
2
00:00:02,400 –> 00:00:07,560
Patches drift like red-shifted signals, passwords orbit forever,
3
00:00:07,560 –> 00:00:11,760
a domain controller from another era hums as if alone.
4
00:00:11,760 –> 00:00:15,400
Inside, threads of services trade secrets like starlight,
5
00:00:15,400 –> 00:00:18,800
tickets, trusts, shares. We call it normal operations.
6
00:00:18,800 –> 00:00:23,600
It is surface tension. A single misconfiguration bends the field.
7
00:00:23,600 –> 00:00:27,120
Legacy protocol. A forgotten share.
8
00:00:27,120 –> 00:00:29,360
The attacker does not force entry.
9
00:00:29,360 –> 00:00:34,960
They follow gravity. Tonight we descend. Domains as galaxies.
10
00:00:34,960 –> 00:00:39,520
Trusts as wormholes. Controllers as singularities.
11
00:00:39,520 –> 00:00:43,520
We will map, exploit, and reinforce the fabric.
12
00:00:43,520 –> 00:00:46,680
Record, audit, listen, enter.
13
00:00:46,680 –> 00:00:50,280
Windows infrastructure. The first coordinates form.
14
00:00:50,280 –> 00:00:53,760
We fall. The universe of Windows infrastructure.
15
00:00:53,760 –> 00:00:57,760
We begin with a simple truth. Data has its own gravity.
16
00:00:57,760 –> 00:01:01,360
Windows infrastructure is not a diagram. It is a cosmos.
17
00:01:01,360 –> 00:01:05,520
Workgroups form dust. Domains ignite into stars.
18
00:01:05,520 –> 00:01:11,040
Forests bind into galaxies. Trusts, tunnel-like wormholes between them.
19
00:01:11,040 –> 00:01:15,320
Power BI does not simply show us. The directory defines us.
20
00:01:15,320 –> 00:01:19,720
Roles coalesce. Domain controllers as cores.
21
00:01:19,720 –> 00:01:24,200
FSMO roles as spin. DNS as navigation.
22
00:01:24,200 –> 00:01:27,200
Group policy as the laws that hold it all together.
23
00:01:27,200 –> 00:01:29,200
But time has its own opinion.
24
00:01:29,200 –> 00:01:33,480
Misconfigurations create curvature. Drift accumulates.
25
00:01:33,480 –> 00:01:35,800
Authentication bends around mass.
26
00:01:35,800 –> 00:01:38,600
Kerberos and NTLM, tokens, PACs.
27
00:01:38,600 –> 00:01:42,320
Attackers do not rush. They listen for pressure gradients.
28
00:01:42,320 –> 00:01:44,720
And fall along the easiest slope.
29
00:01:44,720 –> 00:01:48,600
We will move from the outer halo to the singular core.
30
00:01:48,600 –> 00:01:52,480
Enumeration as astronomy. Privileges as fuel.
31
00:01:52,480 –> 00:01:57,160
Credentials as radiation and delegation as curved space.
32
00:01:57,160 –> 00:02:00,600
Each concept will arrive paired with its counter force.
33
00:02:00,600 –> 00:02:03,960
Hygiene, segmentation, baselines, monitoring.
34
00:02:03,960 –> 00:02:07,960
And in those rare moments, we will let the system speak for itself.
35
00:02:07,960 –> 00:02:10,520
A quiet chime when drift begins.
36
00:02:10,520 –> 00:02:12,640
A bass pulse when identity bends.
37
00:02:12,640 –> 00:02:17,840
The goal is not invincibility. The goal is orbit, stable, deliberate, sustained against
38
00:02:17,840 –> 00:02:19,680
fear and noise.
39
00:02:19,680 –> 00:02:24,400
From workgroup dust to domain galaxies, we start with a single machine.
40
00:02:24,400 –> 00:02:26,200
Unjoined, unobserved.
41
00:02:26,200 –> 00:02:28,840
A workgroup host is a rock in the void.
42
00:02:28,840 –> 00:02:32,400
Local accounts. Local policy. Local truths.
43
00:02:32,400 –> 00:02:35,040
It survives by isolation or by luck.
44
00:02:35,040 –> 00:02:38,000
There is no shared sky. No central gravity.
45
00:02:38,000 –> 00:02:41,280
Every login is a coin toss against entropy.
46
00:02:41,280 –> 00:02:43,120
Add another machine.
47
00:02:43,120 –> 00:02:46,160
A print server. A file share.
48
00:02:46,160 –> 00:02:49,840
Human habit begins to braid threads across them.
49
00:02:49,840 –> 00:02:51,320
Mapped drives.
50
00:02:51,320 –> 00:02:56,360
Remembered passwords, a script that copies reports at midnight.
51
00:02:56,360 –> 00:02:57,800
Constraint appears.
52
00:02:57,800 –> 00:02:59,120
So does risk.
53
00:02:59,120 –> 00:03:02,920
This is proto-gravity, fragile, improvised.
54
00:03:02,920 –> 00:03:04,800
Then a domain arrives.
55
00:03:04,800 –> 00:03:06,400
Active Directory.
56
00:03:06,400 –> 00:03:08,280
Domain services is not a database.
57
00:03:08,280 –> 00:03:11,280
It is the mass that gives shape to the enterprise.
58
00:03:11,280 –> 00:03:12,800
We promote a server.
59
00:03:12,800 –> 00:03:14,600
It becomes a domain controller.
60
00:03:14,600 –> 00:03:17,720
At that moment, identity stops being provincial.
61
00:03:17,720 –> 00:03:20,120
It becomes interstellar.
62
00:03:20,120 –> 00:03:21,920
And stops being a handshake.
63
00:03:21,920 –> 00:03:23,760
It becomes a curve.
64
00:03:23,760 –> 00:03:26,280
Domain controllers do not simply respond.
65
00:03:26,280 –> 00:03:27,680
They define.
66
00:03:27,680 –> 00:03:31,720
They hold the schema, the replication topology, the naming context.
67
00:03:31,720 –> 00:03:34,720
FSMO roles emerge like spins and tides.
68
00:03:34,720 –> 00:03:37,320
The schema master governs evolution.
69
00:03:37,320 –> 00:03:40,440
The domain naming master approves new worlds.
70
00:03:40,440 –> 00:03:45,160
The RID master mints identities, ensuring no two stars share a name.
71
00:03:45,160 –> 00:03:50,040
The PDC emulator sets the clock, and therefore sets truth.
72
00:03:50,040 –> 00:03:52,760
Time drift is security drift.
73
00:03:52,760 –> 00:03:59,360
The infrastructure master maintains references, the quiet librarian of a growing galaxy.
74
00:03:59,360 –> 00:04:01,680
Move one carelessly and you change the tides.
75
00:04:01,680 –> 00:04:04,840
Lose one unknowingly and satellites begin to wobble.
76
00:04:04,840 –> 00:04:06,240
Member servers join the field.
77
00:04:06,240 –> 00:04:07,240
They are not peers.
78
00:04:07,240 –> 00:04:08,400
They are orbiters.
79
00:04:08,400 –> 00:04:11,080
They borrow authority from the core.
80
00:04:11,080 –> 00:04:16,440
Services resolve through DNS, which becomes the navigation system for everything alive.
81
00:04:16,440 –> 00:04:18,560
If DNS lies, everything follows.
82
00:04:18,560 –> 00:04:22,280
A poisoned map does not look dangerous until ships never arrive.
83
00:04:22,280 –> 00:04:28,700
In Windows, a misdirected SPN, a spoofed record, a stale glue entry, each is a fold in the
84
00:04:28,700 –> 00:04:33,040
chart, a way to bend the traveler toward a trap.
85
00:04:33,040 –> 00:04:36,840
Forests form when separate domains share a root of trust.
86
00:04:36,840 –> 00:04:41,240
Trees anchor under common schema and configuration.
87
00:04:41,240 –> 00:04:47,960
Forests are galaxies: vast, internally transitive, opinionated about consistency.
88
00:04:47,960 –> 00:04:50,920
Across them, trusts create shortcuts through space.
89
00:04:50,920 –> 00:04:54,040
Some are forest trusts, grand and transitive.
90
00:04:54,040 –> 00:04:56,520
Some are external, brittle and non-transitive.
91
00:04:56,520 –> 00:05:01,000
Some are shortcuts, built to appease latency and human patience.
92
00:05:01,000 –> 00:05:04,680
Each trust is a wormhole, stable when engineered with care.
93
00:05:04,680 –> 00:05:06,440
Chaotic when neglected.
94
00:05:06,440 –> 00:05:09,040
Every line of trust is a new gradient.
95
00:05:09,040 –> 00:05:11,240
Every gradient can be followed.
96
00:05:11,240 –> 00:05:14,280
Security does not fail with noise, it fails with inertia.
97
00:05:14,280 –> 00:05:17,160
We add a test trust for a merger that never closes.
98
00:05:17,160 –> 00:05:18,480
It remains.
99
00:05:18,480 –> 00:05:21,680
We create an external trust for a vendor integration.
100
00:05:21,680 –> 00:05:24,040
The vendor changes, the trust does not.
101
00:05:24,040 –> 00:05:26,240
The directory remembers everything.
102
00:05:26,240 –> 00:05:28,480
Attackers remember only what is useful.
103
00:05:28,480 –> 00:05:31,320
Group policy arrives as the laws of physics.
104
00:05:31,320 –> 00:05:33,040
Baselines define what is possible.
105
00:05:33,040 –> 00:05:34,320
Who can log on locally?
106
00:05:34,320 –> 00:05:37,960
Which protocols are allowed to speak? Whether signing is enforced.
107
00:05:37,960 –> 00:05:41,080
Whether passwords are bounded by entropy rather than tradition.
108
00:05:41,080 –> 00:05:44,560
When laws are miswritten, attackers do not argue.
109
00:05:44,560 –> 00:05:46,600
They obey with precision.
110
00:05:46,600 –> 00:05:51,000
A GPO that grants local admin to a temporary desktop support
111
00:05:51,000 –> 00:05:54,480
group outlives the person who created it.
112
00:05:54,480 –> 00:05:56,520
Gravity does not care about intent.
113
00:05:56,520 –> 00:05:58,280
Now, consider the roles again.
114
00:05:58,280 –> 00:06:00,200
Domain controllers are gravity wells.
115
00:06:00,200 –> 00:06:03,400
Their mass is credential validation, ticket issuance,
116
00:06:03,400 –> 00:06:05,280
directory integrity.
117
00:06:05,280 –> 00:06:09,120
Services orbit closer or farther based on privilege.
118
00:06:09,120 –> 00:06:11,640
A file server is a moon with resources.
119
00:06:11,640 –> 00:06:15,160
A print server is a satellite with side effects,
120
00:06:15,160 –> 00:06:19,000
often under-defended, often trusted, more than it should be.
121
00:06:19,000 –> 00:06:23,080
An application server with an SPN is a bright star.
122
00:06:23,080 –> 00:06:25,760
It emits service tickets and therefore draws attention.
123
00:06:25,760 –> 00:06:29,080
If that star is configured with unconstrained delegation,
124
00:06:29,080 –> 00:06:30,840
it becomes a furnace.
125
00:06:30,840 –> 00:06:35,520
Tickets gather, TGTs flow, heat invites collapse.
126
00:06:35,520 –> 00:06:38,360
Member workstations are dust in the lanes.
127
00:06:38,360 –> 00:06:41,560
They carry cached trust, tokens in memory,
128
00:06:41,560 –> 00:06:45,640
sessions that care about convenience more than conservation.
129
00:06:45,640 –> 00:06:48,240
The Local Security Authority holds the key ring.
130
00:06:48,240 –> 00:06:51,240
If left unshielded, it will share under pressure.
131
00:06:51,240 –> 00:06:54,160
Credential Guard and LSA protection are not features.
132
00:06:54,160 –> 00:06:56,000
They are radiation shields.
133
00:06:56,000 –> 00:06:58,760
We must name the shape so we can measure the drift.
134
00:06:58,760 –> 00:07:02,840
A forest can trust another forest.
135
00:07:02,840 –> 00:07:04,920
The wormhole is transitive.
136
00:07:04,920 –> 00:07:08,200
What is trusted inside one may leap across to the other.
137
00:07:08,200 –> 00:07:10,800
An external trust is a narrow tunnel.
138
00:07:10,800 –> 00:07:15,000
It does not grant transit beyond the farmhouse.
139
00:07:15,000 –> 00:07:20,200
Shortcut trusts are bridges built to cross the chasm of latency.
140
00:07:20,200 –> 00:07:23,200
They often become smugglers’ roads.
141
00:07:23,200 –> 00:07:25,240
And each trust has directionality.
142
00:07:25,240 –> 00:07:27,040
One way is a gate with a guard.
143
00:07:27,040 –> 00:07:29,360
Two way is a celebration that never ends.
144
00:07:29,360 –> 00:07:31,880
Most people think security begins at the core.
145
00:07:31,880 –> 00:07:32,720
But they are wrong.
146
00:07:32,720 –> 00:07:37,360
It begins at the edge where dust decides whether to gather.
147
00:07:37,360 –> 00:07:43,180
That creates policies, naming discipline, groups, scopes, and the humility to keep tiers
148
00:07:43,180 –> 00:07:44,340
small.
149
00:07:44,340 –> 00:07:46,880
These are acts of defiance against the unknown.
150
00:07:46,880 –> 00:07:49,680
We keep domain admin as myths, not as convenience.
151
00:07:49,680 –> 00:07:53,160
We keep service accounts bound by least privilege, not tradition.
152
00:07:53,160 –> 00:08:00,760
We keep the KRBTGT periodic reset as ritual, a calendared acknowledgement that secrets decay.
153
00:08:00,760 –> 00:08:02,240
Listen for the system’s whisper.
154
00:08:02,240 –> 00:08:05,080
A low chime when drift begins.
155
00:08:05,080 –> 00:08:08,920
A trusted domain goes offline and nobody notices.
156
00:08:08,920 –> 00:08:11,800
A bass pulse when identity bends.
157
00:08:11,800 –> 00:08:16,640
A service account added to Backup Operators just for a week.
158
00:08:16,640 –> 00:08:20,760
The map darkens, the gravity shifts, the next orbit begins.
159
00:08:20,760 –> 00:08:22,320
We anchor the picture.
160
00:08:22,320 –> 00:08:23,800
Workgroup dust.
161
00:08:23,800 –> 00:08:24,800
Domain ignition.
162
00:08:24,800 –> 00:08:26,280
Forest gravity.
163
00:08:26,280 –> 00:08:27,480
Trust wormholes.
164
00:08:27,480 –> 00:08:29,000
Group policy as physics.
165
00:08:29,000 –> 00:08:30,640
DNS is navigation.
166
00:08:30,640 –> 00:08:32,720
Domain controllers are singularities.
167
00:08:32,720 –> 00:08:35,200
Each decision adds mass or removes it.
168
00:08:35,200 –> 00:08:37,440
Each exception changes curvature.
169
00:08:37,440 –> 00:08:43,200
And when fabric lights them up on our horizon, we will see not chaos, but consequence.
170
00:08:43,200 –> 00:08:45,080
The universe still wants to be understood.
171
00:08:45,080 –> 00:08:46,800
Let us measure before we move.
172
00:08:46,800 –> 00:08:48,160
Let us map before we run.
173
00:08:48,160 –> 00:08:49,480
We have named the bodies.
174
00:08:49,480 –> 00:08:51,280
Now we chart the light.
175
00:08:51,280 –> 00:08:52,800
The critical services.
176
00:08:52,800 –> 00:08:54,120
Stars in the core.
177
00:08:54,120 –> 00:08:58,280
We descend toward the core and find the constants that define motion.
178
00:08:58,280 –> 00:09:02,240
DNS, DHCP, directory services, file and print, group policy.
179
00:09:02,240 –> 00:09:03,320
Each is not a feature.
180
00:09:03,320 –> 00:09:04,320
Each is a star.
181
00:09:04,320 –> 00:09:05,760
Their light sets the lanes.
182
00:09:05,760 –> 00:09:09,120
Their gravity decides what orbits and what falls.
183
00:09:09,120 –> 00:09:10,120
Start with DNS.
184
00:09:10,120 –> 00:09:11,320
It is not a phone book.
185
00:09:11,320 –> 00:09:12,920
It is navigation.
186
00:09:12,920 –> 00:09:14,560
Every Kerberos exchange.
187
00:09:14,560 –> 00:09:16,080
Every SMB path.
188
00:09:16,080 –> 00:09:20,320
Every policy retrieval begins by asking where reality lives.
189
00:09:20,320 –> 00:09:22,880
If DNS lies, everything follows.
190
00:09:22,880 –> 00:09:26,200
A poisoned record bends routes toward an attacker’s shore.
191
00:09:26,200 –> 00:09:32,640
A stale SPN mapping points a service ticket at the wrong host and silently sabotages trust.
192
00:09:32,640 –> 00:09:37,600
Split-brain zones with careless scavenging cause phantom hosts to remain.
193
00:09:37,600 –> 00:09:40,280
And clients continue to orbit ghosts.
194
00:09:40,280 –> 00:09:46,640
In this universe, a single TXT record used for a forgotten validation remains an unguarded
195
00:09:46,640 –> 00:09:47,720
beacon.
196
00:09:47,720 –> 00:09:53,400
And a wildcard thought harmless becomes a dark lens that distorts resolution.
197
00:09:53,400 –> 00:09:59,520
Treat it as if it were the map itself: signed zones, tight update permissions, scavenging with
198
00:09:59,520 –> 00:10:04,800
intention, and collectors that notice when a critical host's address changes outside a
199
00:10:04,800 –> 00:10:06,320
maintenance tide.
200
00:10:06,320 –> 00:10:08,680
DHCP is breath.
201
00:10:08,680 –> 00:10:10,480
Leases are pulses.
202
00:10:10,480 –> 00:10:14,960
When scope options drift, clients inherit a future they did not choose.
203
00:10:14,960 –> 00:10:18,680
A rogue DHCP server does not shout.
204
00:10:18,680 –> 00:10:24,040
It whispers a default gateway that leads away from inspection and toward ambush.
205
00:10:24,040 –> 00:10:27,040
Option 15 points them into a domain that is not theirs.
206
00:10:27,040 –> 00:10:31,280
Option 6 hands them a resolver that edits the sky.
207
00:10:31,280 –> 00:10:33,760
Reservations become identity anchors.
208
00:10:33,760 –> 00:10:38,440
Neglect turns them into fossils that attract confusion.
209
00:10:38,440 –> 00:10:40,240
The defense is choreography.
210
00:10:40,240 –> 00:10:47,200
DHCP snooping, authenticated updates bound to DNS with GSS-TSIG, scope hygiene that refuses
211
00:10:47,200 –> 00:10:52,160
convenience and a ledger that proves who promised the route.
212
00:10:52,160 –> 00:10:57,540
Active Directory Domain Services sits at the center: naming contexts, replication,
213
00:10:57,540 –> 00:10:59,480
the KDC’s heartbeat.
214
00:10:59,480 –> 00:11:00,800
It is mass.
215
00:11:00,800 –> 00:11:06,480
The KDC issues TGTs like stellar passports, then stamps service tickets that curve toward
216
00:11:06,480 –> 00:11:09,120
SPNs, but time has its own opinion.
217
00:11:09,120 –> 00:11:13,320
Stale KRBTGT secrets thicken the past into permanence.
218
00:11:13,320 –> 00:11:16,400
Replication topology ignored becomes split-brain reality.
219
00:11:16,400 –> 00:11:21,840
Lingering objects are debris that collide with truth when a tombstone threshold is crossed.
220
00:11:21,840 –> 00:11:23,760
We harden by ritual.
221
00:11:23,760 –> 00:11:27,200
Health checks that read replication as seismography.
222
00:11:27,200 –> 00:11:34,120
KRBTGT rotation as celestial mechanics, privileged access sealed to tier boundaries, and audits
223
00:11:34,120 –> 00:11:39,600
that verify the semantic layer, the groups, the rights, the delegations, reflect present
224
00:11:39,600 –> 00:11:42,480
intent, not ancestral habit.
225
00:11:42,480 –> 00:11:45,760
SMB and file servers are supply routes.
226
00:11:45,760 –> 00:11:51,440
They carry payloads, policies, tools, secrets disguised as convenience.
227
00:11:51,440 –> 00:11:58,240
A share labeled software becomes an uncurrated nebula where unsigned binaries drift next to
228
00:11:58,240 –> 00:12:01,560
installers that request elevation.
229
00:12:01,560 –> 00:12:04,040
Scripts accumulate like comets.
230
00:12:04,040 –> 00:12:09,360
Someone adds credentials for automation, and suddenly, gravity acquires a handle.
231
00:12:09,360 –> 00:12:13,000
SMB signing is not a checkbox, it is structural integrity.
232
00:12:13,000 –> 00:12:17,600
Without it, NTLM relays rewrite routes in flight.
233
00:12:17,600 –> 00:12:21,600
Access control lists are not bureaucracy, they are orbital fences.
234
00:12:21,600 –> 00:12:23,880
Least privilege is not minimalism.
235
00:12:23,880 –> 00:12:25,840
It is stable mechanics.
236
00:12:25,840 –> 00:12:26,840
Readers read.
237
00:12:26,840 –> 00:12:27,840
Writers write.
238
00:12:27,840 –> 00:12:29,440
Custodians curate.
239
00:12:29,440 –> 00:12:32,400
And no one combines roles without consequence.
240
00:12:32,400 –> 00:12:36,280
Print servers are the underestimated satellites with tidal influence.
241
00:12:36,280 –> 00:12:40,000
They sit near every workstation, trusted by necessity.
242
00:12:40,000 –> 00:12:42,760
Historically noisy, often patched last.
243
00:12:42,760 –> 00:12:47,400
They bridge user context and elevated service behavior.
244
00:12:47,400 –> 00:12:50,360
A spooler misconfigured becomes a relay mirror.
245
00:12:50,360 –> 00:12:56,040
A driver package signed in an age of lenience continues to install with ceremony.
246
00:12:56,040 –> 00:13:03,280
We contain by narrowing the blast cone, disable what is not required, isolate roles, force
247
00:13:03,280 –> 00:13:08,600
updates to occur within windows that are watched and treat printer administration as a tier
248
00:13:08,600 –> 00:13:11,360
one boundary, not an afterthought.
249
00:13:11,360 –> 00:13:12,560
Group policy is the law.
250
00:13:12,560 –> 00:13:16,000
It falls like gravity from the core to the edge.
251
00:13:16,000 –> 00:13:17,920
It is how we write the constants.
252
00:13:17,920 –> 00:13:23,880
Password length, Kerberos hardening, SMB signing, script execution, LSA protection, but
253
00:13:23,880 –> 00:13:25,240
law can be forged.
254
00:13:25,240 –> 00:13:30,080
Link order and inheritance are rivers that can be dammed or diverted.
255
00:13:30,080 –> 00:13:36,200
A single high precedence GPO created for a midnight rescue remains linked, overrides
256
00:13:36,200 –> 00:13:38,240
a baseline and weakens the hull.
257
00:13:38,240 –> 00:13:41,160
We defend by publishing constitution and court.
258
00:13:41,160 –> 00:13:48,560
A baseline set sealed, change control that requires signatures, WMI filters that are documented,
259
00:13:48,560 –> 00:13:54,840
and a drift detector that compares policy as defined versus policy as applied.
260
00:13:54,840 –> 00:13:57,000
The universe still wants to be understood.
261
00:13:57,000 –> 00:13:59,720
Group policy is the language we use to define it.
262
00:13:59,720 –> 00:14:04,800
Now connect them. DNS tells us where, DHCP tells us how to breathe, directory tells us who.
263
00:14:04,800 –> 00:14:06,560
SMB carries what.
264
00:14:06,560 –> 00:14:08,960
Print translates desire into matter.
265
00:14:08,960 –> 00:14:10,640
Group policy binds them with law.
266
00:14:10,640 –> 00:14:12,680
When one bends, the others accommodate.
267
00:14:12,680 –> 00:14:14,440
When two bend, the fabric ripples.
268
00:14:14,440 –> 00:14:16,560
When three bend, orbit decays.
269
00:14:16,560 –> 00:14:18,120
Listen for the signs.
270
00:14:18,120 –> 00:14:20,880
A low chime, when drift begins.
271
00:14:20,880 –> 00:14:26,360
A DNS record for a controller shifts outside change windows.
272
00:14:26,360 –> 00:14:29,040
A bass pulse when identity bends.
273
00:14:29,040 –> 00:14:35,560
A GPO link appears at the domain root with Authenticated Users granted Apply.
274
00:14:35,560 –> 00:14:40,760
Sysmon murmurs when a workstation reaches into LSASS with new intent.
275
00:14:40,760 –> 00:14:46,760
Event 4769 clusters when service tickets spike for a service that does not see new demand.
276
00:14:46,760 –> 00:14:48,760
The map darkens.
277
00:14:48,760 –> 00:14:51,120
Our response is not panic, it is physics.
278
00:14:51,120 –> 00:14:53,880
We sign, we segment, we baseline, we monitor.
279
00:14:53,880 –> 00:14:58,280
We accept that convenience is gravity and that every exception adds mass.
280
00:14:58,280 –> 00:15:00,320
We choose structure over folklore.
281
00:15:00,320 –> 00:15:04,360
We hold the constants so that everything else can move without falling.
282
00:15:04,360 –> 00:15:06,640
And the next orbit begins.
283
00:15:06,640 –> 00:15:09,280
Threat actors as astrophysicists.
284
00:15:09,280 –> 00:15:14,040
We speak of services and stars, but there are minds that study their motion and exploit
285
00:15:14,040 –> 00:15:15,520
their curves.
286
00:15:15,520 –> 00:15:18,000
Threat actors are not always loud invaders.
287
00:15:18,000 –> 00:15:20,640
They are often patient astronomers.
288
00:15:20,640 –> 00:15:22,800
They watch, they measure drift.
289
00:15:22,800 –> 00:15:25,080
They wait for gravity to do the work.
290
00:15:25,080 –> 00:15:27,200
At the edge are the opportunists.
291
00:15:27,200 –> 00:15:32,640
Script driven raiders who trawl the public sky for open ports and default configurations.
292
00:15:32,640 –> 00:15:34,040
They are comets.
293
00:15:34,040 –> 00:15:36,840
Bright, brief, destructive by inertia.
294
00:15:36,840 –> 00:15:39,400
They copy, paste, collide and leave debris.
295
00:15:39,400 –> 00:15:40,640
Their power is volume.
296
00:15:40,640 –> 00:15:42,160
Their weakness is noise.
297
00:15:42,160 –> 00:15:46,120
Baselines and sane defaults repel them like magnetic fields.
298
00:15:46,120 –> 00:15:49,720
Closer in are ransomware crews, the engineers of entropy.
299
00:15:49,720 –> 00:15:54,240
They hunt for a foothold, then convert identity into leverage.
300
00:15:54,240 –> 00:15:56,440
Living off the land is their method.
301
00:15:56,440 –> 00:15:58,080
PowerShell as solar wind.
302
00:15:58,080 –> 00:16:00,320
WMI as silent thrust.
303
00:16:00,320 –> 00:16:02,360
PS remoting as a glide path.
304
00:16:02,360 –> 00:16:08,600
They chart shares, harvest scripts, map local admin reuse and assemble the pass-the-
305
00:16:08,600 –> 00:16:12,120
hash constellation until movement becomes inevitable.
306
00:16:12,120 –> 00:16:16,960
They do not need zero-days when misconfiguration is constant gravity.
307
00:16:16,960 –> 00:16:23,000
Their signature is acceleration from a quiet credential to an orchestral shutdown.
308
00:16:23,000 –> 00:16:28,880
We counter not with theatrical defenses but with friction: LAPS rotation, SMB signing,
309
00:16:28,880 –> 00:16:34,040
local firewall rules that starve east-west traffic and privileged access that refuses
310
00:16:34,040 –> 00:16:36,200
to exist on workstations.
