Dec. 21, 2025

Active Directory is a Black Hole: The Physics of Security Drift (Part 1)


In this episode, we explore the hidden architecture that powers today’s digital world — from network edges and data fabrics to auditing, security, and infrastructure visibility. We break down how modern systems are built, monitored, and protected, and why transparency across complex networks is no longer optional.

🚀 What You’ll Learn in This Episode
  • What the “edge of the network” really means
  • How data is recorded, audited, and monitored in real time
  • Why visibility across systems is the backbone of modern cybersecurity
  • The role of automation and observability in preventing breaches
  • How organizations maintain trust, compliance, and performance at scale
  • The growing importance of resilient digital infrastructure

🧠 Key Topics Covered
  • Network perimeter vs. cloud-based systems
  • Security logging and audit trails
  • Data integrity and system verification
  • Infrastructure monitoring
  • Compliance, governance, and risk
  • Scalability challenges in modern networks

💬 Notable Themes
“If you can’t see it, you can’t secure it.”
This episode emphasizes that visibility is the foundation of security, reliability, and operational success.

👥 Who This Episode Is For
  • IT Professionals
  • Cybersecurity Analysts
  • Network Engineers
  • Startup Founders & CTOs
  • Anyone interested in how digital systems truly work


Become a supporter of this podcast: https://www.spreaker.com/podcast/m365-show-podcast--6704921/support.

Follow us on:
LinkedIn
Substack
Transcript
1
00:00:00,000 --> 00:00:02,400
At the edge of your network, time moves differently.

2
00:00:02,400 --> 00:00:07,560
Patches drift like red-shifted signals, passwords orbit forever,

3
00:00:07,560 --> 00:00:11,760
a domain controller from another era hums as if alone.

4
00:00:11,760 --> 00:00:15,400
Inside, threads of services trade secrets like starlight,

5
00:00:15,400 --> 00:00:18,800
tickets, trusts, shares. We call it normal operations.

6
00:00:18,800 --> 00:00:23,600
It is surface tension. A single misconfiguration bends the field.

7
00:00:23,600 --> 00:00:27,120
Legacy protocol. A forgotten share.

8
00:00:27,120 --> 00:00:29,360
The attacker does not force entry.

9
00:00:29,360 --> 00:00:34,960
They follow gravity. Tonight we descend. Domains as galaxies.

10
00:00:34,960 --> 00:00:39,520
Trusts as wormholes. Controllers as singularities.

11
00:00:39,520 --> 00:00:43,520
We will map, exploit, and reinforce the fabric.

12
00:00:43,520 --> 00:00:46,680
Record, audit, listen, enter.

13
00:00:46,680 --> 00:00:50,280
Windows infrastructure. The first coordinates form.

14
00:00:50,280 --> 00:00:53,760
We fall. The universe of Windows infrastructure.

15
00:00:53,760 --> 00:00:57,760
We begin with a simple truth. Data has its own gravity.

16
00:00:57,760 --> 00:01:01,360
Windows infrastructure is not a diagram. It is a cosmos.

17
00:01:01,360 --> 00:01:05,520
Workgroups form dust. Domains ignite into stars.

18
00:01:05,520 --> 00:01:11,040
Forests bind into galaxies. Trusts, tunnel-like wormholes between them.

19
00:01:11,040 --> 00:01:15,320
Power BI does not simply show us. The directory defines us.

20
00:01:15,320 --> 00:01:19,720
Roles coalesce. Domain controllers as cores.

21
00:01:19,720 --> 00:01:24,200
FSMO roles as spin. DNS as navigation.

22
00:01:24,200 --> 00:01:27,200
Group policy as the laws that hold it all together.

23
00:01:27,200 --> 00:01:29,200
But time has its own opinion.

24
00:01:29,200 --> 00:01:33,480
Misconfigurations create curvature. Drift accumulates.

25
00:01:33,480 --> 00:01:35,800
Authentication bends around mass.

26
00:01:35,800 --> 00:01:38,600
Kerberos and NTLM tokens pack.

27
00:01:38,600 --> 00:01:42,320
Attackers do not rush. They listen for pressure gradients.

28
00:01:42,320 --> 00:01:44,720
And fall along the easiest slope.

29
00:01:44,720 --> 00:01:48,600
We will move from the outer halo to the singular core.

30
00:01:48,600 --> 00:01:52,480
Enumeration as astronomy. Privileges as fuel.

31
00:01:52,480 --> 00:01:57,160
Credentials as radiation and delegation as curved space.

32
00:01:57,160 --> 00:02:00,600
Each concept will arrive paired with its counter force.

33
00:02:00,600 --> 00:02:03,960
Hygiene, segmentation, baselines, monitoring.

34
00:02:03,960 --> 00:02:07,960
And in those rare moments, we will let the system speak for itself.

35
00:02:07,960 --> 00:02:10,520
A quiet chime when drift begins.

36
00:02:10,520 --> 00:02:12,640
A bass pulse when identity bends.

37
00:02:12,640 --> 00:02:17,840
The goal is not invincibility. The goal is orbit, stable, deliberate, sustained against

38
00:02:17,840 --> 00:02:19,680
fear and noise.

39
00:02:19,680 --> 00:02:24,400
From workgroup dust to domain galaxies, we start with a single machine.

40
00:02:24,400 --> 00:02:26,200
Unjoined, unobserved.

41
00:02:26,200 --> 00:02:28,840
A workgroup host is a rock in the void.

42
00:02:28,840 --> 00:02:32,400
Local accounts. Local policy. Local truths.

43
00:02:32,400 --> 00:02:35,040
It survives by isolation or by luck.

44
00:02:35,040 --> 00:02:38,000
There is no shared sky. No central gravity.

45
00:02:38,000 --> 00:02:41,280
Every login is a coin toss against entropy.

46
00:02:41,280 --> 00:02:43,120
Add another machine.

47
00:02:43,120 --> 00:02:46,160
A printer server. A file share.

48
00:02:46,160 --> 00:02:49,840
Human habit begins to braid threads across them.

49
00:02:49,840 --> 00:02:51,320
Mapped drives.

50
00:02:51,320 --> 00:02:56,360
Remembered passwords, a script that copies reports at midnight.

51
00:02:56,360 --> 00:02:57,800
Constraint appears.

52
00:02:57,800 --> 00:02:59,120
So does risk.

53
00:02:59,120 --> 00:03:02,920
This is proto-gravity, fragile, improvised.

54
00:03:02,920 --> 00:03:04,800
Then a domain arrives.

55
00:03:04,800 --> 00:03:06,400
Active Directory.

56
00:03:06,400 --> 00:03:08,280
Domain Services is not a database.

57
00:03:08,280 --> 00:03:11,280
It is the mass that gives shape to the enterprise.

58
00:03:11,280 --> 00:03:12,800
We promote a server.

59
00:03:12,800 --> 00:03:14,600
It becomes a domain controller.

60
00:03:14,600 --> 00:03:17,720
At that moment, identity stops being provincial.

61
00:03:17,720 --> 00:03:20,120
It becomes interstellar.

62
00:03:20,120 --> 00:03:21,920
And stops being a handshake.

63
00:03:21,920 --> 00:03:23,760
It becomes a curve.

64
00:03:23,760 --> 00:03:26,280
Domain controllers do not simply respond.

65
00:03:26,280 --> 00:03:27,680
They define.

66
00:03:27,680 --> 00:03:31,720
They hold the schema, the replication topology, the naming context.

67
00:03:31,720 --> 00:03:34,720
FSMO roles emerge like spins and tides.

68
00:03:34,720 --> 00:03:37,320
The schema master governs evolution.

69
00:03:37,320 --> 00:03:40,440
The domain naming master approves new worlds.

70
00:03:40,440 --> 00:03:45,160
The RID master mints identities, ensuring no two stars share a name.

71
00:03:45,160 --> 00:03:50,040
The PDC emulator sets the clock, and therefore sets truth.

72
00:03:50,040 --> 00:03:52,760
Domed drift is security drift.

73
00:03:52,760 --> 00:03:59,360
The infrastructure master maintains references, the quiet librarian of a growing galaxy.

74
00:03:59,360 --> 00:04:01,680
Move one carelessly and you change the tides.

75
00:04:01,680 --> 00:04:04,840
Lose one unknowingly and satellites begin to wobble.

76
00:04:04,840 --> 00:04:06,240
Member servers join the field.

77
00:04:06,240 --> 00:04:07,240
They are not peers.

78
00:04:07,240 --> 00:04:08,400
They are orbiters.

79
00:04:08,400 --> 00:04:11,080
They borrow authority from the core.

80
00:04:11,080 --> 00:04:16,440
Services resolve through DNS, which becomes the navigation system for everything alive.

81
00:04:16,440 --> 00:04:18,560
If DNS lies, everything follows.

82
00:04:18,560 --> 00:04:22,280
A poisoned map does not look dangerous until ships never arrive.

83
00:04:22,280 --> 00:04:28,700
In Windows, a misdirected SPN, a spoofed record, a stale glue entry, each is a fold in the

84
00:04:28,700 --> 00:04:33,040
chart, a way to bend the traveler toward a trap.

85
00:04:33,040 --> 00:04:36,840
Forests form when separate domains share a root of trust.

86
00:04:36,840 --> 00:04:41,240
Trees anchor under common schema and configuration.

87
00:04:41,240 --> 00:04:47,960
Forests are galaxies, vast internally transitive, opinionated about consistency.

88
00:04:47,960 --> 00:04:50,920
Across them, trusts create shortcuts through space.

89
00:04:50,920 --> 00:04:54,040
Some are forest trusts, grand and transitive.

90
00:04:54,040 --> 00:04:56,520
Some are external, brittle and non-transitive.

91
00:04:56,520 --> 00:05:01,000
Some are shortcuts, built to appease latency and human patience.

92
00:05:01,000 --> 00:05:04,680
Each trust is a wormhole, stable when engineered with care.

93
00:05:04,680 --> 00:05:06,440
Chaotic when neglected.

94
00:05:06,440 --> 00:05:09,040
Every line of trust is a new gradient.

95
00:05:09,040 --> 00:05:11,240
Every gradient can be followed.

96
00:05:11,240 --> 00:05:14,280
Security does not fail with noise, it fails with inertia.

97
00:05:14,280 --> 00:05:17,160
We add a test trust for a merger that never closes.

98
00:05:17,160 --> 00:05:18,480
It remains.

99
00:05:18,480 --> 00:05:21,680
We create an external trust for a vendor integration.

100
00:05:21,680 --> 00:05:24,040
The vendor changes, the trust does not.

101
00:05:24,040 --> 00:05:26,240
The directory remembers everything.

102
00:05:26,240 --> 00:05:28,480
Attackers remember only what is useful.

103
00:05:28,480 --> 00:05:31,320
Group policy arrives as the laws of physics.

104
00:05:31,320 --> 00:05:33,040
Baselines define what is possible.

105
00:05:33,040 --> 00:05:34,320
Who can log on locally?

106
00:05:34,320 --> 00:05:37,960
Which protocols are allowed to speak, whether signing is enforced?

107
00:05:37,960 --> 00:05:41,080
Whether passwords are bounded by entropy rather than tradition.

108
00:05:41,080 --> 00:05:44,560
When laws are miswritten, attackers do not argue.

109
00:05:44,560 --> 00:05:46,600
They obey with precision.

110
00:05:46,600 --> 00:05:51,000
A GPO that grants local admin to a temporary desktop support

111
00:05:51,000 --> 00:05:54,480
group outlives the person who created it.

112
00:05:54,480 --> 00:05:56,520
Gravity does not care about intent.

113
00:05:56,520 --> 00:05:58,280
Now, consider the roles again.

114
00:05:58,280 --> 00:06:00,200
Domain controllers are gravity wells.

115
00:06:00,200 --> 00:06:03,400
Their mass is credential validation, ticket issuance,

116
00:06:03,400 --> 00:06:05,280
directory integrity.

117
00:06:05,280 --> 00:06:09,120
Services orbit closer or farther based on privilege.

118
00:06:09,120 --> 00:06:11,640
A file server is a moon with resources.

119
00:06:11,640 --> 00:06:15,160
A print server is a satellite with side effects,

120
00:06:15,160 --> 00:06:19,000
often under-defended, often trusted, more than it should be.

121
00:06:19,000 --> 00:06:23,080
An application server with an SPN is a bright star.

122
00:06:23,080 --> 00:06:25,760
It emits service tickets and therefore draws attention.

123
00:06:25,760 --> 00:06:29,080
If that star is configured with unconstrained delegation,

124
00:06:29,080 --> 00:06:30,840
it becomes a furnace.

125
00:06:30,840 --> 00:06:35,520
Tickets gather, TGTs flow, heat invites collapse.

126
00:06:35,520 --> 00:06:38,360
Member workstations are dust in the lanes.

127
00:06:38,360 --> 00:06:41,560
They carry cached trust, tokens in memory,

128
00:06:41,560 --> 00:06:45,640
sessions that care about convenience more than conservation.

129
00:06:45,640 --> 00:06:48,240
The local security authority holds the key ring.

130
00:06:48,240 --> 00:06:51,240
If left unshielded, it will share under pressure.

131
00:06:51,240 --> 00:06:54,160
Credential Guard and LSA protection are not features.

132
00:06:54,160 --> 00:06:56,000
They are radiation shields.

133
00:06:56,000 --> 00:06:58,760
We must name the shape so we can measure the drift.

134
00:06:58,760 --> 00:07:02,840
A forest can trust another forest.

135
00:07:02,840 --> 00:07:04,920
The wormhole is transitive.

136
00:07:04,920 --> 00:07:08,200
What is trusted inside one may leap across to the other.

137
00:07:08,200 --> 00:07:10,800
An external trust is a narrow tunnel.

138
00:07:10,800 --> 00:07:15,000
It does not grant transit beyond the farmhouse.

139
00:07:15,000 --> 00:07:20,200
Shortcut trusts are bridges built to cross the chasm of latency.

140
00:07:20,200 --> 00:07:23,200
They often become smugglers' roads.

141
00:07:23,200 --> 00:07:25,240
And each trust has directionality.

142
00:07:25,240 --> 00:07:27,040
One way is a gate with a guard.

143
00:07:27,040 --> 00:07:29,360
Two way is a celebration that never ends.

144
00:07:29,360 --> 00:07:31,880
Most people think security begins at the core.

145
00:07:31,880 --> 00:07:32,720
But they are wrong.

146
00:07:32,720 --> 00:07:37,360
It begins at the edge where dust decides whether to gather.

147
00:07:37,360 --> 00:07:43,180
That creates policies, naming discipline, groups, scopes, and the humility to keep tiers

148
00:07:43,180 --> 00:07:44,340
small.

149
00:07:44,340 --> 00:07:46,880
These are acts of defiance against the unknown.

150
00:07:46,880 --> 00:07:49,680
We keep domain admin as myths, not as convenience.

151
00:07:49,680 --> 00:07:53,160
We keep service accounts bound by least privilege, not tradition.

152
00:07:53,160 --> 00:08:00,760
We keep the KRBTGT periodic reset as ritual, a calendared acknowledgement that secrets decay.

153
00:08:00,760 --> 00:08:02,240
Listen for the system's whisper.

154
00:08:02,240 --> 00:08:05,080
A low chime when drift begins.

155
00:08:05,080 --> 00:08:08,920
A trusted domain goes offline and nobody notices.

156
00:08:08,920 --> 00:08:11,800
A bass pulse when identity bends.

157
00:08:11,800 --> 00:08:16,640
A service account added to Backup Operators just for a week.

158
00:08:16,640 --> 00:08:20,760
The map darkens, the gravity shifts, the next orbit begins.

159
00:08:20,760 --> 00:08:22,320
We anchor the picture.

160
00:08:22,320 --> 00:08:23,800
Workgroup dust.

161
00:08:23,800 --> 00:08:24,800
Domain ignition.

162
00:08:24,800 --> 00:08:26,280
Forest gravity.

163
00:08:26,280 --> 00:08:27,480
Trust wormholes.

164
00:08:27,480 --> 00:08:29,000
Group policy as physics.

165
00:08:29,000 --> 00:08:30,640
DNS is navigation.

166
00:08:30,640 --> 00:08:32,720
Domain controllers are singularities.

167
00:08:32,720 --> 00:08:35,200
Each decision adds mass or removes it.

168
00:08:35,200 --> 00:08:37,440
Each exception changes curvature.

169
00:08:37,440 --> 00:08:43,200
And when fabric lights them up on our horizon, we will see not chaos, but consequence.

170
00:08:43,200 --> 00:08:45,080
The universe still wants to be understood.

171
00:08:45,080 --> 00:08:46,800
Let us measure before we move.

172
00:08:46,800 --> 00:08:48,160
Let us map before we run.

173
00:08:48,160 --> 00:08:49,480
We have named the bodies.

174
00:08:49,480 --> 00:08:51,280
Now we chart the light.

175
00:08:51,280 --> 00:08:52,800
The critical services.

176
00:08:52,800 --> 00:08:54,120
Stars in the core.

177
00:08:54,120 --> 00:08:58,280
We descend toward the core and find the constants that define motion.

178
00:08:58,280 --> 00:09:02,240
DNS, DHCP, directory services, file and print, group policy.

179
00:09:02,240 --> 00:09:03,320
Each is not a feature.

180
00:09:03,320 --> 00:09:04,320
Each is a star.

181
00:09:04,320 --> 00:09:05,760
Their light sets the lanes.

182
00:09:05,760 --> 00:09:09,120
Their gravity decides what orbits and what falls.

183
00:09:09,120 --> 00:09:10,120
Start with DNS.

184
00:09:10,120 --> 00:09:11,320
It is not a phone book.

185
00:09:11,320 --> 00:09:12,920
It is navigation.

186
00:09:12,920 --> 00:09:14,560
Every Kerberos exchange.

187
00:09:14,560 --> 00:09:16,080
Every SMB path.

188
00:09:16,080 --> 00:09:20,320
Every policy retrieval begins by asking where reality lives.

189
00:09:20,320 --> 00:09:22,880
If DNS lies, everything follows.

190
00:09:22,880 --> 00:09:26,200
A poisoned record bends routes toward an attacker's shore.

191
00:09:26,200 --> 00:09:32,640
A stale SPN mapping points a service ticket at the wrong host and silently sabotages trust.

192
00:09:32,640 --> 00:09:37,600
Split brain zones with careless scavenging cause phantom hosts to remain.

193
00:09:37,600 --> 00:09:40,280
And clients continue to orbit ghosts.

194
00:09:40,280 --> 00:09:46,640
In this universe, a single TXT record used for a forgotten validation remains an unguarded

195
00:09:46,640 --> 00:09:47,720
beacon.

196
00:09:47,720 --> 00:09:53,400
And a wildcard thought harmless becomes a dark lens that distorts resolution.

197
00:09:53,400 --> 00:09:59,520
Split as if it were the map itself, signed zones, tight update permissions, scavenging with

198
00:09:59,520 --> 00:10:04,800
intention, and collectors that notice when a critical host's address changes outside a

199
00:10:04,800 --> 00:10:06,320
maintenance tide.

200
00:10:06,320 --> 00:10:08,680
DHCP is breath.

201
00:10:08,680 --> 00:10:10,480
Leases are pulses.

202
00:10:10,480 --> 00:10:14,960
When scope options drift, clients inherit a future they did not choose.

203
00:10:14,960 --> 00:10:18,680
A rogue DHCP server does not shout.

204
00:10:18,680 --> 00:10:24,040
It whispers a default gateway that leads away from inspection and toward ambush.

205
00:10:24,040 --> 00:10:27,040
Option 15 points them into a domain that is not theirs.

206
00:10:27,040 --> 00:10:31,280
Option 6 hands them a resolver that edits the sky.

207
00:10:31,280 --> 00:10:33,760
Reservations become identity anchors.

208
00:10:33,760 --> 00:10:38,440
Neglect turns them into fossils that attract confusion.

209
00:10:38,440 --> 00:10:40,240
The defense is choreography.

210
00:10:40,240 --> 00:10:47,200
DHCP snooping, authenticated updates bound to DNS with GSS-TSIG, scope hygiene that refuses

211
00:10:47,200 --> 00:10:52,160
convenience and a ledger that proves who promised the route.

212
00:10:52,160 --> 00:10:57,540
Active Directory Domain Services sits at the center, naming contexts, replication,

213
00:10:57,540 --> 00:10:59,480
the KDC's heartbeat.

214
00:10:59,480 --> 00:11:00,800
It is mass.

215
00:11:00,800 --> 00:11:06,480
The KDC issues TGTs like stellar passports, then stamps service tickets that curve toward

216
00:11:06,480 --> 00:11:09,120
SPNs, but time has its own opinion.

217
00:11:09,120 --> 00:11:13,320
Stale KRBTGT secrets thicken the past into permanence.

218
00:11:13,320 --> 00:11:16,400
Replication topology ignored becomes split brain reality.

219
00:11:16,400 --> 00:11:21,840
Lingering objects are debris that collide with truth when a tombstone threshold is crossed.

220
00:11:21,840 --> 00:11:23,760
We harden by ritual.

221
00:11:23,760 --> 00:11:27,200
Health checks that read replication as seismography.

222
00:11:27,200 --> 00:11:34,120
KRBTGT rotation as celestial mechanics, privileged access sealed to tier boundaries, and audits

223
00:11:34,120 --> 00:11:39,600
that verify the semantic layer, the groups, the rights, the delegations, reflect present

224
00:11:39,600 --> 00:11:42,480
intent, not ancestral habit.

225
00:11:42,480 --> 00:11:45,760
SMB and file servers are supply routes.

226
00:11:45,760 --> 00:11:51,440
They carry payloads, policies, tools, secrets disguised as convenience.

227
00:11:51,440 --> 00:11:58,240
A share labeled software becomes an uncurrated nebula where unsigned binaries drift next to

228
00:11:58,240 --> 00:12:01,560
installers that request elevation.

229
00:12:01,560 --> 00:12:04,040
Scripts accumulate like comets.

230
00:12:04,040 --> 00:12:09,360
Someone adds credentials for automation, and suddenly, gravity acquires a handle.

231
00:12:09,360 --> 00:12:13,000
SMB signing is not a checkbox, it is structural integrity.

232
00:12:13,000 --> 00:12:17,600
Without it, NTLM relays rewrite routes in flight.

233
00:12:17,600 --> 00:12:21,600
Access control lists are not bureaucracy, they are orbital fences.

234
00:12:21,600 --> 00:12:23,880
Least privilege is not minimalism.

235
00:12:23,880 --> 00:12:25,840
It is stable mechanics.

236
00:12:25,840 --> 00:12:26,840
Readers read.

237
00:12:26,840 --> 00:12:27,840
Writers write.

238
00:12:27,840 --> 00:12:29,440
Custodians curate.

239
00:12:29,440 --> 00:12:32,400
And no one combines roles without consequence.

240
00:12:32,400 --> 00:12:36,280
Print servers are the underestimated satellites with tidal influence.

241
00:12:36,280 --> 00:12:40,000
They sit near every workstation, trusted by necessity.

242
00:12:40,000 --> 00:12:42,760
Historically noisy, often patched last.

243
00:12:42,760 --> 00:12:47,400
They bridge user context and elevated service behavior.

244
00:12:47,400 --> 00:12:50,360
A spooler misconfigured becomes a relay mirror.

245
00:12:50,360 --> 00:12:56,040
A driver package signed in an age of lenience continues to install with ceremony.

246
00:12:56,040 --> 00:13:03,280
We contain by narrowing the blast cone: disable what is not required, isolate roles, force

247
00:13:03,280 --> 00:13:08,600
updates to occur within windows that are watched and treat printer administration as a tier

248
00:13:08,600 --> 00:13:11,360
one boundary, not an afterthought.

249
00:13:11,360 --> 00:13:12,560
Group policy is the law.

250
00:13:12,560 --> 00:13:16,000
It falls like gravity from the core to the edge.

251
00:13:16,000 --> 00:13:17,920
It is how we write the constants.

252
00:13:17,920 --> 00:13:23,880
Password length, Kerberos hardening, SMB signing, script execution, LSA protection, but

253
00:13:23,880 --> 00:13:25,240
law can be forged.

254
00:13:25,240 --> 00:13:30,080
Link order and inheritance are rivers that can be dammed or diverted.

255
00:13:30,080 --> 00:13:36,200
A single high precedence GPO created for a midnight rescue remains linked, overrides

256
00:13:36,200 --> 00:13:38,240
a baseline and weakens the hull.

257
00:13:38,240 --> 00:13:41,160
We defend by publishing Constitution and Court.

258
00:13:41,160 --> 00:13:48,560
A baseline set sealed, change control that requires signatures, WMI filters that are documented,

259
00:13:48,560 --> 00:13:54,840
and a drift detector that compares policy as defined versus policy as applied.

260
00:13:54,840 --> 00:13:57,000
The universe still wants to be understood.

261
00:13:57,000 --> 00:13:59,720
Group policy is the language we use to define it.

262
00:13:59,720 --> 00:14:04,800
Now connect them: DNS tells us where, DHCP tells us how to breathe, directory tells us who.

263
00:14:04,800 --> 00:14:06,560
SMB carries what.

264
00:14:06,560 --> 00:14:08,960
Print translates desire into matter.

265
00:14:08,960 --> 00:14:10,640
Group policy binds them with law.

266
00:14:10,640 --> 00:14:12,680
When one bends, the others accommodate.

267
00:14:12,680 --> 00:14:14,440
When two bend, the fabric ripples.

268
00:14:14,440 --> 00:14:16,560
When three bend, orbit decays.

269
00:14:16,560 --> 00:14:18,120
Listen for the signs.

270
00:14:18,120 --> 00:14:20,880
A low chime, when drift begins.

271
00:14:20,880 --> 00:14:26,360
A DNS record for a controller shifts outside change windows.

272
00:14:26,360 --> 00:14:29,040
A bass pulse when identity bends.

273
00:14:29,040 --> 00:14:35,560
A GPO link appears at the domain root with Authenticated Users granted apply.

274
00:14:35,560 --> 00:14:40,760
Sysmon murmurs when a workstation reaches into LSASS with new intent.

275
00:14:40,760 --> 00:14:46,760
Event 4769 clusters when service tickets spike for a service that does not see new demand.

276
00:14:46,760 --> 00:14:48,760
The map darkens.

277
00:14:48,760 --> 00:14:51,120
Our response is not panic, it is physics.

278
00:14:51,120 --> 00:14:53,880
We sign, we segment, we baseline, we monitor.

279
00:14:53,880 --> 00:14:58,280
We accept that convenience is gravity and that every exception adds mass.

280
00:14:58,280 --> 00:15:00,320
We choose structure over folklore.

281
00:15:00,320 --> 00:15:04,360
We hold the constants so that everything else can move without falling.

282
00:15:04,360 --> 00:15:06,640
And the next orbit begins.

283
00:15:06,640 --> 00:15:09,280
Threat actors as astrophysicists.

284
00:15:09,280 --> 00:15:14,040
We speak of services and stars, but there are minds that study their motion and exploit

285
00:15:14,040 --> 00:15:15,520
their curves.

286
00:15:15,520 --> 00:15:18,000
Threat actors are not always loud invaders.

287
00:15:18,000 --> 00:15:20,640
They are often patient astronomers.

288
00:15:20,640 --> 00:15:22,800
They watch, they measure drift.

289
00:15:22,800 --> 00:15:25,080
They wait for gravity to do the work.

290
00:15:25,080 --> 00:15:27,200
At the edge are the opportunists.

291
00:15:27,200 --> 00:15:32,640
Script driven raiders who trawl the public sky for open ports and default configurations.

292
00:15:32,640 --> 00:15:34,040
They are comets.

293
00:15:34,040 --> 00:15:36,840
Bright, brief, destructive by inertia.

294
00:15:36,840 --> 00:15:39,400
They copy, paste, collide and leave debris.

295
00:15:39,400 --> 00:15:40,640
Their power is volume.

296
00:15:40,640 --> 00:15:42,160
Their weakness is noise.

