Dec. 21, 2025

Active Directory is a Black Hole: The Physics of Security Drift (Part 2)

In Part 2, we go deeper into the gravitational pull of Active Directory and how unchecked identity sprawl, legacy design, and operational shortcuts create invisible risk. This episode breaks down how security drift accelerates over time, why traditional controls fail to detect it, and what defenders must do to regain control of identity infrastructure before collapse.

🚀 What You’ll Learn in This Episode

  • Why identity systems naturally drift toward insecurity
  • How permissions, groups, and service accounts silently accumulate risk
  • The real-world impact of misconfiguration at scale
  • How attack paths form inside Active Directory environments
  • Why traditional audits miss identity-based threats
  • What it takes to reverse security drift instead of just slowing it
🧠 Key Topics Covered
  • Privilege creep and access entropy
  • Service account abuse and automation risk
  • Lateral movement through identity systems
  • Delegation risks and inheritance failures
  • Detection gaps in identity security
  • Visibility vs. illusion of control
💬 Core Theme
“Security doesn’t fail all at once — it collapses slowly under invisible weight.” This episode reframes identity security as a physics problem, not just a tooling problem.

👥 Who This Episode Is For
  • Blue Team & SOC Analysts
  • Identity & Access Management (IAM) Engineers
  • Active Directory Administrators
  • Security Architects
  • CISOs & Risk Leaders

Become a supporter of this podcast: https://www.spreaker.com/podcast/m365-show-podcast--6704921/support.

Follow us on:
LinkedIn
Substack
Transcript
1
00:00:00,000 --> 00:00:05,360
Unconstrained delegation, TGT extraction. There is a furnace on the application tier.

2
00:00:05,360 --> 00:00:06,360
No one calls it that.

3
00:00:06,360 --> 00:00:12,080
They call it App Invoice 02, a legacy web server that prints receipts and talks to

4
00:00:12,080 --> 00:00:13,080
SQL.

5
00:00:13,080 --> 00:00:19,640
A decade ago, to make single sign-on painless, someone enabled unconstrained delegation.

6
00:00:19,640 --> 00:00:20,640
It worked.

7
00:00:20,640 --> 00:00:21,640
It kept working.

8
00:00:21,640 --> 00:00:22,640
Time slowed around it.

9
00:00:22,640 --> 00:00:23,640
The furnace kept burning.

10
00:00:23,640 --> 00:00:28,280
Unconstrained delegation bends identity like a star that traps light.

11
00:00:28,280 --> 00:00:32,760
Any user who authenticates to the service leaves behind radiant heat.

12
00:00:32,760 --> 00:00:38,840
A TGT in memory, valid for hours, minted by the KDC, heavy with authority.

13
00:00:38,840 --> 00:00:43,520
The service can then request access tickets to anything the user could reach.

14
00:00:43,520 --> 00:00:45,680
Not evil, just physics.

15
00:00:45,680 --> 00:00:51,000
At 0918, a tier 2 user browses to the app; Kerberos does its honest work.

16
00:00:51,000 --> 00:00:55,440
The front end receives a service ticket for HTTP/App Invoice 02.

17
00:00:55,440 --> 00:00:56,840
The furnace exhales.

18
00:00:56,840 --> 00:00:58,160
The user moves on.

19
00:00:58,160 --> 00:01:03,400
The TGT remains. In another room, an attacker holds local admin on the host from a forgotten

20
00:01:03,400 --> 00:01:04,400
software update.

21
00:01:04,400 --> 00:01:05,960
They do not need a zero day.

22
00:01:05,960 --> 00:01:07,680
They only need to open the door.

23
00:01:07,680 --> 00:01:09,760
The furnace is already warmed.

24
00:01:09,760 --> 00:01:11,000
They read memory.

25
00:01:11,000 --> 00:01:13,600
Not a how to, but a truth.

26
00:01:13,600 --> 00:01:18,040
LSASS on an unconstrained delegate caches TGTs for convenience.

27
00:01:18,040 --> 00:01:19,960
The attacker does not pivot loudly.

28
00:01:19,960 --> 00:01:26,320
They listen to the process list, watch handles, and wait for a principal worth falling toward.

29
00:01:26,320 --> 00:01:31,480
At 0923, a service engineer logs on to check a spooler error.

30
00:01:31,480 --> 00:01:34,960
Their account is privileged on a mid-tier management server.

31
00:01:34,960 --> 00:01:36,280
The TGT appears.

32
00:01:36,280 --> 00:01:37,280
It glows.

33
00:01:37,280 --> 00:01:38,280
Lab echo.

34
00:01:38,280 --> 00:01:39,280
Low chime.

35
00:01:39,280 --> 00:01:40,880
Event 4769.

36
00:01:40,880 --> 00:01:44,720
HTTP/App Invoice 02 requests spike.

37
00:01:44,720 --> 00:01:45,720
Bass pulse.

38
00:01:45,720 --> 00:01:46,720
Sysmon 10.

39
00:01:46,720 --> 00:01:49,720
LSASS handle opened by unusual process.

43
00:01:52,720 --> 00:01:55,440
The telescope catches the heat signature.

44
00:01:55,440 --> 00:02:03,560
With the engineer's TGT, the attacker requests a service ticket to CIFS on MGMT file 01.

45
00:02:03,560 --> 00:02:05,640
The KDC obliges.

46
00:02:05,640 --> 00:02:08,640
The ticket is valid because physics says it is.

47
00:02:08,640 --> 00:02:12,280
On the file server, a script share holds deployment artifacts.

48
00:02:12,280 --> 00:02:18,960
A credential file, historical, forgotten, convenient, contains a gMSA fallback password

49
00:02:18,960 --> 00:02:22,080
from before the migration fully completed.

50
00:02:22,080 --> 00:02:23,920
Drift plus heat: doors open.

51
00:02:23,920 --> 00:02:25,320
They do not stop.

52
00:02:25,320 --> 00:02:29,680
The engineer's group membership includes local admin on three patching servers.

53
00:02:29,680 --> 00:02:34,800
RDP is permitted from the app tier because convenience never argued with law.

54
00:02:34,800 --> 00:02:37,480
The attacker carries the warmth across.

55
00:02:37,480 --> 00:02:41,240
On Patch Core West, cached admin tokens linger.

56
00:02:41,240 --> 00:02:42,280
Identity bends further.

57
00:02:42,280 --> 00:02:44,200
The gravity well brightens.

58
00:02:44,200 --> 00:02:46,480
The target is still the singularity.

59
00:02:46,480 --> 00:02:50,840
A domain controller does not accept RDP, but it accepts trust.

60
00:02:50,840 --> 00:02:58,080
With the stolen warmth, the attacker asks the KDC for a service ticket to LDAP on DC02.

61
00:02:58,080 --> 00:02:59,720
The directory answers.

62
00:02:59,720 --> 00:03:05,480
Queries reveal group memberships, SPNs and, crucially, a backup service account with

63
00:03:05,480 --> 00:03:06,480
DS-Replication-Get-Changes.

64
00:03:06,480 --> 00:03:08,080
A supply route appears.

65
00:03:08,080 --> 00:03:10,680
The attacker does not have to abuse it now.

66
00:03:10,680 --> 00:03:11,680
They mark it.

67
00:03:11,680 --> 00:03:13,320
Momentum continues.

68
00:03:13,320 --> 00:03:14,560
Defense is ceremony.

69
00:03:14,560 --> 00:03:16,360
The furnace must go dark.

70
00:03:16,360 --> 00:03:18,280
We remove unconstrained delegation.

71
00:03:18,280 --> 00:03:20,400
Not a flag alone but a plan.

72
00:03:20,400 --> 00:03:26,560
Survey the principals with the userAccountControl flag TRUSTED_FOR_DELEGATION set.

73
00:03:26,560 --> 00:03:28,240
Expect breakage.

74
00:03:28,240 --> 00:03:34,000
Replace with constrained delegation, scoped to exact SPNs the app truly needs.

75
00:03:34,000 --> 00:03:38,560
HTTP to SQL's MSSQLSvc, nothing else.

76
00:03:38,560 --> 00:03:39,560
Better.

77
00:03:39,560 --> 00:03:45,560
Flip to resource-based constrained delegation so SQL names the front end specifically.

78
00:03:45,560 --> 00:03:48,440
The target chooses who may bend toward it.

79
00:03:48,440 --> 00:03:50,360
The lens focuses.

80
00:03:50,360 --> 00:03:55,400
We deny interactive logon to the app's service principal and the server itself.

81
00:03:55,400 --> 00:03:59,240
No one should check anything from its desktop.

82
00:03:59,240 --> 00:04:06,720
We isolate the host: dedicated VLAN, inbound only from the load balancer and the PAW management

83
00:04:06,720 --> 00:04:10,400
subnet, outbound only to SQL and a logging sink.

84
00:04:10,400 --> 00:04:13,880
Print Spooler off, SMB signing enforced.

85
00:04:13,880 --> 00:04:17,080
LDAP channel binding required.

86
00:04:17,080 --> 00:04:23,080
App control locks the process list so foreign hands cannot touch LSASS without leaving a scream.

87
00:04:23,080 --> 00:04:24,920
We rotate heat away.

88
00:04:24,920 --> 00:04:28,480
The app service identity becomes a gMSA.

89
00:04:28,480 --> 00:04:30,440
Secrets rotate as heartbeat.

90
00:04:30,440 --> 00:04:31,880
No human remembers.

91
00:04:31,880 --> 00:04:34,240
No sticky notes survive.

92
00:04:34,240 --> 00:04:36,720
We purge sticky credentials.

93
00:04:36,720 --> 00:04:38,480
Remove cached secrets.

94
00:04:38,480 --> 00:04:40,240
Disable WDigest.

95
00:04:40,240 --> 00:04:42,400
Enable LSA protection.

96
00:04:42,400 --> 00:04:49,440
We test: when a user authenticates, only a service ticket lands, not their TGT. The furnace cools.

97
00:04:49,440 --> 00:04:51,160
We instrument lenses.

98
00:04:51,160 --> 00:04:59,080
Alert on event 4769 spikes for HTTP/App Invoice 02, clustered by caller.

99
00:04:59,080 --> 00:05:04,240
Watch Sysmon 10 on the host for LSASS access from anything but the EDR lineage.

100
00:05:04,240 --> 00:05:08,160
Monitor 4738 for changes to delegation flags.