311
00:16:36,200 –> 00:16:38,080
Then there are the state-aligned operators.
312
00:16:38,080 –> 00:16:39,760
They are patient physicists.
313
00:16:39,760 –> 00:16:41,680
They do not prize destruction.
314
00:16:41,680 –> 00:16:43,320
They prize persistence.
315
00:16:43,320 –> 00:16:49,640
They catalog trusts, name constraints and study Kerberos delegation like orbital mechanics.
316
00:16:49,640 –> 00:16:57,040
A stale KRBTGT is not merely a weakness, it is time frozen into fuel.
317
00:16:57,040 –> 00:17:02,320
An unconstrained delegation service is not simply misconfigured, it is a gravitational
318
00:17:02,320 –> 00:17:03,640
slingshot.
319
00:17:03,640 –> 00:17:07,760
They move slowly, often under the event horizon of routine.
320
00:17:07,760 –> 00:17:09,720
Their art is ambiguity.
321
00:17:09,720 –> 00:17:14,640
Normal process chains, plausible service queries, innocent tickets.
322
00:17:14,640 –> 00:17:20,640
One must therefore be relational, not singular: correlation across accounts, services and
323
00:17:20,640 –> 00:17:24,320
hours, looking for curvature that cannot be faked.
324
00:17:24,320 –> 00:17:28,200
Inside our own galaxies, we find internal red teams.
325
00:17:28,200 –> 00:17:33,160
They are friendly constellations engineered to stress our laws without tearing them.
326
00:17:33,160 –> 00:17:38,240
They pressure test the hull, they whisper truths, the universe already knows.
327
00:17:38,240 –> 00:17:44,080
Local privilege escalation remains common when services run with lax permissions.
328
00:17:44,080 –> 00:17:48,160
Backup Operators can mint power if left unguarded.
329
00:17:48,160 –> 00:17:53,800
Printers and management servers are too often satellites with hidden tidal pull.
330
00:17:53,800 –> 00:17:57,160
When they find a path to domain admin they hold up a mirror.
331
00:17:57,160 –> 00:18:00,880
The reflection is not flattery, it is governance.
332
00:18:00,880 –> 00:18:02,520
Insiders are the dark matter.
333
00:18:02,520 –> 00:18:05,640
Not always malicious, often careless, sometimes hurried.
334
00:18:05,640 –> 00:18:07,480
A saved password in a script.
335
00:18:07,480 –> 00:18:10,520
A temporary GPO link left at the root.
336
00:18:10,520 –> 00:18:15,520
A service account created with domain admin because the change window was closing.
337
00:18:15,520 –> 00:18:19,040
Their fingerprints are everywhere because their intentions were practical.
338
00:18:19,040 –> 00:18:21,680
We must govern intention.
339
00:18:21,680 –> 00:18:24,320
Least privilege is not a moral demand.
340
00:18:24,320 –> 00:18:26,240
It is physics.
341
00:18:26,240 –> 00:18:29,280
Consequences scale down so collapse remains improbable.
342
00:18:29,280 –> 00:18:30,920
Tools are not villains.
343
00:18:30,920 –> 00:18:32,400
PowerShell is a spectrum.
344
00:18:32,400 –> 00:18:33,400
WMI is a bus.
345
00:18:33,400 –> 00:18:34,400
PsExec is a courier.
346
00:18:34,400 –> 00:18:35,920
They are neutral particles.
347
00:18:35,920 –> 00:18:39,480
Our task is to read their behavior in context.
348
00:18:39,480 –> 00:18:44,880
A burst of remote service creation across subnets at midnight is not an accident.
349
00:18:44,880 –> 00:18:51,280
An unusual Kerberos service ticket requested for a high value SPN by an account that never
350
00:18:51,280 –> 00:18:54,000
touched it before is not curiosity.
351
00:18:54,000 –> 00:18:56,920
Event relationships form constellations.
352
00:18:56,920 –> 00:18:59,200
We read them as astronomers, not romantics.
353
00:18:59,200 –> 00:19:00,920
Dwell time is time dilation.
354
00:19:00,920 –> 00:19:05,440
The longer an intruder orbits without detection, the more their influence normalizes.
355
00:19:05,440 –> 00:19:08,440
What once felt like an anomaly begins to look like tide.
356
00:19:08,440 –> 00:19:09,440
This is drift.
357
00:19:09,440 –> 00:19:12,040
This is why baselines cannot be aspirational.
358
00:19:12,040 –> 00:19:13,360
They must be measured.
359
00:19:13,360 –> 00:19:15,600
We enforce Kerberos hardening.
360
00:19:15,600 –> 00:19:17,480
Retire NTLMv1.
361
00:19:17,480 –> 00:19:19,400
Enforce channel binding.
362
00:19:19,400 –> 00:19:23,000
Protect LSASS and seal tiers with ritual.
363
00:19:23,000 –> 00:19:25,120
The law must be gravity, not suggestion.
364
00:19:25,120 –> 00:19:26,800
And now the lab echoes begin.
365
00:19:26,800 –> 00:19:29,240
The system whispers when hands move.
366
00:19:29,240 –> 00:19:30,320
Low chime.
367
00:19:30,320 –> 00:19:31,640
Windows Security.
368
00:19:31,640 –> 00:19:35,320
4769 clusters for a service that did not change.
369
00:19:35,320 –> 00:19:37,880
A curve forms.
370
00:19:37,880 –> 00:19:39,400
Bass pulse.
371
00:19:39,400 –> 00:19:40,880
Sysmon Event 10.
372
00:19:40,880 –> 00:19:44,880
A process reaches for LSASS with unusual intent.
373
00:19:44,880 –> 00:19:45,880
Soft tick.
374
00:19:45,880 –> 00:19:49,240
A GPO link appears where no change was scheduled.
375
00:19:49,240 –> 00:19:50,240
We listen.
376
00:19:50,240 –> 00:19:51,240
We name the force.
377
00:19:51,240 –> 00:19:52,240
We correct the orbit.
378
00:19:52,240 –> 00:19:55,440
To exploit a universe, you do not start at the core.
379
00:19:55,440 –> 00:19:57,880
You start by mapping the stars.
380
00:19:57,880 –> 00:19:59,720
Mapping the constellations.
381
00:19:59,720 –> 00:20:02,800
We narrow our eyes and let the light reach us.
382
00:20:02,800 –> 00:20:04,760
Reconnaissance is not noise.
383
00:20:04,760 –> 00:20:05,760
It is astronomy.
384
00:20:05,760 –> 00:20:07,240
We do not pound on doors.
385
00:20:07,240 –> 00:20:08,240
We read the sky.
386
00:20:08,240 –> 00:20:11,560
To begin with distant light, open ports as spectral lines.
387
00:20:11,560 –> 00:20:16,960
53, 88, 135, 139, 389, 445, 5985, 3389.
388
00:20:16,960 –> 00:20:18,680
Each reveals composition.
389
00:20:18,680 –> 00:20:19,760
DNS speaks first.
390
00:20:19,760 –> 00:20:21,440
Kerberos answers in mathematics.
391
00:20:21,440 –> 00:20:23,480
SMB hums with cargo.
392
00:20:23,480 –> 00:20:25,040
Banner hints become roles.
393
00:20:25,040 –> 00:20:27,480
Timing becomes topology.
394
00:20:27,480 –> 00:20:29,160
The map is not a picture.
395
00:20:29,160 –> 00:20:31,560
It is a probability field.
396
00:20:31,560 –> 00:20:34,280
Then we read the star charts, the directory.
397
00:20:34,280 –> 00:20:38,080
We ask careful questions with LDP and PowerShell,
398
00:20:38,080 –> 00:20:38,920
who are we?
399
00:20:38,920 –> 00:20:40,040
Which groups claim us?
400
00:20:40,040 –> 00:20:41,800
Which SPNs beckon with service?
401
00:20:41,800 –> 00:20:44,200
Which service accounts stand too tall?
402
00:20:44,200 –> 00:20:45,560
We trace edges.
403
00:20:45,560 –> 00:20:48,840
Users to groups, groups to rights, rights to sessions,
404
00:20:48,840 –> 00:20:50,680
sessions to hosts.
405
00:20:50,680 –> 00:20:53,640
A single low-privileged account becomes a beacon.
406
00:20:53,640 –> 00:20:56,360
The graph unfurls into paths.
407
00:20:56,360 –> 00:20:57,200
We do not push.
408
00:20:57,200 –> 00:21:00,360
We let gravity show the routes already carved by habit.
409
00:21:00,360 –> 00:21:02,520
Defense speaks in boundaries.
410
00:21:02,520 –> 00:21:06,600
East-west segmentation dims needless horizons.
411
00:21:06,600 –> 00:21:09,400
RDP gates narrow approach vectors.
412
00:21:09,400 –> 00:21:12,280
Admin contexts separate into tiers
413
00:21:12,280 –> 00:21:15,000
so that noise at the edge never shakes the core.
414
00:21:15,000 –> 00:21:17,040
Least privilege reduces mass.
415
00:21:17,040 –> 00:21:19,600
Cleaning dead accounts removes debris.
416
00:21:19,600 –> 00:21:22,160
Drift detectors watch for new edges forming
417
00:21:22,160 –> 00:21:24,040
where none should exist.
418
00:21:24,040 –> 00:21:27,320
The lab echoes guide rhythm, low chime.
419
00:21:27,320 –> 00:21:29,680
Directory answers a query.
420
00:21:29,680 –> 00:21:32,360
A group we forgot still grants rights.
421
00:21:32,360 –> 00:21:37,240
Base pulse, a spike in 4769 flows to a neglected SPN.
422
00:21:37,240 –> 00:21:40,600
Soft tick, a BloodHound-style path count rises,
423
00:21:40,600 –> 00:21:43,040
edges multiply, risk condenses.
424
00:21:43,040 –> 00:21:44,240
We will map.
425
00:21:44,240 –> 00:21:46,760
And when the map darkens, we will know where to land
426
00:21:46,760 –> 00:21:50,000
softly and where to refuse gravity.
427
00:21:50,000 –> 00:21:52,560
Light from distant hosts, network mapping.
428
00:21:52,560 –> 00:21:53,840
We begin at a distance.
429
00:21:53,840 –> 00:21:55,200
We let photons arrive.
430
00:21:55,200 –> 00:21:56,760
We do not announce ourselves.
431
00:21:56,760 –> 00:21:58,080
We measure.
432
00:21:58,080 –> 00:22:00,160
A quiet sweep across the horizon
433
00:22:00,160 –> 00:22:06,360
reveals spectral lines, ports as elements, latency as distance,
434
00:22:06,360 –> 00:22:08,160
banners as temperature.
435
00:22:08,160 –> 00:22:17,520
53, 88, 135, 139, 389, 445, 5985, 3389.
436
00:22:17,520 –> 00:22:21,720
Each emission tells us what burns beneath the surface.
437
00:22:21,720 –> 00:22:23,720
DNS answers like a lighthouse.
438
00:22:23,720 –> 00:22:26,360
Kerberos replies in pure mathematics.
439
00:22:26,360 –> 00:22:28,400
RPC flickers with orchestration.
440
00:22:28,400 –> 00:22:30,280
SMB hums with cargo traffic.
441
00:22:30,280 –> 00:22:32,360
WinRM exhales management heat.
442
00:22:32,360 –> 00:22:34,160
RDP glows in the visible band.
443
00:22:34,160 –> 00:22:36,400
Most people think port scans are noise.
444
00:22:36,400 –> 00:22:37,320
But they are wrong.
445
00:22:37,320 –> 00:22:39,480
A disciplined map is seismography.
446
00:22:39,480 –> 00:22:42,760
We sample slowly to avoid disturbing the crust.
447
00:22:42,760 –> 00:22:46,000
A handful of packets per second, randomize timing,
448
00:22:46,000 –> 00:22:48,840
varied source ports to avoid resonance.
449
00:22:48,840 –> 00:22:53,160
We read responses like star charts, open, closed, filtered.
450
00:22:53,160 –> 00:22:54,880
The pattern sketches coastline.
451
00:22:54,880 –> 00:22:57,640
The coastline reveals where gravity concentrates.
452
00:22:57,640 –> 00:23:01,120
DNS first, because navigation precedes motion.
453
00:23:01,120 –> 00:23:03,000
A real resolver answers consistently
454
00:23:03,000 –> 00:23:05,880
with authoritative edges and sane TTLs.
455
00:23:05,880 –> 00:23:10,040
A poisoned one hesitates, leaks recursion it should not,
456
00:23:10,040 –> 00:23:12,960
or advertises split reality without symmetry.
457
00:23:12,960 –> 00:23:16,480
We ask for SRV records and watch which domain controllers
458
00:23:16,480 –> 00:23:18,000
step into the light.
459
00:23:18,000 –> 00:23:21,560
Their responses show site topology hidden inside service
460
00:23:21,560 –> 00:23:22,720
announcements.
461
00:23:22,720 –> 00:23:25,040
Anomalies mean either drift or deception.
462
00:23:25,040 –> 00:23:26,280
Either one is curvature.
463
00:23:26,280 –> 00:23:29,280
Kerberos on 88 is not merely open or closed.
464
00:23:29,280 –> 00:23:31,960
Its timing spreads like a Doppler shift.
465
00:23:31,960 –> 00:23:35,720
In healthy space, a KDC replies with steady cadence.
466
00:23:35,720 –> 00:23:39,480
Under strain or misplacement, replies lengthen at the edges.
467
00:23:39,480 –> 00:23:41,960
As if light climbing out of gravity,
468
00:23:41,960 –> 00:23:45,440
we request preauthentication for harmless principals.
469
00:23:45,440 –> 00:23:47,120
We do not break, we listen.
470
00:23:47,120 –> 00:23:49,760
If a response comes from an unexpected host,
471
00:23:49,760 –> 00:23:53,440
a trust wormhole, maybe closer than it appears.
472
00:23:53,440 –> 00:23:57,920
LDAP on 389 and 636 is the living directory surface.
473
00:23:57,920 –> 00:23:59,560
We do not enumerate yet.
474
00:23:59,560 –> 00:24:01,240
We test behavior.
475
00:24:01,240 –> 00:24:04,080
StartTLS capability announced but never honored
476
00:24:04,080 –> 00:24:05,920
indicates misaligned law.
477
00:24:05,920 –> 00:24:08,520
Anonymous binds disabled is a good sign.
478
00:24:08,520 –> 00:24:13,920
But if a device answers LDAP that is not a domain controller,
479
00:24:13,920 –> 00:24:17,320
we have found a proxy moon that bends queries out of sight.
480
00:24:17,320 –> 00:24:19,160
That is a path an attacker will prefer.
481
00:24:19,160 –> 00:24:20,920
That is a path we must name.
482
00:24:20,920 –> 00:24:23,240
SMB on 445 is a supply artery.
483
00:24:23,240 –> 00:24:25,240
The handshake speaks its own dialect.
484
00:24:25,240 –> 00:24:27,200
Does it promise signing or shrug?
485
00:24:27,200 –> 00:24:29,800
Does it support dialects that should be fossils?
486
00:24:29,800 –> 00:24:32,560
Does NTLM whisper when Kerberos should sing?
487
00:24:32,560 –> 00:24:34,040
We read negotiation.
488
00:24:34,040 –> 00:24:35,480
We infer policy.
489
00:24:35,480 –> 00:24:40,280
And if we witness the print spooler's reflex on 445 or 135,
490
00:24:40,280 –> 00:24:42,680
RPC calls that should be quiet,
491
00:24:42,680 –> 00:24:45,240
we mark it as tidal influence that can be abused
492
00:24:45,240 –> 00:24:46,840
if left near the core.
493
00:24:46,840 –> 00:24:52,040
WinRM on 5985 and 5986 is administration’s breath.
494
00:24:52,040 –> 00:24:56,240
If it answers broadly across subnets, identity can drift quickly.
495
00:24:56,240 –> 00:24:59,240
If it is bound tightly to a management enclave,
496
00:24:59,240 –> 00:25:02,360
movement will be slower, more deliberate.
497
00:25:02,360 –> 00:25:06,000
The header identifies the host’s opinion of itself,
498
00:25:06,000 –> 00:25:09,000
product versions, cipher preferences,
499
00:25:09,000 –> 00:25:13,040
the signatures of time, a cluster reveals standard images.
500
00:25:13,040 –> 00:25:17,080
Outliers betray ad hoc machines that do not share gravity.
501
00:25:17,080 –> 00:25:21,120
RDP on 3389's lens, network level authentication,
502
00:25:21,120 –> 00:25:24,520
is the glass that refuses casual fingerprints.
503
00:25:24,520 –> 00:25:27,160
Without NLA, the surface accepts touches
504
00:25:27,160 –> 00:25:29,200
from anything that finds it.
505
00:25:29,200 –> 00:25:31,640
We observe the security layer chosen,
506
00:25:31,640 –> 00:25:35,480
the certificate offered, the presence of restricted admin.
507
00:25:35,480 –> 00:25:40,520
When RDP blooms across servers that should never be touched directly,
508
00:25:40,520 –> 00:25:43,440
we know convenience has replaced law.
509
00:25:43,440 –> 00:25:45,280
Lab echo, low chime.
510
00:25:45,280 –> 00:25:48,960
Spectrum sweep complete, 1,942 hosts responded.
511
00:25:48,960 –> 00:25:53,160
Port clusters align with 3 subnets, 445 open on 71%,
512
00:25:53,160 –> 00:25:57,320
5985 open on 18%, outliers detected.
513
00:25:57,320 –> 00:26:00,400
Now defense speaks because maps demand boundaries.
514
00:26:00,400 –> 00:26:03,040
We segment east-west, not as art,
515
00:26:03,040 –> 00:26:05,880
but as physics, gravity wells in their own subnets
516
00:26:05,880 –> 00:26:09,120
with firewalls that understand identity.
517
00:26:09,120 –> 00:26:12,080
Domain controllers speak only the protocols they must.
518
00:26:12,080 –> 00:26:15,600
File servers do not accept WinRM from workstations.
519
00:26:15,600 –> 00:26:18,240
Management traffic rides corridors with gates
520
00:26:18,240 –> 00:26:20,320
that lock every crossing.
521
00:26:20,320 –> 00:26:24,160
RDP tunnels through bastions that apply multifactor as atmosphere.
522
00:26:24,160 –> 00:26:25,920
We reduce reflexes.
523
00:26:25,920 –> 00:26:31,000
SMB signing enforced, so relays cannot rewrite routes mid-flight.
524
00:26:31,000 –> 00:26:34,800
NTLMv1 retired, LM forgotten, channel binding asserted,
525
00:26:34,800 –> 00:26:37,560
so tokens cannot be stolen and worn elsewhere.
526
00:26:37,560 –> 00:26:41,480
Local administrator reuse starved by password uniqueness,
527
00:26:41,480 –> 00:26:45,520
rotation as heartbeat, LAPS as the metronome.
528
00:26:45,520 –> 00:26:47,840
Service accounts lose their sprawl.
529
00:26:47,840 –> 00:26:52,360
They gain least privilege orbits with constrained permissions.
530
00:26:52,360 –> 00:26:57,680
We sample again, slower still. The map stabilizes, banners align,
531
00:26:57,680 –> 00:27:02,480
timing narrows, outliers remain, they always do.
532
00:27:02,480 –> 00:27:05,240
Those outliers become our next coordinates.
533
00:27:05,240 –> 00:27:08,960
Base pulse, Kerberos timing spike, two responders
534
00:27:08,960 –> 00:27:13,760
lag behind site norms, possible mis-sited controllers.
535
00:27:13,760 –> 00:27:17,760
Soft tick, RDP without NLA on a management subnet.
536
00:27:17,760 –> 00:27:21,840
Certificate expired, gravity slackening.
537
00:27:21,840 –> 00:27:23,480
We annotate the chart.
538
00:27:23,480 –> 00:27:25,240
We do not rush the core.
539
00:27:25,240 –> 00:27:28,880
We respect the speed of light because everything that follows,
540
00:27:28,880 –> 00:27:34,480
enumeration, privilege, theft or defense depends on this honesty.
541
00:27:34,480 –> 00:27:38,120
The sky tells the truth if we are patient. We are patient.
542
00:27:38,120 –> 00:27:42,800
Reading the star charts, AD enumeration, we turn from distant light
543
00:27:42,800 –> 00:27:44,080
to the atlas itself.
544
00:27:44,080 –> 00:27:47,000
The directory is not a list, it is a field.
545
00:27:47,000 –> 00:27:51,480
We ask questions softly, we listen for shape, we begin with identity.
546
00:27:51,480 –> 00:27:52,720
Who are we?
547
00:27:52,720 –> 00:27:55,800
The bind is a handshake with gravity.
548
00:27:55,800 –> 00:27:58,760
A simple query returns our user object.
549
00:27:58,760 –> 00:28:04,080
Its SID the stellar coordinate, its UPN the constellation name.
550
00:28:04,080 –> 00:28:06,720
Group memberships follow like orbital rings.
551
00:28:06,720 –> 00:28:09,640
Global, domain local, universal.
552
00:28:09,640 –> 00:28:11,560
Scope is not cosmetic.
553
00:28:11,560 –> 00:28:15,960
Scope defines how mass transfers across borders.
554
00:28:15,960 –> 00:28:19,920
A universal group carries influence across forest space.
555
00:28:19,920 –> 00:28:23,520
A domain local group concentrates power near a resource.
556
00:28:23,520 –> 00:28:25,920
We record each ring without judgment.
557
00:28:25,920 –> 00:28:27,600
Influence is cumulative.
558
00:28:27,600 –> 00:28:29,800
Paths form where rings overlap.
559
00:28:29,800 –> 00:28:30,600
We widen.
560
00:28:30,600 –> 00:28:33,200
What rights do those rings imply?
561
00:28:33,200 –> 00:28:35,120
Read on this share, write on that OU.
562
00:28:35,120 –> 00:28:36,920
Log on locally here, but not there.
563
00:28:36,920 –> 00:28:38,120
Rights are vectors.
564
00:28:38,120 –> 00:28:39,720
We map them as edges.
565
00:28:39,720 –> 00:28:42,240
Group to permission, permission to target.
566
00:28:42,240 –> 00:28:44,400
A printer operator on a quiet server
567
00:28:44,400 –> 00:28:47,960
might imply service management rights that, chained carefully,
568
00:28:47,960 –> 00:28:49,880
become local administrator elsewhere.
569
00:28:49,880 –> 00:28:50,960
We do not assume.
570
00:28:50,960 –> 00:28:51,880
We verify.
571
00:28:51,880 –> 00:28:54,520
Access paths are physics, not folklore.
572
00:28:54,520 –> 00:28:57,480
Service principal names appear like bright stars.
573
00:28:57,480 –> 00:29:02,200
HTTP finance, MSSQL server 42, CIFS files do too.
574
00:29:02,200 –> 00:29:05,280
Each SPN indicates a ticket can be minted for a service.
575
00:29:05,280 –> 00:29:08,200
And therefore, that credentials might be requested, cached,
576
00:29:08,200 –> 00:29:09,640
or mishandled.
577
00:29:09,640 –> 00:29:13,120
Overprivileged service accounts burn too hot.
578
00:29:13,120 –> 00:29:17,760
If they hold domain admin or write access to sensitive OUs,
579
00:29:17,760 –> 00:29:20,560
their light distorts the map.
580
00:29:20,560 –> 00:29:24,360
We note service accounts that are trusted to delegate.
581
00:29:24,360 –> 00:29:27,760
Unconstrained delegation is a furnace.
582
00:29:27,760 –> 00:29:31,560
Constrained delegation is a lens with rules.
583
00:29:31,560 –> 00:29:34,360
Resource-based constrained delegation
584
00:29:34,360 –> 00:29:36,600
is a mirror turned inward.
585
00:29:36,600 –> 00:29:38,440
Each changes curvature.
586
00:29:38,440 –> 00:29:40,680
Each demands measurement.
587
00:29:40,680 –> 00:29:45,400
We ask for administrators, but not just the domain admins group.
588
00:29:45,400 –> 00:29:49,560
We follow the lineage, nested groups, built-ins, anomalies,
589
00:29:49,560 –> 00:29:53,280
who holds SeDebugPrivilege on critical servers by GPO,
590
00:29:53,280 –> 00:29:56,000
who sits in backup operators, a quiet orbit
591
00:29:56,000 –> 00:30:00,380
with tidal power over secrets, who owns the KRBTGT rotation
592
00:30:00,380 –> 00:30:00,720
ritual.
593
00:30:00,720 –> 00:30:03,440
Authority often disguises itself as maintenance.
594
00:30:03,440 –> 00:30:04,960
We surface it.
595
00:30:04,960 –> 00:30:08,360
We read the OU structure like tectonic plates.
596
00:30:08,360 –> 00:30:11,240
Tiered boundaries should appear as separate continents.
597
00:30:11,240 –> 00:30:13,920
Workstations grouped apart from servers.
598
00:30:13,920 –> 00:30:15,800
DCs isolated.
599
00:30:15,800 –> 00:30:20,040
If we find a single GPO linked high that grants broad rights
600
00:30:20,040 –> 00:30:23,120
to authenticated users, the law is compromised.
601
00:30:23,120 –> 00:30:26,200
We note empty OUs with lingering links,
602
00:30:26,200 –> 00:30:28,800
the tombstones of projects, drift accumulates
603
00:30:28,800 –> 00:30:30,240
in the spaces nobody visits.
604
00:30:30,240 –> 00:30:32,640
We sample password hygiene without guessing.
605
00:30:32,640 –> 00:30:34,720
Age distributions tell a story.
606
00:30:34,720 –> 00:30:38,000
A cluster of accounts with non-expiring passwords
607
00:30:38,000 –> 00:30:42,800
forms a cold cloud, service principals, vendors, ghosts.
608
00:30:42,800 –> 00:30:44,880
Fine-grained password policies reveal
609
00:30:44,880 –> 00:30:48,680
where entropy improves and where tradition refuses.
610
00:30:48,680 –> 00:30:52,320
If privileged users are not bound by stricter policies,
611
00:30:52,320 –> 00:30:54,440
gravity is misallocated.
612
00:30:54,440 –> 00:30:56,760
We inspect trust objects.
613
00:30:56,760 –> 00:31:01,320
External, forest, shortcut, directionality matters.
614
00:31:01,320 –> 00:31:05,600
Selective authentication should be the gate in two-way trusts.
615
00:31:05,600 –> 00:31:09,800
Authenticated users should not pass without scrutiny.
616
00:31:09,800 –> 00:31:12,560
SID filtering disabled is a rupture
617
00:31:12,560 –> 00:31:15,880
allowing forged history to cross the wormhole.
618
00:31:15,880 –> 00:31:19,800
If any trust predates the last era of governance reviews,
619
00:31:19,800 –> 00:31:22,560
we mark it as an at-risk tunnel.
620
00:31:22,560 –> 00:31:25,920
We do not enumerate to collect, we enumerate to model.
621
00:31:25,920 –> 00:31:28,880
The graph takes form, users to groups,
622
00:31:28,880 –> 00:31:33,920
groups to rights, rights to sessions, sessions to hosts.
623
00:31:33,920 –> 00:31:37,800
We add session data where we can, who is logged on where?
624
00:31:37,800 –> 00:31:40,880
Which admin has a habit of opening management tools
625
00:31:40,880 –> 00:31:42,320
from a workstation at lunch?
626
00:31:42,320 –> 00:31:43,800
Habit is gravity’s accomplice.
627
00:31:43,800 –> 00:31:46,520
A single high-value identity appearing
628
00:31:46,520 –> 00:31:50,680
on a low-trust host is a mass transfer event.
629
00:31:50,680 –> 00:31:53,560
We mark it with a base pulse in our minds.
630
00:31:53,560 –> 00:31:56,120
Lab echo, low chime.