297
00:15:42,160 --> 00:15:46,120
Baselines and sane defaults repel them like magnetic fields.

298
00:15:46,120 --> 00:15:49,720
Closer in are ransomware crews; they are engineers of entropy.

299
00:15:49,720 --> 00:15:54,240
They hunt for a foothold, then convert identity into leverage.

300
00:15:54,240 --> 00:15:56,440
Living off the land is their method.

301
00:15:56,440 --> 00:15:58,080
PowerShell as solar wind.

302
00:15:58,080 --> 00:16:00,320
WMI as silent thrust.

303
00:16:00,320 --> 00:16:02,360
PS remoting as a glide path.

304
00:16:02,360 --> 00:16:08,600
They chart shares, harvest scripts, map local admin reuse and assemble the pass-the-

305
00:16:08,600 --> 00:16:12,120
hash constellation until movement becomes inevitable.

306
00:16:12,120 --> 00:16:16,960
They do not need zero days when misconfiguration is constant gravity.

307
00:16:16,960 --> 00:16:23,000
Their signature is acceleration from a quiet credential to an orchestral shutdown.

308
00:16:23,000 --> 00:16:28,880
We counter not with theatrical defenses but with friction: LAPS rotation, SMB signing,

309
00:16:28,880 --> 00:16:34,040
local firewall rules that starve east-west traffic and privileged access that refuses

310
00:16:34,040 --> 00:16:36,200
to exist on workstations.

311
00:16:36,200 --> 00:16:38,080
Then there are the state aligned operators.

312
00:16:38,080 --> 00:16:39,760
They are patient physicists.

313
00:16:39,760 --> 00:16:41,680
They do not prize destruction.

314
00:16:41,680 --> 00:16:43,320
They prize persistence.

315
00:16:43,320 --> 00:16:49,640
They catalog trusts, name constraints and study Kerberos delegation like orbital mechanics.

316
00:16:49,640 --> 00:16:57,040
A stale KRBTGT is not merely a weakness, it is time frozen into fuel.

317
00:16:57,040 --> 00:17:02,320
An unconstrained delegation service is not simply misconfigured, it is a gravitational

318
00:17:02,320 --> 00:17:03,640
slingshot.

319
00:17:03,640 --> 00:17:07,760
They move slowly, often under the event horizon of routine.

320
00:17:07,760 --> 00:17:09,720
Their art is ambiguity.

321
00:17:09,720 --> 00:17:14,640
Normal process chains, plausible service queries, innocent tickets.

322
00:17:14,640 --> 00:17:20,640
One must therefore be relational, not singular, correlation across accounts, services and

323
00:17:20,640 --> 00:17:24,320
hours, looking for curvature that cannot be faked.

324
00:17:24,320 --> 00:17:28,200
Inside our own galaxies, we find internal red teams.

325
00:17:28,200 --> 00:17:33,160
They are friendly constellations engineered to stress our laws without tearing them.

326
00:17:33,160 --> 00:17:38,240
They pressure test the hull, they whisper truths, the universe already knows.

327
00:17:38,240 --> 00:17:44,080
Local privilege escalation remains common when services run with lax permissions.

328
00:17:44,080 --> 00:17:48,160
Backup Operators can mint power if left unguarded.

329
00:17:48,160 --> 00:17:53,800
Printers and management servers are too often satellites with hidden tidal pull.

330
00:17:53,800 --> 00:17:57,160
When they find a path to domain admin they hold up a mirror.

331
00:17:57,160 --> 00:18:00,880
The reflection is not flattery, it is governance.

332
00:18:00,880 --> 00:18:02,520
Insiders are the dark matter.

333
00:18:02,520 --> 00:18:05,640
Not always malicious, often careless, sometimes hurried.

334
00:18:05,640 --> 00:18:07,480
A saved password in a script.

335
00:18:07,480 --> 00:18:10,520
A temporary GPO link left at the root.

336
00:18:10,520 --> 00:18:15,520
A service account created with domain admin because the change window was closing.

337
00:18:15,520 --> 00:18:19,040
Their fingerprints are everywhere because their intentions were practical.

338
00:18:19,040 --> 00:18:21,680
We must govern intention.

339
00:18:21,680 --> 00:18:24,320
Least privilege is not a moral demand.

340
00:18:24,320 --> 00:18:26,240
It is physics.

341
00:18:26,240 --> 00:18:29,280
Consequences scale down so collapse remains improbable.

342
00:18:29,280 --> 00:18:30,920
Tools are not villains.

343
00:18:30,920 --> 00:18:32,400
PowerShell is a spectrum.

344
00:18:32,400 --> 00:18:33,400
WMI is a bus.

345
00:18:33,400 --> 00:18:34,400
PsExec is a courier.

346
00:18:34,400 --> 00:18:35,920
They are neutral particles.

347
00:18:35,920 --> 00:18:39,480
Our task is to read their behavior in context.

348
00:18:39,480 --> 00:18:44,880
A burst of remote service creation across subnets at midnight is not an accident.

349
00:18:44,880 --> 00:18:51,280
An unusual Kerberos service ticket requested for a high value SPN by an account that never

350
00:18:51,280 --> 00:18:54,000
touched it before is not curiosity.

351
00:18:54,000 --> 00:18:56,920
Event relationships form constellations.

352
00:18:56,920 --> 00:18:59,200
We read them as astronomers, not romantics.

353
00:18:59,200 --> 00:19:00,920
Dwell time is time dilation.

354
00:19:00,920 --> 00:19:05,440
The longer an intruder orbits without detection, the more their influence normalizes.

355
00:19:05,440 --> 00:19:08,440
What once felt like an anomaly begins to look like tide.

356
00:19:08,440 --> 00:19:09,440
This is drift.

357
00:19:09,440 --> 00:19:12,040
This is why baselines cannot be aspirational.

358
00:19:12,040 --> 00:19:13,360
They must be measured.

359
00:19:13,360 --> 00:19:15,600
We enforce Kerberos hardening.

360
00:19:15,600 --> 00:19:17,480
Retire NTLMv1.

361
00:19:17,480 --> 00:19:19,400
Enforce channel binding.

362
00:19:19,400 --> 00:19:23,000
Protect LSASS and seal tiers with ritual.

363
00:19:23,000 --> 00:19:25,120
The law must be gravity not suggestion.

364
00:19:25,120 --> 00:19:26,800
And now the lab echoes begin.

365
00:19:26,800 --> 00:19:29,240
The system whispers when hands move.

366
00:19:29,240 --> 00:19:30,320
Low chime.

367
00:19:30,320 --> 00:19:31,640
Windows Security.

368
00:19:31,640 --> 00:19:35,320
4769 clusters for a service that did not change.

369
00:19:35,320 --> 00:19:37,880
A curve forms.

370
00:19:37,880 --> 00:19:39,400
Bass pulse.

371
00:19:39,400 --> 00:19:40,880
Sysmon event 10.

372
00:19:40,880 --> 00:19:44,880
A process reaches for LSASS with unusual intent.

373
00:19:44,880 --> 00:19:45,880
Soft tick.

374
00:19:45,880 --> 00:19:49,240
A GPO link appears where no change was scheduled.

375
00:19:49,240 --> 00:19:50,240
We listen.

376
00:19:50,240 --> 00:19:51,240
We name the force.

377
00:19:51,240 --> 00:19:52,240
We correct the orbit.

378
00:19:52,240 --> 00:19:55,440
To exploit a universe, you do not start at the core.

379
00:19:55,440 --> 00:19:57,880
You start by mapping the stars.

380
00:19:57,880 --> 00:19:59,720
Mapping the constellations.

381
00:19:59,720 --> 00:20:02,800
We narrow our eyes and let the light reach us.

382
00:20:02,800 --> 00:20:04,760
Reconnaissance is not noise.

383
00:20:04,760 --> 00:20:05,760
It is astronomy.

384
00:20:05,760 --> 00:20:07,240
We do not pound on doors.

385
00:20:07,240 --> 00:20:08,240
We read the sky.

386
00:20:08,240 --> 00:20:11,560
To begin with distant light, open ports as spectral lines.

387
00:20:11,560 --> 00:20:16,960
53, 88, 135, 139, 389, 445, 5985, 3389.

388
00:20:16,960 --> 00:20:18,680
Each reveals composition.

389
00:20:18,680 --> 00:20:19,760
DNS speaks first.

390
00:20:19,760 --> 00:20:21,440
Kerberos answers in mathematics.

391
00:20:21,440 --> 00:20:23,480
SMB hums with cargo.

392
00:20:23,480 --> 00:20:25,040
Banner hints become roles.

393
00:20:25,040 --> 00:20:27,480
Timing becomes topology.

394
00:20:27,480 --> 00:20:29,160
The map is not a picture.

395
00:20:29,160 --> 00:20:31,560
It is a probability field.

396
00:20:31,560 --> 00:20:34,280
Then we read the star charts, the directory.

397
00:20:34,280 --> 00:20:38,080
We ask careful questions with LDP and PowerShell,

398
00:20:38,080 --> 00:20:38,920
who are we?

399
00:20:38,920 --> 00:20:40,040
Which groups claim us?

400
00:20:40,040 --> 00:20:41,800
Which SPNs beckon with service?

401
00:20:41,800 --> 00:20:44,200
Which service accounts stand too tall?

402
00:20:44,200 --> 00:20:45,560
We trace edges.

403
00:20:45,560 --> 00:20:48,840
Users to groups, groups to rights, rights to sessions,

404
00:20:48,840 --> 00:20:50,680
sessions to hosts.

405
00:20:50,680 --> 00:20:53,640
A single low-privileged account becomes a beacon.

406
00:20:53,640 --> 00:20:56,360
The graph unfurls into paths.

407
00:20:56,360 --> 00:20:57,200
We do not push.

408
00:20:57,200 --> 00:21:00,360
We let gravity show the routes already carved by habit.

409
00:21:00,360 --> 00:21:02,520
Defense speaks in boundaries.

410
00:21:02,520 --> 00:21:06,600
East-west segmentation dims needless horizons.

411
00:21:06,600 --> 00:21:09,400
RDP gates narrow approach vectors.

412
00:21:09,400 --> 00:21:12,280
Admin contexts separate into tiers

413
00:21:12,280 --> 00:21:15,000
so that noise at the edge never shakes the core.

414
00:21:15,000 --> 00:21:17,040
Least privilege reduces mass.

415
00:21:17,040 --> 00:21:19,600
Cleaning dead accounts removes debris.

416
00:21:19,600 --> 00:21:22,160
Drift detectors watch for new edges forming

417
00:21:22,160 --> 00:21:24,040
where none should exist.

418
00:21:24,040 --> 00:21:27,320
The lab echoes guide rhythm, low chime.

419
00:21:27,320 --> 00:21:29,680
Directory answers a query.

420
00:21:29,680 --> 00:21:32,360
A group we forgot still grants right.

421
00:21:32,360 --> 00:21:37,240
Base pulse, a spike in 4769 flows to a neglected SPN.

422
00:21:37,240 --> 00:21:40,600
Soft tick, a bloodhound style path count rises,

423
00:21:40,600 --> 00:21:43,040
edges multiply, risk condenses.

424
00:21:43,040 --> 00:21:44,240
We will map.

425
00:21:44,240 --> 00:21:46,760
And when the map darkens, we will know where to land

426
00:21:46,760 --> 00:21:50,000
softly and where to refuse gravity.

427
00:21:50,000 --> 00:21:52,560
Light from distant hosts, network mapping.

428
00:21:52,560 --> 00:21:53,840
We begin at a distance.

429
00:21:53,840 --> 00:21:55,200
We let photons arrive.

430
00:21:55,200 --> 00:21:56,760
We do not announce ourselves.

431
00:21:56,760 --> 00:21:58,080
We measure.

432
00:21:58,080 --> 00:22:00,160
A quiet sweep across the horizon

433
00:22:00,160 --> 00:22:06,360
reveals spectral lines, ports as elements, latency as distance,

434
00:22:06,360 --> 00:22:08,160
banners as temperature.

435
00:22:08,160 --> 00:22:17,520
53, 88, 135, 139, 389, 445, 5985, 3389.

436
00:22:17,520 --> 00:22:21,720
Each emission tells us what burns beneath the surface.

437
00:22:21,720 --> 00:22:23,720
DNS answers like a lighthouse.

438
00:22:23,720 --> 00:22:26,360
Kerberos replies in pure mathematics.

439
00:22:26,360 --> 00:22:28,400
RPC flickers with orchestration.

440
00:22:28,400 --> 00:22:30,280
SMB hums with cargo traffic.

441
00:22:30,280 --> 00:22:32,360
WinRM exhales management heat.

442
00:22:32,360 --> 00:22:34,160
RDP glows in the visible band.

443
00:22:34,160 --> 00:22:36,400
Most people think port scans are noise.

444
00:22:36,400 --> 00:22:37,320
But they are wrong.

445
00:22:37,320 --> 00:22:39,480
A disciplined map is seismography.

446
00:22:39,480 --> 00:22:42,760
We sample slowly to avoid disturbing the crust.

447
00:22:42,760 --> 00:22:46,000
A handful of packets per second, randomized timing,

448
00:22:46,000 --> 00:22:48,840
varied source ports to avoid resonance.

449
00:22:48,840 --> 00:22:53,160
We read responses like star charts, open, closed, filtered.

450
00:22:53,160 --> 00:22:54,880
The pattern sketches coastline.

451
00:22:54,880 --> 00:22:57,640
The coastline reveals where gravity concentrates.

452
00:22:57,640 --> 00:23:01,120
DNS first, because navigation precedes motion.

453
00:23:01,120 --> 00:23:03,000
A real resolver answers consistently

454
00:23:03,000 --> 00:23:05,880
with authoritative edges and sane TTLs.

455
00:23:05,880 --> 00:23:10,040
A poisoned one hesitates, leaks recursion it should not,

456
00:23:10,040 --> 00:23:12,960
or advertises split reality without symmetry.

457
00:23:12,960 --> 00:23:16,480
We ask for SRV records and watch which domain controllers

458
00:23:16,480 --> 00:23:18,000
step into the light.

459
00:23:18,000 --> 00:23:21,560
Their responses show site topology hidden inside service

460
00:23:21,560 --> 00:23:22,720
announcements.

461
00:23:22,720 --> 00:23:25,040
Anomalies mean either drift or deception.

462
00:23:25,040 --> 00:23:26,280
Either one is curvature.

463
00:23:26,280 --> 00:23:29,280
Kerberos on 88 is not merely open or closed.

464
00:23:29,280 --> 00:23:31,960
Its timing spreads like a Doppler shift.

465
00:23:31,960 --> 00:23:35,720
In healthy space, a KDC replies with steady cadence.

466
00:23:35,720 --> 00:23:39,480
Under strain or misplacement, replies lengthen at the edges,

467
00:23:39,480 --> 00:23:41,960
As if light climbing out of gravity,

468
00:23:41,960 --> 00:23:45,440
we request preauthentication for harmless principals.

469
00:23:45,440 --> 00:23:47,120
We do not break, we listen.

470
00:23:47,120 --> 00:23:49,760
If a response comes from an unexpected host,

471
00:23:49,760 --> 00:23:53,440
a trust wormhole may be closer than it appears.

472
00:23:53,440 --> 00:23:57,920
LDAP on 389 and 636 is the living directory surface.

473
00:23:57,920 --> 00:23:59,560
We do not enumerate yet.

474
00:23:59,560 --> 00:24:01,240
We test behavior.

475
00:24:01,240 --> 00:24:04,080
StartTLS capability announced but never honored

476
00:24:04,080 --> 00:24:05,920
indicates misaligned law.

477
00:24:05,920 --> 00:24:08,520
Anonymous binds disabled is a good sign.

478
00:24:08,520 --> 00:24:13,920
But if a device answers LDAP that is not a domain controller,

479
00:24:13,920 --> 00:24:17,320
we have found a proxy moon that bends queries out of sight.

480
00:24:17,320 --> 00:24:19,160
That is a path an attacker will prefer.

481
00:24:19,160 --> 00:24:20,920
That is a path we must name.

482
00:24:20,920 --> 00:24:23,240
SMB on 445 is a supply artery.

483
00:24:23,240 --> 00:24:25,240
The handshake speaks its own dialect.

484
00:24:25,240 --> 00:24:27,200
Does it promise signing or shrug?

485
00:24:27,200 --> 00:24:29,800
Does it support dialects that should be fossils?

486
00:24:29,800 --> 00:24:32,560
Does NTLM whisper when Kerberos should sing?

487
00:24:32,560 --> 00:24:34,040
We read negotiation.

488
00:24:34,040 --> 00:24:35,480
We infer policy.

489
00:24:35,480 --> 00:24:40,280
And if we witness the print spooler's reflex on 445 or 135,

490
00:24:40,280 --> 00:24:42,680
RPC calls, that should be quiet.

491
00:24:42,680 --> 00:24:45,240
we mark it as tidal influence that can be abused

492
00:24:45,240 --> 00:24:46,840
if left near the core.

493
00:24:46,840 --> 00:24:52,040
WinRM on 5985 and 5986 is administration's breath.

494
00:24:52,040 --> 00:24:56,240
If it answers broadly across subnets, identity can drift quickly.

495
00:24:56,240 --> 00:24:59,240
If it is bound tightly to management enclave,

496
00:24:59,240 --> 00:25:02,360
movement will be slower, more deliberate.

497
00:25:02,360 --> 00:25:06,000
The header identifies the host's opinion of itself,

498
00:25:06,000 --> 00:25:09,000
product versions, cipher preferences,

499
00:25:09,000 --> 00:25:13,040
the signatures of time, a cluster reveals standard images.

500
00:25:13,040 --> 00:25:17,080
Outliers betray ad hoc machines that do not share gravity.

501
00:25:17,080 --> 00:25:21,120
RDP on 3389 is a lens; network level authentication

502
00:25:21,120 --> 00:25:24,520
is the glass that refuses casual fingerprints.

503
00:25:24,520 --> 00:25:27,160
Without NLA, the surface accepts touches

504
00:25:27,160 --> 00:25:29,200
from anything that finds it.

505
00:25:29,200 --> 00:25:31,640
We observe the security layer chosen,

506
00:25:31,640 --> 00:25:35,480
the certificate offered, the presence of restricted admin.

507
00:25:35,480 --> 00:25:40,520
When RDP blooms across servers that should never be touched directly,

508
00:25:40,520 --> 00:25:43,440
we know convenience has replaced law.

509
00:25:43,440 --> 00:25:45,280
Lab echo, low chime.

510
00:25:45,280 --> 00:25:48,960
Spectrum sweep complete, 1,942 hosts responded.

511
00:25:48,960 --> 00:25:53,160
Port clusters align with 3 subnets, 445 open on 71%,

512
00:25:53,160 --> 00:25:57,320
5985 open on 18%, outliers detected.

513
00:25:57,320 --> 00:26:00,400
Now defense speaks because maps demand boundaries.

514
00:26:00,400 --> 00:26:03,040
We segment east-west, not as art,

515
00:26:03,040 --> 00:26:05,880
but as physics, gravity wells in their own subnets

516
00:26:05,880 --> 00:26:09,120
with firewalls that understand identity.

517
00:26:09,120 --> 00:26:12,080
Domain controllers speak only the protocols they must.

518
00:26:12,080 --> 00:26:15,600
File servers do not accept WinRM from workstations.

519
00:26:15,600 --> 00:26:18,240
Management traffic rides corridors with gates

520
00:26:18,240 --> 00:26:20,320
that lock every crossing.

521
00:26:20,320 --> 00:26:24,160
RDP tunnels through bastions that apply multifactor as atmosphere.

522
00:26:24,160 --> 00:26:25,920
We reduce reflexes.

523
00:26:25,920 --> 00:26:31,000
SMB signing enforced, so relays cannot rewrite routes mid-flight.

524
00:26:31,000 --> 00:26:34,800
NTLMV1 retired, LM forgotten, channel binding asserted,

525
00:26:34,800 --> 00:26:37,560
so tokens cannot be stolen and worn elsewhere.

526
00:26:37,560 --> 00:26:41,480
Local administrator reuse starved by password uniqueness,

527
00:26:41,480 --> 00:26:45,520
rotation as heartbeat, LAPS as the metronome.

528
00:26:45,520 --> 00:26:47,840
Service accounts lose their sprawl.

529
00:26:47,840 --> 00:26:52,360
They gain least privilege orbits with constrained permissions.

530
00:26:52,360 --> 00:26:57,680
We sample again slower still, the map stabilizes, banners align,

531
00:26:57,680 --> 00:27:02,480
timing narrows, outliers remain, they always do.

532
00:27:02,480 --> 00:27:05,240
Those outliers become our next coordinates.

533
00:27:05,240 --> 00:27:08,960
Base pulse, Kerberos timing spike, two responders

534
00:27:08,960 --> 00:27:13,760
lag behind site norms, possible mis-sited controllers.

535
00:27:13,760 --> 00:27:17,760
Soft tick, RDP without NLA on a management subnet.

536
00:27:17,760 --> 00:27:21,840
Certificate expired, gravity slackening.

537
00:27:21,840 --> 00:27:23,480
We annotate the chart.

538
00:27:23,480 --> 00:27:25,240
We do not rush the core.

539
00:27:25,240 --> 00:27:28,880
We respect the speed of light because everything that follows,

540
00:27:28,880 --> 00:27:34,480
enumeration, privilege, theft or defense depends on this honesty.

541
00:27:34,480 --> 00:27:38,120
The sky tells the truth if we are patient, we are patient.

542
00:27:38,120 --> 00:27:42,800
Reading the star charts, AD enumeration, we turn from distant light

543
00:27:42,800 --> 00:27:44,080
to the atlas itself.

544
00:27:44,080 --> 00:27:47,000
The directory is not a list, it is a field.

545
00:27:47,000 --> 00:27:51,480
We ask questions softly, we listen for shape, we begin with identity.

546
00:27:51,480 --> 00:27:52,720
Who are we?

547
00:27:52,720 --> 00:27:55,800
The bind is a handshake with gravity.

548
00:27:55,800 --> 00:27:58,760
A simple query returns our user object.

549
00:27:58,760 --> 00:28:04,080
Its SID the stellar coordinate, its UPN the constellation name.

550
00:28:04,080 --> 00:28:06,720
Group memberships follow like orbital rings.

551
00:28:06,720 --> 00:28:09,640
Global, domain local, universal.

552
00:28:09,640 --> 00:28:11,560
Scope is not cosmetic.

553
00:28:11,560 --> 00:28:15,960
Scope defines how mass transfers across borders.

554
00:28:15,960 --> 00:28:19,920
A universal group carries influence across forest space.

555
00:28:19,920 --> 00:28:23,520
A domain local concentrates power near a resource.

556
00:28:23,520 --> 00:28:25,920
We record each ring without judgment.

557
00:28:25,920 --> 00:28:27,600
Influence is cumulative.

558
00:28:27,600 --> 00:28:29,800
Paths form where rings overlap.

559
00:28:29,800 --> 00:28:30,600
We widen.

560
00:28:30,600 --> 00:28:33,200
What rights do those rings imply?

561
00:28:33,200 --> 00:28:35,120
Read on this share, write on that OU.

562
00:28:35,120 --> 00:28:36,920
Log on locally here, but not there.

563
00:28:36,920 --> 00:28:38,120
Rights are vectors.

564
00:28:38,120 --> 00:28:39,720
We map them as edges.

565
00:28:39,720 --> 00:28:42,240
Group to permission, permission to target.

566
00:28:42,240 --> 00:28:44,400
A printer operator on a quiet server

567
00:28:44,400 --> 00:28:47,960
might imply service management rights that chained carefully.

568
00:28:47,960 --> 00:28:49,880
Become local administrator elsewhere.

569
00:28:49,880 --> 00:28:50,960
We do not assume.

570
00:28:50,960 --> 00:28:51,880
We verify.

571
00:28:51,880 --> 00:28:54,520
Access paths are physics, not folklore.

572
00:28:54,520 --> 00:28:57,480
Service principal names appear like bright stars.

573
00:28:57,480 --> 00:29:02,200
HTTP/finance, MSSQLSvc/server42, CIFS/files02.

574
00:29:02,200 --> 00:29:05,280
Each SPN indicates a ticket can be minted for a service.

575
00:29:05,280 --> 00:29:08,200
And therefore, that credentials might be requested, cached,

576
00:29:08,200 --> 00:29:09,640
or mishandled.

577
00:29:09,640 --> 00:29:13,120
Overprivileged service accounts burn too hot.

578
00:29:13,120 --> 00:29:17,760
If they hold domain admin or write access to sensitive OUs,

579
00:29:17,760 --> 00:29:20,560
their light distorts the map.

580
00:29:20,560 --> 00:29:24,360
We note service accounts that are trusted to delegate.

581
00:29:24,360 --> 00:29:27,760
Unconstrained delegation is a furnace.

582
00:29:27,760 --> 00:29:31,560
Constrained delegation is a lens with rules.

583
00:29:31,560 --> 00:29:34,360
Resource-based constrained delegation

584
00:29:34,360 --> 00:29:36,600
is a mirror turned inward.

585
00:29:36,600 --> 00:29:38,440
Each changes curvature.

586
00:29:38,440 --> 00:29:40,680
Each demands measurement.

587
00:29:40,680 --> 00:29:45,400
We ask for administrators, but not just the domain admins group.

588
00:29:45,400 --> 00:29:49,560
We follow the lineage, nested groups, built-ins, anomalies,

589
00:29:49,560 --> 00:29:53,280
who has SeDebug privilege on critical servers by GPO,

590
00:29:53,280 --> 00:29:56,000
who sits in backup operators, a quiet orbit

591
00:29:56,000 --> 00:30:00,380
with tidal power over secrets, who owns the KRBTGT rotation

592
00:30:00,380 --> 00:30:00,720
ritual.

593
00:30:00,720 --> 00:30:03,440
Authority often disguises itself as maintenance.

594
00:30:03,440 --> 00:30:04,960
We surface it.

595
00:30:04,960 --> 00:30:08,360
We read the OU structure like tectonic plates.

596
00:30:08,360 --> 00:30:11,240
Tiered boundaries should appear as separate continents.

597
00:30:11,240 --> 00:30:13,920
Workstations grouped apart from servers.

598
00:30:13,920 --> 00:30:15,800
DCs isolated.

599
00:30:15,800 --> 00:30:20,040
If we find a single GPO linked high that grants broad rights

600
00:30:20,040 --> 00:30:23,120
to authenticated users, the law is compromised.

601
00:30:23,120 --> 00:30:26,200
We note empty OUs with lingering links,

602
00:30:26,200 --> 00:30:28,800
the tombstones of projects, drift accumulates

603
00:30:28,800 --> 00:30:30,240
in the spaces nobody visits.

604
00:30:30,240 --> 00:30:32,640
We sample password hygiene without guessing.

605
00:30:32,640 --> 00:30:34,720
Age distributions tell a story.

606
00:30:34,720 --> 00:30:38,000
A cluster of accounts with non-expiring passwords

607
00:30:38,000 --> 00:30:42,800
forms a cold cloud, service principals, vendors, ghosts.

608
00:30:42,800 --> 00:30:44,880
Fine-grained password policies reveal

609
00:30:44,880 --> 00:30:48,680
where entropy improves and where tradition refuses.

610
00:30:48,680 --> 00:30:52,320
If privileged users are not bound by stricter policies,

611
00:30:52,320 --> 00:30:54,440
gravity is misallocated.

612
00:30:54,440 --> 00:30:56,760
We inspect trust objects.

613
00:30:56,760 --> 00:31:01,320
External, forest, shortcut, directionality matters.

614
00:31:01,320 --> 00:31:05,600
Selective authentication should be the gate in two-way trusts.

615
00:31:05,600 --> 00:31:09,800
Authenticated users should not pass without scrutiny.

616
00:31:09,800 --> 00:31:12,560
SID filtering disabled is a rupture

617
00:31:12,560 --> 00:31:15,880
allowing forged history to cross the wormhole.

618
00:31:15,880 --> 00:31:19,800
If any trust predates the last era of governance reviews,

619
00:31:19,800 --> 00:31:22,560
we mark it as an at-risk tunnel.