101
00:05:08,160 --> 00:05:16,280
5136 for edits to msDS-AllowedToDelegateTo and

102
00:05:16,280 --> 00:05:17,680
msDS-AllowedToActOnBehalfOfOtherIdentity.

103
00:05:17,680 --> 00:05:24,120
In the SIEM, chord the song: HTTP SPN spike plus LSASS handle plus new service ticket to CIFS

104
00:05:24,120 --> 00:05:26,400
from the same source equals page now.

105
00:05:26,400 --> 00:05:28,040
We practice exit.

106
00:05:28,040 --> 00:05:34,600
If we discover heat in memory, we evict in order: quarantine the app, rotate the gMSA,

107
00:05:34,600 --> 00:05:40,640
reset any static service passwords discovered, invalidate tickets by forcing log off on

108
00:05:40,640 --> 00:05:49,920
touched hosts, and if replication rights were used, schedule KRBTGT rotation twice, spaced

109
00:05:49,920 --> 00:05:52,640
by maximum ticket lifetime.

110
00:05:52,640 --> 00:05:58,040
We rebuild the app server from signed media rather than cleaning in place. Cleansing rituals

111
00:05:58,040 --> 00:06:01,160
lie; rebuilds tell the truth.

112
00:06:01,160 --> 00:06:02,160
Humans adjust.

113
00:06:02,160 --> 00:06:03,880
The service engineer gets a PAW.

114
00:06:03,880 --> 00:06:06,880
They never RDP from tier 2 again.

115
00:06:06,880 --> 00:06:09,320
Change windows become real.

116
00:06:09,320 --> 00:06:11,640
Emergency access becomes JIT.

117
00:06:11,640 --> 00:06:14,400
Approved, logged, recorded.

118
00:06:14,400 --> 00:06:18,200
The team learns that unconstrained delegation was not convenience.

119
00:06:18,200 --> 00:06:19,480
It was gravity ignored.

120
00:06:19,480 --> 00:06:20,880
The observer speaks.

121
00:06:20,880 --> 00:06:22,040
I am the app tier.

122
00:06:22,040 --> 00:06:23,960
I cooled when you sealed the furnace.

123
00:06:23,960 --> 00:06:25,640
I focused when you tuned the mirror.

124
00:06:25,640 --> 00:06:27,200
I did not need to be interesting.

125
00:06:27,200 --> 00:06:29,040
I needed to obey.

126
00:06:29,040 --> 00:06:36,920
Low chime.

127
00:06:36,920 --> 00:06:40,160
Delegation, unconstrained, removed.

128
00:06:40,160 --> 00:06:41,160
RBCD applied.

129
00:06:41,160 --> 00:06:42,160
Bass pulse softens.

130
00:06:42,160 --> 00:06:43,160
gMSA rotation.

131
00:06:43,160 --> 00:06:44,160
Complete.

132
00:06:44,160 --> 00:06:45,160
Heat.

133
00:06:45,160 --> 00:06:46,160
Dissipates.

134
00:06:46,160 --> 00:06:47,160
The orbit holds.

135
00:06:47,160 --> 00:06:48,160
Stale KRBTGT.

136
00:06:48,160 --> 00:06:49,160
Golden ticket persistence.

137
00:06:49,160 --> 00:06:50,160
There is a clock at the centre of every forest.

138
00:06:50,160 --> 00:06:51,160
It is not on a wall.

139
00:06:51,160 --> 00:06:54,440
It beats inside the KRBTGT account.

140
00:06:54,440 --> 00:06:57,920
When that secret grows old, time itself slows.

141
00:06:57,920 --> 00:07:01,640
Tickets minted years ago still pass as present.

142
00:07:01,640 --> 00:07:05,000
Stale keys let memory impersonate the moment.

143
00:07:05,000 --> 00:07:08,840
That is how persistence survives cleansing rituals.

144
00:07:08,840 --> 00:07:10,840
The story begins quietly.

145
00:07:10,840 --> 00:07:13,240
DC02 shows routine.

146
00:07:13,240 --> 00:07:14,520
Users log on.

147
00:07:14,520 --> 00:07:15,520
Services hum.

148
00:07:15,520 --> 00:07:17,200
No alarm scream.

149
00:07:17,200 --> 00:07:20,920
But the KRBTGT password has not rotated in six years.

150
00:07:20,920 --> 00:07:24,720
Administrators planned to do it after the migration.

152
00:07:28,560 --> 00:07:30,560
The forest did not.

153
00:07:30,560 --> 00:07:37,200
At 0211, an intruder who has already reached replication privileges reads the directory:

154
00:07:37,200 --> 00:07:40,640
one DCSync, one quiet harvest.

155
00:07:40,640 --> 00:07:45,480
They collect KRBTGT's current key and its previous key.

156
00:07:45,480 --> 00:07:49,040
Because the KDC must honor a small window of history.

157
00:07:49,040 --> 00:07:50,520
Two keys become a pen.

158
00:07:50,520 --> 00:07:52,120
With them the attacker forges time.

159
00:07:52,120 --> 00:07:53,560
They craft a golden ticket.

160
00:07:53,560 --> 00:07:54,560
Not a lottery.

161
00:07:54,560 --> 00:07:55,560
A claim.

162
00:07:55,560 --> 00:07:59,880
A TGT that asserts, "I am who I say I am."

163
00:07:59,880 --> 00:08:01,840
Minted by your own authority.

164
00:08:01,840 --> 00:08:05,240
The KDC accepts because the cryptographic gravity agrees.

165
00:08:05,240 --> 00:08:10,920
The forged TGT can be given any name, any SID history, any group membership.

166
00:08:10,920 --> 00:08:12,640
Domain admin today.

167
00:08:12,640 --> 00:08:14,480
Enterprise admin at dawn.

168
00:08:14,480 --> 00:08:16,320
The directory does not argue.

169
00:08:16,320 --> 00:08:19,080
It recognizes its own handwriting.

170
00:08:19,080 --> 00:08:26,120
Lab echo, low chime. 4768: TGT issued to SVC backup west at 0213.

171
00:08:26,120 --> 00:08:27,200
Bass pulse.

172
00:08:27,200 --> 00:08:28,200
No preceding

173
00:08:28,200 --> 00:08:31,040
4624 on any DC.

174
00:08:31,040 --> 00:08:33,320
The handwriting appears without the hand.

175
00:08:33,320 --> 00:08:36,560
With that golden ticket, the intruder does not ask politely.

176
00:08:36,560 --> 00:08:38,480
They ask authoritatively.

177
00:08:38,480 --> 00:08:40,400
They enumerate GPOs.

178
00:08:40,400 --> 00:08:44,160
Link a crafted policy that runs a startup script on a management server.

179
00:08:44,160 --> 00:08:46,440
Then remove the link minutes later.

180
00:08:46,440 --> 00:08:52,240
They create a user named SVC Telemetry North with password never expires, tuck it into backup

181
00:08:52,240 --> 00:08:54,600
operators in an OU and vanish.

182
00:08:54,600 --> 00:08:56,400
The ticket is renewed on schedule.

183
00:08:56,400 --> 00:08:57,720
Nothing times out.

184
00:08:57,720 --> 00:08:59,360
Drift looks like continuity.

185
00:08:59,360 --> 00:09:01,240
No antivirus alarms.

186
00:09:01,240 --> 00:09:03,040
No brute force.

187
00:09:03,040 --> 00:09:05,040
Just curvature.

188
00:09:05,040 --> 00:09:07,520
Defense is time discipline.

189
00:09:07,520 --> 00:09:11,360
KRBTGT rotation is ritual, not folklore.

190
00:09:11,360 --> 00:09:16,120
Twice in sequence spaced by the maximum ticket lifetime in the domain.

191
00:09:16,120 --> 00:09:20,760
The first rotation invalidates all TGTs signed with the oldest key.

192
00:09:20,760 --> 00:09:25,920
The second rotation invalidates those signed with the first new key while the directory

193
00:09:25,920 --> 00:09:27,520
carried both.

194
00:09:27,520 --> 00:09:31,360
Only then is the pen taken away. But time resists.

195
00:09:31,360 --> 00:09:33,000
Before we rotate KRBTGT, we prepare.

196
00:09:33,000 --> 00:09:39,040
We verify DC health: replication convergence clean, lingering objects scrubbed, SYSVOL

197
00:09:39,040 --> 00:09:40,520
replicating.

198
00:09:40,520 --> 00:09:42,000
We announce windows.

199
00:09:42,000 --> 00:09:44,640
We checkpoint backups of system state.

200
00:09:44,640 --> 00:09:46,920
We document expected noise.

201
00:09:46,920 --> 00:09:48,400
Ticket renewal failures.

202
00:09:48,400 --> 00:09:51,120
One time reauthentication prompts.

203
00:09:51,120 --> 00:09:53,120
We plan for aftercare.

204
00:09:53,120 --> 00:09:54,120
Service restarts.

205
00:09:54,120 --> 00:09:58,640
gMSA refresh on sensitive services to align their keys with new trust.

206
00:09:58,640 --> 00:10:01,080
We execute with ceremony.

207
00:10:01,080 --> 00:10:07,280
On a PAW, with change ticket in hand, a senior admin rotates KRBTGT using a tested

208
00:10:07,280 --> 00:10:12,960
script that writes logs, records timestamps and confirms replication.

209
00:10:12,960 --> 00:10:16,680
We wait the length of the maximum ticket lifetime plus a margin.

210
00:10:16,680 --> 00:10:19,800
Then we rotate again. Between passes, we monitor.

211
00:10:19,800 --> 00:10:22,200
4768 volumes rise and fall.

212
00:10:22,200 --> 00:10:23,440
Authentication errors

213
00:10:23,440 --> 00:10:24,440
surface.

214
00:10:24,440 --> 00:10:29,760
We watch for any TGT that claims SID history or group memberships that do not match the

215
00:10:29,760 --> 00:10:30,760
directory.

216
00:10:30,760 --> 00:10:33,240
A forged sun still casts an odd shadow.

217
00:10:33,240 --> 00:10:35,240
We observe the noise that matters.

218
00:10:35,240 --> 00:10:38,720
Golden tickets often betray themselves in detail.

219
00:10:38,720 --> 00:10:45,040
Unusual logon IDs persisting across many hosts without interactive logons.

220
00:10:45,040 --> 00:10:50,560
4769 service ticket requests from identities with improbable group claims.

221
00:10:50,560 --> 00:10:57,800
4624 type 3 logons to sensitive servers from subnets that never hosted those accounts.