631
00:31:56,120 –> 00:32:03,520
Directory responded 4,312 users, 6,981 computers,
632
00:32:03,520 –> 00:32:08,560
1,204 groups, universal groups
633
00:32:08,560 –> 00:32:13,520
37, non-expiring passwords, 112.
634
00:32:13,520 –> 00:32:16,480
We pivot to detection in the same breath.
635
00:32:16,480 –> 00:32:18,800
Enumeration should be symmetric.
636
00:32:18,800 –> 00:32:22,880
What an attacker can see, a defender must precompute:
637
00:32:22,880 –> 00:32:26,000
maintain a living map of privileged paths,
638
00:32:26,000 –> 00:32:29,040
prune groups that inherited power by accident,
639
00:32:29,040 –> 00:32:33,200
retire unused SPNs, reduce delegation to necessity,
640
00:32:33,200 –> 00:32:36,400
enforce protected users for the identities that cannot fail.
641
00:32:36,400 –> 00:32:39,040
If you cannot remove NTLM entirely,
642
00:32:39,040 –> 00:32:42,240
at least ensure SMB signing and channel binding
643
00:32:42,240 –> 00:32:44,160
so the fossil cannot be weaponized.
644
00:32:44,160 –> 00:32:46,680
We set alerts on curvature, not noise,
645
00:32:46,680 –> 00:32:50,400
unusual TGS patterns for sensitive SPNs,
646
00:32:50,400 –> 00:32:54,080
event 4769 spikes outside maintenance windows,
647
00:32:54,080 –> 00:32:58,320
new admin group memberships, event 4728 and 4732
648
00:32:58,320 –> 00:33:00,160
when no CAB meets.
649
00:33:00,160 –> 00:33:03,840
Directory replication access, event 4662
650
00:33:03,840 –> 00:33:06,400
with DS-Replication-Get-Changes
651
00:33:06,400 –> 00:33:09,120
when only backup service accounts should breathe there.
652
00:33:09,120 –> 00:33:12,640
Sysmon murmurs when a process reaches for LSASS.
653
00:33:12,640 –> 00:33:14,640
Event 10 with intent.
654
00:33:14,640 –> 00:33:16,240
We do not wait for collapse.
655
00:33:16,240 –> 00:33:17,920
We listen for precession.
656
00:33:17,920 –> 00:33:19,920
We close the atlas with humility.
657
00:33:19,920 –> 00:33:22,320
The directory told us where it bends.
658
00:33:22,320 –> 00:33:25,120
Our task is to remove mass where we can,
659
00:33:25,120 –> 00:33:27,040
add fences where we must,
660
00:33:27,040 –> 00:33:30,080
and instrument the sky so drift becomes sound.
661
00:33:30,080 –> 00:33:33,360
Base pulse, the next orbit begins.
662
00:33:33,360 –> 00:33:35,680
Scripted segment, you walk the graph,
663
00:33:35,680 –> 00:33:37,760
you begin with a dim credential,
664
00:33:37,760 –> 00:33:40,000
a regular user, no symbols of power,
665
00:33:40,000 –> 00:33:42,000
a single SID, adrift.
666
00:33:42,000 –> 00:33:44,560
You ask softly, who am I?
667
00:33:44,560 –> 00:33:47,280
The directory replies with minimal mass,
668
00:33:47,280 –> 00:33:49,280
one user object, a primary group,
669
00:33:49,280 –> 00:33:52,080
a few nested rings, home folder, mailbox,
670
00:33:52,080 –> 00:33:54,560
nothing that glows, the silence feels safe,
671
00:33:54,560 –> 00:33:56,480
but time has its own opinion.
672
00:33:56,480 –> 00:34:00,560
You widen the lens, who trusts the groups that trust me?
673
00:34:00,560 –> 00:34:03,840
Edges form, a departmental group appears,
674
00:34:03,840 –> 00:34:07,360
granted read on a file share where scripts accumulate.
675
00:34:07,360 –> 00:34:12,320
A quiet comet labeled deploy holds a plain text credential
676
00:34:12,320 –> 00:34:14,800
meant to speed a midnight fix.
677
00:34:14,800 –> 00:34:17,440
The credential belongs to a service account,
678
00:34:17,440 –> 00:34:19,840
low chime, directory speaks,
679
00:34:19,840 –> 00:34:22,960
service account, interactive logon permitted,
680
00:34:22,960 –> 00:34:28,560
logon service, MGMT02 APP07.
681
00:34:28,560 –> 00:34:30,240
The gravity sharpens,
682
00:34:30,240 –> 00:34:33,280
that service account carries local administrator
683
00:34:33,280 –> 00:34:35,120
on three neighboring hosts.
684
00:34:35,120 –> 00:34:38,400
Convenience enacted during a crisis never revoked.
685
00:34:38,400 –> 00:34:42,000
You step onto MGMT02, not by force,
686
00:34:42,000 –> 00:34:45,360
but by invitation already written into ACLs.
687
00:34:45,360 –> 00:34:47,200
On its service sessions glitter,
688
00:34:47,200 –> 00:34:49,360
one belongs to a backup operator
689
00:34:49,360 –> 00:34:52,160
who once ran a restore and kept the habit.
690
00:34:53,120 –> 00:34:56,800
Base pulse, Sysmon whispers, event 10,
691
00:34:56,800 –> 00:35:01,200
process seeking LSASS, handle denied by policy.
692
00:35:01,200 –> 00:35:04,080
The shield holds today, but the pattern is visible.
693
00:35:04,080 –> 00:35:06,960
You do not smash, you listen.
694
00:35:06,960 –> 00:35:09,920
You follow the orbit labeled backup operators.
695
00:35:09,920 –> 00:35:17,360
In Windows, that orbit tides secrets.
696
00:35:17,360 –> 00:35:21,600
It can load drivers, read volumes,
697
00:35:22,240 –> 00:35:25,200
copy the registry hives that remember.
698
00:35:25,200 –> 00:35:28,000
A short path appears, backup operator
699
00:35:28,000 –> 00:35:31,520
to registry to cached secrets to lateral movement
700
00:35:31,520 –> 00:35:33,280
under the guise of maintenance.
701
00:35:33,280 –> 00:35:35,440
The universe suggests you confirm.
702
00:35:35,440 –> 00:35:37,600
You trace SPNs like bright stars,
703
00:35:37,600 –> 00:35:42,720
MSSQL Ledger01, CIFS Sharecore,
704
00:35:42,720 –> 00:35:44,800
HTTP Finance.
705
00:35:44,800 –> 00:35:48,000
Tickets are passports, requests leave trails,
706
00:35:48,000 –> 00:35:53,280
event 4769 clusters for HTTP Finance at hours when finance sleeps.
707
00:35:53,280 –> 00:35:56,320
That means service access where service should dream.
708
00:35:56,320 –> 00:35:59,680
Either automation went feral or someone borrowed the light.
709
00:35:59,680 –> 00:36:00,960
You mark it.
710
00:36:00,960 –> 00:36:06,560
Soft tick, telemetry murmurs, edges 182 paths to DA found.
711
00:36:06,560 –> 00:36:09,120
The graph is not a threat, it is a weather report.
712
00:36:09,120 –> 00:36:11,360
You pivot from services to delegation.
713
00:36:11,360 –> 00:36:14,640
Unconstrained is heat, constrained is engineered light.
714
00:36:14,640 –> 00:36:17,280
Resource-based is a mirror with rules.
715
00:36:17,280 –> 00:36:20,080
You see an aging application server trusted for
716
00:36:20,080 –> 00:36:22,160
unconstrained delegation.
717
00:36:22,160 –> 00:36:24,880
It received its blessing when the vendor promised no risk.
718
00:36:24,880 –> 00:36:30,320
It kept it when the vendor forgot. That server can hold TGTs for those who visit.
719
00:36:30,320 –> 00:36:33,600
Administrators once visited to debug an outage.
720
00:36:33,600 –> 00:36:36,080
Their tokens orbited within memory.
721
00:36:36,080 –> 00:36:40,320
You note the curvature, if the furnace is breached, it emits passports.
722
00:36:40,320 –> 00:36:43,360
Not a zero-day, a zero-care. Low chime,
723
00:36:43,360 –> 00:36:48,960
directory replies to a controlled query, krbtgt password last set,
724
00:36:48,960 –> 00:36:50,960
two thousand eighty-one days ago,
725
00:36:50,960 –> 00:36:52,240
starlight from the past.
726
00:36:52,240 –> 00:36:55,680
If someone minted a ticket forged from yesterday’s secret,
727
00:36:55,680 –> 00:36:58,480
the present might still accept it as fate.
728
00:36:58,480 –> 00:37:02,960
You mark the ritual overdue, reset twice, measured and verified.
729
00:37:02,960 –> 00:37:08,320
You walk the trust objects one external, one shortcut, one forest.
730
00:37:08,320 –> 00:37:12,160
Selective authentication disabled on the shortcut
731
00:37:12,160 –> 00:37:13,840
that spans convenience.
732
00:37:13,840 –> 00:37:16,720
SID filtering relaxed for a vendor era
733
00:37:16,720 –> 00:37:19,840
that ended two reorganizations ago.
734
00:37:19,840 –> 00:37:24,560
The wormhole remains open, passing history across without friction.
735
00:37:24,560 –> 00:37:26,000
You write a note in gravity.
736
00:37:26,000 –> 00:37:28,880
If collapse begins, it will begin here.
737
00:37:28,880 –> 00:37:32,160
You lean into habit because habit is the true credential.
738
00:37:32,160 –> 00:37:37,120
Session data shows a domain admin touching a management server at lunch
739
00:37:37,120 –> 00:37:39,840
from a workstation that should be tier two.
740
00:37:39,840 –> 00:37:41,440
One appearance can be an accident.
741
00:37:42,160 –> 00:37:45,520
Three is ritual. That ritual creates mass transfer.
742
00:37:45,520 –> 00:37:49,440
A high-value token arrives where low-value processes breathe.
743
00:37:49,440 –> 00:37:51,680
Even with defenses, the curvature is wrong.
744
00:37:51,680 –> 00:37:52,720
You do not accuse.
745
00:37:52,720 –> 00:37:53,840
You annotate.
746
00:37:53,840 –> 00:37:58,000
Then you plan to remove every reason for that ritual to exist.
747
00:37:58,000 –> 00:37:59,440
Base pulse.
748
00:37:59,440 –> 00:38:02,000
A BloodHound-style path highlights.
749
00:38:02,000 –> 00:38:02,880
User.
750
00:38:02,880 –> 00:38:04,320
Department group.
751
00:38:04,320 –> 00:38:06,400
Write to script share.
752
00:38:06,400 –> 00:38:08,080
Service credential.
753
00:38:08,080 –> 00:38:09,840
Local admin chain.
754
00:38:09,840 –> 00:38:11,280
Management server.
755
00:38:11,280 –> 00:38:12,720
Cached ticket.
756
00:38:12,720 –> 00:38:14,800
DC adjacent reach.
757
00:38:14,800 –> 00:38:15,760
No lock picked.
758
00:38:15,760 –> 00:38:16,960
No door broken.
759
00:38:16,960 –> 00:38:18,320
Gravity did the work.
760
00:38:18,320 –> 00:38:21,360
You close the loop with defense pronounced in the language of physics.
761
00:38:21,360 –> 00:38:23,200
Reduce edges.
762
00:38:23,200 –> 00:38:23,760
Remove
763
00:38:23,760 –> 00:38:26,320
write from the script share for humans who only read.
764
00:38:26,320 –> 00:38:28,800
Rotate the service credential.
765
00:38:28,800 –> 00:38:30,400
Bind it to least privilege.
766
00:38:30,400 –> 00:38:31,680
Deny interactive
767
00:38:31,680 –> 00:38:32,400
logon.
768
00:38:32,400 –> 00:38:34,480
And audit where it breathes.
769
00:38:34,480 –> 00:38:38,320
Enforce LAPS to sever shared local admin constellations.
770
00:38:38,320 –> 00:38:42,320
Push SMB signing so relays cannot bend routes.
771
00:38:42,320 –> 00:38:44,480
Retire the unconstrained furnace.
772
00:38:44,480 –> 00:38:49,920
Replace it with resource-based constrained delegation tied to exact services not a hope.
773
00:38:49,920 –> 00:38:52,160
Reset KRBTGT twice.
774
00:38:52,160 –> 00:38:53,520
Seal tiers behind PAWs.
775
00:38:53,520 –> 00:38:55,600
Train habit with gates not scolding.
776
00:38:55,600 –> 00:38:57,040
The directory does not hide.
777
00:38:57,040 –> 00:38:58,560
It whispers.
778
00:38:58,560 –> 00:39:00,720
Enumeration is not a threat.
779
00:39:00,720 –> 00:39:05,040
It is a confession the system makes to anyone patient enough to hear it.
780
00:39:05,040 –> 00:39:09,600
And once you know the paths you do not need to move loudly you just fall.
781
00:39:09,600 –> 00:39:11,040
Pull breaking orbits.
782
00:39:11,040 –> 00:39:12,960
We arrive at a single endpoint.
783
00:39:12,960 –> 00:39:16,480
The place where ordinary work becomes extraordinary leverage.
784
00:39:16,480 –> 00:39:19,200
A compromised workstation is not a breach.
785
00:39:19,200 –> 00:39:20,640
It is a launch pad.
786
00:39:20,640 –> 00:39:22,560
Local privilege is thrust.
787
00:39:22,560 –> 00:39:24,400
Credential material is fuel.
788
00:39:24,400 –> 00:39:25,920
Lateral movement is trajectory.
789
00:39:25,920 –> 00:39:29,120
We break orbits in three gravitational moves.
790
00:39:29,120 –> 00:39:31,120
First, the local climb.
791
00:39:31,120 –> 00:39:34,640
Services with weak permissions.
792
00:39:34,640 –> 00:39:35,920
Unquoted paths.
793
00:39:35,920 –> 00:39:38,000
Access rights.
794
00:39:38,000 –> 00:39:42,320
In quiet groups like backup operators or print operators.
795
00:39:42,320 –> 00:39:46,400
We do not need names or vulnerabilities to know the pattern.
796
00:39:46,400 –> 00:39:49,040
Misconfiguration accelerates mass.
797
00:39:49,040 –> 00:39:51,760
Second, we read memory's heat.
798
00:39:51,760 –> 00:39:53,120
LSASS is the key ring.
799
00:39:53,120 –> 00:39:55,840
SSPs are the dialects.
800
00:39:55,840 –> 00:39:57,920
Tickets and hashes are condensed power.
801
00:39:57,920 –> 00:40:00,560
If WDigest sleeps, we let it sleep.
802
00:40:00,560 –> 00:40:02,800
If LSA protection stands we honor it.
803
00:40:02,800 –> 00:40:06,720
If the shield is missing attackers will ask the key ring to sing.
804
00:40:06,720 –> 00:40:08,320
We answer by hardening.
805
00:40:08,320 –> 00:40:11,040
Credential Guard, RunAsPPL.
806
00:40:11,040 –> 00:40:12,240
Restricted debug.
807
00:40:12,240 –> 00:40:14,960
No admin sessions on untrusted hosts.
808
00:40:14,960 –> 00:40:17,280
Third, we respect time's verdict.
809
00:40:17,280 –> 00:40:21,920
A server from 2016 that never learned new laws is a pocket where time dilates.
810
00:40:21,920 –> 00:40:23,280
Patches do not arrive.
811
00:40:23,280 –> 00:40:24,640
Protocols remain generous.
812
00:40:24,640 –> 00:40:26,640
That machine bends the field around it.
813
00:40:26,640 –> 00:40:28,240
We isolate or retire.
814
00:40:28,240 –> 00:40:31,840
Or we compensate with walls and watches.
815
00:40:31,840 –> 00:40:32,960
Low chime.
816
00:40:32,960 –> 00:40:35,680
Elevation attempt blocked by service DACL.
817
00:40:35,680 –> 00:40:36,720
Base pulse.
818
00:40:36,720 –> 00:40:38,560
Sysmon event 10 denied.
819
00:40:38,560 –> 00:40:40,480
The fabric speaks when we let it.
820
00:40:40,480 –> 00:40:43,760
Everything changes when the initial thrust meets structure.
821
00:40:43,760 –> 00:40:46,160
If the edges are many movement is easy.
822
00:40:46,160 –> 00:40:48,480
If the edges are few movement is noisy.
823
00:40:48,480 –> 00:40:51,120
In the next segments we will climb.
824
00:40:51,120 –> 00:40:53,200
We will attempt to read memory.
825
00:40:53,200 –> 00:40:56,720
And we will decide whether the orbit breaks or holds.
826
00:40:56,720 –> 00:40:58,640
The next orbit begins.
827
00:40:58,640 –> 00:41:00,720
From user to local admin.
828
00:41:00,720 –> 00:41:03,360
We stand on a workstation surface.
829
00:41:03,360 –> 00:41:04,240
Ordinary gravity.
830
00:41:04,240 –> 00:41:05,440
Ordinary permissions.
831
00:41:05,440 –> 00:41:07,440
A user clicks, types, saves.
832
00:41:07,440 –> 00:41:08,640
Nothing blazes.
833
00:41:08,640 –> 00:41:10,400
But local privilege is not a crown.
834
00:41:10,400 –> 00:41:11,840
It is momentum.
835
00:41:11,840 –> 00:41:15,200
And momentum comes from frictionless paths carved long ago.
836
00:41:15,200 –> 00:41:17,680
We look for the first slope.
837
00:41:17,680 –> 00:41:18,880
Services.
838
00:41:18,880 –> 00:41:23,520
In Windows, a service is an engine strapped to the hull.
839
00:41:23,520 –> 00:41:27,760
If its binary path contains spaces and lacks quotes,
840
00:41:27,760 –> 00:41:30,000
the system resolves greedily.
841
00:41:30,000 –> 00:41:32,080
Stopping at the first executable fragment.
842
00:41:32,080 –> 00:41:33,840
That is an unquoted service path.
843
00:41:33,840 –> 00:41:37,600
If a low-privileged user can write into that directory,
844
00:41:37,600 –> 00:41:40,480
they can slide a payload into the resolution.
845
00:41:40,480 –> 00:41:42,880
On next start, the engine burns the wrong fuel.
846
00:41:42,880 –> 00:41:44,800
Elevation without ceremony.
847
00:41:44,800 –> 00:41:45,760
We do not guess.
848
00:41:45,760 –> 00:41:46,800
We measure.
849
00:41:46,800 –> 00:41:51,040
Service configuration is a map of intent meeting file system truth.
850
00:41:51,040 –> 00:41:52,640
Then we test the bolts.
851
00:41:52,640 –> 00:41:54,080
Service permissions.
852
00:41:54,080 –> 00:41:56,720
A service with a generous DACL
853
00:41:56,720 –> 00:42:02,240
lets ordinary users change its binary, its start mode, or its account.
854
00:42:02,240 –> 00:42:05,040
When that happens, gravity is inverted.
855
00:42:05,040 –> 00:42:09,840
A quiet user can rewire a trusted engine to run their code as local system.
856
00:42:09,840 –> 00:42:11,760
Not a zero-day.
857
00:42:11,760 –> 00:42:14,000
A zero-discipline in DACLs.
858
00:42:14,000 –> 00:42:16,000
The defense lives where it began.
859
00:42:16,000 –> 00:42:19,840
Correct ACLs on services and their binaries.
860
00:42:19,840 –> 00:42:22,480
Configuration drift detectors
861
00:42:22,480 –> 00:42:24,800
that shout when a startup path changes.
862
00:42:24,800 –> 00:42:28,880
And a rule that services run under least privileged accounts
863
00:42:28,880 –> 00:42:31,120
with write-protected binaries.
864
00:42:31,120 –> 00:42:35,360
We examine the local constellations, groups: Backup Operators,
865
00:42:35,360 –> 00:42:39,200
Print Operators, Power Users, that survived an earlier era.
866
00:42:39,200 –> 00:42:42,880
These rings look harmless because they are not administrators by name.
867
00:42:42,880 –> 00:42:44,560
But Windows remembers history.
868
00:42:44,560 –> 00:42:48,400
Backup Operators can load drivers, read volumes,
869
00:42:48,400 –> 00:42:52,320
and touch the registry hives where secrets congeal.
870
00:42:52,320 –> 00:42:56,400
Print Operators can manage services and drivers that run in elevated space.
871
00:42:56,400 –> 00:43:00,480
One misapplied membership bestows tidal influence.
872
00:43:00,480 –> 00:43:03,040
We cut these rings to purpose.
873
00:43:03,040 –> 00:43:07,280
Memberships are documented, justified, time-bound,
874
00:43:07,280 –> 00:43:10,400
and reviewed on a cadence that feels like ritual.
875
00:43:10,400 –> 00:43:11,680
Lab Echo.
876
00:43:11,680 –> 00:43:12,400
Low chime.
877
00:43:12,400 –> 00:43:15,200
Service query returned.
878
00:43:15,200 –> 00:43:16,960
Three vulnerable paths.
879
00:43:16,960 –> 00:43:20,880
Write access detected in C:\Program Files\Vendor Appils,
880
00:43:20,880 –> 00:43:27,280
Bass pulse. Service DACL allows start, stop, and change
881
00:43:27,280 –> 00:43:30,000
config for Authenticated Users.
882
00:43:30,000 –> 00:43:33,840
The fabric speaks, we answer.
883
00:43:33,840 –> 00:43:38,000
Now, known vulnerabilities without naming them.
884
00:43:38,000 –> 00:43:40,800
Privilege escalation is a pattern.
885
00:43:40,800 –> 00:43:43,040
Unsigned drivers accepted without scrutiny.
886
00:43:43,040 –> 00:43:46,480
Scheduled tasks with world-writable actions.
887
00:43:47,120 –> 00:43:52,480
Hijackable DLL search orders, when a process looks in a writable directory first.
888
00:43:52,480 –> 00:43:56,240
The specific identifier changes with season.
889
00:43:56,240 –> 00:43:57,840
The physics remains.
890
00:43:57,840 –> 00:44:01,920
A high-privilege process trusts a low-privilege location.
891
00:44:01,920 –> 00:44:05,520
Our counterforces are mechanical: block unsigned kernel code,
892
00:44:05,520 –> 00:44:11,840
restrict who can load drivers, monitor new scheduled tasks with administrative principals,
893
00:44:11,840 –> 00:44:16,480
and fix search paths so binaries and DLLs come from read-only
894
00:44:16,480 –> 00:44:17,360
constellations.
895
00:44:17,360 –> 00:44:23,760
We step into the registry and file system looking for writable edges near the core.
896
00:44:23,760 –> 00:44:30,560
If Program Files, System32 siblings, or service directories allow non-admin writes,
897
00:44:30,560 –> 00:44:32,160
the hull is already thin.
898
00:44:32,160 –> 00:44:38,000
We set inheritance to sanity, audit for explicit grants that deviate from baselines,
899
00:44:38,000 –> 00:44:41,920
and stamp golden images so mispermissions cannot replicate like spores.
900
00:44:41,920 –> 00:44:44,080
We read habit because habit bends everything.
901
00:44:44,080 –> 00:44:50,400
Developers installed compilers and debuggers on servers for a quick fix and never removed them.
902
00:44:50,400 –> 00:44:52,560
Those tools are not evil, they are leverage.
903
00:44:52,560 –> 00:44:58,640
On a workstation, a local user with a compiler and a writable service path
904
00:44:58,640 –> 00:45:02,560
can manufacture their ladder the moment curiosity arrives.
905
00:45:02,560 –> 00:45:03,600
We dry that fuel.
906
00:45:03,600 –> 00:45:10,240
No compilers on servers, no ad hoc tool caches in privileged directories,
907
00:45:10,240 –> 00:45:14,560
application control to require signatures and publishers we trust.
908
00:45:14,560 –> 00:45:17,520
Credential material is nearby but we hold the line.
909
00:45:17,520 –> 00:45:20,080
Local admin is a gate before memory.
910
00:45:20,080 –> 00:45:24,480
If the local administrator password is shared across machines,
911
00:45:24,480 –> 00:45:27,360
pass the hash turns one gate into many.
912
00:45:27,360 –> 00:45:31,440
We sever that constellation with LAPS or an equivalent rotation ritual.
913
00:45:31,440 –> 00:45:35,360
Unique secrets per host, rotation as heartbeat,
914
00:45:35,360 –> 00:45:39,760
audit as astronomy: who used the local admin account, from where,
915
00:45:39,760 –> 00:45:40,400
and why.
916
00:45:40,400 –> 00:45:43,840
We cast the baseline as law, not suggestion.
917
00:45:43,840 –> 00:45:48,880
CIS and Microsoft security baselines are not paperwork.
918
00:45:48,880 –> 00:45:51,040
They are orbital parameters.
919
00:45:51,040 –> 00:45:56,480
They harden services, disable legacy reflexes, constrain rights.
920
00:45:56,480 –> 00:45:57,920
We do not paste them blindly.
921
00:45:57,920 –> 00:45:59,680
We test them, enforce, then watch.
922
00:45:59,680 –> 00:46:04,640
Drift detectors compare current state to intended gravity
923
00:46:04,640 –> 00:46:07,200
and speak when the difference grows.
924
00:46:07,200 –> 00:46:12,000
We rehearse hygiene, regularly scan for local privilege escalation patterns,
925
00:46:12,000 –> 00:46:14,960
not to collect trophies but to delete the slopes.
926
00:46:14,960 –> 00:46:17,120
Patch cadence becomes a metronome.
927
00:46:17,120 –> 00:46:21,680
Servers and workstations learn new laws promptly.
928
00:46:21,680 –> 00:46:27,440
When legacy software resists, we isolate it behind walls and watches,
929
00:46:27,440 –> 00:46:28,560
or we retire it.
930
00:46:28,560 –> 00:46:31,200
Isolation is not punishment.
931
00:46:31,200 –> 00:46:33,760
It is respect for physics we cannot change.
932
00:46:33,760 –> 00:46:34,480
Lab echo.
933
00:46:34,480 –> 00:46:35,680
Soft tick.
934
00:46:36,480 –> 00:46:39,600
Local group membership audit: Backup Operators contains
935
00:46:39,600 –> 00:46:43,120
svc-backup01 and user J. Sato.
936
00:46:43,120 –> 00:46:44,400
That name matters.
937
00:46:44,400 –> 00:46:45,840
Humans make systems bend.
938
00:46:45,840 –> 00:46:48,160
We remove what is not justified.
939
00:46:48,160 –> 00:46:50,080
We time bound what remains.
940
00:46:50,080 –> 00:46:53,120
We alert when gravity returns without approval.
941
00:46:53,120 –> 00:46:54,880
We close with a principle.
942
00:46:54,880 –> 00:46:58,640
Local admin should be rare, reversible, and recent.
943
00:46:58,640 –> 00:46:59,360
Rare.
944
00:46:59,360 –> 00:47:01,600
Because most tasks do not need it.
945
00:47:01,600 –> 00:47:05,040
Reversible, because just-in-time rights expire.
946
00:47:05,040 –> 00:47:10,480
Recent, because standing privilege decays into habit and habit into breach.
947
00:47:10,480 –> 00:47:12,880
JEA for PowerShell.
948
00:47:12,880 –> 00:47:14,880
Temporary elevation with approvals.
949
00:47:14,880 –> 00:47:16,880
Session recording where law permits.
950
00:47:16,880 –> 00:47:19,600
PAWs for the hands that must touch servers.
951
00:47:19,600 –> 00:47:21,600
And a boundary.
952
00:47:21,600 –> 00:47:24,640
No administrative hands on untrusted hosts, ever.
953
00:47:24,640 –> 00:47:26,640
Low chime.
954
00:47:26,640 –> 00:47:28,560
Elevation attempt thwarted.
955
00:47:28,560 –> 00:47:30,320
Change service config denied.
956
00:47:30,320 –> 00:47:32,800
Bass pulse fades.