620
00:31:22,560 --> 00:31:25,920
We do not enumerate to collect, we enumerate to model.

621
00:31:25,920 --> 00:31:28,880
The graph takes form, users to groups,

622
00:31:28,880 --> 00:31:33,920
groups to rights, rights to sessions, sessions to hosts.

623
00:31:33,920 --> 00:31:37,800
We add session data where we can, who is logged on where?

624
00:31:37,800 --> 00:31:40,880
Which admin has a habit of opening management tools

625
00:31:40,880 --> 00:31:42,320
from a workstation at lunch?

626
00:31:42,320 --> 00:31:43,800
Habit is gravity's accomplice.

627
00:31:43,800 --> 00:31:46,520
A single high-value identity appearing

628
00:31:46,520 --> 00:31:50,680
on a low-trust host is a mass transfer event.

629
00:31:50,680 --> 00:31:53,560
We mark it with a base pulse in our minds.

630
00:31:53,560 --> 00:31:56,120
Lab echo, low chime.

631
00:31:56,120 --> 00:32:03,520
Directory responded 4,312 users, 6,981 computers,

632
00:32:03,520 --> 00:32:08,560
1,204 groups, universal groups

633
00:32:08,560 --> 00:32:13,520
37, non-expiring passwords 112.

634
00:32:13,520 --> 00:32:16,480
We pivot to detection in the same breath.

635
00:32:16,480 --> 00:32:18,800
Enumeration should be symmetric.

636
00:32:18,800 --> 00:32:22,880
What an attacker can see, a defender, must pre-compute,

637
00:32:22,880 --> 00:32:26,000
maintain a living map of privileged paths,

638
00:32:26,000 --> 00:32:29,040
prune groups that inherited power by accident,

639
00:32:29,040 --> 00:32:33,200
retire unused SPNs, reduce delegation to necessity,

640
00:32:33,200 --> 00:32:36,400
enforce Protected Users for the identities that cannot fail.

641
00:32:36,400 --> 00:32:39,040
If you cannot remove NTLM entirely,

642
00:32:39,040 --> 00:32:42,240
at least ensure SMB signing and channel binding

643
00:32:42,240 --> 00:32:44,160
so the fossil cannot be weaponized.

644
00:32:44,160 --> 00:32:46,680
We set alerts on curvature, not noise,

645
00:32:46,680 --> 00:32:50,400
unusual TGS patterns for sensitive SPNs,

646
00:32:50,400 --> 00:32:54,080
event 4769 spikes outside maintenance windows,

647
00:32:54,080 --> 00:32:58,320
new admin group memberships, event 4728 and 4732

648
00:32:58,320 --> 00:33:00,160
when no CAB meets.

649
00:33:00,160 --> 00:33:03,840
Directory replication access, event 4662

650
00:33:03,840 --> 00:33:06,400
with DS-Replication-Get-Changes

651
00:33:06,400 --> 00:33:09,120
when only backup service accounts should breathe there.

652
00:33:09,120 --> 00:33:12,640
Sysmon murmurs when a process reaches for LSASS.

653
00:33:12,640 --> 00:33:14,640
Event 10 with intent.

654
00:33:14,640 --> 00:33:16,240
We do not wait for collapse.

655
00:33:16,240 --> 00:33:17,920
We listen for precession.

656
00:33:17,920 --> 00:33:19,920
We close the atlas with humility.

657
00:33:19,920 --> 00:33:22,320
The directory told us where it bends.

658
00:33:22,320 --> 00:33:25,120
Our task is to remove mass where we can,

659
00:33:25,120 --> 00:33:27,040
add fences where we must,

660
00:33:27,040 --> 00:33:30,080
and instrument the sky so drift becomes sound.

661
00:33:30,080 --> 00:33:33,360
Base pulse, the next orbit begins.

662
00:33:33,360 --> 00:33:35,680
Scripted segment, you walk the graph,

663
00:33:35,680 --> 00:33:37,760
you begin with a dim credential,

664
00:33:37,760 --> 00:33:40,000
a regular user, no symbols of power,

665
00:33:40,000 --> 00:33:42,000
a single SID adrift.

666
00:33:42,000 --> 00:33:44,560
You ask softly, who am I?

667
00:33:44,560 --> 00:33:47,280
The directory replies with minimal mass,

668
00:33:47,280 --> 00:33:49,280
one user object, a primary group,

669
00:33:49,280 --> 00:33:52,080
a few nested rings, home folder, mailbox,

670
00:33:52,080 --> 00:33:54,560
nothing that glows, the silence feels safe,

671
00:33:54,560 --> 00:33:56,480
but time has its own opinion.

672
00:33:56,480 --> 00:34:00,560
You widen the lens, who trusts the groups that trust me?

673
00:34:00,560 --> 00:34:03,840
Edges form, a departmental group appears,

674
00:34:03,840 --> 00:34:07,360
granted read on a file share where scripts accumulate.

675
00:34:07,360 --> 00:34:12,320
A quiet comet labeled deploy holds a plain text credential

676
00:34:12,320 --> 00:34:14,800
meant to speed a midnight fix.

677
00:34:14,800 --> 00:34:17,440
The credential belongs to a service account,

678
00:34:17,440 --> 00:34:19,840
low chime, directory speaks,

679
00:34:19,840 --> 00:34:22,960
service account, interactive logon permitted,

680
00:34:22,960 --> 00:34:28,560
logon service, MGMT02, APP07.

681
00:34:28,560 --> 00:34:30,240
The gravity sharpens,

682
00:34:30,240 --> 00:34:33,280
that service account carries local administrator

683
00:34:33,280 --> 00:34:35,120
on three neighboring hosts.

684
00:34:35,120 --> 00:34:38,400
Convenience enacted during a crisis, never revoked.

685
00:34:38,400 --> 00:34:42,000
You step onto MGMT02, not by force,

686
00:34:42,000 --> 00:34:45,360
but by invitation already written into ACLs.

687
00:34:45,360 --> 00:34:47,200
On its surface, sessions glitter,

688
00:34:47,200 --> 00:34:49,360
one belongs to a backup operator

689
00:34:49,360 --> 00:34:52,160
who once ran a restore and kept the habit.

690
00:34:53,120 --> 00:34:56,800
Base pulse, Sysmon whispers, event 10,

691
00:34:56,800 --> 00:35:01,200
process seeking LSASS, handle denied by policy.

692
00:35:01,200 --> 00:35:04,080
The shield holds today, but the pattern is visible.

693
00:35:04,080 --> 00:35:06,960
You do not smash, you listen.

694
00:35:06,960 --> 00:35:09,920
You follow the orbit labeled backup operators.

695
00:35:09,920 --> 00:35:17,360
In Windows, that orbit tides secrets.

696
00:35:17,360 --> 00:35:21,600
It can load drivers, read volumes,

697
00:35:22,240 --> 00:35:25,200
copy the registry hives that remember.

698
00:35:25,200 --> 00:35:28,000
A short path appears, backup operator

699
00:35:28,000 --> 00:35:31,520
to registry to cached secrets to lateral movement

700
00:35:31,520 --> 00:35:33,280
under the guise of maintenance.

701
00:35:33,280 --> 00:35:35,440
The universe suggests you confirm.

702
00:35:35,440 --> 00:35:37,600
You trace SPNs like bright stars,

703
00:35:37,600 --> 00:35:42,720
MSSQLSvc/Ledger01, CIFS/Sharecore,

704
00:35:42,720 --> 00:35:44,800
HTTP/Finance.

705
00:35:44,800 --> 00:35:48,000
Tickets are passports, requests leave trails,

706
00:35:48,000 --> 00:35:53,280
event 4769 clusters for HTTP/Finance at hours when finance sleeps.

707
00:35:53,280 --> 00:35:56,320
That means service access where service should dream.

708
00:35:56,320 --> 00:35:59,680
Either automation went feral or someone borrowed the light.

709
00:35:59,680 --> 00:36:00,960
You mark it.

710
00:36:00,960 --> 00:36:06,560
Soft tick, telemetry murmurs, edges: 182 paths to DA found.

711
00:36:06,560 --> 00:36:09,120
The graph is not a threat, it is a weather report.

712
00:36:09,120 --> 00:36:11,360
You pivot from services to delegation.

713
00:36:11,360 --> 00:36:14,640
Unconstrained is heat, constrained is engineered light.

714
00:36:14,640 --> 00:36:17,280
Resource-based is a mirror with rules.

715
00:36:17,280 --> 00:36:20,080
You see an aging application server trusted for

716
00:36:20,080 --> 00:36:22,160
unconstrained delegation.

717
00:36:22,160 --> 00:36:24,880
It received its blessing when the vendor promised no risk.

718
00:36:24,880 --> 00:36:30,320
It kept it when the vendor forgot that server can hold TGTs for those who visit.

719
00:36:30,320 --> 00:36:33,600
Administrators once visited to debug an outage.

720
00:36:33,600 --> 00:36:36,080
Their tokens orbited within memory.

721
00:36:36,080 --> 00:36:40,320
You note the curvature, if the furnace is breached, it emits passports.

722
00:36:40,320 --> 00:36:43,360
Not a zero-day, a zero-care. Low chime,

723
00:36:43,360 --> 00:36:48,960
directory replies to a controlled query, krbtgt password last set,

724
00:36:48,960 --> 00:36:50,960
2,081 days ago,

725
00:36:50,960 --> 00:36:52,240
starlight from the past.

726
00:36:52,240 --> 00:36:55,680
If someone minted a ticket forged from yesterday's secret,

727
00:36:55,680 --> 00:36:58,480
the present might still accept it as fate.

728
00:36:58,480 --> 00:37:02,960
You mark the ritual overdue, reset twice, measured and verified.

729
00:37:02,960 --> 00:37:08,320
You walk the trust objects one external, one shortcut, one forest.

730
00:37:08,320 --> 00:37:12,160
Selective authentication disabled on the shortcut

731
00:37:12,160 --> 00:37:13,840
that spans convenience.

732
00:37:13,840 --> 00:37:16,720
SID filtering relaxed for a vendor era

733
00:37:16,720 --> 00:37:19,840
that ended two reorganizations ago.

734
00:37:19,840 --> 00:37:24,560
The wormhole remains open, passing history across without friction.

735
00:37:24,560 --> 00:37:26,000
You write a note in gravity.

736
00:37:26,000 --> 00:37:28,880
If collapse begins, it will begin here.

737
00:37:28,880 --> 00:37:32,160
You lean into habit because habit is the true credential.

738
00:37:32,160 --> 00:37:37,120
Session data shows a domain admin touching a management server at lunch

739
00:37:37,120 --> 00:37:39,840
from a workstation that should be tier two.

740
00:37:39,840 --> 00:37:41,440
One appearance can be an accident.

741
00:37:42,160 --> 00:37:45,520
Three is ritual, and that ritual creates mass transfer.

742
00:37:45,520 --> 00:37:49,440
A high-value token arrives where low-value processes breathe.

743
00:37:49,440 --> 00:37:51,680
Even with defenses, the curvature is wrong.

744
00:37:51,680 --> 00:37:52,720
You do not accuse.

745
00:37:52,720 --> 00:37:53,840
You annotate.

746
00:37:53,840 --> 00:37:58,000
Then you plan to remove every reason for that ritual to exist.

747
00:37:58,000 --> 00:37:59,440
Base pulse.

748
00:37:59,440 --> 00:38:02,000
A bloodhound style path highlights.

749
00:38:02,000 --> 00:38:02,880
User.

750
00:38:02,880 --> 00:38:04,320
Department group.

751
00:38:04,320 --> 00:38:06,400
Write to script share.

752
00:38:06,400 --> 00:38:08,080
Service credential.

753
00:38:08,080 --> 00:38:09,840
Local admin chain.

754
00:38:09,840 --> 00:38:11,280
Management server.

755
00:38:11,280 --> 00:38:12,720
Cached ticket.

756
00:38:12,720 --> 00:38:14,800
DC adjacent reach.

757
00:38:14,800 --> 00:38:15,760
No lock picked.

758
00:38:15,760 --> 00:38:16,960
No door broken.

759
00:38:16,960 --> 00:38:18,320
Gravity did the work.

760
00:38:18,320 --> 00:38:21,360
You close the loop with defense pronounced in the language of physics.

761
00:38:21,360 --> 00:38:23,200
Reduce edges.

762
00:38:23,200 --> 00:38:23,760
Remove

763
00:38:23,760 --> 00:38:26,320
write from the script share for humans who only read.

764
00:38:26,320 --> 00:38:28,800
Rotate the service credential.

765
00:38:28,800 --> 00:38:30,400
Bind it to least privilege.

766
00:38:30,400 --> 00:38:31,680
Deny interactive.

767
00:38:31,680 --> 00:38:32,400
Logon.

768
00:38:32,400 --> 00:38:34,480
And audit where it breathes.

769
00:38:34,480 --> 00:38:38,320
Enforce LAPS to sever shared local admin constellations.

770
00:38:38,320 --> 00:38:42,320
Push SMB signing so relays cannot bend routes.

771
00:38:42,320 --> 00:38:44,480
Retire the unconstrained furnace.

772
00:38:44,480 --> 00:38:49,920
Replace it with resource-based constrained delegation tied to exact services not a hope.

773
00:38:49,920 --> 00:38:52,160
Reset KRBTGT twice.

774
00:38:52,160 --> 00:38:53,520
Seal tier behind PAWs.

775
00:38:53,520 --> 00:38:55,600
Train habit with gates not scolding.

776
00:38:55,600 --> 00:38:57,040
The directory does not hide.

777
00:38:57,040 --> 00:38:58,560
It whispers.

778
00:38:58,560 --> 00:39:00,720
Enumeration is not a threat.

779
00:39:00,720 --> 00:39:05,040
It is a confession the system makes to anyone patient enough to hear it.

780
00:39:05,040 --> 00:39:09,600
And once you know the paths you do not need to move loudly you just fall.

781
00:39:09,600 --> 00:39:11,040
Pull breaking orbits.

782
00:39:11,040 --> 00:39:12,960
We arrive at a single endpoint.

783
00:39:12,960 --> 00:39:16,480
The place where ordinary work becomes extraordinary leverage.

784
00:39:16,480 --> 00:39:19,200
A compromised workstation is not a breach.

785
00:39:19,200 --> 00:39:20,640
It is a launch pad.

786
00:39:20,640 --> 00:39:22,560
Local privilege is thrust.

787
00:39:22,560 --> 00:39:24,400
Credential material is fuel.

788
00:39:24,400 --> 00:39:25,920
Lateral movement is trajectory.

789
00:39:25,920 --> 00:39:29,120
We break orbits in three gravitational moves.

790
00:39:29,120 --> 00:39:31,120
First, the local climb.

791
00:39:31,120 --> 00:39:34,640
Services with weak permissions.

792
00:39:34,640 --> 00:39:35,920
Unquoted paths.

793
00:39:35,920 --> 00:39:38,000
Access rights.

794
00:39:38,000 --> 00:39:42,320
In quiet groups like backup operators or print operators.

795
00:39:42,320 --> 00:39:46,400
We do not need names or vulnerabilities to know the pattern.

796
00:39:46,400 --> 00:39:49,040
Misconfiguration accelerates mass.

797
00:39:49,040 --> 00:39:51,760
Second, we read memory's heat.

798
00:39:51,760 --> 00:39:53,120
LSASS is the key ring.

799
00:39:53,120 --> 00:39:55,840
SSPs are the dialects.

800
00:39:55,840 --> 00:39:57,920
Tickets and hashes are condensed power.

801
00:39:57,920 --> 00:40:00,560
If WDigest sleeps, we let it sleep.

802
00:40:00,560 --> 00:40:02,800
If LSA protection stands we honor it.

803
00:40:02,800 --> 00:40:06,720
If the shield is missing attackers will ask the key ring to sing.

804
00:40:06,720 --> 00:40:08,320
We answer by hardening.

805
00:40:08,320 --> 00:40:11,040
Credential Guard, RunAsPPL.

806
00:40:11,040 --> 00:40:12,240
Restricted debug.

807
00:40:12,240 --> 00:40:14,960
No admin sessions on untrusted hosts.

808
00:40:14,960 --> 00:40:17,280
Third, we respect time's verdict.

809
00:40:17,280 --> 00:40:21,920
A server from 2016 that never learned new laws is a pocket where time dilates.

810
00:40:21,920 --> 00:40:23,280
Patches do not arrive.

811
00:40:23,280 --> 00:40:24,640
Protocols remain generous.

812
00:40:24,640 --> 00:40:26,640
That machine bends the field around it.

813
00:40:26,640 --> 00:40:28,240
We isolate or retire.

814
00:40:28,240 --> 00:40:31,840
Or we compensate with walls and watches.

815
00:40:31,840 --> 00:40:32,960
Low chime.

816
00:40:32,960 --> 00:40:35,680
Elevation attempt blocked by service DACL.

817
00:40:35,680 --> 00:40:36,720
Bass pulse.

818
00:40:36,720 --> 00:40:38,560
Sysmon event 10 denied.

819
00:40:38,560 --> 00:40:40,480
The fabric speaks when we let it.

820
00:40:40,480 --> 00:40:43,760
Everything changes when the initial thrust meets structure.

821
00:40:43,760 --> 00:40:46,160
If the edges are many, movement is easy.

822
00:40:46,160 --> 00:40:48,480
If the edges are few, movement is noisy.

823
00:40:48,480 --> 00:40:51,120
In the next segments we will climb.

824
00:40:51,120 --> 00:40:53,200
We will attempt to read memory.

825
00:40:53,200 --> 00:40:56,720
And we will decide whether the orbit breaks or holds.

826
00:40:56,720 --> 00:40:58,640
The next orbit begins.

827
00:40:58,640 --> 00:41:00,720
From user to local admin.

828
00:41:00,720 --> 00:41:03,360
We stand on a workstation surface.

829
00:41:03,360 --> 00:41:04,240
Ordinary gravity.

830
00:41:04,240 --> 00:41:05,440
Ordinary permissions.

831
00:41:05,440 --> 00:41:07,440
A user clicks, types, saves.

832
00:41:07,440 --> 00:41:08,640
Nothing blazes.

833
00:41:08,640 --> 00:41:10,400
But local privilege is not a crown.

834
00:41:10,400 --> 00:41:11,840
It is momentum.

835
00:41:11,840 --> 00:41:15,200
And momentum comes from frictionless paths carved long ago.

836
00:41:15,200 --> 00:41:17,680
We look for the first slope.

837
00:41:17,680 --> 00:41:18,880
Services.

838
00:41:18,880 --> 00:41:23,520
In Windows, a service is an engine strapped to the hull.

839
00:41:23,520 --> 00:41:27,760
If its binary path contains spaces and lacks quotes,

840
00:41:27,760 --> 00:41:30,000
the system resolves greedily.

841
00:41:30,000 --> 00:41:32,080
Stopping at the first executable fragment.

842
00:41:32,080 --> 00:41:33,840
That is an unquoted service path.

843
00:41:33,840 --> 00:41:37,600
If a low-privileged user can write into that directory,

844
00:41:37,600 --> 00:41:40,480
they can slide a payload into the resolution.

845
00:41:40,480 --> 00:41:42,880
On next start, the engine burns the wrong fuel.

846
00:41:42,880 --> 00:41:44,800
Elevation without ceremony.

847
00:41:44,800 --> 00:41:45,760
We do not guess.

848
00:41:45,760 --> 00:41:46,800
We measure.

849
00:41:46,800 --> 00:41:51,040
Service configuration is a map of intent meeting file system truth.

850
00:41:51,040 --> 00:41:52,640
Then we test the bolts.

851
00:41:52,640 --> 00:41:54,080
Service permissions.

852
00:41:54,080 --> 00:41:56,720
A service with a generous DACL

853
00:41:56,720 --> 00:42:02,240
lets ordinary users change its binary, its start mode, or its account.

854
00:42:02,240 --> 00:42:05,040
When that happens, gravity is inverted.

855
00:42:05,040 --> 00:42:09,840
A quiet user can rewire a trusted engine to run their code as local system.

856
00:42:09,840 --> 00:42:11,760
Not a zero-day.

857
00:42:11,760 --> 00:42:14,000
A zero-discipline in DACLs.

858
00:42:14,000 --> 00:42:16,000
The defense lives where it began.

859
00:42:16,000 --> 00:42:19,840
Correct ACLs on services and their binaries.

860
00:42:19,840 --> 00:42:22,480
Configuration drift detectors

861
00:42:22,480 --> 00:42:24,800
that shout when a startup path changes.

862
00:42:24,800 --> 00:42:28,880
And a rule that services run under least privileged accounts

863
00:42:28,880 --> 00:42:31,120
with write-protected binaries.

864
00:42:31,120 --> 00:42:35,360
We examine the local constellations, groups: Backup Operators,

865
00:42:35,360 --> 00:42:39,200
Print Operators, Power Users that survived an earlier era.

866
00:42:39,200 --> 00:42:42,880
These rings look harmless because they are not administrators by name.

867
00:42:42,880 --> 00:42:44,560
But Windows remembers history.

868
00:42:44,560 --> 00:42:48,400
Backup Operators can load drivers, read volumes,

869
00:42:48,400 --> 00:42:52,320
and touch the registry hives where secrets congeal.

870
00:42:52,320 --> 00:42:56,400
Print Operators can manage services and drivers that run in elevated space.

871
00:42:56,400 --> 00:43:00,480
One misapplied membership bestows tidal influence.

872
00:43:00,480 --> 00:43:03,040
We cut these rings to purpose.

873
00:43:03,040 --> 00:43:07,280
Memberships are documented, justified, time-bound,

874
00:43:07,280 --> 00:43:10,400
and reviewed on a cadence that feels like ritual.

875
00:43:10,400 --> 00:43:11,680
Lab Echo.

876
00:43:11,680 --> 00:43:12,400
Low chime.

877
00:43:12,400 --> 00:43:15,200
Service query returned.

878
00:43:15,200 --> 00:43:16,960
Three vulnerable paths.

879
00:43:16,960 --> 00:43:20,880
Write access detected in C:\Program Files\vendor appils.

880
00:43:20,880 --> 00:43:27,280
Bass pulse. Service DACL allows start, stop, change

881
00:43:27,280 --> 00:43:30,000
config for Authenticated Users.

882
00:43:30,000 --> 00:43:33,840
The fabric speaks, we answer.

883
00:43:33,840 --> 00:43:38,000
Now, known vulnerabilities without naming them.

884
00:43:38,000 --> 00:43:40,800
Privilege escalation is a pattern.

885
00:43:40,800 --> 00:43:43,040
Unsigned drivers accepted without scrutiny.

886
00:43:43,040 --> 00:43:46,480
Scheduled tasks with world-writable actions.

887
00:43:47,120 --> 00:43:52,480
Hijackable DLL search orders, when a process looks in a writable directory first.

888
00:43:52,480 --> 00:43:56,240
The specific identifier changes with season.

889
00:43:56,240 --> 00:43:57,840
The physics remains.

890
00:43:57,840 --> 00:44:01,920
A high-privilege process trusts a low-privilege location.

891
00:44:01,920 --> 00:44:05,520
Our counterforce is mechanical: block unsigned kernel code,

892
00:44:05,520 --> 00:44:11,840
restrict who can load drivers, monitor new scheduled tasks with administrative principals,

893
00:44:11,840 --> 00:44:16,480
and fix search paths so binaries and DLLs come from read-only

894
00:44:16,480 --> 00:44:17,360
constellations.

895
00:44:17,360 --> 00:44:23,760
We step into the registry and file system looking for writable edges near the core.

896
00:44:23,760 --> 00:44:30,560
If Program Files, System32 siblings, or service directories allow non-admin writes,

897
00:44:30,560 --> 00:44:32,160
the hull is already thin.

898
00:44:32,160 --> 00:44:38,000
We set inheritance to sanity, audit for explicit grants that deviate from baselines,

899
00:44:38,000 --> 00:44:41,920
and stamp golden images so mispermissions cannot replicate like spores.

900
00:44:41,920 --> 00:44:44,080
We read habit because habit bends everything.

901
00:44:44,080 --> 00:44:50,400
Developers installed compilers and debuggers on servers for a quick fix and never removed them.

902
00:44:50,400 --> 00:44:52,560
Those tools are not evil, they are leverage.

903
00:44:52,560 --> 00:44:58,640
On a workstation, a local user with a compiler and a writable service path

904
00:44:58,640 --> 00:45:02,560
can manufacture their ladder the moment curiosity arrives.

905
00:45:02,560 --> 00:45:03,600
We dry that fuel.

906
00:45:03,600 --> 00:45:10,240
No compilers on servers, no ad hoc tool caches in privileged directories,

907
00:45:10,240 --> 00:45:14,560
application control to require signatures and publishers we trust.

908
00:45:14,560 --> 00:45:17,520
Credential material is nearby but we hold the line.

909
00:45:17,520 --> 00:45:20,080
Local admin is a gate before memory.

910
00:45:20,080 --> 00:45:24,480
If the local administrator password is shared across machines,

911
00:45:24,480 --> 00:45:27,360
pass the hash turns one gate into many.

912
00:45:27,360 --> 00:45:31,440
We sever that constellation with LAPS or an equivalent rotation ritual.

913
00:45:31,440 --> 00:45:35,360
Unique secrets per host, rotation as heartbeat,

914
00:45:35,360 --> 00:45:39,760
audit as astronomy: who used the local admin account, from where,

915
00:45:39,760 --> 00:45:40,400
and why.

916
00:45:40,400 --> 00:45:43,840
We cast the baseline as law, not suggestion.

917
00:45:43,840 --> 00:45:48,880
CIS and Microsoft security baselines are not paperwork.

918
00:45:48,880 --> 00:45:51,040
They are orbital parameters.

919
00:45:51,040 --> 00:45:56,480
They harden services, disable legacy reflexes, constrain rights.

920
00:45:56,480 --> 00:45:57,920
We do not paste them blindly.

921
00:45:57,920 --> 00:45:59,680
We test them, enforce, then watch.

922
00:45:59,680 --> 00:46:04,640
Drift detectors compare current state to intended gravity

923
00:46:04,640 --> 00:46:07,200
and speak when the difference grows.

924
00:46:07,200 --> 00:46:12,000
We rehearse hygiene: regularly scan for local privilege escalation patterns,

925
00:46:12,000 --> 00:46:14,960
not to collect trophies but to delete the slopes.

926
00:46:14,960 --> 00:46:17,120
Patch cadence becomes a metronome.

927
00:46:17,120 --> 00:46:21,680
Servers and workstations learn new laws promptly.

928
00:46:21,680 --> 00:46:27,440
When legacy software resists, we isolate it behind walls and watches,

929
00:46:27,440 --> 00:46:28,560
or we retire it.

930
00:46:28,560 --> 00:46:31,200
Isolation is not punishment.

931
00:46:31,200 --> 00:46:33,760
It is respect for physics we cannot change.

932
00:46:33,760 --> 00:46:34,480
Lab echo.

933
00:46:34,480 --> 00:46:35,680
Soft tick.

934
00:46:36,480 --> 00:46:39,600
Local group membership audit: Backup Operators contains

935
00:46:39,600 --> 00:46:43,120
SVC backup 01 and user J Sato.

936
00:46:43,120 --> 00:46:44,400
That name matters.

937
00:46:44,400 --> 00:46:45,840
Humans make systems bend.

938
00:46:45,840 --> 00:46:48,160
We remove what is not justified.

939
00:46:48,160 --> 00:46:50,080
We time bound what remains.

940
00:46:50,080 --> 00:46:53,120
We alert when gravity returns without approval.

941
00:46:53,120 --> 00:46:54,880
We close with a principle.

942
00:46:54,880 --> 00:46:58,640
Local admin should be rare, reversible, and recent.

943
00:46:58,640 --> 00:46:59,360
Rare.

944
00:46:59,360 --> 00:47:01,600
Because most tasks do not need it.

945
00:47:01,600 --> 00:47:05,040
Reversible, because just-in-time rights expire.