222
00:10:57,800 --> 00:11:01,040
Our SIEM hunts for TGT lifetimes that deviate.

223
00:11:01,040 --> 00:11:06,800
Tickets that appear with exact maximum lifetimes consistently without the jitter of real users.

224
00:11:06,800 --> 00:11:08,640
We pair rotation with hardening.

225
00:11:08,640 --> 00:11:13,560
We enable PAC validation on sensitive services that support it.

226
00:11:13,560 --> 00:11:17,400
Domain controllers, PKI, SQL that guards money.

227
00:11:17,400 --> 00:11:23,280
When a forged TGT carries claims that do not match AD, the service refuses to believe

228
00:11:23,280 --> 00:11:24,280
the lie.

229
00:11:24,280 --> 00:11:29,080
We shorten TGT and service ticket lifetimes for critical accounts.

230
00:11:29,080 --> 00:11:32,000
Stolen light decays faster.

231
00:11:32,000 --> 00:11:35,360
We ensure time is true, NTP disciplined.

232
00:11:35,360 --> 00:11:38,520
So ticket windows are law, not suggestion.

233
00:11:38,520 --> 00:11:41,960
We clean the scaffolding that gave birth to persistence.

234
00:11:41,960 --> 00:11:45,040
We audit who can replicate directory changes.

235
00:11:45,040 --> 00:11:49,920
Backup software that does DCSync uses dedicated accounts with only DS-Replication-Get-Changes

236
00:11:49,920 --> 00:11:52,520
and DS-Replication-Get-Changes-All.

237
00:11:52,520 --> 00:11:55,200
Constrained logon rights and alerting on use.

238
00:11:55,200 --> 00:11:58,760
We remove helpful service accounts from broad admin groups.

239
00:11:58,760 --> 00:12:00,360
We attest memberships monthly.

240
00:12:00,360 --> 00:12:02,200
Shadow admins lose their pen.

241
00:12:02,200 --> 00:12:04,600
Humans learn a new metronome.

242
00:12:04,600 --> 00:12:12,200
KRBTGT rotation becomes calendared twice per year or aligned to significant change windows.

243
00:12:12,200 --> 00:12:13,760
Scripts live in source control.

244
00:12:13,760 --> 00:12:16,680
Dry runs occur in a lab with recorded outcomes.

245
00:12:16,680 --> 00:12:22,480
A rollback plan exists but is rarely needed because we practiced under starlight first.

246
00:12:22,480 --> 00:12:28,480
We accept minor discomfort rather than wake to a universe redrawn by a forged ticket.

247
00:12:28,480 --> 00:12:30,680
Lab echo, low chime.

248
00:12:30,680 --> 00:12:37,440
KRBTGT rotation pass 1 at 2100 replicated to 100%.

249
00:12:37,440 --> 00:12:44,160
Soft tick. Pass 2 at 2300. 4768 returns to baseline.

250
00:12:44,160 --> 00:12:45,480
Bass pulse fades.

251
00:12:45,480 --> 00:12:48,480
PAC validation enabled on DCs and SQL Fin.

252
00:12:48,480 --> 00:12:49,720
The observer speaks.

253
00:12:49,720 --> 00:12:50,720
I am the KDC.

254
00:12:50,720 --> 00:12:52,160
I forgot nothing.

255
00:12:52,160 --> 00:12:55,560
I accepted the key you refused to change.

256
00:12:55,560 --> 00:12:58,760
When you moved time forward, I stopped honoring ghosts.

257
00:12:58,760 --> 00:13:00,320
Golden tickets are not sorcery.

258
00:13:00,320 --> 00:13:02,520
They are courtesy extended too long.

259
00:13:02,520 --> 00:13:03,520
Rotate the key.

260
00:13:03,520 --> 00:13:04,520
Shorten the night.

261
00:13:04,520 --> 00:13:06,120
Bind claims to truth.

262
00:13:06,120 --> 00:13:09,320
Gravity obeys the clock we keep.

263
00:13:09,320 --> 00:13:11,080
Overprivileged backup service.

264
00:13:11,080 --> 00:13:12,080
DCSync.

265
00:13:12,080 --> 00:13:13,640
Backups are memory.

266
00:13:13,640 --> 00:13:16,600
But when memory can write the present it becomes power.

267
00:13:16,600 --> 00:13:19,960
The service was named SVC backup west.

268
00:13:19,960 --> 00:13:21,960
Harmless on paper.

269
00:13:21,960 --> 00:13:26,680
It belonged to the team that kept nights quiet and mornings predictable.

270
00:13:26,680 --> 00:13:31,280
Years ago, a vendor guide suggested generous rights to ensure consistent backups.

271
00:13:31,280 --> 00:13:33,400
The suggestion calcified into policy.

272
00:13:33,400 --> 00:13:36,960
The account gained membership where it did not belong.

273
00:13:36,960 --> 00:13:38,880
Domain admin for a weekend.

274
00:13:38,880 --> 00:13:41,040
Then backup operators forever.

275
00:13:41,040 --> 00:13:46,960
Then an acquired ACE on the domain root granting DS-Replication-Get-Changes and

276
00:13:46,960 --> 00:13:49,240
DS-Replication-Get-Changes-All.

277
00:13:49,240 --> 00:13:51,200
Persistence masquerading as reliability.

278
00:13:51,200 --> 00:13:53,560
At 0143, routine began.

279
00:13:53,560 --> 00:13:59,480
The agent on MGMT backup 02 connected to domain controllers for VSS snapshots and metadata

280
00:13:59,480 --> 00:14:00,480
harvest.

281
00:14:00,480 --> 00:14:01,800
No one questioned the scope.

282
00:14:01,800 --> 00:14:03,600
The logs told the story of diligence.

283
00:14:03,600 --> 00:14:06,720
Beneath, the directory exposed a second story.

284
00:14:06,720 --> 00:14:13,560
With those replication rights, SVC backup west could ask domain controllers to replicate secrets.

285
00:14:13,560 --> 00:14:15,560
Not files, not policy. Secrets.

286
00:14:15,560 --> 00:14:17,640
NTDS content rendered as hashes and keys.

287
00:14:17,640 --> 00:14:19,240
DCSync is not malware.

288
00:14:19,240 --> 00:14:22,840
It is the directory obeying a request it trusts.

289
00:14:22,840 --> 00:14:25,400
The intruder did not need to break the vault.

290
00:14:25,400 --> 00:14:27,640
They needed to learn the vault's language.

291
00:14:27,640 --> 00:14:33,560
From a compromised tier one host where the backup console lived, they observed scheduled tasks,

292
00:14:33,560 --> 00:14:36,280
service configurations and token groups.

293
00:14:36,280 --> 00:14:39,600
SVC backup west authenticated to the console service.

294
00:14:39,600 --> 00:14:44,320
Its token glowed with rights that bent gravity.

295
00:14:44,320 --> 00:14:49,640
The attacker borrowed that token, no step by step, only physics, and walked to a domain

296
00:14:49,640 --> 00:14:55,000
controller's LDAP endpoint to ask for replication metadata.

297
00:14:55,000 --> 00:15:05,120
Lab echo, low chime. 4662: DS-Replication-Get-Changes by CN=SVC backup west. Bass pulse:

298
00:15:05,120 --> 00:15:09,920
no change window. Source: MGMT backup 02.

299
00:15:09,920 --> 00:15:11,480
The fabric shuddered.

300
00:15:11,480 --> 00:15:16,480
Hashes began to flow, not in files, but as replicated attributes.

301
00:15:16,480 --> 00:15:19,040
Users, administrators.

302
00:15:19,040 --> 00:15:24,040
The attacker did not need to crack them tonight.

303
00:15:24,040 --> 00:15:28,880
They archived the harvest in a quiet share under a name that looked like retention.

304
00:15:28,880 --> 00:15:34,880
With one chord, they bought time and options: pass the hash, offline cracking, forging tickets

305
00:15:34,880 --> 00:15:37,120
if KRBTGT stayed old.

306
00:15:37,120 --> 00:15:41,920
Overprivilege had turned memory into a pen that could rewrite the map.

307
00:15:41,920 --> 00:15:43,920
Defense begins with humility.

308
00:15:43,920 --> 00:15:46,640
Backups do not need to impersonate gods.

309
00:15:46,640 --> 00:15:47,960
They need a narrow lens.

310
00:15:47,960 --> 00:15:49,760
We redraw rights as principle.

311
00:15:49,760 --> 00:15:53,280
The backup service account becomes unprivileged by default.

312
00:15:53,280 --> 00:15:57,640
It receives exactly the application roles required by the product.

313
00:15:57,640 --> 00:16:03,560
Access to VSS on members via local group membership, read only to necessary shares.

314
00:16:03,560 --> 00:16:11,960
And if directory object backups are needed, AD Recycle Bin and granular exports, not replication.

315
00:16:11,960 --> 00:16:17,520
Where the product previously used DCSync, we replace it with an agent model that reads from

316
00:16:17,520 --> 00:16:22,720
endpoints using endpoint-specific credentials, never from the KDC's heart.

317
00:16:22,720 --> 00:16:24,960
We strip the directory of shadow grants.

318
00:16:24,960 --> 00:16:31,760
On the domain root, we remove any ACEs that assign DS-Replication-Get-Changes to service

319
00:16:31,760 --> 00:16:37,440
principals that are not domain controllers or dedicated replication monitors.

320
00:16:37,440 --> 00:16:40,960
We audit 4662 noise.

321
00:16:40,960 --> 00:16:47,200
Vetting principals with those rights and forcing a change request for each that claims business

322
00:16:47,200 --> 00:16:48,200
need.

323
00:16:48,200 --> 00:16:49,720
Most will be artifacts.

324
00:16:49,720 --> 00:16:51,600
Artifacts do not get to bend gravity.

325
00:16:51,600 --> 00:16:53,880
We reduce standing privilege further.

326
00:16:53,880 --> 00:16:59,800
SVC backup west becomes a gMSA, scoped to the exact backup servers.

327
00:16:59,800 --> 00:17:04,480
Denied interactive logon, denied RDP, denied local logon everywhere.

328
00:17:04,480 --> 00:17:10,360
It holds no membership in domain admins, backup operators on domain controllers, or built-in

329
00:17:10,360 --> 00:17:11,880
in operators at all.

330
00:17:11,880 --> 00:17:16,080
It receives logon as a service on backup hosts and only that.