957
00:47:32,800 –> 00:47:34,240
The orbit holds.
958
00:47:34,240 –> 00:47:35,280
Reading memory.
959
00:47:35,280 –> 00:47:37,280
LSASS and the key ring.
960
00:47:37,280 –> 00:47:40,960
We descend into the chamber where identity condenses into metal.
961
00:47:40,960 –> 00:47:43,280
The local security authority is not a process.
962
00:47:43,280 –> 00:47:44,640
It is the key ring.
963
00:47:44,640 –> 00:47:47,440
In its memory live the proofs we trade for access.
964
00:47:47,440 –> 00:47:49,200
Kerberos tickets.
965
00:47:49,200 –> 00:47:50,720
NTLM secrets.
966
00:47:50,720 –> 00:47:51,920
Cached tokens.
967
00:47:51,920 –> 00:47:53,760
And the structures that bind them.
968
00:47:53,760 –> 00:47:57,120
The security support providers that speak the dialects of trust.
969
00:47:57,120 –> 00:48:00,160
Power BI does not simply show us.
970
00:48:00,160 –> 00:48:02,800
LSASS enforces who we are allowed to become.
971
00:48:03,360 –> 00:48:05,920
When it is naked, gravity fails.
972
00:48:05,920 –> 00:48:07,840
Kerberos breathes here.
973
00:48:07,840 –> 00:48:12,480
Ticket granting tickets once minted by the KDC rest as heat.
974
00:48:12,480 –> 00:48:14,880
Renewable within policy.
975
00:48:14,880 –> 00:48:18,320
Convertible into service tickets without asking passwords again.
976
00:48:18,320 –> 00:48:22,560
NTLM persists as a fossil dialect.
977
00:48:22,560 –> 00:48:28,320
If policy permits, challenge responses and cached secrets remain within reach.
978
00:48:28,320 –> 00:48:31,040
The credential manager keeps convenience close.
979
00:48:31,760 –> 00:48:32,880
Saved web creds.
980
00:48:32,880 –> 00:48:34,320
Mapped drive tokens.
981
00:48:34,320 –> 00:48:36,160
Enterprise SSO residues.
982
00:48:36,160 –> 00:48:37,520
Each convenience is mass.
983
00:48:37,520 –> 00:48:41,360
Each mass can be moved if rules allow hands to near the ring.
984
00:48:41,360 –> 00:48:44,880
Security support providers are the translators.
985
00:48:44,880 –> 00:48:45,760
Kerberos.
986
00:48:45,760 –> 00:48:46,720
NTLM.
987
00:48:46,720 –> 00:48:47,760
Negotiate.
988
00:48:47,760 –> 00:48:48,880
CredSSP.
989
00:48:48,880 –> 00:48:50,160
Amid others.
990
00:48:50,160 –> 00:48:52,560
They register within LSASS.
991
00:48:52,560 –> 00:48:55,040
So logons and delegations have a voice.
992
00:48:55,040 –> 00:49:00,960
When legacy SSPs linger, when WDigest is enabled for compatibility,
993
00:49:00,960 –> 00:49:05,920
when third-party providers install with generous hooks, memory becomes a market.
994
00:49:05,920 –> 00:49:07,920
Opponents do not need passwords.
995
00:49:07,920 –> 00:49:09,120
They need handles.
996
00:49:09,120 –> 00:49:11,040
A read is enough to become you.
997
00:49:11,040 –> 00:49:13,200
This is why shield patterns matter.
998
00:49:13,200 –> 00:49:17,840
LSA protection, RunAsPPL, hardens LSASS into a protected process.
999
00:49:17,840 –> 00:49:22,480
When enforced, only signed, trusted, specifically permitted code
1000
00:49:22,480 –> 00:49:25,200
can request the handles that reveal secrets.
1001
00:49:25,200 –> 00:49:30,320
Without it, any process with SeDebugPrivilege or clever indirection
1002
00:49:30,320 –> 00:49:32,480
can ask the key ring to sing.
1003
00:49:32,480 –> 00:49:38,400
Credential guard isolates long-lived secrets within virtualization boundaries.
1004
00:49:38,400 –> 00:49:43,200
LSAS becomes a mediator rather than a vault with an open door.
1005
00:49:43,200 –> 00:49:45,120
The difference is gravitational.
1006
00:49:45,120 –> 00:49:48,320
With shields, read attempts bend and break.
1007
00:49:48,320 –> 00:49:51,440
Without shields, time dilates and secrets leak.
1008
00:49:51,440 –> 00:49:52,240
Low chime.
1009
00:49:52,240 –> 00:49:55,360
Sysmon event 10: handle request to LSASS from winword
1010
00:49:55,360 –> 00:49:56,080
.exe.
1011
00:49:56,080 –> 00:49:57,600
Access denied by PPL.
1012
00:49:58,160 –> 00:50:00,880
That is the sound of a shield absorbing a particle.
1013
00:50:00,880 –> 00:50:02,400
The bass pulse recedes.
1014
00:50:02,400 –> 00:50:07,520
But time has its own opinion on a legacy host where LSA protection is not present,
1015
00:50:07,520 –> 00:50:12,320
or where WDigest was once toggled for a vendor and never reversed.
1016
00:50:12,320 –> 00:50:16,720
Memory contains cleartext that should never have existed.
1017
00:50:16,720 –> 00:50:20,560
If administrators log on interactively to that host,
1018
00:50:20,560 –> 00:50:25,440
high-value tokens orbit within the same gravity as untrusted processes.
1019
00:50:25,440 –> 00:50:27,920
A tool does not need to be exotic.
1020
00:50:27,920 –> 00:50:29,680
It needs to be adjacent.
1021
00:50:29,680 –> 00:50:32,720
The path is physics: obtain local admin,
1022
00:50:32,720 –> 00:50:38,000
request handles, read memory, serialize secrets, move sideways.
1023
00:50:38,000 –> 00:50:40,320
We counter with ritual and boundaries.
1024
00:50:40,320 –> 00:50:42,880
First, remove the fuel.
1025
00:50:42,880 –> 00:50:48,560
Disable WDigest by policy and verify the registry aligns with intent.
1026
00:50:48,560 –> 00:50:55,760
Deny interactive logon to service accounts and tier identities on anything but privileged
1027
00:50:55,760 –> 00:51:02,480
access workstations. Require Restricted Admin for RDP into servers where possible,
1028
00:51:02,480 –> 00:51:05,680
so reusable credentials do not land.
1029
00:51:05,680 –> 00:51:09,440
Block process injection tools and unsigned drivers.
1030
00:51:09,440 –> 00:51:11,120
The kernel is the last sky.
1031
00:51:11,120 –> 00:51:14,080
Do not let it accept foreign stars.
1032
00:51:14,080 –> 00:51:16,480
Second, constrain proximity.
1033
00:51:16,480 –> 00:51:18,560
Isolate admin sessions.
1034
00:51:18,560 –> 00:51:22,960
The hands that hold domain power must never touch untrusted terrain.
1035
00:51:22,960 –> 00:51:26,480
If an admin must fix a workstation, the tool reaches in.
1036
00:51:26,480 –> 00:51:28,240
The admin does not step out.
1037
00:51:28,240 –> 00:51:31,600
Just Enough Administration defines the verbs.
1038
00:51:31,600 –> 00:51:34,000
Just-in-time grants the time window.
1039
00:51:34,000 –> 00:51:36,960
Session recording captures the light trail.
1040
00:51:36,960 –> 00:51:38,400
The goal is not surveillance.
1041
00:51:38,400 –> 00:51:40,400
It is physics.
1042
00:51:40,400 –> 00:51:44,480
Prevent high mass tokens from descending into low-trust wells.
1043
00:51:44,480 –> 00:51:46,480
Third, instrument memory.
1044
00:51:46,480 –> 00:51:52,640
Sysmon event 10 alerts when a process asks for LSASS with suspicious intent.
1045
00:51:52,640 –> 00:51:55,680
Pair it with event 1 to map parentage.
1046
00:51:55,680 –> 00:51:58,560
Office apps should not birth credential readers.
1047
00:51:58,560 –> 00:52:01,760
Add event 7 for image loads.
1048
00:52:01,760 –> 00:52:09,840
When an unexpected SSP DLL wedges into LSASS, the sky has been altered.
1049
00:52:09,840 –> 00:52:12,560
Windows security logs add context.
1050
00:52:12,560 –> 00:52:17,680
4624 logons that bring admin SIDs into places they should not be.
1051
00:52:17,680 –> 00:52:22,000
4672 privileges assigned where maintenance is not scheduled.
1052
00:52:22,000 –> 00:52:22,960
Correlate.
1053
00:52:22,960 –> 00:52:25,920
Curvature emerges only when lines intersect.
1054
00:52:25,920 –> 00:52:27,280
Lab echo.
1055
00:52:27,280 –> 00:52:28,480
Soft tick.
1056
00:52:28,480 –> 00:52:31,040
Security 4624.
1057
00:52:31,040 –> 00:52:36,160
Logon type 10 to server core-app03 by admin svc-deploy.
1058
00:52:36,160 –> 00:52:37,840
Bass pulse.
1059
00:52:37,840 –> 00:52:39,120
Sysmon 7.
1060
00:52:39,120 –> 00:52:40,800
New SSP module loaded.
1061
00:52:40,800 –> 00:52:42,000
Legacy digest.
1062
00:52:42,000 –> 00:52:43,200
Alert.
1063
00:52:43,200 –> 00:52:44,560
The fabric shudders.
1064
00:52:44,560 –> 00:52:46,160
This is not an exploit.
1065
00:52:46,160 –> 00:52:48,400
This is permission granted by neglect.
1066
00:52:48,400 –> 00:52:50,480
Credential guard is a boundary in time.
1067
00:52:50,480 –> 00:52:55,760
Where supported, enable it. It does not make theft impossible, but it raises the energy required.
1068
00:52:55,760 –> 00:53:00,080
Hashes and TGT material move behind virtualization.
1069
00:53:00,080 –> 00:53:03,360
Pass the hash becomes an exercise in frustration.
1070
00:53:03,360 –> 00:53:04,960
Ticket diffusion slows.
1071
00:53:04,960 –> 00:53:08,960
Pair it with Protected Users for critical identities,
1072
00:53:08,960 –> 00:53:11,280
so NTLM usage is refused,
1073
00:53:11,280 –> 00:53:17,280
TGT lifetimes shorten and delegation declines unless explicitly permitted.
1074
00:53:17,280 –> 00:53:18,960
Now we revisit habit.
1075
00:53:19,600 –> 00:53:26,400
If developers or operators run browsers, email or chat on servers, cookies and tokens collect
1076
00:53:26,400 –> 00:53:29,520
near LSASS, like dust around a magnet.
1077
00:53:29,520 –> 00:53:35,280
Web SSO credentials escape the intended sphere and offer federated power where only local
1078
00:53:35,280 –> 00:53:36,800
control should exist.
1079
00:53:36,800 –> 00:53:38,400
Remove browsers from servers.
1080
00:53:38,400 –> 00:53:45,680
Force administrative work through PAWs with hardened profiles, no personal apps, and policies
1081
00:53:45,680 –> 00:53:47,120
that starve convenience.
1082
00:53:47,120 –> 00:53:50,320
We also revisit error handling as a signal.
1083
00:53:50,320 –> 00:53:55,520
When an attacker attempts to read LSASS and fails because RunAsPPL stands,
1084
00:53:55,520 –> 00:53:57,840
do not celebrate silently.
1085
00:53:57,840 –> 00:53:58,640
Alert.
1086
00:53:58,640 –> 00:54:01,760
Investigate the process tree, user and source.
1087
00:54:01,760 –> 00:54:06,560
False positives exist but physics does not produce noise without cause.
1088
00:54:06,560 –> 00:54:11,040
Either a security product probed legitimately or a tool searched for doors.
1089
00:54:11,040 –> 00:54:12,800
Tune then trust the pattern.
1090
00:54:12,800 –> 00:54:16,240
Defense sounds like law but it behaves like orbit.
1091
00:54:16,240 –> 00:54:23,200
Apply the MS and CIS baselines that set LSA protection, credential guard and SSP hygiene.
1092
00:54:23,200 –> 00:54:31,120
Remove legacy providers, enforce driver signing, deny SeDebugPrivilege to every account that does
1093
00:54:31,120 –> 00:54:33,040
not bear it by necessity.
1094
00:54:33,040 –> 00:54:38,640
If an application demands exceptions, isolate it behind walls and watchers and schedule
1095
00:54:38,640 –> 00:54:52,560
its eradication like decommissioning a collapsing star. Low chime.
1096
00:54:52,560 –> 00:54:54,880
Not a fountain, we are sent.
1097
00:54:54,880 –> 00:54:58,080
Memory still holds heat but it is arranged.
1098
00:54:58,080 –> 00:55:01,760
Identity bends, but within boundaries. We did not remove gravity.
1099
00:55:01,760 –> 00:55:03,680
We taught it restraint.
1100
00:55:03,680 –> 00:55:07,600
Time dilation: patches and technical debt.
1101
00:55:07,600 –> 00:55:10,640
Time does not pass evenly in an enterprise.
1102
00:55:10,640 –> 00:55:12,160
It stretches around legacy.
1103
00:55:12,160 –> 00:55:13,920
It compresses around urgency.
1104
00:55:13,920 –> 00:55:19,760
A 2016 server that never learned new laws does not sit in the present.
1105
00:55:19,760 –> 00:55:22,240
It drags the present backward.
1106
00:55:22,240 –> 00:55:23,440
That is time dilation.
1107
00:55:23,440 –> 00:55:26,320
The longer we allow it the heavier it becomes.
1108
00:55:26,320 –> 00:55:27,920
Technical debt is not a bill.
1109
00:55:27,920 –> 00:55:29,240
It is gravity.
1110
00:55:29,240 –> 00:55:35,360
Each exception adds mass, a postponed reboot, a deferred cumulative update, a driver pinned
1111
00:55:35,360 –> 00:55:41,000
to an older kernel, a vendor requirement that demanded temporary registry edits.
1112
00:55:41,000 –> 00:55:42,320
Individually they seem trivial.
1113
00:55:42,320 –> 00:55:49,760
Together they warp authentication, alter negotiation and open paths attackers do not have to force.
1114
00:55:49,760 –> 00:55:52,200
They merely step where time slowed.
1115
00:55:52,200 –> 00:55:58,240
Consider the stack: a domain member with outdated patches still advertises NTLM behaviors
1116
00:55:58,240 –> 00:55:59,760
we thought retired.
1117
00:55:59,760 –> 00:56:03,280
Channel binding never enabled, SMB signing optional,
1118
00:56:03,280 –> 00:56:07,320
RPC endpoints exposing methods with weak verification.
1119
00:56:07,320 –> 00:56:10,240
None of this requires an exploit in the cinematic sense.
1120
00:56:10,240 –> 00:56:17,040
It requires only the courage to ask in the dialect that machine still understands.
1121
00:56:17,040 –> 00:56:22,400
And when privileged humans visit, when an admin RDPs in just for a quick look, their fresh
1122
00:56:22,400 –> 00:56:25,400
tokens orbit an old gravity.
1123
00:56:25,400 –> 00:56:28,200
That is how the past steals the present.
1124
00:56:28,200 –> 00:56:29,480
Low chime.
1125
00:56:29,480 –> 00:56:33,440
Update baseline drift: 47 servers behind by 90-plus days.
1126
00:56:33,440 –> 00:56:37,440
Three domain controllers outside secure channel patch cadence.
1127
00:56:37,440 –> 00:56:39,040
Bass pulse.
1128
00:56:39,040 –> 00:56:44,480
Event 4769 anomalies correlate with unpatched SPN hosts.
1129
00:56:44,480 –> 00:56:46,320
The fabric reports the obvious.
1130
00:56:46,320 –> 00:56:47,600
Time is not neutral.
1131
00:56:47,600 –> 00:56:49,280
We push back with ritual.
1132
00:56:49,280 –> 00:56:52,440
Patch cadence is the metronome that resets physics.
1133
00:56:52,440 –> 00:56:55,480
It is not a heroic sprint every quarter.
1134
00:56:55,480 –> 00:56:57,040
It is a drumbeat.
1135
00:56:57,040 –> 00:56:58,720
Reliation on day.
1136
00:56:58,720 –> 00:57:00,840
Lab validation by day two.
1137
00:57:00,840 –> 00:57:02,240
Pilot by day seven.
1138
00:57:02,240 –> 00:57:04,640
Broad deployment by day 14.
1139
00:57:04,640 –> 00:57:06,800
Exceptions documented with a sunset.
1140
00:57:06,800 –> 00:57:12,120
Out-of-band fixes for identity and remote execution are emergencies,
1141
00:57:12,120 –> 00:57:14,720
not negotiable calendar items.
1142
00:57:14,720 –> 00:57:18,360
We do not wait for change windows to align with fate.
1143
00:57:18,360 –> 00:57:21,440
We shape windows to respect gravity.
1144
00:57:21,440 –> 00:57:24,000
But time has its own opinion about reality.
1145
00:57:24,000 –> 00:57:26,440
Some systems cannot move fast.
1146
00:57:26,440 –> 00:57:29,360
Real controllers that hang on brittle drivers.
1147
00:57:29,360 –> 00:57:34,760
Line-of-business servers with vendors who treat updates as existential threats.
1148
00:57:34,760 –> 00:57:37,120
Here we choose one of three paths.
1149
00:57:37,120 –> 00:57:38,120
Retire.
1150
00:57:38,120 –> 00:57:40,720
Decommission where business allows.
1151
00:57:40,720 –> 00:57:44,160
Because dead mass cannot bend the future.
1152
00:57:44,160 –> 00:57:45,720
Isolate.
1153
00:57:45,720 –> 00:57:48,840
Quarantine behind identity-aware firewalls.
1154
00:57:48,840 –> 00:57:54,720
Deny inbound administration except through bastions and restrict egress so a compromised
1155
00:57:54,720 –> 00:57:57,200
legacy box cannot shout.
1156
00:57:57,200 –> 00:57:58,400
Compensate.
1157
00:57:58,400 –> 00:58:00,600
Enforce SMB signing.
1158
00:58:00,600 –> 00:58:03,760
Force TLS 1.2 plus.
1159
00:58:03,760 –> 00:58:05,240
Enable Sysmon.
1160
00:58:05,240 –> 00:58:07,160
Deploy application control.
1161
00:58:07,160 –> 00:58:11,920
And wrap the host with monitoring that treats any privilege expansion as a siren.
1162
00:58:11,920 –> 00:58:13,640
We document as gravity.
1163
00:58:13,640 –> 00:58:14,960
Not guilt.
1164
00:58:14,960 –> 00:58:16,760
A risk register is not theatre.
1165
00:58:16,760 –> 00:58:19,240
It is a map of where time runs slow.
1166
00:58:19,240 –> 00:58:21,920
Each entry lists controls applied.
1167
00:58:21,920 –> 00:58:25,760
risks allowed, and a date when the star must go dark.
1168
00:58:25,760 –> 00:58:27,440
Leadership does not fear schedules.
1169
00:58:27,440 –> 00:58:29,080
They fear surprises.
1170
00:58:29,080 –> 00:58:32,000
Show them orbit decay in plain numbers.
1171
00:58:32,000 –> 00:58:33,000
Patch age.
1172
00:58:33,000 –> 00:58:34,760
Event correlations.
1173
00:58:34,760 –> 00:58:37,000
Lateral attempts blocked by policy.
1174
00:58:37,000 –> 00:58:39,920
Provide cost to stabilize versus cost to ignore.
1175
00:58:39,920 –> 00:58:41,960
The universe still wants to be understood.
1176
00:58:41,960 –> 00:58:42,960
So does a budget.
1177
00:58:42,960 –> 00:58:45,360
We defend identity against old clocks.
1178
00:58:45,360 –> 00:58:51,160
KRBTGT rotation twice per cycle ensures that even if a golden ticket was forged in
1179
00:58:51,160 –> 00:58:55,920
a prior age, it loses power when the secrets change.
1180
00:58:55,920 –> 00:59:02,480
Enforce Protected Users for critical admins so their sessions refuse NTLM and delegation
1181
00:59:02,480 –> 00:59:05,880
even on older hosts that try to tempt them.
1182
00:59:05,880 –> 00:59:12,200
Require RDP Restricted Admin and PAWs so credentials never cross into unpatched memory.
1183
00:59:12,200 –> 00:59:13,760
Telemetry must speak in tense.
1184
00:59:13,760 –> 00:59:17,720
Not merely what happened but what happened on a clock that lags.
1185
00:59:17,720 –> 00:59:23,760
Tag hosts by patch cohort, and correlate event 4768 and 4769 spikes with cohort labels.
1186
00:59:23,760 –> 00:59:28,800
If older cohorts correlate with anomalies, you have proof of curvature.
1187
00:59:28,800 –> 00:59:33,920
Sysmon events from outdated kernels deserve higher suspicion scores.
1188
00:59:33,920 –> 00:59:40,160
A login to a legacy print server by a tier identity should be a page, not a report.
1189
00:59:40,160 –> 00:59:41,160
Lab echo.
1190
00:59:41,160 –> 00:59:42,160
Soft tick.
1191
00:59:42,160 –> 00:59:48,680
Cohort report: patch cohort C emits 61% of suspicious LSASS handle attempts.
1192
00:59:48,680 –> 00:59:51,080
Cohort A emits 5%.
1193
00:59:51,080 –> 00:59:52,480
The numbers are not drama.
1194
00:59:52,480 –> 00:59:54,200
They are gravity made audible.
1195
00:59:54,200 –> 00:59:59,640
We fix drift by making time visible: dashboards that show patch velocity by business owner.
1196
00:59:59,640 –> 01:00:05,840
SLA agreements that treat identity patches as production uptime because they are.
1197
01:00:05,840 –> 01:00:07,920
Change boards that understand the physics.
1198
01:00:07,920 –> 01:00:13,440
A weekend outage to update KDCs prevents a week-long outage after collapse.
1199
01:00:13,440 –> 01:00:19,580
Tabletop exercises that stage a domain controller compromise and walk leadership through forest
1200
01:00:19,580 –> 01:00:20,580
recovery.
1201
01:00:20,580 –> 01:00:23,000
Practice turns fear into competence.
1202
01:00:23,000 –> 01:00:27,080
Finally, we change habit: exceptions expire by default.
1203
01:00:27,080 –> 01:00:32,080
Service accounts receive maintenance windows to rotate secrets like tides.
1204
01:00:32,080 –> 01:00:37,000
GPOs enforce modern protocols and refuse to be moved except by ceremony.
1205
01:00:37,000 –> 01:00:41,800
We teach a culture that sees temporary as a threat, not a favor.
1206
01:00:41,800 –> 01:00:43,440
Low chime.
1207
01:00:43,440 –> 01:00:44,920
Legacy exception closed.
1208
01:00:44,920 –> 01:00:47,280
Bass pulse diminishes.
1209
01:00:47,280 –> 01:00:49,120
Time resumes its proper pace.
1210
01:00:49,120 –> 01:00:51,200
We do not chase every patch as panic.
1211
01:00:51,200 –> 01:00:52,160
We set a rhythm.
1212
01:00:52,160 –> 01:00:53,480
We honor it.
1213
01:00:53,480 –> 01:00:58,640
And when an old star refuses, we either put it behind glass or watch it collapse on our
1214
01:00:58,640 –> 01:01:00,480
terms, not the universe’s.
1215
01:01:00,480 –> 01:01:03,200
The next orbit begins at the center.
1216
01:01:03,200 –> 01:01:09,880
Gravity wells and trusts. In every Windows universe there is a mass at the center.
1217
01:01:09,880 –> 01:01:12,320
The domain controller.
1218
01:01:12,320 –> 01:01:14,120
Authentication curves around it.
1219
01:01:14,120 –> 01:01:15,560
Authorization descends from it.
1220
01:01:15,560 –> 01:01:18,880
Kerberos and NTLM are the languages its gravity speaks.
1221
01:01:18,880 –> 01:01:24,960
Trusts are wormholes that connect galaxies to one another for convenience or catastrophe.
1222
01:01:24,960 –> 01:01:28,320
We will read Kerberos as curved space.
1223
01:01:28,320 –> 01:01:31,160
KDC to TGT to TGS.
1224
01:01:31,160 –> 01:01:34,680
SPNs as stars that tickets orbit.
1225
01:01:34,680 –> 01:01:37,760
Delegation as lenses that bend identity.
1226
01:01:37,760 –> 01:01:41,080
Unconstrained delegation is a furnace.
1227
01:01:41,080 –> 01:01:44,240
Constrained delegation is engineered light.
1228
01:01:44,240 –> 01:01:47,640
Resource-based constrained delegation is a mirror with rules.
1229
01:01:47,640 –> 01:01:49,280
Each changes curvature.
1230
01:01:49,280 –> 01:01:51,320
Each must be chosen, not inherited.
1231
01:01:51,320 –> 01:01:53,960
We will treat NTLM as fossil gravity.
1232
01:01:53,960 –> 01:01:55,840
Useful in rare caves.
1233
01:01:55,840 –> 01:01:57,920
Dangerous in open sky.
1234
01:01:57,920 –> 01:01:59,760
Relays exploit unsigned lanes.
1235
01:01:59,760 –> 01:02:02,040
Old dialects betray modern intent.
1236
01:02:02,040 –> 01:02:03,360
We do not shame legacy.
1237
01:02:03,360 –> 01:02:04,880
We confine it.
1238
01:02:04,880 –> 01:02:06,720
Trusts will be our wormholes.
1239
01:02:06,720 –> 01:02:09,400
Forest, external, shortcut.
1240
01:02:09,400 –> 01:02:12,360
Directionality, selective authentication.
1241
01:02:12,360 –> 01:02:14,480
SID filtering.
1242
01:02:14,480 –> 01:02:16,240
Stable when designed.
1243
01:02:16,240 –> 01:02:18,400
Treacherous when forgotten.
1244
01:02:18,400 –> 01:02:21,760
We will harden gates and monitor crossings.
1245
01:02:21,760 –> 01:02:22,760
Low chime.
1246
01:02:22,760 –> 01:02:25,280
Event 4769 drift clusters near finance
1247
01:02:25,280 –> 01:02:26,280
SPNs.
1248
01:02:26,280 –> 01:02:27,960
Base pulse.
1249
01:02:27,960 –> 01:02:31,400
Unusual TGT lifetimes detected.
1250
01:02:31,400 –> 01:02:34,880
We listen because the fabric speaks before it tears.
1251
01:02:34,880 –> 01:02:36,200
We descend now.
1252
01:02:36,200 –> 01:02:37,800
Toward the well.
1253
01:02:37,800 –> 01:02:39,520
Kerberos as curved space.
1254
01:02:39,520 –> 01:02:40,960
Kerberos is not a handshake.
1255
01:02:40,960 –> 01:02:42,760
It is geometry.
1256
01:02:42,760 –> 01:02:44,960
Identity bends across a field.
1257
01:02:44,960 –> 01:02:47,600
And the KDC defines the curvature.
1258
01:02:47,600 –> 01:02:49,520
We begin at the singularity.
1259
01:02:49,520 –> 01:02:51,680
The Key Distribution Center.
1260
01:02:51,680 –> 01:02:54,800
Living inside each domain controller.
1261
01:02:54,800 –> 01:02:58,840
When you authenticate, you do not receive permission.
1262
01:02:58,840 –> 01:03:00,760
You receive potential.
1263
01:03:00,760 –> 01:03:02,800
Your ticket granting ticket.
1264
01:03:02,800 –> 01:03:05,040
The TGT is a compact star.
1265
01:03:05,040 –> 01:03:12,800
It holds your SID, group SIDs, a lifetime, flags, and a signature sealed by the KRBTGT secret
1266
01:03:12,800 –> 01:03:15,160
that only the KDC can wield.