946
00:47:05,040 --> 00:47:10,480
Recent, because standing privilege decays into habit, and habit into breach.

947
00:47:10,480 --> 00:47:12,880
JEA for PowerShell.

948
00:47:12,880 --> 00:47:14,880
Temporary elevation with approvals.

949
00:47:14,880 --> 00:47:16,880
Session recording where law permits.

950
00:47:16,880 --> 00:47:19,600
A PAW for the hands that must touch servers.

951
00:47:19,600 --> 00:47:21,600
And a boundary.

952
00:47:21,600 --> 00:47:24,640
No administrative hands on untrusted hosts ever.

953
00:47:24,640 --> 00:47:26,640
Low chime.

954
00:47:26,640 --> 00:47:28,560
Elevation attempt thwarted.

955
00:47:28,560 --> 00:47:30,320
Change service config denied.

956
00:47:30,320 --> 00:47:32,800
Bass pulse fades.

957
00:47:32,800 --> 00:47:34,240
The orbit holds.

958
00:47:34,240 --> 00:47:35,280
Reading memory.

959
00:47:35,280 --> 00:47:37,280
LSASS and the key ring.

960
00:47:37,280 --> 00:47:40,960
We descend into the chamber where identity condenses into metal.

961
00:47:40,960 --> 00:47:43,280
The Local Security Authority is not a process.

962
00:47:43,280 --> 00:47:44,640
It is the key ring.

963
00:47:44,640 --> 00:47:47,440
In its memory live the proofs we trade for access.

964
00:47:47,440 --> 00:47:49,200
Kerberos tickets.

965
00:47:49,200 --> 00:47:50,720
NTLM secrets.

966
00:47:50,720 --> 00:47:51,920
Cached tokens.

967
00:47:51,920 --> 00:47:53,760
And the structures that bind them.

968
00:47:53,760 --> 00:47:57,120
The security support providers that speak the dialects of trust.

969
00:47:57,120 --> 00:48:00,160
Power BI does not simply show us.

970
00:48:00,160 --> 00:48:02,800
LSASS enforces who we are allowed to become.

971
00:48:03,360 --> 00:48:05,920
When it is naked, gravity fails.

972
00:48:05,920 --> 00:48:07,840
Kerberos breathes here.

973
00:48:07,840 --> 00:48:12,480
Ticket-granting tickets, once minted by the KDC, rest as heat.

974
00:48:12,480 --> 00:48:14,880
Renewable within policy.

975
00:48:14,880 --> 00:48:18,320
Convertible into service tickets without asking passwords again.

976
00:48:18,320 --> 00:48:22,560
NTLM persists as a fossil dialect.

977
00:48:22,560 --> 00:48:28,320
If policy permits, challenge responses and cached secrets remain within reach.

978
00:48:28,320 --> 00:48:31,040
The credential manager keeps convenience close.

979
00:48:31,760 --> 00:48:32,880
Saved web creds.

980
00:48:32,880 --> 00:48:34,320
Mapped drive tokens.

981
00:48:34,320 --> 00:48:36,160
Enterprise SSO residues.

982
00:48:36,160 --> 00:48:37,520
Each convenience is mass.

983
00:48:37,520 --> 00:48:41,360
Each mass can be moved if rules allow hands near the ring.

984
00:48:41,360 --> 00:48:44,880
Security support providers are the translators.

985
00:48:44,880 --> 00:48:45,760
Kerberos.

986
00:48:45,760 --> 00:48:46,720
NTLM.

987
00:48:46,720 --> 00:48:47,760
Negotiate.

988
00:48:47,760 --> 00:48:48,880
CredSSP.

989
00:48:48,880 --> 00:48:50,160
Among others.

990
00:48:50,160 --> 00:48:52,560
They register within LSASS.

991
00:48:52,560 --> 00:48:55,040
So logons and delegations have a voice.

992
00:48:55,040 --> 00:49:00,960
When legacy SSPs linger, when WDigest is enabled for compatibility,

993
00:49:00,960 --> 00:49:05,920
when third-party providers install with generous hooks, memory becomes a market.

994
00:49:05,920 --> 00:49:07,920
Opponents do not need passwords.

995
00:49:07,920 --> 00:49:09,120
They need handles.

996
00:49:09,120 --> 00:49:11,040
A read is enough to become you.

997
00:49:11,040 --> 00:49:13,200
This is why shield patterns matter.

998
00:49:13,200 --> 00:49:17,840
LSA Protection, RunAsPPL, hardens LSASS into a protected process.

999
00:49:17,840 --> 00:49:22,480
When enforced, only signed, trusted, specifically permitted code

1000
00:49:22,480 --> 00:49:25,200
can request the handles that reveal secrets.

1001
00:49:25,200 --> 00:49:30,320
Without it, any process with SeDebug privilege or clever indirection

1002
00:49:30,320 --> 00:49:32,480
can ask the key ring to sing.

1003
00:49:32,480 --> 00:49:38,400
Credential Guard isolates long-lived secrets within virtualization boundaries.

1004
00:49:38,400 --> 00:49:43,200
LSASS becomes a mediator rather than a vault with an open door.

1005
00:49:43,200 --> 00:49:45,120
The difference is gravitational.

1006
00:49:45,120 --> 00:49:48,320
With shields, read attempts bend and break.

1007
00:49:48,320 --> 00:49:51,440
Without shields, time dilates and secrets leak.

1008
00:49:51,440 --> 00:49:52,240
Low chime.

1009
00:49:52,240 --> 00:49:55,360
Sysmon event 10: handle request to LSASS from winword.exe.

1011
00:49:56,080 --> 00:49:57,600
Access denied by PPL.

1012
00:49:58,160 --> 00:50:00,880
That is the sound of a shield absorbing a particle.

1013
00:50:00,880 --> 00:50:02,400
The bass pulse recedes.

1014
00:50:02,400 --> 00:50:07,520
But time has its own opinion on a legacy host where LSA Protection is not present,

1015
00:50:07,520 --> 00:50:12,320
or where WDigest was once toggled for a vendor and never reversed.

1016
00:50:12,320 --> 00:50:16,720
Memory contains clear text that should never have existed.

1017
00:50:16,720 --> 00:50:20,560
If administrators log on interactively to that host,

1018
00:50:20,560 --> 00:50:25,440
high-value tokens orbit within the same gravity as untrusted processes.

1019
00:50:25,440 --> 00:50:27,920
A tool does not need to be exotic.

1020
00:50:27,920 --> 00:50:29,680
It needs to be adjacent.

1021
00:50:29,680 --> 00:50:32,720
The path is physics: obtain local admin,

1022
00:50:32,720 --> 00:50:38,000
request handles, read memory, serialize secrets, move sideways.

1023
00:50:38,000 --> 00:50:40,320
We counter with ritual and boundaries.

1024
00:50:40,320 --> 00:50:42,880
First, remove the fuel.

1025
00:50:42,880 --> 00:50:48,560
Disable WDigest by policy and verify the registry aligns with intent.

1026
00:50:48,560 --> 00:50:55,760
Deny interactive logon to service accounts and tier identities on anything but privileged

1027
00:50:55,760 --> 00:51:02,480
access workstations; require Restricted Admin for RDP into servers where possible,

1028
00:51:02,480 --> 00:51:05,680
so reusable credentials do not land.

1029
00:51:05,680 --> 00:51:09,440
Block process injection tools and unsigned drivers.

1030
00:51:09,440 --> 00:51:11,120
The kernel is the last sky.

1031
00:51:11,120 --> 00:51:14,080
Do not let it accept foreign stars.

1032
00:51:14,080 --> 00:51:16,480
Second, constrain proximity.

1033
00:51:16,480 --> 00:51:18,560
Isolate admin sessions.

1034
00:51:18,560 --> 00:51:22,960
The hands that hold domain power must never touch untrusted terrain.

1035
00:51:22,960 --> 00:51:26,480
If an admin must fix a workstation, the tool reaches in.

1036
00:51:26,480 --> 00:51:28,240
The admin does not step out.

1037
00:51:28,240 --> 00:51:31,600
Just Enough Administration defines the verbs.

1038
00:51:31,600 --> 00:51:34,000
Just-in-time grants the time window.

1039
00:51:34,000 --> 00:51:36,960
Session recording captures the light trail.

1040
00:51:36,960 --> 00:51:38,400
The goal is not surveillance.

1041
00:51:38,400 --> 00:51:40,400
It is physics.

1042
00:51:40,400 --> 00:51:44,480
Prevent high mass tokens from descending into low-trust wells.

1043
00:51:44,480 --> 00:51:46,480
Third, instrument memory.

1044
00:51:46,480 --> 00:51:52,640
Sysmon event 10 alerts when a process asks for LSASS with suspicious intent.

1045
00:51:52,640 --> 00:51:55,680
Pair it with event 1 to map parentage.

1046
00:51:55,680 --> 00:51:58,560
Office apps should not birth credential readers.

1047
00:51:58,560 --> 00:52:01,760
Add event 7 for image loads.

1048
00:52:01,760 --> 00:52:09,840
When an unexpected SSP DLL wedges into LSASS, the sky has been altered.

1049
00:52:09,840 --> 00:52:12,560
Windows security logs add context.

1050
00:52:12,560 --> 00:52:17,680
4624 logons that bring admin SIDs into places they should not be.

1051
00:52:17,680 --> 00:52:22,000
4672 privileges assigned where maintenance is not scheduled.

1052
00:52:22,000 --> 00:52:22,960
Correlate.

1053
00:52:22,960 --> 00:52:25,920
Curvature emerges only when lines intersect.

1054
00:52:25,920 --> 00:52:27,280
Lab echo.

1055
00:52:27,280 --> 00:52:28,480
Soft tick.

1056
00:52:28,480 --> 00:52:31,040
Security 4624.

1057
00:52:31,040 --> 00:52:36,160
Logon type 10 to server core app 03 by admin SVC deploy.

1058
00:52:36,160 --> 00:52:37,840
Bass pulse.

1059
00:52:37,840 --> 00:52:39,120
Sysmon 7.

1060
00:52:39,120 --> 00:52:40,800
New SSP module loaded.

1061
00:52:40,800 --> 00:52:42,000
Legacy digest.

1062
00:52:42,000 --> 00:52:43,200
Elton.

1063
00:52:43,200 --> 00:52:44,560
The fabric shudders.

1064
00:52:44,560 --> 00:52:46,160
This is not an exploit.

1065
00:52:46,160 --> 00:52:48,400
This is permission granted by neglect.

1066
00:52:48,400 --> 00:52:50,480
Credential Guard is a boundary in time.

1067
00:52:50,480 --> 00:52:55,760
Where supported, enable it. It does not make theft impossible, but it raises the energy required.

1068
00:52:55,760 --> 00:53:00,080
Hashes and TGT material move behind virtualization.

1069
00:53:00,080 --> 00:53:03,360
Pass the hash becomes an exercise in frustration.

1070
00:53:03,360 --> 00:53:04,960
Ticket diffusion slows.

1071
00:53:04,960 --> 00:53:08,960
Pair it with Protected Users for critical identities,

1072
00:53:08,960 --> 00:53:11,280
so NTLM usage is refused,

1073
00:53:11,280 --> 00:53:17,280
TGT lifetimes shorten, and delegation declines unless explicitly permitted.

1074
00:53:17,280 --> 00:53:18,960
Now we revisit habit.

1075
00:53:19,600 --> 00:53:26,400
If developers or operators run browsers, email or chat on servers, cookies and tokens collect

1076
00:53:26,400 --> 00:53:29,520
near LSAS, like dust around a magnet.

1077
00:53:29,520 --> 00:53:35,280
Web SSO credentials escape the intended sphere and offer federated power where only local

1078
00:53:35,280 --> 00:53:36,800
control should exist.

1079
00:53:36,800 --> 00:53:38,400
Remove browsers from servers.

1080
00:53:38,400 --> 00:53:45,680
Force administrative work through PAWs with hardened profiles, no personal apps, and policies

1081
00:53:45,680 --> 00:53:47,120
that starve convenience.

1082
00:53:47,120 --> 00:53:50,320
We also revisit error handling as a signal.

1083
00:53:50,320 --> 00:53:55,520
When an attacker attempts to read LSASS and fails because RunAsPPL stands,

1084
00:53:55,520 --> 00:53:57,840
do not celebrate silently.

1085
00:53:57,840 --> 00:53:58,640
Alert.

1086
00:53:58,640 --> 00:54:01,760
Investigate the process tree, user and source.

1087
00:54:01,760 --> 00:54:06,560
False positives exist but physics does not produce noise without cause.

1088
00:54:06,560 --> 00:54:11,040
Either a security product probed legitimately, or a tool searched for doors.

1089
00:54:11,040 --> 00:54:12,800
Tune, then trust the pattern.

1090
00:54:12,800 --> 00:54:16,240
Defense sounds like law, but it behaves like orbit.

1091
00:54:16,240 --> 00:54:23,200
Apply the MS and CIS baselines that set LSA Protection, Credential Guard, and SSP hygiene.

1092
00:54:23,200 --> 00:54:31,120
Remove legacy providers, enforce driver signing, deny SeDebug privilege to every account that does

1093
00:54:31,120 --> 00:54:33,040
not bear it by necessity.

1094
00:54:33,040 --> 00:54:38,640
If an application demands exceptions, isolate it behind walls and watchers and schedule

1095
00:54:38,640 --> 00:54:52,560
its eradication like decommissioning a collapsing star. Low chime.

1096
00:54:52,560 --> 00:54:54,880
Not a fountain, we are sent.

1097
00:54:54,880 --> 00:54:58,080
Memory still holds heat but it is arranged.

1098
00:54:58,080 --> 00:55:01,760
Identity bends, but within boundaries. We did not remove gravity.

1099
00:55:01,760 --> 00:55:03,680
We taught it restraint.

1100
00:55:03,680 --> 00:55:07,600
Time dilation: patches and technical debt.

1101
00:55:07,600 --> 00:55:10,640
Time does not pass evenly in an enterprise.

1102
00:55:10,640 --> 00:55:12,160
It stretches around legacy.

1103
00:55:12,160 --> 00:55:13,920
It compresses around urgency.

1104
00:55:13,920 --> 00:55:19,760
A 2016 server that never learned new laws does not sit in the present.

1105
00:55:19,760 --> 00:55:22,240
It drags the present backward.

1106
00:55:22,240 --> 00:55:23,440
That is time dilation.

1107
00:55:23,440 --> 00:55:26,320
The longer we allow it, the heavier it becomes.

1108
00:55:26,320 --> 00:55:27,920
Technical debt is not a bill.

1109
00:55:27,920 --> 00:55:29,240
It is gravity.

1110
00:55:29,240 --> 00:55:35,360
Each exception adds mass, a postponed reboot, a deferred cumulative update, a driver pinned

1111
00:55:35,360 --> 00:55:41,000
to an older kernel, a vendor requirement that demanded temporary registry edits.

1112
00:55:41,000 --> 00:55:42,320
Individually they seem trivial.

1113
00:55:42,320 --> 00:55:49,760
Together they warp authentication, alter negotiation and open paths attackers do not have to force.

1114
00:55:49,760 --> 00:55:52,200
They merely step where time slowed.

1115
00:55:52,200 --> 00:55:58,240
Consider the stack, a domain member with outdated patches still advertises NTLM behaviors

1116
00:55:58,240 --> 00:55:59,760
we thought retired.

1117
00:55:59,760 --> 00:56:03,280
Channel binding never enabled. SMB signing optional.

1118
00:56:03,280 --> 00:56:07,320
RPC endpoints exposing methods with weak verification.

1119
00:56:07,320 --> 00:56:10,240
None of this requires an exploit in the cinematic sense.

1120
00:56:10,240 --> 00:56:17,040
It requires only the courage to ask in the dialect that machine still understands.

1121
00:56:17,040 --> 00:56:22,400
And when privileged humans visit, when an admin RDPs in just for a quick look, their fresh

1122
00:56:22,400 --> 00:56:25,400
tokens orbit an old gravity.

1123
00:56:25,400 --> 00:56:28,200
That is how the past steals the present.

1124
00:56:28,200 --> 00:56:29,480
Low chime.

1125
00:56:29,480 --> 00:56:33,440
Update baseline drift 47 servers behind by 90 plus days.

1126
00:56:33,440 --> 00:56:37,440
Three domain controllers outside secure channel patch cadence.

1127
00:56:37,440 --> 00:56:39,040
Bass pulse.

1128
00:56:39,040 --> 00:56:44,480
Event 4769 anomalies correlate with unpatched SPN hosts.

1129
00:56:44,480 --> 00:56:46,320
The fabric reports the obvious.

1130
00:56:46,320 --> 00:56:47,600
Time is not neutral.

1131
00:56:47,600 --> 00:56:49,280
We push back with ritual.

1132
00:56:49,280 --> 00:56:52,440
Patch cadence is the metronome that resets physics.

1133
00:56:52,440 --> 00:56:55,480
It is not a heroic sprint every quarter.

1134
00:56:55,480 --> 00:56:57,040
It is a drumbeat.

1135
00:56:57,040 --> 00:56:58,720
Reliation on day.

1136
00:56:58,720 --> 00:57:00,840
Lab validation by day two.

1137
00:57:00,840 --> 00:57:02,240
Pilot by day seven.

1138
00:57:02,240 --> 00:57:04,640
Broad deployment by day 14.

1139
00:57:04,640 --> 00:57:06,800
Exceptions documented with a sunset.

1140
00:57:06,800 --> 00:57:12,120
Out of band fixes for identity and remote execution are emergencies.

1141
00:57:12,120 --> 00:57:14,720
Not negotiable calendar items.

1142
00:57:14,720 --> 00:57:18,360
We do not wait for change windows to align with fate.

1143
00:57:18,360 --> 00:57:21,440
We shape windows to respect gravity.

1144
00:57:21,440 --> 00:57:24,000
But time has its own opinion about reality.

1145
00:57:24,000 --> 00:57:26,440
Some systems cannot move fast.

1146
00:57:26,440 --> 00:57:29,360
Real controllers that hang on brittle drivers.

1147
00:57:29,360 --> 00:57:34,760
Line of business servers with vendors who treat updates as existential threats.

1148
00:57:34,760 --> 00:57:37,120
Here we choose one of three paths.

1149
00:57:37,120 --> 00:57:38,120
Retire.

1150
00:57:38,120 --> 00:57:40,720
Decommission where business allows.

1151
00:57:40,720 --> 00:57:44,160
Because dead mass cannot bend the future.

1152
00:57:44,160 --> 00:57:45,720
Isolate.

1153
00:57:45,720 --> 00:57:48,840
Quarantine behind identity aware firewalls.

1154
00:57:48,840 --> 00:57:54,720
Deny inbound administration except through bastions and restrict egress so a compromised

1155
00:57:54,720 --> 00:57:57,200
legacy box cannot shout.

1156
00:57:57,200 --> 00:57:58,400
Compensate.

1157
00:57:58,400 --> 00:58:00,600
Enforce SMB signing.

1158
00:58:00,600 --> 00:58:03,760
Force TLS 1.2 plus.

1159
00:58:03,760 --> 00:58:05,240
Enable Sysmon.

1160
00:58:05,240 --> 00:58:07,160
Deploy application control.

1161
00:58:07,160 --> 00:58:11,920
And wrap the host with monitoring that treats any privilege expansion as a siren.

1162
00:58:11,920 --> 00:58:13,640
We document as gravity.

1163
00:58:13,640 --> 00:58:14,960
Not guilt.

1164
00:58:14,960 --> 00:58:16,760
A risk register is not theatre.

1165
00:58:16,760 --> 00:58:19,240
It is a map of where time runs slow.

1166
00:58:19,240 --> 00:58:21,920
Each entry lists controls applied.

1167
00:58:21,920 --> 00:58:25,760
These allowed in a date when the star must go dark.

1168
00:58:25,760 --> 00:58:27,440
Leadership does not fear schedules.

1169
00:58:27,440 --> 00:58:29,080
They fear surprises.

1170
00:58:29,080 --> 00:58:32,000
Show them orbit decay in plain numbers.

1171
00:58:32,000 --> 00:58:33,000
Patch age.

1172
00:58:33,000 --> 00:58:34,760
Event correlations.

1173
00:58:34,760 --> 00:58:37,000
Lateral attempts blocked by policy.

1174
00:58:37,000 --> 00:58:39,920
Provide cost to stabilize versus cost to ignore.

1175
00:58:39,920 --> 00:58:41,960
The universe still wants to be understood.

1176
00:58:41,960 --> 00:58:42,960
So does a budget.

1177
00:58:42,960 --> 00:58:45,360
We defend identity against old clocks.

1178
00:58:45,360 --> 00:58:51,160
KRBTGT rotation twice per cycle ensures that even if a golden ticket was forged in

1179
00:58:51,160 --> 00:58:55,920
a prior age, it loses power when the secrets change.

1180
00:58:55,920 --> 00:59:02,480
Enforce Protected Users for critical admins so their sessions refuse NTLM and delegation

1181
00:59:02,480 --> 00:59:05,880
even on older hosts that try to tempt them.

1182
00:59:05,880 --> 00:59:12,200
Require RDP Restricted Admin and PAWs so credentials never cross into unpatched memory.

1183
00:59:12,200 --> 00:59:13,760
Telemetry must speak in tense.

1184
00:59:13,760 --> 00:59:17,720
Not merely what happened but what happened on a clock that lags.

1185
00:59:17,720 --> 00:59:23,760
Group hosts by patch cohort and correlate event 4768 and 4769 spikes with cohort labels.

1186
00:59:23,760 --> 00:59:28,800
If older cohorts correlate with anomalies, you have proof of curvature.

1187
00:59:28,800 --> 00:59:33,920
Sysmon events from outdated kernels deserve higher suspicion scores.

1188
00:59:33,920 --> 00:59:40,160
A login to a legacy print server by a tier identity should be a page, not a report.

1189
00:59:40,160 --> 00:59:41,160
Lab echo.

1190
00:59:41,160 --> 00:59:42,160
Soft tick.

1191
00:59:42,160 --> 00:59:48,680
Cohort report: patch cohort C emits 61% of suspicious LSASS handle attempts.

1192
00:59:48,680 --> 00:59:51,080
Cohort A emits 5%.

1193
00:59:51,080 --> 00:59:52,480
The numbers are not drama.

1194
00:59:52,480 --> 00:59:54,200
They are gravity made audible.

1195
00:59:54,200 --> 00:59:59,640
We fix drift by making time visible: dashboards that show patch velocity by business owner.

1196
00:59:59,640 --> 01:00:05,840
SLA agreements that treat identity patches as production uptime because they are.

1197
01:00:05,840 --> 01:00:07,920
Change boards that understand the physics.

1198
01:00:07,920 --> 01:00:13,440
A weekend outage to update KDCs prevents a week long outage after collapse.

1199
01:00:13,440 --> 01:00:19,580
Tabletop exercises that stage a domain controller compromise and walk leadership through forest

1200
01:00:19,580 --> 01:00:20,580
recovery.

1201
01:00:20,580 --> 01:00:23,000
Practice turns fear into competence.

1202
01:00:23,000 --> 01:00:27,080
Finally, we change habit: exceptions expire by default.

1203
01:00:27,080 --> 01:00:32,080
Service accounts receive maintenance windows to rotate secrets like tides.

1204
01:00:32,080 --> 01:00:37,000
GPOs enforce modern protocols and refuse to be moved except by ceremony.

1205
01:00:37,000 --> 01:00:41,800
We teach a culture that sees temporary as a threat, not a favor.

1206
01:00:41,800 --> 01:00:43,440
Low chime.

1207
01:00:43,440 --> 01:00:44,920
Legacy exception closed.

1208
01:00:44,920 --> 01:00:47,280
Bass pulse diminishes.

1209
01:00:47,280 --> 01:00:49,120
Time resumes its proper pace.

1210
01:00:49,120 --> 01:00:51,200
We do not chase every patch as panic.

1211
01:00:51,200 --> 01:00:52,160
We set a rhythm.

1212
01:00:52,160 --> 01:00:53,480
We honor it.

1213
01:00:53,480 --> 01:00:58,640
And when an old star refuses, we either put it behind glass or watch it collapse on our

1214
01:00:58,640 --> 01:01:00,480
terms, not the universe's.

1215
01:01:00,480 --> 01:01:03,200
The next orbit begins at the center.

1216
01:01:03,200 --> 01:01:09,880
Gravity wells and trusts: in every Windows universe there is a mass at the center.

1217
01:01:09,880 --> 01:01:12,320
The domain controller.

1218
01:01:12,320 --> 01:01:14,120
Authentication curves around it.

1219
01:01:14,120 --> 01:01:15,560
Authorization descends from it.

1220
01:01:15,560 --> 01:01:18,880
Kerberos and NTLM are the languages its gravity speaks.

1221
01:01:18,880 --> 01:01:24,960
Trusts are wormholes that connect galaxies to one another for convenience or catastrophe.

1222
01:01:24,960 --> 01:01:28,320
We will read Kerberos as curved space.

1223
01:01:28,320 --> 01:01:31,160
KDC to TGT to TGS.

1224
01:01:31,160 --> 01:01:34,680
SPNs as stars that tickets orbit.

1225
01:01:34,680 --> 01:01:37,760
Delegation as lenses that bend identity.

1226
01:01:37,760 --> 01:01:41,080
Unconstrained delegation is a furnace.

1227
01:01:41,080 --> 01:01:44,240
Constrained delegation is engineered light.

1228
01:01:44,240 --> 01:01:47,640
Resource-based constrained delegation is a mirror with rules.

1229
01:01:47,640 --> 01:01:49,280
Each changes curvature.

1230
01:01:49,280 --> 01:01:51,320
Each must be chosen, not inherited.

1231
01:01:51,320 --> 01:01:53,960
We will treat NTLM as fossil gravity.

1232
01:01:53,960 --> 01:01:55,840
Useful in rare caves.

1233
01:01:55,840 --> 01:01:57,920
Dangerous in open sky.

1234
01:01:57,920 --> 01:01:59,760
Relays exploit unsigned lanes.

1235
01:01:59,760 --> 01:02:02,040
To dialects betray modern intent.

1236
01:02:02,040 --> 01:02:03,360
We do not shame legacy.

1237
01:02:03,360 --> 01:02:04,880
We confine it.

1238
01:02:04,880 --> 01:02:06,720
Trusts will be our wormholes.

1239
01:02:06,720 --> 01:02:09,400
Forest, external, shortcut.

1240
01:02:09,400 --> 01:02:12,360
Directionality, selective authentication.

1241
01:02:12,360 --> 01:02:14,480
SID filtering.

1242
01:02:14,480 --> 01:02:16,240
Stable when designed.

1243
01:02:16,240 --> 01:02:18,400
Treacherous when forgotten.

1244
01:02:18,400 --> 01:02:21,760
We will harden gates and monitor crossings.

1245
01:02:21,760 --> 01:02:22,760
Low chime.

1246
01:02:22,760 --> 01:02:25,280
Event 4769 drift clusters near finance

1247
01:02:25,280 --> 01:02:26,280
SPNs.

1248
01:02:26,280 --> 01:02:27,960
Base pulse.

1249
01:02:27,960 --> 01:02:31,400
Unusual TGT lifetimes detected.

1250
01:02:31,400 --> 01:02:34,880
We listen because the fabric speaks before it tears.

1251
01:02:34,880 --> 01:02:36,200
We descend now.

1252
01:02:36,200 --> 01:02:37,800
Toward the well.

1253
01:02:37,800 --> 01:02:39,520
Kerberos as curved space.

1254
01:02:39,520 --> 01:02:40,960
Kerberos is not a handshake.

1255
01:02:40,960 --> 01:02:42,760
It is geometry.

1256
01:02:42,760 --> 01:02:44,960
Identity bends across a field.

1257
01:02:44,960 --> 01:02:47,600
And the KDC defines the curvature.

1258
01:02:47,600 --> 01:02:49,520
We begin at the singularity.

1259
01:02:49,520 --> 01:02:51,680
The key distribution center.

1260
01:02:51,680 --> 01:02:54,800
Living inside each domain controller.

