
2
00:00:05,360 –> 00:00:06,360
No one calls it that.
3
00:00:06,360 –> 00:00:12,080
They call it APP-INVOICE-02, a legacy web server that prints receipts and talks to
4
00:00:12,080 –> 00:00:13,080
SQL.
5
00:00:13,080 –> 00:00:19,640
A decade ago, to make single sign-on painless, someone enabled unconstrained delegation.
6
00:00:19,640 –> 00:00:20,640
It worked.
7
00:00:20,640 –> 00:00:21,640
It kept working.
8
00:00:21,640 –> 00:00:22,640
Time slowed around it.
9
00:00:22,640 –> 00:00:23,640
The furnace kept burning.
10
00:00:23,640 –> 00:00:28,280
Unconstrained delegation bends identity like a star that traps light.
11
00:00:28,280 –> 00:00:32,760
Any user who authenticates to the service leaves behind radiant heat.
12
00:00:32,760 –> 00:00:38,840
A TGT in memory, valid for hours, minted by the KDC, heavy with authority.
13
00:00:38,840 –> 00:00:43,520
The service can then request access tickets to anything the user could reach.
14
00:00:43,520 –> 00:00:45,680
Not evil, just physics.
15
00:00:45,680 –> 00:00:51,000
At 0918, a tier 2 user browses to the app; Kerberos does its honest work.
16
00:00:51,000 –> 00:00:55,440
The front end receives a service ticket for HTTP/APP-INVOICE-02.
17
00:00:55,440 –> 00:00:56,840
The furnace exhales.
18
00:00:56,840 –> 00:00:58,160
The user moves on.
19
00:00:58,160 –> 00:01:03,400
The TGT remains. In another room, an attacker holds local admin on the host from a forgotten
20
00:01:03,400 –> 00:01:04,400
software update.
21
00:01:04,400 –> 00:01:05,960
They do not need a zero-day.
22
00:01:05,960 –> 00:01:07,680
They only need to open the door.
23
00:01:07,680 –> 00:01:09,760
The furnace is already warmed.
24
00:01:09,760 –> 00:01:11,000
They read memory.
25
00:01:11,000 –> 00:01:13,600
Not a how to, but a truth.
26
00:01:13,600 –> 00:01:18,040
LSASS on an unconstrained delegate caches TGTs for convenience.
27
00:01:18,040 –> 00:01:19,960
The attacker does not pivot loudly.
28
00:01:19,960 –> 00:01:26,320
They listen to the process list, watch handles, and wait for a principal worth falling toward.
29
00:01:26,320 –> 00:01:31,480
At 0923, a service engineer logs on to check a spooler error.
30
00:01:31,480 –> 00:01:34,960
Their account is privileged on a mid-tier management server.
31
00:01:34,960 –> 00:01:36,280
The TGT appears.
32
00:01:36,280 –> 00:01:37,280
It glows.
33
00:01:37,280 –> 00:01:38,280
Lab echo.
34
00:01:38,280 –> 00:01:39,280
Low chime.
35
00:01:39,280 –> 00:01:40,880
Event 4769.
36
00:01:40,880 –> 00:01:44,720
HTTP app Invoice door 2 requests spike.
37
00:01:44,720 –> 00:01:45,720
Bass pulse.
38
00:01:45,720 –> 00:01:46,720
Sysmon 10.
39
00:01:46,720 –> 00:01:49,720
LSASS handle opened by unusual process.
40
00:01:49,720 –> 00:01:50,720
Ötacili.
41
00:01:50,720 –> 00:01:51,720
D.
42
00:01:51,720 –> 00:01:52,720
E.C.
43
00:01:52,720 –> 00:01:55,440
The telescope catches the heat signature.
44
00:01:55,440 –> 00:02:03,560
With the engineer’s TGT, the attacker requests a service ticket to CIFS/MGMT-FILE-01.
45
00:02:03,560 –> 00:02:05,640
The KDC obliges.
46
00:02:05,640 –> 00:02:08,640
The ticket is valid because physics says it is.
47
00:02:08,640 –> 00:02:12,280
On the file server, a script share holds deployment artifacts.
48
00:02:12,280 –> 00:02:18,960
A credential file, historical, forgotten, convenient, contains a gMSA fallback password
49
00:02:18,960 –> 00:02:22,080
from before the migration fully completed.
50
00:02:22,080 –> 00:02:23,920
Drift plus heat: doors open.
51
00:02:23,920 –> 00:02:25,320
They do not stop.
52
00:02:25,320 –> 00:02:29,680
The engineer’s group membership includes local admin on three patching servers.
53
00:02:29,680 –> 00:02:34,800
RDP is permitted from the app tier because convenience never argued with law.
54
00:02:34,800 –> 00:02:37,480
The attacker carries the warmth across.
55
00:02:37,480 –> 00:02:41,240
On PATCH-CORE-WEST, cached admin tokens linger.
56
00:02:41,240 –> 00:02:42,280
Identity bends further.
57
00:02:42,280 –> 00:02:44,200
The gravity well brightens.
58
00:02:44,200 –> 00:02:46,480
The target is still the singularity.
59
00:02:46,480 –> 00:02:50,840
A domain controller does not accept RDP, but it accepts trust.
60
00:02:50,840 –> 00:02:58,080
With the stolen warmth, the attacker asks the KDC for a service ticket to LDAP/DC02,
61
00:02:58,080 –> 00:02:59,720
the directory answers.
62
00:02:59,720 –> 00:03:05,480
Queries reveal group memberships, SPNs and, crucially, a backup service account with DS-Replication-
63
00:03:05,480 –> 00:03:06,480
Get-Changes.
64
00:03:06,480 –> 00:03:08,080
A supply route appears.
65
00:03:08,080 –> 00:03:10,680
The attacker does not have to abuse it now.
66
00:03:10,680 –> 00:03:11,680
They mark it.
67
00:03:11,680 –> 00:03:13,320
Momentum continues.
68
00:03:13,320 –> 00:03:14,560
Defense is ceremony.
69
00:03:14,560 –> 00:03:16,360
The furnace must go dark.
70
00:03:16,360 –> 00:03:18,280
We remove unconstrained delegation.
71
00:03:18,280 –> 00:03:20,400
Not a flag alone but a plan.
72
00:03:20,400 –> 00:03:26,560
We list principals with userAccountControl set to TRUSTED_FOR_DELEGATION.
73
00:03:26,560 –> 00:03:28,240
Expect breakage.
74
00:03:28,240 –> 00:03:34,000
Replace with constrained delegation, scoped to exact SPNs the app truly needs.
75
00:03:34,000 –> 00:03:38,560
HTTP to SQL’s MSSQLSvc, nothing else.
76
00:03:38,560 –> 00:03:39,560
Better.
77
00:03:39,560 –> 00:03:45,560
Flip to resource-based constrained delegation so SQL names the front end specifically.
78
00:03:45,560 –> 00:03:48,440
The target chooses who may bend toward it.
79
00:03:48,440 –> 00:03:50,360
The lens focuses.
80
00:03:50,360 –> 00:03:55,400
We deny interactive logon to the app’s service principal and the server itself.
81
00:03:55,400 –> 00:03:59,240
No one should check anything from its desktop.
82
00:03:59,240 –> 00:04:06,720
We isolate the host: dedicated VLAN, inbound only from the load balancer and the PAW management
83
00:04:06,720 –> 00:04:10,400
subnet, outbound only to SQL and a logging sink.
84
00:04:10,400 –> 00:04:13,880
Print Spooler off, SMB signing enforced.
85
00:04:13,880 –> 00:04:17,080
LDAP channel binding required.
86
00:04:17,080 –> 00:04:23,080
App control locks the process list so foreign hands cannot touch LSASS without leaving a scream.
87
00:04:23,080 –> 00:04:24,920
We rotate heat away.
88
00:04:24,920 –> 00:04:28,480
The app service identity becomes a gMSA.
89
00:04:28,480 –> 00:04:30,440
Secrets rotate as heartbeat.
90
00:04:30,440 –> 00:04:31,880
No human remembers.
91
00:04:31,880 –> 00:04:34,240
No sticky notes survive.
92
00:04:34,240 –> 00:04:36,720
We purge sticky credentials.
93
00:04:36,720 –> 00:04:38,480
Remove cached secrets.
94
00:04:38,480 –> 00:04:40,240
Disable WDigest.
95
00:04:40,240 –> 00:04:42,400
Enable LSA protection.
96
00:04:42,400 –> 00:04:49,440
We test: when a user authenticates, only a service ticket lands, not their TGT, and the furnace cools.
97
00:04:49,440 –> 00:04:51,160
We instrument lenses.
98
00:04:51,160 –> 00:04:59,080
Alert on event 4769 spikes for HTTP/APP-INVOICE-02, clustered by caller.
99
00:04:59,080 –> 00:05:04,240
Watch Sysmon 10 on the host for LSASS access from anything but the EDR lineage.
100
00:05:04,240 –> 00:05:08,160
Monitor 4738 for changes to delegation flags.
101
00:05:08,160 –> 00:05:16,280
5136 for edits to msDS-AllowedToDelegateTo and msDS-AllowedToActOnBehalfOfOther-
102
00:05:16,280 –> 00:05:17,680
Identity.
103
00:05:17,680 –> 00:05:24,120
In the SIEM, chord the song: HTTP SPN spike plus LSASS handle plus new service ticket to CIFS
104
00:05:24,120 –> 00:05:26,400
from the same source equals page now.
105
00:05:26,400 –> 00:05:28,040
We practice exit.
106
00:05:28,040 –> 00:05:34,600
If we discover heat in memory, we evict in order: quarantine the app, rotate the gMSA,
107
00:05:34,600 –> 00:05:40,640
reset any static service passwords discovered, invalidate tickets by forcing logoff on
108
00:05:40,640 –> 00:05:49,920
touched hosts, and if replication rights were used, schedule KRBTGT rotation twice, spaced
109
00:05:49,920 –> 00:05:52,640
by maximum ticket lifetime.
110
00:05:52,640 –> 00:05:58,040
We rebuild the app server from signed media rather than cleaning in place; cleansing rituals
111
00:05:58,040 –> 00:06:01,160
lie, rebuilds tell the truth.
112
00:06:01,160 –> 00:06:02,160
Humans adjust.
113
00:06:02,160 –> 00:06:03,880
The service engineer gets a PAW.
114
00:06:03,880 –> 00:06:06,880
They never RDP from tier 2 again.
115
00:06:06,880 –> 00:06:09,320
Change windows become real.
116
00:06:09,320 –> 00:06:11,640
Emergency access becomes JIT.
117
00:06:11,640 –> 00:06:14,400
Approved, logged, recorded.
118
00:06:14,400 –> 00:06:18,200
The team learns that unconstrained delegation was not convenience.
119
00:06:18,200 –> 00:06:19,480
It was gravity ignored.
120
00:06:19,480 –> 00:06:20,880
The observer speaks.
121
00:06:20,880 –> 00:06:22,040
I am the app tier.
122
00:06:22,040 –> 00:06:23,960
I cooled when you sealed the furnace.
123
00:06:23,960 –> 00:06:25,640
I focused when you tuned the mirror.
124
00:06:25,640 –> 00:06:27,200
I did not need to be interesting.
125
00:06:27,200 –> 00:06:29,040
I needed to obey.
126
00:06:29,040 –> 00:06:36,920
Low chime.
127
00:06:36,920 –> 00:06:40,160
Delegation, unconstrained, removed.
128
00:06:40,160 –> 00:06:41,160
RBCD applied.
129
00:06:41,160 –> 00:06:42,160
Bass pulse softens.
130
00:06:42,160 –> 00:06:43,160
gMSA rotation.
131
00:06:43,160 –> 00:06:44,160
Complete.
132
00:06:44,160 –> 00:06:45,160
Heat.
133
00:06:45,160 –> 00:06:46,160
Dissipates.
134
00:06:46,160 –> 00:06:47,160
The orbit holds.
135
00:06:47,160 –> 00:06:48,160
Stale KRBTGT.
136
00:06:48,160 –> 00:06:49,160
Golden ticket persistence.
137
00:06:49,160 –> 00:06:50,160
There is a clock at the centre of every forest.
138
00:06:50,160 –> 00:06:51,160
It is not on a wall.
139
00:06:51,160 –> 00:06:54,440
It beats inside the KRBTGT account.
140
00:06:54,440 –> 00:06:57,920
When that secret grows old, time itself slows.
141
00:06:57,920 –> 00:07:01,640
TGTs minted years ago still pass as present.
142
00:07:01,640 –> 00:07:05,000
Stale keys let memory impersonate the moment.
143
00:07:05,000 –> 00:07:08,840
That is how persistence survives cleansing rituals.
144
00:07:08,840 –> 00:07:10,840
The story begins quietly.
145
00:07:10,840 –> 00:07:13,240
DC02 shows routine.
146
00:07:13,240 –> 00:07:14,520
Users log on.
147
00:07:14,520 –> 00:07:15,520
Services hum.
148
00:07:15,520 –> 00:07:17,200
No alarm scream.
149
00:07:17,200 –> 00:07:20,920
But the KRBTGT password has not rotated in six years.
150
00:07:20,920 –> 00:07:24,720
Administrators plan to do it after the migration.
151
00:07:24,720 –> 00:07:28,560
Dungsh.
152
00:07:28,560 –> 00:07:30,560
The forest did not.
153
00:07:30,560 –> 00:07:37,200
At 0211, an intruder who has already reached replication privileges reads the directory,
154
00:07:37,200 –> 00:07:40,640
one DCSync, one quiet harvest.
155
00:07:40,640 –> 00:07:45,480
They collect KRBTGT’s current key and its previous key.
156
00:07:45,480 –> 00:07:49,040
Because the KDC must honor a small window of history.
157
00:07:49,040 –> 00:07:50,520
Two keys become a pen.
158
00:07:50,520 –> 00:07:52,120
With them the attacker forges time.
159
00:07:52,120 –> 00:07:53,560
They craft a golden ticket.
160
00:07:53,560 –> 00:07:54,560
Not a lottery.
161
00:07:54,560 –> 00:07:55,560
A claim.
162
00:07:55,560 –> 00:07:59,880
A TGT that asserts, “I am who I say I am.”
163
00:07:59,880 –> 00:08:01,840
Minted by your own authority.
164
00:08:01,840 –> 00:08:05,240
The KDC accepts because the cryptographic gravity agrees.
165
00:08:05,240 –> 00:08:10,920
The forged TGT can be given any name, any SID history, any group membership.
166
00:08:10,920 –> 00:08:12,640
Domain admin today.
167
00:08:12,640 –> 00:08:14,480
Enterprise admin at dawn.
168
00:08:14,480 –> 00:08:16,320
The directory does not argue.
169
00:08:16,320 –> 00:08:19,080
It recognizes its own handwriting.
170
00:08:19,080 –> 00:08:26,120
Lab echo, low chime. 4768 TGT issued to SVC-BACKUP-WEST at 0213.
171
00:08:26,120 –> 00:08:27,200
Bass pulse.
172
00:08:27,200 –> 00:08:28,200
No preceding
173
00:08:28,200 –> 00:08:31,040
4624 on any DC.
174
00:08:31,040 –> 00:08:33,320
The handwriting appears without the hand.
175
00:08:33,320 –> 00:08:36,560
With that golden ticket, the intruder does not ask politely.
176
00:08:36,560 –> 00:08:38,480
They ask authoritatively.
177
00:08:38,480 –> 00:08:40,400
They enumerate GPOs.
178
00:08:40,400 –> 00:08:44,160
Link a quiet policy that runs a startup script on a management server.
179
00:08:44,160 –> 00:08:46,440
Then remove the link minutes later.
180
00:08:46,440 –> 00:08:52,240
They create a user named SVC-TELEMETRY-NORTH with password never expires, tuck it into Backup
181
00:08:52,240 –> 00:08:54,600
Operators in an OU and vanish.
182
00:08:54,600 –> 00:08:56,400
The ticket is renewed on schedule.
183
00:08:56,400 –> 00:08:57,720
Nothing times out.
184
00:08:57,720 –> 00:08:59,360
Drift looks like continuity.
185
00:08:59,360 –> 00:09:01,240
No antivirus alarms.
186
00:09:01,240 –> 00:09:03,040
No brute force.
187
00:09:03,040 –> 00:09:05,040
Just curvature.
188
00:09:05,040 –> 00:09:07,520
Defense is time discipline.
189
00:09:07,520 –> 00:09:11,360
KRBTGT rotation is ritual, not folklore.
190
00:09:11,360 –> 00:09:16,120
Twice in sequence spaced by the maximum ticket lifetime in the domain.
191
00:09:16,120 –> 00:09:20,760
The first rotation invalidates all TGTs signed with the oldest key.
192
00:09:20,760 –> 00:09:25,920
The second rotation invalidates those signed with the first new key while the directory
193
00:09:25,920 –> 00:09:27,520
carried both.
194
00:09:27,520 –> 00:09:31,360
Only then is the pen taken away, but time resists.
195
00:09:31,360 –> 00:09:33,000
Before we rotate KRBTGT, we prepare.
196
00:09:33,000 –> 00:09:39,040
We verify DC health: replication convergence clean, lingering objects scrubbed, SYSVOL
197
00:09:39,040 –> 00:09:40,520
replicating.
198
00:09:40,520 –> 00:09:42,000
We announce windows.
199
00:09:42,000 –> 00:09:44,640
We checkpoint backups of system state.
200
00:09:44,640 –> 00:09:46,920
We document expected noise.
201
00:09:46,920 –> 00:09:48,400
Ticket renewal failures.
202
00:09:48,400 –> 00:09:51,120
One time reauthentication prompts.
203
00:09:51,120 –> 00:09:53,120
We plan for aftercare.
204
00:09:53,120 –> 00:09:54,120
Service restarts.
205
00:09:54,120 –> 00:09:58,640
gMSA refresh on sensitive services to align their keys with new trust.
206
00:09:58,640 –> 00:10:01,080
We execute with ceremony.
207
00:10:01,080 –> 00:10:07,280
On a tier 0 PAW, with change ticket in hand, a senior admin rotates KRBTGT using a tested
208
00:10:07,280 –> 00:10:12,960
script that writes logs, records timestamps and confirms replication.
209
00:10:12,960 –> 00:10:16,680
We wait the length of the maximum ticket lifetime plus a margin.
210
00:10:16,680 –> 00:10:19,800
Then we rotate again. Between passes we monitor.
211
00:10:19,800 –> 00:10:22,200
4768 volumes rise and fall.
212
00:10:22,200 –> 00:10:23,440
Authentication errors
213
00:10:23,440 –> 00:10:24,440
surface.
214
00:10:24,440 –> 00:10:29,760
We watch for any TGT that claims SID history or group memberships that do not match the
215
00:10:29,760 –> 00:10:30,760
directory.
216
00:10:30,760 –> 00:10:33,240
A forged sun still casts an odd shadow.
217
00:10:33,240 –> 00:10:35,240
We observe the noise that matters.
218
00:10:35,240 –> 00:10:38,720
Golden tickets often betray themselves in detail.
219
00:10:38,720 –> 00:10:45,040
Unusual logon IDs persisting across many hosts without interactive logons.
220
00:10:45,040 –> 00:10:50,560
4769 service ticket requests from identities with improbable group claims.
221
00:10:50,560 –> 00:10:57,800
4624 type 3 logons to sensitive servers from subnets that never hosted those accounts.
222
00:10:57,800 –> 00:11:01,040
Our SIEM hunts for TGT lifetimes that deviate.
223
00:11:01,040 –> 00:11:06,800
Tickets that appear with exact maximum lifetimes consistently without the jitter of real users.
224
00:11:06,800 –> 00:11:08,640
We pair rotation with hardening.
225
00:11:08,640 –> 00:11:13,560
We enable PAC validation on sensitive services that support it.
226
00:11:13,560 –> 00:11:17,400
Domain controllers, PKI, SQL that guards money.
227
00:11:17,400 –> 00:11:23,280
When a forged TGT carries claims that do not match AD, the service refuses to believe
228
00:11:23,280 –> 00:11:24,280
the lie.
229
00:11:24,280 –> 00:11:29,080
We shorten TGT and service ticket lifetimes for critical accounts.
230
00:11:29,080 –> 00:11:32,000
Stolen light decays faster.
231
00:11:32,000 –> 00:11:35,360
We ensure time is true, NTP disciplined.
232
00:11:35,360 –> 00:11:38,520
So ticket windows are law, not suggestion.
233
00:11:38,520 –> 00:11:41,960
We clean the scaffolding that gave birth to persistence.
234
00:11:41,960 –> 00:11:45,040
We audit who can replicate directory changes.
235
00:11:45,040 –> 00:11:49,920
Backup software that does DCSync uses dedicated accounts with only DS-Replication-Get-Changes
236
00:11:49,920 –> 00:11:52,520
and DS-Replication-Get-Changes-All.
237
00:11:52,520 –> 00:11:55,200
Constrained logon rights and alerting on use.
238
00:11:55,200 –> 00:11:58,760
We remove helpful service accounts from broad admin groups.
239
00:11:58,760 –> 00:12:00,360
We attest memberships monthly.
240
00:12:00,360 –> 00:12:02,200
Shadow admins lose their pen.
241
00:12:02,200 –> 00:12:04,600
Humans learn a new metronome.
242
00:12:04,600 –> 00:12:12,200
KRBTGT rotation becomes calendared twice per year or aligned to significant change windows.
243
00:12:12,200 –> 00:12:13,760
Scripts live in source control.
244
00:12:13,760 –> 00:12:16,680
Dry runs occur in a lab with recorded outcomes.
245
00:12:16,680 –> 00:12:22,480
A rollback plan exists but is rarely needed because we practiced under starlight first.
246
00:12:22,480 –> 00:12:28,480
We accept minor discomfort rather than wake to a universe redrawn by a forged ticket.
247
00:12:28,480 –> 00:12:30,680
Lab echo low chime.
248
00:12:30,680 –> 00:12:37,440
KRBTGT rotation pass 1 at 2100, replicated to 100%.
249
00:12:37,440 –> 00:12:44,160
Soft tick. Pass 2 at 2300, 4768 returns to baseline.
250
00:12:44,160 –> 00:12:45,480
Bass pulse fades.
251
00:12:45,480 –> 00:12:48,480
PAC validation enabled on DCs and SQL-FIN.
252
00:12:48,480 –> 00:12:49,720
The observer speaks.
253
00:12:49,720 –> 00:12:50,720
I am the KDC.
254
00:12:50,720 –> 00:12:52,160
I forgot nothing.
255
00:12:52,160 –> 00:12:55,560
I accepted the key you refused to change.
256
00:12:55,560 –> 00:12:58,760
When you moved time forward, I stopped honoring ghosts.
257
00:12:58,760 –> 00:13:00,320
Golden tickets are not sorcery.
258
00:13:00,320 –> 00:13:02,520
They are courtesy extended too long.
259
00:13:02,520 –> 00:13:03,520
Rotate the key.
260
00:13:03,520 –> 00:13:04,520
Shorten the night.
261
00:13:04,520 –> 00:13:06,120
Bind claims to truth.
262
00:13:06,120 –> 00:13:09,320
Gravity obeys the clock we keep.
263
00:13:09,320 –> 00:13:11,080
Overprivileged backup service.
264
00:13:11,080 –> 00:13:12,080
DCSync.
265
00:13:12,080 –> 00:13:13,640
Backups are memory.
266
00:13:13,640 –> 00:13:16,600
But when memory can write the present it becomes power.
267
00:13:16,600 –> 00:13:19,960
The service was named SVC-BACKUP-WEST.
268
00:13:19,960 –> 00:13:21,960
Harmless on paper.
269
00:13:21,960 –> 00:13:26,680
It belonged to the team that kept nights quiet and mornings predictable.
270
00:13:26,680 –> 00:13:31,280
Years ago, a vendor guide suggested generous rights to ensure consistent backups.
271
00:13:31,280 –> 00:13:33,400
The suggestion calcified into policy.
272
00:13:33,400 –> 00:13:36,960
The account gained membership where it did not belong.
273
00:13:36,960 –> 00:13:38,880
Domain admin for a weekend.
274
00:13:38,880 –> 00:13:41,040
Then backup operators forever.
275
00:13:41,040 –> 00:13:46,960
Then a quiet ACE on the domain root granting DS-Replication-Get-Changes and DS-Replication-
276
00:13:46,960 –> 00:13:49,240
Get-Changes-All.
277
00:13:49,240 –> 00:13:51,200
Persistence masquerading as reliability.
278
00:13:51,200 –> 00:13:53,560
At 0143, routine began.
279
00:13:53,560 –> 00:13:59,480
The agent on MGMT-BACKUP-02 connected to domain controllers for VSS snapshots and metadata
280
00:13:59,480 –> 00:14:00,480
harvest.
281
00:14:00,480 –> 00:14:01,800
No one questioned the scope.
282
00:14:01,800 –> 00:14:03,600
The logs told the story of diligence.
283
00:14:03,600 –> 00:14:06,720
Beneath, the directory exposed a second story.
284
00:14:06,720 –> 00:14:13,560
With those replication rights, SVC-BACKUP-WEST could ask domain controllers to replicate secrets.
285
00:14:13,560 –> 00:14:15,560
Not files, not policy secrets.
286
00:14:15,560 –> 00:14:17,640
NTDS content rendered as hashes and keys.
287
00:14:17,640 –> 00:14:19,240
DCSync is not malware.
288
00:14:19,240 –> 00:14:22,840
It is the directory obeying a request it trusts.
289
00:14:22,840 –> 00:14:25,400
The intruder did not need to break the vault.
290
00:14:25,400 –> 00:14:27,640
They needed to learn the vault’s language.
291
00:14:27,640 –> 00:14:33,560
From a compromised tier one host where the backup console lived, they observed scheduled tasks,
292
00:14:33,560 –> 00:14:36,280
service configurations and token groups.
293
00:14:36,280 –> 00:14:39,600
SVC-BACKUP-WEST authenticated to the console service.
294
00:14:39,600 –> 00:14:44,320
Its token glowed with rights that bent gravity.
295
00:14:44,320 –> 00:14:49,640
The attacker borrowed that token, no step by step, only physics, and walked to a domain
296
00:14:49,640 –> 00:14:55,000
controller’s LDAP endpoint to ask for replication metadata.