331
00:17:16,080 --> 00:17:21,840
If a backup product demands elevated rights for system state on member servers, we scope via

332
00:17:21,840 --> 00:17:25,720
GPO to those servers, never domain controllers.

333
00:17:25,720 --> 00:17:32,040
For DC backups, we use Windows Server Backup scheduled tasks that run as LOCAL SYSTEM on

334
00:17:32,040 --> 00:17:38,560
each DC, writing to an isolated repository that backup servers pull from, pulling files,

335
00:17:38,560 --> 00:17:39,760
not rights.

336
00:17:39,760 --> 00:17:42,320
We place controls around replication.

337
00:17:42,320 --> 00:17:45,680
Directory replication monitoring becomes ceremony.

338
00:17:45,680 --> 00:17:52,080
4662 events for replication rights are forwarded in real time to a channel under watch.

339
00:17:52,080 --> 00:17:55,200
First use by any principal in a quarter triggers a page.

340
00:17:55,200 --> 00:18:00,800
We tag principals with allowed windows for DCSync, ideally none, and we script a daily check

341
00:18:00,800 --> 00:18:04,400
that validates the ACLs on the domain root against a baseline.

342
00:18:04,400 --> 00:18:06,800
Any drift becomes a ticket, not a footnote.

343
00:18:06,800 --> 00:18:09,440
We instrument the hosts that bridge worlds.

344
00:18:09,440 --> 00:18:14,560
Backup servers live on a management VLAN with no outbound to domain controllers, except

345
00:18:14,560 --> 00:18:16,960
documented ports for required operations.

346
00:18:16,960 --> 00:18:19,400
They do not initiate LDAP to DCs.

347
00:18:19,400 --> 00:18:24,280
They cannot reach SYSVOL via SMB except for specific export tasks.

348
00:18:24,280 --> 00:18:27,160
Application control denies unauthorized tools.

349
00:18:27,160 --> 00:18:28,400
Sysmon sings.

350
00:18:28,400 --> 00:18:31,000
Event 1 for process ancestry.

351
00:18:31,000 --> 00:18:34,080
Event 3 for unexpected beams to DCs.

352
00:18:34,080 --> 00:18:37,080
Event 10 on those servers becomes a siren.

353
00:18:37,080 --> 00:18:39,520
If LSASS is touched at all.

354
00:18:39,520 --> 00:18:40,520
SIEM correlates.

355
00:18:40,520 --> 00:18:45,760
4662 plus Sysmon 3 from backup server to DC equals gravity failure.

356
00:18:45,760 --> 00:18:48,560
We reconcile business desire with physics.

357
00:18:48,560 --> 00:18:53,720
If leadership insists the backup team must recover bare metal domain controllers from a central

358
00:18:53,720 --> 00:18:56,160
console, we design a ceremony.

359
00:18:56,160 --> 00:19:03,280
A break-glass identity that grants temporary replication rights via JIT, approved by two

360
00:19:03,280 --> 00:19:08,520
humans, time-boxed to an hour, logged loudly.

361
00:19:08,520 --> 00:19:11,080
After the window, rights evaporate; the default is no.

362
00:19:11,080 --> 00:19:12,920
The exception is recorded starlight.

363
00:19:12,920 --> 00:19:14,080
We repair culture.

364
00:19:14,080 --> 00:19:17,160
Vendor guides are reviewed by tier architects.

365
00:19:17,160 --> 00:19:22,320
"Grant domain admin" becomes an automatic denial with a path to success that does not bend

366
00:19:22,320 --> 00:19:23,320
the core.

367
00:19:23,320 --> 00:19:24,600
The backup team gains a PAW.

368
00:19:24,600 --> 00:19:26,560
Their consoles enforce MFA.

369
00:19:26,560 --> 00:19:30,400
Their service accounts rotate independently of human cycles.

370
00:19:30,400 --> 00:19:36,000
Quarterly, the team restores a domain controller in a lab using the current method and proves

371
00:19:36,000 --> 00:19:40,280
that no replication rights beyond DC internals are needed.

372
00:19:40,280 --> 00:19:42,720
Proof replaces folklore.

373
00:19:42,720 --> 00:19:45,200
Lab echo, low chime.

374
00:19:45,200 --> 00:19:49,360
4662: no non-DC principals present.

375
00:19:49,360 --> 00:19:50,840
Soft tick.

376
00:19:50,840 --> 00:19:54,760
gMSA SVC backup west rotated.

377
00:19:54,760 --> 00:19:56,600
Logon rights constrained.

378
00:19:56,600 --> 00:20:01,480
Bass pulse fades. Backup servers LDAP blocked.

379
00:20:01,480 --> 00:20:04,280
Pull-only pattern enforced.

380
00:20:04,280 --> 00:20:05,680
The observer speaks.

381
00:20:05,680 --> 00:20:07,280
I am the directory.

382
00:20:07,280 --> 00:20:10,320
I will replicate when asked by those I trust.

383
00:20:10,320 --> 00:20:12,160
Teach me who deserves that trust.

384
00:20:12,160 --> 00:20:13,680
Remove the rest.

385
00:20:13,680 --> 00:20:15,440
Backups protect memory.

386
00:20:15,440 --> 00:20:19,080
They should never be allowed to rewrite the present.

387
00:20:19,080 --> 00:20:21,720
Local admin reuse: pass-the-hash chain.

388
00:20:21,720 --> 00:20:23,600
There is a corridor that looks harmless.

389
00:20:23,600 --> 00:20:26,240
It is called local administrator.

390
00:20:26,240 --> 00:20:31,040
It exists on every workstation, every server, because convenience once said, we will fix it

391
00:20:31,040 --> 00:20:32,040
later.

392
00:20:32,040 --> 00:20:33,440
Later did not arrive.

393
00:20:33,440 --> 00:20:34,440
Time dilated.

394
00:20:34,440 --> 00:20:36,600
The passwords stayed the same.

395
00:20:36,600 --> 00:20:40,880
At 08:06, a finance workstation stalls on an invoice macro.

396
00:20:40,880 --> 00:20:42,560
An employee calls for help.

397
00:20:42,560 --> 00:20:48,920
A technician remote-assists and, in haste, logs on with a shared local admin that the team

398
00:20:48,920 --> 00:20:51,400
only uses for emergencies.

399
00:20:51,400 --> 00:20:56,040
The password is strong, but identical across 100 machines.

400
00:20:56,040 --> 00:20:58,600
Strength without uniqueness is mass without orbit.

401
00:20:58,600 --> 00:21:00,240
An intruder watches from the edge.

402
00:21:00,240 --> 00:21:05,400
They already hold user context on the workstation from a phishing link the day before.

403
00:21:05,400 --> 00:21:08,320
They do not need to read memory with poetry.

404
00:21:08,320 --> 00:21:11,800
The moment a local admin logon occurs, the beam brightens.

405
00:21:11,800 --> 00:21:13,120
The SAM holds a hash.

406
00:21:13,120 --> 00:21:17,800
The network will accept that hash as a token wherever the same secret governs.

407
00:21:17,800 --> 00:21:19,240
Pass the hash is not glamour.

408
00:21:19,240 --> 00:21:22,000
It is a handshake with no sight.

409
00:21:22,000 --> 00:21:23,280
Only weight.

410
00:21:23,280 --> 00:21:25,400
Lab echo, low chime.

411
00:21:25,400 --> 00:21:31,960
4624: local logon as Administrator on WS-FIN114.

412
00:21:31,960 --> 00:21:32,960
Bass pulse.

413
00:21:32,960 --> 00:21:35,160
Sysmon 10 absent.

414
00:21:35,160 --> 00:21:36,960
Restricted admin disabled.

415
00:21:36,960 --> 00:21:39,680
And the corridor opens.

416
00:21:39,680 --> 00:21:45,840
On a second host in accounting, remote UAC is disabled by an old GPO that valued scripts

417
00:21:45,840 --> 00:21:46,840
over safety.

418
00:21:46,840 --> 00:21:49,920
The intruder presents the administrator hash over SMB.

419
00:21:49,920 --> 00:21:51,160
No password is revealed.

420
00:21:51,160 --> 00:21:53,720
The target cannot tell the difference.

421
00:21:53,720 --> 00:21:55,040
Admin$ opens.

422
00:21:55,040 --> 00:21:57,760
A service is created with a quiet name.

423
00:21:57,760 --> 00:21:59,720
A payload runs as SYSTEM.

424
00:21:59,720 --> 00:22:01,000
Two stars align.

425
00:22:01,000 --> 00:22:02,600
The chain does not stop.

426
00:22:02,600 --> 00:22:08,240
A file server in the same subnet, built from the same image, carries the same local admin

427
00:22:08,240 --> 00:22:09,480
secret.

428
00:22:09,480 --> 00:22:11,440
The intruder repeats the handshake.

429
00:22:11,440 --> 00:22:12,440
C$.

430
00:22:12,440 --> 00:22:13,440
Then a service.

431
00:22:13,440 --> 00:22:14,440
Then a shell.

432
00:22:14,440 --> 00:22:19,880
On the file server they find a maintenance script that includes a network credential for a service

433
00:22:19,880 --> 00:22:22,800
account with local admin on three app servers.

434
00:22:22,800 --> 00:22:24,880
The gravity increases.

435
00:22:24,880 --> 00:22:31,920
What began as a shared local admin becomes a skeleton key that leaps tiers.

436
00:22:31,920 --> 00:22:34,000
Lab echo, low chime.

437
00:22:34,000 --> 00:22:41,080
Event 7045: new service 'system telemetry host' on FS-FIN02.

438
00:22:41,080 --> 00:22:42,560
Bass pulse.

439
00:22:42,560 --> 00:22:50,640
Event 4624 type 3 from WS-FIN114 to FS-FIN02.

440
00:22:50,640 --> 00:22:52,160
Account administrator.

441
00:22:52,160 --> 00:22:57,720
The constellation straightens into a line. On AppLager, the same pattern holds.

442
00:22:57,720 --> 00:23:02,040
Local administrator reuse persists, defended by folklore:

443
00:23:02,040 --> 00:23:04,040
"We need a common break glass."

444
00:23:04,040 --> 00:23:06,040
The intruder rides the hash across.

445
00:23:06,040 --> 00:23:10,560
With local SYSTEM, they extract a cached credential for a deployment tool that holds

446
00:23:10,560 --> 00:23:12,560
rights on a management server.