1261
01:02:54,800 --> 01:02:58,840
When you authenticate, you do not receive permission.

1262
01:02:58,840 --> 01:03:00,760
You receive potential.

1263
01:03:00,760 --> 01:03:02,800
Your ticket granting ticket.

1264
01:03:02,800 --> 01:03:05,040
The TGT is a compact star.

1265
01:03:05,040 --> 01:03:12,800
It holds your SID, group SIDs, a lifetime, flags, and a signature sealed by the KRBTGT secret

1266
01:03:12,800 --> 01:03:15,160
that only the KDC can wield.

1267
01:03:15,160 --> 01:03:19,000
To every other service, that seal is invisible.

1268
01:03:19,000 --> 01:03:22,320
To the KDC it is truth spoken in mathematics.

1269
01:03:22,320 --> 01:03:24,680
With the TGT you request light.

1270
01:03:24,680 --> 01:03:29,480
These tickets, TGS, are photons bent toward a destination.

1271
01:03:29,480 --> 01:03:36,920
You ask for CIFS on a file server, MSSQL on a ledger box, HTTP on a finance app.

1272
01:03:36,920 --> 01:03:44,400
The KDC examines your TGT's contents, consults policy, and mints a service ticket encrypted

1273
01:03:44,400 --> 01:03:47,000
with the service's long term key.

1274
01:03:47,000 --> 01:03:49,720
The server cannot read your TGT.

1275
01:03:49,720 --> 01:03:52,520
It reads only what the KDC wrote for it.

1276
01:03:52,520 --> 01:03:54,040
This is the first law.

1277
01:03:54,040 --> 01:03:57,680
Services trust the KDC's memory of you, not your word.

1278
01:03:57,680 --> 01:03:59,880
Service principal names mark the stars.

1279
01:03:59,880 --> 01:04:06,360
HTTP/finance, MSSQL/ledger01, CIFS/share-core.

1280
01:04:06,360 --> 01:04:09,440
Each SPN is a coordinate where tickets can land.

1281
01:04:09,440 --> 01:04:13,080
When SPNs point at accounts with broad power, the gravity distorts.

1282
01:04:13,080 --> 01:04:19,240
A service account with write rights to sensitive OUs or membership in high groups turns routine

1283
01:04:19,240 --> 01:04:23,160
access into a lens that magnifies risk.

1284
01:04:23,160 --> 01:04:29,720
We prune SPNs, constrain rights, and name OUs because unnamed light becomes heat.

1285
01:04:29,720 --> 01:04:32,880
Delegation is how identity passes through lenses.

1286
01:04:32,880 --> 01:04:35,760
Unconstrained delegation is a furnace.

1287
01:04:35,760 --> 01:04:41,080
The service receives your ticket and may request tickets to anything on your behalf.

1288
01:04:41,080 --> 01:04:46,480
If a privileged user touches that furnace, their TGT may rest in memory, convertible into

1289
01:04:46,480 --> 01:04:48,800
access across the universe.

1290
01:04:48,800 --> 01:04:52,800
Constrained delegation is engineered light.

1291
01:04:52,800 --> 01:04:59,360
The service can act for you only toward designated SPNs.

1292
01:04:59,360 --> 01:05:04,120
Resource-based constrained delegation reverses the perspective.

1293
01:05:04,120 --> 01:05:07,400
The target service declares who may impersonate to it.

1294
01:05:07,400 --> 01:05:11,880
Each mode defines how far identity can travel without consulting you again.

1295
01:05:11,880 --> 01:05:13,960
Choose care over convenience.

1296
01:05:13,960 --> 01:05:15,280
Lab echo.

1297
01:05:15,280 --> 01:05:16,800
Low chime.

1298
01:05:16,800 --> 01:05:18,800
TGS issuance spike.

1299
01:05:18,800 --> 01:05:22,680
HTTP finance outside change window.

1300
01:05:22,680 --> 01:05:23,840
Base pulse.

1301
01:05:23,840 --> 01:05:25,560
Delegation path discovered.

1302
01:05:25,560 --> 01:05:28,960
App-old has unconstrained trust.

1303
01:05:28,960 --> 01:05:30,960
Um...

1304
01:05:30,960 --> 01:05:32,640
The...

1305
01:05:32,640 --> 01:05:35,520
The field ripples before it tears.

1306
01:05:35,520 --> 01:05:37,800
Attackers do not break Kerberos.

1307
01:05:37,800 --> 01:05:40,320
They harvest what drift permits.

1308
01:05:40,320 --> 01:05:46,320
If SPNs are owned by accounts with weak passwords, requesting their service tickets produces

1309
01:05:46,320 --> 01:05:49,680
ciphertext eligible for offline guessing.

1310
01:05:49,680 --> 01:05:51,760
We do not describe the ritual.

1311
01:05:51,760 --> 01:05:53,880
We correct the physics.

1312
01:05:53,880 --> 01:05:59,040
Privileged service accounts must use long random secrets and where possible managed service

1313
01:05:59,040 --> 01:06:02,240
accounts that rotate by design.

1314
01:06:02,240 --> 01:06:08,840
Monitor event 4769 patterns that spike for sensitive SPNs, especially from principals

1315
01:06:08,840 --> 01:06:10,920
that historically never asked.

1316
01:06:10,920 --> 01:06:13,200
Abuse of delegation follows curvature.

1317
01:06:13,200 --> 01:06:16,560
An unconstrained server becomes a token magnet.

1318
01:06:16,560 --> 01:06:21,920
An attacker who obtains local admin there can read the furnace and convert visiting administrators

1319
01:06:21,920 --> 01:06:23,200
into passports.

1320
01:06:23,200 --> 01:06:28,040
We cool the surface, remove unconstrained delegation from anything but edge relays that

1321
01:06:28,040 --> 01:06:34,600
terminate in isolation, use constrained delegation with protocol transition only where audited,

1322
01:06:34,600 --> 01:06:40,720
and favor resource-based constrained delegation to pin who may speak for whom.

1323
01:06:40,720 --> 01:06:46,600
We deny interactive logon to service accounts so human heat never bays the furnace.

1324
01:06:46,600 --> 01:06:48,480
The KRBTGT secret is time.

1325
01:06:48,480 --> 01:06:55,160
If it goes stale, forged TGTs from a past era may still be honored by controllers that

1326
01:06:55,160 --> 01:06:57,200
never learned the new song.

1327
01:06:57,200 --> 01:07:02,400
We reset KRBTGT twice in a controlled window with replication observed, tickets allowed

1328
01:07:02,400 --> 01:07:04,440
to age out between rotations.

1329
01:07:04,440 --> 01:07:06,800
This is a ritual not a reaction.

1330
01:07:06,800 --> 01:07:10,520
When a forest trembles, we perform it again after eviction.

1331
01:07:10,520 --> 01:07:15,200
PAC data, authorization claims inside tickets, carries group memberships and privileges

1332
01:07:15,200 --> 01:07:17,480
signed by the KDC.

1333
01:07:17,480 --> 01:07:23,800
Services that validate PAC signatures ask the KDC to confirm the seal when uncertain.

1334
01:07:23,800 --> 01:07:27,920
When validation is lax, injected claims masquerade as truth.

1335
01:07:27,920 --> 01:07:33,960
Enable PAC signature validation for sensitive services and log failures like gravitational

1336
01:07:33,960 --> 01:07:35,200
anomalies.

1337
01:07:35,200 --> 01:07:39,760
When a service claims a user belongs to a group they never joined, the sky is lying.

1338
01:07:39,760 --> 01:07:46,080
Time remains the quiet tyrant. Kerberos lifetimes, skew tolerance and renewal windows define

1339
01:07:46,080 --> 01:07:48,520
how long light persists.

1340
01:07:48,520 --> 01:07:52,640
Short lifetimes reduce the window for ticket theft to matter.

1341
01:07:52,640 --> 01:07:55,760
Excessively short lifetimes induce thrash.

1342
01:07:55,760 --> 01:07:58,840
Excessively long lifetimes tolerate drift.

1343
01:07:58,840 --> 01:08:02,880
Critical identities benefit from stricter horizons.

1344
01:08:02,880 --> 01:08:07,240
Protected Users limits delegation and reduces lifetime.

1345
01:08:07,240 --> 01:08:13,080
Start with MFA at interactive entry so TGT minting itself costs energy.

1346
01:08:13,080 --> 01:08:15,800
Trusts stretch Kerberos across galaxies.

1347
01:08:15,800 --> 01:08:23,040
When domains or forests trust, TGTs cross wormholes through referral tickets.

1348
01:08:23,040 --> 01:08:29,080
Selective authentication ensures only named entities may be trusted on the far side.

1349
01:08:29,080 --> 01:08:33,720
Without it, authenticated users drift where they never belonged.

1350
01:08:33,720 --> 01:08:37,800
SID filtering cuts forged history at the border.

1351
01:08:37,800 --> 01:08:41,840
Disabled filtering lets the past impersonate the present.

1352
01:08:41,840 --> 01:08:44,360
We anchor wormholes with gates.

1353
01:08:44,360 --> 01:08:46,840
Selective authentication on two way trusts.

1354
01:08:46,840 --> 01:08:53,280
SID filtering enabled, and monitoring for inter-forest ticket flows that do not match business schedule.

1355
01:08:53,280 --> 01:08:55,760
Lab echo. Soft tick.

1356
01:08:55,760 --> 01:08:57,520
Event 4768.

1357
01:08:57,520 --> 01:09:01,680
Unusual pre-auth failures from a management subnet.

1358
01:09:01,680 --> 01:09:02,840
Low chime.

1383
01:09:53,400 --> 01:10:08,400
NTLM is not evil.

1384
01:10:08,400 --> 01:10:09,400
It is ancient.

1385
01:10:09,400 --> 01:10:14,400
A dialect from a colder era preserved in sediment and convenience.

1386
01:10:14,400 --> 01:10:17,320
When the enterprise forgets it exists,

1387
01:10:17,320 --> 01:10:18,920
it does not vanish.

1388
01:10:18,920 --> 01:10:20,120
It waits.

1389
01:10:20,120 --> 01:10:21,440
Fossils do not chase us.

1390
01:10:21,440 --> 01:10:22,680
We step on them.

1391
01:10:22,680 --> 01:10:26,840
NTLM speaks challenge and response, not tickets and curvature.

1392
01:10:26,840 --> 01:10:29,200
There is no KDC to seal memory.

1393
01:10:29,200 --> 01:10:33,360
There is only a server asking for proof and a client offering a computation.

1394
01:10:33,360 --> 01:10:40,560
Without signing, without binding, the conversation can be stolen mid-sentence and replayed elsewhere.

1395
01:10:40,560 --> 01:10:46,840
With weak variants, LM and NTLMv1, the math yields to guessing in hours, sometimes

1396
01:10:46,840 --> 01:10:48,160
minutes.

1397
01:10:48,160 --> 01:10:53,120
Even modern NTLMv2, when unguarded, will reflect through relays and grant what it never

1398
01:10:53,120 --> 01:10:54,880
meant to grant.

1399
01:10:54,880 --> 01:10:56,240
Relays are not magic.

1400
01:10:56,240 --> 01:10:58,120
They are gravity exploiting a slope.

1401
01:10:58,120 --> 01:11:01,600
A victim tries to authenticate to a hostile middle.

1402
01:11:01,600 --> 01:11:06,840
The middle carries the challenge faithfully to a real server, returns the response and wins

1403
01:11:06,840 --> 01:11:08,440
a session it never earned.

1404
01:11:08,440 --> 01:11:10,200
No passwords captured.

1405
01:11:10,200 --> 01:11:12,080
No hashes cracked.

1406
01:11:12,080 --> 01:11:17,280
Only a trust misplaced between two points that did not verify each other.

1407
01:11:17,280 --> 01:11:21,880
When SMB signing is optional, when LDAP channel binding sleeps,

1408
01:11:21,880 --> 01:11:26,720
when HTTP neglects mutual TLS, the slope is slick.

1409
01:11:26,720 --> 01:11:28,800
Lab echo, low chime.

1410
01:11:28,800 --> 01:11:31,040
4769 remains quiet.

1411
01:11:31,040 --> 01:11:33,080
4776 flickers.

1412
01:11:33,080 --> 01:11:37,000
NTLM authentication to file archive from unknown host.

1413
01:11:37,000 --> 01:11:38,000
Base pulse.

1414
01:11:38,000 --> 01:11:40,960
SMB signing not required.

1415
01:11:40,960 --> 01:11:43,200
The fossil hums beneath modern stone.

1416
01:11:43,200 --> 01:11:48,280
Why does NTLM persist? Because some caves never saw light: devices and services that

1417
01:11:48,280 --> 01:11:55,320
cannot speak Kerberos, mixed realms, legacy appliances, stubborn printers that demand a handshake

1418
01:11:55,320 --> 01:11:57,280
older than your governance.

1419
01:11:57,280 --> 01:12:02,840
It also persists because humans visit those caves with privileged tokens.

1420
01:12:02,840 --> 01:12:07,360
When a domain admin touches a legacy share, the fossil is invited to dinner.

1421
01:12:07,360 --> 01:12:09,160
The attacker does not have to cook.

1422
01:12:09,160 --> 01:12:10,760
They serve.

1423
01:12:10,760 --> 01:12:13,000
Defense begins with renunciation.

1424
01:12:13,000 --> 01:12:16,480
Disable LM and NTLMv1 outright.

1425
01:12:16,480 --> 01:12:19,640
There is no business case worthy of geologic weakness.

1426
01:12:19,640 --> 01:12:26,000
Raise the NTLM audit level to measure where it still flows, then apply policy to refuse

1427
01:12:26,000 --> 01:12:29,440
it where possible, confine it where necessary.

1428
01:12:29,440 --> 01:12:34,760
In domains that cannot yet retire it, define allow lists for services permitted to accept

1429
01:12:34,760 --> 01:12:38,760
NTLM and make every other service answer with silence.

1430
01:12:38,760 --> 01:12:45,180
Then add friction to the slope and force SMB signing on clients and servers so relays

1431
01:12:45,180 --> 01:12:48,680
cannot convince the far side they are near.

1432
01:12:48,680 --> 01:12:54,160
Enable extended protection and channel binding for LDAP over TLS so the client's proof

1433
01:12:54,160 --> 01:12:59,980
is tied to the service certificate and an impostor cannot reuse it elsewhere. Where web stacks

1434
01:12:59,980 --> 01:13:06,800
live, prefer Kerberos with SPNs and constrain fallback.

1435
01:13:06,800 --> 01:13:13,320
Where NTLM must remain, require mutual TLS so at least the tunnel refuses strangers.

1436
01:13:13,320 --> 01:13:19,520
We align identity with purpose: Protected Users for critical accounts prevents NTLM use

1437
01:13:19,520 --> 01:13:21,000
entirely.

1438
01:13:21,000 --> 01:13:24,920
Those identities will not speak fossil dialects.

1439
01:13:24,920 --> 01:13:30,760
Administrative actions move through PAWs that deny NTLM at the OS and network layers.

1440
01:13:30,760 --> 01:13:35,600
Service accounts retire bare passwords for managed service accounts or Kerberos-only

1441
01:13:35,600 --> 01:13:42,200
bindings. Where NTLM is demanded, we quarantine those services in subnets that do not touch

1442
01:13:42,200 --> 01:13:44,480
Tier 0.

1443
01:13:44,480 --> 01:13:51,080
Trusts across forests adopt selective authentication so NTLM sessions do not drift across wormholes

1444
01:13:51,080 --> 01:13:52,080
uninspected.

1445
01:13:52,080 --> 01:13:53,560
Lab Echo.

1446
01:13:53,560 --> 01:13:55,160
Soft tick.

1447
01:13:55,160 --> 01:14:00,040
Group Policy enforced: Microsoft network client: Digitally sign communications (always),

1448
01:14:00,040 --> 01:14:01,360
enabled.

1449
01:14:01,360 --> 01:14:07,160
Low chime. LDAP channel binding required. The sediment begins to harden.

1450
01:14:07,160 --> 01:14:11,040
Detection must treat NTLM as seismic activity.

1451
01:14:11,040 --> 01:14:16,880
4776 shows NTLM authentication attempts; cluster by source to find relays.

1452
01:14:16,880 --> 01:14:22,760
4624 with Logon Type 3 from unusual intermediaries betrays man-in-the-middle.

1453
01:14:22,760 --> 01:14:24,400
4648.

1454
01:14:24,400 --> 01:14:30,000
Logon with explicit credentials, without a corresponding Kerberos path, suggests fossil

1455
01:14:30,000 --> 01:14:31,000
pressure.

1456
01:14:31,000 --> 01:14:37,000
Paired with Sysmon event 3 for SMB sessions between hosts that should never converse.

1457
01:14:37,000 --> 01:14:42,720
And 5140 share accesses that appear from jump hosts outside maintenance windows.

1458
01:14:42,720 --> 01:14:43,720
Build correlation.

1459
01:14:43,720 --> 01:14:52,880
NTLM where Kerberos should rule, SMB without signing, LDAP binds without channel binding.

1460
01:14:52,880 --> 01:14:56,480
Curvature emerges in combinations, not single stars.

1461
01:14:56,480 --> 01:15:01,760
We must name the printers too; the spooler's reflexes have long been a tide for relays and coercion:

1462
01:15:01,760 --> 01:15:04,840
on servers that are not print servers, disable the spooler.

1463
01:15:04,840 --> 01:15:10,040
On those that must print, isolate, patch aggressively, and monitor for outbound authentication

1464
01:15:10,040 --> 01:15:11,040
bursts.

1465
01:15:11,040 --> 01:15:14,640
Convenience is not worth an ocean current that touches Tier 0.

1466
01:15:14,640 --> 01:15:16,440
Time participates.

1467
01:15:16,440 --> 01:15:22,480
Old applications can be modernized if we assign owners, budgets and sunsets.

1468
01:15:22,480 --> 01:15:24,920
Isolation is not exile, it is mercy.

1469
01:15:24,920 --> 01:15:31,280
VLANs with deny-by-default firewall rules that allow only application ports, no inbound

1470
01:15:31,280 --> 01:15:37,600
admin except via bastions that refuse NTLM, compensate with telemetry.

1471
01:15:37,600 --> 01:15:44,080
Sysmon on, command line capture, driver load audits, kernel protections enforced.

1472
01:15:44,080 --> 01:15:48,120
Every NTLM allowance must be louder than Kerberos by design.

1473
01:15:48,120 --> 01:15:53,360
Lab echo. Base pulse: attempted SMB relay blocked, signing required, source

1474
01:15:53,360 --> 01:16:06,320
10.23.7.41, target file archive. Low chime: 4776 surge reduced 83% after policy rollout.

1475
01:16:06,320 --> 01:16:09,680
Fossil gravity weakens when law returns.

1476
01:16:09,680 --> 01:16:14,880
Identity bends toward ease, our task is to make the easy path the safe one.

1477
01:16:14,880 --> 01:16:19,200
We move administrators to Kerberos first flows with MFA at entry.

1478
01:16:19,200 --> 01:16:24,280
We force SPNs into clarity, no aliasing that invites NTLM fallback.

1479
01:16:24,280 --> 01:16:31,000
We train habit: when a tool prompts for NTLM we ask why; when a host accepts it silently,

1480
01:16:31,000 --> 01:16:32,840
we correct it.

1481
01:16:32,840 --> 01:16:37,960
And we accept the truth: NTLM will never be perfectly gone while legacy breathes,

1482
01:16:37,960 --> 01:16:41,280
so we cage it, bind it, watch it, and starve it.

1483
01:16:41,280 --> 01:16:46,680
NTLM is a fossil, useful for museum work, deadly on the highway; keep it behind glass.

1484
01:16:46,680 --> 01:16:51,760
Scripted segment: the domain controller as a black hole. In every Windows universe, there

1485
01:16:51,760 --> 01:16:53,160
is a mass at the center.

1486
01:16:53,160 --> 01:16:55,040
You call it a domain controller.

1487
01:16:55,040 --> 01:17:00,960
Every authentication, every authorization request, every ticket and hash and token, they

1488
01:17:00,960 --> 01:17:02,120
arc around it.

1489
01:17:02,120 --> 01:17:07,560
The KDC breathes there, the directory remembers there, group policy descends like radiation

1490
01:17:07,560 --> 01:17:09,640
pressure from that core.

1491
01:17:09,640 --> 01:17:15,240
Power BI does not simply show us the controller defines what can be shown at all.

1492
01:17:15,240 --> 01:17:17,680
Workers do not dream of a random file server.

1493
01:17:17,680 --> 01:17:21,240
They fall relentlessly toward the event horizon.

1494
01:17:21,240 --> 01:17:27,360
Once a domain admin token crosses, gravity flips: the directory no longer resists, it obeys.

1495
01:17:27,360 --> 01:17:29,960
A forged past can be written as present.

1496
01:17:29,960 --> 01:17:36,600
A temporary test GPO becomes law, a service account is fixed with broader rights than

1497
01:17:36,600 --> 01:17:42,960
the sun can safely bear, not a breach, a redefinition of reality.

1498
01:17:42,960 --> 01:17:44,440
Low chime.

1499
01:17:44,440 --> 01:17:53,280
4769 drift clusters spike for CIFS/share-core from an unusual principal. Base pulse.

1500
01:17:53,280 --> 01:17:57,920
4672 privileged logon outside maintenance window.

1501
01:17:57,920 --> 01:18:01,240
The fabric whispers, the horizon is near.

1502
01:18:01,240 --> 01:18:02,960
We pull the camera closer.

1503
01:18:02,960 --> 01:18:07,360
A DC is not merely a server, it is the singularity of trust.

1504
01:18:07,360 --> 01:18:09,320
Sysvol carries the laws.

1505
01:18:09,320 --> 01:18:15,080
NTDS.dit holds the memory of every principal and secret; LSASS on a DC is not one key ring

1506
01:18:15,080 --> 01:18:19,240
among many, it is the key ring that can mint more.

1507
01:18:19,240 --> 01:18:24,520
If this mass bends, the entire forest curves. This is why every control lines up toward

1508
01:18:24,520 --> 01:18:26,040
one goal.

1509
01:18:26,040 --> 01:18:31,720
Never allow a high value token to settle on a low trust surface within the well's gravity.

1510
01:18:31,720 --> 01:18:36,600
Not through unconstrained delegation that turns furnaces into token magnets.

1511
01:18:36,600 --> 01:18:42,440
Not through cached credentials left by convenience, not through temporary exceptions in GPOs

1512
01:18:42,440 --> 01:18:45,520
that no one dared remove. We speak ceremony.

1513
01:18:45,520 --> 01:18:47,200
Tier 0 is sacred.

1514
01:18:47,200 --> 01:18:48,840
No casual browsing.

1515
01:18:48,840 --> 01:18:49,840
No email.

1516
01:18:49,840 --> 01:18:51,360
No developer tools.

1517
01:18:51,360 --> 01:18:53,920
No RDP from workstations.

1518
01:18:53,920 --> 01:18:58,520
Administrative hands reach from privileged access workstations with hardened profiles,

1519
01:18:58,520 --> 01:19:02,200
recorded sessions, and policies that refuse fossils.

1520
01:19:02,200 --> 01:19:09,040
The domain controller does not host convenience, it hosts law.

1521
01:19:09,040 --> 01:19:10,440
Lab echo.

1522
01:19:10,440 --> 01:19:12,080
Soft tick.

1523
01:19:12,080 --> 01:19:13,080
Denied.

1524
01:19:13,080 --> 01:19:14,240
Interactive logon.

1525
01:19:14,240 --> 01:19:18,000
Attempt to DC03 by Tier 1 operator.

1526
01:19:18,000 --> 01:19:20,400
The gate holds because the gate is explicit.

1527
01:19:20,400 --> 01:19:22,040
We define the orbit.

1528
01:19:22,040 --> 01:19:23,040
Delegation cut to shape.

1529
01:19:23,040 --> 01:19:24,040
No unconstrained.

1530
01:19:24,040 --> 01:19:26,040
Constrained only where audited.

1531
01:19:26,040 --> 01:19:27,040
Resource-based.

1532
01:19:27,040 --> 01:19:28,040
Constrained.

1533
01:19:28,040 --> 01:19:29,040
Delegation.

1534
01:19:29,040 --> 01:19:32,440
These name exactly who may bend identity toward them.

1535
01:19:32,440 --> 01:19:38,680
SPNs owned by managed service accounts with secrets that rotate like pulsars, KRBTGT reset

1536
01:19:38,680 --> 01:19:43,320
twice on a cadence that treats time as physics, not hope.

1537
01:19:43,320 --> 01:19:49,200
PAC validation where services can ask the KDC to confirm the seal when any doubt invades.

1538
01:19:49,200 --> 01:19:51,080
We starve the slopes.

1539
01:19:51,080 --> 01:19:56,320
SMB signing enforced, so relays cannot impersonate gravity.

1540
01:19:56,320 --> 01:20:00,240
LDAP channel binding so secrets cannot be replayed through impostors.

1541
01:20:00,240 --> 01:20:04,280
NTLM reduced to the museum, caged and loud.

1542
01:20:04,280 --> 01:20:06,560
The print spooler stopped on the DCs.

1543
01:20:06,560 --> 01:20:09,400
There is nothing to print at the center of the universe.

1544
01:20:09,400 --> 01:20:11,800
We instrument inevitability.

1545
01:20:11,800 --> 01:20:22,280
Windows security logs for 4768, 4769, 4672, 4728, 4732, 4662 with DS-Replication-Get-Changes.

1546
01:20:22,280 --> 01:20:30,520
Sysmon for event 10 against LSASS, event 7 for unexpected SSPs, event 3 for lateral whispers

1547
01:20:30,520 --> 01:20:32,160
aimed at the core.

1548
01:20:32,160 --> 01:20:36,120
SIEM correlates, not volume, but curvature.

1549
01:20:36,120 --> 01:20:42,320
A privileged logon plus a new GPO link plus a replication permission assignment equals

1550
01:20:42,320 --> 01:20:43,960
gravity failure.

1551
01:20:43,960 --> 01:20:51,560
Base pulse: directory replication access requested by SVC backup west. Low chime: 4662

1552
01:20:51,560 --> 01:20:57,000
on DC-02 matches DS-Replication-Get-Changes-All.

1553
01:20:57,000 --> 01:21:00,360
The telescope catches the crescent before eclipse.

1554
01:21:00,360 --> 01:21:03,120
We write recovery as ritual not panic.

1555
01:21:03,120 --> 01:21:11,120
If the event horizon is breached, we evict: account disables, password resets, KRBTGT rotations,

1556
01:21:11,120 --> 01:21:17,560
DC rebuilds from known good media with secure boot and tamper protection.

1557
01:21:17,560 --> 01:21:24,640
We test forest recovery quarterly: metadata cleanup, system state restores, SYSVOL health,

1558
01:21:24,640 --> 01:21:28,360
DC reintroduction, paced with replication.

1559
01:21:28,360 --> 01:21:33,880
Backups are not real until a restored controller is trusted by fresh clients without manual

1560
01:21:33,880 --> 01:21:34,880
blessing.

1561
01:21:34,880 --> 01:21:36,240
Humans are part of gravity.

1562
01:21:36,240 --> 01:21:41,840
A senior admin fatigued at 0211 opens server manager from a workstation and clicks into

1563
01:21:41,840 --> 01:21:45,960
a DC for a minute.

1564
01:21:45,960 --> 01:21:55,040
A junior analyst notices the drift, a 4672 at an hour that never held change windows.

1565
01:21:55,040 --> 01:22:01,160
Curiosity becomes escalation, escalation becomes prevention, prevention becomes culture.

1566
01:22:01,160 --> 01:22:05,800
We honor both the mistake caught and the ritual that kept it reversible.

1567
01:22:05,800 --> 01:22:10,680
The observer speaks: I am the domain. I felt the drift at 0347.

1568
01:22:10,680 --> 01:22:14,240
When Kerberos curvature faltered, I trembled.

1569
01:22:14,240 --> 01:22:17,640
When you removed unconstrained delegation my heat fell.