297
00:14:55,000 –> 00:15:05,120
Lab echo, low chime. 4662 DS-Replication-Get-Changes by CN=SVC-BACKUP-WEST. Bass pulse,
298
00:15:05,120 –> 00:15:09,920
no change window, source MGMT-BACKUP-02.
299
00:15:09,920 –> 00:15:11,480
The fabric shuddered.
300
00:15:11,480 –> 00:15:16,480
Hashes began to flow, not in files, but as replicated attributes.
301
00:15:16,480 –> 00:15:19,040
Users, administrators.
302
00:15:19,040 –> 00:15:24,040
The attacker did not need to crack them tonight.
303
00:15:24,040 –> 00:15:28,880
They archived the harvest in a quiet share under a name that looked like retention.
304
00:15:28,880 –> 00:15:34,880
With one chord, they bought time and options: pass the hash, offline cracking, forging tickets
305
00:15:34,880 –> 00:15:37,120
if KRBTGT stayed old.
306
00:15:37,120 –> 00:15:41,920
Overprivilege had turned memory into a pen that could rewrite the map.
307
00:15:41,920 –> 00:15:43,920
Defense begins with humility.
308
00:15:43,920 –> 00:15:46,640
Backups do not need to impersonate gods.
309
00:15:46,640 –> 00:15:47,960
They need a narrow lens.
310
00:15:47,960 –> 00:15:49,760
We redraw rights on principle.
311
00:15:49,760 –> 00:15:53,280
The backup service account becomes unprivileged by default.
312
00:15:53,280 –> 00:15:57,640
It receives exactly the application roles required by the product.
313
00:15:57,640 –> 00:16:03,560
Access to VSS on members via local group membership, read only to necessary shares.
314
00:16:03,560 –> 00:16:11,960
And if directory object backups are needed, AD recycle bin and granular exports, not replication.
315
00:16:11,960 –> 00:16:17,520
Where the product previously used DCSync, we replace it with an agent model that reads from
316
00:16:17,520 –> 00:16:22,720
endpoints using endpoint-specific credentials, never from the KDC’s heart.
317
00:16:22,720 –> 00:16:24,960
We strip the directory of shadow grants.
318
00:16:24,960 –> 00:16:31,760
On the domain root, we remove any ACEs that assign DS-Replication-Get-Changes to service
319
00:16:31,760 –> 00:16:37,440
principals that are not domain controllers or dedicated replication monitors.
320
00:16:37,440 –> 00:16:40,960
We audit 4662 noise,
321
00:16:40,960 –> 00:16:47,200
listing principals with those rights and forcing a change request for each that claims business
322
00:16:47,200 –> 00:16:48,200
need.
323
00:16:48,200 –> 00:16:49,720
Most will be artifacts.
324
00:16:49,720 –> 00:16:51,600
Artifacts do not get to bend gravity.
325
00:16:51,600 –> 00:16:53,880
We reduce standing privilege further.
326
00:16:53,880 –> 00:16:59,800
SVC-BACKUP-WEST becomes a gMSA, scoped to the exact backup servers.
327
00:16:59,800 –> 00:17:04,480
Denied interactive logon, denied RDP, denied local logon everywhere.
328
00:17:04,480 –> 00:17:10,360
It holds no membership in Domain Admins, Backup Operators on domain controllers, or built-in
329
00:17:10,360 –> 00:17:11,880
operators at all.
330
00:17:11,880 –> 00:17:16,080
It receives logon as a service on backup hosts and only that.
331
00:17:16,080 –> 00:17:21,840
If a backup product demands elevated rights for system state on member servers, we scope via
332
00:17:21,840 –> 00:17:25,720
GPO to those servers, never domain controllers.
333
00:17:25,720 –> 00:17:32,040
For DC backups, we use Windows Server Backup scheduled tasks that run as local SYSTEM on
334
00:17:32,040 –> 00:17:38,560
each DC, writing to an isolated repository that backup servers pull from, pulling files,
335
00:17:38,560 –> 00:17:39,760
not rights.
336
00:17:39,760 –> 00:17:42,320
We place controls around replication.
337
00:17:42,320 –> 00:17:45,680
Directory replication monitoring becomes ceremony.
338
00:17:45,680 –> 00:17:52,080
4662 events for replication rights are forwarded in real time to a channel under watch.
339
00:17:52,080 –> 00:17:55,200
First use by any principal in a quarter triggers a page.
340
00:17:55,200 –> 00:18:00,800
We tag principals with allowed windows for DCSync, ideally none, and we script a daily check
341
00:18:00,800 –> 00:18:04,400
that validates the ACLs on the domain root against a baseline.
342
00:18:04,400 –> 00:18:06,800
Any drift becomes a ticket, not a footnote.
343
00:18:06,800 –> 00:18:09,440
We instrument the hosts that bridge worlds.
344
00:18:09,440 –> 00:18:14,560
Backup servers live on a management VLAN with no outbound to domain controllers, except
345
00:18:14,560 –> 00:18:16,960
documented ports for required operations.
346
00:18:16,960 –> 00:18:19,400
They do not initiate LDAP to DCs.
347
00:18:19,400 –> 00:18:24,280
They cannot reach SYSVOL via SMB except for specific export tasks.
348
00:18:24,280 –> 00:18:27,160
Application control denies unauthorized tools.
349
00:18:27,160 –> 00:18:28,400
Sysmon sings.
350
00:18:28,400 –> 00:18:31,000
Event 1 for process ancestry.
351
00:18:31,000 –> 00:18:34,080
Event 3 for unexpected beams to DCs.
352
00:18:34,080 –> 00:18:37,080
Event 10 on those servers becomes a siren.
353
00:18:37,080 –> 00:18:39,520
If LSASS is touched at all.
354
00:18:39,520 –> 00:18:40,520
SIEM correlates.
355
00:18:40,520 –> 00:18:45,760
4662 plus Sysmon 3 from backup server to DC equals gravity failure.
356
00:18:45,760 –> 00:18:48,560
We reconcile business desire with physics.
357
00:18:48,560 –> 00:18:53,720
If leadership insists the backup team must recover bare metal domain controllers from a central
358
00:18:53,720 –> 00:18:56,160
console, we design a ceremony.
359
00:18:56,160 –> 00:19:03,280
A break glass identity that grants temporary replication rights via JIT, approved by two
360
00:19:03,280 –> 00:19:08,520
humans, time-boxed to an hour, logged loudly.
361
00:19:08,520 –> 00:19:11,080
After the window, rights evaporate; the default is no.
362
00:19:11,080 –> 00:19:12,920
The exception is recorded starlight.
363
00:19:12,920 –> 00:19:14,080
We repair culture.
364
00:19:14,080 –> 00:19:17,160
Vendor guides are reviewed by tier architects.
365
00:19:17,160 –> 00:19:22,320
“Grant domain admin” becomes an automatic denial with a path to success that does not bend
366
00:19:22,320 –> 00:19:23,320
the core.
367
00:19:23,320 –> 00:19:24,600
The backup team gains a PAW.
368
00:19:24,600 –> 00:19:26,560
Their consoles enforce MFA.
369
00:19:26,560 –> 00:19:30,400
Their service accounts rotate independently of human cycles.
370
00:19:30,400 –> 00:19:36,000
Quarterly, the team restores a domain controller in a lab using the current method and proves
371
00:19:36,000 –> 00:19:40,280
that no replication rights beyond DC internals are needed.
372
00:19:40,280 –> 00:19:42,720
Proof replaces folklore.
373
00:19:42,720 –> 00:19:45,200
Lab echo, low chime.
374
00:19:45,200 –> 00:19:49,360
4662: no non-DC principals present.
375
00:19:49,360 –> 00:19:50,840
Soft tick.
376
00:19:50,840 –> 00:19:54,760
gMSA SVC-BACKUP-WEST rotated.
377
00:19:54,760 –> 00:19:56,600
Logon rights constrained.
378
00:19:56,600 –> 00:20:01,480
Bass pulse fades. Backup servers’ LDAP blocked.
379
00:20:01,480 –> 00:20:04,280
Pull-only pattern enforced.
380
00:20:04,280 –> 00:20:05,680
The observer speaks.
381
00:20:05,680 –> 00:20:07,280
I am the directory.
382
00:20:07,280 –> 00:20:10,320
I will replicate when asked by those I trust.
383
00:20:10,320 –> 00:20:12,160
Teach me who deserves that trust.
384
00:20:12,160 –> 00:20:13,680
Remove the rest.
385
00:20:13,680 –> 00:20:15,440
Backups protect memory.
386
00:20:15,440 –> 00:20:19,080
They should never be allowed to rewrite the present.
387
00:20:19,080 –> 00:20:21,720
Local admin reuse: pass-the-hash chain.
388
00:20:21,720 –> 00:20:23,600
There is a corridor that looks harmless.
389
00:20:23,600 –> 00:20:26,240
It is called local administrator.
390
00:20:26,240 –> 00:20:31,040
It exists on every workstation, every server, because convenience once said, we will fix it
391
00:20:31,040 –> 00:20:32,040
later.
392
00:20:32,040 –> 00:20:33,440
Later did not arrive.
393
00:20:33,440 –> 00:20:34,440
Time dilated.
394
00:20:34,440 –> 00:20:36,600
The passwords stayed the same.
395
00:20:36,600 –> 00:20:40,880
At 0806, a finance workstation stalls on an invoice macro.
396
00:20:40,880 –> 00:20:42,560
An employee calls for help.
397
00:20:42,560 –> 00:20:48,920
A technician remote assists and in haste logs on with a shared local admin that the team
398
00:20:48,920 –> 00:20:51,400
only uses for emergencies.
399
00:20:51,400 –> 00:20:56,040
The password is strong, but identical across 100 machines.
400
00:20:56,040 –> 00:20:58,600
Strength without uniqueness is mass without orbit.
401
00:20:58,600 –> 00:21:00,240
An intruder watches from the edge.
402
00:21:00,240 –> 00:21:05,400
They already hold user context on the workstation from a phishing link the day before.
403
00:21:05,400 –> 00:21:08,320
They do not need to read memory with poetry.
404
00:21:08,320 –> 00:21:11,800
The moment a local admin logon occurs, the beam brightens.
405
00:21:11,800 –> 00:21:13,120
The SAM holds a hash.
406
00:21:13,120 –> 00:21:17,800
The network will accept that hash as a token wherever the same secret governs.
407
00:21:17,800 –> 00:21:19,240
Pass the hash is not glamour.
408
00:21:19,240 –> 00:21:22,000
It is a handshake with no sight,
409
00:21:22,000 –> 00:21:23,280
only weight.
410
00:21:23,280 –> 00:21:25,400
Lab echo, low chime.
411
00:21:25,400 –> 00:21:31,960
4624 local logon as Administrator on WS-FIN-114.
412
00:21:31,960 –> 00:21:32,960
Bass pulse.
413
00:21:32,960 –> 00:21:35,160
Sysmon 10 absent.
414
00:21:35,160 –> 00:21:36,960
Restricted admin disabled.
415
00:21:36,960 –> 00:21:39,680
And the corridor opens.
416
00:21:39,680 –> 00:21:45,840
On a second host in accounting, remote UAC is disabled by an old GPO that valued scripts
417
00:21:45,840 –> 00:21:46,840
over safety.
418
00:21:46,840 –> 00:21:49,920
The intruder presents the administrator hash over SMB.
419
00:21:49,920 –> 00:21:51,160
No password is revealed.
420
00:21:51,160 –> 00:21:53,720
The target cannot tell the difference.
421
00:21:53,720 –> 00:21:55,040
ADMIN$ opens.
422
00:21:55,040 –> 00:21:57,760
A service is created with a quiet name.
423
00:21:57,760 –> 00:21:59,720
A payload runs as SYSTEM.
424
00:21:59,720 –> 00:22:01,000
Two stars align.
425
00:22:01,000 –> 00:22:02,600
The chain does not stop.
426
00:22:02,600 –> 00:22:08,240
A file server in the same subnet, built from the same image, carries the same local admin
427
00:22:08,240 –> 00:22:09,480
secret.
428
00:22:09,480 –> 00:22:11,440
The intruder repeats the handshake.
429
00:22:11,440 –> 00:22:12,440
SMB.
430
00:22:12,440 –> 00:22:13,440
Then a service.
431
00:22:13,440 –> 00:22:14,440
Then a shell.
432
00:22:14,440 –> 00:22:19,880
On the file server they find a maintenance script that includes a network credential for a service
433
00:22:19,880 –> 00:22:22,800
account with local admin on three app servers.
434
00:22:22,800 –> 00:22:24,880
The gravity increases.
435
00:22:24,880 –> 00:22:31,920
What began as a shared local admin becomes a skeleton key that leaps tiers.
436
00:22:31,920 –> 00:22:34,000
Lab echo, low chime.
437
00:22:34,000 –> 00:22:41,080
Event 7045, new service SystemTelemetryHost on FS-FIN02.
438
00:22:41,080 –> 00:22:42,560
Bass pulse.
439
00:22:42,560 –> 00:22:50,640
Event 4624 type 3 from WS-FIN114 to FS-FIN02.
440
00:22:50,640 –> 00:22:52,160
Account: Administrator.
441
00:22:52,160 –> 00:22:57,720
The constellation straightens into a line. On APP-LEDGER, the same pattern holds.
442
00:22:57,720 –> 00:23:02,040
Local administrator reuse persists defended by folklore.
443
00:23:02,040 –> 00:23:04,040
“We need a common break glass.”
444
00:23:04,040 –> 00:23:06,040
The intruder writes the hash across.
445
00:23:06,040 –> 00:23:10,560
With local SYSTEM, they extract a cached credential for a deployment tool that holds
446
00:23:10,560 –> 00:23:12,560
rights on a management server.
447
00:23:12,560 –> 00:23:18,600
A short hop later, they sit near Tier 1 controls. One more reuse, one more handshake,
448
00:23:18,600 –> 00:23:22,560
and they gain local admin on a jump host that touches backups.
449
00:23:22,560 –> 00:23:24,000
Drift becomes collapse.
450
00:23:24,000 –> 00:23:25,520
The fix is not a sermon.
451
00:23:25,520 –> 00:23:27,280
It is LAPS.
452
00:23:27,280 –> 00:23:33,800
The Local Administrator Password Solution turns the same name into unique gravity per host.
453
00:23:33,800 –> 00:23:36,480
Each machine holds a different secret.
454
00:23:36,480 –> 00:23:43,560
The directory stores it in a shielded attribute readable only by a small, audited group.
455
00:23:43,560 –> 00:23:44,560
Rotation is heartbeat.
456
00:23:44,560 –> 00:23:46,040
Every rotation breaks the line.
457
00:23:46,040 –> 00:23:50,120
A captured hash does not travel because no two stars share the same mass.
458
00:23:50,120 –> 00:23:52,280
We enforce remote UAC.
459
00:23:52,280 –> 00:23:57,200
When a local admin from a remote machine attempts to touch ADMIN$, the system strips
460
00:23:57,200 –> 00:24:02,680
the elevated token unless the caller presents a domain credential in the local Administrators
461
00:24:02,680 –> 00:24:03,680
group.
462
00:24:03,680 –> 00:24:05,240
Silent privilege does not cross the room.
463
00:24:05,240 –> 00:24:08,880
We pair with SMB signing so relays cannot impersonate proximity.
464
00:24:08,880 –> 00:24:14,480
We enable Restricted Admin or Remote Credential Guard for RDP from PAWs, so administrative
465
00:24:14,480 –> 00:24:17,320
secrets do not land on destinations.
466
00:24:17,320 –> 00:24:18,680
And we end the habit.
467
00:24:18,680 –> 00:24:21,680
No local administrator logons from tier two.
468
00:24:21,680 –> 00:24:22,680
Ever.
469
00:24:22,680 –> 00:24:24,680
We change images at the source.
470
00:24:24,680 –> 00:24:27,320
Gold builds no longer bake a shared secret.
471
00:24:27,320 –> 00:24:28,880
Sysprep completes.
472
00:24:28,880 –> 00:24:33,520
LAPS initializes on first boot; rotation begins before the host joins production.
473
00:24:33,520 –> 00:24:39,280
GPO denies local administrator network logon on servers unless the caller is a break
474
00:24:39,280 –> 00:24:43,640
glass identity from Tier 0, used through a jump host with recording.
475
00:24:43,640 –> 00:24:47,120
We remove the local IT admins group from images.
476
00:24:47,120 –> 00:24:52,760
We assign rights by policy to named domain groups scoped by OU.
477
00:24:52,760 –> 00:24:55,360
Detection hears the chain as rhythm.
478
00:24:55,360 –> 00:24:57,360
4624.
479
00:24:57,360 –> 00:25:03,480
Type three from workstations into servers by administrator is a page, not a report.
480
00:25:03,480 –> 00:25:07,760
7045, new services outside change windows, are glass shattering.
481
00:25:07,760 –> 00:25:11,400
Sysmon 3 shows SMB beams from unusual subnets.
482
00:25:11,400 –> 00:25:16,440
Correlate 4624 type 3 with 7045 within minutes.
483
00:25:16,440 –> 00:25:23,720
Add 4697, if available, for service installs; include 4672 if privilege appears where it should
484
00:25:23,720 –> 00:25:24,720
not.
485
00:25:24,720 –> 00:25:27,600
Tag hosts by LAPS status.
486
00:25:27,600 –> 00:25:34,080
If a host without LAPS generates ADMIN$ connections into many peers, the SIEM declares
487
00:25:34,080 –> 00:25:35,080
drift.
488
00:25:35,080 –> 00:25:39,160
We plan the break: rolling out LAPS in a living enterprise is surgery.
489
00:25:39,160 –> 00:25:41,120
We inventory local admin presence.
490
00:25:41,120 –> 00:25:43,200
We test with a pilot OU.
491
00:25:43,200 –> 00:25:45,200
We train the help desk.
492
00:25:45,200 –> 00:25:48,840
Retrieve LAPS passwords through a delegated tool.
493
00:25:48,840 –> 00:25:52,040
Log the access and never copy into tickets.
494
00:25:52,040 –> 00:25:55,040
We schedule rotation after installation.
495
00:25:55,040 –> 00:25:58,120
We audit who can read the attribute and tighten it to the minimum.
496
00:25:58,120 –> 00:26:01,880
We set a policy that LAPS is a condition of network membership.
497
00:26:01,880 –> 00:26:03,680
Non-compliant hosts are quarantined.
498
00:26:03,680 –> 00:26:05,960
We retire myths.
499
00:26:05,960 –> 00:26:11,760
“We need the same admin everywhere for emergencies” becomes “we need JIT rights to the one host in
500
00:26:11,760 –> 00:26:12,760
trouble.”
501
00:26:12,760 –> 00:26:19,920
PAM grants time-boxed local admin on a single machine, then automatically revokes it.
502
00:26:19,920 –> 00:26:23,320
“We need to push a script across all servers” becomes:
503
00:26:23,320 –> 00:26:27,440
“We use a management plane with authenticated agents and certificates.”
504
00:26:27,440 –> 00:26:29,600
The story we tell ourselves changes.
505
00:26:29,600 –> 00:26:31,240
The physics does not.
506
00:26:31,240 –> 00:26:32,480
Lab echo.
507
00:26:32,480 –> 00:26:34,360
Low chime.
508
00:26:34,360 –> 00:26:36,480
LAPS rotation.
509
00:26:36,480 –> 00:26:39,760
WS-FIN114.
510
00:26:39,760 –> 00:26:42,760
New password set.
511
00:26:42,760 –> 00:26:45,520
Bass pulse softens.
512
00:26:45,520 –> 00:26:48,120
Remote UAC enforced.
513
00:26:48,120 –> 00:26:53,680
ADMIN$ denied for local administrator from workstation subnet.
514
00:26:53,680 –> 00:26:56,520
The line of stars breaks into islands.
515
00:26:56,520 –> 00:26:58,240
The observer speaks.
516
00:26:58,240 –> 00:26:59,640
I am the corridor.
517
00:26:59,640 –> 00:27:01,880
I narrowed when you made every door unique.
518
00:27:01,880 –> 00:27:04,880
I resisted when you taught tokens not to travel.
519
00:27:04,880 –> 00:27:06,560
I did not need to be clever.
520
00:27:06,560 –> 00:27:08,520
I needed to refuse sameness.
521
00:27:08,520 –> 00:27:11,880
Pass the hash is gravity exploiting repetition.
522
00:27:11,880 –> 00:27:12,880
End the repetition.
523
00:27:12,880 –> 00:27:14,400
Make each mass its own.
524
00:27:14,400 –> 00:27:19,520
The chain falls apart because it cannot find the next identical door.
525
00:27:19,520 –> 00:27:20,920
Disabled SMB signing.
526
00:27:20,920 –> 00:27:22,120
NTLM relay.
527
00:27:22,120 –> 00:27:24,240
There is an old current moving under modern names.
528
00:27:24,240 –> 00:27:25,640
It is called NTLM.
529
00:27:25,640 –> 00:27:30,760
When SMB signing sleeps, that current becomes a river that carries lies.
530
00:27:30,760 –> 00:27:32,320
It begins as convenience.
531
00:27:32,320 –> 00:27:36,000
A print server built years ago still runs the spooler.
532
00:27:36,000 –> 00:27:41,880
File servers accept connections from everywhere because users need shares.
533
00:27:41,880 –> 00:27:46,080
Somewhere, a GPO meant to enforce SMB signing drifted.
534
00:27:46,080 –> 00:27:49,680
On clients, RequireSecuritySignature is not configured.
535
00:27:49,680 –> 00:27:54,600
On servers, EnableSecuritySignature is set but RequireSecuritySignature is not.
536
00:27:54,600 –> 00:27:57,000
Negotiation becomes hope, and hope is not gravity.
537
00:27:57,000 –> 00:28:03,720
At 1032, an attacker sitting inside the workstation tier watches name resolution and authentication
538
00:28:03,720 –> 00:28:05,440
flow like tides.
539
00:28:05,440 –> 00:28:09,440
They cannot see passwords, but they can shape paths.
540
00:28:09,440 –> 00:28:15,160
The coercion is ancient: a print notification request, a SpoolSample callback, an HTTP
541
00:28:15,160 –> 00:28:21,600
401 with Negotiate/NTLM dangling like bait, an LLMNR whisper that says, “I know that
542
00:28:21,600 –> 00:28:22,400
name.”
543
00:28:22,400 –> 00:28:27,280
The target answers because legacy speaks softly and people are busy.
544
00:28:27,280 –> 00:28:30,240
The relay works because proximity is faked.
545
00:28:30,240 –> 00:28:32,520
The attacker does not need to know the secret.
546
00:28:32,520 –> 00:28:36,400
They only need the server to trust the weight of a challenge response.
547
00:28:36,400 –> 00:28:41,760
Without SMB signing, the file server cannot tell whether the caller is at the door or behind
548
00:28:41,760 –> 00:28:43,440
a mask.
549
00:28:43,440 –> 00:28:49,560
The message arrives, the signature is absent, the server shrugs and accepts. Physics
550
00:28:49,560 –> 00:29:00,840
without integrity accepts whatever has mass. Lab echo, low chime. Event 4776, NTLM authentication
551
00:29:00,840 –> 00:29:07,680
from WSMKT217 to FS-OPS03.
552
00:29:07,680 –> 00:29:16,920
Bass pulse. Sysmon 3, SMB connection from 10.42.6.51 to FS-OPS03, unsigned.
553
00:29:16,920 –> 00:29:18,240
The orbit tilts.
554
00:29:18,240 –> 00:29:25,600
On FS-OPS03, the attacker relays the workstation’s NTLM handshake and lands as that user, or when
555
00:29:25,600 –> 00:29:31,440
fortune is cruel, as a helpdesk account with local admin rights that once mapped drives
556
00:29:31,440 –> 00:29:32,840
for a script.
557
00:29:32,840 –> 00:29:34,960
They do not log on interactively.
558
00:29:34,960 –> 00:29:36,240
They do not crack a hash.
559
00:29:36,240 –> 00:29:40,680
They create a service with a name that blends: SystemUpdateHost.
560
00:29:40,680 –> 00:29:46,440
It starts as SYSTEM, writes a payload to C:\ProgramData\Diagnostics and calls home.
561
00:29:46,440 –> 00:29:48,360
One hop becomes a foothold.
562
00:29:48,360 –> 00:29:51,240
From there the river flows into deeper channels.
563
00:29:51,240 –> 00:29:56,400
The file server connects to a management share on APP-DEPLOY with a scheduled task that
564
00:29:56,400 –> 00:29:57,640
runs every hour.
565
00:29:57,640 –> 00:30:01,800
The attacker relays again, this time using the file server’s machine account because in
566
00:30:01,800 –> 00:30:04,160
some places that identity holds keys.
567
00:30:04,160 –> 00:30:06,160
SMB signing is absent there too.
568
00:30:06,160 –> 00:30:11,520
With machine trust, they write a DLL into a path the deployment tool loads at start-up.
569
00:30:11,520 –> 00:30:13,400
On the hour, the tool obliges.
570
00:30:13,400 –> 00:30:17,680
The mask now speaks in the management tier’s voice.
571
00:30:17,680 –> 00:30:21,440
Lab echo.
572
00:30:21,440 –> 00:30:28,920
Event 7045, new service SystemUpdateHost on FS-OPS03.
573
00:30:28,920 –> 00:30:36,800
Soft tick. Sysmon 11, file created under C:\ProgramData\Diagnostics. Bass pulse.
574
00:30:36,800 –> 00:30:46,160
Event 4776 cluster: FS-OPS03, APP-DEPLOY, unsigned SMB.
575
00:30:46,160 –> 00:30:49,080
The control is simple and absolute.
576
00:30:49,080 –> 00:30:50,840
SMB signing.
577
00:30:50,840 –> 00:30:54,400
When enforced, the server demands integrity for each message.
578
00:30:54,400 –> 00:30:58,440
Every packet carries a signature derived from the session key.
579
00:30:58,440 –> 00:31:01,040
Relayed messages lose their costume.
580
00:31:01,040 –> 00:31:05,000
They cannot forge the signature without the shared truth.
581
00:31:05,000 –> 00:31:06,880
Negotiation no longer accepts charm.
582
00:31:06,880 –> 00:31:07,880
It asks for proof.
583
00:31:07,880 –> 00:31:09,480
We set policy, not hope.