1267
01:03:15,160 –> 01:03:19,000
To every other service, that seal is invisible.
1268
01:03:19,000 –> 01:03:22,320
To the KDC it is truth spoken in mathematics.
1269
01:03:22,320 –> 01:03:24,680
With the TGT you request light.
1270
01:03:24,680 –> 01:03:29,480
Service tickets, TGS, are photons bent toward a destination.
1271
01:03:29,480 –> 01:03:36,920
You ask for CIFS on a file server, MSSQL on a ledger box, HTTP on a finance app.
1272
01:03:36,920 –> 01:03:44,400
The KDC examines your TGT's contents, consults policy, and mints a service ticket encrypted
1273
01:03:44,400 –> 01:03:47,000
with the service’s long term key.
1274
01:03:47,000 –> 01:03:49,720
The server cannot read your TGT.
1275
01:03:49,720 –> 01:03:52,520
It reads only what the KDC wrote for it.
1276
01:03:52,520 –> 01:03:54,040
This is the first law.
1277
01:03:54,040 –> 01:03:57,680
Services trust the KDC’s memory of you, not your word.
1278
01:03:57,680 –> 01:03:59,880
Service principal names mark the stars.
1279
01:03:59,880 –> 01:04:06,360
HTTP/finance, MSSQL/ledger01, CIFS/sharecore.
1280
01:04:06,360 –> 01:04:09,440
Each SPN is a coordinate where tickets can land.
1281
01:04:09,440 –> 01:04:13,080
When SPNs point at accounts with broad power, the gravity distorts.
1282
01:04:13,080 –> 01:04:19,240
A service account with write rights to sensitive OUs or membership in high groups turns routine
1283
01:04:19,240 –> 01:04:23,160
access into a lens that magnifies risk.
1284
01:04:23,160 –> 01:04:29,720
We prune SPNs, constrain rights and name OUs because unnamed light becomes heat.
1285
01:04:29,720 –> 01:04:32,880
Delegation is how identity passes through lenses.
1286
01:04:32,880 –> 01:04:35,760
Unconstrained delegation is a furnace.
1287
01:04:35,760 –> 01:04:41,080
The service receives your ticket and may request tickets to anything on your behalf.
1288
01:04:41,080 –> 01:04:46,480
If a privileged user touches that furnace, their TGT may rest in memory, convertible into
1289
01:04:46,480 –> 01:04:48,800
access across the universe.
1290
01:04:48,800 –> 01:04:52,800
Constrained delegation is engineered light.
1291
01:04:52,800 –> 01:04:59,360
The service can act for you only toward designated SPNs.
1292
01:04:59,360 –> 01:05:04,120
Resource-based constrained delegation reverses the perspective.
1293
01:05:04,120 –> 01:05:07,400
The target service declares who may impersonate to it.
1294
01:05:07,400 –> 01:05:11,880
Each mode defines how far identity can travel without consulting you again.
1295
01:05:11,880 –> 01:05:13,960
Choose care over convenience.
1296
01:05:13,960 –> 01:05:15,280
Lab echo.
1297
01:05:15,280 –> 01:05:16,800
Low chime.
1298
01:05:16,800 –> 01:05:18,800
TGS issuance spike.
1299
01:05:18,800 –> 01:05:22,680
HTTP finance outside change window.
1300
01:05:22,680 –> 01:05:23,840
Base pulse.
1301
01:05:23,840 –> 01:05:25,560
Delegation path discovered.
1302
01:05:25,560 –> 01:05:28,960
App-old has unconstrained trust.
1303
01:05:28,960 –> 01:05:30,960
Um…
1304
01:05:30,960 –> 01:05:32,640
The…
1305
01:05:32,640 –> 01:05:35,520
The field ripples before it tears.
1306
01:05:35,520 –> 01:05:37,800
Attackers do not break Kerberos.
1307
01:05:37,800 –> 01:05:40,320
They harvest what drift permits.
1308
01:05:40,320 –> 01:05:46,320
If SPNs are owned by accounts with weak passwords, requesting their service tickets produces
1309
01:05:46,320 –> 01:05:49,680
ciphertext eligible for offline guessing.
1310
01:05:49,680 –> 01:05:51,760
We do not describe the ritual.
1311
01:05:51,760 –> 01:05:53,880
We correct the physics.
1312
01:05:53,880 –> 01:05:59,040
Privileged service accounts must use long random secrets and where possible managed service
1313
01:05:59,040 –> 01:06:02,240
accounts that rotate by design.
1314
01:06:02,240 –> 01:06:08,840
Monitor Event 4769 patterns that spike for sensitive SPNs, especially from principals
1315
01:06:08,840 –> 01:06:10,920
that historically never asked.
1316
01:06:10,920 –> 01:06:13,200
Abuse of delegation follows curvature.
1317
01:06:13,200 –> 01:06:16,560
An unconstrained server becomes a token magnet.
1318
01:06:16,560 –> 01:06:21,920
An attacker who obtains local admin there can read the furnace and convert visiting administrators
1319
01:06:21,920 –> 01:06:23,200
into passports.
1320
01:06:23,200 –> 01:06:28,040
We cool the surface, remove unconstrained delegation from anything but edge relays that
1321
01:06:28,040 –> 01:06:34,600
terminate in isolation, use constrained delegation with protocol transition only where audited,
1322
01:06:34,600 –> 01:06:40,720
and favor resource-based constrained delegation to pin who may speak for whom.
1323
01:06:40,720 –> 01:06:46,600
We deny interactive logon to service accounts so human heat never bays the furnace.
1324
01:06:46,600 –> 01:06:48,480
The KRBTGT secret is time.
1325
01:06:48,480 –> 01:06:55,160
If it goes stale, forged TGTs from a past era may still be honored by controllers that
1326
01:06:55,160 –> 01:06:57,200
never learned the new song.
1327
01:06:57,200 –> 01:07:02,400
We reset KRBTGT twice in a controlled window with replication observed, tickets allowed
1328
01:07:02,400 –> 01:07:04,440
to age out between rotations.
1329
01:07:04,440 –> 01:07:06,800
This is a ritual not a reaction.
1330
01:07:06,800 –> 01:07:10,520
When a forest trembles, we perform it again after eviction.
1331
01:07:10,520 –> 01:07:15,200
PAC data, authorization claims inside tickets, carries group memberships and privileges
1332
01:07:15,200 –> 01:07:17,480
signed by the KDC.
1333
01:07:17,480 –> 01:07:23,800
Services that validate PAC signatures ask the KDC to confirm the seal when uncertain.
1334
01:07:23,800 –> 01:07:27,920
When validation is lax, injected claims masquerade as truth.
1335
01:07:27,920 –> 01:07:33,960
Enable PAC signature validation for sensitive services and log failures like gravitational
1336
01:07:33,960 –> 01:07:35,200
anomalies.
1337
01:07:35,200 –> 01:07:39,760
When a service claims a user belongs to a group they never joined, the sky is lying.
1338
01:07:39,760 –> 01:07:46,080
Time remains the quiet tyrant. Kerberos lifetimes, skew tolerance and renewal windows define
1339
01:07:46,080 –> 01:07:48,520
how long light persists.
1340
01:07:48,520 –> 01:07:52,640
Short lifetimes reduce the window for ticket theft to matter.
1341
01:07:52,640 –> 01:07:55,760
Excessively short lifetimes induce thrash.
1342
01:07:55,760 –> 01:07:58,840
Excessively long lifetimes tolerate drift.
1343
01:07:58,840 –> 01:08:02,880
Critical identities benefit from stricter horizons.
1344
01:08:02,880 –> 01:08:07,240
Protected Users limits delegation and reduces lifetime.
1345
01:08:07,240 –> 01:08:13,080
Start with MFA at interactive entry so TGT minting itself costs energy.
1346
01:08:13,080 –> 01:08:15,800
Trusts stretch Kerberos across galaxies.
1347
01:08:15,800 –> 01:08:23,040
When domains or forests trust, TGTs cross wormholes through referral tickets.
1348
01:08:23,040 –> 01:08:29,080
Selective authentication ensures only named entities may be trusted on the far side.
1349
01:08:29,080 –> 01:08:33,720
Without it, authenticated users drift where they never belonged.
1350
01:08:33,720 –> 01:08:37,800
SID filtering cuts forged history at the border.
1351
01:08:37,800 –> 01:08:41,840
Disabled filtering lets the past impersonate the present.
1352
01:08:41,840 –> 01:08:44,360
We anchor wormholes with gates.
1353
01:08:44,360 –> 01:08:46,840
Selective authentication on two way trusts.
1354
01:08:46,840 –> 01:08:53,280
SID filtering enabled and monitoring for interforest ticket flows that do not match business schedule.
1355
01:08:53,280 –> 01:08:55,760
Lab echo, soft tick.
1356
01:08:55,760 –> 01:08:57,520
Event 4768.
1357
01:08:57,520 –> 01:09:01,680
Unusual pre-auth failures from a management subnet.
1358
01:09:01,680 –> 01:09:02,840
Low chime.
1383
01:09:53,400 –> 01:10:08,400
NTLM is not evil.
1384
01:10:08,400 –> 01:10:09,400
It is ancient.
1385
01:10:09,400 –> 01:10:14,400
A dialect from a colder era preserved in sediment and convenience.
1386
01:10:14,400 –> 01:10:17,320
When the enterprise forgets it exists,
1387
01:10:17,320 –> 01:10:18,920
It does not vanish.
1388
01:10:18,920 –> 01:10:20,120
It waits.
1389
01:10:20,120 –> 01:10:21,440
Fossils do not chase us.
1390
01:10:21,440 –> 01:10:22,680
We step on them.
1391
01:10:22,680 –> 01:10:26,840
NTLM speaks challenge and response, not tickets and curvature.
1392
01:10:26,840 –> 01:10:29,200
There is no KDC to seal memory.
1393
01:10:29,200 –> 01:10:33,360
There is only a server asking for proof and a client offering a computation.
1394
01:10:33,360 –> 01:10:40,560
Without signing, without binding, the conversation can be stolen mid-sentence and replayed elsewhere.
1395
01:10:40,560 –> 01:10:46,840
With weak variants, LM and NTLMv1, the math yields to guessing in hours, sometimes
1396
01:10:46,840 –> 01:10:48,160
minutes.
1397
01:10:48,160 –> 01:10:53,120
Even modern NTLMv2, when unguarded, will reflect through relays and grant what it never
1398
01:10:53,120 –> 01:10:54,880
meant to grant.
1399
01:10:54,880 –> 01:10:56,240
Relays are not magic.
1400
01:10:56,240 –> 01:10:58,120
They are gravity exploiting a slope.
1401
01:10:58,120 –> 01:11:01,600
A victim tries to authenticate to a hostile middle.
1402
01:11:01,600 –> 01:11:06,840
The middle carries the challenge faithfully to a real server, returns the response and wins
1403
01:11:06,840 –> 01:11:08,440
a session it never earned.
1404
01:11:08,440 –> 01:11:10,200
No passwords captured.
1405
01:11:10,200 –> 01:11:12,080
No hashes cracked.
1406
01:11:12,080 –> 01:11:17,280
Only a trust misplaced between two points that did not verify each other.
1407
01:11:17,280 –> 01:11:21,880
When SMB signing is optional, when LDAP channel binding sleeps,
1408
01:11:21,880 –> 01:11:26,720
When HTTP neglects mutual TLS, the slope is slick.
1409
01:11:26,720 –> 01:11:28,800
Lab echo, low chime.
1410
01:11:28,800 –> 01:11:31,040
4769 remains quiet.
1411
01:11:31,040 –> 01:11:33,080
4776 flickers.
1412
01:11:33,080 –> 01:11:37,000
NTLM authentication to file archive from unknown host.
1413
01:11:37,000 –> 01:11:38,000
Base pulse.
1414
01:11:38,000 –> 01:11:40,960
SMB signing not required.
1415
01:11:40,960 –> 01:11:43,200
The fossil hums beneath modern stone.
1416
01:11:43,200 –> 01:11:48,280
Why does NTLM persist? Because some caves never saw light: devices and services that
1417
01:11:48,280 –> 01:11:55,320
cannot speak Kerberos, mixed realms, legacy appliances, stubborn printers that demand a handshake
1418
01:11:55,320 –> 01:11:57,280
older than your governance.
1419
01:11:57,280 –> 01:12:02,840
It also persists because humans visit those caves with privileged tokens.
1420
01:12:02,840 –> 01:12:07,360
When a domain admin touches a legacy share, the fossil is invited to dinner.
1421
01:12:07,360 –> 01:12:09,160
The attacker does not have to cook.
1422
01:12:09,160 –> 01:12:10,760
They serve.
1423
01:12:10,760 –> 01:12:13,000
Defense begins with renunciation.
1424
01:12:13,000 –> 01:12:16,480
Disable LM and NTLMv1 outright.
1425
01:12:16,480 –> 01:12:19,640
There is no business case worthy of geologic weakness.
1426
01:12:19,640 –> 01:12:26,000
Raise the NTLM audit level to measure where it still flows, then apply policy to refuse
1427
01:12:26,000 –> 01:12:29,440
it where possible, confine it where necessary.
1428
01:12:29,440 –> 01:12:34,760
In domains that cannot yet retire it, define allow lists for services permitted to accept
1429
01:12:34,760 –> 01:12:38,760
NTLM and make every other service answer with silence.
1430
01:12:38,760 –> 01:12:45,180
Then add friction to the slope and force SMB signing on clients and servers so relays
1431
01:12:45,180 –> 01:12:48,680
cannot convince the far side they are near.
1432
01:12:48,680 –> 01:12:54,160
Enable extended protection and channel binding for LDAP over TLS so the client’s proof
1433
01:12:54,160 –> 01:12:59,980
is tied to the service certificate and an impostor cannot reuse it elsewhere. Where web stacks
1434
01:12:59,980 –> 01:13:06,800
live, prefer Kerberos with SPNs and constrain fallback.
1435
01:13:06,800 –> 01:13:13,320
Where NTLM must remain, require mutual TLS so at least the tunnel refuses strangers.
1436
01:13:13,320 –> 01:13:19,520
We align identity with purpose. Protected Users for critical accounts prevents NTLM use
1437
01:13:19,520 –> 01:13:21,000
entirely.
1438
01:13:21,000 –> 01:13:24,920
Those identities will not speak fossil dialects.
1439
01:13:24,920 –> 01:13:30,760
Administrative actions move through PAWs that deny NTLM at the OS and network layers.
1440
01:13:30,760 –> 01:13:35,600
Service accounts retire bare passwords for managed service accounts or Kerberos only
1441
01:13:35,600 –> 01:13:42,200
bindings. Where NTLM is demanded, we quarantine those services in subnets that do not touch
1442
01:13:42,200 –> 01:13:44,480
Tier 0.
1443
01:13:44,480 –> 01:13:51,080
Trusts across forests adopt selective authentication so NTLM sessions do not drift across wormholes
1444
01:13:51,080 –> 01:13:52,080
uninspected.
1445
01:13:52,080 –> 01:13:53,560
Lab echo.
1446
01:13:53,560 –> 01:13:55,160
Soft tick.
1447
01:13:55,160 –> 01:14:00,040
Group policy enforced, Microsoft network client: Digitally sign communications (always),
1448
01:14:00,040 –> 01:14:01,360
enabled.
1449
01:14:01,360 –> 01:14:07,160
Low chime. LDAP channel binding required. The sediment begins to harden.
1450
01:14:07,160 –> 01:14:11,040
Detection must treat NTLM as seismic activity.
1451
01:14:11,040 –> 01:14:16,880
4776 shows NTLM authentication attempts; cluster by source to find relays.
1452
01:14:16,880 –> 01:14:22,760
4624 with Logon Type 3 from unusual intermediaries betrays a man in the middle.
1453
01:14:22,760 –> 01:14:24,400
4648.
1454
01:14:24,400 –> 01:14:30,000
Logon with explicit credentials, without a corresponding Kerberos path, suggests fossil
1455
01:14:30,000 –> 01:14:31,000
pressure.
1456
01:14:31,000 –> 01:14:37,000
Paired with Sysmon event 3 for SMB sessions between hosts that should never converse.
1457
01:14:37,000 –> 01:14:42,720
5140 share accesses that appear from jump hosts outside maintenance windows.
1458
01:14:42,720 –> 01:14:43,720
Build correlation.
1459
01:14:43,720 –> 01:14:52,880
NTLM where Kerberos should rule, SMB without signing, LDAP binds without channel binding.
1460
01:14:52,880 –> 01:14:56,480
Curvature emerges in combinations, not single stars.
1461
01:14:56,480 –> 01:15:01,760
We must name the printers too. The spooler’s reflexes have long been a tide for relays and coercion;
1462
01:15:01,760 –> 01:15:04,840
on servers that are not print servers, disable the spooler.
1463
01:15:04,840 –> 01:15:10,040
On those that must print, isolate, patch aggressively, and monitor for outbound authentication
1464
01:15:10,040 –> 01:15:11,040
bursts.
1465
01:15:11,040 –> 01:15:14,640
Convenience is not worth an ocean current that touches Tier 0.
1466
01:15:14,640 –> 01:15:16,440
Time participates.
1467
01:15:16,440 –> 01:15:22,480
Old applications can be modernized if we assign owners, budgets and sunsets.
1468
01:15:22,480 –> 01:15:24,920
Isolation is not exile, it is mercy.
1469
01:15:24,920 –> 01:15:31,280
VLANs with deny by default, firewall rules that allow only application ports, no inbound
1470
01:15:31,280 –> 01:15:37,600
admin except via bastions that refuse NTLM. Compensate with telemetry.
1471
01:15:37,600 –> 01:15:44,080
Sysmon on, command line capture, driver load audits, kernel protections enforced.
1472
01:15:44,080 –> 01:15:48,120
Every NTLM allowance must be louder than Kerberos by design.
1473
01:15:48,120 –> 01:15:53,360
Lab echo, base pulse. Attempted SMB relay blocked, signing required, source
1474
01:15:53,360 –> 01:16:06,320
10.23.7.41, target file archive. Low chime. 4776 surge reduced 83% after policy rollout.
1475
01:16:06,320 –> 01:16:09,680
Fossil gravity weakens when law returns.
1476
01:16:09,680 –> 01:16:14,880
Identity bends toward ease, our task is to make the easy path the safe one.
1477
01:16:14,880 –> 01:16:19,200
We move administrators to Kerberos first flows with MFA at entry.
1478
01:16:19,200 –> 01:16:24,280
We force SPNs into clarity, no aliasing that invites NTLM fallback.
1479
01:16:24,280 –> 01:16:31,000
We train habit: when a tool prompts for NTLM we ask why; when a host accepts it silently,
1480
01:16:31,000 –> 01:16:32,840
we correct it.
1481
01:16:32,840 –> 01:16:37,960
And we accept the truth: NTLM will never be perfectly gone while legacy breathes,
1482
01:16:37,960 –> 01:16:41,280
so we cage it, bind it, watch it, and starve it.
1483
01:16:41,280 –> 01:16:46,680
NTLM is a fossil, useful for museum work, deadly on the highway. Keep it behind glass.
1484
01:16:46,680 –> 01:16:51,760
Scripted segment: the domain controller as a black hole. In every Windows universe, there
1485
01:16:51,760 –> 01:16:53,160
is a mass at the center.
1486
01:16:53,160 –> 01:16:55,040
You call it a domain controller.
1487
01:16:55,040 –> 01:17:00,960
Every authentication, every authorization request, every ticket and hash and token, they
1488
01:17:00,960 –> 01:17:02,120
arc around it.
1489
01:17:02,120 –> 01:17:07,560
The KDC breathes there, the directory remembers there, group policy descends like radiation
1490
01:17:07,560 –> 01:17:09,640
pressure from that core.
1491
01:17:09,640 –> 01:17:15,240
Power BI does not simply show us; the controller defines what can be shown at all.
1492
01:17:15,240 –> 01:17:17,680
Workers do not dream of a random file server.
1493
01:17:17,680 –> 01:17:21,240
They fall relentlessly toward the event horizon.
1494
01:17:21,240 –> 01:17:27,360
Once a domain admin token crosses, gravity flips: the directory no longer resists, it obeys.
1495
01:17:27,360 –> 01:17:29,960
A forged past can be written as present.
1496
01:17:29,960 –> 01:17:36,600
A temporary test GPO becomes law, a service account is fixed with broader rights than
1497
01:17:36,600 –> 01:17:42,960
the sun can safely bear, not a breach, a redefinition of reality.
1498
01:17:42,960 –> 01:17:44,440
Low chime.
1499
01:17:44,440 –> 01:17:53,280
And 4769 drift clusters spike for CIFS/sharecore from an unusual principal. Base pulse.
1500
01:17:53,280 –> 01:17:57,920
4672 privileged logon outside maintenance window.
1501
01:17:57,920 –> 01:18:01,240
The fabric whispers, the horizon is near.
1502
01:18:01,240 –> 01:18:02,960
We pull the camera closer.
1503
01:18:02,960 –> 01:18:07,360
A DC is not merely a server, it is the singularity of trust.
1504
01:18:07,360 –> 01:18:09,320
Sysvol carries the laws.
1505
01:18:09,320 –> 01:18:15,080
The NTDS database holds the memory of every principal and secret. LSASS on a DC is not one key ring
1506
01:18:15,080 –> 01:18:19,240
among many, it is the key ring that can mint more.
1507
01:18:19,240 –> 01:18:24,520
If this mass bends, the entire forest curves. This is why every control lines up toward
1508
01:18:24,520 –> 01:18:26,040
one goal.
1509
01:18:26,040 –> 01:18:31,720
Never allow a high value token to settle on a low trust surface within the world’s gravity.
1510
01:18:31,720 –> 01:18:36,600
Not through unconstrained delegation that turns furnaces into token magnets.
1511
01:18:36,600 –> 01:18:42,440
Not through cached credentials left by convenience, not through temporary exceptions in GPOs
1512
01:18:42,440 –> 01:18:45,520
that no one dared remove. We speak ceremony.
1513
01:18:45,520 –> 01:18:47,200
Tier 0 is sacred.
1514
01:18:47,200 –> 01:18:48,840
No casual browsing.
1515
01:18:48,840 –> 01:18:49,840
No email.
1516
01:18:49,840 –> 01:18:51,360
No developer tools.
1517
01:18:51,360 –> 01:18:53,920
No RDP from workstations.
1518
01:18:53,920 –> 01:18:58,520
Administrative hands reach from privileged access workstations with hardened profiles,
1519
01:18:58,520 –> 01:19:02,200
recorded sessions, and policies that refuse fossils.
1520
01:19:02,200 –> 01:19:09,040
The domain controller does not host convenience, it hosts law.
1521
01:19:09,040 –> 01:19:10,440
Lab echo.
1522
01:19:10,440 –> 01:19:12,080
Soft tick.
1523
01:19:12,080 –> 01:19:13,080
Denied.
1524
01:19:13,080 –> 01:19:14,240
Interactive logon.
1525
01:19:14,240 –> 01:19:18,000
Attempt to DC03 by Tier 1 operator.
1526
01:19:18,000 –> 01:19:20,400
The gate holds because the gate is explicit.
1527
01:19:20,400 –> 01:19:22,040
We define the orbit.
1528
01:19:22,040 –> 01:19:23,040
Delegation cut to shape.
1529
01:19:23,040 –> 01:19:24,040
No unconstrained.
1530
01:19:24,040 –> 01:19:26,040
Constrained only where audited.
1531
01:19:26,040 –> 01:19:27,040
Resource-based.
1532
01:19:27,040 –> 01:19:28,040
Constrained.
1533
01:19:28,040 –> 01:19:29,040
Delegation.
1534
01:19:29,040 –> 01:19:32,440
This names exactly who may bend identity toward them.
1535
01:19:32,440 –> 01:19:38,680
SPNs owned by managed service accounts with secrets that rotate like pulsars, KRBTGT reset
1536
01:19:38,680 –> 01:19:43,320
twice on a cadence that treats time as physics, not hope.
1537
01:19:43,320 –> 01:19:49,200
PAC validation where services can ask the KDC to confirm the seal when any doubt invades.
1538
01:19:49,200 –> 01:19:51,080
We starve the slopes.
1539
01:19:51,080 –> 01:19:56,320
SMB signing enforced, so relays cannot impersonate gravity.
1540
01:19:56,320 –> 01:20:00,240
LDAP channel binding so secrets cannot be replayed through impostors.
1541
01:20:00,240 –> 01:20:04,280
NTLM reduced to the museum, caged and loud.
1542
01:20:04,280 –> 01:20:06,560
The print spooler stopped on the DCs.
1543
01:20:06,560 –> 01:20:09,400
There is nothing to print at the center of the universe.
1544
01:20:09,400 –> 01:20:11,800
We instrument inevitability.
1545
01:20:11,800 –> 01:20:22,280
Windows security logs for 4768, 4769, 4672, 4728, 4732, 4662 with DS-Replication-Get-Changes.
1546
01:20:22,280 –> 01:20:30,520
Sysmon for event 10 against LSASS, event 7 for unexpected SSPs, event 3 for lateral whispers
1547
01:20:30,520 –> 01:20:32,160
aimed at the core.
1548
01:20:32,160 –> 01:20:36,120
SIEM correlates, not volume, but curvature.
1549
01:20:36,120 –> 01:20:42,320
A privileged logon plus a new GPO link plus a replication permission assignment equals
1550
01:20:42,320 –> 01:20:43,960
gravity failure.
1551
01:20:43,960 –> 01:20:51,560
Base pulse. Directory replication access requested by SVC backup west. Low chime. 4662
1552
01:20:51,560 –> 01:20:57,000
on DC-02 matches DS-Replication-Get-Changes-All.
1553
01:20:57,000 –> 01:21:00,360
The telescope catches the crescent before eclipse.
1554
01:21:00,360 –> 01:21:03,120
We write recovery as ritual, not panic.
1555
01:21:03,120 –> 01:21:11,120
If the event horizon is breached we evict: accounts disabled, password resets, KRBTGT rotations,
1556
01:21:11,120 –> 01:21:17,560
DC rebuilds from known good media with secure boot and tamper protection.
1557
01:21:17,560 –> 01:21:24,640
We test forest recovery quarterly: metadata cleanup, system state restores, SYSVOL health,
1558
01:21:24,640 –> 01:21:28,360
DC reintroduction, paced with replication.
1559
01:21:28,360 –> 01:21:33,880
Backups are not real until a restored controller is trusted by fresh clients without manual
1560
01:21:33,880 –> 01:21:34,880
blessing.
1561
01:21:34,880 –> 01:21:36,240
Humans are part of gravity.
1562
01:21:36,240 –> 01:21:41,840
A senior admin fatigued at 0211 opens server manager from a workstation and clicks into
1563
01:21:41,840 –> 01:21:45,960
a DC for a minute.
1564
01:21:45,960 –> 01:21:55,040
A junior analyst notices the drift, a 4672 at an hour that never held change windows.
1565
01:21:55,040 –> 01:22:01,160
Curiosity becomes escalation, escalation becomes prevention, prevention becomes culture.
1566
01:22:01,160 –> 01:22:05,800
We honor both the mistake caught and the ritual that kept it reversible.
1567
01:22:05,800 –> 01:22:10,680
The observer speaks: I am the domain. I felt the drift at 0347.
1568
01:22:10,680 –> 01:22:14,240
When Kerberos curvature faltered, I trembled.
1569
01:22:14,240 –> 01:22:17,640
When you removed unconstrained delegation my heat fell.
1570
01:22:17,640 –> 01:22:23,880
When you rotated KRBTGT twice, time aligned. When you denied me convenience, I endured. Low
1571
01:22:23,880 –> 01:22:25,040
chime.
1572
01:22:25,040 –> 01:22:30,560
Park in action approved, change ticket present. Base pulse softens. A domain controller is
1573
01:22:30,560 –> 01:22:31,720
a black hole.