447
00:23:12,560 --> 00:23:18,600
A short hop later, they sit near tier one controls, one more reuse, one more handshake,

448
00:23:18,600 --> 00:23:22,560
and they gain local admin on a jump host that touches backups.

449
00:23:22,560 --> 00:23:24,000
Drift becomes collapse.

450
00:23:24,000 --> 00:23:25,520
The fix is not a sermon.

451
00:23:25,520 --> 00:23:27,280
It is LAPS.

452
00:23:27,280 --> 00:23:33,800
Local Administrator Password Solution turns the same name into unique gravity per host.

453
00:23:33,800 --> 00:23:36,480
Each machine holds a different secret.

454
00:23:36,480 --> 00:23:43,560
The directory stores it in a shielded attribute readable only by a small, audited group.

455
00:23:43,560 --> 00:23:44,560
Rotation is heartbeat.

456
00:23:44,560 --> 00:23:46,040
Every rotation breaks the line.

457
00:23:46,040 --> 00:23:50,120
A captured hash does not travel because no two stars share the same mass.

458
00:23:50,120 --> 00:23:52,280
We enforce remote UAC.

459
00:23:52,280 --> 00:23:57,200
When a local admin from a remote machine attempts to touch Admin$, the system strips

460
00:23:57,200 --> 00:24:02,680
the elevated token unless the caller presents a domain credential in the local Administrators

461
00:24:02,680 --> 00:24:03,680
group.

462
00:24:03,680 --> 00:24:05,240
Silent privilege does not cross the room.

463
00:24:05,240 --> 00:24:08,880
We pair with SMB signing so relays cannot impersonate proximity.

464
00:24:08,880 --> 00:24:14,480
We enable Restricted Admin or Remote Credential Guard for RDP from PAWs, so administrative

465
00:24:14,480 --> 00:24:17,320
secrets do not land on destinations.

466
00:24:17,320 --> 00:24:18,680
And we end the habit.

467
00:24:18,680 --> 00:24:21,680
No local administrator logons from tier two.

468
00:24:21,680 --> 00:24:22,680
Ever.

469
00:24:22,680 --> 00:24:24,680
We change images at the source.

470
00:24:24,680 --> 00:24:27,320
Gold builds no longer bake a shared secret.

471
00:24:27,320 --> 00:24:28,880
Sysprep completes.

472
00:24:28,880 --> 00:24:33,520
LAPS initializes on first boot; rotation begins before the host joins production.

473
00:24:33,520 --> 00:24:39,280
GPO denies local administrator network logon on servers unless the caller is a break

474
00:24:39,280 --> 00:24:43,640
glass identity from tier 0 used through a jump host with recording.

475
00:24:43,640 --> 00:24:47,120
We remove the local IT admins group from images.

476
00:24:47,120 --> 00:24:52,760
We assign rights by policy to named domain groups scoped by OU.

477
00:24:52,760 --> 00:24:55,360
Detection hears the chain as rhythm.

478
00:24:55,360 --> 00:24:57,360
4624.

479
00:24:57,360 --> 00:25:03,480
Type 3 from workstations into servers by Administrator is a page, not a report.

480
00:25:03,480 --> 00:25:07,760
7045 new services in non-change windows are glass shattering.

481
00:25:07,760 --> 00:25:11,400
Sysmon 3 shows SMB beams from unusual subnets.

482
00:25:11,400 --> 00:25:16,440
Correlate 4624 type 3 with 7045 within minutes.

483
00:25:16,440 --> 00:25:23,720
Add 4697, if available, for service installs; include 4672 if privilege appears where it should

484
00:25:23,720 --> 00:25:24,720
not.

485
00:25:24,720 --> 00:25:27,600
Tag hosts by LAPS status.

486
00:25:27,600 --> 00:25:34,080
If a host without LAPS generates Admin$ connections into many peers, the SIEM declares

487
00:25:34,080 --> 00:25:35,080
drift.

488
00:25:35,080 --> 00:25:39,160
We plan the break: rolling out LAPS in a living enterprise is surgery.

489
00:25:39,160 --> 00:25:41,120
We inventory local admin presence.

490
00:25:41,120 --> 00:25:43,200
We test with a pilot OU.

491
00:25:43,200 --> 00:25:45,200
We train the help desk.

492
00:25:45,200 --> 00:25:48,840
Retrieve LAPS passwords through a delegated tool.

493
00:25:48,840 --> 00:25:52,040
Log the access and never copy into tickets.

494
00:25:52,040 --> 00:25:55,040
We schedule rotation after installation.

495
00:25:55,040 --> 00:25:58,120
We audit who can read the attribute and tighten it to the minimum.

496
00:25:58,120 --> 00:26:01,880
We set a policy that LAPS is a condition of network membership.

497
00:26:01,880 --> 00:26:03,680
Non-compliant hosts are quarantined.

498
00:26:03,680 --> 00:26:05,960
We retire myths.

499
00:26:05,960 --> 00:26:11,760
"We need the same admin everywhere for emergencies" becomes "we need JIT rights to the one host in

500
00:26:11,760 --> 00:26:12,760
trouble."

501
00:26:12,760 --> 00:26:19,920
PAM grants a time-boxed local admin on a single machine, then automatically revokes.

502
00:26:19,920 --> 00:26:23,320
"We need to push a script across all servers" becomes:

503
00:26:23,320 --> 00:26:27,440
"We use a management plane with authenticated agents and certificates."

504
00:26:27,440 --> 00:26:29,600
The story we tell ourselves changes.

505
00:26:29,600 --> 00:26:31,240
The physics does not.

506
00:26:31,240 --> 00:26:32,480
Lab echo.

507
00:26:32,480 --> 00:26:34,360
Low chime.

508
00:26:34,360 --> 00:26:36,480
LAPS rotation.

509
00:26:36,480 --> 00:26:39,760
WS-FIN114.

510
00:26:39,760 --> 00:26:42,760
New password set.

511
00:26:42,760 --> 00:26:45,520
Bass pulse softens.

512
00:26:45,520 --> 00:26:48,120
Remote UAC enforced.

513
00:26:48,120 --> 00:26:53,680
Admin$ denied for local administrator from workstation subnet.

514
00:26:53,680 --> 00:26:56,520
The line of stars breaks into islands.

515
00:26:56,520 --> 00:26:58,240
The observer speaks.

516
00:26:58,240 --> 00:26:59,640
I am the corridor.

517
00:26:59,640 --> 00:27:01,880
I narrowed when you made every door unique.

518
00:27:01,880 --> 00:27:04,880
I resisted when you taught tokens not to travel.

519
00:27:04,880 --> 00:27:06,560
I did not need to be clever.

520
00:27:06,560 --> 00:27:08,520
I needed to refuse sameness.

521
00:27:08,520 --> 00:27:11,880
Pass the hash is gravity exploiting repetition.

522
00:27:11,880 --> 00:27:12,880
End the repetition.

523
00:27:12,880 --> 00:27:14,400
Make each mass its own.

524
00:27:14,400 --> 00:27:19,520
The chain falls apart because it cannot find the next identical door.

525
00:27:19,520 --> 00:27:20,920
Disabled SMB signing.

526
00:27:20,920 --> 00:27:22,120
NTLM relay.

527
00:27:22,120 --> 00:27:24,240
There is an old current moving under modern names.

528
00:27:24,240 --> 00:27:25,640
It is called NTLM.

529
00:27:25,640 --> 00:27:30,760
When SMB signing sleeps, that current becomes a river that carries lies.

530
00:27:30,760 --> 00:27:32,320
It begins as convenience.

531
00:27:32,320 --> 00:27:36,000
A print server built years ago still runs the spooler.

532
00:27:36,000 --> 00:27:41,880
File servers accept connections from everywhere because users need shares.

533
00:27:41,880 --> 00:27:46,080
Somewhere, a GPO meant to enforce SMB signing drifted.

534
00:27:46,080 --> 00:27:49,680
On clients, RequireSecuritySignature is not configured.

535
00:27:49,680 --> 00:27:54,600
On servers, EnableSecuritySignature is set but Require is not. Negotiation

536
00:27:54,600 --> 00:27:57,000
becomes hope; hope is not gravity.

537
00:27:57,000 --> 00:28:03,720
At 10:32, an attacker sitting inside the workstation tier watches name resolution and authentication

538
00:28:03,720 --> 00:28:05,440
flow like tides.

539
00:28:05,440 --> 00:28:09,440
They cannot see passwords, but they can shape paths.

540
00:28:09,440 --> 00:28:15,160
The coercion is ancient: a print notification request, a spool sample callback, an HTTP

541
00:28:15,160 --> 00:28:21,600
401 with Negotiate NTLM dangling like bait, an LLMNR whisper that says, "I know that

542
00:28:21,600 --> 00:28:22,400
name."

543
00:28:22,400 --> 00:28:27,280
The target answers because legacy speaks softly and people are busy.

544
00:28:27,280 --> 00:28:30,240
The relay works because proximity is faked.

545
00:28:30,240 --> 00:28:32,520
The attacker does not need to know the secret.

546
00:28:32,520 --> 00:28:36,400
They only need the server to trust the weight of a challenge response.

547
00:28:36,400 --> 00:28:41,760
Without SMB signing, the file server cannot tell whether the caller is at the door or behind

548
00:28:41,760 --> 00:28:43,440
a mask.

549
00:28:43,440 --> 00:28:49,560
The message arrives, the signature is absent, the server shrugs and accepts. Physics

550
00:28:49,560 --> 00:29:00,840
without integrity accepts whatever has mass. Lab echo, low chime. Event 4776, NTLM authentication

551
00:29:00,840 --> 00:29:07,680
from WS-MKT217 to FS-OPS03.

552
00:29:07,680 --> 00:29:16,920
Bass pulse. Sysmon 3: SMB connection from 10.42, 651 to FS-OPS03, unsigned.

553
00:29:16,920 --> 00:29:18,240
The orbit tilts.

554
00:29:18,240 --> 00:29:25,600
On FS-OPS03, the attacker relays the workstation's NTLM handshake and lands as that user, or, when

555
00:29:25,600 --> 00:29:31,440
fortune is cruel, as a helpdesk account with local admin rights that once mapped drives

556
00:29:31,440 --> 00:29:32,840
for a script.

557
00:29:32,840 --> 00:29:34,960
They do not log on interactively.

558
00:29:34,960 --> 00:29:36,240
They do not crack a hash.

559
00:29:36,240 --> 00:29:40,680
They create a service with a name that blends: 'system update host'.