584
00:31:09,480 –> 00:31:14,040
On domain controllers and servers, RequireSecuritySignature is enabled.
585
00:31:14,040 –> 00:31:19,280
On clients, EnableSecuritySignature is enabled, and RequireSecuritySignature is preferred where compatibility allows.
586
00:31:19,280 –> 00:31:21,560
We audit for exceptions and eliminate them.
587
00:31:21,560 –> 00:31:25,680
The print spooler on servers turns off unless the server prints.
588
00:31:25,680 –> 00:31:28,600
On domain controllers, it stays off.
589
00:31:28,600 –> 00:31:29,600
Always.
590
00:31:29,600 –> 00:31:35,120
LDAP channel binding becomes law to block relays into LDAPS, and Extended Protection for Authentication, the same channel binding, guards IIS.
591
00:31:35,120 –> 00:31:42,520
LLMNR and NetBIOS name resolution are disabled on workstations because ghosts answer when
592
00:31:42,520 –> 00:31:48,480
those radios hum. We seal the doors attackers coax: file services deny NTLM where Kerberos
593
00:31:48,480 –> 00:31:49,840
exists.
594
00:31:49,840 –> 00:31:52,080
SMBv1 is gone.
595
00:31:52,080 –> 00:31:54,080
NTLMv1 is gone.
596
00:31:54,080 –> 00:31:59,560
NTLM auditing runs hot for months to map the caves then we close them.
597
00:31:59,560 –> 00:32:05,000
HTTP services behind load balancers prefer Negotiate with Kerberos and enforce SPNs that are
598
00:32:05,000 –> 00:32:06,360
correct and singular.
599
00:32:06,360 –> 00:32:12,480
When NTLM must survive for a fossil application, we put it behind glass: isolated VLAN,
600
00:32:12,480 –> 00:32:18,640
firewall allow list, a proxy that performs modern auth at the edge, logging that sings.
601
00:32:18,640 –> 00:32:21,960
Detection here is relay as a pattern, not a scream.
602
00:32:21,960 –> 00:32:26,240
4776 from servers that normally speak Kerberos becomes a page.
603
00:32:26,240 –> 00:32:33,680
4624 type 3 logons by machine accounts into peers are tides we measure: rare and explicit.
604
00:32:33,680 –> 00:32:37,080
Sysmon 3 marks unsigned SMB sessions.
605
00:32:37,080 –> 00:32:43,160
We alert on any unsigned session into servers labeled Tier 1 or Tier 0.
606
00:32:43,160 –> 00:32:47,160
Event 7045 on a file server during business hours is a siren.
607
00:32:47,160 –> 00:32:57,400
The SIEM correlates 4776 on a server plus Sysmon 3 unsigned SMB plus 7045 within 5 minutes:
608
00:32:57,400 –> 00:33:00,040
equals relay in progress.
609
00:33:00,040 –> 00:33:03,160
We quarantine the destination and block the source.
610
00:33:03,160 –> 00:33:05,840
We do not hunt the fish, we cut the river.
611
00:33:05,840 –> 00:33:08,240
We practice the fix before the flood.
612
00:33:08,240 –> 00:33:11,720
We stage signing enforcement in a lab with old clients.
613
00:33:11,720 –> 00:33:13,760
We list vendors who will complain.
614
00:33:13,760 –> 00:33:15,840
We replace what breaks or coordinate.
615
00:33:15,840 –> 00:33:17,320
We communicate dates.
616
00:33:17,320 –> 00:33:23,160
We push GPOs in rings, measuring unsigned session counts until they reach zero.
617
00:33:23,160 –> 00:33:28,920
We validate with packet captures and Defender XDR signals that label NTLM traffic.
618
00:33:28,920 –> 00:33:32,720
When exceptions remain, leadership signs the risk with a sunset.
619
00:33:32,720 –> 00:33:34,560
Lab echo, low chime.
620
00:33:34,560 –> 00:33:38,280
SMB signing enforced domain-wide.
621
00:33:38,280 –> 00:33:40,320
Bass pulse softens.
622
00:33:40,320 –> 00:33:46,480
Unsigned sessions on Tier 1 and Tier 0: none. 4776 falls to baseline.
623
00:33:46,480 –> 00:33:49,360
The observer speaks: I am the transport.
624
00:33:49,360 –> 00:33:53,240
When you demand signatures, I can tell who truly stands at the door.
625
00:33:53,240 –> 00:33:58,960
When you silence the radios that answer to anyone, I stop mistaking echoes for voices.
626
00:33:58,960 –> 00:34:03,200
NTLM relay is the art of pretending to be near.
627
00:34:03,200 –> 00:34:06,440
Integrity tells the truth you are far.
628
00:34:06,440 –> 00:34:13,920
The river dries, the orbit steadies. LSASS unprotected, rapid harvest.
629
00:34:13,920 –> 00:34:16,200
There is a room where identity sleeps.
630
00:34:16,200 –> 00:34:19,720
It is small, it is bright, it is called LSASS.
631
00:34:19,720 –> 00:34:22,320
On most days it is guarded by ceremony.
632
00:34:22,320 –> 00:34:25,200
RunAsPPL, Credential Guard.
633
00:34:25,200 –> 00:34:28,200
EDR hooks that watch every hand that reaches.
634
00:34:28,200 –> 00:34:34,800
But where those rites do not hold, LSASS becomes a bowl and secrets condense on its surface
635
00:34:34,800 –> 00:34:36,520
like dew.
636
00:34:36,520 –> 00:34:42,080
At 0741, a help desk session ends on WS-OPS219.
637
00:34:42,080 –> 00:34:45,840
Nothing looks wrong, a ticket closed, a shortcut pinned.
638
00:34:45,840 –> 00:34:47,760
In memory, tokens linger.
639
00:34:47,760 –> 00:34:50,840
Clear text for processes that negotiated.
640
00:34:50,840 –> 00:34:54,520
NT hashes for old dialects that still speak.
641
00:34:54,520 –> 00:34:57,360
Kerberos tickets for services that hum.
642
00:34:57,360 –> 00:35:00,440
The operating system will reclaim the space when it can.
643
00:35:00,440 –> 00:35:02,400
The attacker will not give it time.
644
00:35:02,400 –> 00:35:05,720
They arrive the night before through a macro that did not know better.
645
00:35:05,720 –> 00:35:09,680
No admin rights, no exploits, just presence.
646
00:35:09,680 –> 00:35:12,720
They wait for gravity to pull a credential into reach.
647
00:35:12,720 –> 00:35:15,960
The help desk tech logs on locally to fix a printer driver.
648
00:35:15,960 –> 00:35:19,880
They run a signed vendor tool that touches devices through WMI.
649
00:35:19,880 –> 00:35:22,360
The session is brief, the effect is not.
650
00:35:22,360 –> 00:35:30,360
Lab echo, low chime. Sysmon 1, winword.exe to vendorconfig.exe, lineage noted.
651
00:35:30,360 –> 00:35:31,360
Soft tick.
652
00:35:31,360 –> 00:35:34,200
No event. LSA protection absent.
653
00:35:34,200 –> 00:35:36,840
The door is wood, not steel.
654
00:35:36,840 –> 00:35:40,800
At 0744, the intruder asks the kernel for a handhold.
655
00:35:40,800 –> 00:35:47,120
Without LSA protection, LSASS permits a process with SeDebugPrivilege, or a way to gain
656
00:35:47,120 –> 00:35:50,360
it through a vulnerable driver to open a handle and read.
657
00:35:50,360 –> 00:35:51,720
The attacker is careful.
658
00:35:51,720 –> 00:35:53,200
They load no crude tools.
659
00:35:53,200 –> 00:35:55,400
They call the documented APIs.
660
00:35:55,400 –> 00:35:59,840
MiniDumpWriteDump whispers a file into a temp path with a boring name.
661
00:35:59,840 –> 00:36:02,760
Three seconds, 50 megabytes, a decade of drift.
662
00:36:02,760 –> 00:36:03,960
Lab echo.
663
00:36:03,960 –> 00:36:05,320
Bass pulse.
664
00:36:05,320 –> 00:36:11,440
Sysmon 10, lsass.exe handle opened by a signed but unusual process.
665
00:36:11,440 –> 00:36:12,440
Low chime.
666
00:36:12,440 –> 00:36:17,840
Sysmon 11, file created, C:\Users\Public\Documents\diag.
667
00:36:17,840 –> 00:36:20,000
The telescope tightens focus.
668
00:36:20,000 –> 00:36:21,400
They leave with the harvest.
669
00:36:21,400 –> 00:36:26,200
Offline, under a different sky, secrets will separate.
670
00:36:26,200 –> 00:36:29,680
DPAPI blobs decrypted with machine keys.
671
00:36:29,680 –> 00:36:35,880
Kerberos tickets written back into memory on a staging host for lateral beams. NT hashes
672
00:36:35,880 –> 00:36:40,680
for local accounts that still use the same secret as their neighbors.
673
00:36:40,680 –> 00:36:42,480
Most of the time this takes minutes.
674
00:36:42,480 –> 00:36:44,040
Today it takes less.
675
00:36:44,040 –> 00:36:50,000
On WS-OPS219, the local administrator account still exists for emergency use.
676
00:36:50,000 –> 00:36:52,320
LAPS is planned but not deployed.
677
00:36:52,320 –> 00:36:55,520
The hash in the dump matches 100 sisters.
678
00:36:55,520 –> 00:36:58,760
Pass the hash waits like an elevator with its door open.
679
00:36:58,760 –> 00:37:00,120
The attacker steps in.
680
00:37:00,120 –> 00:37:02,960
ADMIN$ on APP-OPS02 yields.
681
00:37:02,960 –> 00:37:06,560
A service appears, runs once and vanishes.
682
00:37:06,560 –> 00:37:08,520
A second dump lands.
683
00:37:08,520 –> 00:37:12,040
This time from a server that talks to management.
684
00:37:12,040 –> 00:37:13,040
Momentum grows.
685
00:37:13,040 –> 00:37:19,920
On APP-OPS02, Restricted Admin for RDP is disabled and Remote Credential Guard is unknown.
686
00:37:19,920 –> 00:37:22,160
An admin once solved a problem from Tier 2.
687
00:37:22,160 –> 00:37:24,520
Their domain token slept in LSASS.
688
00:37:24,520 –> 00:37:27,160
The dump reveals a TGT warm enough to carry.
689
00:37:27,160 –> 00:37:31,320
CIFS on MGMT-TASK01 accepts a ticket that claims authority.
690
00:37:31,320 –> 00:37:38,160
A scheduled task is edited to run a benign looking binary with a 30 second delay every hour.
691
00:37:38,160 –> 00:37:39,440
Persistence as a heartbeat.
692
00:37:39,440 –> 00:37:41,560
This is what rapid harvest means.
693
00:37:41,560 –> 00:37:42,560
Not drama.
694
00:37:42,560 –> 00:37:43,840
Accumulation.
695
00:37:43,840 –> 00:37:45,240
One room unguarded.
696
00:37:45,240 –> 00:37:46,480
One handle granted.
697
00:37:46,480 –> 00:37:48,000
One dump copied.
698
00:37:48,000 –> 00:37:50,760
And gravity draws the line toward tier 1.
699
00:37:50,760 –> 00:37:53,560
Defense is not a single switch but the switches exist.
700
00:37:53,560 –> 00:37:54,880
LSA protection.
701
00:37:54,880 –> 00:37:56,200
RunAsPPL.
702
00:37:56,200 –> 00:37:57,680
Raises the walls.
703
00:37:57,680 –> 00:38:00,920
LSASS stops speaking to unsigned strangers.
704
00:38:00,920 –> 00:38:06,000
Even administrators cannot open a handle to it without a kernel-mode partner that is trusted.
705
00:38:06,000 –> 00:38:10,720
Credential guard moves secrets out of ordinary memory into an isolated chamber.
706
00:38:10,720 –> 00:38:13,280
The attacker cannot touch from user mode.
707
00:38:13,280 –> 00:38:15,720
The bowl remains but the dew does not form.
708
00:38:15,720 –> 00:38:17,960
We enforce them where mass is heavy.
709
00:38:17,960 –> 00:38:24,200
On domain controllers, on PAWs, on servers that hold schedules and keys, RunAsPPL is
710
00:38:24,200 –> 00:38:25,360
law.
711
00:38:25,360 –> 00:38:28,760
On workstations, Credential Guard rides standard images.
712
00:38:28,760 –> 00:38:31,640
WDigest stays disabled.
713
00:38:31,640 –> 00:38:34,000
Debug privileges are rare.
714
00:38:34,000 –> 00:38:37,600
SeDebugPrivilege does not belong to IT helpers.
715
00:38:37,600 –> 00:38:43,360
We refuse vendor drivers that expose read write primitives into kernel space.
716
00:38:43,360 –> 00:38:48,600
A driver that turns memory into glass is a violation, not a convenience.
717
00:38:48,600 –> 00:38:50,560
We end the need to peek.
718
00:38:50,560 –> 00:38:51,560
Admins use PAWs.
719
00:38:51,560 –> 00:38:54,280
They do not RDP from tier 2.
720
00:38:54,280 –> 00:38:56,720
They administer with remote credential guard.
721
00:38:56,720 –> 00:38:59,720
So secrets do not land on destinations.
722
00:38:59,720 –> 00:39:04,800
They do not browse, check mail or install plugins where they touch identity.
723
00:39:04,800 –> 00:39:08,440
They accept friction today so gravity holds tomorrow.
724
00:39:08,440 –> 00:39:10,560
We deploy LAPS everywhere.
725
00:39:10,560 –> 00:39:16,080
A dump that exposes a local administrator hash does not travel because its siblings no longer
726
00:39:16,080 –> 00:39:17,400
share mass.
727
00:39:17,400 –> 00:39:24,640
We pair with remote UAC so local admin tokens do not bring silent elevation across SMB.
728
00:39:24,640 –> 00:39:27,000
Pass the hash meets a locked door.
729
00:39:27,000 –> 00:39:29,840
Detection listens for the reach, not just the spill.
730
00:39:29,840 –> 00:39:36,240
Sysmon event 10 on LSASS paired with process ancestry that does not match EDR lineages or
731
00:39:36,240 –> 00:39:39,160
known backup agents is a page.
732
00:39:39,160 –> 00:39:44,920
Event 11 for files in public or temp with dump signatures is more than interesting.
733
00:39:44,920 –> 00:39:50,800
Combine with firewall logs that show ADMIN$ connections minutes later, or with 7045
734
00:39:50,800 –> 00:39:52,680
for single shot services.
735
00:39:52,680 –> 00:39:56,920
And the SIEM sings an alert called harvest in progress.
736
00:39:56,920 –> 00:39:58,800
We harden in layers.
737
00:39:58,800 –> 00:40:05,120
AppLocker or WDAC on PAWs and Tier 0 servers limits who may touch LSASS at all.
738
00:40:05,120 –> 00:40:10,640
Only signed, known tools are permitted on workstations. Process access auditing is tuned: success on
739
00:40:10,640 –> 00:40:15,920
lsass.exe emits events, failure helps baseline.
740
00:40:15,920 –> 00:40:22,480
We feed XDR with labels: credential theft likelihood plus host cohort equals action.
741
00:40:22,480 –> 00:40:27,400
A high score on a legacy host with no PPL triggers quarantine over caution.
742
00:40:27,400 –> 00:40:29,960
We practice the counter play.
743
00:40:29,960 –> 00:40:36,520
If we suspect a dump, we evict rapidly: isolate the source, rotate LAPS on it and its neighbors,
744
00:40:36,520 –> 00:40:43,600
invalidate Kerberos on touched hosts, review 4769 patterns for SPNs accessed post-event, and
745
00:40:43,600 –> 00:40:48,360
inspect scheduled tasks and services created within 5 minutes of the dump.
746
00:40:48,360 –> 00:40:53,880
If the chain touched Tier 1, we rebuild rather than cleanse. Time spent scrubbing memory is
747
00:40:53,880 –> 00:40:59,080
time secrets reshape elsewhere. Lab echo, low chime.
748
00:40:59,080 –> 00:41:06,520
RunAsPPL enforced on Tier 0 and Tier 1. Soft tick. Credential Guard enabled on workstations,
749
00:41:06,520 –> 00:41:14,880
WDigest disabled. Bass pulse recedes. Sysmon 10 tuned: LSASS access by unknown lineage equals
750
00:41:14,880 –> 00:41:15,960
page.
751
00:41:15,960 –> 00:41:20,960
The observer speaks. I am the small bright room. When you raised my walls, I kept the
752
00:41:20,960 –> 00:41:26,360
dew from forming. When you moved the water elsewhere, the bowl stayed dry. I am not a vault. I am a
753
00:41:26,360 –> 00:41:33,320
vessel. Treat me like one and the harvest slows to a whisper. SYSVOL GPP passwords, instant
754
00:41:33,320 –> 00:41:38,960
escalation. There is a library that everyone can read. It is called SYSVOL. Inside it, Group
755
00:41:38,960 –> 00:41:45,040
Policy Preferences once wrote convenience as scripture: XML files that carried settings
756
00:41:45,040 –> 00:41:51,760
for drives, services, scheduled tasks, each a stanza of order. For a time they also carried passwords,
757
00:41:51,760 –> 00:41:57,520
not hashes, not tickets, passwords, encrypted with a key Microsoft published so that administrators
758
00:41:57,520 –> 00:42:02,720
could recover what they had written. Convenience mistook obscurity for gravity. The key was not
759
00:42:02,720 –> 00:42:08,720
a secret the moment it met the world; it never would be again. At 1102, an intruder with
760
00:42:08,720 –> 00:42:15,160
nothing more than user rights opens a share every workstation can reach: \\domain.tld\SYSVOL.
761
00:42:15,160 –> 00:42:20,640
They do not pry. They browse under Policies. They follow GUIDs like constellations.
762
00:42:20,640 –> 00:42:28,000
In Preferences they find the Group Policy Preferences folders: Scheduled Tasks, Services and Drives,
763
00:42:28,000 –> 00:42:37,360
quiet XML: Groups.xml, Services.xml, ScheduledTasks.xml. Each line is a whisper. In the
764
00:42:37,360 –> 00:42:45,360
cpassword attribute, a Base64 string, calm, waiting. The schema tags it as allowed; cpassword is
765
00:42:45,360 –> 00:42:56,760
the credential. Lab echo, low chime. File read: Groups.xml from SYSVOL by user jly on WSMKT217.
766
00:42:56,760 –> 00:43:04,080
Soft tick: cpassword present. Bass pulse: known AES key loaded. The decryption is not an exploit,
767
00:43:04,080 –> 00:43:11,760
it is arithmetic. The published AES key unwraps the cpassword into cleartext in a breath:
768
00:43:11,760 –> 00:43:17,120
administrator passwords that were meant to map drives on first boot, a service account secret
769
00:43:17,120 –> 00:43:24,320
from 2012 that joined machines to the domain, a local admin reset used by deployment wave one. One
770
00:43:24,320 –> 00:43:31,440
file gives three doors. One door leads to Tier 1. The intruder tests gently with the recovered
771
00:43:31,440 –> 00:43:37,280
service account. They authenticate to a management share on APP-BUILD01. It accepts the weight. The
772
00:43:37,280 –> 00:43:45,520
account owns Log on as a service on half the build farm. On APP-BUILD01, a script repository holds
773
00:43:45,520 –> 00:43:52,240
signing certificates for internal tools, private keys stored alongside public ones for convenience.
774
00:43:52,240 –> 00:44:02,640
The line bends. On MGMT-TASK01 the same password appears again in another XML. The account is a member
775
00:44:02,640 –> 00:44:09,120
of LocalAdmins-AppServers, a domain group that grants local admin widely. The intruder does
776
00:44:09,120 –> 00:44:14,320
not need to guess. They step through ADMIN$, create a transient service and capture a memory
777
00:44:14,320 –> 00:44:19,520
fragment that contains a Kerberos ticket for a deployment orchestrator. That orchestrator touches
778
00:44:19,520 –> 00:44:26,560
servers with rights the original XML author never imagined. This is why we call it instant escalation:
779
00:44:26,560 –> 00:44:34,400
no zero day, no brute force. The forest published its secrets in the one place every citizen must be
780
00:44:34,400 –> 00:44:39,680
allowed to read. The encryption key was never a key; it was a handshake guide. Defense is an act of
781
00:44:39,680 –> 00:44:47,200
contrition and removal. We do not trust that the old XMLs were cleaned. We search SYSVOL with purpose.
782
00:44:47,200 –> 00:44:54,320
We scan every policy folder for cpassword across Preferences: Drives, Scheduled Tasks, Services, Data
783
00:44:54,320 –> 00:45:00,320
Sources, Printers, Local Users and Groups. We do not stop at one; we collect every hit. For each we
784
00:45:00,320 –> 00:45:07,920
identify the principal whose password was entombed, then we rotate. Not tomorrow, now. Passwords become
785
00:45:07,920 –> 00:45:13,520
long, random and different from anything they ever were. Where feasible we retire the accounts
786
00:45:13,520 –> 00:45:20,240
entirely and replace them with gMSAs so no human password exists to leak again. We delete the XMLs, but
787
00:45:20,240 –> 00:45:26,560
we do not trust deletion alone. Versioning and DFSR may echo old files; other domain controllers
788
00:45:26,560 –> 00:45:33,040
may still replicate ghosts. We force a cleanup that propagates. We confirm with hashes of SYSVOL
789
00:45:33,040 –> 00:45:40,560
folders across DCs. We purge client-side caches where GPP applied, and we rewrite the policies in a safe
790
00:45:40,560 –> 00:45:47,200
dialect: use Group Policy Restricted Groups, or Group Policy Preferences without passwords, for
791
00:45:47,200 –> 00:45:54,240
local group membership; use LAPS to manage local administrator secrets; use scheduled tasks that run
792
00:45:54,240 –> 00:46:01,680
as SYSTEM, not as a named account carrying a secret in plaintext. We change culture. The temptation to
793
00:46:01,680 –> 00:46:09,920
just place a helpful password here is named and refused. CAB reviews any GPP touching local users
794
00:46:09,920 –> 00:46:17,760
and groups; a checklist asks, does this reference cpassword? If yes, deny. If a vendor demands it, the
795
00:46:17,760 –> 00:46:24,800
answer is isolation or redesign, not exception. We teach admins that SYSVOL is a bulletin board on
796
00:46:24,800 –> 00:46:32,240
a street, not a safe. Detection turns quiet files into sirens. We forward FSRM or file integrity events
797
00:46:32,240 –> 00:46:38,240
from domain controllers when XMLs in Preferences change, appear, or carry the cpassword string.
798
00:46:38,240 –> 00:46:46,800
We parse SYSVOL on a schedule and flag reintroductions in the SIEM. We correlate a read of Groups.xml from a
799
00:46:46,800 –> 00:46:56,480
workstation followed by 4624 logons using newly recovered identities, 7045 new services
800
00:46:56,480 –> 00:47:01,360
on servers within minutes. The chord means someone found the library and read the wrong page.
801
00:47:01,360 –> 00:47:07,600
We stage a drill in the lab. We seed a harmless cpassword and watch our sensor scream.
802
00:47:08,160 –> 00:47:15,760
We practice rotating the implicated account, purging XMLs, verifying DFSR health, and confirming that
803
00:47:15,760 –> 00:47:23,440
no clients retrieve the secret again. We measure time from find to fix. We edit the runbook. We repeat
804
00:47:23,440 –> 00:47:32,880
quarterly until no one forgets. Lab echo. Low chime: SYSVOL scan, cpassword not found. Soft tick: local
805
00:47:32,880 –> 00:47:40,480
administrator now LAPS managed, XML retired. Base pulse fades: service accounts converted to gMSA,
806
00:47:40,480 –> 00:47:47,280
interactive logon denied. The observer speaks: I am the library. I never hid your secrets; I showed them
807
00:47:47,280 –> 00:47:53,680
faithfully to all who could see. When you stopped pinning passwords to my walls you removed temptation
808
00:47:53,680 –> 00:48:00,320
for both of us. Group Policy Preferences were meant to carry shape, not secrets. When secrets rode
809
00:48:00,320 –> 00:48:06,560
inside them, gravity failed quickly and completely. Remove the cpasswords, rotate what they revealed,
810
00:48:06,560 –> 00:48:12,880
replace human secrets with managed keys, then let the library return to what it was: a place where
811
00:48:12,880 –> 00:48:19,280
law is posted, not where keys are taped under the desk. Abandoned two-way forest trust. There is a
812
00:48:19,280 –> 00:48:24,960
bridge no one uses. It floats between galaxies of identity. It is called a two-way forest trust. On
813
00:48:24,960 –> 00:48:31,120
paper it was temporary: a merger project needed migration paths, shared services for 18 months,
814
00:48:31,120 –> 00:48:38,160
a collaboration portal that would die after cutover. The calendar wrote decommission trust Q4.
815
00:48:38,160 –> 00:48:45,920
The quarter passed. The bridge remained, time dilated. Administrators moved on, tickets closed, the trust
816
00:48:45,920 –> 00:48:53,360
persisted like a wormhole that forgot its purpose. At 0347 the observer sighs: I felt the drift when two
817
00:48:53,360 –> 00:48:59,680
universes still whispered to each other. In forest A the domain controllers hum with modern law:
818
00:48:59,680 –> 00:49:06,720
SMB signing enforced, LAPS everywhere, delegation constrained. In forest B laws are older:
819
00:49:06,720 –> 00:49:14,000
NTLM more forgiving, print spoolers awake, legacy service accounts with passwords that age like stone.
820
00:49:14,000 –> 00:49:21,920
The trust stitches them together: transitive, bidirectional, Kerberos aware, and permissive in ways no one
821
00:49:21,920 –> 00:49:28,400
has attested for years. An intruder begins in forest B, low and quiet. A compromised workstation
822
00:49:28,400 –> 00:49:37,840
grants user context. Enumeration follows gravity: LDAP reveals domain admins, SPNs, delegation settings.
823
00:49:37,840 –> 00:49:44,720
They find a service account on an app server, svc-legacy-report, holding local admin on several
824
00:49:44,720 –> 00:49:50,560
management hosts. The account's password never expires because a vendor once demanded mercy.
825
00:49:51,520 –> 00:49:57,760
Memory offers a hash. SMB without channel binding accepts its weight. Lab echo. Low chime:
826
00:49:57,760 –> 00:50:05,040
4769 cluster, TGS for CIFS/APPMGMTB issued to svc-legacy-report.