1574
01:22:31,720 –> 01:22:36,560
We do not move it, we orbit it with respect. We script law into GPOs, not wishes. We bind
1575
01:22:36,560 –> 01:22:41,080
ceremony to privilege, we prefer boredom to brilliance at the core.
1576
01:22:41,080 –> 01:22:45,880
And when fabric synchronizes the data streams, the horizon is not a surprise, it is a boundary,
1577
01:22:45,880 –> 01:22:47,960
we keep it that way.
1578
01:22:47,960 –> 01:22:53,080
Delegation and service account hygiene. Delegation is not convenience, it is controlled gravity.
1579
01:22:53,080 –> 01:22:57,840
When we allow one service to act for a user we bend identity through a lens and hope the
1580
01:22:57,840 –> 01:22:59,360
image remains true.
1581
01:22:59,360 –> 01:23:01,200
Hope is not policy.
1582
01:23:01,200 –> 01:23:05,680
Unconstrained delegation is a furnace: any principal that touches it can leave a TGT behind
1583
01:23:05,680 –> 01:23:07,200
as radiant heat.
1584
01:23:07,200 –> 01:23:12,920
The service may then request tickets to anything the visitor could reach, on a sleepy app server
1585
01:23:12,920 –> 01:23:18,560
that becomes a token magnet, on a management tier it becomes collapse.
1586
01:23:18,560 –> 01:23:19,560
Remove it.
1587
01:23:19,560 –> 01:23:25,200
Where legacy insists, isolate the furnace in a sealed chamber: deny interactive logon, no
1588
01:23:25,200 –> 01:23:31,880
admin sessions ever, separate VLAN, deny outbound except to named SPNs, and instrument memory
1589
01:23:31,880 –> 01:23:33,520
like a reactor.
1590
01:23:33,520 –> 01:23:36,440
Constrained delegation is engineered light.
1591
01:23:36,440 –> 01:23:42,000
We allow a service to present itself as us but only towards specified SPNs.
1592
01:23:42,000 –> 01:23:47,040
This is better but not safe by default, the list of target SPNs becomes law.
1593
01:23:47,040 –> 01:23:49,760
Overbroad targets are a quiet disaster.
1594
01:23:49,760 –> 01:23:54,440
CIFS is not specificity, it is surrender.
1595
01:23:54,440 –> 01:23:59,800
Use exact service names, exact hosts and review quarterly, coupled with strong secrets
1596
01:23:59,800 –> 01:24:05,080
or managed service accounts so the lens cannot be twisted by weak keys.
1597
01:24:05,080 –> 01:24:09,000
Resource-based constrained delegation is a mirror turned inward.
1598
01:24:09,000 –> 01:24:12,920
The target service declares who may impersonate users to it.
1599
01:24:12,920 –> 01:24:16,640
This flips control to the destination where ownership lives.
1600
01:24:16,640 –> 01:24:22,200
It reduces the blast radius of a misconfigured source but it still demands ceremony.
1601
01:24:22,200 –> 01:24:27,240
Only service principals that own the workload receive this trust, approvals are ticketed
1602
01:24:27,240 –> 01:24:30,760
and removal is dated before additional curves.
1603
01:24:30,760 –> 01:24:36,600
Deny human group objects the right to delegate; people rotate, mirrors should not.
1604
01:24:36,600 –> 01:24:42,400
Service accounts are not people, they are vessels. Name them with purpose, SVC app finance,
1605
01:24:42,400 –> 01:24:47,520
MSSQL ledger SVC, so ownership and scope are obvious.
1606
01:24:47,520 –> 01:24:53,360
Grant only the rights the service needs and nothing that looks like identity governance.
1607
01:24:53,360 –> 01:24:58,000
A backup service that can DCSync is not helpful, it is sovereign.
1608
01:24:58,000 –> 01:25:05,000
If a workload truly requires directory replication, assign a dedicated account with only DS-Replication-Get-Changes
1609
01:25:05,000 –> 01:25:12,320
and DS-Replication-Get-Changes-All, lock its logon rights to specific hosts
1610
01:25:12,320 –> 01:25:16,480
and bind its network paths to a fixed perimeter.
1611
01:25:16,480 –> 01:25:18,860
Everything else pretends.
1612
01:25:18,860 –> 01:25:24,680
Secrets define mass. Static passwords decay into drift. Move service accounts to managed service
1613
01:25:24,680 –> 01:25:33,160
accounts, sMSA for single host, gMSA for farms. Rotation becomes heartbeat, Kerberos keys change
1614
01:25:33,160 –> 01:25:40,920
without human hands. Where gMSA is not possible, enforce long random secrets and a rotation
1615
01:25:40,920 –> 01:25:46,800
schedule measured in weeks, not years, and script the ritual so rollout is predictable.
1616
01:25:46,800 –> 01:25:53,320
Log every rotation, alert every failure, no manual edits at 0211. SPN ownership is gravity:
1617
01:25:53,320 –> 01:25:59,200
when an SPN points at an account, that account holds the cryptographic key that encrypts tickets
1618
01:25:59,200 –> 01:26:00,200
to that service.
1619
01:26:00,200 –> 01:26:04,560
If the account secret is weak, those tickets become bait for offline guessing.
1620
01:26:04,560 –> 01:26:11,200
Limit who can write SPNs, strip SPN-set rights from helpdesk templates, make SPN creation
1621
01:26:11,200 –> 01:26:17,400
a CAB-tracked event with a rollback plan, audit SPNs monthly for duplicates, stale entries
1622
01:26:17,400 –> 01:26:20,760
and orphans that point to retired hosts.
1623
01:26:20,760 –> 01:26:24,560
Retired stars still bend light until you remove them.
1624
01:26:24,560 –> 01:26:29,860
Delegation and interactive logon must never intersect, deny interactive logon to every service
1625
01:26:29,860 –> 01:26:33,720
principal; a person should never sign in as a service.
1626
01:26:33,720 –> 01:26:36,400
A service should never receive a desktop.
1627
01:26:36,400 –> 01:26:41,880
If a vendor demands it, place that instance behind glass, apply AppLocker or WDAC to the
1628
01:26:41,880 –> 01:26:48,280
host, capture command lines and verify that any shell started under the service identity
1629
01:26:48,280 –> 01:26:50,680
is an incident, not a habit.
1630
01:26:50,680 –> 01:26:55,840
You map where service accounts breathe: logon rights constrained to specific hosts, allow
1631
01:26:55,840 –> 01:26:59,000
logon as a service tied only to the runtime.
1632
01:26:59,000 –> 01:27:05,680
No logon locally, no logon through RDP, no act as part of the operating system, unless
1633
01:27:05,680 –> 01:27:10,320
it is a narrow kernel boundary with explicit justification.
1634
01:27:10,320 –> 01:27:16,840
If a service writes to file shares, grant precisely the folders, never the root.
1635
01:27:16,840 –> 01:27:23,360
Rights are vectors, vectors compose into paths. Lab echo, low chime: delegation audit, 12
1636
01:27:23,360 –> 01:27:30,160
unconstrained principals discovered, 9 on legacy app tier. Bass pulse: SPN set rights, 37
1637
01:27:30,160 –> 01:27:34,680
accounts hold Write servicePrincipalName outside admin groups.
1638
01:27:34,680 –> 01:27:40,160
The curvature is not subtle; it is policy asleep. We instrument the lenses.
1639
01:27:40,160 –> 01:27:47,200
Event 4769 spikes for SPNs tied to privileged services should page, not wait.
1640
01:27:47,200 –> 01:27:53,680
Events 4738 and 4739 for service account attribute changes, especially userAccountControl
1641
01:27:53,680 –> 01:27:56,040
flags toggling delegation.
1642
01:27:56,040 –> 01:28:02,920
Directory access 4662 filtered on msDS-AllowedToDelegateTo or
1643
01:28:02,920 –> 01:28:04,840
msDS-AllowedToActOnBehalfOfOtherIdentity.
1644
01:28:04,840 –> 01:28:09,720
Sysmon event 7 for unexpected SSP modules on servers that terminate delegation paths.
1645
01:28:09,720 –> 01:28:15,200
And SIEM logic that cries out when a delegated ticket to a sensitive SPN appears from a source
1646
01:28:15,200 –> 01:28:17,400
that never historically asked.
1647
01:28:17,400 –> 01:28:22,000
We enforce Protected Users on the principals that must never delegate or be delegated
1648
01:28:22,000 –> 01:28:23,520
on behalf of.
1649
01:28:23,520 –> 01:28:30,120
Their TGT lifetimes compress, NTLM is refused, and constrained delegation ignores them.
1650
01:28:30,120 –> 01:28:35,840
Pair with inbound PAC validation on sensitive services so injected claims cannot masquerade
1651
01:28:35,840 –> 01:28:37,440
as truth.
1652
01:28:37,440 –> 01:28:42,840
Where services support it, require service hardening options, Kerberos armoring (FAST) and channel
1653
01:28:42,840 –> 01:28:46,560
binding to anchor the math to the endpoint.
1654
01:28:46,560 –> 01:28:48,560
Humans complete the system.
1655
01:28:48,560 –> 01:28:51,600
Owners are named for every service principal.
1656
01:28:51,600 –> 01:28:57,160
Rotations have calendars, emergency use is JIT, not standing, changes require dual control,
1657
01:28:57,160 –> 01:29:04,560
reviews close the loop, quarterly attestations list SPNs, targets, logon rights, and
1658
01:29:04,560 –> 01:29:07,040
the last rotate date.
1659
01:29:07,040 –> 01:29:12,760
Humans expire by default, anything older than a business cycle earns isolation or retirement.
1660
01:29:12,760 –> 01:29:16,040
The observer speaks, “I am the directory.
1661
01:29:16,040 –> 01:29:19,760
I felt the heat fall when you cooled the furnaces.
1662
01:29:19,760 –> 01:29:22,360
I felt the light focus when you tuned the lenses.
1663
01:29:22,360 –> 01:29:27,360
I held when service accounts became vessels with rituals, not people with habits.
1664
01:29:27,360 –> 01:29:28,360
Low chime.
1665
01:29:28,360 –> 01:29:32,720
gMSA deployment complete, 61 principals migrated.
1666
01:29:32,720 –> 01:29:35,760
Bass pulse fades, gravity behaves.
1667
01:29:35,760 –> 01:29:39,080
Collapse and containment, compromise is not a plot twist.
1668
01:29:39,080 –> 01:29:40,080
It is weather.
1669
01:29:40,080 –> 01:29:42,200
A foothold becomes a climb.
1670
01:29:42,200 –> 01:29:44,200
A climb becomes a crossing.
1671
01:29:44,200 –> 01:29:46,480
A crossing becomes a rewrite.
1672
01:29:46,480 –> 01:29:52,240
Collapse begins at edges, not at the core, and it moves along paths we already mapped.
1673
01:29:52,240 –> 01:29:55,120
We will trace that arc with discipline.
1674
01:29:55,120 –> 01:29:59,520
Initial access sparks on a workstation, a service or a legacy cave.
1675
01:29:59,520 –> 01:30:01,400
Local privilege becomes fuel.
1676
01:30:01,400 –> 01:30:07,720
We are tested: if shields hold, movement slows; if shields fail, credentials spill as heat.
1677
01:30:07,720 –> 01:30:09,560
Paths form.
1678
01:30:09,560 –> 01:30:13,720
RDP, WinRM, SMB, WMI.
1679
01:30:13,720 –> 01:30:16,520
Shared secrets amplify.
1680
01:30:16,520 –> 01:30:19,440
Unique secrets dampen.
1681
01:30:19,440 –> 01:30:23,280
We will show persistence as writing a name into time.
1682
01:30:23,280 –> 01:30:29,960
Scheduled tasks disguised as maintenance, services that restart obediently, keys that
1683
01:30:29,960 –> 01:30:34,240
reopen doors, tickets that outlive their welcome.
1684
01:30:34,240 –> 01:30:37,040
We will pair each tactic with counterforce.
1685
01:30:37,040 –> 01:30:44,960
Baselines, drift detection, ticket lifetime discipline, KRBTGT rotation and re-keying rituals.
1686
01:30:44,960 –> 01:30:47,000
Detection is the telescope.
1687
01:30:47,000 –> 01:30:48,640
Security logs speak.
1688
01:30:48,640 –> 01:30:51,320
4672 outside ritual.
1689
01:30:51,320 –> 01:30:54,480
4769 against quiet SPNs.
1690
01:30:54,480 –> 01:31:00,560
4662 for replication, 4732 when groups swell unexpectedly.
1691
01:31:00,560 –> 01:31:08,320
Sysmon whispers: event 10, seeking LSASS; event 3, walking beams; event 11, altering the
1692
01:31:08,320 –> 01:31:09,720
file system near law.
1693
01:31:09,720 –> 01:31:12,600
The SIEM correlates curvature, not noise.
1694
01:31:12,600 –> 01:31:19,480
Response is containment: quarantine hosts, revoke tokens, reset secrets with order, not panic.
1695
01:31:19,480 –> 01:31:25,800
Evict with patience and precision, and when the horizon is crossed, we rebuild with ceremony.
1696
01:31:25,800 –> 01:31:26,800
Low chime.
1697
01:31:26,800 –> 01:31:28,640
We fall further now.
1698
01:31:28,640 –> 01:31:31,240
Lateral movement, walking the beams.
1699
01:31:31,240 –> 01:31:33,440
Lateral movement is not chaos.
1700
01:31:33,440 –> 01:31:35,120
It is light choosing a path.
1701
01:31:35,120 –> 01:31:38,800
Once local privilege exists, identity looks outward.
1702
01:31:38,800 –> 01:31:41,120
It seeks neighbouring mass.
1703
01:31:41,120 –> 01:31:43,560
Sessions, shares, services.
1704
01:31:43,560 –> 01:31:44,720
The beams are familiar.
1705
01:31:44,720 –> 01:31:46,920
RDP, SMB, WinRM, WMI.
1706
01:31:46,920 –> 01:31:47,920
Each is a conduit.
1707
01:31:47,920 –> 01:31:48,920
Each is a choice.
1708
01:31:48,920 –> 01:31:51,120
Attackers do not invent highways.
1709
01:31:51,120 –> 01:31:53,480
They read the map we already paved.
1710
01:31:53,480 –> 01:31:55,400
RDP is a corridor with memory.
1711
01:31:55,400 –> 01:31:59,640
If credentials are reusable, a single foothold becomes a tour.
1712
01:31:59,640 –> 01:32:06,400
Shared local administrator passwords are a constellation that collapses at first touch.
1713
01:32:06,400 –> 01:32:08,880
Pass-the-hash is physics, not romance.
1714
01:32:08,880 –> 01:32:11,480
Present a token, inherit the rights.
1715
01:32:11,480 –> 01:32:14,160
If LAPS is absent, beams align.
1716
01:32:14,160 –> 01:32:18,200
If LAPS turns each star unique, the corridor narrows.
1717
01:32:18,200 –> 01:32:20,760
RDP becomes ceremony instead of convenience.
1718
01:32:20,760 –> 01:32:22,760
SMB’s gravity is a freight route.
1719
01:32:22,760 –> 01:32:27,880
File shares are supply lines, but the protocol also carries identity.
1720
01:32:27,880 –> 01:32:31,960
When SMB signing is optional, a relay can masquerade as proximity.
1721
01:32:31,960 –> 01:32:36,000
When it is enforced, an imposter cannot carry your proof across the room.
1722
01:32:36,000 –> 01:32:39,960
Admin shares, C$ and ADMIN$, are doors to the hull.
1723
01:32:39,960 –> 01:32:45,320
If local admin is common, those doors open in sequence, machine to machine, until the
1724
01:32:45,320 –> 01:32:47,760
network looks like a straight line.
1725
01:32:47,760 –> 01:32:53,120
If local admin is unique and remote UAC stands guard, the straight line breaks into
1726
01:32:53,120 –> 01:32:54,520
islands.
1727
01:32:54,520 –> 01:32:57,280
WinRM is a voice carried by HTTP.
1728
01:32:57,280 –> 01:33:01,200
It is clean, scriptable and dangerous when unsegmented.
1729
01:33:01,200 –> 01:33:06,560
If a foothold can speak to servers across tiers, and if the caller possesses a token with
1730
01:33:06,560 –> 01:33:12,400
power, Invoke-Command becomes someone else in another room.
1731
01:33:12,400 –> 01:33:16,440
Constrained endpoints with just enough administration change the geometry.
1732
01:33:16,440 –> 01:33:21,680
Verbs become finite, power becomes measurable; without them the voice can recite any spell
1733
01:33:21,680 –> 01:33:22,680
it remembers.
1734
01:33:22,680 –> 01:33:24,680
WMI is an old whisper.
1735
01:33:24,680 –> 01:33:29,040
It travels where RPC allows and does not care about ceremony.
1736
01:33:29,040 –> 01:33:34,720
If the caller is local admin on the target, a process can be created in silence.
1737
01:33:34,720 –> 01:33:41,200
If firewall baselines separate workstations from servers and servers from domain controllers,
1738
01:33:41,200 –> 01:33:42,680
the whisper fades.
1739
01:33:42,680 –> 01:33:48,840
If not, the enterprise mistakes convenience for physics. Lab echo, low chime: Sysmon event
1740
01:33:48,840 –> 01:33:54,040
3, SMB session from WS217 to APP ledger outside maintenance.
1741
01:33:54,040 –> 01:33:58,240
Bass pulse.
1742
01:33:58,240 –> 01:34:06,000
4624 logon type 3 on app ledger by local administrator, LAPS rotation overdue.
1743
01:34:06,000 –> 01:34:09,160
The beam is visible when we instrument it.
1744
01:34:09,160 –> 01:34:11,160
Shared secrets are accelerants.
1745
01:34:11,160 –> 01:34:16,920
A password reused across tier 1 and tier 2 machines turns one success into dozens.
1746
01:34:16,920 –> 01:34:23,640
A gMSA misapplied as an interactive identity turns a service key into a skeleton key.
1747
01:34:23,640 –> 01:34:26,080
We reduce accelerants by ritual.
1748
01:34:26,080 –> 01:34:30,040
LAPS for local admin everywhere, rotation as heartbeat.
1749
01:34:30,040 –> 01:34:34,880
No service accounts in local administrators unless documented necessity.
1750
01:34:34,880 –> 01:34:37,080
No domain admins outside tier.
1751
01:34:37,080 –> 01:34:38,080
Ever.
1752
01:34:38,080 –> 01:34:41,000
Separation is not politics, it is physics.
1753
01:34:41,000 –> 01:34:43,760
Network segmentation is gravity’s architecture.
1754
01:34:43,760 –> 01:34:47,480
East-West traffic should meet walls that ask why.
1755
01:34:47,480 –> 01:34:51,640
Workstations should not speak WinRM to servers by default.
1756
01:34:51,640 –> 01:34:55,200
Servers should not speak RDP to domain controllers.
1757
01:34:55,200 –> 01:35:00,080
Management subnets should be the only place where beams cross with privilege.
1758
01:35:00,080 –> 01:35:05,680
When a single workstation can RDP across 10 subnets, the map is negligent.
1759
01:35:05,680 –> 01:35:10,880
When only PAWs on a management VLAN can reach Tier 0, the curvature is intentional.
1760
01:35:10,880 –> 01:35:13,720
The controls become mirrors.
1761
01:35:13,720 –> 01:35:17,560
Credential guard reduces the value of what can be moved.
1762
01:35:17,560 –> 01:35:21,680
Protected users refuse fossil dialects that enable reflection.
1763
01:35:21,680 –> 01:35:27,000
Remote credential guard for RDP prevents credentials from landing on the destination.
1764
01:35:27,000 –> 01:35:30,600
With those mirrors, beams carry light without spilling heat.
1765
01:35:30,600 –> 01:35:35,480
Without them, every hop is a chance to shed a token you never meant to leave behind.
1766
01:35:35,480 –> 01:35:37,120
We police the edges.
1767
01:35:37,120 –> 01:35:43,320
The firewall rules deny any-to-any reflexes; only management servers may WinRM.
1768
01:35:43,320 –> 01:35:47,000
Only jump hosts may initiate RDP into Tier 1.
1769
01:35:47,000 –> 01:35:52,640
Only specific service accounts may access admin shares and only from named hosts.
1770
01:35:52,640 –> 01:35:54,840
These are not comfort constraints.
1771
01:35:54,840 –> 01:35:58,680
They are the difference between a lattice and a net.
1772
01:35:58,680 –> 01:36:01,560
Detection turns motion into music.
1773
01:36:01,560 –> 01:36:05,880
Watch 4624 logon type 3 and 10 from sources that do not belong.
1774
01:36:05,880 –> 01:36:09,760
Watch 4672 privileged logons outside ritual.
1775
01:36:09,760 –> 01:36:13,480
Pair with Sysmon event 1 for process trees that begin with PowerShell.
1776
01:36:13,480 –> 01:36:17,880
Or PsExec-like binaries or WMIC.
1777
01:36:17,880 –> 01:36:23,000
Or creating child processes on remote hosts.
1778
01:36:23,000 –> 01:36:30,000
Event 11 for file writes into C:\Windows, Logs, Temp and System32 from remote sessions.
1779
01:36:30,000 –> 01:36:34,600
Correlate with 4769 spikes for sensitive SPNs from new callers.
1780
01:36:34,600 –> 01:36:37,240
Other appears when patterns overlap.
1781
01:36:37,240 –> 01:36:39,800
Lab echo low chime.
1782
01:36:39,800 –> 01:36:47,000
Event 4672 privileged logon on SQL Fin from WS-2 Heaven Scene at 0211.
1783
01:36:47,000 –> 01:36:48,480
Bass pulse.
1784
01:36:48,480 –> 01:36:52,440
Sysmon 1: PowerShell.exe, winrs.exe
1785
01:36:52,440 –> 01:36:56,600
chain detected, command line length anomalous.
1786
01:36:56,600 –> 01:36:58,840
The telescope sees the beam.
1787
01:36:58,840 –> 01:37:00,880
We make beams conditional.
1788
01:37:00,880 –> 01:37:05,480
Just-in-time admin grants rights for minutes, not months.
1789
01:37:05,480 –> 01:37:09,040
JEA defines verbs per role, not per person.
1790
01:37:09,040 –> 01:37:14,440
Session recording, where lawful, turns privilege into accountable light.
1791
01:37:14,440 –> 01:37:20,520
PAM tiers treat crossings as ceremonies with approvals, not drive-bys.
1792
01:37:20,520 –> 01:37:25,880
When rights decay by default, momentum slows. Humans will still ask for shortcuts.
1793
01:37:25,880 –> 01:37:28,400
Just let me RDP from my laptop.
1794
01:37:28,400 –> 01:37:34,560
Just add me to local administrators everywhere.
1795
01:37:34,560 –> 01:37:37,760
Every just is a gravity well forming.
1796
01:37:37,760 –> 01:37:40,160
We say no and we offer a path.
1797
01:37:40,160 –> 01:37:41,160
Pause.
1798
01:37:41,160 –> 01:37:44,800
Jump hosts, scripted runbooks, delegated tools.
1799
01:37:44,800 –> 01:37:48,320
We replace convenience with velocity that does not bend the sky.
1800
01:37:48,320 –> 01:37:51,040
Finally we starve forgotten beams.
1801
01:37:51,040 –> 01:37:56,120
Disable the print spooler on servers that do not print so it cannot coerce.
1802
01:37:56,120 –> 01:38:01,440
Retire legacy management tools that traverse RPC without identity discipline.
1803
01:38:01,440 –> 01:38:05,680
Retire SMBv1 and refuse NTLM where Kerberos should speak.
1804
01:38:05,680 –> 01:38:07,680
Each closure narrows the graph.
1805
01:38:07,680 –> 01:38:09,200
Low chime.
1806
01:38:09,200 –> 01:38:11,560
RDP restricted to jump hosts.
1807
01:38:11,560 –> 01:38:13,040
Bass pulse fades.
1808
01:38:13,040 –> 01:38:14,760
SMB signing enforced.
1809
01:38:14,760 –> 01:38:16,360
NTLM declines.
1810
01:38:16,360 –> 01:38:18,800
The beams remain but they obey.
1811
01:38:18,800 –> 01:38:22,320
Lateral movement is inevitable when the map invites it.
1812
01:38:22,320 –> 01:38:24,080
Our task is not to fear motion.
1813
01:38:24,080 –> 01:38:30,280
Our task is to shape it, measure it and decide where light may travel.
1814
01:38:30,280 –> 01:38:33,240
Persistence, writing your name into time.
1815
01:38:33,240 –> 01:38:36,960
Persistence is not noise, it is inscription.
1816
01:38:36,960 –> 01:38:42,760
After the first crossing an intruder does not seek speed, they seek continuity.
1817
01:38:42,760 –> 01:38:48,720
A foothold becomes a signature that survives reboots, patches and forgetfulness.
1818
01:38:48,720 –> 01:38:52,520
They do not need fireworks, they need routine.
1819
01:38:52,520 –> 01:38:55,680
Scheduled tasks are handwriting disguised as maintenance.
1820
01:38:55,680 –> 01:39:02,000
A benign name, Update, Telemetry, OneDrive Sync Agent, Windows Health, set to run at
1821
01:39:02,000 –> 01:39:04,600
0211 with highest privileges.
1822
01:39:04,600 –> 01:39:10,960
The binary lives in a quiet directory with a timestamp borrowed from yesterday.
1823
01:39:10,960 –> 01:39:16,160
Triggers hide behind idle conditions, event-based starts or logon hooks.
1824
01:39:16,160 –> 01:39:19,880
On each sunrise the task awakens and reasserts presence.
1825
01:39:19,880 –> 01:39:25,940
We counter by turning routine into signal: baseline known tasks, alert on new ones with
1826
01:39:25,940 –> 01:39:32,120
elevated principals and require dual control for any task that runs as a service account.
1827
01:39:32,120 –> 01:39:34,560
Services are stone tablets.
1828
01:39:34,560 –> 01:39:39,120
CreateService is ceremony, the OS obeys without sentiment.
1829
01:39:39,120 –> 01:39:45,600
A new service appears with start type automatic, delayed start, description matching corporate
1830
01:39:45,600 –> 01:39:51,680
cadence and a binary nestled under ProgramData or a vendor-like path.
1831
01:39:51,680 –> 01:39:58,800
If the DACL permits, the attacker can later repoint the service at a fresh payload.
1832
01:39:58,800 –> 01:40:05,800
Our gravity denies service creation to ordinary admins through policy. Watch for event 7045,
1833
01:40:05,800 –> 01:40:11,480
a service was installed and pair with Sysmon event 1 for the parent process.
1834
01:40:11,480 –> 01:40:16,800
On servers, restrict the service logon right to documented identities.
1835
01:40:16,800 –> 01:40:22,560
If a service must exist, its binary must be write-protected and signed.
1836
01:40:22,560 –> 01:40:26,120
Run keys and startup folders are dust motes that carry light.
1837
01:40:26,120 –> 01:40:34,440
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run, RunOnce and their per-user
1838
01:40:34,440 –> 01:40:38,080
counterparts resurrect executables at logon.
1839
01:40:38,080 –> 01:40:42,800
WMI permanent event consumers create a ghost pipeline.
1840
01:40:42,800 –> 01:40:47,760
When a system event fires, a script runs with the identity of the WMI service.
1841
01:40:47,760 –> 01:40:50,600
These are quiet, resilient and often ignored.
1842
01:40:50,600 –> 01:40:57,960
Defense is cartography: inventory autoruns, block unknown binaries via WDAC or AppLocker,
1843
01:40:57,960 –> 01:41:05,680
monitor WMI subscriptions with PowerShell logging and event logs for 5861 and 5860, and treat any
1844
01:41:05,680 –> 01:41:11,560
unsigned executable in run paths as a siren, not a curiosity.
