I'm being stealthy and I do not want to raise alarm but I also want more credentials, I'll pull up File Explorer on a Windows box, I will go to the Network tab and I'll start looking for file shares. I'll go through those file shares and I might even just search for the word password. This is something I learned when I was learning to do pentesting 10 years ago and it's still something I do because it works. We often find something like password.txt, or password.xls is my

favorite, because it will have a field for the URL, a field for the username and the password, sometimes even security questions are going to be there, so that's very helpful for me. It's because, in my opinion, password managers are difficult to use. Have you tried NotPassword? Oh, they should have done that, yes, notpassword.txt. I did want to see something called "please don't look in this". But I try getting people onto password managers and it's just so difficult. We have made security difficult. Try getting your grandma on a password manager, like getting her to use LastPass, good luck, right? So this is also how we get a lot of

passwords, and this has been something where I have also wasted time, and I'll talk about that in a minute. We've talked about all the different ways AD makes it difficult for us to protect the enterprise. Our own practices, our own habits make it difficult for us to protect the enterprise. So now, how do you waste my time? My favorite is honey users. What you're doing in here is you're creating a real user with a real password. Maybe don't make that password too easy, but not too difficult either, so make me spend some time trying to guess that password, and once I do guess that password I think I've got some access. Well, you should be monitoring the

authentication logs and see if that user is authenticating somewhere. You have just discovered it. It's something pretty simple you can do, even with Canary tokens nowadays. It could just be a scheduled task on a domain controller that checks the authentication log for that user's name and a success message and then just emails you or drops you a note or something like that. If you are requiring password resets for your users, let's say 90 days, 6 months, one year, then make sure this user, this honey user, is also getting the password reset, so it looks real. Even have this user log onto a box, create a honey workstation, have this

user log on to the box, maybe give this user local admin on that box. Everything is domain joined, everything is real, but we're monitoring it heavily. It is a dangerous thing to do, so you've got to be careful. Or another thing you can do is have the box be domain joined, have the user be domain joined, and then kick them out of the domain. A lot of times I've seen tools like BloodHound will not fully understand that. A lot of times I've seen our pentesters will not fully understand the difference in that, because they still see some remnants on the disk of the username, the domain name, and they think it's the same user. So you may be

able to do this. I personally, because I've got time on my hands, will have a real user and a real workstation that the user logs on to. I will just limit that user's activity afterwards, and I will heavily monitor that user and that workstation and see where they go. This way, once that user starts moving around, you know that they got caught, compromised, and you have a malicious actor in your environment. How about honey SPNs? So the way we define service accounts for Kerberoasting is they have a service principal name set, SPN. So if you created a service account with a password that is a little difficult, we have taken that ticket

offline and are cracking it again. So maybe make me spend 10 hours on that. If you make that service account juicy enough, I spend a week on that, okay, a real threat actor may even spend six months on it. So set up some honey SPNs, some honey service principal names, service accounts, give them RC4 encryption. When you create a user, in the user properties in AD you have an option, you know where it says unlock account, similar area, you can say something like uses AES 128 or uses AES 256. Maybe this one doesn't have that checked. In addition to having a honeypot service account, another way to detect Kerberoasting is most of the pen

testing tools by default request an RC4 ticket. So if all of your service accounts are using AES tickets and somebody requests RC4, you know there's somebody malicious in the environment. But if you want to waste my time though, make that password something that is going to take a long time to guess. Give that user some sort of high privileges in the environment, or at least make it look like it does have that. Like, for example, you could give that user local admin rights on a box that does not exist, like the box was domain joined and has been shut off, and this user has local admin on it. When I run BloodHound it's going to tell me the box exists

because it is joined to AD, but the box has been shut down. I'm not going to know that generally, because I'm just going to wait till I get this ticket and then I'm going to try to log on to that box. Just wasted my time. So honeypot service accounts, a really good way of detecting us, making us waste our time. Has happened in the past, fun times. Another one: one of the first things we do in networks, especially in Windows networks, is we run Responder to find broadcast/multicast name resolution requests. So what if you were sending out those requests intentionally, waiting for somebody to respond? What if you sent that request
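The honey user and honey SPN ideas above, as an added PowerShell example that is not from the talk or from the speaker's tooling: it creates one honey user and one RC4-only honey service account, then gives a domain-controller check you can run from a scheduled task to see whether anyone has touched them. The OU path, the account names, the SPN and the 15-minute window are placeholders; the RC4 encryption type value (4) and the 0x17 RC4 marker on 4768/4769 events are standard Windows values.

```powershell
# Added example (not from the talk): honey user + honey SPN account, plus a DC-side
# check for any use of them. OU, names and SPN are placeholders for your domain.
Import-Module ActiveDirectory

$HoneyOU   = "OU=Service Accounts,DC=corp,DC=example"   # placeholder OU
$HoneyUser = "backup_admin"                             # placeholder honey user
$HoneySvc  = "svc_sqlreport"                            # placeholder honey SPN account
$HoneyPass = Read-Host -AsSecureString "Honey account password (hard, not trivial)"

# 1. Honey user: a real, enabled account that nobody legitimately uses.
New-ADUser -Name $HoneyUser -SamAccountName $HoneyUser -Path $HoneyOU `
    -AccountPassword $HoneyPass -Enabled $true `
    -Description "Legacy backup administrator (do not remove)"   # bait description

# 2. Honey SPN: an SPN makes the account Kerberoastable; msDS-SupportedEncryptionTypes
#    = 4 (RC4 only) so a roast of it stands out if your real service accounts are AES.
New-ADUser -Name $HoneySvc -SamAccountName $HoneySvc -Path $HoneyOU `
    -AccountPassword $HoneyPass -Enabled $true `
    -ServicePrincipalNames @("MSSQLSvc/sqlreport01.corp.example:1433") `
    -OtherAttributes @{ 'msDS-SupportedEncryptionTypes' = 4 }

# 3. Detection: schedule this on each DC. Any 4624/4625 (logon) or 4768 (TGT request)
#    naming a honey account, or a 4769 (service ticket) for the honey SPN, is an alert;
#    a 4769 with TicketEncryptionType 0x17 (RC4) is the classic Kerberoast signature.
function Get-HoneyAccountEvents {
    param([string[]]$Accounts, [int]$Minutes = 15)
    $filter = @{ LogName = 'Security'; Id = 4624,4625,4768,4769
                 StartTime = (Get-Date).AddMinutes(-$Minutes) }
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue | ForEach-Object {
        $d = @{}
        foreach ($n in ([xml]$_.ToXml()).Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
        # 4769 names the SPN's account in ServiceName; the others use TargetUserName
        $who = if ($_.Id -eq 4769) { $d['ServiceName'] } else { $d['TargetUserName'] }
        if ($Accounts -contains $who) {
            [pscustomobject]@{
                Time    = $_.TimeCreated
                EventId = $_.Id
                Account = $who
                Source  = $d['IpAddress']
                EncType = $d['TicketEncryptionType']    # only set on 4768/4769
                Roast   = ($_.Id -eq 4769 -and $d['TicketEncryptionType'] -eq '0x17')
            }
        }
    }
}

# Anything returned means someone touched a honey account: page yourself here.
Get-HoneyAccountEvents -Accounts $HoneyUser,$HoneySvc -Minutes 15 | Format-Table -AutoSize
```

Keep the honey accounts in the same password-rotation cycle as real ones, as the talk says, so they do not stand out on `pwdLastSet`, and make sure no legitimate job ever authenticates as them, otherwise every alert from this check needs triage.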

for a box, a name that should not exist in the network, so nobody should respond to that? But the moment I respond and say, hey, I am that box you're looking for, you know there's somebody malicious in the environment. I was messing around with some of this based on a client request and we built a honeypot for this, the tool called netbase. We built, when I say we, it's me and ChatGPT, I think one of us did most of the work, I can't say for sure who. And what this tool is going to do, it's a PowerShell tool, it's going to send out a request. It's really just a PowerShell

command, I think it's, what is it, Resolve-DnsName is the command. So if you do Resolve-DnsName and you give it some sort of a name, Windows is going to send out broadcast/multicast name resolution to try to resolve the name. But so you have to run this from a box that does not have broadcast/multicast name resolution disabled, and you have it run this script. In this script you can specify which name to look for. My favorite thing in this is you can spew some credentials. You can have it send out some sort of a NetNTLM hash, maybe that's a valid user, maybe it's not. If you require SMB signing everywhere

and you make that password very difficult, I'm going to be sitting in there for a week trying to crack that hash. You just wasted my time. You could also use this to direct the attacker towards wherever you want them to go. So maybe you do give them real credentials and that user has some sort of access on a real box where you want them to go, and you're monitoring to see what tools they're going to run, what activities they are going to carry out. Okay, so that's one of the tools that we've been utilizing in our SOC and we've had some really good success with it. My pentesters hate it and we also love

it. Canary tokens. Yes? Is that based on subnet, is it within just the subnet? It's within your broadcast domain, so it may go around some depending on how you've got your routers and switches. So the broadcast/multicast traffic can traverse your routers and switches depending on if you're letting out layer two traffic, okay. So it all depends on your configuration of routers and switches, and I'm saying it like that because I have no idea how networking works, I've not been in a networking class forever, but I have seen it come across subnets in my Responder, so I know it works, it's just I don't know how. Canary tokens, this website you should
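The bait-query idea from the last few paragraphs, as an added example that is not the speaker's netbase tool: a PowerShell function that asks for a hostname that does not exist and treats any answer as a poisoner on the segment, with a loop that repeats at a random interval. It only does the detection half; it does not send any credentials. The decoy hostname and log path are placeholders, and it relies on the `-LlmnrNetbiosOnly` switch of `Resolve-DnsName` to keep DNS out of the query, so it must run on a box where LLMNR/NBNS is still enabled.

```powershell
# Added example (not from the talk): broadcast/multicast name-resolution bait.
# Ask for a name nobody owns; the only thing that can answer is something
# pretending to be it (Responder-style poisoning). Placeholders: $BaitName, $LogPath.
function Test-NameResolutionBait {
    param(
        [string]$BaitName = "hr-fileshare01",          # placeholder: looks like a typo'd real host
        [string]$LogPath  = "C:\ProgramData\bait.log"  # placeholder log location
    )
    # -LlmnrNetbiosOnly: skip DNS entirely, so a legitimate DNS record cannot
    # produce a false alarm; a silent timeout is the expected (good) result.
    $answers = Resolve-DnsName -Name $BaitName -LlmnrNetbiosOnly -ErrorAction SilentlyContinue
    if (-not $answers) { return $null }
    foreach ($a in $answers) {
        $hit = [pscustomobject]@{
            Time      = Get-Date -Format o
            BaitName  = $BaitName
            Responder = $a.IPAddress    # the host claiming to be the decoy name
            Type      = $a.Type
        }
        "$($hit.Time) bait '$BaitName' answered by $($hit.Responder) ($($hit.Type))" |
            Add-Content -Path $LogPath
        $hit
    }
}

# Repeat at a jittered interval so the cadence itself is not a tell to a watching attacker.
function Start-NameResolutionBait {
    param([int]$Iterations = 0)   # 0 = run until stopped
    $n = 0
    while ($Iterations -eq 0 -or $n -lt $Iterations) {
        $hits = Test-NameResolutionBait
        if ($hits) { Write-Warning "LLMNR/NBNS poisoner suspected: $($hits.Responder -join ', ')" }
        Start-Sleep -Seconds (Get-Random -Minimum 60 -Maximum 300)
        $n++
    }
}

Start-NameResolutionBait
```

Pick a bait name that is not in DNS and not a real NetBIOS name anywhere, and disable LLMNR/NBNS everywhere else; this one sensor box is then the only thing on the segment that still talks the protocol, and as the audience question notes, how far its queries travel depends on what your switches and routers forward.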

bookmark if you are going to be using this in your organization. You should pay for their appliance because they do some really good work. So Canary tokens is going to build canaries for you, it's going to build honeypots for you that you can deploy. For example, you can have it build a PDF document; that PDF document has a tracking pixel in it, so when it gets opened you're going to get an email saying, hey, this document just got opened from this IP address using this browser. You can do this with a Word doc also, you can have AWS keys, you can have, even, they even give you a... I forget, they do, I think they do

scheduled tasks. You can monitor commands run on a box. If you're going to monitor a command that's run on a box to identify bad actors, look for whoami. Every single one of us who did OSCP or CEH or, you know, PNPT or whatever, we learned to run whoami the moment we got in a box. That's how you catch us: look for whoami and you've got us. So canarytokens.org, maybe create a PDF doc that says something like 2024 financial picture, or it says something like passwords.pdf, passwords.docx, or password.xls, whatever you think will work, and drop it in your network shares. It's going to help in two ways: one, it's going to help you catch a

malicious actor, and two, it's going to tell you who your snoopy employees are, who your curious employees are. Breaches don't always occur with bad intent. Breaches also occur because somebody got a little too curious. You're in a hospital and you're looking at your kid's medical records, or if you're a doctor and you're looking at your neighbor's medical records. I was working with a hospital in Atlanta and they work with a lot of celebrities, so if a celebrity is having a baby in this hospital, they had a lot of serious monitoring happening on that patient record, because people are going to get snoopy, people just get curious. So dropping those PDF files, docx files

may be a good way to find your snoopy, your curious employees, but also a bad

actor. Fake password vaults: we're dropping password.txt everywhere, maybe we drop an actual password.txt with a bad password in it, maybe you use this to also direct the attacker to wherever you want them to go. You can also do something that... so a while back I got access to an IT network share and it had a KeePass database, so the password manager database. It had the password for that KeePass database in a text file next to it, and it also had the installer for KeePass. So that was a fun day, I got access to a lot of passwords. So that got me thinking, what if these passwords were wrong, or what if these passwords were

taking me towards something they wanted me to follow? So you could have your password vault configured in a way, or your OneNotes, it saves stuff in OneNote all day long, put some passwords in there, maybe they're real, maybe they're not, waste my time with that. Okay, maybe use ChatGPT to write out actual IT documentation that looks real enough. Maybe start drawing some diagrams and put those in there. If you ever did any lab work in college, it's like five years ago, put that in there, make it look like it's your actual enterprise work. We're going to start reading some documentation. Nobody reads documentation like a pentester during a pen

test. So in the Empire framework there is a script called New-HoneyHash. What this script does is it uses the Win32 API, Windows's own APIs, to inject a fake credential into LSASS. So you could have a fake credential sitting in LSASS and in SAM that when I dump those hashes from those, I get something I think is real, start using it, it doesn't work. There's an easier way to do this without using a script from GitHub: just create a user and then disable it. When I do the SAM dump, it doesn't tell me if the user is enabled or not. I'm just looking at the output of username, the LM hash and

NT hash. So create a local user and maybe have it on four or five different boxes, same password, and just disable that user. Now you have that hash sitting on different boxes. One, whenever I dump LSASS or I dump SAM, that's a loud event, you're going to hear about it from your EDR. If you don't hear about it from your EDR, change your EDR, okay, even Defender will detect on that now. Secondly, I will be, one, trying to crack that hash, two, trying to use it. If that hash doesn't work I'm still going to try to crack it. What I'm hoping for is it will tell me something about your password practices, that if the password in there was

College 123 maybe the new password is 1 2 3 4 so I'm still going to try to crack that hash and you still wasted my time um one quick side note on this one of my favorite ways of dumping elas you tell Windows diagnostic utility that lsass.exe process has crashed and I need diagnostic information for it to be able to troubleshoot it and windows diagnostic utility will dump Elsas for you so that doesn't look too malicious um monitor the use of reg command in your environments why is Joe at front desk utilizing reg command should not be doing that but reg command is used quite often by us reg save hklm Sam R save hklm system to dump Sam and and LSA

credentials okay so monitor the use of that R command so that's it that is the top that is how you going to waste my time please do so we love it when when time is wasted because if I can show in my pentest report that it took me more time this year to get to where I got to than last year that's progress there's always going to be a breach there will be a breach it's just a matter of do you know there's a breach okay uh there's always going to be a pentest it's either you paid for the pentest with money or with your patient reords so utilizing good security hygiene uh utilizing some uh honey pots

to waste time, just expand that time that the attacker has to take to get to where they want to get to. And if I can show more time was taken on my end to get to where I got to, you can then go to your board of directors and say, hey look, we slowed them down, the money you gave us last year, it worked, now give us 2 million more, we want that brand new SIEM.

All right, questions.

So how do you balance between wasting time and getting your money's worth? If the pentester is going this way and you still have these vulnerabilities you're not made aware of, because...

It's a good question. The question is how do you balance time between, you paid the pentester for 40 hours, but what if they end up spending 10 hours just wasted because of honeypots? Two things. One, the time they wasted in your honeypots, you actually did get some of your money's worth, because you just verified your detection and response works. Two, we always like to have, at least, it's not common practice everywhere but I've seen more of this happen lately, open communication with the client, daily check-ins: hey, here's what we've gotten to. Also what we see our clients do, and we ask them to do, especially if we help them set up these honeypots, is if you see us in a honeypot and this is a pentest, you tell us, maybe about an hour later, tell us 30 minutes later, and send me a screenshot of that detection so I can put that in my report to show a positive measure that you caught it or you did something. So you can balance it by open communication, and let them know, don't just sit there and wait till the end, because of course they're going to get the money. Good question.

Yeah, how often are you actually seeing honey users? Is it more of like a one-off?

It's very few, very rare, unfortunately. The question is how often am I seeing honey hashes, honey users. So in my pentesting career I have only seen it maybe five times, and organizations are not doing it for multiple reasons. One, they don't know about it. Two, it still does take some time. It may be a free activity to set up, but it's going to take time to monitor it, you need to have a tool to monitor it. So not as much as I would like to, hence, please waste my time.

You have one in mind? I don't know, I want to... yes. So you mentioned you had put a tracking pixel in an email and got a hash. How did that hash go into... how did you get that hash?

So Outlook is looking to... so the question is how do I get that hash from Outlook. Well, the Outlook desktop client is going to be doing that NTLM hash handshake, because the tracking pixel is from a UNC path, so it's like a file share. It's like Outlook is accessing a file share to access that tracking pixel, and in Windows, whenever you access file shares, you hand over your NTLM hash to authenticate to it. Okay, so that's how I get the credential there.

Does that pixel have to be legitimate, or will it just try to, will it grab it anyway?

It will grab it anyway. In this case there was nothing on the other end, that's why you see that X and the weird icon. It could just be a small one-pixel something. You can do this in Microsoft Word too. In Microsoft Word you can add ActiveX controls, one of those ActiveX controls is Windows Media Player, so you can add Windows Media Player to Microsoft Word and you can have it access the video to load in the media player from a UNC path where your Responder is running, and you get the hash out. Also, there was a vulnerability recently where it was the ding, the audio that it plays for the calendar invite, that was loaded from a remote box, so you get the hash that way. I bet there's like 20 other ways to do this, I just don't know about them yet, and I'm sure that's going to be fun, but we find out.

Any other questions?

Yeah, one question I want to ask

So the question is regarding ADCS, Active Directory Certificate Services: do we see any red team activity against that, and what kind of detection and response is there for it? We are seeing red team activity against it, and especially with SpecterOps' Certified, I think it was like three, four years ago now, all these ESC vulnerabilities are talked about, so we are seeing more red team activity from there. What we are seeing also is pentesters don't go after it because they have 20 other things they could do. So the activity against ADCS, and recon activity, we generally only see in mature environments. Detection and response to that would be, maybe you don't need ADCS in the environment and you spin it up anyway and see who interacts with it. Maybe you do need ADCS but you are not needing any sort of NTLM communication against it, so you still spin up web enrollment and you see who's using it. Maybe you give... so one of the vulnerabilities that SpecterOps talked about in there was... I'm way away from the camera over here... so one of the activities I talked about was, you've got a user able to request a certificate for domain admin as a subject alternative name. Maybe you make a specific user vulnerable to that and then you monitor the activity of that user. So yeah, you can do that. Good question. What else?

What's your opinion as far as pentesting where you have an internal from a third party, where you put them, on your... put them in the data center, you put them...

So the question is where do you put a pentester in your environment: in a data center, user workstation environment, servers environment? I think it depends on what you're trying to do. If it's your very first time I would put them in the user workstation environment, because quite often, most, actually not quite often, more common than not, you're getting popped via phishing, so it's going to be a user that has a user workstation, maybe you start from there and then see if they can get to your servers, if their segmentation, does that work or not. Maybe next time you put them in the servers. And one thing I would suggest is don't do the same thing every year, modify it, do something different. Quite often we'll start with a complete black-box pentest, next time we'll do it with a domain user, next time maybe with a local admin, one time, quite often, that's one time, clients that are already mature sometimes will start with domain admin: what if you got domain admin, what controls do you have in place in the environment to stop domain admins or to slow them down? For example, does the domain admin really need access to your EMR? That should be something that biomed generally handles, not IT. So do you have controls against that? So modify your approach with the pentesters every year, and if they're like, no, there's only one thing we can do, find somebody else.

All right, thank you everybody. [Applause]
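The disabled decoy account and the reg save monitoring described in the talk, as added detection logic in Python (not code from the talk, Empire, or any tool it mentions): it assumes a simplified event shape carrying Windows Security log fields (EventID, TargetUserName, CommandLine, 4688 process creation with command-line auditing on), and the decoy account names and sample events are constructed.

```python
import re

# Disabled decoy local accounts seeded on several hosts (assumed names;
# the talk gives none). A disabled account has no legitimate logons, so
# any attempt means someone dumped SAM/LSASS and is replaying the hash.
HONEY_ACCOUNTS = {"svc_backup_old", "helpdesk_tmp"}

# Security event IDs whose TargetUserName is the account being tried:
# 4624 success, 4625 failure, 4776 NTLM validation, 4768/4771 Kerberos.
LOGON_EVENT_IDS = {4624, 4625, 4776, 4768, 4771}

# reg.exe saving/exporting the hives that hold SAM and LSA secrets, e.g.
# "reg save hklm\sam out.hiv" or "REG.EXE SAVE HKLM\SYSTEM sys.hiv".
REG_HIVE_DUMP = re.compile(
    r"\breg(?:\.exe)?\s+(?:save|export)\s+[\"']?hklm\\(?:sam|system|security)\b",
    re.IGNORECASE,
)


def classify(event):
    """Return an alert string for a suspicious event, or None."""
    eid = event.get("EventID")
    host = event.get("Computer", "?")
    if eid in LOGON_EVENT_IDS:
        user = event.get("TargetUserName", "").lower()
        if user in HONEY_ACCOUNTS:
            return f"honey account {user!r} used from {event.get('IpAddress', '?')} on {host}"
    if eid == 4688:  # process creation; needs command-line auditing enabled
        cmd = event.get("CommandLine", "")
        if REG_HIVE_DUMP.search(cmd):
            return f"registry hive dump by {event.get('SubjectUserName', '?')} on {host}: {cmd}"
    return None


def scan(events):
    """Run every event through classify() and keep the alerts."""
    return [alert for alert in map(classify, events) if alert]


# Constructed sample events, not real telemetry.
SAMPLE_EVENTS = [
    {"EventID": 4624, "Computer": "WS01", "TargetUserName": "jdoe", "IpAddress": "10.0.0.5"},
    {"EventID": 4776, "Computer": "DC01", "TargetUserName": "svc_backup_old", "IpAddress": "10.0.0.77"},
    {"EventID": 4688, "Computer": "WS01", "SubjectUserName": "jdoe",
     "CommandLine": "reg query HKLM\\Software\\Microsoft"},
    {"EventID": 4688, "Computer": "WS07", "SubjectUserName": "frontdesk",
     "CommandLine": "reg.exe save HKLM\\SAM C:\\Windows\\Temp\\sam.hiv"},
    {"EventID": 4625, "Computer": "FS01", "TargetUserName": "HELPDESK_TMP", "IpAddress": "10.0.0.77"},
]

if __name__ == "__main__":
    for alert in scan(SAMPLE_EVENTS):
        print(alert)
```

Both rules fire on failed as well as successful attempts, since a replayed hash for a disabled account shows up as a failure and is still the signal that matters.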