560
00:29:40,680 --> 00:29:46,440
It starts as SYSTEM, writes a payload to C:\ProgramData\Diagnostics and calls home.

561
00:29:46,440 --> 00:29:48,360
One hop becomes a foothold.

562
00:29:48,360 --> 00:29:51,240
From there the river flows into deeper channels.

563
00:29:51,240 --> 00:29:56,400
The file server connects to a management share on APP-DEPLOY with a scheduled task that

564
00:29:56,400 --> 00:29:57,640
runs every hour.

565
00:29:57,640 --> 00:30:01,800
The attacker relays again, this time using the file server's machine account because in

566
00:30:01,800 --> 00:30:04,160
some places that identity holds keys.

567
00:30:04,160 --> 00:30:06,160
SMB signing is absent there too.

568
00:30:06,160 --> 00:30:11,520
With machine trust, they write a DLL into a path the deployment tool loads at start-up.

569
00:30:11,520 --> 00:30:13,400
On the hour, the tool obliges.

570
00:30:13,400 --> 00:30:17,680
The mask now speaks in the management tier's voice.

571
00:30:17,680 --> 00:30:21,440
Lab echo.

572
00:30:21,440 --> 00:30:28,920
Event 7045: new service 'system update host' on FS-OPS03.

573
00:30:28,920 --> 00:30:36,800
Soft tick. Sysmon 11: file created, ProgramData\Diagnostics, svc Glyn. Bass pulse,

574
00:30:36,800 --> 00:30:46,160
Event 4776 cluster: FS-OPS03, APP-DEPLOY, unsigned SMB.

575
00:30:46,160 --> 00:30:49,080
The control is simple and absolute.

576
00:30:49,080 --> 00:30:50,840
SMB signing.

577
00:30:50,840 --> 00:30:54,400
When enforced, the server demands integrity for each message.

578
00:30:54,400 --> 00:30:58,440
Every packet carries a signature derived from the session key.

579
00:30:58,440 --> 00:31:01,040
Relayed messages lose their costume.

580
00:31:01,040 --> 00:31:05,000
They cannot forge the signature without the shared truth.

581
00:31:05,000 --> 00:31:06,880
Negotiation no longer accepts charm.

582
00:31:06,880 --> 00:31:07,880
It asks for proof.

583
00:31:07,880 --> 00:31:09,480
We set policy, not hope.

584
00:31:09,480 --> 00:31:14,040
On domain controllers and servers, RequireSecuritySignature is enabled.

585
00:31:14,040 --> 00:31:19,280
On clients, Enable is enabled; Require is preferred where compatibility allows.

586
00:31:19,280 --> 00:31:21,560
We audit for exceptions and eliminate them.

587
00:31:21,560 --> 00:31:25,680
The print spooler on servers turns off unless the server prints.

588
00:31:25,680 --> 00:31:28,600
On domain controllers, it stays off.

589
00:31:28,600 --> 00:31:29,600
Always.

590
00:31:29,600 --> 00:31:35,120
LDAP channel binding becomes law, to block relays via LDAPS and IIS.

591
00:31:35,120 --> 00:31:42,520
LLMNR and NetBIOS name resolution are disabled on workstations because ghosts answer when

592
00:31:42,520 --> 00:31:48,480
those radios hum. We seal the doors attackers coax: file services deny NTLM where Kerberos

593
00:31:48,480 --> 00:31:49,840
exists.

594
00:31:49,840 --> 00:31:52,080
SMBv1 is gone.

595
00:31:52,080 --> 00:31:54,080
NTLMv1 is gone.

596
00:31:54,080 --> 00:31:59,560
NTLM auditing runs hot for months to map the caves; then we close them.

597
00:31:59,560 --> 00:32:05,000
HTTP services behind load balancers prefer Negotiate with Kerberos and enforce SPNs that are

598
00:32:05,000 --> 00:32:06,360
correct and singular.

599
00:32:06,360 --> 00:32:12,480
When NTLM must survive for a fossil application, we put it behind glass: isolated VLAN,

600
00:32:12,480 --> 00:32:18,640
firewall allow list, a proxy that performs modern auth at the edge, logging that sings.

601
00:32:18,640 --> 00:32:21,960
Detection here is relay as a pattern, not a scream.

602
00:32:21,960 --> 00:32:26,240
4776 from servers that normally speak Kerberos becomes a page.

603
00:32:26,240 --> 00:32:33,680
4624 type 3 logons by machine accounts into peers are tides we measure: rare and explicit.

604
00:32:33,680 --> 00:32:37,080
Sysmon 3 marks unsigned SMB sessions.

605
00:32:37,080 --> 00:32:43,160
We alert on any unsigned session into servers labeled tier 1 or tier 0.

606
00:32:43,160 --> 00:32:47,160
Event 7045 on a file server during business hours is a siren.

607
00:32:47,160 --> 00:32:57,400
The SIEM correlates 4776 on a server plus Sysmon 3 unsigned SMB plus 7045 within 5 minutes

608
00:32:57,400 --> 00:33:00,040
equals relay in progress.

609
00:33:00,040 --> 00:33:03,160
We quarantine the destination and block the source.

610
00:33:03,160 --> 00:33:05,840
We do not hunt the fish, we cut the river.

611
00:33:05,840 --> 00:33:08,240
We practice the fix before the flood.

612
00:33:08,240 --> 00:33:11,720
We stage signing enforcement in a lab with old clients.

613
00:33:11,720 --> 00:33:13,760
We list vendors who will complain.

614
00:33:13,760 --> 00:33:15,840
We replace what breaks or coordinate.

615
00:33:15,840 --> 00:33:17,320
We communicate dates.

616
00:33:17,320 --> 00:33:23,160
We push GPOs in rings, measuring unsigned session counts until they reach zero.

617
00:33:23,160 --> 00:33:28,920
We validate with packet captures and Defender XDR signals that label NTLM traffic.

618
00:33:28,920 --> 00:33:32,720
When exceptions remain, leadership signs the risk with a sunset.

619
00:33:32,720 --> 00:33:34,560
Lab echo, low chime.

620
00:33:34,560 --> 00:33:38,280
SMB signing enforced domain-wide.

621
00:33:38,280 --> 00:33:40,320
Bass pulse softens.

622
00:33:40,320 --> 00:33:46,480
Unsigned sessions on tier 1, on tier 0: 4776 falls to baseline.

623
00:33:46,480 --> 00:33:49,360
The observer speaks, I am the transport.

624
00:33:49,360 --> 00:33:53,240
When you demand signatures, I can tell who truly stands at the door.

625
00:33:53,240 --> 00:33:58,960
When you silence the radios that answer to anyone, I stop mistaking echoes for voices.

626
00:33:58,960 --> 00:34:03,200
NTLM relay is the art of pretending to be near.

627
00:34:03,200 --> 00:34:06,440
Integrity tells the truth you are far.

628
00:34:06,440 --> 00:34:13,920
The river dries, the orbit steadies. LSASS unprotected: rapid harvest.

629
00:34:13,920 --> 00:34:16,200
There is a room where identity sleeps.

630
00:34:16,200 --> 00:34:19,720
It is small, it is bright, it is called LSASS.

631
00:34:19,720 --> 00:34:22,320
On most days it is guarded by ceremony.

632
00:34:22,320 --> 00:34:25,200
RunAsPPL, Credential Guard.

633
00:34:25,200 --> 00:34:28,200
EDR hooks that watch every hand that reaches.

634
00:34:28,200 --> 00:34:34,800
But where those rites do not hold, LSASS becomes a bowl and secrets condense on its surface

635
00:34:34,800 --> 00:34:36,520
like dew.

636
00:34:36,520 --> 00:34:42,080
At 07:41, a help desk session ends on WS-OPS219.

637
00:34:42,080 --> 00:34:45,840
Nothing looks wrong, a ticket closed, a shortcut pinned.

638
00:34:45,840 --> 00:34:47,760
In memory, tokens linger.

639
00:34:47,760 --> 00:34:50,840
Clear text for processes that negotiated.

640
00:34:50,840 --> 00:34:54,520
NT hashes for old dialects that still speak.

641
00:34:54,520 --> 00:34:57,360
Kerberos tickets for services that hum.

642
00:34:57,360 --> 00:35:00,440
The operating system will reclaim the space when it can.

643
00:35:00,440 --> 00:35:02,400
The attacker will not give it time.

644
00:35:02,400 --> 00:35:05,720
They arrive the night before through a macro that did not know better.

645
00:35:05,720 --> 00:35:09,680
No admin rights, no exploits, just presence.

646
00:35:09,680 --> 00:35:12,720
They wait for gravity to pull a credential into reach.

647
00:35:12,720 --> 00:35:15,960
The help desk tech logs on locally to fix a printer driver.

648
00:35:15,960 --> 00:35:19,880
They run a signed vendor tool that touches devices through WMI.

649
00:35:19,880 --> 00:35:22,360
The session is brief, the effect is not.

650
00:35:22,360 --> 00:35:30,360
Lab echo, low chime. Sysmon 1: winword.exe, vendorconfig.exe, lineage ended.

651
00:35:30,360 --> 00:35:31,360
Soft tick.

652
00:35:31,360 --> 00:35:34,200
No event: LSA protection absent.

653
00:35:34,200 --> 00:35:36,840
The door is wood, not steel.

654
00:35:36,840 --> 00:35:40,800
At 07:44, the intruder asks the kernel for a handhold.

655
00:35:40,800 --> 00:35:47,120
Without LSA protection, LSASS permits a process with SeDebugPrivilege, or a way to gain

656
00:35:47,120 --> 00:35:50,360
it through a vulnerable driver, to open a handle and read.

657
00:35:50,360 --> 00:35:51,720
The attacker is careful.

658
00:35:51,720 --> 00:35:53,200
They load no crude tools.

659
00:35:53,200 --> 00:35:55,400
They call the documented APIs.

660
00:35:55,400 --> 00:35:59,840
MiniDumpWriteDump whispers a file into a temp path with a boring name.

661
00:35:59,840 --> 00:36:02,760
Three seconds, 50 megabytes, a decade of drift.

662
00:36:02,760 --> 00:36:03,960
Lab echo.

663
00:36:03,960 --> 00:36:05,320
Bass pulse.

664
00:36:05,320 --> 00:36:11,440
Sysmon 10: lsass.exe handle opened by signed but unusual process.

665
00:36:11,440 --> 00:36:12,440
Low chime.