1570
01:22:17,640 --> 01:22:23,880
When you rotated KRBTGT twice, time aligned. When you denied me convenience, I endured. Low

1571
01:22:23,880 --> 01:22:25,040
chime.

1572
01:22:25,040 --> 01:22:30,560
Park in action approved, change ticket present. Base pulse softens. A domain controller is

1573
01:22:30,560 --> 01:22:31,720
a black hole.

1574
01:22:31,720 --> 01:22:36,560
We do not move it, we orbit it with respect, we script law into GPOs not wishes, we bind

1575
01:22:36,560 --> 01:22:41,080
ceremony to privilege, we prefer boredom to brilliance at the core.

1576
01:22:41,080 --> 01:22:45,880
And when fabric synchronizes the data streams the horizon is not a surprise, it is a boundary,

1577
01:22:45,880 --> 01:22:47,960
we keep it that way.

1578
01:22:47,960 --> 01:22:53,080
Delegation and service account hygiene. Delegation is not convenience; it is controlled gravity.

1579
01:22:53,080 --> 01:22:57,840
When we allow one service to act for a user we bend identity through a lens and hope the

1580
01:22:57,840 --> 01:22:59,360
image remains true.

1581
01:22:59,360 --> 01:23:01,200
Hope is not policy.

1582
01:23:01,200 --> 01:23:05,680
Unconstrained delegation is a furnace; any principal that touches it can leave a TGT behind

1583
01:23:05,680 --> 01:23:07,200
as radiant heat.

1584
01:23:07,200 --> 01:23:12,920
The service may then request tickets to anything the visitor could reach, on a sleepy app server

1585
01:23:12,920 --> 01:23:18,560
that becomes a token magnet, on a management tier it becomes collapse.

1586
01:23:18,560 --> 01:23:19,560
Remove it.

1587
01:23:19,560 --> 01:23:25,200
Where legacy insists, isolate the furnace in a sealed chamber: deny interactive logon, no

1588
01:23:25,200 --> 01:23:31,880
admin sessions ever, separate VLAN, deny outbound except to named SPNs, and instrument memory

1589
01:23:31,880 --> 01:23:33,520
like a reactor.

1590
01:23:33,520 --> 01:23:36,440
Constrained delegation is engineered light.

1591
01:23:36,440 --> 01:23:42,000
We allow a service to present itself as us but only towards specified SPNs.

1592
01:23:42,000 --> 01:23:47,040
This is better but not safe by default, the list of target SPNs becomes law.

1593
01:23:47,040 --> 01:23:49,760
Overbroad targets are a quiet disaster.

1594
01:23:49,760 --> 01:23:54,440
CIFS is not specificity, it is surrender.

1595
01:23:54,440 --> 01:23:59,800
Use exact service names, exact hosts and review quarterly, coupled with strong secrets

1596
01:23:59,800 --> 01:24:05,080
or managed service accounts so the lens cannot be twisted by weak keys.

1597
01:24:05,080 --> 01:24:09,000
Resource-based constrained delegation is a mirror turned inward.

1598
01:24:09,000 --> 01:24:12,920
The target service declares who may impersonate users to it.

1599
01:24:12,920 --> 01:24:16,640
This flips control to the destination where ownership lives.

1600
01:24:16,640 --> 01:24:22,200
It reduces the blast radius of a misconfigured source but it still demands ceremony.

1601
01:24:22,200 --> 01:24:27,240
Only service principals that own the workload receive this trust, approvals are ticketed

1602
01:24:27,240 --> 01:24:30,760
and removal is dated before addition occurs.

1603
01:24:30,760 --> 01:24:36,600
Deny human group objects the right to delegate; people rotate, mirrors should not.

1604
01:24:36,600 --> 01:24:42,400
Service accounts are not people, they are vessels, name them with purpose, svc-app-finance,

1605
01:24:42,400 --> 01:24:47,520
mssql-ledger-svc, so ownership and scope are obvious.

1606
01:24:47,520 --> 01:24:53,360
Grant only the rights the service needs and nothing that looks like identity governance.

1607
01:24:53,360 --> 01:24:58,000
A backup service that can DCSync is not helpful, it is sovereign.

1608
01:24:58,000 --> 01:25:05,000
If a workload truly requires directory replication, assign a dedicated account with only DS-Replication-

1609
01:25:05,000 --> 01:25:12,320
Get-Changes and DS-Replication-Get-Changes-All, lock its logon rights to specific hosts

1610
01:25:12,320 --> 01:25:16,480
and bind its network paths to a fixed perimeter.

1611
01:25:16,480 --> 01:25:18,860
Everything else pretends.

1612
01:25:18,860 --> 01:25:24,680
Secrets define mass; static passwords decay into drift. Move service accounts to managed service

1613
01:25:24,680 --> 01:25:33,160
accounts, sMSA for single host, gMSA for farms. Rotation becomes heartbeat, Kerberos keys change

1614
01:25:33,160 --> 01:25:40,920
without human hands. Where gMSA is not possible, enforce long random secrets and a rotation

1615
01:25:40,920 --> 01:25:46,800
schedule measured in weeks, not years, and script the ritual so rollout is predictable.

1616
01:25:46,800 --> 01:25:53,320
Log every rotation, alert every failure, no manual edits at 0211. SPN ownership is gravity:

1617
01:25:53,320 --> 01:25:59,200
when an SPN points at an account, that account holds the cryptographic key that encrypts tickets

1618
01:25:59,200 --> 01:26:00,200
to that service.

1619
01:26:00,200 --> 01:26:04,560
If the account secret is weak, those tickets become bait for offline guessing.

1620
01:26:04,560 --> 01:26:11,200
Limit who can write SPNs, strip SPN set rights from helpdesk templates, make SPN creation

1621
01:26:11,200 --> 01:26:17,400
a CAB-tracked event with a rollback plan, audit SPNs monthly for duplicates, stale entries

1622
01:26:17,400 --> 01:26:20,760
and orphans that point to retired hosts.

1623
01:26:20,760 --> 01:26:24,560
Retired stars still bend light until you remove them.

1624
01:26:24,560 --> 01:26:29,860
Delegation and interactive logon must never intersect, deny interactive logon to every service

1625
01:26:29,860 --> 01:26:33,720
principal, a person should never sign in as a service.

1626
01:26:33,720 --> 01:26:36,400
A service should never receive a desktop.

1627
01:26:36,400 --> 01:26:41,880
If a vendor demands it, place that instance behind glass, apply AppLocker or WDAC to the

1628
01:26:41,880 --> 01:26:48,280
host, capture command lines and verify that any shell started under the service identity

1629
01:26:48,280 --> 01:26:50,680
is an incident, not a habit.

1630
01:26:50,680 --> 01:26:55,840
We map where service accounts breathe: logon rights constrained to specific hosts, allow

1631
01:26:55,840 --> 01:26:59,000
log on as a service tied only to the runtime.

1632
01:26:59,000 --> 01:27:05,680
No logon locally, no logon through RDP, no act as part of the operating system, unless

1633
01:27:05,680 --> 01:27:10,320
it is a narrow kernel boundary with explicit justification.

1634
01:27:10,320 --> 01:27:16,840
If a service writes to file shares, grant precisely the folders, never the root.

1635
01:27:16,840 --> 01:27:23,360
Hosts are vectors, vectors compose into paths. Lab echo, low chime: delegation audit, 12

1636
01:27:23,360 --> 01:27:30,160
unconstrained principals discovered, 9 on legacy app tier. Bass pulse: SPN set rights, 37

1637
01:27:30,160 --> 01:27:34,680
accounts hold Write-servicePrincipalName outside admin groups.

1638
01:27:34,680 --> 01:27:40,160
The curvature is not subtle, it is policy asleep, we instrument the lenses.

1639
01:27:40,160 --> 01:27:47,200
Event 4769 spikes for SPNs tied to privileged services should page, not wait.

1640
01:27:47,200 --> 01:27:53,680
Events 4738 and 4739 for service account attribute changes, especially userAccountControl

1641
01:27:53,680 --> 01:27:56,040
flags toggling delegation.

1642
01:27:56,040 --> 01:28:02,920
Directory access 4662 filtered on msDS-AllowedToDelegateTo or

1643
01:28:02,920 --> 01:28:04,840
msDS-AllowedToActOnBehalfOfOtherIdentity.

1644
01:28:04,840 --> 01:28:09,720
Sysmon event 7 for unexpected SSP modules on services that terminate delegation paths.

1645
01:28:09,720 --> 01:28:15,200
And SIEM logic that cries out when a delegated ticket to a sensitive SPN appears from a source

1646
01:28:15,200 --> 01:28:17,400
that never historically asked.

1647
01:28:17,400 --> 01:28:22,000
We enforce Protected Users on the principals that must never delegate or be delegated

1648
01:28:22,000 --> 01:28:23,520
on behalf of.

1649
01:28:23,520 --> 01:28:30,120
Their TGT lifetimes compress, NTLM is refused, and constrained delegation ignores them.

1650
01:28:30,120 --> 01:28:35,840
Pair with inbound PAC validation on sensitive services so injected claims cannot masquerade

1651
01:28:35,840 --> 01:28:37,440
as truth.

1652
01:28:37,440 --> 01:28:42,840
Where services support it, require service hardening options, Kerberos armoring (FAST) and channel

1653
01:28:42,840 --> 01:28:46,560
binding to anchor the math to the endpoint.

1654
01:28:46,560 --> 01:28:48,560
Humans complete the system.

1655
01:28:48,560 --> 01:28:51,600
Owners are named for every service principal.

1656
01:28:51,600 --> 01:28:57,160
Rotations have calendars, emergency use is JIT, not standing, changes require dual control,

1657
01:28:57,160 --> 01:29:04,560
reviews close the loop: quarterly attestations that list SPNs, targets, logon rights, and

1658
01:29:04,560 --> 01:29:07,040
the last rotate date.

1659
01:29:07,040 --> 01:29:12,760
Humans expire by default, anything older than a business cycle earns isolation or retirement.

1660
01:29:12,760 --> 01:29:16,040
The observer speaks, "I am the directory.

1661
01:29:16,040 --> 01:29:19,760
I felt the heat fall when you cooled the furnaces.

1662
01:29:19,760 --> 01:29:22,360
I felt the light focus when you tuned the lenses.

1663
01:29:22,360 --> 01:29:27,360
I held when service accounts became vessels with rituals, not people with habits.

1664
01:29:27,360 --> 01:29:28,360
Low chime.

1665
01:29:28,360 --> 01:29:32,720
gMSA deployment complete, 61 principals migrated.

1666
01:29:32,720 --> 01:29:35,760
Bass pulse fades, gravity behaves.

1667
01:29:35,760 --> 01:29:39,080
Collapse and containment. Compromise is not a plot twist.

1668
01:29:39,080 --> 01:29:40,080
It is weather.

1669
01:29:40,080 --> 01:29:42,200
A foothold becomes a climb.

1670
01:29:42,200 --> 01:29:44,200
A climb becomes a crossing.

1671
01:29:44,200 --> 01:29:46,480
A crossing becomes a rewrite.

1672
01:29:46,480 --> 01:29:52,240
Collapse begins at edges, not at the core, and it moves along paths we already mapped.

1673
01:29:52,240 --> 01:29:55,120
We will trace that arc with discipline.

1674
01:29:55,120 --> 01:29:59,520
Initial access sparks on a workstation, a service or a legacy cave.

1675
01:29:59,520 --> 01:30:01,400
Local privilege becomes fuel.

1676
01:30:01,400 --> 01:30:07,720
We are tested. If shields hold, movement slows; if shields fail, credentials spill as heat.

1677
01:30:07,720 --> 01:30:09,560
Paths form.

1678
01:30:09,560 --> 01:30:13,720
RDP, WinRM, SMB, WMI.

1679
01:30:13,720 --> 01:30:16,520
Shared secrets amplify.

1680
01:30:16,520 --> 01:30:19,440
Unique secrets dampen.

1681
01:30:19,440 --> 01:30:23,280
We will show persistence as writing a name into time.

1682
01:30:23,280 --> 01:30:29,960
Scheduled tasks disguised as maintenance, services that restart obediently, keys that

1683
01:30:29,960 --> 01:30:34,240
reopen doors, tickets that outlive their welcome.

1684
01:30:34,240 --> 01:30:37,040
We will pair each tactic with a counterforce.

1685
01:30:37,040 --> 01:30:44,960
Baselines, drift detection, ticket lifetime discipline, KRBTGT rotation and re-keying rituals.

1686
01:30:44,960 --> 01:30:47,000
Detection is the telescope.

1687
01:30:47,000 --> 01:30:48,640
Security logs speak.

1688
01:30:48,640 --> 01:30:51,320
4672 outside ritual.

1689
01:30:51,320 --> 01:30:54,480
4769 against quiet SPNs.

1690
01:30:54,480 --> 01:31:00,560
4662 for replication, 4732 when groups swell unexpectedly.

1691
01:31:00,560 --> 01:31:08,320
Sysmon whispers: event 10, seeking LSASS; event 3, walking beams; event 11, altering the

1692
01:31:08,320 --> 01:31:09,720
file system near law.

1693
01:31:09,720 --> 01:31:12,600
SIEM correlates curvature, not noise.

1694
01:31:12,600 --> 01:31:19,480
Response is containment: quarantine hosts, revoke tokens, reset secrets with order, not panic.

1695
01:31:19,480 --> 01:31:25,800
Evict patients with precision and when the horizon is crossed, we rebuild with ceremony.

1696
01:31:25,800 --> 01:31:26,800
Low chime.

1697
01:31:26,800 --> 01:31:28,640
We fall further now.

1698
01:31:28,640 --> 01:31:31,240
Lateral movement, walking the beams.

1699
01:31:31,240 --> 01:31:33,440
Lateral movement is not chaos.

1700
01:31:33,440 --> 01:31:35,120
It is light choosing a path.

1701
01:31:35,120 --> 01:31:38,800
Once local privilege exists, identity looks outward.

1702
01:31:38,800 --> 01:31:41,120
It seeks neighbouring mass.

1703
01:31:41,120 --> 01:31:43,560
Sessions, shares, services.

1704
01:31:43,560 --> 01:31:44,720
The beams are familiar.

1705
01:31:44,720 --> 01:31:46,920
RDP, SMB, WinRM, WMI.

1706
01:31:46,920 --> 01:31:47,920
Each is a conduit.

1707
01:31:47,920 --> 01:31:48,920
Each is a choice.

1708
01:31:48,920 --> 01:31:51,120
Attackers do not invent highways.

1709
01:31:51,120 --> 01:31:53,480
They read the map we already paved.

1710
01:31:53,480 --> 01:31:55,400
RDP is a corridor with memory.

1711
01:31:55,400 --> 01:31:59,640
If credentials are reusable, a single foothold becomes a tour.

1712
01:31:59,640 --> 01:32:06,400
Shared local administrator passwords are a constellation that collapses at first touch.

1713
01:32:06,400 --> 01:32:08,880
Pass-the-hash is physics, not Romans.

1714
01:32:08,880 --> 01:32:11,480
Present a token, inherit the rights.

1715
01:32:11,480 --> 01:32:14,160
If LAPS is absent, beams align.

1716
01:32:14,160 --> 01:32:18,200
If LAPS turns each star unique, the corridor narrows.

1717
01:32:18,200 --> 01:32:20,760
RDP becomes ceremony instead of convenience.

1718
01:32:20,760 --> 01:32:22,760
SMB's gravity is a freight route.

1719
01:32:22,760 --> 01:32:27,880
File shares are supply lines, but the protocol also carries identity.

1720
01:32:27,880 --> 01:32:31,960
When SMB signing is optional, a relay can masquerade as proximity.

1721
01:32:31,960 --> 01:32:36,000
When it is enforced, an imposter cannot carry your proof across the room.

1722
01:32:36,000 --> 01:32:39,960
Admin shares, C$ and ADMIN$, are doors to the hull.

1723
01:32:39,960 --> 01:32:45,320
If local admin is common, those doors open in sequence, machine to machine, until the

1724
01:32:45,320 --> 01:32:47,760
network looks like a straight line.

1725
01:32:47,760 --> 01:32:53,120
If local admin is unique and Remote UAC stands guard, the straight line breaks into

1726
01:32:53,120 --> 01:32:54,520
islands.

1727
01:32:54,520 --> 01:32:57,280
WinRM is a voice carried by HTTP.

1728
01:32:57,280 --> 01:33:01,200
It is clean, scriptable and dangerous when unsegmented.

1729
01:33:01,200 --> 01:33:06,560
If a foothold can speak to servers across tiers, and if the caller possesses a token with

1730
01:33:06,560 --> 01:33:12,400
power, Invoke-Command becomes someone else in another room.

1731
01:33:12,400 --> 01:33:16,440
Constrained endpoints with Just Enough Administration change the geometry.

1732
01:33:16,440 --> 01:33:21,680
Verbs become finite, power becomes measurable; without them the voice can recite any spell

1733
01:33:21,680 --> 01:33:22,680
it remembers.

1734
01:33:22,680 --> 01:33:24,680
WMI is an old whisper.

1735
01:33:24,680 --> 01:33:29,040
It travels where RPC allows and does not care about ceremony.

1736
01:33:29,040 --> 01:33:34,720
If the caller is local admin on the target, a process can be created in silence.

1737
01:33:34,720 --> 01:33:41,200
If firewall baselines separate workstations from servers and servers from domain controllers,

1738
01:33:41,200 --> 01:33:42,680
the whisper fades.

1739
01:33:42,680 --> 01:33:48,840
If not, the enterprise mistakes convenience for physics. Lab echo, low chime: Sysmon event

1740
01:33:48,840 --> 01:33:54,040
3, SMB session from WS217 to APP-ledger outside maintenance.

1741
01:33:54,040 --> 01:33:58,240
Bass pulse.

1742
01:33:58,240 --> 01:34:06,000
4624 logon type 3 on APP-ledger by local administrator, LAPS rotation overdue.

1743
01:34:06,000 --> 01:34:09,160
The beam is visible when we instrument it.

1744
01:34:09,160 --> 01:34:11,160
Shared secrets are accelerants.

1745
01:34:11,160 --> 01:34:16,920
A password reused across tier 1 and tier 2 machines turns one success into dozens.

1746
01:34:16,920 --> 01:34:23,640
A gMSA misapplied as an interactive identity turns a service key into a skeleton key.

1747
01:34:23,640 --> 01:34:26,080
We reduce accelerants by ritual.

1748
01:34:26,080 --> 01:34:30,040
LAPS for local admin everywhere, rotation as heartbeat.

1749
01:34:30,040 --> 01:34:34,880
No service accounts in local administrators unless documented necessity.

1750
01:34:34,880 --> 01:34:37,080
No domain admins outside tier.

1751
01:34:37,080 --> 01:34:38,080
Ever.

1752
01:34:38,080 --> 01:34:41,000
Separation is not politics, it is physics.

1753
01:34:41,000 --> 01:34:43,760
Network segmentation is gravity's architecture.

1754
01:34:43,760 --> 01:34:47,480
East-West traffic should meet walls that ask why.

1755
01:34:47,480 --> 01:34:51,640
Workstations should not speak WinRM to servers by default.

1756
01:34:51,640 --> 01:34:55,200
Servers should not speak RDP to domain controllers.

1757
01:34:55,200 --> 01:35:00,080
Management subnets should be the only place where beams cross with privilege.

1758
01:35:00,080 --> 01:35:05,680
When a single workstation can RDP across 10 subnets, the map is negligent.

1759
01:35:05,680 --> 01:35:10,880
When only PAWs on a management VLAN can reach Tier 0, the curvature is intentional.

1760
01:35:10,880 --> 01:35:13,720
The controls become mirrors.

1761
01:35:13,720 --> 01:35:17,560
Credential Guard reduces the value of what can be moved.

1762
01:35:17,560 --> 01:35:21,680
Protected Users refuse fossil dialects that enable reflection.

1763
01:35:21,680 --> 01:35:27,000
Remote Credential Guard for RDP prevents credentials from landing on the destination.

1764
01:35:27,000 --> 01:35:30,600
With those mirrors, beams carry light without spilling heat.

1765
01:35:30,600 --> 01:35:35,480
Without them, every hop is a chance to shed a token you never meant to leave behind.

1766
01:35:35,480 --> 01:35:37,120
We police the edges.

1767
01:35:37,120 --> 01:35:43,320
The firewall rules deny any-to-any reflexes; only management servers may WinRM.

1768
01:35:43,320 --> 01:35:47,000
Only jump hosts may initiate RDP into tier 1.

1769
01:35:47,000 --> 01:35:52,640
Only specific service accounts may access admin shares and only from named hosts.

1770
01:35:52,640 --> 01:35:54,840
These are not comfort constraints.

1771
01:35:54,840 --> 01:35:58,680
They are the difference between a lattice and a net.

1772
01:35:58,680 --> 01:36:01,560
Detection turns motion into music.

1773
01:36:01,560 --> 01:36:05,880
Watch 4624 logon type 3 and 10 from sources that do not belong.

1774
01:36:05,880 --> 01:36:09,760
Watch 4672 privileged logons outside ritual.

1775
01:36:09,760 --> 01:36:13,480
Pair with Sysmon event 1 for process trees that begin with PowerShell.

1776
01:36:13,480 --> 01:36:17,880
exe, PsExec-like binaries or WMIC.

1777
01:36:17,880 --> 01:36:23,000
exe creating child processes on remote hosts.

1778
01:36:23,000 --> 01:36:30,000
Event 11 for file writes into C:\Windows, Logs, Temp and System32 from remote sessions.

1779
01:36:30,000 --> 01:36:34,600
Correlate with 4769 spikes for sensitive SPNs from new callers.

1780
01:36:34,600 --> 01:36:37,240
Order appears when patterns overlap.

1781
01:36:37,240 --> 01:36:39,800
Lab echo low chime.

1782
01:36:39,800 --> 01:36:47,000
Event 4672 privileged logon on SQL-FIN from WS-217 at 0211.

1783
01:36:47,000 --> 01:36:48,480
Bass pulse.

1784
01:36:48,480 --> 01:36:52,440
Sysmon 1, PowerShell.exe to winrs.

1785
01:36:52,440 --> 01:36:56,600
exe chain detected, command line length anomalous.

1786
01:36:56,600 --> 01:36:58,840
The telescope sees the beam.

1787
01:36:58,840 --> 01:37:00,880
We make beams conditional.

1788
01:37:00,880 --> 01:37:05,480
Just-in-time admin grants rights for minutes, not months.

1789
01:37:05,480 --> 01:37:09,040
JEA defines verbs per role, not per person.

1790
01:37:09,040 --> 01:37:14,440
Session recording, where lawful, turns privilege into accountable light.

1791
01:37:14,440 --> 01:37:20,520
PAM tiers treat crossings as ceremonies with approvals, not drive-bys.

1792
01:37:20,520 --> 01:37:25,880
When rights decay by default, momentum slows. Humans will still ask for shortcuts.

1793
01:37:25,880 --> 01:37:28,400
Just let me RDP from my laptop.

1794
01:37:28,400 --> 01:37:34,560
Just add me to local administrators everywhere.

1795
01:37:34,560 --> 01:37:37,760
Every just is a gravity well forming.

1796
01:37:37,760 --> 01:37:40,160
We say no and we offer a path.

1797
01:37:40,160 --> 01:37:41,160
Pause.

1798
01:37:41,160 --> 01:37:44,800
Jump hosts, scripted runbooks, delegated tools.

1799
01:37:44,800 --> 01:37:48,320
We replace convenience with velocity that does not bend the sky.

1800
01:37:48,320 --> 01:37:51,040
Finally, we starve forgotten beams.

1801
01:37:51,040 --> 01:37:56,120
Disable the print spooler on servers that do not print so it cannot coerce.

1802
01:37:56,120 --> 01:38:01,440
No legacy management tools that traverse RPC without identity discipline.

1803
01:38:01,440 --> 01:38:05,680
Retire SMBv1 and refuse NTLM where Kerberos should speak.

1804
01:38:05,680 --> 01:38:07,680
Each closure narrows the graph.

1805
01:38:07,680 --> 01:38:09,200
Low chime.

1806
01:38:09,200 --> 01:38:11,560
RDP restricted to jump hosts.

1807
01:38:11,560 --> 01:38:13,040
Bass pulse fades.

1808
01:38:13,040 --> 01:38:14,760
SMB signing enforced.

1809
01:38:14,760 --> 01:38:16,360
NTLM declines.

1810
01:38:16,360 --> 01:38:18,800
The beams remain but they obey.

1811
01:38:18,800 --> 01:38:22,320
Lateral movement is inevitable when the map invites it.

1812
01:38:22,320 --> 01:38:24,080
Our task is not to fear motion.

1813
01:38:24,080 --> 01:38:30,280
Our task is to shape it, measure it and decide where light may travel.

1814
01:38:30,280 --> 01:38:33,240
Persistence, writing your name into time.

1815
01:38:33,240 --> 01:38:36,960
Persistence is not noise, it is inscription.

1816
01:38:36,960 --> 01:38:42,760
After the first crossing an intruder does not seek speed, they seek continuity.

1817
01:38:42,760 --> 01:38:48,720
A foothold becomes a signature that survives reboots, patches and forgetfulness.

1818
01:38:48,720 --> 01:38:52,520
They do not need fireworks, they need routine.

1819
01:38:52,520 --> 01:38:55,680
Scheduled tasks are handwriting disguised as maintenance.

1820
01:38:55,680 --> 01:39:02,000
A benign name, Update, Telemetry, OneDrive Sync Agent, Windows Health, set to run at

1821
01:39:02,000 --> 01:39:04,600
0211 with highest privileges.

1822
01:39:04,600 --> 01:39:10,960
The binary lives in a quiet directory with a timestamp borrowed from yesterday.

1823
01:39:10,960 --> 01:39:16,160
Triggers hide behind idle conditions, event-based starts or logon hooks.

1824
01:39:16,160 --> 01:39:19,880
On each sunrise the task awakens and reasserts presence.

1825
01:39:19,880 --> 01:39:25,940
We counter by turning routine into signal: baseline known tasks, alert on new ones with

1826
01:39:25,940 --> 01:39:32,120
elevated principals and require dual control for any task that runs as a service account.

1827
01:39:32,120 --> 01:39:34,560
Services are stone tablets.

1828
01:39:34,560 --> 01:39:39,120
CreateService is ceremony, the OS obeys without sentiment.

1829
01:39:39,120 --> 01:39:45,600
A new service appears with start type automatic, delayed start, description matching corporate

1830
01:39:45,600 --> 01:39:51,680
cadence and a binary nestled under ProgramData or a vendor-like path.

1831
01:39:51,680 --> 01:39:58,800
If the DACL permits, the attacker can later repair the service to point at a fresh payload.

1832
01:39:58,800 --> 01:40:05,800
Our gravity denies service creation to ordinary admins through policy, watch for event 7045,

1833
01:40:05,800 --> 01:40:11,480
a service was installed, and pair with Sysmon event 1 for the parent process.

1834
01:40:11,480 --> 01:40:16,800
On servers, restrict the service logon right to documented identities.

1835
01:40:16,800 --> 01:40:22,560
If a service must exist, its binary must be write-protected and signed.

1836
01:40:22,560 --> 01:40:26,120
Run keys and startup folders are dust motes that carry light.

1837
01:40:26,120 --> 01:40:34,440
HKLM\Software\Microsoft\Windows\CurrentVersion\Run and RunOnce, and their per-user

1838
01:40:34,440 --> 01:40:38,080
counterparts resurrect executables at logon.

1839
01:40:38,080 --> 01:40:42,800
WMI permanent event consumers create a ghost pipeline.

1840
01:40:42,800 --> 01:40:47,760
When a system event fires, a script runs with the identity of the WMI service.

1841
01:40:47,760 --> 01:40:50,600
These are quiet, resilient and often ignored.