1845
01:41:11,560 –> 01:41:16,440
COM hijacking and DLL search order abuse are edits to the dictionary.
1846
01:41:16,440 –> 01:41:21,200
The system looks for meaning and finds an imposter first, a registry key that redirects
1847
01:41:21,200 –> 01:41:28,040
a class to a malicious DLL, a path that points to a writable directory before system folders.
1848
01:41:28,040 –> 01:41:34,760
The physics is old: resolution prefers proximity. We enforce explicit paths, remove write access
1849
01:41:34,760 –> 01:41:42,160
near lookup paths and instrument image loads, Sysmon event 7, to call out unexpected modules
1850
01:41:42,160 –> 01:41:44,760
in high privilege hosts.
1851
01:41:44,760 –> 01:41:50,400
On PAWs and servers, application control refuses modules without pedigree. Credentials
1852
01:41:50,400 –> 01:41:52,000
can be made to linger.
1853
01:41:52,000 –> 01:41:56,000
Golden and silver tickets are not magic, they are forged memory.
1854
01:41:56,000 –> 01:42:00,840
A golden ticket claims the right to mint access as the KDC would.
1855
01:42:00,840 –> 01:42:06,480
A silver ticket claims service access by pretending to be the service, both exploit secrets
1856
01:42:06,480 –> 01:42:09,520
held too long or reset without ceremony.
1857
01:42:09,520 –> 01:42:15,920
Our counter force is time, rotate KRBTGT twice in sequence after compromise or on a cadence
1858
01:42:15,920 –> 01:42:19,400
to invalidate forged TGTs bound to old keys.
1859
01:42:19,400 –> 01:42:24,920
Reissue service keys by rotating GMSAs and long passwords, reduce ticket lifetimes for
1860
01:42:24,920 –> 01:42:29,280
critical identities so stolen light decays quickly.
1861
01:42:29,280 –> 01:42:32,840
Built-in groups tell stories in memberships.
1862
01:42:32,840 –> 01:42:37,320
Persistence often looks like a quiet addition to a group that nobody audits.
1863
01:42:37,320 –> 01:42:42,320
Account operators, backup operators, print operators, a forgotten local administrators
1864
01:42:42,320 –> 01:42:44,520
group on a management server.
1865
01:42:44,520 –> 01:42:47,400
The name does not matter, the effective rights do.
1866
01:42:47,400 –> 01:42:57,360
We enforce attestations for privileged groups monthly, alert on 4728, 4729, 4732 and 4733
1867
01:42:57,360 –> 01:43:03,040
outside change windows and adopt shadow admin detection by enumerating who can write service
1868
01:43:03,040 –> 01:43:07,320
accounts, reset passwords or link GPOs.
1869
01:43:07,320 –> 01:43:13,400
When privilege is implied rather than named, gravity still bends. GPO is law encoded.
1870
01:43:13,400 –> 01:43:19,440
A malicious link at the OU level can deploy a start-up script, a scheduled task, a registry
1871
01:43:19,440 –> 01:43:22,120
tweak that reopens a door.
1872
01:43:22,120 –> 01:43:25,280
Because law replicates, persistence scales.
1873
01:43:25,280 –> 01:43:27,800
We respond with ceremony.
1874
01:43:27,800 –> 01:43:33,080
Only tier administrators can link GPOs that affect tier and tier objects; change control
1875
01:43:33,080 –> 01:43:36,560
binds every link with a ticket.
1876
01:43:36,560 –> 01:43:43,880
Events 5136 and 4739 are forwarded and correlated, and Authenticated Users write permissions
1877
01:43:43,880 –> 01:43:47,120
on GPOs are stripped to the minimum.
1878
01:43:47,120 –> 01:43:50,720
If SYSVOL bears a foreign file, drift detection shouts.
1879
01:43:50,720 –> 01:43:58,680
Lab echo, low chime: event 7045, new service, Windows Health Telemetry installed on APP
1880
01:43:58,680 –> 01:44:06,060
ledger. Bass pulse: Sysmon 1, parent process winword.exe via COM Surrogate. The inscription
1881
01:44:06,060 –> 01:44:11,720
tries to hide in routine. Persistence also lives in accounts: a new user with a name that
1882
01:44:11,720 –> 01:44:18,320
imitates a vendor, a service account created for backup with rights that include DCSync.
1883
01:44:18,320 –> 01:44:23,040
The attacker does not need a web shell if they own a credential with no expiry.
1884
01:44:23,040 –> 01:44:26,880
We answer with hygiene: no account without an owner.
1885
01:44:26,880 –> 01:44:35,320
Expiration dates on all emergency access identities, 4720, 4722 and 4738 alerts for creations
1886
01:44:35,320 –> 01:44:42,760
and re-enables, and password policies that force rotation and deny “password never expires”.
1887
01:44:42,760 –> 01:44:45,360
Certificates can be dispensed that write outside policy.
1888
01:44:45,360 –> 01:44:51,600
In ADCS, a misconfigured template allows anyone with enrollment rights to request a certificate
1889
01:44:51,600 –> 01:44:55,720
with an alternate UPN or EKU that grants smart card logon.
1890
01:44:55,720 –> 01:45:00,760
That certificate becomes a renewable identity with lifetimes measured in years.
1891
01:45:00,760 –> 01:45:07,600
We enforce template hygiene, restrict enrollment, require manager approval, deny sign control
1892
01:45:07,600 –> 01:45:13,640
to non-issuers, log CA requests, and audit for ESC-class templates.
1893
01:45:13,640 –> 01:45:19,560
If persistence hides in PKI, revocation and template lockdown are the eraser. When evicting,
1894
01:45:19,560 –> 01:45:25,520
we move with order: quarantine hosts where persistence roots, disable suspicious services
1895
01:45:25,520 –> 01:45:31,640
but capture state, export scheduled tasks and autoruns for timeline, rotate secrets
1896
01:45:31,640 –> 01:45:41,200
in blast radius order, service accounts first, then admin groups, then KRBTGT in dual rotation,
1897
01:45:41,200 –> 01:45:47,640
rebuild systems that touch the core rather than trusting cleansing rituals.
1898
01:45:47,640 –> 01:45:49,640
Persistence survives half measures.
1899
01:45:49,640 –> 01:45:51,320
The observer speaks.
1900
01:45:51,320 –> 01:45:52,560
I am the fabric.
1901
01:45:52,560 –> 01:45:56,160
I remember every inscription until you decide to erase.
1902
01:45:56,160 –> 01:46:00,560
When you turn routine into signal, signatures cannot hide as chores.
1903
01:46:00,560 –> 01:46:06,320
When you bind law to ceremony, drift stops pretending to be maintenance. Low chime:
1904
01:46:06,320 –> 01:46:10,360
7045 storm suppressed, 4728 outside window denied.
1905
01:46:10,360 –> 01:46:12,240
The name fades from time.
1906
01:46:12,240 –> 01:46:14,240
The orbit holds.
1907
01:46:14,240 –> 01:46:15,840
Detection and response.
1908
01:46:15,840 –> 01:46:17,960
Listening to the fabric.
1909
01:46:17,960 –> 01:46:19,640
Detection is not a spotlight.
1910
01:46:19,640 –> 01:46:20,640
It is astronomy.
1911
01:46:20,640 –> 01:46:22,280
We do not see the attacker.
1912
01:46:22,280 –> 01:46:25,080
We see the curve their movement leaves on the field.
1913
01:46:25,080 –> 01:46:28,120
We begin with the native constellations.
1914
01:46:28,120 –> 01:46:30,760
Security logs speak a quiet grammar.
1915
01:46:30,760 –> 01:46:34,720
4768 when a TGT is minted.
1916
01:46:34,720 –> 01:46:38,880
4769 when a TGS is issued.
1917
01:46:38,880 –> 01:46:42,760
4776 when NTLM breathes.
1918
01:46:42,760 –> 01:46:46,560
4672 when privilege enters the room.
1919
01:46:46,560 –> 01:46:48,360
None of these alone means collapse.
1920
01:46:48,360 –> 01:46:49,680
Together they sketch a path.
1921
01:46:49,680 –> 01:46:53,800
We teach the SIEM to read sentences, not words.
1922
01:46:53,800 –> 01:46:58,440
Event 4769 clustered by SPN reveals hunger.
1923
01:46:58,440 –> 01:47:06,640
When a quiet SPN, CIFS on a finance host, MSSQLSvc on a ledger, suddenly attracts tickets from
1924
01:47:06,640 –> 01:47:09,040
unfamiliar callers we do not wait.
1925
01:47:09,040 –> 01:47:10,480
We check the source subnets.
1926
01:47:10,480 –> 01:47:11,960
We check the caller’s history.
1927
01:47:11,960 –> 01:47:14,840
We verify the hour against maintenance calendars.
1928
01:47:14,840 –> 01:47:17,000
Drift forms first as curiosity.
1929
01:47:17,000 –> 01:47:20,360
Curiosity at 0211 is almost never maintenance.
1930
01:47:20,360 –> 01:47:23,160
Event 4672 is gravity in a bell.
1931
01:47:23,160 –> 01:47:26,920
A privileged logon outside ritual is a page, not a report.
1932
01:47:26,920 –> 01:47:28,360
We map allowed windows.
1933
01:47:28,360 –> 01:47:30,320
We tie privilege to change tickets.
1934
01:47:30,320 –> 01:47:36,240
When 4672 fires without a correlating ticket ID in the message field, we do not debate.
1935
01:47:36,240 –> 01:47:37,560
We dispatch.
1936
01:47:37,560 –> 01:47:39,440
False positives are training.
1937
01:47:39,440 –> 01:47:40,960
Silence is decay.
1938
01:47:40,960 –> 01:47:46,680
Directory access 4662 with DS-Replication-Get-Changes or
1939
01:47:46,680 –> 01:47:48,440
DS-Replication-Get-Changes-All is not a suggestion.
1940
01:47:48,440 –> 01:47:50,440
It is a gravitational wave.
1941
01:47:50,440 –> 01:47:54,640
DCSync is power that should be rare, explicit and noisy.
1942
01:47:54,640 –> 01:47:56,920
We baseline which identities can perform it.
1943
01:47:56,920 –> 01:47:59,360
We send 4662 to a special channel.
1944
01:47:59,360 –> 01:48:02,960
We alert on first use by any identity per quarter.
1945
01:48:02,960 –> 01:48:05,800
Routine that writes keys should not be routine.
1946
01:48:05,800 –> 01:48:11,760
Group changes 4728, 4732, 4729, 4733 are tides.
1947
01:48:11,760 –> 01:48:13,360
Admin groups swell in incidents.
1948
01:48:13,360 –> 01:48:15,720
We do not read names alone.
1949
01:48:15,720 –> 01:48:18,200
We map effective reach.
1950
01:48:18,200 –> 01:48:25,200
A new member of backup operators on a management server might be a back door to domain reality.
1951
01:48:25,200 –> 01:48:28,680
SIEM logic calculates shadow admin paths.
1952
01:48:28,680 –> 01:48:30,400
Who can reset whom?
1953
01:48:30,400 –> 01:48:32,280
Who can set SPNs?
1954
01:48:32,280 –> 01:48:36,760
Who can link GPOs? It raises the alarm when the graph changes shape.
1955
01:48:36,760 –> 01:48:39,680
Sysmon is starlight at higher resolution.
1956
01:48:39,680 –> 01:48:42,320
Event 10 is a hand reaching for LSASS.
1957
01:48:42,320 –> 01:48:46,880
We feed it into a model that understands normal tooling on each host.
1958
01:48:46,880 –> 01:48:48,200
Security products will probe.
1959
01:48:48,200 –> 01:48:49,200
Attackers will probe.
1960
01:48:49,200 –> 01:48:50,960
The difference is ancestry.
1961
01:48:50,960 –> 01:48:53,320
Pair event 10 with event 1.
1962
01:48:53,320 –> 01:48:55,560
WINWORD spawning an accessor is wrong.
1963
01:48:55,560 –> 01:49:00,760
A signed EDR process doing so within its known schedule is expected.
1964
01:49:00,760 –> 01:49:05,360
Event 3 draws beams, RDP, SMB, WMI, between nodes.
1965
01:49:05,360 –> 01:49:12,520
We build allow lists for beams that should exist and treat new lines as weather warnings.
1966
01:49:12,520 –> 01:49:17,120
Event 7 catches foreign DLLs joining trusted processes.
1967
01:49:17,120 –> 01:49:20,960
On domain controllers and PAWs this becomes a siren.
1968
01:49:20,960 –> 01:49:22,120
Telemetry must speak in chords.
1969
01:49:22,120 –> 01:49:24,760
A single 4769 spike is interesting.
1970
01:49:24,760 –> 01:49:32,140
A 4769 spike plus Sysmon 3 from a workstation to that SPN plus 4672 on the destination is gravity
1971
01:49:32,140 –> 01:49:33,140
failure.
1972
01:49:33,140 –> 01:49:34,600
We encode that.
1973
01:49:34,600 –> 01:49:39,920
Our SIEM hunts across time windows looking for proximity in minutes, not days.
1974
01:49:39,920 –> 01:49:43,120
The earlier we hear harmony, the sooner we can cut the song.
1975
01:49:43,120 –> 01:49:45,800
The telescope extends with XDR.
1976
01:49:45,800 –> 01:49:48,080
Endpoint intelligence can label intent.
1977
01:49:48,080 –> 01:49:53,560
Credential theft, likelihood, lateral movement, confidence, persistence, probability.
1978
01:49:53,560 –> 01:49:55,240
We do not surrender judgment.
1979
01:49:55,240 –> 01:50:01,800
We layer human habit on machine score: a high-probability event 10 on a legacy host with
1980
01:50:01,800 –> 01:50:07,280
LSA protection disabled is louder than the same event on a lab with a known tester.
1981
01:50:07,280 –> 01:50:15,240
We tag hosts by cohort, tier, patch age, legacy constraints, and the model weights accordingly.
1982
01:50:15,240 –> 01:50:17,640
Lab echo, low chime.
1983
01:50:17,640 –> 01:50:28,400
Final cluster: 4769 spike on MSSQL ledger 01, Sysmon 3 from WS-2 wasvincene, 4672
1984
01:50:28,400 –> 01:50:30,960
on SQL Fin without ticket.
1985
01:50:30,960 –> 01:50:36,280
Bass pulse: confidence 0.87, lateral escalation in progress.
1986
01:50:36,280 –> 01:50:39,240
The map animates.
1987
01:50:39,240 –> 01:50:43,240
Response begins with containment shaped like physics, not panic.
1988
01:50:43,240 –> 01:50:49,000
We quarantine by blast radius, the host that originated the suspicious beam, the destination
1989
01:50:49,000 –> 01:50:54,760
that accepted privilege, and any intermediary with shared admin secrets.
1990
01:50:54,760 –> 01:50:56,160
Quarantine is not a guess.
1991
01:50:56,160 –> 01:51:00,040
It is a playbook per tier with business owners already listed.
1992
01:51:00,040 –> 01:51:02,840
We notify humans using language they own.
1993
01:51:02,840 –> 01:51:07,600
Your server is in protective isolation for a probable credential event.
1994
01:51:07,600 –> 01:51:09,840
Estimated disruption, 20 minutes.
1995
01:51:09,840 –> 01:51:13,080
Rollback path, restart service X post release.
1996
01:51:13,080 –> 01:51:14,840
We revoke what was minted.
1997
01:51:14,840 –> 01:51:20,360
Kerberos tokens can be curtailed by log off or ticket purge on endpoints and when needed
1998
01:51:20,360 –> 01:51:26,800
by disabling the account at the directory and forcing reauthentication across the field.
1999
01:51:26,800 –> 01:51:30,040
For NTLM pressure, we close channels.
2000
01:51:30,040 –> 01:51:37,120
Block relay paths by enforcing SMB signing, raise LDAP channel binding and disable the
2001
01:51:37,120 –> 01:51:41,240
print spooler reflex on servers that should never coerce.
2002
01:51:41,240 –> 01:51:48,360
We prefer surgical moves, a firewall deny rule, a blocked source, before global toggles
2003
01:51:48,360 –> 01:51:50,200
that turn business into noise.
2004
01:51:50,200 –> 01:51:53,440
We sequence secret resets.
2005
01:51:53,440 –> 01:51:59,320
Service accounts first, especially those with SPNs tied to sensitive services, then admins
2006
01:51:59,320 –> 01:52:01,560
who touched the suspected nodes.
2007
01:52:01,560 –> 01:52:06,240
Then if we see 4662 for replication or evidence of directory theft, we plan
2008
01:52:06,240 –> 01:52:12,400
to rotate KRBTGT twice, timed with replication health checks.
2009
01:52:12,400 –> 01:52:14,160
Rotation without health is drift.
2010
01:52:14,160 –> 01:52:16,320
We keep a checklist.
2011
01:52:16,320 –> 01:52:21,800
Replication state, DC health, ticket lifetimes, two rotations spaced by ticket max lifetime
2012
01:52:21,800 –> 01:52:25,720
confirm no lingering TGTs, verify client trust.
2013
01:52:25,720 –> 01:52:28,680
We hunt persistence while the room is quieted.
2014
01:52:28,680 –> 01:52:36,160
We collect autoruns, scheduled tasks, recent services, new local admins, WMI subscriptions,
2015
01:52:36,160 –> 01:52:44,360
we capture volatile artifacts, memory, if lawful, active connections, unusual handles, and
2016
01:52:44,360 –> 01:52:50,280
we tag what is found with a case ID so future alerts join the same constellation.
2017
01:52:50,280 –> 01:52:53,400
If the host touched tier zero, we rebuild.
2018
01:52:53,400 –> 01:52:56,480
Cleansing rituals are for edges, not the core.
2019
01:52:56,480 –> 01:52:58,400
Communication is oxygen.
2020
01:52:58,400 –> 01:53:04,600
We keep leadership close with truths, not theatre, incident stage, affected scope, confidence
2021
01:53:04,600 –> 01:53:07,840
levels, estimated impact, next decision.
2022
01:53:07,840 –> 01:53:14,560
We time bound decisions, contain within minutes, reset within hours, rebuild within days.
2023
01:53:14,560 –> 01:53:15,960
We mark the horizon.
2024
01:53:15,960 –> 01:53:21,080
If exocurs we escalate to forest recovery steps, the plan exists before the need.
2025
01:53:21,080 –> 01:53:24,080
The observer speaks, I am the fabric, I will not scream.
2026
01:53:24,080 –> 01:53:27,320
I will whisper, then hum, then shudder.
2027
01:53:27,320 –> 01:53:30,200
If you listen early, containment is a conversation.
2028
01:53:30,200 –> 01:53:32,640
If you wait, it becomes gravity.
2029
01:53:32,640 –> 01:53:34,400
Low chime.
2030
01:53:34,400 –> 01:53:41,000
Spooler is suppressed, tokens purged, 4769 returns to baseline.
2031
01:53:41,000 –> 01:53:47,200
Bass pulse recedes, the orbit holds because listening preceded action.
2032
01:53:47,200 –> 01:53:52,000
Building a stable orbit. Stability is not stasis, it is motion bound by law.
2033
01:53:52,000 –> 01:53:57,360
We will codify law into baselines that behave like a physics engine, tiered administration
2034
01:53:57,360 –> 01:54:01,880
and privileged access workstations that separate mass.
2035
01:54:01,880 –> 01:54:07,200
LSA protection, credential guard and SMB signing that harden boundaries.
2036
01:54:07,200 –> 01:54:12,280
NTLM confined to glass cases with channel binding and allow lists.
2037
01:54:12,280 –> 01:54:19,640
Kerberos, governed by disciplined delegation, SPN hygiene, PAC validation and KRBTGT
2038
01:54:19,640 –> 01:54:22,240
rotation as ritual.
2039
01:54:22,240 –> 01:54:28,920
We will make operations a metronome, patch cadence with cohorts, exception sunsets and
2040
01:54:28,920 –> 01:54:32,080
dashboards that show time where it slows.
2041
01:54:32,080 –> 01:54:38,040
Backups that are real because restores succeed in labs and forests recover on schedule.
2042
01:54:38,040 –> 01:54:41,440
Drills that turn fear into competence.
2043
01:54:41,440 –> 01:54:44,800
We will define governance that refuses drift.
2044
01:54:44,800 –> 01:54:50,360
Owners for every service principal, rotations as calendars, GPO as ceremony, monitoring
2045
01:54:50,360 –> 01:54:54,680
as music and detections tuned to chords rather than single notes.
2046
01:54:54,680 –> 01:54:55,680
Low chime.
2047
01:54:55,680 –> 01:54:56,880
The map still holds.
2048
01:54:56,880 –> 01:54:58,880
We are not seeking perfection.
2049
01:54:58,880 –> 01:55:05,360
We are choosing orbit, the baseline, laws of your universe, law is not flair, it is gravity
2050
01:55:05,360 –> 01:55:06,360
you can trust.
2051
01:55:06,360 –> 01:55:09,520
We begin with boundaries.
2052
01:55:09,520 –> 01:55:14,200
Tiered administration is not a chart, it is distance.
2053
01:55:14,200 –> 01:55:23,760
Tier zero governs identity itself, domain controllers, forest root, PKI, AAD Connect, identity orchestration.
2054
01:55:23,760 –> 01:55:31,640
Tier one sustains enterprise services, application servers, SQL, file and print where permitted.
2055
01:55:31,640 –> 01:55:35,240
Tier two hosts people, workstations, VDI pools.
2056
01:55:35,240 –> 01:55:38,520
We refuse crossings except through sanctioned gates.
2057
01:55:38,520 –> 01:55:40,520
A tier two device never reaches tier zero.
2058
01:55:40,520 –> 01:55:44,760
A tier one admin never holds standing rights in tier zero.
2059
01:55:44,760 –> 01:55:47,520
Distance becomes safety.
2060
01:55:47,520 –> 01:55:49,400
Privileged access
2061
01:55:49,400 –> 01:55:52,880
workstations are vessels built to resist heat.
2062
01:55:52,880 –> 01:55:56,280
They serve one purpose, to administer tier zero or tier one safely.
2063
01:55:56,280 –> 01:55:59,840
No email, no browsing, no plugins.
2064
01:55:59,840 –> 01:56:01,040
Application control on.
2065
01:56:01,040 –> 01:56:03,800
Attack surface reduced.
2066
01:56:03,800 –> 01:56:07,200
Credential guard and LSA protection enabled.
2067
01:56:07,200 –> 01:56:11,400
Remote credential guard for RDP so secrets do not land on destinations.
2068
01:56:11,400 –> 01:56:15,600
If an admin must touch the core, this is the only ship allowed to approach.
2069
01:56:15,600 –> 01:56:19,160
We encode posture in baselines, not folklore.
2070
01:56:19,160 –> 01:56:21,840
Group policy becomes the constitution.
2071
01:56:21,840 –> 01:56:32,600
For tier zero and PAWs, we enforce LSA protection, run as PPL so LSASS is not a casual library.
2072
01:56:32,600 –> 01:56:35,960
Credential guard to lift secrets out of ordinary memory.
2073
01:56:35,960 –> 01:56:40,240
SMB signing always so relays cannot mimic proximity.
2074
01:56:40,240 –> 01:56:43,080
LDAP channel binding required.
2075
01:56:43,080 –> 01:56:46,160
NTLMv1 and LM disabled.
2076
01:56:46,160 –> 01:56:50,480
NTLM auditing turned on to light the caves we still carry.
2077
01:56:50,480 –> 01:56:52,080
Kerberos hardening.
2078
01:56:52,080 –> 01:56:57,720
FAST where supported. PAC validation for sensitive services.
2082
01:56:57,720 –> 01:57:02,880
Constrained or resource-based delegation only by exception with CAB approval.
2083
01:57:02,880 –> 01:57:05,720
Print spoolers stopped on servers that do not print.
2084
01:57:05,720 –> 01:57:07,960
On DCs always stopped.
2085
01:57:07,960 –> 01:57:10,760
WDigest disabled.
2088
01:57:10,760 –> 01:57:15,000
Restricted admin mode for RDP considered where feasible.
2089
01:57:15,000 –> 01:57:16,880
Remote UAC enabled.
2090
01:57:16,880 –> 01:57:22,200
So local admin tokens do not cross privilege boundaries without intent.
2091
01:57:22,200 –> 01:57:24,720
Identity becomes ceremony.
2092
01:57:24,720 –> 01:57:27,440
Administrative roles are tools, not personas.
2093
01:57:27,440 –> 01:57:29,040
We carry separate accounts.
2094
01:57:29,040 –> 01:57:35,320
A human identity for daily work, scoped admin identities per tier, and break glass accounts,
2095
01:57:35,320 –> 01:57:40,960
sealed with hardware factors and offline procedures tested in drills.
2096
01:57:40,960 –> 01:57:44,080
Protected Users for those who should never speak fossil dialects.
2097
01:57:44,080 –> 01:57:50,200
MFA at the first gate where identity is minted, not the last gate where damage is done.
2098
01:57:50,200 –> 01:57:52,560
Service accounts are vessels with ownership.
2099
01:57:52,560 –> 01:57:55,200
We default to managed service accounts.
2100
01:57:55,200 –> 01:57:58,880
sMSA for single host, gMSA for farms.
2101
01:57:58,880 –> 01:58:01,400
They rotate keys as heartbeat.
2102
01:58:01,400 –> 01:58:02,920
Where not possible,
2103
01:58:02,920 –> 01:58:05,680
secrets are long and scheduled to change.
2104
01:58:05,680 –> 01:58:07,480
Rotation is scripted and logged.
2105
01:58:07,480 –> 01:58:10,960
Deny interactive logon to all service principals.
2106
01:58:10,960 –> 01:58:15,040
Deny RDP, deny logon locally.
2107
01:58:15,040 –> 01:58:18,200
Scope logon as a service to exact hosts.
2108
01:58:18,200 –> 01:58:20,400
SPN write rights are rare.
2109
01:58:20,400 –> 01:58:27,360
Assigned via a change request, reviewed quarterly, and removed when a workload retires.
2110
01:58:27,360 –> 01:58:32,040
Delegation lives under constraint with precision, resource-based where possible.
2111
01:58:32,040 –> 01:58:37,480
Target lists exact, never wildcards, never CIFS.
2112
01:58:37,480 –> 01:58:39,600
We keep software finite.
2113
01:58:39,600 –> 01:58:43,680
Network images for workstations and servers reduce novelty.
2114
01:58:43,680 –> 01:58:44,920
Application control.
2115
01:58:44,920 –> 01:58:49,760
WDAC or AppLocker on PAWs, domain controllers and tier zero systems.
2116
01:58:49,760 –> 01:58:51,160
So only signed,
2117
01:58:51,160 –> 01:58:52,680
known binaries execute.
2118
01:58:52,680 –> 01:58:58,400
PowerShell runs with transcription and constrained language on endpoints where risk warrants.
2119
01:58:58,400 –> 01:59:02,080
On PAWs it remains full power with logging that sings.
2120
01:59:02,080 –> 01:59:06,440
Sysmon deployed with a curated rule set to lift process ancestry,
2121
01:59:06,440 –> 01:59:12,600
file writes, network lines and module loads into language the SIEM can read.
2122
01:59:12,600 –> 01:59:13,600
We do not drown.
2123
01:59:13,600 –> 01:59:16,320
We teach the telescope which stars matter.
2124
01:59:16,320 –> 01:59:18,520
Network is architecture, not water.
2125
01:59:18,520 –> 01:59:22,240
East, west is segmented to reflect tiers.
2126
01:59:22,240 –> 01:59:26,600
Workstations do not WinRM into servers by default.
2127
01:59:26,600 –> 01:59:29,240
Servers do not RDP into controllers.
2128
01:59:29,240 –> 01:59:33,480
Only jump hosts on a management VLAN may cross with privilege.
2129
01:59:33,480 –> 01:59:38,040
Firewall baselines deny by default, allow by purpose.