666
00:36:12,440 --> 00:36:17,840
Sysmon 11: file created, C:\Users\Public\Documents\diag.

667
00:36:17,840 --> 00:36:20,000
The telescope tightens focus.

668
00:36:20,000 --> 00:36:21,400
They leave with the harvest.

669
00:36:21,400 --> 00:36:26,200
Offline, under a different sky, secrets will separate.

670
00:36:26,200 --> 00:36:29,680
DPAPI blobs decrypted with machine keys.

671
00:36:29,680 --> 00:36:35,880
Kerberos tickets written back into memory on a staging host for lateral beams, NT hashes

672
00:36:35,880 --> 00:36:40,680
for local accounts that still use the same secret as their neighbors.

673
00:36:40,680 --> 00:36:42,480
Most of the time this takes minutes.

674
00:36:42,480 --> 00:36:44,040
Today it takes less.

675
00:36:44,040 --> 00:36:50,000
On WS-OPS219, the local administrator account still exists for emergency use.

676
00:36:50,000 --> 00:36:52,320
LAPS is planned but not deployed.

677
00:36:52,320 --> 00:36:55,520
The hash in the dump matches 100 sisters.

678
00:36:55,520 --> 00:36:58,760
Pass the hash waits like an elevator with its door open.

679
00:36:58,760 --> 00:37:00,120
The attacker steps in.

680
00:37:00,120 --> 00:37:02,960
Admin$ on APP-OPS02 yields.

681
00:37:02,960 --> 00:37:06,560
A service appears, runs once and vanishes.

682
00:37:06,560 --> 00:37:08,520
A second dump lands.

683
00:37:08,520 --> 00:37:12,040
This time from a server that talks to management.

684
00:37:12,040 --> 00:37:13,040
Momentum grows.

685
00:37:13,040 --> 00:37:19,920
On APP-OPS02, Restricted Admin for RDP is disabled and Remote Credential Guard is unknown.

686
00:37:19,920 --> 00:37:22,160
An admin once solved a problem from tier 2.

687
00:37:22,160 --> 00:37:24,520
Their domain token slept in LSASS.

688
00:37:24,520 --> 00:37:27,160
The dump reveals a TGT warm enough to carry.

689
00:37:27,160 --> 00:37:31,320
CIFS on MGMT-TASK01 accepts a ticket that claims authority.

690
00:37:31,320 --> 00:37:38,160
A scheduled task is edited to run a benign looking binary with a 30 second delay every hour.

691
00:37:38,160 --> 00:37:39,440
Persistence as a heartbeat.

692
00:37:39,440 --> 00:37:41,560
This is what rapid harvest means.

693
00:37:41,560 --> 00:37:42,560
Not drama.

694
00:37:42,560 --> 00:37:43,840
Accumulation.

695
00:37:43,840 --> 00:37:45,240
One room unguarded.

696
00:37:45,240 --> 00:37:46,480
One handle granted.

697
00:37:46,480 --> 00:37:48,000
One dump copied.

698
00:37:48,000 --> 00:37:50,760
And gravity draws the line toward tier 1.

699
00:37:50,760 --> 00:37:53,560
Defense is not a single switch, but the switches exist.

700
00:37:53,560 --> 00:37:54,880
LSA protection.

701
00:37:54,880 --> 00:37:56,200
RunAsPPL.

702
00:37:56,200 --> 00:37:57,680
Raises the walls.

703
00:37:57,680 --> 00:38:00,920
LSASS stops speaking to unsigned strangers.

704
00:38:00,920 --> 00:38:06,000
Even administrators cannot open its handle without a kernel-mode partner that is trusted.

705
00:38:06,000 --> 00:38:10,720
Credential Guard moves secrets out of ordinary memory into an isolated chamber.

706
00:38:10,720 --> 00:38:13,280
The attacker cannot touch from user mode.

707
00:38:13,280 --> 00:38:15,720
The bowl remains but the dew does not form.

708
00:38:15,720 --> 00:38:17,960
We enforce them where mass is heavy.

709
00:38:17,960 --> 00:38:24,200
On domain controllers, on PAWs, on servers that hold schedules and keys, RunAsPPL is

710
00:38:24,200 --> 00:38:25,360
law.

711
00:38:25,360 --> 00:38:28,760
On workstations, Credential Guard rides standard images.

712
00:38:28,760 --> 00:38:31,640
WDigest stays disabled.

713
00:38:31,640 --> 00:38:34,000
Debug privileges are rare.

714
00:38:34,000 --> 00:38:37,600
SeDebugPrivilege does not belong to IT helpers.

715
00:38:37,600 --> 00:38:43,360
We refuse vendor drivers that expose read write primitives into kernel space.

716
00:38:43,360 --> 00:38:48,600
A driver that turns memory into glass is a violation, not a convenience.

717
00:38:48,600 --> 00:38:50,560
We end the need to peek.

718
00:38:50,560 --> 00:38:51,560
Admins use PAWs.

719
00:38:51,560 --> 00:38:54,280
They do not RDP from tier 2.

720
00:38:54,280 --> 00:38:56,720
They administer with Remote Credential Guard.

721
00:38:56,720 --> 00:38:59,720
So secrets do not land on destinations.

722
00:38:59,720 --> 00:39:04,800
They do not browse, check mail or install plugins where they touch identity.

723
00:39:04,800 --> 00:39:08,440
They accept friction today so gravity holds tomorrow.

724
00:39:08,440 --> 00:39:10,560
We deploy LAPS everywhere.

725
00:39:10,560 --> 00:39:16,080
A dump that exposes a local administrator hash does not travel because its siblings no longer

726
00:39:16,080 --> 00:39:17,400
share mass.

727
00:39:17,400 --> 00:39:24,640
We pair with remote UAC so local admin tokens do not bring silent elevation across SMB.

728
00:39:24,640 --> 00:39:27,000
Pass the hash meets a locked door.

729
00:39:27,000 --> 00:39:29,840
Detection listens for the reach, not just the spill.

730
00:39:29,840 --> 00:39:36,240
Sysmon event 10 on LSASS paired with process ancestry that does not match EDR lineages or

731
00:39:36,240 --> 00:39:39,160
known backup agents is a page.

732
00:39:39,160 --> 00:39:44,920
Event 11 for files in public or temp with dump signatures is more than interesting.

733
00:39:44,920 --> 00:39:50,800
Combine with firewall logs that show Admin$ connections minutes later or with 7045

734
00:39:50,800 --> 00:39:52,680
for single shot services.

735
00:39:52,680 --> 00:39:56,920
And the SIEM sings a chord called "harvest in progress".

736
00:39:56,920 --> 00:39:58,800
We harden in layers.

737
00:39:58,800 --> 00:40:05,120
AppLocker or WDAC on PAWs and tier 0 servers limits who may touch LSASS at all.

738
00:40:05,120 --> 00:40:10,640
We sign known tools permitted on workstations. Process access auditing is tuned: success on

739
00:40:10,640 --> 00:40:15,920
lsass.exe emits events; failure helps baseline.

740
00:40:15,920 --> 00:40:22,480
We feed XDR with labels: credential theft likelihood plus host cohort equals action.

741
00:40:22,480 --> 00:40:27,400
A high score on a legacy host with no PPL triggers quarantine over caution.

742
00:40:27,400 --> 00:40:29,960
We practice the counter play.

743
00:40:29,960 --> 00:40:36,520
If we suspect a dump, we evict rapidly: isolate the source, rotate LAPS on it and its neighbors,

744
00:40:36,520 --> 00:40:43,600
invalidate Kerberos on touched hosts, review 4769 patterns for SPNs accessed post-event, and

745
00:40:43,600 --> 00:40:48,360
inspect scheduled tasks and services created within 5 minutes of the dump.

746
00:40:48,360 --> 00:40:53,880
If the chain touched tier 1, we rebuild rather than cleanse; time spent scrubbing memory is

747
00:40:53,880 --> 00:40:59,080
time secrets reshape elsewhere. Lab echo, low chime.

748
00:40:59,080 --> 00:41:06,520
RunAsPPL enforced on tier 0 and tier 1. Soft tick. Credential Guard enabled on workstations,

749
00:41:06,520 --> 00:41:14,880
WDigest disabled. Bass pulse recedes. Sysmon 10 tuned: LSASS access by unknown lineage equals

750
00:41:14,880 --> 00:41:15,960
page.

751
00:41:15,960 --> 00:41:20,960
The observer speaks. I am the small bright room. When you raised my walls, I kept the

752
00:41:20,960 --> 00:41:26,360
dew from forming. When you moved the water elsewhere, the bowl stayed dry. I am not a vault; I am a

753
00:41:26,360 --> 00:41:33,320
vessel. Treat me like one and the harvest slows to a whisper. SYSVOL GPP passwords: instant

754
00:41:33,320 --> 00:41:38,960
escalation. There is a library that everyone can read. It is called SYSVOL. Inside it, Group

755
00:41:38,960 --> 00:41:45,040
Policy Preferences once wrote convenience as scripture: XML files that carried settings

756
00:41:45,040 --> 00:41:51,760
for drives, services, scheduled tasks, each a stanza of order. For a time they also carried passwords,

757
00:41:51,760 --> 00:41:57,520
not hashes, not tickets, passwords, encrypted with a key Microsoft published so that administrators

758
00:41:57,520 --> 00:42:02,720
could recover what they had written. Convenience mistook obscurity for gravity. The key was not

759
00:42:02,720 --> 00:42:08,720
a secret the moment it met the world; it never would be again. At 11:02, an intruder with

760
00:42:08,720 --> 00:42:15,160
nothing more than user rights opens a share every workstation can reach: \\domain.tld\

761
00:42:15,160 --> 00:42:20,640
SYSVOL. They do not pry; they browse. Under Policies they follow GUIDs like constellations.