1842
01:40:50,600 --> 01:40:57,960
Defense is cartography: inventory autoruns, block unknown binaries via WDAC or AppLocker,

1843
01:40:57,960 --> 01:41:05,680
monitor WMI subscriptions with PowerShell logging and event logs for 5861 and 5860, and treat any

1844
01:41:05,680 --> 01:41:11,560
unsigned executable in run paths as a siren, not a curiosity.

1845
01:41:11,560 --> 01:41:16,440
COM hijacking and DLL search order abuse are edits to the dictionary.

1846
01:41:16,440 --> 01:41:21,200
The system looks for meaning and finds an imposter first, a registry key that redirects

1847
01:41:21,200 --> 01:41:28,040
a class to a malicious DLL, a path that points to a writable directory before system folders.

1848
01:41:28,040 --> 01:41:34,760
The physics is old, resolution prefers proximity. We enforce explicit paths, remove write access

1849
01:41:34,760 --> 01:41:42,160
near lookup paths and instrument image loads, Sysmon event 7, to call out unexpected modules

1850
01:41:42,160 --> 01:41:44,760
in high privilege hosts.

1851
01:41:44,760 --> 01:41:50,400
On PAWs and servers, application control refuses modules without pedigree. Credentials

1852
01:41:50,400 --> 01:41:52,000
can be made to linger.

1853
01:41:52,000 --> 01:41:56,000
Golden and silver tickets are not magic, they are forged memory.

1854
01:41:56,000 --> 01:42:00,840
A golden ticket claims the right to mint access as the KDC would.

1855
01:42:00,840 --> 01:42:06,480
A silver ticket claims service access by pretending to be the service, both exploit secrets

1856
01:42:06,480 --> 01:42:09,520
held too long or reset without ceremony.

1857
01:42:09,520 --> 01:42:15,920
Our counter force is time, rotate KRBTGT twice in sequence after compromise or on a cadence

1858
01:42:15,920 --> 01:42:19,400
to invalidate forged TGTs bound to old keys.

1859
01:42:19,400 --> 01:42:24,920
Reissue service keys by rotating gMSAs and long passwords, reduce ticket lifetimes for

1860
01:42:24,920 --> 01:42:29,280
critical identities so stolen light decays quickly.

1861
01:42:29,280 --> 01:42:32,840
Built-in groups tell stories in memberships.

1862
01:42:32,840 --> 01:42:37,320
Persistence often looks like a quiet addition to a group that nobody audits.

1863
01:42:37,320 --> 01:42:42,320
Account operators, backup operators, print operators, a forgotten local administrators

1864
01:42:42,320 --> 01:42:44,520
group on a management server.

1865
01:42:44,520 --> 01:42:47,400
The name does not matter, the effective rights do.

1866
01:42:47,400 --> 01:42:57,360
We enforce attestations for privileged groups monthly, alert on 4728, 4729, 4732 and 4733

1867
01:42:57,360 --> 01:43:03,040
outside change windows and adopt shadow admin detection by enumerating who can write service

1868
01:43:03,040 --> 01:43:07,320
accounts, reset passwords or link GPOs.

1869
01:43:07,320 --> 01:43:13,400
When privilege is implied rather than named, gravity still bends. GPO is law encoded.

1870
01:43:13,400 --> 01:43:19,440
A malicious link at the OU level can deploy a start-up script, a scheduled task, a registry

1871
01:43:19,440 --> 01:43:22,120
tweak that reopens a door.

1872
01:43:22,120 --> 01:43:25,280
Because law replicates, persistence scales.

1873
01:43:25,280 --> 01:43:27,800
We respond with ceremony.

1874
01:43:27,800 --> 01:43:33,080
Only tier administrators can link GPOs that affect tier and tier objects, change control

1875
01:43:33,080 --> 01:43:36,560
binds every link with a ticket.

1876
01:43:36,560 --> 01:43:43,880
Events 5136 and 4739 are forwarded and correlated, and Authenticated Users write permissions

1877
01:43:43,880 --> 01:43:47,120
on GPOs are stripped to the minimum.

1878
01:43:47,120 --> 01:43:50,720
If SYSVOL bears a foreign file, drift detection shouts.

1879
01:43:50,720 --> 01:43:58,680
Lab echo, low chime: event 7045, new service, Windows Health Telemetry, installed on APP-

1880
01:43:58,680 --> 01:44:06,060
ledger. Bass pulse: Sysmon 1, parent process winword.exe via COM Surrogate. The inscription

1881
01:44:06,060 --> 01:44:11,720
tries to hide in routine. Persistence also lives in accounts: a new user with a name that

1882
01:44:11,720 --> 01:44:18,320
imitates a vendor, a service account created for backup with rights that include DCSync.

1883
01:44:18,320 --> 01:44:23,040
The attacker does not need a web shell if they own a credential with no expiry.

1884
01:44:23,040 --> 01:44:26,880
We answer with hygiene, no account without an owner.

1885
01:44:26,880 --> 01:44:35,320
Expiration dates on all emergency access identities, 4720, 4722, 4738 alerts for creations

1886
01:44:35,320 --> 01:44:42,760
and re-enables, and password policies that force rotation and deny password never expires.

1887
01:44:42,760 --> 01:44:45,360
Certificates can be dispensed that write outside policy.

1888
01:44:45,360 --> 01:44:51,600
In ADCS, a misconfigured template allows anyone with enrollment rights to request a certificate

1889
01:44:51,600 --> 01:44:55,720
with an alternate UPN or EKU that grants smart card logon.

1890
01:44:55,720 --> 01:45:00,760
That certificate becomes a renewable identity with lifetimes measured in years.

1891
01:45:00,760 --> 01:45:07,600
We enforce template hygiene, restrict enrollment, require manager approval, deny sign control

1892
01:45:07,600 --> 01:45:13,640
to non-issuers, log CA requests, and audit for ESC-class templates.

1893
01:45:13,640 --> 01:45:19,560
If persistence hides in PKI, revocation and template lockdown are the eraser. When evicting,

1894
01:45:19,560 --> 01:45:25,520
we move with order: quarantine hosts where persistence roots, disable suspicious services

1895
01:45:25,520 --> 01:45:31,640
but capture state, export scheduled tasks and auto runs for timeline, rotate secrets

1896
01:45:31,640 --> 01:45:41,200
in blast radius order, service accounts first, then admin groups, then KRBTGT in dual rotation,

1897
01:45:41,200 --> 01:45:47,640
rebuild systems that touch the core rather than trusting cleansing rituals.

1898
01:45:47,640 --> 01:45:49,640
Persistence survives half measures.

1899
01:45:49,640 --> 01:45:51,320
The observer speaks.

1900
01:45:51,320 --> 01:45:52,560
I am the fabric.

1901
01:45:52,560 --> 01:45:56,160
I remember every inscription until you decide to erase.

1902
01:45:56,160 --> 01:46:00,560
When you turn routine into signal, signatures cannot hide as chores.

1903
01:46:00,560 --> 01:46:06,320
When you bind law to ceremony, drift stops pretending to be maintenance. Low chime:

1904
01:46:06,320 --> 01:46:10,360
7045 storm suppressed, 4728 outside window denied.

1905
01:46:10,360 --> 01:46:12,240
The name fades from time.

1906
01:46:12,240 --> 01:46:14,240
The orbit holds.

1907
01:46:14,240 --> 01:46:15,840
Detection and response.

1908
01:46:15,840 --> 01:46:17,960
Listening to the fabric.

1909
01:46:17,960 --> 01:46:19,640
Detection is not a spotlight.

1910
01:46:19,640 --> 01:46:20,640
It is astronomy.

1911
01:46:20,640 --> 01:46:22,280
We do not see the attacker.

1912
01:46:22,280 --> 01:46:25,080
We see the curve their movement leaves on the field.

1913
01:46:25,080 --> 01:46:28,120
We begin with the native constellations.

1914
01:46:28,120 --> 01:46:30,760
Security logs speak a quiet grammar.

1915
01:46:30,760 --> 01:46:34,720
4768 when a TGT is minted.

1916
01:46:34,720 --> 01:46:38,880
4769 when a TGS is issued.

1917
01:46:38,880 --> 01:46:42,760
4776 when NTLM breathes.

1918
01:46:42,760 --> 01:46:46,560
4672 when privilege enters the room.

1919
01:46:46,560 --> 01:46:48,360
None of these alone means collapse.

1920
01:46:48,360 --> 01:46:49,680
Together they sketch a path.

1921
01:46:49,680 --> 01:46:53,800
We teach the SIEM to read sentences, not words.

1922
01:46:53,800 --> 01:46:58,440
Event 4769 clustered by SPN reveals hunger.

1923
01:46:58,440 --> 01:47:06,640
When a quiet SPN, CIFS on a finance host, MSSQLSvc on a ledger, suddenly attracts tickets from

1924
01:47:06,640 --> 01:47:09,040
unfamiliar callers we do not wait.

1925
01:47:09,040 --> 01:47:10,480
We check the source subnets.

1926
01:47:10,480 --> 01:47:11,960
We check the callers history.

1927
01:47:11,960 --> 01:47:14,840
We verify the hour against maintenance calendars.

1928
01:47:14,840 --> 01:47:17,000
Drift forms first as curiosity.

1929
01:47:17,000 --> 01:47:20,360
Curiosity at 0211 is almost never maintenance.

1930
01:47:20,360 --> 01:47:23,160
Event 4672 is gravity in a bell.

1931
01:47:23,160 --> 01:47:26,920
A privileged logon outside ritual is a page, not a report.

1932
01:47:26,920 --> 01:47:28,360
We map allowed windows.

1933
01:47:28,360 --> 01:47:30,320
We tie privilege to change tickets.

1934
01:47:30,320 --> 01:47:36,240
When 4672 fires without a correlating ticket ID in the message field, we do not debate.

1935
01:47:36,240 --> 01:47:37,560
We dispatch.

1936
01:47:37,560 --> 01:47:39,440
False positives are training.

1937
01:47:39,440 --> 01:47:40,960
Silence is decay.

1938
01:47:40,960 --> 01:47:46,680
Directory access 4662 with DS-Replication-Get-Changes or DS-Replication-Get-Changes-All

1939
01:47:46,680 --> 01:47:48,440
is not a suggestion.

1940
01:47:48,440 --> 01:47:50,440
It is a gravitational wave.

1941
01:47:50,440 --> 01:47:54,640
DCSync is power that should be rare, explicit and noisy.

1942
01:47:54,640 --> 01:47:56,920
We baseline which identities can perform it.

1943
01:47:56,920 --> 01:47:59,360
We send 4662 to a special channel.

1944
01:47:59,360 --> 01:48:02,960
We alert on first use by any identity per quarter.

1945
01:48:02,960 --> 01:48:05,800
Routine that writes keys should not be routine.

1946
01:48:05,800 --> 01:48:11,760
Group changes 4728, 4732, 4729, 4733 are tides.

1947
01:48:11,760 --> 01:48:13,360
Admin groups swell in incidents.

1948
01:48:13,360 --> 01:48:15,720
We do not read names alone.

1949
01:48:15,720 --> 01:48:18,200
We map effective reach.

1950
01:48:18,200 --> 01:48:25,200
A new member of backup operators on a management server might be a back door to domain reality.

1951
01:48:25,200 --> 01:48:28,680
SIEM logic calculates shadow admin paths.

1952
01:48:28,680 --> 01:48:30,400
Who can reset whom?

1953
01:48:30,400 --> 01:48:32,280
Who can set SPNs?

1954
01:48:32,280 --> 01:48:36,760
Who can link GPOs? It raises the alarm when the graph changes shape.

1955
01:48:36,760 --> 01:48:39,680
Sysmon is starlight at higher resolution.

1956
01:48:39,680 --> 01:48:42,320
Event 10 is a hand reaching for LSASS.

1957
01:48:42,320 --> 01:48:46,880
We feed it into a model that understands normal tooling on each host.

1958
01:48:46,880 --> 01:48:48,200
Security products will probe.

1959
01:48:48,200 --> 01:48:49,200
Attackers will probe.

1960
01:48:49,200 --> 01:48:50,960
The difference is ancestry.

1961
01:48:50,960 --> 01:48:53,320
Pair event 10 with event 1.

1962
01:48:53,320 --> 01:48:55,560
WinWord spawning an accessor is wrong.

1963
01:48:55,560 --> 01:49:00,760
A signed EDR process doing so within its known schedule is expected.

1964
01:49:00,760 --> 01:49:05,360
Event 3 draws beams, RDP, SMB, WMI, between nodes.

1965
01:49:05,360 --> 01:49:12,520
We build allow lists for beams that should exist and treat new lines as weather warnings.

1966
01:49:12,520 --> 01:49:17,120
Event 7 catches foreign DLLs joining trusted processes.

1967
01:49:17,120 --> 01:49:20,960
On domain controllers and PAWs this becomes a siren.

1968
01:49:20,960 --> 01:49:22,120
Telemetry must speak in chords.

1969
01:49:22,120 --> 01:49:24,760
A single 4769 spike is interesting.

1970
01:49:24,760 --> 01:49:32,140
A 4769 spike plus Sysmon 3 from a workstation to that SPN plus 4672 on the destination is gravity

1971
01:49:32,140 --> 01:49:33,140
failure.

1972
01:49:33,140 --> 01:49:34,600
We encode that.

1973
01:49:34,600 --> 01:49:39,920
Our SIEM hunts across time windows looking for proximity in minutes, not days.

1974
01:49:39,920 --> 01:49:43,120
The earlier we hear harmony, the sooner we can cut the song.

1975
01:49:43,120 --> 01:49:45,800
The telescope extends with XDR.

1976
01:49:45,800 --> 01:49:48,080
Endpoint intelligence can label intent.

1977
01:49:48,080 --> 01:49:53,560
Credential theft, likelihood, lateral movement, confidence, persistence, probability.

1978
01:49:53,560 --> 01:49:55,240
We do not surrender judgment.

1979
01:49:55,240 --> 01:50:01,800
We layer human habit on machine score. A high-probability Event 10 on a legacy host with

1980
01:50:01,800 --> 01:50:07,280
LSA protection disabled is louder than the same event on a lab with a known tester.

1981
01:50:07,280 --> 01:50:15,240
We tag hosts by cohort, tier, patch age, legacy constraints, and the model weights accordingly.

1982
01:50:15,240 --> 01:50:17,640
Lab echo, low chime.

1983
01:50:17,640 --> 01:50:28,400
Final cluster, 4769 spike on MSSQL, ledger01, Sysmon 3 from WS-2 wasvincene, 4672

1984
01:50:28,400 --> 01:50:30,960
on SQL-FIN without ticket.

1985
01:50:30,960 --> 01:50:36,280
Base pulse, confidence 0.87, lateral escalation in progress.

1986
01:50:36,280 --> 01:50:39,240
The map animates.

1987
01:50:39,240 --> 01:50:43,240
Response begins with containment shaped like physics, not panic.

1988
01:50:43,240 --> 01:50:49,000
We quarantine by blast radius, the host that originated the suspicious beam, the destination

1989
01:50:49,000 --> 01:50:54,760
that accepted privilege, and any intermediary with shared admin secrets.

1990
01:50:54,760 --> 01:50:56,160
Quarantine is not a guess.

1991
01:50:56,160 --> 01:51:00,040
It is a playbook per tier with business owners already listed.

1992
01:51:00,040 --> 01:51:02,840
We notify humans using language they own.

1993
01:51:02,840 --> 01:51:07,600
Your server is in protective isolation for a probable credential event.

1994
01:51:07,600 --> 01:51:09,840
Estimated disruption, 20 minutes.

1995
01:51:09,840 --> 01:51:13,080
Rollback path, restart service X post release.

1996
01:51:13,080 --> 01:51:14,840
We revoke what was minted.

1997
01:51:14,840 --> 01:51:20,360
Kerberos tokens can be curtailed by log off or ticket purge on endpoints and when needed

1998
01:51:20,360 --> 01:51:26,800
by disabling the account at the directory and forcing reauthentication across the field.

1999
01:51:26,800 --> 01:51:30,040
For NTLM pressure, we close channels.

2000
01:51:30,040 --> 01:51:37,120
Block relay paths by enforcing SMB signing, raise LDAP channel binding and disable the

2001
01:51:37,120 --> 01:51:41,240
print spooler reflex on servers that should never coerce.

2002
01:51:41,240 --> 01:51:48,360
We prefer surgical moves, deny a firewall rule, block a source, before global toggles

2003
01:51:48,360 --> 01:51:50,200
that turn business into noise.

2004
01:51:50,200 --> 01:51:53,440
We sequence secret resets.

2005
01:51:53,440 --> 01:51:59,320
Service accounts first, especially those with SPNs tied to sensitive services, then admins

2006
01:51:59,320 --> 01:52:01,560
who touched the suspected nodes.

2007
01:52:01,560 --> 01:52:06,240
Then, if we see 4662 for replication or evidence of directory theft, we plan

2008
01:52:06,240 --> 01:52:12,400
the KRBTGT rotation twice, timed with replication health checks.

2009
01:52:12,400 --> 01:52:14,160
Rotation without health is drift.

2010
01:52:14,160 --> 01:52:16,320
We keep a checklist.

2011
01:52:16,320 --> 01:52:21,800
Replication state, DC health, ticket lifetimes, two rotations spaced by ticket max lifetime

2012
01:52:21,800 --> 01:52:25,720
confirm no lingering TGTs, verify client trust.

2013
01:52:25,720 --> 01:52:28,680
We hunt persistence while the room is quieted.

2014
01:52:28,680 --> 01:52:36,160
We collect autoruns, scheduled tasks, recent services, new local admins, WMI subscriptions,

2015
01:52:36,160 --> 01:52:44,360
we capture volatile artifacts, memory, if lawful, active connections, unusual handles, and

2016
01:52:44,360 --> 01:52:50,280
we tag what is found with a case ID so future alerts join the same constellation.

2017
01:52:50,280 --> 01:52:53,400
If the host touched tier zero, we rebuild.

2018
01:52:53,400 --> 01:52:56,480
Cleansing rituals are for edges, not the core.

2019
01:52:56,480 --> 01:52:58,400
Communication is oxygen.

2020
01:52:58,400 --> 01:53:04,600
We keep leadership close with truths, not theatre, incident stage, affected scope, confidence

2021
01:53:04,600 --> 01:53:07,840
levels, estimated impact, next decision.

2022
01:53:07,840 --> 01:53:14,560
We time-bound decisions: contain within minutes, reset within hours, rebuild within days.

2023
01:53:14,560 --> 01:53:15,960
We mark the horizon.

2024
01:53:15,960 --> 01:53:21,080
If exocurs we escalate to forest recovery steps, the plan exists before the need.

2025
01:53:21,080 --> 01:53:24,080
The observer speaks, I am the fabric, I will not scream.

2026
01:53:24,080 --> 01:53:27,320
I will whisper, then hum, then shudder.

2027
01:53:27,320 --> 01:53:30,200
If you listen early, containment is a conversation.

2028
01:53:30,200 --> 01:53:32,640
If you wait, it becomes gravity.

2029
01:53:32,640 --> 01:53:34,400
Low chime.

2030
01:53:34,400 --> 01:53:41,000
Stability is suppressed, tokens purged, 4769 returns to baseline.

2031
01:53:41,000 --> 01:53:47,200
Base pulse recedes, the orbit holds because listening preceded action.

2032
01:53:47,200 --> 01:53:52,000
While building a stable orbit, stability is not stasis, it is motion bound by law.

2033
01:53:52,000 --> 01:53:57,360
We will codify law into baselines that behave like a physics engine, tiered administration

2034
01:53:57,360 --> 01:54:01,880
and privileged access workstations that separate mass.

2035
01:54:01,880 --> 01:54:07,200
LSA protection, Credential Guard and SMB signing that harden boundaries.

2036
01:54:07,200 --> 01:54:12,280
NTLM confined to glass cases with channel binding and allow lists.

2037
01:54:12,280 --> 01:54:19,640
Kerberos governed by disciplined delegation, SPN hygiene, PAC validation and KRBTGT

2038
01:54:19,640 --> 01:54:22,240
rotation as ritual.

2039
01:54:22,240 --> 01:54:28,920
We will make operations a metronome, patch cadence with cohorts, exception sunsets and

2040
01:54:28,920 --> 01:54:32,080
dashboards that show time where it slows.

2041
01:54:32,080 --> 01:54:38,040
Backups that are real because restores succeed in labs and forests recover on schedule.

2042
01:54:38,040 --> 01:54:41,440
Drills that turn fear into competence.

2043
01:54:41,440 --> 01:54:44,800
We will define governance that refuses drift.

2044
01:54:44,800 --> 01:54:50,360
Owners for every service principal, rotations as calendars, GPO as ceremony, monitoring

2045
01:54:50,360 --> 01:54:54,680
as music and detections tuned to chords rather than single notes.

2046
01:54:54,680 --> 01:54:55,680
Low chime.

2047
01:54:55,680 --> 01:54:56,880
The map still holds.

2048
01:54:56,880 --> 01:54:58,880
We are not seeking perfection.

2049
01:54:58,880 --> 01:55:05,360
We are choosing orbit. The baseline: laws of your universe. Law is not flair, it is gravity

2050
01:55:05,360 --> 01:55:06,360
you can trust.

2051
01:55:06,360 --> 01:55:09,520
We begin with boundaries.

2052
01:55:09,520 --> 01:55:14,200
Tiered administration is not a chart, it is distance.

2053
01:55:14,200 --> 01:55:23,760
Tier zero governs identity itself: domain controllers, forest root, PKI, AAD Connect, identity orchestration.

2054
01:55:23,760 --> 01:55:31,640
Tier one sustains enterprise services, application servers, SQL, file and print where permitted.

2055
01:55:31,640 --> 01:55:35,240
Tier two hosts people, workstations, VDI pools.

2056
01:55:35,240 --> 01:55:38,520
We refuse crossings except through sanctioned gates.

2057
01:55:38,520 --> 01:55:40,520
A tier two device never reaches tier zero.

2058
01:55:40,520 --> 01:55:44,760
A tier one admin never holds standing rights in tier zero.

2059
01:55:44,760 --> 01:55:47,520
Distance becomes safety.

2060
01:55:47,520 --> 01:55:49,400
Privileged access

2061
01:55:49,400 --> 01:55:52,880
workstations are vessels built to resist heat.

2062
01:55:52,880 --> 01:55:56,280
They serve one purpose: to administer tier zero or tier one safely.

2063
01:55:56,280 --> 01:55:59,840
No email, no browsing, no plugins.

2064
01:55:59,840 --> 01:56:01,040
Application control on.

2065
01:56:01,040 --> 01:56:03,800
Attack surface reduced.

2066
01:56:03,800 --> 01:56:07,200
Credential guard and LSA protection enabled.

2067
01:56:07,200 --> 01:56:11,400
Remote credential guard for RDP so secrets do not land on destinations.

2068
01:56:11,400 --> 01:56:15,600
If an admin must touch the core, this is the only ship allowed to approach.

2069
01:56:15,600 --> 01:56:19,160
We encode posture in baselines, not folklore.

2070
01:56:19,160 --> 01:56:21,840
Group policy becomes the constitution.

2071
01:56:21,840 --> 01:56:32,600
For tier zero and PAWs, we enforce LSA protection, RunAsPPL, so LSASS is not a casual library.

2072
01:56:32,600 --> 01:56:35,960
Credential guard to lift secrets out of ordinary memory.

2073
01:56:35,960 --> 01:56:40,240
SMB signing always so relays cannot mimic proximity.

2074
01:56:40,240 --> 01:56:43,080
LDAP channel binding required.

2075
01:56:43,080 --> 01:56:46,160
NTLMv1 and LM disabled.

2076
01:56:46,160 --> 01:56:50,480
NTLM auditing turned on to light the caves we still carry.

2077
01:56:50,480 --> 01:56:52,080
Kerberos hardening.

2078
01:56:52,080 --> 01:56:53,080
FAST

2079
01:56:53,080 --> 01:56:54,080
where supported.

2080
01:56:54,080 --> 01:56:55,080
PAC

2081
01:56:55,080 --> 01:56:57,720
validation for sensitive services.

2082
01:56:57,720 --> 01:57:02,880
Constrained or resource-based delegation only by exception with CAB approval.

2083
01:57:02,880 --> 01:57:05,720
Print spoolers stopped on servers that do not print.

2084
01:57:05,720 --> 01:57:07,960
On DCs always stopped.

2085
01:57:07,960 --> 01:57:10,760
WDigest disabled.

2088
01:57:10,760 --> 01:57:15,000
Restricted admin mode for RDP considered where feasible.

2089
01:57:15,000 --> 01:57:16,880
Remote UAC enabled.

2090
01:57:16,880 --> 01:57:22,200
So local admin tokens do not cross privilege boundaries without intent.

2091
01:57:22,200 --> 01:57:24,720
Identity becomes ceremony.

2092
01:57:24,720 --> 01:57:27,440
Administrative roles are tools, not personas.

2093
01:57:27,440 --> 01:57:29,040
We carry separate accounts.

2094
01:57:29,040 --> 01:57:35,320
A human identity for daily work, scoped admin identities per tier, and break glass accounts,

2095
01:57:35,320 --> 01:57:40,960
sealed with hardware factors and offline procedures tested in drills.

2096
01:57:40,960 --> 01:57:44,080
Protected users for those who should never speak fossil dialects.

2097
01:57:44,080 --> 01:57:50,200
MFA at the first gate where identity is minted, not the last gate where damage is done.

2098
01:57:50,200 --> 01:57:52,560
Service accounts are vessels with ownership.

2099
01:57:52,560 --> 01:57:55,200
We default to managed service accounts.

2100
01:57:55,200 --> 01:57:58,880
sMSA for single host, gMSA for farms.

2101
01:57:58,880 --> 01:58:01,400
to rotate keys as heartbeat.

2102
01:58:01,400 --> 01:58:02,920
Where not possible,

2103
01:58:02,920 --> 01:58:05,680
secrets are long and scheduled to change.

2104
01:58:05,680 --> 01:58:07,480
Rotation is scripted and logged.

2105
01:58:07,480 --> 01:58:10,960
Deny interactive logon to all service principals.

2106
01:58:10,960 --> 01:58:15,040
Deny RDP, deny logon locally.

2107
01:58:15,040 --> 01:58:18,200
Scope logon as a service to exact hosts.

2108
01:58:18,200 --> 01:58:20,400
SPN rights are rare.

2109
01:58:20,400 --> 01:58:27,360
Assigned via a change request, reviewed quarterly, and removed when a workload retires.

2110
01:58:27,360 --> 01:58:32,040
Delegation lives under constraint with precision, resource-based where possible.

2111
01:58:32,040 --> 01:58:37,480
Target lists exact, never wildcards, never CIFS, those.

2112
01:58:37,480 --> 01:58:39,600
We keep software finite.

2113
01:58:39,600 --> 01:58:43,680
Network images for workstations and servers reduce novelty.

2114
01:58:43,680 --> 01:58:44,920
Application control.

2115
01:58:44,920 --> 01:58:49,760
WDAC or AppLocker on PAWs, domain controllers and tier zero systems,

2116
01:58:49,760 --> 01:58:51,160
so only signed,

2117
01:58:51,160 --> 01:58:52,680
known binaries execute.

2118
01:58:52,680 --> 01:58:58,400
PowerShell runs with transcription and constrained language on endpoints where risk warrants.

2119
01:58:58,400 --> 01:59:02,080
On PAWs it remains full power with logging that sings.

2120
01:59:02,080 --> 01:59:06,440
Sysmon deployed with a curated rule set to lift process ancestry.

2121
01:59:06,440 --> 01:59:12,600
PowerShell writes, network lines and module loads into language the SIEM can read.

2122
01:59:12,600 --> 01:59:13,600
We do not drown.

2123
01:59:13,600 --> 01:59:16,320
We teach the telescope which stars matter.

2124
01:59:16,320 --> 01:59:18,520
Network is architecture, not water.

2125
01:59:18,520 --> 01:59:22,240
East, west is segmented to reflect tiers.

2126
01:59:22,240 --> 01:59:26,600
Workstations do not WinRM into servers by default.

2127
01:59:26,600 --> 01:59:29,240
Servers do not RDP into controllers.