827
00:50:05,040 –> 00:50:17,360
Base pulse: Sysmon 3, SMB beams from WSB-217 to APPMGMTB, with LOCAL SYSTEM on APPMGMTB.
828
00:50:17,920 –> 00:50:23,840
The intruder looks up and sees the bridge. In Active Directory Domains and Trusts, an entry:
829
00:50:23,840 –> 00:50:32,960
forest-a.local, forest-b.local, two-way transitive, SID filtering disabled for migration, selective
830
00:50:32,960 –> 00:50:40,560
authentication not configured, AD FS claims present, brittle and forgotten. The wormhole hums.
831
00:50:41,120 –> 00:50:48,800
They ask the KDC in forest B for a referral TGT to forest A. The KDC agrees; trusts are treaties.
832
00:50:48,800 –> 00:50:57,520
A cross-realm TGT materializes, wrapped in keys both forests honor. The intruder does not wear a crown;
833
00:50:57,520 –> 00:51:03,360
they wear borrowed light. It is enough. They request a service ticket to CIFS on a shared file server
834
00:51:03,360 –> 00:51:09,120
in forest A that still hosts the collaboration portal storage. The portal died; the file share did not.
835
00:51:09,760 –> 00:51:20,640
Lab echo. Low chime: 4769, TGS to CIFS/FSA-COLAB from foreign principal. Soft tick: no selective
836
00:51:20,640 –> 00:51:28,400
auth, trust path open. The horizon curves. On FSA-COLAB, ACLs carry sediment from long projects:
837
00:51:28,400 –> 00:51:34,800
a domain local group in forest A grants Modify to a shared folder; that group contains a universal
838
00:51:34,800 –> 00:51:42,560
group from forest A which years ago included Authenticated Users from forest B to ease collaboration.
839
00:51:42,560 –> 00:51:50,080
Nested, obscured, effective. The intruder writes a DLL into a startup path for a management tool
840
00:51:50,080 –> 00:51:55,840
still used by a Tier 1 team. At dawn the tool will load it as SYSTEM. The bridge becomes a conveyor.
841
00:51:55,840 –> 00:52:03,280
But they can do more. With the cross-realm TGT, and because SID filtering is disabled, SID history
842
00:52:03,280 –> 00:52:09,920
becomes a weapon. An old migration granted several accounts in forest B SID history values
843
00:52:09,920 –> 00:52:17,120
that map to high privilege groups in forest A. The intruder crafts a silver ticket in forest B
844
00:52:17,120 –> 00:52:24,000
for a service in forest A, embedding a SID history claim that impersonates a group with local admin
845
00:52:24,000 –> 00:52:32,880
on APP-DEPLOY-A. The KDC in forest A accepts, because gravity says the trust is honorable and unfiltered.
846
00:52:32,880 –> 00:52:43,760
Doors open that no living admin remembers unlocking. Lab echo. Base pulse: 4768, 4769 cross-realm with SID
847
00:52:43,760 –> 00:52:53,840
history claim, target APP-DEPLOY-A. Low chime: 7045, service telemetry host created on APP-DEPLOY-A.
848
00:52:53,840 –> 00:53:00,320
The path to domain controllers in forest A is not straight, but now it is downhill.
849
00:53:00,960 –> 00:53:07,840
A management share leads to a scheduled task. A scheduled task leads to a credential cache. A cache
850
00:53:07,840 –> 00:53:14,000
yields a TGT for an operations admin who crossed a boundary last week. The wormhole did not break;
851
00:53:14,000 –> 00:53:20,000
tearing it bent it. Defense is not a single cut; it is a sequence that respects physics. First, we see
852
00:53:20,000 –> 00:53:27,920
the bridge: inventory all trusts with metadata, direction, transitivity, SID filtering, selective
853
00:53:27,920 –> 00:53:36,160
authentication, AES support, TGT lifetimes, and when anyone last attested business need. If a trust
854
00:53:36,160 –> 00:53:44,560
lacks a living owner, the trust is drift. Second, we narrow gravity: enable SID filtering on external
855
00:53:44,560 –> 00:53:52,560
and forest trusts unless a migration absolutely requires SID history. Where history is still needed,
856
00:53:52,560 –> 00:53:58,880
time-box it and pre-map explicit SID translations for a short list of accounts rather than entire
857
00:53:58,880 –> 00:54:06,160
groups. Remove SID history from migrated users and groups once cutover completes. History is not
858
00:54:06,160 –> 00:54:13,280
identity; it is nostalgia. Third, we require invitation to cross: turn on selective authentication so
859
00:54:13,280 –> 00:54:20,160
principals from forest B cannot touch all of forest A by default. Grant Allowed to Authenticate
860
00:54:20,160 –> 00:54:27,600
on specific servers only, for named, attested groups. Audit 4769 for foreign SID and
861
00:54:27,600 –> 00:54:36,800
TransitedServices fields to catch unexpected paths. Monitor 4624, 4672 in forest A for
862
00:54:36,800 –> 00:54:43,520
logons with authentication package Kerberos and TransitedServices krbtgt to forest-b.local;
863
00:54:43,520 –> 00:54:49,280
those words are gravity speaking. Fourth, we fix the old language: ensure both forests use AES for
864
00:54:49,280 –> 00:54:56,880
inter-forest Kerberos, retire RC4 and DES. Kerberos armoring, where supported, reduces tampering.
865
00:54:56,880 –> 00:55:03,920
Tighten ticket lifetimes if the bridge must remain. Harden SPNs on target services to exact names;
866
00:55:03,920 –> 00:55:12,080
remove aliases that encourage stray authentication. Fifth, we excise sediment on shared servers:
867
00:55:12,080 –> 00:55:18,080
remove legacy groups with foreign principals, replace with explicit least privilege grants,
868
00:55:18,880 –> 00:55:25,680
retire collaboration shares, archive and delete. If AD FS claim rules created broad trust, rewrite them
869
00:55:25,680 –> 00:55:31,920
with whitelists. If trust only exists for DNS forwarding, replace with conditional forwarding,
870
00:55:31,920 –> 00:55:38,240
not identity treaties. Sixth, we practice collapse: test trust removal in a lab clone,
871
00:55:38,240 –> 00:55:43,600
staged downtime with business owners, cut one direction at a time if needed, using selective
872
00:55:43,600 –> 00:55:50,880
authentication as a proving ground. When removed, purge lingering references: logon rights, local
873
00:55:50,880 –> 00:55:58,720
groups, GPO scopes. Watch for authentication failures that reveal dependencies; fix or isolate the
874
00:55:58,720 –> 00:56:07,120
callers. Bridges do not simply vanish; they echo. Detection must be layered. SIEM correlates cross
875
00:56:07,120 –> 00:56:15,440
realm TGT issuance with access to sensitive SPNs minutes later. Alert on any 4769 in forest A
876
00:56:15,440 –> 00:56:21,200
where client address belongs to a forest B subnet and the service name belongs to Tier 1 or Tier 0.
877
00:56:21,200 –> 00:56:29,280
Flag 4662 DCSync attempts from foreign SIDs. If SID filtering is disabled anywhere,
878
00:56:29,280 –> 00:56:38,160
raise a standing incident until it changes. Lab echo. Low chime: trust audit forest A, forest B,
879
00:56:38,160 –> 00:56:46,880
SID filtering enabled, selective auth enabled. Base pulse softens: cross-realm tickets restricted,
880
00:56:46,880 –> 00:56:53,680
foreign access list attested. The observer speaks: I am the bridge you forgot. When you narrowed
881
00:56:53,680 –> 00:56:59,120
me to purpose I stopped turning distance into danger. When you finally dissolved me the galaxies
882
00:56:59,120 –> 00:57:04,640
kept their shape. Abandoned trusts are not pathways; they are tears in the fabric. Close them,
883
00:57:04,640 –> 00:57:10,480
or they will choose your ending for you. An AD CS ESC1 misconfiguration. There is a forge
884
00:57:10,480 –> 00:57:15,840
that mints identities into substance. It is called Active Directory Certificate Services.
885
00:57:15,840 –> 00:57:20,800
When its molds are cut carelessly, any hand can pour metal and walk away wearing a crown.
886
00:57:20,800 –> 00:57:26,720
ESC1 is not a bug; it is geometry. A certificate template that allows client authentication,
887
00:57:26,720 –> 00:57:32,640
permits Enrollee Supplies Subject and SAN, and is obtainable by ordinary principals becomes a mirror
888
00:57:32,640 –> 00:57:39,600
that reflects whatever name it is asked to reflect. If the issuing CA trusts its own work to map
889
00:57:39,600 –> 00:57:44,800
SAN to logon, then the directory will accept the bearer as the name on the glass.
890
00:57:44,800 –> 00:57:49,920
Kerberos does not protest. Smart card logon does not argue. The physics is consistent; the policy is
891
00:57:49,920 –> 00:57:56,000
wrong. At 0422 the observer murmurs: I felt the drift when a template promised too much.
892
00:57:56,000 –> 00:58:04,960
On CA-WEST a template named LegacyUserEnroll sits published. Its flags: client authentication
893
00:58:04,960 –> 00:58:14,720
EKU present, Enrollee Supplies Subject, manager approval not required, security: Domain Users enrolls,
894
00:58:14,720 –> 00:58:22,160
autoenrolls, no issuance requirements, no subject name restrictions. The forest trusted the forge to
895
00:58:22,160 –> 00:58:29,600
be humble. It was not. An intruder with only user rights opens the enrollment dialog, or speaks to
896
00:58:29,600 –> 00:58:35,360
the CA over RPC with a quiet request. They ask for a certificate where the subject alternative name
897
00:58:35,360 –> 00:58:43,120
includes UPN backupsvc@domain.tld, or even administrator@domain.tld. The CA stamps the
898
00:58:43,120 –> 00:58:48,240
request with its signature because it trusts what it was asked to believe. The certificate is valid,
899
00:58:48,240 –> 00:58:57,200
shiny, unremarkable. The private key lives in user space. That is enough. Lab echo. Low chime: event
900
00:58:57,200 –> 00:59:05,520
4886, certificate issued to jle, template LegacyUserEnroll, SAN administrator@domain.tld.
901
00:59:05,520 –> 00:59:12,480
Base pulse: no manager approval. With the certificate the intruder presents themselves to a
902
00:59:12,480 –> 00:59:19,120
domain controller using PKINIT, Kerberos with public key. The KDC checks the chain to the issuing CA; the
903
00:59:19,120 –> 00:59:26,800
CA is in NTAuth, the EKU includes smart card logon, the SAN asserts administrator@domain.tld, the
904
00:59:26,800 –> 00:59:33,200
directory maps the UPN to the account. A TGT appears, minted for Administrator, not for the requester.
905
00:59:33,200 –> 00:59:38,480
Gravity follows the signature. They do not need to crack passwords or replay hashes. They do not need
906
00:59:38,480 –> 00:59:44,160
to touch LSASS. They have a ticket that says, I am the person whose name is on the certificate. The CA said
907
00:59:44,160 –> 00:59:51,840
yes; the KDC agrees. Doors open with ceremonial ease. Lab echo. Low chime: 4768, TGT
908
00:59:51,840 –> 00:59:58,640
issued via certificate logon, account Administrator, caller WS-DESK-034. Soft tick: 4887
909
00:59:58,640 –> 01:00:04,080
certificate request attributes included SAN. They move with quiet authority: a service ticket
910
01:00:04,080 –> 01:00:10,400
to LDAP on DC02, a query for group memberships, a new GPO link that lasts two minutes, a shadow
911
01:00:10,400 –> 01:00:17,280
admin placed and removed. The certificate lives for months. Renewal is a whisper; revocation is a fantasy
912
01:00:17,280 –> 01:00:24,960
if no one knows to revoke. Defense is the discipline of molds. We enumerate templates like we enumerate stars.
913
01:00:24,960 –> 01:00:31,440
For every template that can issue logon-capable certificates, smart card logon, client authentication,
914
01:00:31,440 –> 01:00:37,440
along with issuance to user principals, we examine three truths: who can enroll, who can request subject
915
01:00:37,440 –> 01:00:43,200
and SAN, what EKUs are included. If Domain Users can enroll and supply SAN on a template whose EKU
916
01:00:43,200 –> 01:00:50,240
maps identities, we have built a wormhole. We close it by reducing surface and adding ceremony. Remove
917
01:00:50,240 –> 01:00:57,120
Enrollee Supplies Subject from user templates unless the SAN is constrained by policy modules. Remove
918
01:00:57,120 –> 01:01:04,320
client authentication and smart card logon EKUs from templates not meant for logon. Require manager
919
01:01:04,320 –> 01:01:10,560
approval or authorized signature for any template that affects identity mapping. If a vendor demands
920
01:01:10,560 –> 01:01:16,560
supply subject for devices, create a separate template limited to a device enrolling group, with
921
01:01:16,560 –> 01:01:23,920
subject name constraints via the CA policy. We bind CA trust: the NTAuth store should only contain
922
01:01:23,920 –> 01:01:30,960
CAs that issue true smart card logon or device auth under strict governance. Remove legacy issuing
923
01:01:30,960 –> 01:01:37,600
CAs from NTAuth if they serve line-of-business TLS. Separate PKI for identity and for transport
924
01:01:37,600 –> 01:01:42,960
stops forged crowns from riding on web server ceremonies. We control who can publish and who can
925
01:01:42,960 –> 01:01:49,680
change: only a Tier 0 PKI admin group may publish templates. ACLs on templates remove Domain
926
01:01:49,680 –> 01:01:56,560
Admins if culture allows, replaced with PKI-specific roles. Certificate managers on the CA are not
927
01:01:56,560 –> 01:02:03,840
allowed to issue on behalf of users without justification. Revocation configuration is monitored;
928
01:02:03,840 –> 01:02:11,920
CRLs and OCSP are healthy and reachable. We instrument the forge: forward 4886, 4887,
929
01:02:11,920 –> 01:02:18,000
4898, 4899 from CAs. Alert when SAN contains an unexpected realm,
930
01:02:18,000 –> 01:02:25,200
when UPNs do not match the requester, when smart card logon EKU rides a template whose
931
01:02:25,200 –> 01:02:31,760
friendly name is not on an allow list. In the KDC realm, detect 4768 with certificate
932
01:02:31,760 –> 01:02:38,560
logon where the client workstation is a non-PAW subnet; pair with 4769 spikes to sensitive
933
01:02:38,560 –> 01:02:44,560
SPNs. The chord means identity bent at the mint. We enforce PAC scrutiny at endpoints that matter:
934
01:02:44,560 –> 01:02:50,240
domain controllers already inspect, but high value services can perform additional checks:
935
01:02:50,240 –> 01:02:56,400
reject certificate logon for accounts not in a defined set; deny service tickets if the
936
01:02:56,400 –> 01:03:03,040
presented identity was minted by an unapproved CA. Kerberos armoring helps when supported;
937
01:03:03,040 –> 01:03:10,160
channel binding helps at LDAPS: integrity for the path as well as the claim. We practice revocation
938
01:03:10,160 –> 01:03:16,640
rituals. If a misuse is found we revoke the certificate, publish CRL, and ensure DCs fetch
939
01:03:16,640 –> 01:03:23,680
fresh lists. We roll keys for the abused account even if the cert granted transient access,
940
01:03:23,680 –> 01:03:30,400
to invalidate any cached tickets. We review the NTAuth store again. We test logon with a bad cert;
941
01:03:30,400 –> 01:03:38,240
the door stays closed. We simplify future shapes: smart cards or FIDO for admins, device certificates
942
01:03:38,240 –> 01:03:44,480
bound to hardware TPM with attestation, templates with explicit subject rules enforced by the policy
943
01:03:44,480 –> 01:03:51,840
module, autoenrollment limited to groups with attestations. Humans do not type SANs; systems derive
944
01:03:51,840 –> 01:04:01,040
them from true identity. Lab echo. Low chime: template audit, LegacyUserEnroll unpublished, EKUs
945
01:04:01,040 –> 01:04:09,520
trimmed. Base pulse softens: NTAuth store identity-issuing CAs only, 4768 certificate logon
946
01:04:09,520 –> 01:04:15,920
limited to PAW use. The observer speaks: I am the forge. When you narrowed my molds and watched my
947
01:04:15,920 –> 01:04:22,320
fire, I stopped crowning strangers. I still mint truth; I no longer mint fantasy. Identity is metal.
948
01:04:22,320 –> 01:04:29,200
Heat without form is chaos; form without rules is fraud. Set the template, guard the store, listen for
949
01:04:29,200 –> 01:04:37,440
the chime. Monday actions: identity controls. The map darkens. We move from theory to ritual. Identity
950
01:04:37,440 –> 01:04:44,080
is not a name; it is a controlled instrument. On Monday we set the metronome and bind the edges.
951
01:04:44,080 –> 01:04:51,520
Begin with separation of selves. Human comfort merges roles; gravity demands we split them.
952
01:04:51,520 –> 01:04:58,960
Every administrator receives three identities: daily user, Tier 1 admin, Tier 0 admin. Each lives
953
01:04:58,960 –> 01:05:04,720
in different orbits bound by different laws. User accounts never touch domain controllers, never
954
01:05:04,720 –> 01:05:11,360
RDP to servers, never hold privileges beyond their work. Tier 1 manages servers and applications
955
01:05:11,360 –> 01:05:18,960
but never authenticates into Tier 0. Tier 0 touches domain controllers, PKI, identity systems, only from
956
01:05:18,960 –> 01:05:28,720
privileged access workstations. Ceremony replaces habit. Keys next: hardware-backed MFA is not an accessory,
957
01:05:28,720 –> 01:05:36,000
it is mass. Issue FIDO2 or smart cards for Tier 0 and Tier 1; bind them to devices that do not
958
01:05:36,000 –> 01:05:42,640
browse, do not receive email, do not run unsigned code. Where hybrid demands cloud strength,
959
01:05:42,640 –> 01:05:49,520
enforce number matching and phishing-resistant flows. The point is not trust in people; it is trust
960
01:05:49,520 –> 01:05:56,080
in physics: something you hold, something the machine can attest. Silence the fossils: disable
961
01:05:56,080 –> 01:06:03,360
LM and NTLMv1 everywhere. Turn on NTLM auditing for a month, tag every source, then cut. Enforce LDAP
962
01:06:03,360 –> 01:06:10,400
channel binding and signing. Require SMB signing on clients and servers. Prefer Kerberos with precise
963
01:06:10,400 –> 01:06:18,640
SPNs. In places where NTLM must persist, fence it: dedicated VLAN, firewall allow lists, no path to
964
01:06:18,640 –> 01:06:26,640
Tier 0. Drift cannot cross glass. Bind high value people to stronger gravity: place Tier 0 admins and
965
01:06:26,640 –> 01:06:33,680
sensitive service identities in Protected Users. That removes NTLM fallback, blocks legacy delegation,
966
01:06:33,680 –> 01:06:39,120
and avoids fragile caches. Pair with account policies that shorten ticket lifetimes for these
967
01:06:39,120 –> 01:06:45,680
identities; stolen heat cools faster. Enable Kerberos armoring where supported. On critical services
968
01:06:45,680 –> 01:06:52,640
turn on PAC validation: claims must match the directory or the door stays closed. Make the workstation
969
01:06:52,640 –> 01:06:59,920
a shrine. Privileged access workstations are not laptops with a sticker; they are instruments:
970
01:06:59,920 –> 01:07:06,960
no personal browsing, no plugins, no Office macros. App control locks execution to an allow list;
971
01:07:06,960 –> 01:07:14,720
device health attestation at logon; RDP sessions use Remote Credential Guard; secrets remain
972
01:07:14,720 –> 01:07:22,080
anchored on the PAW. If technicians must manage endpoints outside the core, use just-in-time elevation
973
01:07:22,080 –> 01:07:30,720
with short, recorded windows. Tools leave logs; humans leave approvals. Rotate what time erodes: service
974
01:07:30,720 –> 01:07:37,600
accounts become gMSA by default; static passwords die on a schedule no human negotiates. Remove
975
01:07:37,600 –> 01:07:43,920
password never expires from history. Restrict logon rights to exact hosts. Deny interactive logon
976
01:07:43,920 –> 01:07:49,680
and RDP to all service principals. SPN creation moves into a change ticket with an owner, a duration,
977
01:07:49,680 –> 01:07:55,120
and a purpose. Every vessel has a captain; every captain can be named. Prevent local sameness:
978
01:07:55,120 –> 01:08:01,280
LAPS across the estate, unique local administrator passwords on every workstation and server,
979
01:08:01,280 –> 01:08:08,720
rotated on cadence, readable only by a small audited group. Enforce remote UAC; remove the silent
980
01:08:08,720 –> 01:08:14,400
elevation that turns hashes into passports. Pair with Restricted Admin and Remote Credential Guard
981
01:08:14,400 –> 01:08:22,240
for RDP from PAWs; a captured local secret does not fly. Narrow delegation like optics: remove
982
01:08:22,240 –> 01:08:28,560
unconstrained delegation, replace with constrained delegation to exact SPNs, prefer resource-based
983
01:08:28,560 –> 01:08:34,560
constrained delegation so targets choose their mirrors. Audit for wildcard targets. Deny interactive
984
01:08:34,560 –> 01:08:42,240
logon to delegated identities. If a vendor insists on freedom, isolate, record, and schedule its sunset.
985
01:08:42,240 –> 01:08:49,600
Constrain replication authority: no human account holds DS-Replication-Get-Changes; backup
986
01:08:49,600 –> 01:08:56,080
software does not DCSync by default. If emergency recovery requires it, build a break-glass
987
01:08:56,080 –> 01:09:02,880
JIT role with dual approval, hour-long expiry, and loud logging. Monitor 4662 for replication
988
01:09:02,880 –> 01:09:09,840
rights; the moment it sings, eyes open. Instrument identity like a constellation. Alerts that matter:
989
01:09:09,840 –> 01:09:20,560
4769 spikes on SPNs tied to money or control; 4672 privileged logons outside windows; 4738
990
01:09:20,560 –> 01:09:31,200
attribute changes for privileged accounts; 4728, 4729 and 4732, 4733 movement into admin groups;
991
01:09:31,200 –> 01:09:40,080
4768 certificate logons from non-PAW subnets; 4662 replication attempts. Pair with Sysmon
992
01:09:40,080 –> 01:09:48,960
10 on LSASS handle access and Event 1 ancestry on tools that should never exist on PAWs. The chord
993
01:09:48,960 –> 01:09:57,120
matters; the notes are noise. Time discipline around krbtgt rotation is scheduled ritual, twice per event:
994
01:09:57,760 –> 01:10:04,240
before each pass, check replication health and back up system state; after, watch authentication failures
995
01:10:04,240 –> 01:10:10,960
that reveal shadow dependencies. Align gMSA refresh for services that care. Golden tickets become
996
01:10:10,960 –> 01:10:18,160
history, not prophecy. Finally, make exceptions loud: catalog every legacy system that cannot obey;
997
01:10:18,160 –> 01:10:25,760
assign it a tiered isolation, a compensating control, an owner, a retirement date; label its traffic,
998
01:10:25,760 –> 01:10:34,320
weight its alerts. No silent debts, no invisible gravity. The base pulse softens. A low chime: tier
999
01:10:34,320 –> 01:10:41,760
separation enforced, Protected Users applied, LAPS rotation complete, SMB signing required, PAC checks
1000
01:10:41,760 –> 01:10:47,760
enabled. We are not done; we are in orbit. Identity bends toward law, not convenience. The universe
1001
01:10:47,760 –> 01:10:55,520
acknowledges the change. Monday actions: surface hardening. The gravity is identity, but the terrain is
1002
01:10:55,520 –> 01:11:03,120
metal. We set the surface so bends are rare and loud. Begin with baselines as law, not suggestion. Domain
1003
01:11:03,120 –> 01:11:09,280
controllers receive a hardened GPO that is sacred: no interactive logon by anyone but Tier 0
1004
01:11:09,280 –> 01:11:15,760
administrators, no scheduled tasks created by non-service principals, no print spooler, no WebDAV,
1005
01:11:15,760 –> 01:11:22,960
no SMBv1, no inbound PS remoting except from PAWs, and PowerShell constrained language
1006
01:11:22,960 –> 01:11:30,960
mode for non-admin tokens. Audit policy is explicit and aggressive: success where lineage matters,
1007
01:11:30,960 –> 01:11:39,040
failure where probing counts; forward everything. Servers follow a tiered constellation. Tier 0 servers
1008
01:11:39,040 –> 01:11:46,640
and management hosts obey a stricter baseline: WDAC or AppLocker whitelisting, unsigned binaries
1009
01:11:46,640 –> 01:11:52,800
refused to run, script enforcement on, RDP only from PAWs with Remote Credential Guard,
1010
01:11:52,800 –> 01:12:00,160
WinRM with certificate authentication, not default CredSSP, local firewall rules default deny
1011
01:12:00,160 –> 01:12:08,000
east-west, permit documented SPNs only. Lateral movement is not convenience; it is failure.
1012
01:12:08,640 –> 01:12:14,480
Workstations receive a living image. The gold build enables Credential Guard where hardware permits,
1013
01:12:14,480 –> 01:12:20,400
LSA protection, attack surface reduction rules that block Office from creating child processes
1014
01:12:20,400 –> 01:12:27,200
and block credential theft behavior, and SmartScreen on. Macros from the internet die at the door.
1015
01:12:27,200 –> 01:12:34,640
Browser isolation for admin sites. Drivers are signed and vetted; kernel surfaces do not host vendor
1016
01:12:34,640 –> 01:12:41,040
shortcuts. USB storage is disabled except for a break-glass process with approval and logging.
1017
01:12:41,040 –> 01:12:49,360
On every surface we kill fossils: LM and NTLMv1 disabled, NTLM auditing enabled for mapping,
1018
01:12:49,360 –> 01:12:57,360
then enforcement to reduce exceptions to named, isolated workloads. LDAP signing and channel binding
1019
01:12:57,360 –> 01:13:04,880
required on domain controllers and enforced on apps. SMB signing required on servers, enabled on
1020
01:13:04,880 –> 01:13:15,840
clients, with a plan to require everywhere. SMBv1 gone. WebDAV gone. RDP NLA required. ICMP can live;
1021
01:13:15,840 –> 01:13:22,720
RPC without purpose cannot. We set services to truth: print spooler is off on servers that do not print;
1022
01:13:22,720 –> 01:13:30,640
on domain controllers it is off always. Remote Registry disabled except during change control windows.