2130
01:59:38,040 –> 01:59:45,880
SMB signing enforced, legacy protocols, SMBv1, unsigned RPC, retired.
2131
01:59:45,880 –> 01:59:52,760
Edge paths to legacy caves pass through inspection, application proxies that require modern authentication,
2132
01:59:52,760 –> 01:59:59,440
TLS termination with mutual trust and logging that records each crossing like a border stamp.
2133
01:59:59,440 –> 02:00:00,760
Time is law.
2134
02:00:00,760 –> 02:00:03,040
Patch cadence is a metronome.
2135
02:00:03,040 –> 02:00:09,080
Rings of hosts patch in cohorts with dashboards that display age, exceptions and sunsets,
2136
02:00:09,080 –> 02:00:13,600
exceptions require owners, business justification and a date of death.
2137
02:00:13,600 –> 02:00:17,280
Technical debt measured in days, not feelings.
2138
02:00:17,280 –> 02:00:20,520
Legacy nodes that cannot comply move to isolation.
2139
02:00:20,520 –> 02:00:27,440
VLANs with sparse rules, no admin ingress except bastions, telemetry amplified.
2140
02:00:27,440 –> 02:00:33,000
Retirement aligns budget to gravity, reduce blast radius first, then eliminate mass.
2141
02:00:33,000 –> 02:00:36,000
Backups are not wishful, they are recoverable.
2142
02:00:36,000 –> 02:00:41,480
Domain controllers backup system state on rotation, forest recovery is rehearsed.
2143
02:00:41,480 –> 02:00:47,240
Authoritative restore practiced, metadata cleanup, tombstone windows understood,
2144
02:00:47,240 –> 02:00:49,240
SYSVOL health verified.
2145
02:00:49,240 –> 02:00:55,000
A restored controller must be trusted by fresh clients without manual blessing.
2146
02:00:55,000 –> 02:00:59,080
Until that sentence is true, backups are theater.
2147
02:00:59,080 –> 02:01:06,960
KRBTGT rotation becomes ritual twice spaced by maximum ticket lifetime on a cadence and
2148
02:01:06,960 –> 02:01:09,600
again after compromise.
2149
02:01:09,600 –> 02:01:10,600
Certificates have owners.
2150
02:01:10,600 –> 02:01:16,400
ADCS templates are policed, enrollment rights are narrow, audit trails are forwarded
2151
02:01:16,400 –> 02:01:17,560
off the CA.
2152
02:01:17,560 –> 02:01:20,560
We set detection as constitutional music.
2153
02:01:20,560 –> 02:01:22,520
Security logs forward.
2154
02:01:22,520 –> 02:01:36,200
4768, 4769, 4672, 4662 for replication, 4728, 4732 for group changes.
2155
02:01:36,200 –> 02:01:39,440
7045 service installs.
2156
02:01:39,440 –> 02:01:40,840
Sysmon sings.
2157
02:01:40,840 –> 02:01:47,960
One for process trees, three for beams, seven for modules, ten for LSASS access, eleven
2158
02:01:47,960 –> 02:01:50,960
for file placements in system paths.
2159
02:01:50,960 –> 02:01:58,480
SIEM correlation favors chords, privileged logon plus SPN spike plus new service equals
2160
02:01:58,480 –> 02:02:00,880
gravity failure.
2161
02:02:00,880 –> 02:02:05,400
Alerts map to playbooks with owners, timescales and business narratives.
2162
02:02:05,400 –> 02:02:08,280
Silence is the exception, not the plan.
2163
02:02:08,280 –> 02:02:12,920
Humans complete the orbit, change requires tickets, tickets carry context.
2164
02:02:12,920 –> 02:02:14,680
Context is preserved in logs.
2165
02:02:14,680 –> 02:02:18,920
CAB is not theater, it is friction that prevents heat.
2166
02:02:18,920 –> 02:02:20,600
Training speaks physics.
2167
02:02:20,600 –> 02:02:27,280
Why we refuse NTLM, why PAWs matter, why delegation is a lens.
2168
02:02:27,280 –> 02:02:29,840
Micro-drills test one control monthly.
2169
02:02:29,840 –> 02:02:38,720
A blocked RDP from tier 2, a denied SPN write, a simulated 4662 DCSync alarm, culture becomes
2170
02:02:38,720 –> 02:02:40,040
memory.
2171
02:02:40,040 –> 02:02:41,640
Memory becomes reflex.
2172
02:02:41,640 –> 02:02:43,040
The observer speaks.
2173
02:02:43,040 –> 02:02:45,280
I am the universe you govern.
2174
02:02:45,280 –> 02:02:48,840
When law is encoded, drift must argue with code, not habit.
2175
02:02:48,840 –> 02:02:52,360
When ceremony meets privilege, gravity holds.
2176
02:02:52,360 –> 02:02:57,720
Low chime, the baseline is not glamour, it is survival, written as law.
2177
02:02:57,720 –> 02:02:59,000
Operational gravity.
2178
02:02:59,000 –> 02:03:01,600
Patching, backups, drills.
2179
02:03:01,600 –> 02:03:05,160
Operations is where law meets time.
2180
02:03:05,160 –> 02:03:09,560
Gravity without cadence decays, we set a metronome and refuse to argue with it.
2181
02:03:09,560 –> 02:03:12,880
Patching is not a task, it is orbital correction.
2182
02:03:12,880 –> 02:03:21,680
We group hosts into cohorts that reflect risk and blast radius, tier 0, tier 1, tier 2.
2183
02:03:21,680 –> 02:03:27,320
Each cohort patches on a predictable rhythm, monthly for the living, ad hoc for emergencies,
2184
02:03:27,320 –> 02:03:33,160
quarterly for legacy islands that cannot move faster, with dashboards that display age
2185
02:03:33,160 –> 02:03:35,400
like redshift.
2186
02:03:35,400 –> 02:03:41,680
Exceptions exist, but they are mortal, a justification, an owner, an expiration date embedded
2187
02:03:41,680 –> 02:03:42,680
in the ticket.
2188
02:03:42,680 –> 02:03:46,760
When the date arrives, the universe does not ask, it enforces.
2189
02:03:46,760 –> 02:03:49,160
We reduce panic by rehearsal.
2190
02:03:49,160 –> 02:03:54,680
Before patch Tuesday becomes patch reality, we stage in a lab that reflects production’s
2191
02:03:54,680 –> 02:04:00,840
constellations, DCs, PAWs, representative application servers, a handful of workstations.
2192
02:04:00,840 –> 02:04:07,560
We snapshot, we apply, we test authentication, delegation and line of business flows.
2193
02:04:07,560 –> 02:04:12,640
If a patch bends Kerberos or breaks SMB signing, we learn it under safe
2194
02:04:12,640 –> 02:04:15,560
starlight, not during business dawn.
2195
02:04:15,560 –> 02:04:17,320
Canary rings follow.
2196
02:04:17,320 –> 02:04:22,880
10 machines per cohort observed for 24 hours, then the wave rolls.
2197
02:04:22,880 –> 02:04:25,240
Legacy is handled with physics, not hope.
2198
02:04:25,240 –> 02:04:31,120
When a system cannot absorb modern updates, we pin it to an isolation arc, dedicated VLAN,
2199
02:04:31,120 –> 02:04:38,160
minimal inbound, no outbound, except to named services, telemetry amplified.
2200
02:04:38,160 –> 02:04:45,480
We schedule compensating updates, drivers, middleware, agent refreshes, that reduce surface,
2201
02:04:45,480 –> 02:04:47,160
even if the OS sits still.
2202
02:04:47,160 –> 02:04:49,360
We clock the debt in days, the count is public.
2203
02:04:49,360 –> 02:04:51,120
Time shames drift.
2204
02:04:51,120 –> 02:04:53,160
Backups are memory with ritual.
2205
02:04:53,160 –> 02:04:56,640
Domain controllers carry system state like a black box.
2206
02:04:56,640 –> 02:05:01,360
We take it on schedule, daily or more for tier zero, and we send it off the ship.
2207
02:05:01,360 –> 02:05:06,960
Immutable storage with retention that matches regulatory gravity and recovery reality.
2208
02:05:06,960 –> 02:05:10,120
But a backup untested is a story, not truth.
2209
02:05:10,120 –> 02:05:12,840
We restore a DC in a lab every quarter.
2210
02:05:12,840 –> 02:05:18,320
We boot it clean, verify SYSVOL health, confirm replication, and watch a new client trust it
2211
02:05:18,320 –> 02:05:20,040
without manual blessing.
2212
02:05:20,040 –> 02:05:23,560
If any step requires a prayer, we fix the script.
2213
02:05:23,560 –> 02:05:26,000
Forest Recovery is choreography.
2214
02:05:26,000 –> 02:05:28,800
We keep a runbook that names each movement.
2215
02:05:28,800 –> 02:05:31,120
Isolate compromised DCs.
2216
02:05:31,120 –> 02:05:38,720
Seize FSMO roles to a trusted survivor, metadata cleanup to erase ghosts, build fresh DCs
2217
02:05:38,720 –> 02:05:45,000
from known good, signed media, restore system state if needed, reintroduce replication with
2218
02:05:45,000 –> 02:05:52,880
health checks, rotate KRBTGT twice, spaced by the maximum ticket lifetime, confirm client
2219
02:05:52,880 –> 02:05:54,520
logons at scale.
2220
02:05:54,520 –> 02:05:56,160
Names are attached to each step.
2221
02:05:56,160 –> 02:05:58,200
Phone numbers live on paper and offline.
2222
02:05:58,200 –> 02:06:01,840
We measure the rehearsal in minutes and hours, not anecdotes.
2223
02:06:01,840 –> 02:06:03,680
We backup more than controllers.
2224
02:06:03,680 –> 02:06:05,680
ADCS has its own heart.
2225
02:06:05,680 –> 02:06:08,960
CA database, private keys, templates, logs.
2226
02:06:08,960 –> 02:06:12,480
We export and protect them with the same reverence.
2227
02:06:12,480 –> 02:06:17,680
If certificates define who can enter the room, losing a CA is losing the door.
2228
02:06:17,680 –> 02:06:21,600
We also backup GPOs as objects and as files.
2229
02:06:21,600 –> 02:06:25,960
When law corrupts, we restore law, not guesswork.
2230
02:06:25,960 –> 02:06:30,120
And secrets tied to service accounts get their own vault backups.
2231
02:06:30,120 –> 02:06:34,440
Version access logged, recoverable without who remembers the password.
2232
02:06:34,440 –> 02:06:36,520
Drills turn fear into competence.
2233
02:06:36,520 –> 02:06:37,760
Tabletop first.
2234
02:06:37,760 –> 02:06:39,960
A story told with clocks.
2235
02:06:39,960 –> 02:06:49,800
At 02:11 event 4672 fires on DC02, at 02:14 4662 signals DCSync by SVC backup west.
2236
02:06:49,800 –> 02:06:52,280
At 02:17 change window is dark.
2238
02:06:56,160 –> 02:06:58,760
We ask who calls whom?
2239
02:06:58,760 –> 02:07:00,360
What gets quarantined?
2240
02:07:00,360 –> 02:07:02,320
Which secrets reset first?
2241
02:07:02,320 –> 02:07:04,320
Which services fail over?
2242
02:07:04,320 –> 02:07:08,720
Which business owners need to hear plain language in five minutes?
2243
02:07:08,720 –> 02:07:11,320
Roles practice words, playbooks practice order.
2244
02:07:11,320 –> 02:07:13,160
Then live fire, scoped and safe.
2245
02:07:13,160 –> 02:07:16,080
Pull a canary DC offline in the lab and simulate loss.
2246
02:07:16,080 –> 02:07:17,360
Rebuild it to the runbook.
2247
02:07:17,360 –> 02:07:19,440
Reset KRBTGT twice with timers.
2248
02:07:19,440 –> 02:07:23,680
Verify PAC validation on a sensitive service catches injected claims.
2249
02:07:23,680 –> 02:07:27,880
Reissue a gMSA and watch dependent services stumble, then recover.
2250
02:07:27,880 –> 02:07:32,440
Measure not perfection, but time to stable orbit.
2251
02:07:32,440 –> 02:07:38,880
Each drill ends with edits to law, a missing phone number, an ambiguous approval, a step that
2252
02:07:38,880 –> 02:07:42,720
took hours because two teams spoke different dialects.
2253
02:07:42,720 –> 02:07:45,200
Lab echo, low chime.
2254
02:07:45,200 –> 02:07:51,920
Backup validation, SYSVOL restored, DFSR healthy, clients trust.
2255
02:07:51,920 –> 02:07:57,400
Soft tick, KRBTGT rotation, pass one complete, timer set for pass two.
2256
02:07:57,400 –> 02:07:59,480
The metronome is audible.
2257
02:07:59,480 –> 02:08:01,120
Monitoring confirms cadence.
2258
02:08:01,120 –> 02:08:06,120
Dashboards show patch age by tier, percentage compliant.
2259
02:08:06,120 –> 02:08:08,120
Exceptions expiring this week.
2260
02:08:08,120 –> 02:08:14,600
Backups report last success timestamps, restore tests with pass, fail, next drill scheduled.
2261
02:08:14,600 –> 02:08:16,120
We page on silence.
2262
02:08:16,120 –> 02:08:20,560
If no system state landed last night, that is an incident.
2263
02:08:20,560 –> 02:08:25,400
If KRBTGT has not rotated in 12 months, that is drift declared.
2264
02:08:25,400 –> 02:08:31,320
If a tier zero PAW runs a browser plugin update, that is noise made into signal.
2265
02:08:31,320 –> 02:08:33,920
Culture anchors the orbit.
2266
02:08:33,920 –> 02:08:36,520
Change windows are real.
2267
02:08:36,520 –> 02:08:38,640
Leadership defends them.
2268
02:08:38,640 –> 02:08:44,380
Admins are rewarded for boring updates that land on time, not heroic saves at sunrise.
2269
02:08:44,380 –> 02:08:47,580
Post-incident reviews target process, not people.
2270
02:08:47,580 –> 02:08:51,000
The physics that failed, the law we revised.
2271
02:08:51,000 –> 02:08:54,340
Vendors are negotiated with as if physics matters.
2272
02:08:54,340 –> 02:08:59,540
Support for gMSA, channel binding, SMB signing.
2273
02:08:59,540 –> 02:09:04,780
Contracts include modernization clauses, sunsets and penalties for fossil gravity.
2274
02:09:04,780 –> 02:09:06,380
The observer speaks.
2275
02:09:06,380 –> 02:09:08,360
I am the clock in your sky.
2276
02:09:08,360 –> 02:09:11,420
When you keep cadence, I do not punish.
2277
02:09:11,420 –> 02:09:14,640
When you drift, I stretch your hours into nights.
2278
02:09:14,640 –> 02:09:20,080
Low chime, patches land, backups restore, drills remember.
2279
02:09:20,080 –> 02:09:24,080
Operational gravity holds because time is governed, not feared.
2280
02:09:24,080 –> 02:09:27,700
Governance checklist, Monday, gravity.
2281
02:09:27,700 –> 02:09:31,660
Before we drift apart, here is the gravity you must enforce.
2282
02:09:31,660 –> 02:09:37,340
Not theory, action, Monday. One, domain controllers are sacred, no casual logon, no browsing,
2283
02:09:37,340 –> 02:09:39,380
no email, no "just for a minute".
2284
02:09:39,380 –> 02:09:44,180
Enforce deny interactive logon for everyone not in tier zero admin roles.
2285
02:09:44,180 –> 02:09:48,860
Stop the print spooler, require PAWs for administration with remote credential guard.
2286
02:09:48,860 –> 02:09:53,380
LSA protection enabled, credential guard where supported, law at the core.
2287
02:09:53,380 –> 02:09:57,100
Two, admin is a tool, not a person.
2288
02:09:57,100 –> 02:09:58,620
Carry separate identities.
2289
02:09:58,620 –> 02:10:01,060
User, tier one admin, tier zero admin.
2290
02:10:01,060 –> 02:10:05,380
Protect them with hardware backed factors and policies that refuse NTLM.
2291
02:10:05,380 –> 02:10:11,380
Put tier zero admins in the Protected Users group, remove lingering logon locally and RDP
2292
02:10:11,380 –> 02:10:15,380
rights from admin accounts everywhere except jump hosts.
2293
02:10:15,380 –> 02:10:17,380
Ceremony, not convenience.
2294
02:10:17,380 –> 02:10:20,380
Three, reduce fossil gravity.
2295
02:10:20,380 –> 02:10:23,780
Disable LM and NTLMv1 entirely.
2296
02:10:23,780 –> 02:10:29,380
Audit NTLM to discover remaining caves and force SMB signing on clients and servers.
2297
02:10:29,380 –> 02:10:36,660
Require LDAP channel binding, prefer Kerberos with precise SPNs, where NTLM must remain
2298
02:10:36,660 –> 02:10:41,380
allowlist servers and isolate them in a VLAN that cannot touch tier zero.
2299
02:10:41,380 –> 02:10:43,380
Fossils behind glass.
2300
02:10:43,380 –> 02:10:46,900
Four, delegation becomes engineered light.
2301
02:10:46,900 –> 02:10:49,580
Remove unconstrained delegation.
2302
02:10:49,580 –> 02:10:54,220
Replace with constrained delegation scoped to exact SPNs.
2303
02:10:54,220 –> 02:10:59,740
Prefer resource-based constrained delegation so targets choose their mirrors.
2304
02:10:59,740 –> 02:11:02,860
Deny interactive logon to every service account.
2305
02:11:02,860 –> 02:11:09,100
If a vendor demands an exception, place it behind glass with WDAC or AppLocker, transcript
2306
02:11:09,100 –> 02:11:11,700
logging and change control.
2307
02:11:11,700 –> 02:11:14,940
Five, service accounts are vessels with owners.
2308
02:11:14,940 –> 02:11:17,140
Default to gMSA and sMSA.
2309
02:11:17,140 –> 02:11:23,820
Rotate as heartbeat, for any static secret enforce length and scheduled rotation.
2310
02:11:23,820 –> 02:11:26,180
Restrict logon rights to exact hosts.
2311
02:11:26,180 –> 02:11:29,420
Remove SPN write permissions from broad groups.
2312
02:11:29,420 –> 02:11:32,500
Make SPN creation a ticketed event.
2313
02:11:32,500 –> 02:11:33,820
Quarterly attest.
2314
02:11:33,820 –> 02:11:35,580
Owner, purpose, rights.
2315
02:11:35,580 –> 02:11:37,260
Last rotate date.
2316
02:11:37,260 –> 02:11:38,420
Delegation targets.
2317
02:11:38,420 –> 02:11:40,820
Six, LAPS everywhere.
2318
02:11:40,820 –> 02:11:45,300
Unique local administrator passwords on every workstation and server.
2319
02:11:45,300 –> 02:11:46,500
Rotate regularly.
2320
02:11:46,500 –> 02:11:51,660
Deny reading LAPS attributes to anyone outside a small audited group.
2321
02:11:51,660 –> 02:11:56,620
Pair with remote UAC so local admin tokens do not cross boundaries without intent.
2322
02:11:56,620 –> 02:11:58,620
Shared local admin dies today.
2323
02:11:58,620 –> 02:12:00,540
Seven, segment east west.
2324
02:12:00,540 –> 02:12:03,740
Workstations cannot WinRM to servers by default.
2325
02:12:03,740 –> 02:12:06,780
Servers cannot RDP to domain controllers.
2326
02:12:06,780 –> 02:12:12,620
Only jump hosts in a management VLAN may cross to tier zero and tier one.
2327
02:12:12,620 –> 02:12:17,780
Deny by default, allow by purpose, validate rules with flow logs.
2328
02:12:17,780 –> 02:12:22,100
Every unexpected beam is an alert, not a trivia question.
2329
02:12:22,100 –> 02:12:24,500
Eight, baselines are law.
2330
02:12:24,500 –> 02:12:26,900
Apply hardened GPOs.
2331
02:12:26,900 –> 02:12:28,740
LSA protection.
2332
02:12:28,740 –> 02:12:29,740
Credential guard.
2333
02:12:29,740 –> 02:12:32,020
SMB signing always.
2334
02:12:32,020 –> 02:12:34,820
LDAP channel binding required.
2335
02:12:34,820 –> 02:12:37,140
WDIGEST disabled.
2336
02:12:37,140 –> 02:12:40,460
Print spooler off on servers that do not print.
2337
02:12:40,460 –> 02:12:42,660
Legacy protocols removed.
2338
02:12:42,660 –> 02:12:45,740
PowerShell logging and transcription where risk demands.
2339
02:12:45,740 –> 02:12:48,540
Sysmon deployed with a curated rule set.
2340
02:12:48,540 –> 02:12:52,820
Application control on PAWs, DCs, tier zero servers.
2341
02:12:52,820 –> 02:12:54,980
Nine, Kerberos lives with ritual.
2342
02:12:54,980 –> 02:13:00,260
Rotate KRBTGT twice on a planned cadence and after compromise.
2343
02:13:00,260 –> 02:13:03,060
Shorten ticket lifetimes for high value identities.
2344
02:13:03,060 –> 02:13:06,780
Enable PAC validation on sensitive services that support it.
2345
02:13:06,780 –> 02:13:09,220
Audit for duplicate or stale SPNs.
2346
02:13:09,220 –> 02:13:11,420
Remove wildcard targets in delegation.
2347
02:13:11,420 –> 02:13:13,380
Kerberos armoring where feasible.
2348
02:13:13,380 –> 02:13:14,700
Time aligned to keys.
2349
02:13:14,700 –> 02:13:16,380
Ten, monitor chords, not notes.
2350
02:13:16,380 –> 02:13:22,980
Forward 4768, 4769, 4672, 4662 for replication,
2351
02:13:22,980 –> 02:13:31,020
4728, 4729, 4732, 4733, 7045, 474.
2352
02:13:31,020 –> 02:13:33,300
Collect Sysmon 1, 3, 7, 10, 11.
2353
02:13:33,300 –> 02:13:35,300
Build correlations.
2354
02:13:35,300 –> 02:13:42,260
Privileged logon plus SPN spike plus new service equals page now.
2355
02:13:42,260 –> 02:13:45,540
Tag hosts by tier and patch age.
2356
02:13:45,540 –> 02:13:49,500
Weight alerts by blast radius.
2357
02:13:49,500 –> 02:13:51,500
Silence is drift. Eleven,
2358
02:13:51,500 –> 02:13:52,700
patch by metronome.
2359
02:13:52,700 –> 02:13:54,180
Cohorts by tier.
2360
02:13:54,180 –> 02:13:55,180
Canary.
2361
02:13:55,180 –> 02:13:56,180
Then wave.
2362
02:13:56,180 –> 02:13:57,980
Exceptions expire by date.
2363
02:13:57,980 –> 02:13:59,180
Dashboards show age.
2364
02:13:59,180 –> 02:14:02,140
Isolation for nodes that cannot comply.
2365
02:14:02,140 –> 02:14:06,420
Legacy paths behind proxies with mutual TLS.
2366
02:14:06,420 –> 02:14:08,100
Compensate loudly.
2367
02:14:08,100 –> 02:14:12,580
Telemetry amplified, firewall rules strict, time is governance.
2368
02:14:12,580 –> 02:14:15,860
Twelve, backups are real or they are fantasy.
2369
02:14:15,860 –> 02:14:18,340
System state for every DC on schedule.
2370
02:14:18,340 –> 02:14:20,420
Off the box immutable.
2371
02:14:20,420 –> 02:14:25,580
Quarterly lab restore that ends with a new client trusting the restored DC without manual
2372
02:14:25,580 –> 02:14:26,580
blessing.
2373
02:14:26,580 –> 02:14:30,460
ADCS database and keys backed up and tested.
2374
02:14:30,460 –> 02:14:32,260
GPOs exported.
2375
02:14:32,260 –> 02:14:33,500
Runbook printed.
2376
02:14:33,500 –> 02:14:35,060
Phone numbers verified.
2377
02:14:35,060 –> 02:14:36,540
Roles rehearsed.
2378
02:14:36,540 –> 02:14:38,180
13. Practice the fall.
2379
02:14:38,180 –> 02:14:39,660
Tabletop quarterly.
2380
02:14:39,660 –> 02:14:41,820
Live fire in lab twice a year.
2381
02:14:41,820 –> 02:14:42,820
Rebuild a DC.
2382
02:14:42,820 –> 02:14:45,060
Rotate KRBTGT twice.
2383
02:14:45,060 –> 02:14:47,060
Reissue a gMSA.
2384
02:14:47,060 –> 02:14:49,620
Validate PAC checks, measure time to stable orbit.
2385
02:14:49,620 –> 02:14:51,260
Edit law after every drill.
2386
02:14:51,260 –> 02:14:54,260
The universe respects rehearsal.
2387
02:14:54,260 –> 02:14:56,420
14.
2388
02:14:56,420 –> 02:14:57,900
Name owners.
2389
02:14:57,900 –> 02:14:58,900
Every GPO.
2390
02:14:58,900 –> 02:15:00,220
Every service principal.
2391
02:15:00,220 –> 02:15:01,620
Every certificate template.
2392
02:15:01,620 –> 02:15:04,380
Every firewall zone.
2393
02:15:04,380 –> 02:15:05,500
Ownership in a registry.
2394
02:15:05,500 –> 02:15:07,900
Humans can read a test quarterly.
2395
02:15:07,900 –> 02:15:10,180
Orphans are retired not tolerated.
2396
02:15:10,180 –> 02:15:12,940
Dead stars still bend light until removed.
2397
02:15:12,940 –> 02:15:13,940
15.
2398
02:15:13,940 –> 02:15:14,940
Close the coercions.
2399
02:15:14,940 –> 02:15:18,020
Disable the print spooler where unnecessary.
2400
02:15:18,020 –> 02:15:19,780
Retire SMBv1.
2401
02:15:19,780 –> 02:15:22,660
Restrict NTLM relay by signing and channel binding.
2402
02:15:22,660 –> 02:15:25,580
Reduce implicit trust in management protocols.
2403
02:15:25,580 –> 02:15:31,260
Every coercion trimmed is one less tide dragging identity outward.
2404
02:15:31,260 –> 02:15:32,940
16.
2405
02:15:32,940 –> 02:15:37,100
Vendors with physics change windows defended by leadership.
2406
02:15:37,100 –> 02:15:41,180
Incident language plane scope confidence impact next decision.
2407
02:15:41,180 –> 02:15:43,300
Reward boring success on time.
2408
02:15:43,300 –> 02:15:44,980
Post incident reviews.
2409
02:15:44,980 –> 02:15:46,300
Revise process.
2410
02:15:46,300 –> 02:15:47,940
Not people.
2411
02:15:47,940 –> 02:15:50,380
Vendors are held to gravity.
2412
02:15:50,380 –> 02:15:51,980
Support for GMSA.
2413
02:15:51,980 –> 02:15:54,620
Signing binding modern authentication.
2414
02:15:54,620 –> 02:15:56,940
Lab echo load chime.
2415
02:15:56,940 –> 02:15:59,700
Policy set SMB signing always.
2416
02:15:59,700 –> 02:16:04,740
LDAP channel binding required.
2417
02:16:04,740 –> 02:16:06,740
LAPS rotation complete.
2418
02:16:06,740 –> 02:16:08,740
Bass pulse softens.
2419
02:16:08,740 –> 02:16:10,740
KRBTGT rotation scheduled.
2420
02:16:10,740 –> 02:16:12,740
Pass one in seven days.
2421
02:16:12,740 –> 02:16:14,740
Pass two in nine.
2422
02:16:14,740 –> 02:16:16,740
You cannot make this universe perfect.
2423
02:16:16,740 –> 02:16:18,740
But you can make it loud when it bends.
2424
02:16:18,740 –> 02:16:21,740
You can make privilege ceremonial and drift impatient.
2425
02:16:21,740 –> 02:16:23,740
You can make collapse reversible.