2128
01:59:29,240 --> 01:59:33,480
Only jump hosts on a management VLAN may cross with privilege.

2129
01:59:33,480 --> 01:59:38,040
Firewall baselines deny by default, allow by purpose.

2130
01:59:38,040 --> 01:59:45,880
SMB signing enforced, legacy protocols, SMBv1, unsigned RPC, retired.

2131
01:59:45,880 --> 01:59:52,760
Edge paths to legacy caves pass through inspection, application proxies that require modern authentication,

2132
01:59:52,760 --> 01:59:59,440
TLS termination with mutual trust and logging that records each crossing like a border stamp.

2133
01:59:59,440 --> 02:00:00,760
Time is law.

2134
02:00:00,760 --> 02:00:03,040
Patch cadence is a metronome.

2135
02:00:03,040 --> 02:00:09,080
Tiers of hosts patch in cohorts with dashboards that display age, exceptions and sunsets,

2136
02:00:09,080 --> 02:00:13,600
exceptions require owners, business justification and a date of death.

2137
02:00:13,600 --> 02:00:17,280
Technical debt measured in days, not feelings.

2138
02:00:17,280 --> 02:00:20,520
Legacy nodes that cannot comply move to isolation.

2139
02:00:20,520 --> 02:00:27,440
VLANs with sparse rules, no admin ingress except bastions, telemetry amplified.

2140
02:00:27,440 --> 02:00:33,000
Retirement aligns budget to gravity, reduce blast radius first, then eliminate mass.

2141
02:00:33,000 --> 02:00:36,000
Backups are not wishful, they are recoverable.

2142
02:00:36,000 --> 02:00:41,480
Domain controllers backup system state on rotation, forest recovery is rehearsed.

2143
02:00:41,480 --> 02:00:47,240
Authoritative restore practice, metadata cleanup, tombstone windows understood,

2144
02:00:47,240 --> 02:00:49,240
SYSVOL health verified.

2145
02:00:49,240 --> 02:00:55,000
A restored controller must be trusted by fresh clients without manual blessing.

2146
02:00:55,000 --> 02:00:59,080
Until that sentence is true, backups are theater.

2147
02:00:59,080 --> 02:01:06,960
KRBTGT rotation becomes ritual twice spaced by maximum ticket lifetime on a cadence and

2148
02:01:06,960 --> 02:01:09,600
again after compromise.

2149
02:01:09,600 --> 02:01:10,600
Certificates have owners.

2150
02:01:10,600 --> 02:01:16,400
ADCS templates are policed, enrollment rights are narrow, audit trails are forwarded

2151
02:01:16,400 --> 02:01:17,560
off the CA.

2152
02:01:17,560 --> 02:01:20,560
We set detection as constitutional music.

2153
02:01:20,560 --> 02:01:22,520
Security logs forward.

2154
02:01:22,520 --> 02:01:36,200
4768, 4769, 4672, 4662 for replication, 4728, 4732 group changes.

2155
02:01:36,200 --> 02:01:39,440
7045 service installs.

2156
02:01:39,440 --> 02:01:40,840
Sysmon sings.

2157
02:01:40,840 --> 02:01:47,960
One for process trees, three for beams, seven for modules, ten for LSASS access, eleven

2158
02:01:47,960 --> 02:01:50,960
for file placements in system paths.

2159
02:01:50,960 --> 02:01:58,480
SIEM correlation favors chords: privileged logon plus SPN spike plus new service equals

2160
02:01:58,480 --> 02:02:00,880
gravity failure.

2161
02:02:00,880 --> 02:02:05,400
Alerts map to playbooks with owners, timescales and business narratives.

2162
02:02:05,400 --> 02:02:08,280
Silence is the exception, not the plan.

2163
02:02:08,280 --> 02:02:12,920
Humans complete the orbit, change requires tickets, tickets carry context.

2164
02:02:12,920 --> 02:02:14,680
Context is preserved in logs.

2165
02:02:14,680 --> 02:02:18,920
CAB is not theater, it is friction that prevents heat.

2166
02:02:18,920 --> 02:02:20,600
Training speaks physics.

2167
02:02:20,600 --> 02:02:27,280
Why we refuse NTLM, why PAWs matter, why delegation is a lens.

2168
02:02:27,280 --> 02:02:29,840
Microdrills test one control monthly.

2169
02:02:29,840 --> 02:02:38,720
A blocked RDP from tier 2, a denied SPN right, a simulated 4662 DCSync alarm, culture becomes

2170
02:02:38,720 --> 02:02:40,040
memory.

2171
02:02:40,040 --> 02:02:41,640
Memory becomes reflex.

2172
02:02:41,640 --> 02:02:43,040
The observer speaks.

2173
02:02:43,040 --> 02:02:45,280
I am the universe you govern.

2174
02:02:45,280 --> 02:02:48,840
When law is encoded, drift must argue with code, not habit.

2175
02:02:48,840 --> 02:02:52,360
When ceremony meets privilege, gravity holds.

2176
02:02:52,360 --> 02:02:57,720
Low chime, the baseline is not glamour, it is survival, written as law.

2177
02:02:57,720 --> 02:02:59,000
Operational gravity.

2178
02:02:59,000 --> 02:03:01,600
Patching, backups, drills.

2179
02:03:01,600 --> 02:03:05,160
Operations is where law meets time.

2180
02:03:05,160 --> 02:03:09,560
Gravity without cadence decays, we set a metronome and refuse to argue with it.

2181
02:03:09,560 --> 02:03:12,880
Patching is not a task, it is orbital correction.

2182
02:03:12,880 --> 02:03:21,680
We group hosts into cohorts that reflect risk and blast radius, tier 0, tier 1, tier 2.

2183
02:03:21,680 --> 02:03:27,320
Each cohort patches on a predictable rhythm, monthly for the living, ad hoc for emergencies,

2184
02:03:27,320 --> 02:03:33,160
quarterly for legacy islands that cannot move faster, with dashboards that display age

2185
02:03:33,160 --> 02:03:35,400
like redshift.

2186
02:03:35,400 --> 02:03:41,680
Exceptions exist, but they are mortal, a justification, an owner, an expiration date embedded

2187
02:03:41,680 --> 02:03:42,680
in the ticket.

2188
02:03:42,680 --> 02:03:46,760
When the date arrives, the universe does not ask, it enforces.

2189
02:03:46,760 --> 02:03:49,160
We reduce panic by rehearsal.

2190
02:03:49,160 --> 02:03:54,680
Before patch Tuesday becomes patch reality, we stage in a lab that reflects production's

2191
02:03:54,680 --> 02:04:00,840
constellations, DCs, PAWs, representative application servers, a handful of workstations.

2192
02:04:00,840 --> 02:04:07,560
We snapshot, we apply, we test authentication, delegation and line of business flows.

2193
02:04:07,560 --> 02:04:12,640
If a patch bends Kerberos or breaks SMB signing, we learn it under safe

2194
02:04:12,640 --> 02:04:15,560
starlight, not during business dawn.

2195
02:04:15,560 --> 02:04:17,320
Canary rings follow.

2196
02:04:17,320 --> 02:04:22,880
10 machines per cohort observed for 24 hours, then the wave rolls.

2197
02:04:22,880 --> 02:04:25,240
Legacy is handled with physics, not hope.

2198
02:04:25,240 --> 02:04:31,120
When a system cannot absorb modern updates, we pin it to an isolation arc, dedicated VLAN,

2199
02:04:31,120 --> 02:04:38,160
minimal inbound, no outbound, except to named services, telemetry amplified.

2200
02:04:38,160 --> 02:04:45,480
We schedule compensating updates, drivers, middleware, agent refreshes, that reduce surface,

2201
02:04:45,480 --> 02:04:47,160
even if the OS sits still.

2202
02:04:47,160 --> 02:04:49,360
We clock the debt in days, the count is public.

2203
02:04:49,360 --> 02:04:51,120
Time shames drift.

2204
02:04:51,120 --> 02:04:53,160
Backups are memory with ritual.

2205
02:04:53,160 --> 02:04:56,640
Domain controllers carry system state like a black box.

2206
02:04:56,640 --> 02:05:01,360
We take it on schedule, daily or more for tier zero, and we send it off the ship.

2207
02:05:01,360 --> 02:05:06,960
Immutable storage with retention that matches regulatory gravity and recovery reality.

2208
02:05:06,960 --> 02:05:10,120
But a backup untested is a story, not truth.

2209
02:05:10,120 --> 02:05:12,840
We restore a DC in a lab every quarter.

2210
02:05:12,840 --> 02:05:18,320
We boot it clean, verify SYSVOL health, confirm replication, and watch a new client trust it

2211
02:05:18,320 --> 02:05:20,040
without manual blessing.

2212
02:05:20,040 --> 02:05:23,560
If any step requires a prayer, we fix the script.

2213
02:05:23,560 --> 02:05:26,000
Forest Recovery is choreography.

2214
02:05:26,000 --> 02:05:28,800
We keep a runbook that names each movement.

2215
02:05:28,800 --> 02:05:31,120
Isolate compromised DCs.

2216
02:05:31,120 --> 02:05:38,720
Seize FSMO roles to a trusted survivor, metadata cleanup to erase ghosts, build fresh DCs

2217
02:05:38,720 --> 02:05:45,000
from known good, signed media, restore system state if needed, reintroduce replication with

2218
02:05:45,000 --> 02:05:52,880
health checks, rotate KRBTGT twice, spaced by the maximum ticket lifetime, confirm client

2219
02:05:52,880 --> 02:05:54,520
logons at scale.

2220
02:05:54,520 --> 02:05:56,160
Names are attached to each step.

2221
02:05:56,160 --> 02:05:58,200
Phone numbers live on paper and offline.

2222
02:05:58,200 --> 02:06:01,840
We measure the rehearsal in minutes and hours, not anecdotes.

2223
02:06:01,840 --> 02:06:03,680
We backup more than controllers.

2224
02:06:03,680 --> 02:06:05,680
ADCS has its own heart.

2225
02:06:05,680 --> 02:06:08,960
CA database, private keys, templates, logs.

2226
02:06:08,960 --> 02:06:12,480
We export and protect them with the same reverence.

2227
02:06:12,480 --> 02:06:17,680
If certificates define who can enter the room, losing a CA is losing the door.

2228
02:06:17,680 --> 02:06:21,600
We also backup GPOs as objects and as files.

2229
02:06:21,600 --> 02:06:25,960
When law corrupts, we restore law, not guesswork.

2230
02:06:25,960 --> 02:06:30,120
And secrets tied to service accounts get their own vault backups.

2231
02:06:30,120 --> 02:06:34,440
Versioned, access logged, recoverable without "who remembers the password".

2232
02:06:34,440 --> 02:06:36,520
Drills turn fear into competence.

2233
02:06:36,520 --> 02:06:37,760
Tabletop first.

2234
02:06:37,760 --> 02:06:39,960
A story told with clocks.

2235
02:06:39,960 --> 02:06:49,800
At 0211 event 4672 fires on DC02. At 0214, 4662 signals DCSync by SVC backup west.

2236
02:06:49,800 --> 02:06:52,280
At 0217 change window is dark.

2238
02:06:56,160 --> 02:06:58,760
We ask who calls whom?

2239
02:06:58,760 --> 02:07:00,360
What gets quarantined?

2240
02:07:00,360 --> 02:07:02,320
Which secrets reset first?

2241
02:07:02,320 --> 02:07:04,320
Which services fail over?

2242
02:07:04,320 --> 02:07:08,720
Which business owners need to hear plain language in five minutes?

2243
02:07:08,720 --> 02:07:11,320
Roles practice words, playbooks practice order.

2244
02:07:11,320 --> 02:07:13,160
Then live fire, scoped and safe.

2245
02:07:13,160 --> 02:07:16,080
Pull a canary DC offline in the lab and simulate loss.

2246
02:07:16,080 --> 02:07:17,360
Rebuild it to the runbook.

2247
02:07:17,360 --> 02:07:19,440
Reset KRBTGT twice with timers.

2248
02:07:19,440 --> 02:07:23,680
Verify PAC validation on a sensitive service catches injected claims.

2249
02:07:23,680 --> 02:07:27,880
Reissue a GMSA and watch dependent services stumble, then recover.

2250
02:07:27,880 --> 02:07:32,440
Measure not perfection, but time to stable orbit.

2251
02:07:32,440 --> 02:07:38,880
Each drill ends with edits to law, a missing phone number, an ambiguous approval, a step that

2252
02:07:38,880 --> 02:07:42,720
took hours because two teams spoke different dialects.

2253
02:07:42,720 --> 02:07:45,200
Lab echo, low chime.

2254
02:07:45,200 --> 02:07:51,920
Backup validation, SYSVOL restored, DFSR healthy, clients trust.

2255
02:07:51,920 --> 02:07:57,400
Soft tick, KRBTGT rotation, pass one complete timer set for pass two.

2256
02:07:57,400 --> 02:07:59,480
The metronome is audible.

2257
02:07:59,480 --> 02:08:01,120
Monitoring confirms cadence.

2258
02:08:01,120 --> 02:08:06,120
Dashboards show patch age by tier, percentage compliant.

2259
02:08:06,120 --> 02:08:08,120
Exceptions expiring this week.

2260
02:08:08,120 --> 02:08:14,600
Backups report last success timestamps, restore tests with pass, fail, next drill scheduled.

2261
02:08:14,600 --> 02:08:16,120
We page on silence.

2262
02:08:16,120 --> 02:08:20,560
If no system state landed last night, that is an incident.

2263
02:08:20,560 --> 02:08:25,400
If KRBTGT has not rotated in 12 months, that is drift declared.

2264
02:08:25,400 --> 02:08:31,320
If a tier zero PAW runs a browser plugin update, that is noise made into signal.

2265
02:08:31,320 --> 02:08:33,920
Culture anchors the orbit.

2266
02:08:33,920 --> 02:08:36,520
Change windows are real.

2267
02:08:36,520 --> 02:08:38,640
Leadership defends them.

2268
02:08:38,640 --> 02:08:44,380
Admins are rewarded for boring updates that land on time, not heroic saves at sunrise.

2269
02:08:44,380 --> 02:08:47,580
Most incident reviews target process, not people.

2270
02:08:47,580 --> 02:08:51,000
The physics that failed, the law we revised.

2271
02:08:51,000 --> 02:08:54,340
Vendors are negotiated with as if physics matters.

2272
02:08:54,340 --> 02:08:59,540
Support for GMSA, channel binding, SMB signing.

2273
02:08:59,540 --> 02:09:04,780
Contracts include modernization clauses, sunsets and penalties for fossil gravity.

2274
02:09:04,780 --> 02:09:06,380
The observer speaks.

2275
02:09:06,380 --> 02:09:08,360
I am the clock in your sky.

2276
02:09:08,360 --> 02:09:11,420
When you keep cadence, I do not punish.

2277
02:09:11,420 --> 02:09:14,640
When you drift, I stretch your hours into nights.

2278
02:09:14,640 --> 02:09:20,080
Low chime, patches land, backups restore, drills remember.

2279
02:09:20,080 --> 02:09:24,080
Operational gravity holds because time is governed, not feared.

2280
02:09:24,080 --> 02:09:27,700
Governance checklist, Monday, gravity.

2281
02:09:27,700 --> 02:09:31,660
Before we drift apart, here is the gravity you must enforce.

2282
02:09:31,660 --> 02:09:37,340
Not theory, action, Monday. One, domain controllers are sacred: no casual logon, no browsing,

2283
02:09:37,340 --> 02:09:39,380
no email, no "just for a minute".

2284
02:09:39,380 --> 02:09:44,180
Enforce deny interactive logon for everyone not in tier zero admin roles.

2285
02:09:44,180 --> 02:09:48,860
Stop the print spooler, require PAWs for administration with Remote Credential Guard.

2286
02:09:48,860 --> 02:09:53,380
LSA protection enabled, credential guard where supported, law at the core.

2287
02:09:53,380 --> 02:09:57,100
Two, admin is a tool, not a person.

2288
02:09:57,100 --> 02:09:58,620
Carry separate identities.

2289
02:09:58,620 --> 02:10:01,060
User, tier one admin, tier zero admin.

2290
02:10:01,060 --> 02:10:05,380
Protect them with hardware backed factors and policies that refuse NTLM.

2291
02:10:05,380 --> 02:10:11,380
Put tier zero admins in the Protected Users group, remove lingering logon locally and RDP

2292
02:10:11,380 --> 02:10:15,380
rights from admin accounts everywhere except jump hosts.

2293
02:10:15,380 --> 02:10:17,380
Ceremony, not convenience.

2294
02:10:17,380 --> 02:10:20,380
Three, reduce fossil gravity.

2295
02:10:20,380 --> 02:10:23,780
Disable LM and NTLMv1 entirely.

2296
02:10:23,780 --> 02:10:29,380
Audit NTLM to discover remaining caves and force SMB signing on clients and servers.

2297
02:10:29,380 --> 02:10:36,660
Require LDAP channel binding, prefer Kerberos with precise SPNs, and where NTLM must remain,

2298
02:10:36,660 --> 02:10:41,380
allowlist services and isolate them in a VLAN that cannot touch tier zero.

2299
02:10:41,380 --> 02:10:43,380
Fossils behind glass.

2300
02:10:43,380 --> 02:10:46,900
Four, delegation becomes engineered light.

2301
02:10:46,900 --> 02:10:49,580
Remove unconstrained delegation.

2302
02:10:49,580 --> 02:10:54,220
Replace with constrained delegation scoped to exact SPNs.

2303
02:10:54,220 --> 02:10:59,740
Prefer resource-based constrained delegation so targets choose their mirrors.

2304
02:10:59,740 --> 02:11:02,860
Deny interactive logon to every service account.

2305
02:11:02,860 --> 02:11:09,100
If a vendor demands an exception, place it behind glass with WDAC or AppLocker, transcript

2306
02:11:09,100 --> 02:11:11,700
logging and change control.

2307
02:11:11,700 --> 02:11:14,940
Five, service accounts are vessels with owners.

2308
02:11:14,940 --> 02:11:17,140
Default to gMSA and sMSA.

2309
02:11:17,140 --> 02:11:23,820
Rotate as heartbeat for any static secret and enforce length and scheduled rotation.

2310
02:11:23,820 --> 02:11:26,180
Restrict logon rights to exact hosts.

2311
02:11:26,180 --> 02:11:29,420
Remove SPN write permissions from broad groups.

2312
02:11:29,420 --> 02:11:32,500
Make SPN creation a ticketed event.

2313
02:11:32,500 --> 02:11:33,820
Quarterly attest:

2314
02:11:33,820 --> 02:11:35,580
Owner, purpose, rights.

2315
02:11:35,580 --> 02:11:37,260
Last rotate date.

2316
02:11:37,260 --> 02:11:38,420
Delegation targets.

2317
02:11:38,420 --> 02:11:40,820
Six, LAPS everywhere.

2318
02:11:40,820 --> 02:11:45,300
Unique local administrator passwords on every workstation and server.

2319
02:11:45,300 --> 02:11:46,500
Rotate regularly.

2320
02:11:46,500 --> 02:11:51,660
Deny reading LAPS attributes to anyone outside a small audited group.

2321
02:11:51,660 --> 02:11:56,620
Pair with remote UAC so local admin tokens do not cross boundaries without intent.

2322
02:11:56,620 --> 02:11:58,620
Shared local admin dies today.

2323
02:11:58,620 --> 02:12:00,540
Seven, segment east west.

2324
02:12:00,540 --> 02:12:03,740
Workstations cannot WinRM to servers by default.

2325
02:12:03,740 --> 02:12:06,780
Servers cannot RDP to domain controllers.

2326
02:12:06,780 --> 02:12:12,620
Only jump hosts in a management VLAN may cross to tier and tier one.

2327
02:12:12,620 --> 02:12:17,780
Deny by default, allow by purpose, validate rules with flow logs.

2328
02:12:17,780 --> 02:12:22,100
Every unexpected beam is an alert, not a trivia question.

2329
02:12:22,100 --> 02:12:24,500
Eight, baselines are law.

2330
02:12:24,500 --> 02:12:26,900
Apply hardened GPOs.

2331
02:12:26,900 --> 02:12:28,740
LSA protection.

2332
02:12:28,740 --> 02:12:29,740
Credential Guard.

2333
02:12:29,740 --> 02:12:32,020
SMB signing always.

2334
02:12:32,020 --> 02:12:34,820
LDAP channel binding required.

2335
02:12:34,820 --> 02:12:37,140
WDigest disabled.

2336
02:12:37,140 --> 02:12:40,460
Print spooler off on servers that do not print.

2337
02:12:40,460 --> 02:12:42,660
Legacy protocols removed.

2338
02:12:42,660 --> 02:12:45,740
PowerShell logging and transcription where risk demands.

2339
02:12:45,740 --> 02:12:48,540
Sysmon deployed with a curated rule set.

2340
02:12:48,540 --> 02:12:52,820
Application control on PAWs, DCs, tier servers.

2341
02:12:52,820 --> 02:12:54,980
Nine, Kerberos lives with ritual.

2342
02:12:54,980 --> 02:13:00,260
Rotate KRBTGT twice on a planned cadence and after compromise.

2343
02:13:00,260 --> 02:13:03,060
Shorten ticket lifetimes for high value identities.

2344
02:13:03,060 --> 02:13:06,780
Enable PAC validation on sensitive services that support it.

2345
02:13:06,780 --> 02:13:09,220
Audit for duplicate or stale SPNs.

2346
02:13:09,220 --> 02:13:11,420
Remove wildcard targets in delegation.

2347
02:13:11,420 --> 02:13:13,380
Kerberos armoring where feasible.

2348
02:13:13,380 --> 02:13:14,700
Time aligned to keys.

2349
02:13:14,700 --> 02:13:16,380
Ten, monitor codes, not notes.

2350
02:13:16,380 --> 02:13:22,980
Forward 4768, 4769, 4672, 4662, replication,

2351
02:13:22,980 --> 02:13:31,020
4728, 4729, 4732, 4733, 7045, 474.

2352
02:13:31,020 --> 02:13:33,300
Collect system 137 10 11.

2353
02:13:33,300 --> 02:13:35,300
Build correlations.

2354
02:13:35,300 --> 02:13:42,260
Privileged logon plus SPN spike plus new service equals page now.

2355
02:13:42,260 --> 02:13:45,540
Tag hosts by tier and patch age.

2356
02:13:45,540 --> 02:13:49,500
Weight alerts by blast radius.

2357
02:13:49,500 --> 02:13:51,500
Silence is drift. 11.

2358
02:13:51,500 --> 02:13:52,700
Patch by metronome.

2359
02:13:52,700 --> 02:13:54,180
Cohorts by tier.

2360
02:13:54,180 --> 02:13:55,180
Canary.

2361
02:13:55,180 --> 02:13:56,180
Then wave.

2362
02:13:56,180 --> 02:13:57,980
Exceptions expire by date.

2363
02:13:57,980 --> 02:13:59,180
Dashboards show age.

2364
02:13:59,180 --> 02:14:02,140
Isolation for nodes that cannot comply.

2365
02:14:02,140 --> 02:14:06,420
Legacy paths behind proxies with mutual TLS.

2366
02:14:06,420 --> 02:14:08,100
Compensate loudly.

2367
02:14:08,100 --> 02:14:12,580
Dimitri amplified firewall rules strict time is governance.

2368
02:14:12,580 --> 02:14:15,860
12. Backups are real or they are fantasy.

2369
02:14:15,860 --> 02:14:18,340
System state for every DC on schedule.

2370
02:14:18,340 --> 02:14:20,420
Off the box, immutable.

2371
02:14:20,420 --> 02:14:25,580
Quarterly lab restore that ends with a new client trusting the restored DC without manual

2372
02:14:25,580 --> 02:14:26,580
blessing.

2373
02:14:26,580 --> 02:14:30,460
ADCS database and keys backed up and tested.

2374
02:14:30,460 --> 02:14:32,260
GPOs exported.

2375
02:14:32,260 --> 02:14:33,500
Runbook printed.

2376
02:14:33,500 --> 02:14:35,060
Phone numbers verified.

2377
02:14:35,060 --> 02:14:36,540
Roles rehearsed.

2378
02:14:36,540 --> 02:14:38,180
14. Practice the fall.

2379
02:14:38,180 --> 02:14:39,660
Tabletop quarterly.

2380
02:14:39,660 --> 02:14:41,820
Live fire in lab twice a year.

2381
02:14:41,820 --> 02:14:42,820
Rebuild a DC.

2382
02:14:42,820 --> 02:14:45,060
Rotate KRBTGT twice.

2383
02:14:45,060 --> 02:14:47,060
Reissue a GMSA.

2384
02:14:47,060 --> 02:14:49,620
Validate PAC checks, measure time to stable orbit.

2385
02:14:49,620 --> 02:14:51,260
Edit law after every drill.

2386
02:14:51,260 --> 02:14:54,260
The universe respects rehearsal.

2387
02:14:54,260 --> 02:14:56,420
14.

2388
02:14:56,420 --> 02:14:57,900
Name owners.

2389
02:14:57,900 --> 02:14:58,900
Every GPO.

2390
02:14:58,900 --> 02:15:00,220
Every service principal.

2391
02:15:00,220 --> 02:15:01,620
Every certificate template.

2392
02:15:01,620 --> 02:15:04,380
Every firewall zone.

2393
02:15:04,380 --> 02:15:05,500
Ownership in a registry.

2394
02:15:05,500 --> 02:15:07,900
Humans can read, attest quarterly.

2395
02:15:07,900 --> 02:15:10,180
Orphans are retired, not tolerated.

2396
02:15:10,180 --> 02:15:12,940
Dead stars still bend light until removed.

2397
02:15:12,940 --> 02:15:13,940
15.

2398
02:15:13,940 --> 02:15:14,940
Close the coercions.

2399
02:15:14,940 --> 02:15:18,020
Disable the print spooler where unnecessary.

2400
02:15:18,020 --> 02:15:19,780
Retire SMBv1.

2401
02:15:19,780 --> 02:15:22,660
Restrict NTLM relay by signing and channel binding.

2402
02:15:22,660 --> 02:15:25,580
Reduce implicit trust in management protocols.

2403
02:15:25,580 --> 02:15:31,260
Every coercion trimmed is one less tide dragging identity outward.

2404
02:15:31,260 --> 02:15:32,940
16.

2405
02:15:32,940 --> 02:15:37,100
Vendors with physics change windows defended by leadership.

2406
02:15:37,100 --> 02:15:41,180
Incident language plain: scope, confidence, impact, next decision.

2407
02:15:41,180 --> 02:15:43,300
Reward boring success on time.

2408
02:15:43,300 --> 02:15:44,980
Post incident reviews.

2409
02:15:44,980 --> 02:15:46,300
Revise process.

2410
02:15:46,300 --> 02:15:47,940
Not people.

2411
02:15:47,940 --> 02:15:50,380
Vendors are held to gravity.

2412
02:15:50,380 --> 02:15:51,980
Support for GMSA.

2413
02:15:51,980 --> 02:15:54,620
Signing, binding, modern authentication.

2414
02:15:54,620 --> 02:15:56,940
Lab echo, low chime.

2415
02:15:56,940 --> 02:15:59,700
Policy set: SMB signing always.

2416
02:15:59,700 --> 02:16:04,740
LDAP channel binding required.

2417
02:16:04,740 --> 02:16:06,740
LAPS rotation complete.

2418
02:16:06,740 --> 02:16:08,740
Bass pulse softens.

2419
02:16:08,740 --> 02:16:10,740
KRBTGT rotation scheduled.

2420
02:16:10,740 --> 02:16:12,740
Pass one in seven days.

2421
02:16:12,740 --> 02:16:14,740
Pass two in nine.

2422
02:16:14,740 --> 02:16:16,740
You cannot make this universe perfect.

2423
02:16:16,740 --> 02:16:18,740
But you can make it loud when it bends.

2424
02:16:18,740 --> 02:16:21,740
You can make privilege ceremonial and drift impatient.

2425
02:16:21,740 --> 02:16:23,740
You can make collapse reversible.