1023
01:13:30,640 –> 01:13:36,800
Windows Installer restricted on servers to prevent on-the-fly package runs outside maintenance windows.
1024
01:13:36,800 –> 01:13:45,280
Scheduled tasks that run as users are an exception, not a pattern. Service accounts deny interactive
1025
01:13:45,280 –> 01:13:52,720
logon and RDP; they hold Log on as a service only on their hosts. We standardize ports like constellations
1026
01:13:52,720 –> 01:13:58,640
with names. Each class of server declares its allowed inbound and outbound: web tier inbound from
1027
01:13:58,640 –> 01:14:05,760
load balancers, outbound to app tier and telemetry, nothing else; app tier inbound from web and management,
1028
01:14:05,760 –> 01:14:13,360
outbound to data tier and identity, nothing else; data tier inbound from app only, outbound to backup
1029
01:14:13,360 –> 01:14:21,840
and replication, nothing else; management tier inbound from PAWs, outbound to all tiers by documented
1030
01:14:21,840 –> 01:14:29,040
agents only. Firewall rules are enforced by GPO and verified by a daily scan that compares effective
1031
01:14:29,040 –> 01:14:35,280
policy to baseline. We shrink the attack surface with certificates and keys: WinRM over HTTPS with
1032
01:14:35,280 –> 01:14:42,960
mutual auth between management plane and servers; RDP from PAWs only, MFA at the jump point, session
1033
01:14:42,960 –> 01:14:50,080
recording on; SSH for Windows allowed where automation demands, pinned to host keys and limited to
1034
01:14:50,080 –> 01:14:59,920
a management subnet; TLS everywhere, LDAPS only, IIS drops plaintext, SQL enforces encryption
1035
01:14:59,920 –> 01:15:05,200
with certificate pinning on critical apps. We tune the memory edge: LSASS is protected on Tier 0
1036
01:15:05,200 –> 01:15:13,920
and Tier 1, WDigest stays disabled, SeDebugPrivilege is removed from broad admin groups, only EDR
1037
01:15:13,920 –> 01:15:20,800
and backup agents hold it via a narrow GPO. ETW providers that leak secrets are secured. Minidumps
1038
01:15:20,800 –> 01:15:27,600
are restricted to administrators and blocked by WD on sensitive hosts. Crash dumps write to
1039
01:15:27,600 –> 01:15:35,040
protected paths; EDR scrubs artifacts quickly. We push application control where gravity is heavy:
1040
01:15:35,040 –> 01:15:41,360
WDAC in audit then enforced on domain controllers and PAWs, AppLocker on Tier 0 servers with publisher
1041
01:15:41,360 –> 01:15:47,760
rules for signed tools, hash rules for internal binaries, and script rules that allow only specific paths.
1042
01:15:47,760 –> 01:15:55,440
PowerShell is constrained for non-admins; script block logging and module logging feed the telescope.
1043
01:15:55,440 –> 01:16:01,760
We isolate legacy without apology: ICS or vendor servers that refuse signing or Kerberos live on
1044
01:16:01,760 –> 01:16:06,400
quarantined VLANs behind transparent proxies that translate modern authentication at the edge,
1045
01:16:06,400 –> 01:16:12,240
no path to domain controllers beyond DNS, no inbound from workstations, monitoring is loud,
1046
01:16:12,240 –> 01:16:19,040
business owners sign time boxes; the sun sets on dates, not intentions. Patch cadence becomes orbit:
1047
01:16:19,040 –> 01:16:25,440
quality updates in rings (canary, pilot, broad), feature updates where supported after lab validation,
1048
01:16:25,440 –> 01:16:32,080
out-of-band security patches for exploited vulnerabilities on Tier 0 surfaces within defined hours,
1049
01:16:32,080 –> 01:16:38,160
firmware and driver updates included quarterly. Reboots are scheduled; sleepy servers are myths,
1050
01:16:38,160 –> 01:16:44,720
maintenance windows are law. We bake drift detection into the crust: CIS or Microsoft security
1051
01:16:44,720 –> 01:16:52,960
baselines are the recipe, monthly compare results to baseline, deltas become tickets. Desired State
1052
01:16:52,960 –> 01:16:59,360
Configuration or a modern equivalent enforces key registry and service states; when someone flips
1053
01:16:59,360 –> 01:17:05,840
a bit, the system flips it back or rings a bell. Humans stop arguing; the instrument plays the score.
1054
01:17:05,840 –> 01:17:12,000
We wire telemetry with intent. Sysmon runs with a curated rule set tuned to your estate:
1055
01:17:13,040 –> 01:17:20,240
process ancestry for admin tools, network beacons for lateral beams, file events in sensitive
1056
01:17:20,240 –> 01:17:27,680
directories, handle access to LSASS and driver loads. Windows security logs forward
1057
01:17:27,680 –> 01:17:34,800
4688 with command line, 4624, 4672, 4697,
1058
01:17:34,800 –> 01:17:41,040
7045, 4732, 4728, 4768,
1059
01:17:41,040 –> 01:17:45,840
4769, 4662; device control logs for USB.
1060
01:17:45,840 –> 01:17:52,880
EDR events route to the same constellation; a SIEM correlates and pages by physics, not volume.
1061
01:17:52,880 –> 01:17:58,720
We practice denial of casual execution: no compilers on servers, no browser on domain controllers, no
1062
01:17:58,720 –> 01:18:05,600
Office on management hosts. Script runners sign their code, unsigned fails; package managers are
1063
01:18:05,600 –> 01:18:12,560
allowed only from internal repositories with attested packages. The observer speaks: I am the
1064
01:18:12,560 –> 01:18:19,680
surface. When you hardened my crust the fractures became visible and correctable. When you demanded
1065
01:18:19,680 –> 01:18:26,720
signatures my messages gained truth. When you narrowed my ports my paths became deliberate. Hardening
1066
01:18:26,720 –> 01:18:34,640
is not glamour; it is gravity applied at every edge until accidents cannot cross. Monday actions:
1067
01:18:34,640 –> 01:18:40,400
detection and monitoring. The telescope must be tuned before the light arrives. On Monday we wire
1068
01:18:40,400 –> 01:18:47,360
our sky so gravity speaks in numbers we can trust. Begin with intent: we do not forward everything,
1069
01:18:47,360 –> 01:18:53,280
we forward signals that describe power, motion and forgery. Security logs and Sysmon sing different
1070
01:18:53,280 –> 01:19:01,200
harmonies; together they resolve truth. Kerberos is our clock; we page on bends, not on breath. Collect
1071
01:19:01,200 –> 01:19:07,200
4768 for TGT issuance, 4769 for service tickets, 4776
1072
01:19:07,200 –> 01:19:16,000
for NTLM. Tag Tier 0 and Tier 1 SPNs as constellations; any 4769 surge against them
1073
01:19:16,000 –> 01:19:24,400
is a low chime. Distinguish routine batch from anomalies by cohort: machines, subnets and time windows.
1074
01:19:24,400 –> 01:19:32,160
If a workstation subnet requests TGS for LDAP on domain controllers, bass pulse. Privilege announces itself:
1075
01:19:32,160 –> 01:19:39,040
4672 is the sound of special rights. Alert on 4672 outside maintenance windows,
1076
01:19:39,040 –> 01:19:45,280
outside PAW subnets or without a matching change ticket. Link every 4672 to its preceding
1077
01:19:45,280 –> 01:19:50,960
4624 logon and 4768 origin; privilege without ancestry is counterfeit light.
1078
01:19:50,960 –> 01:19:56,640
Identity changes shift orbits. Forward 4738 for account attribute change,
1079
01:19:56,640 –> 01:20:00,640
4728 and 4729 for global group membership,
1080
01:20:00,640 –> 01:20:05,520
4732 and 4733 for domain local groups. Tag privileged groups:
1081
01:20:05,520 –> 01:20:11,840
Domain Admins, Enterprise Admins, Backup Operators, Account Operators and custom admin vessels.
1082
01:20:11,840 –> 01:20:18,960
Any add during business hours must include a human rationale; no rationale, a page. Removal pages too:
1083
01:20:18,960 –> 01:20:26,880
attackers clean footprints. Replication is sacred: 4662 with DS-Replication-Get-Changes
1084
01:20:26,880 –> 01:20:33,440
is a siren. Forward from all domain controllers at high fidelity; correlate 4662 with the
1085
01:20:33,440 –> 01:20:40,080
calling principal, source IP and time. If the principal is not a domain controller, if the host is not a DC,
1086
01:20:40,080 –> 01:20:45,840
if the window is not declared, gravity has failed. The small bright room must whisper loudly:
1087
01:20:45,840 –> 01:20:53,920
Sysmon event 10 reports handle access to LSASS; tune to allow EDR, backup agents and credential
1088
01:20:53,920 –> 01:21:01,680
providers, page on unknown lineage. Combine with Sysmon 1 for process ancestry; signed names can still
1089
01:21:01,680 –> 01:21:09,040
be wrong when parentage is strange. Add event 11 for file creation in Temp, Public or ProgramData
1090
01:21:09,040 –> 01:21:14,800
with dump signatures; pair with 7045 service installs or 4697.
1091
01:21:14,800 –> 01:21:20,880
The chord means harvest. Movement draws lines: Sysmon 3 records network connections;
1092
01:21:20,880 –> 01:21:27,520
build allow lists by tier, which subnets may speak to which services, which ports are legitimate;
1093
01:21:27,520 –> 01:21:35,360
page when workstation subnets beam to server admin ports, WinRM or WMI unexpectedly. Add 4624
1094
01:21:35,360 –> 01:21:40,720
type 3 correlators; lateral motion that arrives near a 7045 is not
1095
01:21:40,720 –> 01:21:47,440
noise. Services speak truth when created: 7045 is glass breaking on a server. Restrict
1096
01:21:47,440 –> 01:21:53,680
change windows, page outside them, keep a dictionary of known service names; anything new, anything
1097
01:21:53,680 –> 01:22:00,880
changed, anything with command lines from user-writable paths is drift. Certificates mint claims;
1098
01:22:00,880 –> 01:22:08,000
the forge must report. From CAs forward 4886, issued 4887,
1099
01:22:08,000 –> 01:22:14,400
attributes 4898, 4899 template changes. Alert when
1100
01:22:14,400 –> 01:22:22,080
SAN contains a UPN outside the requester, when Smart Card Logon EKU appears on templates not
1101
01:22:22,080 –> 01:22:28,080
in an allow list, when certificate logon (4768 with certificate) originates from
1102
01:22:28,080 –> 01:22:33,840
non-PAW subnets. This is identity bending silently; the monitor must give it a voice. Channel the
1103
01:22:33,840 –> 01:22:40,080
logs with purpose: Windows Event Forwarding is our gravity engine, source-initiated, certificate-bound,
1104
01:22:40,080 –> 01:22:45,440
tiered collectors. Domain controllers forward to a dedicated Tier 0 collector, Tier 1 servers to a
1105
01:22:45,440 –> 01:22:50,960
separate collector, workstations to a scalable pool; collectors forward to the SIEM. No single hop
1106
01:22:50,960 –> 01:22:58,320
creates a black hole. Normalize and reduce in the SIEM: parse fields into a semantic layer (account,
1107
01:22:58,320 –> 01:23:04,800
device, subnet, tier, change window, owner). Create baselines for each cohort; surges are relative to their
1108
01:23:04,800 –> 01:23:12,960
sky, not global averages. A noisy service is expected; a quiet one cannot suddenly shout. Define five pages,
1109
01:23:12,960 –> 01:23:21,280
not dashboards. Pages: DCSync attempt, 4662 with replication rights by a non-DC principal;
1110
01:23:21,280 –> 01:23:28,480
action: isolate source, revoke rights, review krbtgt rotation plan. LSASS touch: Sysmon 10
1111
01:23:28,480 –> 01:23:35,520
unknown lineage plus 11 dump plus 7045 within ten minutes; action: isolate,
1112
01:23:35,520 –> 01:23:43,680
rotate LAPS, invalidate ticket scope. Lateral cross-realm bend: 4768, 4769
1113
01:23:43,680 –> 01:23:52,400
with transited services from a foreign realm to Tier 1 SPNs; action: evaluate trust controls,
1114
01:23:52,400 –> 01:24:00,800
enable selective auth, review SID filtering. Kerberoast or SPN anomaly: sustained
1115
01:24:00,800 –> 01:24:08,000
4769 for service accounts with RC4 fallback from an atypical subnet; action: rotate
1116
01:24:08,000 –> 01:24:15,280
to random long passwords, force AES, monitor crack signals. Privilege drift: 4728,
1117
01:24:15,280 –> 01:24:20,720
4732 add to admin group without change record, paired with 4672
1118
01:24:20,720 –> 01:24:27,200
and service modification; action: revert membership, disable account, open incident. Make the telescope
1119
01:24:27,200 –> 01:24:32,880
resilient: logs are brittle when collectors drown. Apply rate limits at the edge with high-priority
1120
01:24:32,880 –> 01:24:39,760
channels for DCs and management hosts, cache on disk locally with retry, heartbeat alerts when
1121
01:24:39,760 –> 01:24:46,080
subscriptions drop. Teach the stars to answer: every alert routes to a runbook with three truths,
1122
01:24:46,080 –> 01:24:53,840
context fields, first actions, escalation path. No alert without ownership, no owner without
1123
01:24:53,840 –> 01:25:02,880
on-call. Integrate SOAR for reversible actions: isolate host, disable account, stop service, revoke
1124
01:25:02,880 –> 01:25:10,880
cert. Automation does not decide guilt; it buys time. Close with provenance: every detection is mapped
1125
01:25:10,880 –> 01:25:17,040
to a threat path we have narrated: relay, roast, DCSync, PAC abuse, delegation missteps.
1126
01:25:17,040 –> 01:25:23,280
The story anchors the signal; the signal guides the human. The observer speaks: I am the
1127
01:25:23,280 –> 01:25:29,680
fabric. When you listened to my faults in the right frequencies you stopped mistaking background
1128
01:25:29,680 –> 01:25:35,120
radiation for threat and threat for wind. The chime now means drift, the bass means identity bends;
1129
01:25:35,120 –> 01:25:41,280
you will hear them in time. Legacy systems: retire, isolate, compensate. There are machines that
1130
01:25:41,280 –> 01:25:47,760
refuse to age gracefully; they do not bend, they fracture. Legacy is not a brand, it is entropy with a
1131
01:25:47,760 –> 01:25:54,320
human signature. We begin with honesty: some systems cannot be secured, their physics is wrong. They speak
1132
01:25:54,320 –> 01:26:01,840
NTLMv1, they reject LSA protection, they sleep on Server 2008 R2, Windows 7 or earlier, they accept
1133
01:26:01,840 –> 01:26:07,600
unsigned SMB, run spoolers on servers that should never print and load drivers that turn memory into glass.
1134
01:26:07,600 –> 01:26:15,360
Retire is not cruelty; retire is mercy. We shut them down with ceremony: data extracted, formats translated,
1135
01:26:15,360 –> 01:26:21,680
owners consulted, dependencies mapped, replacements funded. If a business refuses the funeral we change
1136
01:26:21,680 –> 01:26:27,120
the business, not the gravity. But time has its own opinion; there will be systems that must live
1137
01:26:27,120 –> 01:26:32,480
for a while. We do not pretend they are safe; we isolate them as if they carry radiation.
1138
01:26:32,480 –> 01:26:40,960
Quarantine is a geometry: dedicated VLAN, firewall rules that speak in single verbs, allow this port
1139
01:26:40,960 –> 01:26:48,320
to that host, deny all else, no path to domain controllers beyond DNS and time, no inbound from
1140
01:26:48,320 –> 01:26:55,440
workstations, no lateral east-west within the quarantine except explicit pairs. Management occurs
1141
01:26:55,440 –> 01:27:03,520
from a bastion that holds certificates and MFA; no RDP from daily machines, no browsing from inside.
1142
01:27:03,520 –> 01:27:08,800
The zone is observed like a lab: packet capture points, Sysmon tuned,
1143
01:27:08,800 –> 01:27:14,880
EDR present if the kernel allows it. Every door is named, every door is locked. Compensation is the
1144
01:27:14,880 –> 01:27:21,600
third orbit: some legacy can wear modern clothing. We force SMB signing even when the application
1145
01:27:21,600 –> 01:27:31,760
complains; we tune until it obeys or we wall it off. We disable LM and NTLMv1, and where NTLM must
1146
01:27:31,760 –> 01:27:38,400
persist for a fossil client we pin it behind a proxy that speaks Kerberos to the core. LDAP is signed
1147
01:27:38,400 –> 01:27:45,520
and bound, LDAPS is mandatory with certificate pinning, WDigest remains disabled,
1148
01:27:45,520 –> 01:27:50,400
Credential Guard where hardware permits, RunAsPPL on servers that understand it,
1149
01:27:50,400 –> 01:27:58,160
local Administrator is LAPS-managed even on old metal, remote UAC blocks the silent token, script
1150
01:27:58,160 –> 01:28:05,600
execution requires signatures, drivers are audited, unsigned components do not load. We impose
1151
01:28:05,600 –> 01:28:13,200
human law over technical nostalgia: owners are named, each legacy system receives an accountable
1152
01:28:13,200 –> 01:28:21,360
sponsor who signs the risk monthly. A sunset date is not a suggestion; it is a star we navigate by.
1153
01:28:21,360 –> 01:28:28,560
Exceptions appear in a register visible to leadership and incident response; no invisible gravity.
1154
01:28:28,560 –> 01:28:34,720
Budget aligns with risk: the older the physics, the more expensive the perimeter. If a vendor demands
1155
01:28:34,720 –> 01:28:42,240
Domain Admin, the answer is isolation or divorce; principles before plugins. Detection becomes
1156
01:28:42,240 –> 01:28:48,800
louder around entropy. We escalate telemetry weight around the quarantine: 4776 NTLM spikes
1157
01:28:48,800 –> 01:28:55,360
become immediate pages, Sysmon 3 for SMB beams out of the zone triggers alarms, 7045 service
1158
01:28:55,360 –> 01:29:02,800
creation on legacy hosts outside maintenance windows is a cutoff, 4624 type 3 from quarantine
1159
01:29:02,800 –> 01:29:09,200
into Tier 1 or Tier 0 is denied by firewall; attempted events still forward to prove intent. If the
1160
01:29:09,200 –> 01:29:15,440
system cannot run EDR we place a tap; if it cannot forward logs we pull with read-only agents and
1161
01:29:15,440 –> 01:29:22,640
verify cryptographic integrity of the pull. We practice failure like a drill: tabletop exercises simulate
1162
01:29:22,640 –> 01:29:29,760
the legacy host as patient zero. We watch the fabric: what tickets are issued, what services touch,
1163
01:29:29,760 –> 01:29:35,760
what shares open. We rehearse quarantine at the switch, detonation in the SIEM, rebuild of neighbors.
1164
01:29:35,760 –> 01:29:42,400
We carry a tested offline backup of the legacy, validated in a lab that does not touch production.
1165
01:29:42,400 –> 01:29:48,320
If the system is critical and irreplaceable we build a twin and rehearse running on the twin;
1166
01:29:48,320 –> 01:29:54,640
the ritual reduces fear. Kara once watched a domain bend at 0211 because an imaging server from
1167
01:29:54,640 –> 01:30:01,520
201 still believed SMB signing was a rumor. She did not argue with nostalgia; she drew a box. Inside,
1168
01:30:01,520 –> 01:30:07,440
the server spoke to three addresses and nothing else; outside, silence. Later the application moved
1169
01:30:07,440 –> 01:30:13,680
to a managed platform, the box dissolved, the galaxy kept its shape. We refuse to let time dilation
1170
01:30:13,680 –> 01:30:20,080
dictate our orbit: retire where physics demands, isolate where duty insists, compensate where science
1171
01:30:20,080 –> 01:30:25,680
allows. We choose which universe each legacy inhabits and we document the laws it must obey.
1172
01:30:25,680 –> 01:30:36,320
Lab echo. Low chime: legacy register loaded, 14 systems. Soft tick: isolation enforced via VLAN 402,
1173
01:30:36,320 –> 01:30:45,760
east-west deny, baselines steady, SMB signing required, NTLMv1 blocked, LDAPS pinned. The observer
1174
01:30:45,760 –> 01:30:51,520
nods: I am the fabric. When you named your ruins and built proper orbits around them I stopped
1175
01:30:51,520 –> 01:30:57,280
tearing where memory insisted on being modern. Legacy is not an excuse; it is a design constraint, treated
1176
01:30:57,280 –> 01:31:06,320
as such, and gravity holds. Kerberos PAC validation and ticket sanity: there is a ledger inside every ticket.
1177
01:31:06,320 –> 01:31:13,760
It is called the PAC, the Privilege Attribute Certificate. It carries groups, SIDs, logon time, the
1178
01:31:13,760 –> 01:31:20,720
whisper of who you are and how much weight you can exert. Kerberos is not only speed; it is ceremony.
1179
01:31:20,720 –> 01:31:29,040
The KDC signs the PAC, the service trusts the KDC; the system believes the signature or it does not.
1180
01:31:29,040 –> 01:31:34,800
Ticket sanity is gravity for identity. Most people think the KDC decides everything and services
1181
01:31:34,800 –> 01:31:41,200
simply obey, but time has its own opinion. Services that never check the PAC signature become planets
1182
01:31:41,200 –> 01:31:47,680
that accept any orbit drawn near them. A forged PAC is a counterfeit mass: looks heavy,
1183
01:31:47,680 –> 01:31:55,440
bends paths, breaks truth. When validation is missing or misapplied, attackers turn a small TGT into a
1184
01:31:55,440 –> 01:32:01,200
tool that invents privilege. Here is what actually happens: you ask the KDC for a TGT, it signs with
1185
01:32:01,200 –> 01:32:10,320
the krbtgt key. Later you ask for a service ticket to HTTP, CIFS, MSSQL, LDAP; the KDC stamps a PAC into
1186
01:32:10,320 –> 01:32:18,080
that TGS (groups, SID history, claims), then signs the PAC with the KDC key and the service's key.
1187
01:32:18,080 –> 01:32:24,960
The service should validate both: did the KDC bless this, and was this meant for me? If either answer
1188
01:32:24,960 –> 01:32:32,560
is false the service must refuse. Many do; enough do not. PAC validation lives in decisions we forget
1189
01:32:32,560 –> 01:32:38,240
we made: protocol transition, constrained delegation, resource-based constrained delegation,
1190
01:32:38,240 –> 01:32:43,760
service stacks that terminate Kerberos inside application frameworks. A proxy that negotiates
1191
01:32:43,760 –> 01:32:49,440
Kerberos then hands the assertion to a service that never revalidates can turn signatures into
1192
01:32:49,440 –> 01:32:56,720
decorations. When proxies terminate and reissue they must enforce armor or bind to the DC for full checks;
1193
01:32:56,720 –> 01:33:02,320
otherwise a silver ticket minted by an intruder with a stolen service key slides through as law.
1194
01:33:03,040 –> 01:33:13,200
Lab echo. Low chime: 4769 TGS for MSSQL fin-ledger from svc-report. Soft tick: service reports
1195
01:33:13,200 –> 01:33:21,360
PAC verified with KDC signature. The chord holds, but when we hear application accepted without KDC
1196
01:33:21,360 –> 01:33:29,600
check, the bass pulse rises. Sanity is not only signatures; it is coherence. Ticket lifetimes must
1197
01:33:29,600 –> 01:33:36,640
match policy: forwardable when needed, otherwise not; renewable for windows we understand, not months
1198
01:33:36,640 –> 01:33:43,280
that invite quiet persistence. Encryption types should not descend into RC4 because of compatibility;
1199
01:33:43,280 –> 01:33:59,280
AES is the current: AES128-CTS-HMAC-SHA1-96 or AES256-CTS-HMAC-SHA1-96, and where
1200
01:33:59,280 –> 01:34:06,560
supported, the modern suites. If a service receives an RC4 TGS in a forest that claims modernity,
1201
01:34:06,560 –> 01:34:12,560
the instrument is out of tune. We teach services to doubt. For Windows services that call AcceptSecurityContext
1202
01:34:12,560 –> 01:34:18,960
we insist on Kerberos integrity, mutual auth, channel binding where applicable, service binding;
1203
01:34:18,960 –> 01:34:26,000
for IIS we prefer kernel-mode auth with strict SPN maps. When ARR or reverse proxies sit in front
1204
01:34:26,000 –> 01:34:32,480
they forward tokens only after validating and, when possible, re-acquiring from the KDC to attach
1205
01:34:32,480 –> 01:34:39,280
a fresh verified PAC. For SQL we ensure the SPN is unique and delegated only through constrained
1206
01:34:39,280 –> 01:34:44,080
paths; the engine must validate the PAC, not merely accept whatever the network hands it.
1207
01:34:44,080 –> 01:34:50,560
Delegation is where gravity tricks us. Unconstrained delegation trusts any ticket the service
1208
01:34:50,560 –> 01:34:56,160
presents to others; an attacker who lands there can request tickets to almost anywhere,
1209
01:34:56,160 –> 01:35:02,800
ferrying PACs like forged passports. We remove it. With constrained delegation we bind services
1210
01:35:02,800 –> 01:35:10,000
to specific SPNs; with resource-based constrained delegation the target says who may impersonate
1211
01:35:10,000 –> 01:35:16,400
into it. Then we add a further law: the target revalidates the PAC with the KDC, not with hope;
1212
01:35:17,040 –> 01:35:24,000
that second check catches silver tickets and PAC tampering born of stolen service keys. PAC
1213
01:35:24,000 –> 01:35:31,440
hardening exists: domain controllers can require strict validation for services that indicate support;
1214
01:35:31,440 –> 01:35:37,840
modern Windows enables validate-KDC-signatures by default in many paths. We verify this posture,
1215
01:35:37,840 –> 01:35:46,640
we disable fail-open code paths, we audit services that rely on custom GSS-API stacks or Java
1216
01:35:46,640 –> 01:35:53,600
frameworks with SPNEGO libraries known to skip validation unless configured. We test by presenting
1217
01:35:53,600 –> 01:36:00,240
malformed PACs in a lab and confirming denial. Detection listens to the curvature: event 4769
1218
01:36:00,240 –> 01:36:06,960
contains flags (forwardable, renewable), encryption type, client address. We baseline per SPN; a sudden surge
1219
01:36:06,960 –> 01:36:14,960
of TGS with RC4 to a critical service is a chime. 4771 and 4776 nearby reveal fallback and failure.
1220
01:36:15,520 –> 01:36:22,560
If a service begins accepting tickets for names not in its SPN list we mis-bound identity. Watch for
1221
01:36:22,560 –> 01:36:31,360
service name mismatches on domain controllers; PAC validation failures,
1222
01:36:31,360 –> 01:36:38,800
where available, signal tampering. On services with advanced logging, application traces that say PAC
1223
01:36:38,800 –> 01:36:46,400
signature invalid become pages. We test reality in a controlled lab: we simulate silver tickets with
1224
01:36:46,400 –> 01:36:53,120
a stolen service key and verify that target services reject them unless the KDC vouches live.
1225
01:36:53,120 –> 01:37:00,400
We enable Kerberos armoring (FAST) so the communication between client and KDC resists interception
1226
01:37:00,400 –> 01:37:06,480
and modification. We ensure devices and services support it; where they do not, we isolate until they
1227
01:37:06,480 –> 01:37:13,600
learn the language. Sanity includes PAC size: overgrown group membership can exceed token limits,
1228
01:37:13,600 –> 01:37:21,200
truncating truth. We monitor for 4769 failures with KRB_ERR_FIELD_TOOLONG, then we prune groups,
1229
01:37:21,200 –> 01:37:28,400
collapse nesting, move from group sprawl to claims where feasible. Identity remains heavy but intelligible.
1230
01:37:28,400 –> 01:37:34,800
The observer speaks: I am the ledger inside the ticket. When you verify my signatures against the KDC
1231
01:37:34,800 –> 01:37:40,640
I hold. When you bind me to the service that asked I cannot be borrowed. When you trim my excess and
1232
01:37:40,640 –> 01:37:47,760
refuse my fossils I represent truth. Kerberos works because the universe agrees to believe the same
1233
01:37:47,760 –> 01:37:54,480
signatures; PAC validation is that agreement made visible. Make every service check, make every proxy
1234
01:37:54,480 –> 01:38:01,920
humble, make every ticket coherent; the fabric will answer in kind. Exploit chain mapping patterns:
1235
01:38:01,920 –> 01:38:08,960
we map chains the way astronomers map gravity, not by seeing the mass directly but by watching how paths
1236
01:38:08,960 –> 01:38:17,360
curve. An exploit chain is not chaos; it is choreography. Credentials, protocols, permissions, services:
1237
01:38:17,360 –> 01:38:23,120
each adds weight; when they align, motion becomes inevitable. We do not guess; we trace.
1238
01:38:23,120 –> 01:38:29,920
We begin with origin and destination. Origin is where the first non-trivial
1239
01:38:29,920 –> 01:38:37,840
foothold lives: a compromised user, a misconfigured service, a legacy server. Destination is Tier 0
1240
01:38:37,840 –> 01:38:46,240
or the crown-adjacent: domain controllers, PKI, deployment orchestration, identity proxies. Between them
1241
01:38:46,240 –> 01:38:54,640
we mark viable beams (RDP, SMB, WinRM, WMI, RPC, HTTP) with their authentication dialects and policy
1242
01:38:54,640 –> 01:39:01,200
constraints. The shortest path is rarely the safest; the quietest path is rarely the shortest; gravity
1243
01:39:01,200 –> 01:39:08,720
will choose quiet if it can. Patterns emerge. First pattern, credential liquidity: tokens flow to
1244
01:39:08,720 –> 01:39:14,800
where humans are comfortable. Help desk touches servers, developers touch build agents, operations
1245
01:39:14,800 –> 01:39:23,040
touches everything during incidents. Each touch leaves residue: tickets in LSASS, cached credentials,
1246
01:39:23,040 –> 01:39:30,960
saved sessions, service keys in plaintext configs. The map highlights human schedules: spikes near patch
1247
01:39:30,960 –> 01:39:37,040
night, proximity after outages, standing sessions on jump servers that were never sanctified as PAWs.
1248
01:39:37,040 –> 01:39:43,440
Chains that matter begin at human comfort. Second pattern, identity translation: directory boundaries,
1249
01:39:43,440 –> 01:39:50,480
claim separation, delegation, trusts and SSO stitch them together. Unconstrained delegation turns
1250
01:39:50,480 –> 01:39:57,760
one service into many; resource-based constrained delegation narrows, but mis-bound permissions reopen;
1251
01:39:57,760 –> 01:40:03,040
forest trusts with weak SID filtering let SID history bend continents; AD CS templates that
1252
01:40:03,040 –> 01:40:10,800
permit SAN supply mint names on demand. Chains that matter cross identity translators; they pay
1253
01:40:10,800 –> 01:40:18,960
with signatures or steal them. Third pattern, protocol downgrade: when modernity falters, fossils speak.
1254
01:40:19,600 –> 01:40:29,760
Kerberos becomes NTLM, signed SMB becomes unsigned, LDAPS becomes LDAP, channel binding falls away.
1255
01:40:29,760 –> 01:40:37,120
Attackers engineer proximity (relays, coercion, name resolution tricks) to exploit the downgrade.
1256
01:40:37,120 –> 01:40:44,160
The map records policy at both ends, client capability and server requirement; any asymmetry becomes a slope.
1257
01:40:45,040 –> 01:40:50,800
Fourth pattern, shared keys as pressure points: service accounts with SPNs and RC4 history,
1258
01:40:50,800 –> 01:40:57,760
machine accounts with local admin beyond their tier, backup agents with DCSync for convenience,
1259
01:40:57,760 –> 01:41:03,360
deployment tools with write paths on servers they later start. Identify each key and its reach,
1260
01:41:03,360 –> 01:41:10,160
draw circles of consequence; a single key that reaches Tier 0 is a supermassive body, everything warps
1261
01:41:10,160 –> 01:41:19,360
around it. Fifth pattern, persistence friction: scheduled tasks, services, GPOs, logon scripts, agent auto
1262
01:41:19,360 –> 01:41:26,080
updates; any cyclic engine amplifies small changes. A DLL in a startup path becomes SYSTEM at dawn,
1263
01:41:26,080 –> 01:41:31,040
a task edited to run an extra binary becomes a repeatable foothold. Chains that matter end with a
1264
01:41:31,040 –> 01:41:37,840
heartbeat. We formalize the map into layers. Layer one, graph of principals to rights: users to groups
1265
01:41:37,840 –> 01:41:45,200
to rights on servers, rights to sessions observed, sessions to tokens present. Build it daily, expire
1266
01:41:45,200 –> 01:41:52,480
edges quickly so the map remains present tense; every node carries tier, owner, last seen and trust
1267
01:41:52,480 –> 01:42:01,680
context. Layer two, protocol and control matrix: for each edge define authentication method,
1268
01:42:01,680 –> 01:42:08,880
signing requirement, encryption, channel binding, delegation status and allowed callers. Record
1269
01:42:08,880 –> 01:42:14,640
policy and effective state; differences are where gravity leaks. Layer three, time and change:
1270
01:42:14,640 –> 01:42:21,440
overlay maintenance windows, deployment cycles and known incident schedules; overlay GPO drift
1271
01:42:21,440 –> 01:42:27,440
events and template changes from PKI. Exploit chains prefer motion; you will find them in the wake
1272
01:42:27,440 –> 01:42:36,080
of change. Layer four, anomalies as beacons: detection outputs are not noise, they are landmarks.
1273
01:42:36,080 –> 01:42:43,360
4769 spikes near an SPN, 4672 outside approved hours, 4662 replication rights use,
1274
01:42:43,360 –> 01:42:49,280
Sysmon 10 on LSASS, 7045 on servers. Attach these to edges and nodes, color them by
1275
01:42:49,280 –> 01:42:55,840
recency and confidence; chains prefer paths that recently glowed. Then we run thought experiments,
1276
01:42:55,840 –> 01:43:03,120
counterfactual gravity. Ask: if we remove unconstrained delegation from this service, what paths collapse?
1277
01:43:03,120 –> 01:43:10,000
If we require SMB signing here, how many edges go dark? If we rotate krbtgt twice this week,
1278
01:43:10,000 –> 01:43:15,280
which tickets become fossils? If we enable selective authentication on this trust, which foreign
1279
01:43:15,280 –> 01:43:22,480
beams cease? We simulate before we legislate. We also run attacker stories end to end at low fidelity,
1280
01:43:22,480 –> 01:43:31,120
never detailing misuse, always testing curvature. Story one: low-privilege user, read-only share with scripts,
1281
01:43:31,120 –> 01:43:37,120
embedded credential, service account with local admin, lateral to management server, scheduled task
1282
01:43:37,120 –> 01:43:44,560
foothold, cached admin token, ticket to deployment orchestrator, configuration push to domain controllers.
1283
01:43:45,360 –> 01:43:53,360
Mitigations paint the route: LAPS, remove embedded secrets, restrict local admin and enforce RDP rules,
1284
01:43:53,360 –> 01:44:01,040
deny delegated accounts interactive logon, PAWs, Protected Users, signing and PAC validation.
1285
01:44:01,040 –> 01:44:08,160
Story two: legacy app server, NTLM relay to file server, machine account leverage, relay to deployment
1286
01:44:08,160 –> 01:44:15,040
host, dropper into auto-load path, silent domain group add via service rights. Controls: SMB signing,
1287
01:44:15,440 –> 01:44:27,600
NTLM isolation, group membership alerts, 7045 gating, JEA, JIT. Story three: forest trust drift, cross-realm TGT,
1288
01:44:27,600 –> 01:44:36,320
mis-scoped ACLs, SID history abuse, local admin on Tier 1, stealthy GPO link.
1289
01:44:37,200 –> 01:44:43,840
controls s ed filtering selective auth trust attestation gpo change alerts ownership
1290
01:44:43,840 –> 01:44:51,760
we measure distance to failure for every origin compute hops to d a under current controls
1291
01:44:51,760 –> 01:44:58,000
with penalties for noisy steps the lower the sum the heavier the body we fix the heaviest first
1292
01:44:58,000 –> 01:45:06,720
after each change recompute chains lengthen noise increases attack cost climbs the observer speaks
1293
01:45:07,200 –> 01:45:13,920
i am the chart of your orbits when you layer identity protocol time and anomaly the paths
1294
01:45:13,920 –> 01:45:20,000
attack us prefer become obvious remove the quiet shortcuts add friction where momentum gathers
1295
01:45:20,000 –> 01:45:26,960
let gravity favor defense telescopes cm so our x dr for windows we do not secure by staring at logs
1296
01:45:26,960 –> 01:45:32,640
we secure by building telescopes a telescope is not a database it is a lens that bends raw signal
1297
01:45:32,640 –> 01:45:44,080
into meaning. In Windows the sky is busy: security logs, Sysmon, Defender, ADCS, DNS, DHCP, file servers,
1298
01:45:44,080 –> 01:45:49,440
domain controllers. Without gravity they scatter; with gravity they reveal structure. We start with
1299
01:45:49,440 –> 01:45:57,760
purpose: questions, not feeds. Who elevated, when and from where? Who touched LSASS, with what lineage?
1300
01:45:57,760 –> 01:46:03,200
Which SPNs experience drift in service ticket volume? Who asked the directory to replicate?
1301
01:46:03,200 –> 01:46:08,400
Which trusts carried foreign light? Every component plays a role. Windows Event Forwarding is the
1302
01:46:08,400 –> 01:46:15,040
collector constellation: source-initiated, certificate-bound, tiered. Domain controllers forward to a
1303
01:46:15,040 –> 01:46:20,960
tier zero collector, tier one servers to a separate nexus, workstations to a pool that can fail without
1304
01:46:20,960 –> 01:46:26,560
losing sacred light. Collectors forward to SIEM; no single stream becomes a black hole.
1305
01:46:26,560 –> 01:46:34,000
SIEM as the observatory: it normalizes 4688 into command lines, 4624 into identities with device
1306
01:46:34,000 –> 01:46:41,360
and subnet, 4768 and 4769 into a Kerberos heartbeat. It knows owners, tiers and windows. It turns
1307
01:46:41,360 –> 01:46:47,200
spikes into questions; it turns questions into pages. XDR is the eye that sees motion at the edge:
1308
01:46:47,200 –> 01:46:56,080
kernel telemetry, AMSI, memory scans, attack surface rules. It adds a fast lane for explosion:
1309
01:46:56,080 –> 01:47:04,000
process trees, handle opens, module loads. It remembers families of behavior. It does not replace SIEM; it
1310
01:47:04,000 –> 01:47:10,000
feeds it with detail that Windows logs cannot hold. SOAR is the hand that moves when the page sounds
1311
01:47:10,000 –> 01:47:17,200
true. It isolates a workstation in seconds, it rotates a LAPS password, it disables an account,
1312
01:47:17,200 –> 01:47:23,440
it revokes the certificate, it stops a rogue service. It acts reversibly; it writes provenance.
1313
01:47:24,160 –> 01:47:31,200
We design tiers into the sensors. Tier zero gets lossless collection: security logs at full fidelity,
1314
01:47:31,200 –> 01:47:40,800
Sysmon tuned for LSASS, drivers, services, PowerShell verbose streams, AD DS access. Tier one remains
1315
01:47:40,800 –> 01:47:48,400
dense but selective. Workstations send only what resolves identity, lateral motion and persistence.
1316
01:47:48,400 –> 01:47:54,640
The telescope must never blind itself. We bind signals to the maps we already drew. Our graph of
1317
01:47:54,640 –> 01:48:01,600
principals to rights becomes enrichment. When 4672 fires, the SIEM already knows the account's tier,
1318
01:48:01,600 –> 01:48:10,080
owner, change window and last-login cohort. When 4769 spikes for CIFS on mgmt-task-01, the
1319
01:48:10,080 –> 01:48:19,920
SIEM overlays: tier one, SPN owner, operations window closed, foreign trust none. False positives fall
1320
01:48:19,920 –> 01:48:28,080
away because context is gravity. We express detections as physics, not signatures. Privilege anomaly:
1321
01:48:28,080 –> 01:48:39,360
4672 from a non-PAW subnet, no approved window, no preceding 4768 from a PAW: page. Credential harvest chord:
1322
01:48:39,360 –> 01:48:49,360
Sysmon 10 to LSASS by unknown lineage, plus event 11 dump, plus 7045 service in 10 minutes: page
1323
01:48:49,360 –> 01:48:58,400
and isolate. Replication gravity breach: 4662 DS-Replication-Get-Changes by non-DC principal:
1324
01:48:58,400 –> 01:49:05,760
page, disable principal, plan krbtgt rotation. Cross-realm distortion: 4769 with
1325
01:49:05,760 –> 01:49:13,200
transited services from foreign realm to tier one SPNs, or SID history claims observed:
1326
01:49:13,200 –> 01:49:20,080
page and restrict trust. Kerberoast pressure: sustained 4769 RC4 to service accounts from workstation
1327
01:49:20,080 –> 01:49:26,880
subnets: page and rotate to AES only. We craft lenses: parsers that reveal fields Windows hides behind
1328
01:49:26,880 –> 01:49:37,120
text: SID history in 4769, transited services, Kerberos encryption type, logon type in 4624,
1329
01:49:37,120 –> 01:49:44,000
process parent chain in Sysmon 1, command lines with base64 decoded when safe, certificate sends in 487.
1330
01:49:44,000 –> 01:49:54,000
We standardize into a semantic layer: account, device, subnet, tier, owner, window, trust, cohort. Queries
1331
01:49:54,000 –> 01:50:00,960
become simple sentences. We build cohort baselines, not global averages: local gravity. Each SPN has
1332
01:50:00,960 –> 01:50:06,400
its rhythm, each subnet has its cadence, each admin has their maintenance slot. The SIEM learns
1333
01:50:06,400 –> 01:50:15,760
what 4769 looks like for MSSQL/fin-ledger on Tuesdays. It knows that 7045 on app-build-01 is
1334
01:50:15,760 –> 01:50:22,960
normal at 02:00. Anything outside the music is a chime. We script SOAR playbooks with humility. First,
1335
01:50:22,960 –> 01:50:28,960
actions are reversible and logged: isolate host in VLAN with a human override, disable account
1336
01:50:28,960 –> 01:50:34,800
with the ticket ID, rotate LAPS on a set of hosts while preserving forensics, stop a service and
1337
01:50:34,800 –> 01:50:41,760
back up the binary, revoke a certificate and publish CRL. Every step records actor, time, reason
1338
01:50:41,760 –> 01:50:49,760
and rollback. We make resilience a feature. Collectors use disks as buffers; if SIEM sleeps, ingestion
1339
01:50:49,760 –> 01:50:56,800
persists. Agents throttle under pressure with priority queues, domain controllers first. Heartbeats
1340
01:50:56,800 –> 01:51:04,000
prove subscriptions alive; loss pages operators. XDR keeps a day of hot telemetry; SIEM pulls when the
1341
01:51:04,000 –> 01:51:11,840
storm passes. We do not hoard forever. Retention follows truth: tier zero logs live longer, one year
1342
01:51:11,840 –> 01:51:19,840
searchable, more in cold. Tier one less. Workstations roll sooner, but high-signal extracts persist. We
1343
01:51:19,840 –> 01:51:28,000
snapshot anomaly summaries, top talkers, top SPNs, privilege pages. Memory of shape matters more than
1344
01:51:28,000 –> 01:51:35,360
memory of dust. We practice the telescope. Red teams create known chords; blue confirms detection,
1345
01:51:35,360 –> 01:51:44,240
action and narrative. We run purple exercises around LSASS touch, Kerberoast surges, DCSync, cross
1346
01:51:44,240 –> 01:51:51,680
realm tickets, PAC tamper. We refine rules; we remove noisy ones; we promote quiet, lethal ones. Lab echo:
1347
01:51:51,680 –> 01:52:00,480
low chime, collector health green, domain controllers priority channel true, base pulse steady, detection
1348
01:52:00,480 –> 01:52:08,000
set: five pages bound to runbooks. The observer speaks: I am the lens. When you tuned me to significance
1349
01:52:08,000 –> 01:52:14,400
and taught my hands to move, I stopped reporting light and started reporting consequence. So,
1350
01:52:14,400 –> 01:52:20,160
tiered administration deep dive. Tiering is not a chart; it is gravity architecture. Identities fall
1351
01:52:20,160 –> 01:52:26,880
according to mass, and we decide which surfaces they can touch. We define three orbits with absolute law.
1352
01:52:27,600 –> 01:52:35,600
Tier zero: custodians of identity and the forces that shape it: domain controllers, PKI, ADFS, Azure AD
1353
01:52:35,600 –> 01:52:42,640
Connect, schema masters, privileged access infrastructure, break glass. The smallest surface, the strongest
1354
01:52:42,640 –> 01:52:51,200
gravity. Nothing enters casually; nothing leaves residue. Tier one: servers and management planes
1355
01:52:51,200 –> 01:52:58,400
that run business logic: file, print, SQL, IIS, app tiers, management servers, orchestration engines,
1356
01:52:58,400 –> 01:53:06,480
hypervisors. Broad, powerful, dangerous if it leaks upward. Tier two: user workstations and anything
1357
01:53:06,480 –> 01:53:15,440
humans live inside daily: email, browsers, productivity, developer endpoints. Noisy, creative, fragile. Now
1358
01:53:15,440 –> 01:53:21,520
we bind identities to orbits. Every administrator has separate accounts by tier: daily user for tier two,
1359
01:53:21,520 –> 01:53:28,080
a server admin identity for tier one, a directory identity for tier zero. No cross use, no exceptions.
1360
01:53:28,080 –> 01:53:35,760
Authentication paths respect direction: lower to higher is forbidden; higher to lower is deliberate
1361
01:53:35,760 –> 01:53:43,040
and instrumented. The badge you wear determines which doors recognize you; the floor beneath your feet
1362
01:53:43,040 –> 01:53:48,640
determines what your badge can become. We give the badges a home: privileged access workstations live in
1363
01:53:48,640 –> 01:53:55,200
tier zero and tier one, purpose-built. Only tier zero accounts can log on to tier zero PAWs; only tier one accounts can
1364
01:53:55,200 –> 01:54:00,800
log on to tier one PAWs; tier two never touches them. The PAW does not browse, does not read mail, does not
1365
01:54:00,800 –> 01:54:08,080
run unsigned code. Remote Credential Guard anchors secrets on the PAW; RDP is a beam, not a transfer.
1366
01:54:08,640 –> 01:54:14,800
The workstation is not furniture; it is an altar. We constrain movement with doors that speak clearly:
1367
01:54:14,800 –> 01:54:21,840
from tier two to tier one, denied by default. When necessary we use a bastion with MFA and JIT elevation
1368
01:54:21,840 –> 01:54:28,560
that expires in minutes. The bastion does not store credentials; it brokers tokens that die quickly.
1369
01:54:28,560 –> 01:54:36,000
From tier one to tier zero: denied, except for named operations from tier zero PAWs wielding tier zero identities.
1370
01:54:36,000 –> 01:54:42,320
From tier zero to anywhere: only when duty demands, and always from the PAW, never from a server. We translate
1371
01:54:42,320 –> 01:54:50,000
policy into the directory. Admin groups are enumerated by tier: tier zero admins, tier one server admins,
1372
01:54:50,000 –> 01:54:59,040
help desk, hypervisor admins, PKI admins, each with scope, logon rights and machine assignment. Members
1373
01:54:59,040 –> 01:55:05,440
are few, attested and rotated through approvals. RPC rights, SeDebugPrivilege and logon rights are
1374
01:55:05,440 –> 01:55:11,440
pruned from broad groups. Backup Operators are not a shortcut to domain control; their rights are
1375
01:55:11,440 –> 01:55:17,120
narrowed and gated by time. We bind machines to their sky. Tier zero systems live on dedicated
1376
01:55:17,120 –> 01:55:22,480
VLANs with firewall rules that only accept management from tier zero PAWs and replication from
1377
01:55:22,480 –> 01:55:30,080
peer controllers; no inbound from app or user subnets. Tier one servers accept RDP and WinRM from
1378
01:55:30,080 –> 01:55:37,440
tier one PAWs only, certificate-bound, with logging and session recording. Tier two workstations cannot
1379
01:55:37,440 –> 01:55:45,200
speak to server administrative ports. SMB shares require SMB signing and least privilege. We reduce
1380
01:55:45,200 –> 01:55:51,600
credential liquidity: denies on interactive logon for service accounts, denies on RDP for every
1381
01:55:51,600 –> 01:55:57,920
account that does not need it. Local administrator on workstations rotates with LAPS. Local administrator
1382
01:55:57,920 –> 01:56:05,280
on servers either does not exist or is random and vaulted. Protected Users for tier zero identities
1383
01:56:05,280 –> 01:56:11,920
eliminates NTLM fallback and fragile delegation. Kerberos armoring in the realm that hosts tier zero.
1384
01:56:11,920 –> 01:56:17,680
Ticket lifetimes are shorter for tier zero and tier one; tokens cool fast. We practice ceremony for
1385
01:56:17,680 –> 01:56:26,320
dangerous acts. Schema change: tier zero only, maintenance window, documented rollback, lab rehearsal
1386
01:56:26,320 –> 01:56:35,200
and an observer. krbtgt rotation: two passes, replication checked, backups validated, monitoring heightened,
1387
01:56:35,200 –> 01:56:44,400
a named conductor. PKI template publish: change board with a PKI-specific quorum, template
1388
01:56:44,400 –> 01:56:53,280
diff reviewed, issuance constraints verified, NTAuth checked. Hypervisor changes: dual control,
1389
01:56:53,280 –> 01:56:59,920
console recording, break glass keys sealed after test. We draw the administrative plane as a service.
1390
01:56:59,920 –> 01:57:06,160
Management tools do not live on the servers they manage; they live on management hosts bound to tier,
1391
01:57:06,160 –> 01:57:13,600
with agent-based control and minimal inbound. Orchestration runs with gMSA identity scoped to exact
1392
01:57:13,600 –> 01:57:20,880
SPNs and hosts. Logs flow outward; commands flow inward through authenticated, signed channels.
1393
01:57:20,880 –> 01:57:26,880
The toolchain becomes an application with owners, change windows and tests. We teach the fabric
1394
01:57:26,880 –> 01:57:34,800
to reject drift. GPOs enforce tier boundaries: deny log on locally and deny log on through RDP
1395
01:57:34,800 –> 01:57:39,840
for identities outside their orbit. WDAC or AppLocker enforces what runs on PAWs and tier zero.
1396
01:57:39,840 –> 01:57:46,640
Firewall GPOs enforce management paths. Detection maps 4672 to subnet and PAW
1397
01:57:46,640 –> 01:57:53,600
status: any privileged logon from a non-PAW is a page; any 4624 type 10 for tier zero outside the subnet is
1398
01:57:53,600 –> 01:57:59,680
a page; any 7045 on a domain controller is a page with a name attached. We negotiate with reality
1399
01:57:59,680 –> 01:58:07,040
without surrender. Vendors who demand Domain Admins meet isolation and JEA; they receive JIT rights
1400
01:58:07,040 –> 01:58:13,680
that create a constrained endpoint with audited commands. Their sessions record; their identities do
1401
01:58:13,680 –> 01:58:20,320
not travel. If the demand persists, the system is boxed until replaced. No tool dictates gravity.
1402
01:58:20,320 –> 01:58:26,960
We close with a simple truth: tiering is culture wearing policy. It only holds if humans agree to be heavier
1403
01:58:26,960 –> 01:58:33,040
in the right places and lighter in others. The observer speaks: I am the hierarchy you drew.
1404
01:58:33,040 –> 01:58:38,720
When you honored my orbits with machines, identities and time, lateral motion lost momentum,
1405
01:58:38,720 –> 01:58:45,520
privilege ceased to wander, gravity returned to law. Privileged identity patterns. Privilege is
1406
01:58:45,520 –> 01:58:52,160
not a title; it is mass. It bends paths, accelerates motion and defines what collisions become catastrophe.
1407
01:58:52,160 –> 01:58:59,120
We do not inventory administrators; we inventory gravities. Most people think privileged identity means
1408
01:58:59,120 –> 01:59:07,840
Domain Admin, but they are wrong. Privilege lives in layers and disguises: accounts, tokens, services, groups,
1409
01:59:07,840 –> 01:59:13,680
devices, trust relationships and tooling. The patterns repeat. When we learn their shapes, we predict their
1410
01:59:13,680 –> 01:59:21,920
orbits. Pattern one: split selves with hard walls. A human carries at least three selves: daily user,
1411
01:59:21,920 –> 01:59:27,840
server operator, directory custodian. The mistake is not having them; the mistake is allowing them to
1412
01:59:27,840 –> 01:59:35,200
leak. Leakage looks like a tier zero identity checking email, or a server admin browsing a vendor forum from
1413
01:59:35,200 –> 01:59:41,920
a management host. The correction is ceremony: separate credentials, separate devices, separate
1414
01:59:41,920 –> 01:59:48,640
networks. The daily self never authenticates to servers; the server self never approaches domain
1415
01:59:48,640 –> 01:59:54,080
controllers; the directory self appears only on a PAW inside the smallest orbit. Tokens remain
1416
01:59:54,080 –> 02:00:02,480
where they were minted; gravity holds. Pattern two: service personas as citizens, not ghosts. Service
1417
02:00:02,480 –> 02:00:08,080
accounts are often treated as a blur: shared passwords, broad rights, invisible origins.
1418
02:00:08,080 –> 02:00:15,360
We invert that. Each service principal is a named citizen with a purpose and owner, a scope
1419
02:00:15,360 –> 02:00:24,960
and an expiration. gMSA by default; logon rights as a service on exact hosts, denied everywhere else:
1420
02:00:24,960 –> 02:00:31,920
no interactive, no RDP, no logon locally. SPNs registered through change, verified unique,
1421
02:00:31,920 –> 02:00:39,440
bound to AES. If a service requires delegation, we constrain it to explicit SPNs; better, we use
1422
02:00:39,440 –> 02:00:44,880
resource-based constrained delegation so the target chooses who may impersonate. A service
1423
02:00:44,880 –> 02:00:52,000
that can become you must be chosen by the service you become. Pattern three: toolchains as identities
1424
02:00:52,000 –> 02:00:59,760
with edges. Build agents, orchestration servers, backup engines, endpoint management: these are vessels
1425
02:00:59,760 –> 02:01:05,360
of concentrated authority. Their technical uses often dwarf Domain Admins in consequence. We
1426
02:01:05,360 –> 02:01:10,800
board them with passports. Each tool runs under a principal scoped to its function. The plane it
1427
02:01:10,800 –> 02:01:17,200
lives on is tier-bound. Its outbound reach is enumerated and enforced by firewall and allow lists;
1428
02:01:17,200 –> 02:01:23,520
its inbound management comes only from PAWs. We treat the tool like a sovereign: logged, attested,
1429
02:01:23,520 –> 02:01:30,320
rehearsed. If it can write configuration to hundreds of servers, it lives under stricter gravity than
1430
02:01:30,320 –> 02:01:38,240
any human. Pattern four: privilege that travels without a badge. Sessions and caches create silent mass.
1431
02:01:38,240 –> 02:01:45,120
An admin logs into a management server, runs a script, leaves. LSASS keeps heat, network providers cache,
1432
02:01:45,120 –> 02:01:51,360
Remote Credential Guard is not present or Restricted Admin is misapplied. Hours later a low-priv
1433
02:01:51,360 –> 02:01:57,040
foothold becomes a reading of memory. We minimize liquidity: Protected Users for admins,
1434
02:01:57,040 –> 02:02:03,520
Credential Guard where hardware allows, Remote Credential Guard from PAWs, deny delegation on
1435
02:02:03,520 –> 02:02:09,520
admin accounts, deny local caching on privileged endpoints. We shorten ticket lifetimes for tier zero
1436
02:02:09,520 –> 02:02:16,640
identities so residue decays. Pattern five: delegation as a lens we control. Unconstrained delegation
1437
02:02:16,640 –> 02:02:22,800
is a star that collapses into a singularity: tickets that touch it can be replayed, PACs ferried,
1438
02:02:22,800 –> 02:02:29,520
identity borrowed. We remove it. Constrained delegation narrows to named SPNs; RBCD gives targets
1439
02:02:29,520 –> 02:02:37,840
consent. Then we add humility: services that receive a delegated context revalidate the PAC with the KDC
1440
02:02:37,840 –> 02:02:45,600
or refuse. A forged silver ticket cannot trick a service that trusts the KDC more than it trusts
1441
02:02:45,600 –> 02:02:54,640
the network. Pattern six: group gravity as architecture, not convenience. Groups drift, nesting grows,
1442
02:02:54,640 –> 02:03:03,360
SID history lingers. We collapse to intentional sets: tier zero admins, server admins by platform,
1443
02:03:03,360 –> 02:03:09,600
application operators by service, break glass by ritual. We tag them with tier and owner;
1444
02:03:09,600 –> 02:03:16,080
we deny them where they do not belong via GPO, deny log on locally, deny log on through RDP, so
1445
02:03:16,080 –> 02:03:22,720
their mass cannot tumble into wrong rooms. We alert on membership changes like we alert on earthquakes.
1446
02:03:22,720 –> 02:03:29,840
Pattern seven: local administrator as a per-host secret, not a skeleton key. LAPS rotates each
1447
02:03:29,840 –> 02:03:35,760
workstation and server. The readers of that secret are few, audited and themselves protected.
1448
02:03:35,760 –> 02:03:41,920
Remote UAC ensures that even with local admin, network logons do not silently elevate. Some
1449
02:03:41,920 –> 02:03:49,040
servers have no local administrator at all; management occurs with JEA endpoints and gMSAs.
1450
02:03:49,040 –> 02:03:55,680
Privilege exists, but only for the task, only for the moment. Pattern eight: break glass as a
1451
02:03:55,680 –> 02:04:04,000
comet, seen rarely and recorded always. Emergencies demand speed; panic demands caution. We pre-build
1452
02:04:04,000 –> 02:04:10,720
an account with sufficient mass, seal its credentials in a vault with dual control, and require post-
1453
02:04:10,720 –> 02:04:17,680
use rituals: password rotation, sign-offs, log review and a quiet retelling of why it was needed.
1454
02:04:17,680 –> 02:04:25,360
The comet's path is logged in the sky. Pattern nine: identity propagation through trust. Forests,
1455
02:04:25,360 –> 02:04:31,040
domains, ADFS, cloud bridges: each copies weight across a boundary. We minimize what crosses: selective
1456
02:04:31,040 –> 02:04:36,400
authentication where possible, conditional access at clouds, claims trimmed to what is necessary,
1457
02:04:36,400 –> 02:04:43,600
NTAuth store pruned, SID filtering enabled. The fewer assertions we accept from beyond our galaxy,
1458
02:04:43,600 –> 02:04:50,240
the less our physics can be tricked. Pattern ten: provenance as law. Every privileged identity
1459
02:04:50,240 –> 02:04:59,440
has metadata: owner, purpose, tier, allowed endpoints, allowed times, last review, expiration. The SIEM
1460
02:04:59,440 –> 02:05:04,480
ingests it; the SOAR enforces it. When 4672 appears, we already know whether the mass is
1461
02:05:04,480 –> 02:05:11,680
in the right sky. When it is not, we do not debate: we isolate the object and ask questions after gravity
1462
02:05:11,680 –> 02:05:19,120
is restored. The observer speaks: I am privilege and I am pattern. When you give me shape, I stop leaking;
1463
02:05:19,120 –> 02:05:24,880
when you deny me comfort, I stop wandering; when you bind me to devices, windows and names, I become
1464
02:05:24,880 –> 02:05:31,600
predictable. The cosmos becomes survivable. DNS integrity and poisoned maps. We navigate by names.
1465
02:05:31,600 –> 02:05:38,880
DNS is our star chart. When the chart lies, ships do not explode; they arrive at the wrong harbor
1466
02:05:38,880 –> 02:05:44,480
and hand over their cargo politely. That is why attackers adore name resolution: it requires no
1467
02:05:44,480 –> 02:05:50,560
bravado; it requires patience and the right bend in the map. Most people think DNS is a directory of
1468
02:05:50,560 –> 02:05:58,240
facts, but time has its own opinion. In Windows, DNS is a living dialogue: dynamic updates, scavenging
1469
02:05:58,240 –> 02:06:05,280
cycles, aging intervals, multi-homed servers, stale records and plugins that rewrite answers for
1470
02:06:05,280 –> 02:06:11,840
convenience. Each setting becomes a curve; each curve can be exploited. There are three kinds of lies
1471
02:06:11,840 –> 02:06:19,200
in this sky: the forged answer, the coerced question and the outdated truth that still wins.
1472
02:06:19,200 –> 02:06:25,360
The forged answer is classic poisoning: a rogue host gains the right to assert a name. In many
1473
02:06:25,360 –> 02:06:32,320
estates, dynamic updates are set to nonsecure and secure. That phrase sounds generous; it means
1474
02:06:32,320 –> 02:06:38,800
anonymous. A workstation can register records for names it does not own, or a host with multiple
1475
02:06:38,800 –> 02:06:44,400
NICs can rewrite an A record with an internal address one hour and an attacker's address the
1476
02:06:44,400 –> 02:06:50,160
next. The server thanks it; clients obey. If that name belongs to a file share, an intruder receives
1477
02:06:50,160 –> 02:06:56,800
SMB sessions; if it belongs to a web service, they terminate TLS with a shadow certificate; if it
1478
02:06:56,800 –> 02:07:03,200
belongs to a domain controller alias, the gravity bends. The coerced question is subtler: LLMNR
1479
02:07:03,200 –> 02:07:10,400
and NBNS still whisper on many networks, legacy fallbacks that answer when DNS is slow or names are
1480
02:07:10,400 –> 02:07:16,720
simple. An intruder shouts louder than the real answer and a client believes; credentials flow
1481
02:07:16,720 –> 02:07:24,160
to the wrong responder, then relay begins. We already killed fossils elsewhere; here the echo remains.
1482
02:07:24,160 –> 02:07:32,240
In parallel, WPAD, automatic proxy discovery, can be hijacked with a single record. The browser trusts
1483
02:07:32,240 –> 02:07:39,360
the map; a forged proxy hears every request. The outdated truth is drift made visible. Dynamic DNS
1484
02:07:39,360 –> 02:07:46,240
records age but scavenging is timid or disabled. A server that moved now points to a void; an old record
1485
02:07:46,240 –> 02:07:51,680
for a name that should be unique still lingers, and round robin delivers clients to the shadow. In
1486
02:07:51,680 –> 02:07:57,680
split-brain DNS, internal and external zones disagree, and a misconfigured forwarder leaks queries
1487
02:07:57,680 –> 02:08:06,560
outward; answers traverse the wrong universe entirely. Lab echo: low chime, DNS update, host app-01
1488
02:08:06,560 –> 02:08:12,880
registered CIFS alias. Soft tick: update source workstation subnet.
1489
02:08:12,880 –> 02:08:20,800
Base pulse: zone allows nonsecure updates. Defense begins with binding names to their rightful hosts:
1490
02:08:20,800 –> 02:08:27,200
secure dynamic updates only. Machines authenticate to DNS with their computer accounts; unauthenticated
1491
02:08:27,200 –> 02:08:35,440
updates are refused. DNS scavenging is enabled with a clear aging policy: records age, stale entries die,
1492
02:08:36,320 –> 02:08:43,440
ownership is enforced. Only the host, or DHCP acting with credentials, can modify its record. Multi-homed
1493
02:08:43,440 –> 02:08:49,680
servers declare their registration behavior; we constrain to the management or server NIC,
1494
02:08:49,680 –> 02:08:55,280
not the transient test network someone plugged in during a late night. We remove the handheld echoes:
1495
02:08:55,280 –> 02:09:02,880
LLMNR and NBNS are disabled via GPO. WPAD is extinguished by preemptively registering the record to a
1496
02:09:02,880 –> 02:09:09,600
null host or a controlled system, and by browser policy that disables auto-discovery. On the perimeter
1497
02:09:09,600 –> 02:09:16,000
we drop multicast name chatter. The network quiets; the questions become intentional. We make resolution
1498
02:09:16,000 –> 02:09:21,280
deterministic for power: domain controllers and tier zero services receive host entries for their
1499
02:09:21,280 –> 02:09:27,760
peers only when change windows demand it; otherwise they depend on the secured DNS. DNS forwarding is
1500
02:09:27,760 –> 02:09:35,040
explicit: conditional forwarders for known zones, with DNSSEC validation when resolvers understand it.
1501
02:09:35,040 –> 02:09:40,480
Recursive resolution is not performed by domain controllers for the world; it is performed by
1502
02:09:40,480 –> 02:09:47,280
resolvers built for the task, with cache limits, rate limits and poisoning defenses. We harden the
1503
02:09:47,280 –> 02:09:53,520
servers that hold the map. DNS on domain controllers limits zone transfers to named secondaries,
1504
02:09:53,520 –> 02:10:01,280
signed with TSIG where supported. Any transfer to everyone is drift; we close it. Management interfaces
1505
02:10:01,280 –> 02:10:08,480
accept updates only from DHCP or domain controllers. Admin sessions occur from PAWs, not casual terminals.
1506
02:10:08,480 –> 02:10:17,520
Logging is tuned to record updates and signature failures; event IDs 552, 401, 4515 speak. The telescope
1507
02:10:17,520 –> 02:10:25,520
listens. We constrain aliases that carry power. SPNs bind services to names; that binding must be unique.
1508
02:10:25,520 –> 02:10:33,920
We audit for duplicate SPNs and eliminate collisions: MSSQL/sql-finance belongs to one principal.
1509
02:10:33,920 –> 02:10:42,160
CNAMEs that point at domain controllers are banned; we use A records and deliberate replication. DFS
1510
02:10:42,160 –> 02:10:49,120
namespaces use FQDNs, not whimsical short names that collide with printers and test hosts. Detection
1511
02:10:49,120 –> 02:10:57,120
becomes cartography. We baseline the zone: number of records, frequency of changes, ownership patterns.
1512
02:10:57,120 –> 02:11:03,280
Sudden bursts of updates from workstation subnets, especially for names that look like services,
1513
02:11:03,280 –> 02:11:13,920
CIFS, HTTP, MSSQL, are a chime. Changes to WPAD, ISATAP or names that control proxies are a page. DNS
1514
02:11:13,920 –> 02:11:23,600
debug logs feed the SIEM. Suspicious updates correlate with 4769 for the target SPN and Sysmon 3 connections
1515
02:11:23,600 –> 02:11:30,240
to the newly asserted address. If SMB signing is off, the map is a weapon; when signing is on, the weapon
1516
02:11:30,240 –> 02:11:37,680
dulls. We teach clients to doubt the easy answer: DNS over TCP when responses grow, channel binding at
1517
02:11:37,680 –> 02:11:45,040
LDAPS and SMB signing prevent relayed sessions from becoming authority. Even when a name resolves to
1518
02:11:45,040 –> 02:11:53,200
an attacker, the service refuses unauthenticated or unsigned exchanges. The map can deceive; the physics
1519
02:11:53,200 –> 02:11:58,960
afterward must not. In the lab we simulate poisoning safely: we flip a record under controlled
1520
02:11:58,960 –> 02:12:06,000
conditions and watch which services follow. We learn who trusts DNS too much: scripts with bare host
1521
02:12:06,000 –> 02:12:12,240
names, legacy apps without certificate pinning, admin habits that use short names on sacred hosts.
1522
02:12:12,240 –> 02:12:18,400
Then we fix the habit, not only the server. The observer speaks: I am the map. When you demanded
1523
02:12:18,400 –> 02:12:25,920
credentials for updates, I stopped accepting rumors; when you silenced LLMNR and NBNS, my whispers
1524
02:12:25,920 –> 02:12:32,800
ceased to mislead; when you signed the protocols that followed my answers, my mistakes stopped becoming breaches.
1525
02:12:32,800 –> 02:12:39,120
Names are gravity for humans; ensure the stars they reference are real. SMB supply routes,
1526
02:12:39,120 –> 02:12:45,440
controls and drift smb is not a protocol it is a supply route it carries files scripts agents
1527
02:12:45,440 –> 02:12:51,680
updates small packets of intention that become action when the road is honest work flows when
1528
02:12:51,680 –> 02:12:58,320
the route drifts authority moves quietly in crates with familiar labels most people think smb
1529
02:12:58,320 –> 02:13:05,920
security is a switch on or off but time has its own opinion it is a gradient signing requirements
1530
02:13:05,920 –> 02:13:13,120
dialect negotiation channel binding ntlm fallback share and ntfs permissions store credentials
1531
02:13:13,120 –> 02:13:20,560
client-side caching printer paths dfs namespaces each setting adds or removes gravity each misalignment
1532
02:13:20,560 –> 02:13:27,360
becomes a slope we begin with the signature of truth smb signing without it the route trusts the
1533
02:13:27,360 –> 02:13:32,800
road with it the cargo is bound to the sender require signing on service enable on clients then
1534
02:13:32,800 –> 02:13:40,320
move toward require when the dependency map confirms. When signing is firm, relays that once turned
1535
02:13:40,320 –> 02:13:48,880
printers into keys become noise. Channel binding tightens the loop. Auth bound to the TLS or session,
1536
02:13:48,880 –> 02:13:56,320
credentials cannot be replayed across a different tunnel. Dialect matters. Reject SMBv1;
1537
02:13:56,320 –> 02:14:05,360
it is fossil gravity: fragile, chatty, exploitable. Prefer SMB 3.x with encryption where warranted,
1538
02:14:05,360 –> 02:14:11,440
especially across untrusted segments and between tiers. Encryption does not absolve identity,
1539
02:14:11,440 –> 02:14:17,360
but it removes eavesdropping as a weapon. When DFS is in play, sign referrals,
1540
02:14:17,360 –> 02:14:23,120
ensure namespace servers obey the same laws as the targets. Names must not outrun proof.
1541
02:14:23,120 –> 02:14:30,560
Permissions are not taste; they are physics. Share permissions are blunt, NTFS is precise. Use both.
1542
02:14:30,560 –> 02:14:37,200
Everyone: Read remains drift even when intention is benign. Replace with Authenticated Users when
1543
02:14:37,200 –> 02:14:43,920
broad read is needed, then scope with NTFS to groups that can be understood at a glance. Remove
1544
02:14:43,920 –> 02:14:50,400
CREATOR OWNER rights from places that host scripts. Deny write on deployment shares to humans who only
1545
02:14:50,400 –> 02:14:58,880
consume. A single writable path on a management share becomes a choreography: drop a copy, scheduled
1546
02:14:58,880 –> 02:15:07,120
task created, service installed, gravity lost. Caches leak. Offline Files and CSC caches leave data
1547
02:15:07,120 –> 02:15:13,280
and metadata where an intruder can harvest patterns. For Tier 1 and management shares, disable
1548
02:15:13,280 –> 02:15:19,440
offline caching. Tools and scripts should be fetched fresh with signatures checked. Do not let the
1549
02:15:19,440 –> 02:15:26,320
past masquerade as the present. Credentials travel in habits. Mapped drives with stored passwords
1550
02:15:26,320 –> 02:15:33,760
harden into sediment. We replace persistent mappings with short-lived programmatic access bound to a
1551
02:15:33,760 –> 02:15:40,960
gMSA or JIT elevation from a PAW. The workstation does not keep keys for convenience; the PAW
1552
02:15:40,960 –> 02:15:47,840
requests them for a ritual. Remote Credential Guard holds the token at the origin. The server sees
1553
02:15:47,840 –> 02:15:55,840
authority, but the secret remains anchored. Spooler paths are notorious. A share that hosts drivers
1554
02:15:55,840 –> 02:16:02,880
and packages becomes a runway for code into kernel land. On servers, printer drivers do not belong
1555
02:16:02,880 –> 02:16:09,600
on file servers. Package Point and Print only from signed, trusted catalogs. Eliminate legacy Point
1556
02:16:09,600 –> 02:16:15,200
and Print that fetches from arbitrary shares. We have already removed the Spooler from domain
1557
02:16:15,200 –> 02:16:22,160
controllers; we extend that discipline across admin subnets. DFS namespaces must reflect intention,
1558
02:16:22,160 –> 02:16:29,360
not history. Use FQDNs, not short names that collide. Sign referrals. Restrict who can link targets.
1559
02:16:29,360 –> 02:16:36,640
Audit name changes: a rogue addition that points to an attacker-controlled host is a quiet detour.
1560
02:16:37,200 –> 02:16:44,720
Verify that each target requires signing and, where possible, encryption. Names are maps; maps must
1561
02:16:44,720 –> 02:16:52,240
bind to physics. We narrow administrative paths. ADMIN$ and C$ are sacred doors, not general
1562
02:16:52,240 –> 02:16:58,720
hallways; only tier-bound PAWs approach them. Local firewall rules deny workstation subnets from
1563
02:16:58,720 –> 02:17:05,680
speaking SMB to servers except to documented shares with explicit business purpose. Copy flows from
1564
02:17:05,680 –> 02:17:12,640
orchestrators that run under gMSA identities with minimal rights, not from a technician's browser session
1565
02:17:12,640 –> 02:17:19,120
and a mapped drive at midnight. Detection listens to rhythm. Sysmon Event ID 3 sees SMB connections;
1566
02:17:19,120 –> 02:17:25,280
build allow lists: which subnets may touch which shares. When workstation ranges beam to ADMIN$
1567
02:17:25,280 –> 02:17:32,720
on app servers, chime. Windows logs show 5140 for share access; pair with
1568
02:17:32,720 –> 02:17:38,640
4663 for object access on sensitive paths. A write to a script's directory followed by
1569
02:17:38,640 –> 02:17:45,440
7045 service creation is the chord of collapse. SMB signing negotiation appears in 300-series
1570
02:17:45,440 –> 02:17:53,040
events in the SMB server log. Log refusals and negotiate failures so the telescope can page when
1571
02:17:53,040 –> 02:17:59,440
a client insists on fossils. We practice integrity. Package sources are signed internal repositories;
1572
02:17:59,440 –> 02:18:05,360
verify signatures before publishing. Script execution on servers respects the signature policy:
1573
02:18:05,360 –> 02:18:12,640
WDAC or AppLocker allows only signed binaries and scripts from trusted paths. A copied file is not
1574
02:18:12,640 –> 02:18:19,760
execution; the engine that runs it decides truth. We isolate noisy legacy. Some appliances and old
1575
02:18:19,760 –> 02:18:25,600
applications cannot sign. They live in a quarantine where SMB is permitted only to named peers, with
1576
02:18:25,600 –> 02:18:33,520
translation at a proxy. No path to Tier 0 surfaces. Monitoring is heavier: 4776 NTLM
1577
02:18:33,520 –> 02:18:39,920
events correlate with SMB touches to spotlight relays and brute attempts. When the fossil speaks,
1578
02:18:39,920 –> 02:18:49,520
we hear it clearly and contain it. Lab echo. Low chime: 5140 share access, mgmt\files\tools,
1579
02:18:49,520 –> 02:18:57,680
user obstuploy. Soft tick: 4663 write denied to scripts\prod. Base pulse eases: SMB
1580
02:18:57,680 –> 02:19:05,040
signing required, encryption negotiated. The observer speaks: I am the route. When you signed my cargo and
1581
02:19:05,040 –> 02:19:12,000
narrowed my roads, contraband stopped arriving as configuration. When you denied casual write, supply
1582
02:19:12,000 –> 02:19:19,920
became deliberate. The universe kept its shape. Group Policy: writing the laws. Group Policy is not
1583
02:19:19,920 –> 02:19:25,520
configuration; it is gravity made explicit. It defines what is possible, what is forbidden, and what
1584
02:19:25,520 –> 02:19:33,600
happens when doubt appears. When we write GPOs we are not pushing buttons; we are declaring physics
1585
02:19:33,600 –> 02:19:41,680
that every endpoint must obey. We begin with constitution before code. A policy hierarchy exists:
1586
02:19:41,680 –> 02:19:49,920
forest, domain, OU. We decide which tier owns which law. Tier 0 laws live at the Domain Controllers OU
1587
02:19:49,920 –> 02:19:56,560
and a dedicated Tier 0 policy node, linked with enforced precision. Tier 1 laws govern servers by workload
1588
02:19:56,560 –> 02:20:05,520
OU. Tier 2 laws govern workstations by cohort: standard users, developers, kiosks. We avoid the
1589
02:20:05,520 –> 02:20:13,440
root domain link for convenience. Gravity should be local, not universal by accident. Order is destiny:
1590
02:20:13,440 –> 02:20:19,920
link order and inheritance produce orbits. We minimize Enforced; we maximize clarity. Baseline at
1591
02:20:19,920 –> 02:20:26,720
the top, exceptions near the leaf, and a strict rule: do not link a GPO to multiple places. If intent
1592
02:20:26,720 –> 02:20:33,040
differs, clone and name. The same policy should not carry two meanings. Humans break laws when names lie.
1593
02:20:33,040 –> 02:20:39,200
We write identity first. Deny log on locally and Deny log on through Remote Desktop Services
1594
02:20:39,200 –> 02:20:46,560
carve tier boundaries into machines. Tier 0 accounts cannot land on Tier 1 or Tier 2. Tier 1 accounts
1595
02:20:46,560 –> 02:20:53,680
cannot touch Tier 0. Service accounts deny interactive and RDP universally. Vendor accounts live in an OU
1596
02:20:53,680 –> 02:20:59,600
with deny rights everywhere except their constrained bastions. These settings are not decoration;
1597
02:20:59,600 –> 02:21:07,600
they are gates. We lock the memory holes. LSA protection is a registry truth: RunAsPPL enabled for Tier 0
1598
02:21:07,600 –> 02:21:15,280
and Tier 1 OUs. Credential Guard via Device Guard policies where hardware allows. Disable WDigest
1599
02:21:15,280 –> 02:21:22,320
via Security Options. Remove SeDebugPrivilege from broad groups with Restricted Groups or Group
1600
02:21:22,320 –> 02:21:28,080
Policy Preferences for User Rights Assignment. This is not optional; it is the difference between
1601
02:21:28,080 –> 02:21:35,360
heat and harvest. We turn fossils to stone. Security Options in the baseline: LAN Manager authentication
1602
02:21:35,360 –> 02:21:45,440
level set to refuse LM and NTLMv1, send NTLMv2 only; SMB signing required on servers, enabled on clients;
1603
02:21:45,440 –> 02:21:53,600
LDAP signing required, channel binding enforced for LDAP; NTLM auditing enabled at first,
1604
02:21:53,600 –> 02:22:00,160
then restriction set by policy to block by target list; WebDAV disabled through features;
1605
02:22:00,160 –> 02:22:06,000
Print Spooler service startup set to disabled on domain controllers and non-printing servers.
1606
02:22:06,000 –> 02:22:13,200
Each item becomes a paragraph in our law. We constrain execution: WDAC or AppLocker policies linked
1607
02:22:13,200 –> 02:22:20,080
to Tier 0 and PAW OUs, publisher rules for trusted vendors, path rules for system binaries, script rules
1608
02:22:20,080 –> 02:22:26,160
that allow signed PowerShell only with script block logging and module logging turned on,
1609
02:22:26,160 –> 02:22:31,200
Constrained Language Mode applied to non-admin tokens through Device Guard policies,
1610
02:22:31,200 –> 02:22:39,120
MSI installs restricted by Always install with elevated privileges set to disabled.
1611
02:22:39,120 –> 02:22:44,720
The law here says tools run because they are trusted, not because they are present.
1612
02:22:44,720 –> 02:22:52,640
We formalize remote control. WinRM configured by policy to HTTPS only with certificate mapping to
1613
02:22:52,640 –> 02:22:59,360
computer accounts or explicit admin groups, CredSSP disabled, authentication hardened. RDP:
1614
02:22:59,360 –> 02:23:06,800
Network Level Authentication required, Remote Credential Guard enabled from PAWs, Restricted Admin
1615
02:23:06,800 –> 02:23:14,400
disabled for daily use. Firewall rules defined by GPO per tier: inbound remote admin from PAWs only,
1616
02:23:15,200 –> 02:23:23,840
SMB for documented shares only, deny workstation subnets for ADMIN$. A map written in ports is still a law.
1617
02:23:23,840 –> 02:23:30,880
We standardize audit as astronomy. Advanced Audit Policy replaces legacy Success and Failure where
1618
02:23:30,880 –> 02:23:40,080
lineage matters: Logon/Logoff, Account Logon, Account Management, DS Access, Object Access for sensitive
1619
02:23:40,080 –> 02:23:47,600
paths, Policy Change, Special Logon, Authentication Policy Change, command line logging for process creation,
1620
02:23:47,600 –> 02:23:53,680
PowerShell transcription and deep script logging to a secured share for admins and PAWs with
1621
02:23:53,680 –> 02:24:00,720
ACLs that administrators cannot modify after the fact. Gravity must be observable. We manage services
1622
02:24:00,720 –> 02:24:08,800
and tasks as rituals. In the server baseline, forbidden services are set disabled: Fax, Remote Registry,
1623
02:24:08,800 –> 02:24:16,480
WebClient, Spooler where not needed. Scheduled tasks that auto-create junk are pruned via GPP item-level
1624
02:24:16,480 –> 02:24:24,160
targeting. Services that must run under accounts use gMSA, distributed by policy only to hosts in
1625
02:24:24,160 –> 02:24:31,200
scope. No task runs as a human account. The law says machines act as machines, not as people.
1626
02:24:31,200 –> 02:24:36,320
We write names with care. GPO names carry tier, scope, and function:
1627
02:24:36,880 –> 02:24:46,800
T0-DC-Security-Baseline, T1-Server-Core-Log, T1-PAW-Execution-Control, T2-WS-User-Protections.
1628
02:24:46,800 –> 02:24:53,680
Version numbers track control changes; descriptions link to documentation and change tickets.
1629
02:24:53,680 –> 02:24:58,480
Humans obey laws they understand; they ignore ones that read like riddles.
1630
02:24:59,200 –> 02:25:07,280
We control GPO authorship. Delegation is exact: Tier 0 GPO editors apply only to Tier 0 policies.
1631
02:25:07,280 –> 02:25:14,640
No one person owns creation and link rights. WMI filters live in a separate OU with version control,
1632
02:25:14,640 –> 02:25:20,640
not ad hoc on desktops. Block inheritance where necessary, but only after proving necessity,
1633
02:25:20,640 –> 02:25:26,720
and Enforced is a scalpel, not a hammer. We test in gravity, not in theory. A staging OU mirrors production
1634
02:25:26,720 –> 02:25:33,360
structure. A pilot group of machines inherits the same links, then experiences change first.
1635
02:25:33,360 –> 02:25:39,600
We instrument with Resultant Set of Policy reports and gpresult dumps. We measure boot time, service
1636
02:25:39,600 –> 02:25:45,200
behavior, authentication, and audit flow. Only then do we link to production. A law passed without
1637
02:25:45,200 –> 02:25:52,400
rehearsal becomes a comet. We detect drift as treason: regular exports of GPOs to version control,
1638
02:25:52,400 –> 02:25:59,200
hashes recorded, daily compare of link order and Enforced flags, alerts when a GPO changes outside
1639
02:25:59,200 –> 02:26:06,960
a window, when a link is added to the root, when a security option toggles; 4739 and 4732 on GPO
1640
02:26:06,960 –> 02:26:14,960
related groups, 513 on GPO processing failures. Each becomes a tone the telescope listens for. The observer
1641
02:26:14,960 –> 02:26:21,600
speaks: I am the law you wrote into silicon. When you honored tier, memory, protocol, and ritual,
1642
02:26:21,600 –> 02:26:28,800
I did not stifle work; I shaped it. When drift tried to whisper, I rang. Laws do not make us safe; they
1643
02:26:28,800 –> 02:26:36,240
make us predictable, and predictability is survivable. Gravity: service accounts, SPN, and rights hygiene.
1644
02:26:36,240 –> 02:26:41,920
Service accounts are not background noise; they are small suns. Each SPN is a beam of light that
1645
02:26:41,920 –> 02:26:47,520
binds names to keys, and each right is a vector that decides where that light can land. We do not
1646
02:26:47,520 –> 02:26:53,200
guess their orbits; we draw them. Most people think a service account is a password with a job,
1647
02:26:53,200 –> 02:26:58,800
but they are wrong. A service account is a contract between identity and infrastructure.
1648
02:26:58,800 –> 02:27:04,320
When the contract is vague, gravity drifts. When the contract is explicit, motion is lawful.
1649
02:27:04,320 –> 02:27:10,960
We begin with naming, because names declare ownership. Every service principal carries four truths
1650
02:27:10,960 –> 02:27:19,920
in its name and metadata: application, environment, tier, and owner. gMSA-sqlfin-prod-t1 is not
1651
02:27:19,920 –> 02:27:25,920
ornament; it is provenance. The directory stores a description that spells purpose and renewal window.
1652
02:27:25,920 –> 02:27:32,240
The SIEM ingests owner and tier so pages find humans, not rooms. Then we fix the body. The service
1653
02:27:32,240 –> 02:27:41,680
wears group managed service accounts by default. Passwords rotate without ceremony. Entropy is not optional;
1654
02:27:41,680 –> 02:27:49,360
no human knows the secret. Where gMSA is impossible, we impose vaulting, length, and rotation windows
1655
02:27:49,360 –> 02:27:55,520
measured in days, not seasons. Interactive logon is denied, RDP is denied, Log on as a service is
1656
02:27:55,520 –> 02:28:01,520
granted only to the hosts that run the workload. Logon rights everywhere else are denied explicitly by
1657
02:28:01,520 –> 02:28:07,600
GPO. The account cannot wander. SPNs are the rails. We register only what the workload needs, nothing
1658
02:28:07,600 –> 02:28:16,080
more, and we verify uniqueness. Duplicate SPNs are collisions; collisions are identity loss. CIFS,
1659
02:28:16,080 –> 02:28:24,560
HTTP, MSSQLSvc, LDAP: each entry pairs a name with a principal. We audit for orphaned SPNs where the account
1660
02:28:24,560 –> 02:28:30,800
no longer exists and for foreign SPNs where a human identity holds a service binding. Humans do not
1661
02:28:30,800 –> 02:28:38,960
carry SPNs; services do. Encryption is the language of the beam. We retire RC4. We enforce AES,
1662
02:28:38,960 –> 02:28:49,280
AES-128 and AES-256, on service accounts that present tickets. Where legacy systems insist on RC4,
1663
02:28:49,280 –> 02:28:55,360
they live in isolation until they learn modern speech. Key material that speaks in fossils is mass
1664
02:28:55,360 –> 02:29:03,040
without structure. Delegation is the lens. Unconstrained delegation is removed. Constrained delegation lists
1665
02:29:03,040 –> 02:29:10,560
explicit SPNs, and we query it like a map: who may impersonate to what. Resource-based constrained
1666
02:29:10,560 –> 02:29:16,640
delegation moves trust to the target; the receiving service declares who may act on its behalf.
1667
02:29:16,640 –> 02:29:24,480
Then we add the second law: any service that accepts delegated context revalidates the PAC with the KDC.
1668
02:29:24,480 –> 02:29:30,240
Trust does not stop at the proxy; it returns to the source. Rights are not fuzzy. Backup Operators do
1669
02:29:30,240 –> 02:29:37,360
not belong here. Debug rights do not belong here. Local administrator on hosts is almost never required;
1670
02:29:37,360 –> 02:29:44,240
when it is, we scope to exact servers, time-bound and logged. File system rights follow least privilege:
1671
02:29:44,240 –> 02:29:51,760
read where read, write where write, modify where deployment happens under orchestration identities.
1672
02:29:51,760 –> 02:29:58,800
Services are citizens, not sovereigns. We script the life cycle so gravity does not decay. Creation
1673
02:29:58,800 –> 02:30:06,960
through a runbook: request, owner, purpose, tier, SPNs, delegation, rights, approval by the platform owner.
1674
02:30:06,960 –> 02:30:13,840
Provision by automation. Rotation by policy. Review every quarter: still needed, still scoped,
1675
02:30:13,840 –> 02:30:21,360
still AES, still owned. Decommission with reversibility: remove SPNs, remove rights, disable, wait, delete.
1676
02:30:21,360 –> 02:30:29,040
The sky keeps no ghosts. Detection watches the beams. 4769 for the account's SPNs becomes a heartbeat;
1677
02:30:29,040 –> 02:30:35,200
the SIEM baselines volume per SPN per cohort. Spikes from workstation subnets chime.
1678
02:30:35,200 –> 02:30:41,440
4672 from a service account is a page: privilege attached where no ceremony exists.
1679
02:30:41,440 –> 02:30:47,680
4624 type 2 or type 10 for a service account is a page:
1680
02:30:48,560 –> 02:30:56,240
interactive where it should be headless. Directory Services logs for SPN changes map to change windows;
1681
02:30:56,240 –> 02:31:03,920
outside of them, we investigate. Sysmon 13 for registry persistence or 7045 for service install
1682
02:31:03,920 –> 02:31:11,920
under a service identity is a chord: workload or drift? We bind services to machines with exactness.
1683
02:31:11,920 –> 02:31:18,800
GPO delivers Log on as a service only to the OU where the hosts live. Firewall rules accept
1684
02:31:18,800 –> 02:31:24,720
inbound only from documented peers. Kerberos constrained delegation is mirrored by network paths:
1685
02:31:24,720 –> 02:31:31,040
even if a token can reach, the packet cannot without invitation. The identity and the road agree.
1686
02:31:31,040 –> 02:31:37,360
Toolchains receive special law. Orchestrators, backup engines, deployment servers run under gMSAs
1687
02:31:37,360 –> 02:31:43,600
with minimal SPNs. DCSync is not a convenience flag; it is a siren, permission granted to none
1688
02:31:43,600 –> 02:31:52,160
except DCs. If backup requires directory read, we grant through a proxy that impersonates on a DC,
1689
02:31:52,160 –> 02:31:57,440
never directly from an app server. Every extended right assigned to a service is documented and
1690
02:31:57,440 –> 02:32:05,040
revalidated in drills. We speak to developers without contempt. We provide a pattern: development gMSA
1691
02:32:05,040 –> 02:32:12,480
for dev, staging gMSA for test, production gMSA for prod. Same name stem, different rights, different
1692
02:32:12,480 –> 02:32:18,720
OUs, different SPNs. We ship a module that requests temporary elevation through JIT when maintenance
1693
02:32:18,720 –> 02:32:26,880
happens. We remove the excuse that led to one account for everything. Lab echo. Low chime: SPN audit,
1694
02:32:26,880 –> 02:32:35,840
MSSQLSvc/sqlfin-ledger unique, AES only. Soft tick: delegation constrained to CIFS/ledger-etl.
1695
02:32:35,840 –> 02:32:45,840
Base pulse steadies: interactive logon denied, 4672 none. The observer speaks: I am the light your services
1696
02:32:45,840 –> 02:32:53,280
emit. When you named me, scoped me, and bound me to the right stars, I stopped leaking into the dark.
1697
02:32:53,920 –> 02:33:01,200
Misuse became visible. Gravity held. Network segmentation and local firewalls. Networks are not oceans;
1698
02:33:01,200 –> 02:33:07,600
they are canals. We choose where water flows. Most people think segmentation is a diagram,
1699
02:33:07,600 –> 02:33:15,840
but time has its own opinion. Segmentation is enforcement: routes, ACLs, stateful inspection,
1700
02:33:15,840 –> 02:33:23,040
and hosts that refuse unsolicited conversation. We do not trust a quiet subnet; we build a subnet
1701
02:33:23,040 –> 02:33:30,240
that cannot speak. We start with the thesis: identity flows inward, management flows downward,
1702
02:33:30,240 –> 02:33:37,040
business flows along named lanes, everything else is denied. Tiered VLANs mirror privilege. Tier 0
1703
02:33:37,040 –> 02:33:45,200
networks occupy a sealed constellation: domain controllers, PKI, and PAWs see one another and the
1704
02:33:45,200 –> 02:33:52,880
replication cores. They do not see user subnets. Tier 1 servers form application clusters with explicit
1705
02:33:52,880 –> 02:33:59,680
north-south paths from load balancers and east-west lanes only where the workload proves necessity.
1706
02:33:59,680 –> 02:34:09,680
Tier 2 workstations sit in cohorts, office, developer, kiosk, each with its own walls. A workstation cannot
1707
02:34:09,680 –> 02:34:16,720
reach ADMIN$ on a server because the path does not exist. Local firewalls make geometry real.
1708
02:34:16,720 –> 02:34:23,360
On every host we define ingress by verb, not by hope: RDP from tier-bound PAWs only,
1709
02:34:23,360 –> 02:34:30,560
WinRM over HTTPS from orchestration identities, SMB to documented shares with signing,
1710
02:34:30,560 –> 02:34:38,080
LDAP only where services demand and never from workstations, RPC dynamic ports constrained by range
1711
02:34:38,080 –> 02:34:43,120
and allowed peers, SQL from application tiers, not from a browser's whim.
1712
02:34:44,080 –> 02:34:50,720
Egress follows the same law. Servers speak to their databases, update sources, and telemetry collectors;
1713
02:34:50,720 –> 02:34:57,600
they do not browse. Names do not bypass physics: DNS flows to resolvers, not everywhere; NTP flows from
1714
02:34:57,600 –> 02:35:05,520
a stratum we control; proxies mediate outbound HTTP. Direct internet from servers is a myth we retire.
1715
02:35:05,520 –> 02:35:13,040
If an application must call an external API, we define the destination and port. The rule reads like
1716
02:35:13,040 –> 02:35:19,760
a sentence. We design choke points that listen. Internal firewalls and load balancers terminate TLS,
1717
02:35:19,760 –> 02:35:26,640
force SNI, and require client certificates for administrative planes. Microsegmentation,
1718
02:35:26,640 –> 02:35:34,560
host firewalls informed by identity, adds a second net: even when the switch says yes, the kernel says
1719
02:35:34,560 –> 02:35:41,360
no unless the principal and process match the ritual. We treat exceptions as comets, not climates.
1720
02:35:42,000 –> 02:35:48,080
A temporary hole opens with a ticket, a time window, and an automated close. The SIEM records the aperture
1721
02:35:48,080 –> 02:35:54,800
and watches. When the window ends, the wall returns without debate. Detection becomes a map of silence.
1722
02:35:54,800 –> 02:36:01,360
Sysmon 3 connections that violate allow lists chime. Windows Filtering Platform logs denied attempts;
1723
02:36:01,360 –> 02:36:10,240
5156 and 5157 show permitted and blocked flows. We forward them from Tier 0 and management hosts.
1724
02:36:10,240 –> 02:36:18,320
A surge of 445 from workstations to server admin ports becomes a page. A burst of ephemeral RPC
1725
02:36:18,320 –> 02:36:24,480
to domain controllers outside maintenance is gravity failing. We respond with SOAR: quarantine
1726
02:36:24,480 –> 02:36:31,040
the talker, rotate LAPS if needed, and ask why the road appeared. The observer speaks: I am the
1727
02:36:31,040 –> 02:36:37,360
canal you dug. When you shaped water with walls and gates, movement became intention. Drift found the
1728
02:36:37,360 –> 02:36:43,600
gate and stopped. Gravity favored defense. Response rituals: containment and eviction. Response is not
1729
02:36:43,600 –> 02:36:51,520
panic; response is ceremony. When gravity wobbles we do not sprint; we execute a ritual that preserves
1730
02:36:51,520 –> 02:36:59,520
truth, contains motion, and restores shape. We begin with acknowledgement. The telescope sings:
1731
02:36:59,520 –> 02:37:09,600
4672 from a non-PAW, 4769 surging for a sensitive SPN, Sysmon 10 touching LSASS, 4662 replication rights
1732
02:37:09,600 –> 02:37:16,000
by a foreign hand. We log the page, assign a conductor, and switch from curiosity to consequence.
1733
02:37:16,000 –> 02:37:22,960
Every action from here writes its own provenance. Containment favors precision over spectacle.
1734
02:37:22,960 –> 02:37:30,560
We isolate the talker, not the world. SOAR places the workstation or server in a quarantine VLAN
1735
02:37:30,560 –> 02:37:38,080
that still allows management and evidence collection. We do not power it off; memory holds the story.
1736
02:37:38,080 –> 02:37:44,320
We snapshot volatile truth: process trees, open handles, network connections, token lists,
1737
02:37:44,320 –> 02:37:50,560
Kerberos cache on Tier 0 and Tier 1. We treat every byte as sacred. The altar remains lit while we move
1738
02:37:50,560 –> 02:37:56,960
around it. We cut the quiet roads first. SMB admin ports from workstation ranges are blocked at the
1739
02:37:56,960 –> 02:38:04,160
firewall if they were not already. RDP ingress is limited to PAWs and bastions with MFA. NTLM
1740
02:38:04,160 –> 02:38:11,600
across admin subnets is denied by policy exceptions, starting with targets reported by 4776. We close the
1741
02:38:11,600 –> 02:38:17,600
door the intruder currently prefers, not every door the network owns. We protect credentials before
1742
02:38:17,600 –> 02:38:24,640
we chase them. On the compromised host we check LSA protection. If RunAsPPL is false, we do not enable
1743
02:38:24,640 –> 02:38:31,040
it mid-fight; we would lose memory. Instead we control access, collect, and only then raise the walls.
1744
02:38:31,040 –> 02:38:37,040
We rotate LAPS on adjacent machines. We disable interactive logon for service accounts that had
1745
02:38:37,040 –> 02:38:43,840
sessions nearby. We shorten ticket lifetimes by policy on Tier 0 identities so residue decays faster
1746
02:38:43,840 –> 02:38:50,720
while we work. We decide the blast radius by tier. If a Tier 2 workstation falls, we contain and hunt
1747
02:38:50,720 –> 02:38:57,280
laterally within Tier 2. If a Tier 1 server falls, we assume adjacent service accounts and
1748
02:38:57,280 –> 02:39:04,640
management planes are warm; we isolate the cluster segment and check orchestration hosts. If a Tier 0
1749
02:39:04,640 –> 02:39:13,200
asset even trembles, we escalate to forest defense: prepare krbtgt rotation, audit DC changes, check
1750
02:39:13,200 –> 02:39:20,800
7045 and 4739 on domain controllers, and verify PKI health. The higher the tier, the colder our hands
1751
02:39:20,800 –> 02:39:28,000
must be. Eviction is not deletion; it is subtraction of power. We remove footholds in order of leverage.
1752
02:39:28,000 –> 02:39:35,600
Services created by the intruder (7045) are stopped, backed up, and removed. Scheduled tasks altered are
1753
02:39:35,600 –> 02:39:43,760
exported, diffed, and reset. Startup paths are cleaned under WDAC or AppLocker rules that now refuse
1754
02:39:43,760 –> 02:39:50,240
the binaries even if they reappear. We disable compromised accounts; we do not delete them until the
1755
02:39:50,240 –> 02:39:57,760
audit is complete. Deletion erases trails. We treat identity like radiation. Accounts exposed to
1756
02:39:57,760 –> 02:40:03,680
theft are rotated in a sequence that denies reentry. For user accounts, reset passwords and invalidate
1757
02:40:03,680 –> 02:40:11,760
sessions. For service accounts, rotate gMSA keys by updating the host keying interval and forcing a
1758
02:40:11,760 –> 02:40:20,960
change. For machine accounts, use Reset-ComputerMachinePassword on isolated hosts, mindful of trust
1759
02:40:20,960 –> 02:40:28,960
breaks. For domain controllers we prepare the two-step krbtgt rotation: first reset to invalidate
1760
02:40:28,960 –> 02:40:36,160
current golden tickets, wait for replication and purge, then reset again to invalidate any tickets
1761
02:40:36,160 –> 02:40:41,280
minted between. We schedule this with the conductor, a timer, and an audit of replication health.
1762
02:40:41,280 –> 02:40:48,080
We hunt while we evict. Queries sweep for the chords we know: LSASS access on endpoints in the same
1763
02:40:48,080 –> 02:40:58,160
cohort, 4769 RC4 spikes that reveal Kerberoast attempts, 4662 for replication extended rights,
1764
02:40:58,160 –> 02:41:08,000
4732 membership changes on admin groups, 4719 audit policy changes, 4907 object SACL modifications.
1765
02:41:08,000 –> 02:41:14,160
We follow time. Intruders move after our move; we anticipate and cut their next path. We neutralize
1766
02:41:14,160 –> 02:41:21,120
persistence with gravity, not whack-a-mole. WDAC or AppLocker is moved from audit to enforce on Tier 0 and
1767
02:41:21,120 –> 02:41:27,680
PAWs. For servers we tighten to publisher allow lists where possible and path rules for staging
1768
02:41:27,680 –> 02:41:34,960
directories. We flip GPOs that were waiting: deny logon through RDP for accounts that drifted,
1769
02:41:34,960 –> 02:41:41,920
disable legacy protocols on the OU that hosted the compromised host, enforce SMB signing on shares
1770
02:41:41,920 –> 02:41:48,400
that now matter. We do not rely on manual cleanups; we change the laws. Communication is part of the
1771
02:41:48,400 –> 02:41:55,120
ritual. We state facts without adjectives: scope, signals, actions taken, actions pending. Business leaders
1772
02:41:55,120 –> 02:42:02,240
receive impact and expected recovery windows. Technical owners receive lists: rotate these identities,
1773
02:42:02,240 –> 02:42:08,560
re-image these hosts, move these services to maintenance. The narrative is short, present tense,
1774
02:42:08,560 –> 02:42:14,480
and repeated at intervals that match anxiety with clarity. When re-imaging is required, we stage it:
1775
02:42:14,480 –> 02:42:20,880
evidence first, image second, hardening third, controlled reintroduction fourth. Golden images are
1776
02:42:20,880 –> 02:42:29,200
current with baselines pre-loaded: LSA protection, Credential Guard, SMB signing, audit policy,
1777
02:42:29,200 –> 02:42:37,840
WDAC policies, firewall rules. Machines rejoin only via management lanes from PAWs. After reentry
1778
02:42:37,840 –> 02:42:44,720
we monitor for abnormal authentication, 4624 and 4768, to catch any
1779
02:42:44,720 –> 02:42:53,520
reuse of old tokens. We prepare for irreversible steps with deliberation. krbtgt rotation includes
1780
02:42:53,520 –> 02:42:59,840
forest functional level check, backup verification, DC health, replication state, timeline for both
1781
02:42:59,840 –> 02:43:06,560
resets, increased logging around 4768 and 4769, and a staffed window. PKI
1782
02:43:06,560 –> 02:43:12,960
revocation includes CRL publishing and application impact testing. Trust modification, selective
1783
02:43:12,960 –> 02:43:19,600
authentication or SID filtering, includes a controlled trial with known access paths. Eviction should
1784
02:43:19,600 –> 02:43:26,240
shrink privilege, not break reality. We close with confession and calibration. Post-incident we write
1785
02:43:26,240 –> 02:43:33,040
what mattered: which control saved time, which gaps created slope, which alerts sang too often or too
1786
02:43:33,040 –> 02:43:39,600
late. We tune: we add missing sensors, we remove noisy ones. We commit to drills, purple exercises that
1787
02:43:39,600 –> 02:43:48,000
replay the chords: DCSync attempt, LSASS touch, NTLM relay, PAC tamper. And we practice the ritual
1788
02:43:48,000 –> 02:43:55,760
so muscle learns what mind already knows. Lab echo. Low chime: quarantine applied, three hosts. Soft tick:
1789
02:43:55,760 –> 02:44:04,880
LAPS rotations completed, twenty-seven. Base pulse steadies: krbtgt rotation window scheduled,
1790
02:44:04,880 –> 02:44:12,080
T plus thirty-six hours. The observer speaks: I am the ritual you performed under pressure.
1791
02:44:12,080 –> 02:44:17,280
When you honored order over fear, the fabric bent but did not tear. Eviction is not a chase;
1792
02:44:17,280 –> 02:44:25,680
it is gravity restored. The truth we keep, here is the truth we keep: security is not noise; it is
1793
02:44:25,680 –> 02:44:32,160
gravity, chosen and renewed. If this spoke to you, stay with us, subscribe, and then go watch the next
1794
02:44:32,160 –> 02:44:37,600
film in this arc, where we map trusts like wormholes and seal them. Bring your team, bring your questions.
1795
02:44:37,600 –> 02:44:39,520
The universe will not secure itself.