762
00:42:20,640 --> 00:42:28,000
In Preferences they find Group Policy Preferences payloads: scheduled tasks and services and drives,

763
00:42:28,000 --> 00:42:37,360
quiet XML: Groups.xml, Services.xml, ScheduledTasks.xml. Each line is a whisper. In the

764
00:42:37,360 --> 00:42:45,360
cpassword attribute, a string, base64, calm, waiting. The schema tags it as allowed. cpassword is

765
00:42:45,360 --> 00:42:56,760
the credential. Lab echo, low chime. File read: Groups.xml from SYSVOL by user, WS-MKT217,

766
00:42:56,760 --> 00:43:04,080
jly. Soft tick. cpassword present. Bass pulse. Known AES key loaded. The decryption is not an exploit,

767
00:43:04,080 --> 00:43:11,760
it is arithmetic. The published AES key unwraps the cpassword into clear text in a breath:

768
00:43:11,760 --> 00:43:17,120
administrator passwords that were meant to map drives on first boot a service account secret

769
00:43:17,120 --> 00:43:24,320
from 2012 that joined machines to the domain a local admin reset used by deployment wave one

770
00:43:24,320 --> 00:43:31,440
file gives three doors one door leads to tier one the intruder tests gently with the recovered

771
00:43:31,440 --> 00:43:37,280
service account they authenticate to a management share on a p build 01 it accepts the weight the

772
00:43:37,280 --> 00:43:45,520
account owns log on as a service on half the build farm on a pp build 01 a script repository holds

773
00:43:45,520 --> 00:43:52,240
signing certificates for internal tools private keys stored alongside public ones for convenience

774
00:43:52,240 --> 00:44:02,640
the line bends on mgmt task 01 the same password appears again in another xml the account is a member

775
00:44:02,640 --> 00:44:09,120
of local admins app servers a domain group that grants local admin widely the intruder does

776
00:44:09,120 --> 00:44:14,320
not need to guess they step through admin dolls create a transient service and capture a memory

777
00:44:14,320 --> 00:44:19,520
fragment that contains a curboros ticket for a deployment orchestrator that orchestrator touches

778
00:44:19,520 --> 00:44:26,560
servers with rights the original xml author never imagined this is why we call it instant escalation

779
00:44:26,560 --> 00:44:34,400
no zero day no brute force the forest published its secrets in the one place every citizen must be

780
00:44:34,400 --> 00:44:39,680
allowed to read the encryption key was never a key it was a handshake guide defense is an act of

781
00:44:39,680 --> 00:44:47,200
contrition and removal we do not trust that the old xml's were cleaned we searched sysvol with purpose

782
00:44:47,200 --> 00:44:54,320
we scan every policy folder for cps word across preferences drives scheduled tasks services data

783
00:44:54,320 --> 00:45:00,320
sources printers local users and groups we do not stop at one we collect every hit for each we

784
00:45:00,320 --> 00:45:07,920
identify the principle whose password was entombed then we rotate not tomorrow now passwords become

785
00:45:07,920 --> 00:45:13,520
long random and different from anything they ever were where feasible we retire the accounts

786
00:45:13,520 --> 00:45:20,240
entirely and replace with gms a so no human password exists to leak again we delete the xml's but

787
00:45:20,240 --> 00:45:26,560
we do not trust deletion alone versioning and dfsr may echo old files other domain controllers

788
00:45:26,560 --> 00:45:33,040
may still replicate ghosts we force a cleanup that propagates we confirm with hashes of sysvol

789
00:45:33,040 --> 00:45:40,560
folders across dcs we purge client side caches where gpp applied and we rewrite the policies in a safe

790
00:45:40,560 --> 00:45:47,200
dialect use group policy restricted groups or group policy preferences without passwords for

791
00:45:47,200 --> 00:45:54,240
local group membership use laps to manage local administrator secrets use scheduled tasks that run

792
00:45:54,240 --> 00:46:01,680
a system not as a named account carrying a secret in plaintext we change culture the temptation to

793
00:46:01,680 --> 00:46:09,920
just place a helpful password here is named and refused cab reviews any gpp touching local users

794
00:46:09,920 --> 00:46:17,760
and groups a checklist asks does this reference cpass word if yes deny if a vendor demands it the

795
00:46:17,760 --> 00:46:24,800
answer is isolation or redesign not exception we teach admins that sysvol is a bulletin board on

796
00:46:24,800 --> 00:46:32,240
a street not a safe detection turns quiet files into sirens we forward fsrm or file integrity events

797
00:46:32,240 --> 00:46:38,240
from domain controllers when xml's in preferences change appear or carry the cpass word string

798
00:46:38,240 --> 00:46:46,800
we pass sysvol on a schedule and flag reintroductions in the cm we correlate a read of groups xml from a

799
00:46:46,800 --> 00:46:56,480
workstation followed by four six and 24 logons using newly recovered identities 7 do 45 new services

800
00:46:56,480 --> 00:47:01,360
on servers within minutes the court means someone found the library and read the wrong page

801
00:47:01,360 --> 00:47:07,600
we stage a drill in the lab we see the harmless cpass word and watch our sensor scream

802
00:47:08,160 --> 00:47:15,760
we practice rotating the implicated account purging xml's verifying dfsr health and confirming that

803
00:47:15,760 --> 00:47:23,440
no clients retrieve the secret again we measure time from find to fix we edit the runbook we repeat

804
00:47:23,440 --> 00:47:32,880
quarterly until no one forgets lab echo low chime sysvol scan cpass word not found soft tick local

805
00:47:32,880 --> 00:47:40,480
administrator now lapse managed xml retired base pulse fades service accounts converted to gms a

806
00:47:40,480 --> 00:47:47,280
interactive logon denied the observer speaks i am the library i never hid your secrets i showed them

807
00:47:47,280 --> 00:47:53,680
faithfully to all who could see when you stopped pinning passwords to my walls you removed temptation

808
00:47:53,680 --> 00:48:00,320
for both of us group policy preferences were meant to carry shape not secrets when secrets road

809
00:48:00,320 --> 00:48:06,560
inside them gravity failed quickly and completely remove the cpass words rotate what they revealed

810
00:48:06,560 --> 00:48:12,880
replace human secrets with managed keys then let the library return to what it was a place where

811
00:48:12,880 --> 00:48:19,280
law is posted not where keys are taped under the desk abandoned two way forest trust there is a

812
00:48:19,280 --> 00:48:24,960
bridge no one uses. It floats between galaxies of identity. It is called a two-way forest trust. On

813
00:48:24,960 --> 00:48:31,120
paper it was temporary: a merger project needed migration paths, shared services for 18 months,

814
00:48:31,120 --> 00:48:38,160
a collaboration portal that would die after cutover. The calendar wrote: decommission trust, Q4.

815
00:48:38,160 --> 00:48:45,920
The quarter passed; the bridge remained, time dilated. Administrators moved on, tickets closed, the trust

816
00:48:45,920 --> 00:48:53,360
persisted like a wormhole that forgot its purpose. At 03:47 the observer sighs: I felt the drift when two

817
00:48:53,360 --> 00:48:59,680
universes still whispered to each other. In forest A the domain controllers hum with modern law:

818
00:48:59,680 --> 00:49:06,720
SMB signing enforced, LAPS everywhere, delegation constrained. In forest B laws are older:

819
00:49:06,720 --> 00:49:14,000
NTLM more forgiving, print spoolers awake, legacy service accounts with passwords that age like stone.

820
00:49:14,000 --> 00:49:21,920
The trust stitches them together: transitive, bidirectional, Kerberos aware, and permissive in ways no one

821
00:49:21,920 --> 00:49:28,400
has attested for years. An intruder begins in forest B, low and quiet. A compromised workstation

822
00:49:28,400 --> 00:49:37,840
grants user context. Enumeration follows gravity: LDAP reveals domain admins, SPNs, delegation settings.

823
00:49:37,840 --> 00:49:44,720
They find a service account on an app server, svc_legacy_report, holding local admin on several

824
00:49:44,720 --> 00:49:50,560
management hosts. The account's password never expires because a vendor once demanded mercy.

825
00:49:51,520 --> 00:49:57,760
Memory offers a hash; SMB without channel binding accepts its weight. Lab echo, low chime:

826
00:49:57,760 --> 00:50:05,040
4769 cluster, TGS for cifs/APPMGMTB issued to svc_legacy_report.

827
00:50:05,040 --> 00:50:17,360
Base pulse: Sysmon 3 SMB beams from WSB217 to APPMGMTB, with LOCAL SYSTEM on APPMGMTB.

828
00:50:17,920 --> 00:50:23,840
The intruder looks up and sees the bridge. In Active Directory Domains and Trusts, an entry:

829
00:50:23,840 --> 00:50:32,960
foresta.local, forestb.local, two-way transitive, SID filtering disabled for migration, selective

830
00:50:32,960 --> 00:50:40,560
authentication not configured, ADFS claims present, brittle and forgotten. The wormhole hums.

831
00:50:41,120 --> 00:50:48,800
They ask the KDC in forest B for a referral TGT to forest A. The KDC agrees; trusts are treaties.

832
00:50:48,800 --> 00:50:57,520
A cross realm TGT materializes, wrapped in keys both forests honor. The intruder does not wear a crown;

833
00:50:57,520 --> 00:51:03,360
they wear borrowed light. It is enough. They request a service ticket to CIFS on a shared file server

834
00:51:03,360 --> 00:51:09,120
in forest A that still hosts the collaboration portal storage. The portal died; the file share did not.

835
00:51:09,760 --> 00:51:20,640
Lab echo, low chime: 4769, TGS to cifs/FSA-COLAB from foreign principal. Soft tick: no selective

836
00:51:20,640 --> 00:51:28,400
auth, trust path open. The horizon curves. On FSA-COLAB ACLs carry sediment from long projects:

837
00:51:28,400 --> 00:51:34,800
a domain local group in forest A grants Modify to a shared folder; that group contains a universal

838
00:51:34,800 --> 00:51:42,560
group from forest A which years ago included Authenticated Users from forest B to ease collaboration.

839
00:51:42,560 --> 00:51:50,080
Nested, obscured, effective. The intruder writes a DLL into a startup path for a management tool

840
00:51:50,080 --> 00:51:55,840
still used by a tier one team. At dawn the tool will load it with SYSTEM. The bridge becomes a conveyor,

841
00:51:55,840 --> 00:52:03,280
but they can do more. With the cross realm TGT, and because SID filtering is disabled, SID history

842
00:52:03,280 --> 00:52:09,920
becomes a weapon. An old migration granted several accounts in forest B SID history values

843
00:52:09,920 --> 00:52:17,120
that map to high privilege groups in forest A. The intruder crafts a silver ticket in forest B

844
00:52:17,120 --> 00:52:24,000
for a service in forest A, embedding a SID history claim that impersonates a group with local admin

845
00:52:24,000 --> 00:52:32,880
on APPDEPLOYA. The KDC in forest A accepts, because gravity says the trust is honorable and unfiltered.

846
00:52:32,880 --> 00:52:43,760
Doors open that no living admin remembers unlocking. Lab echo, base pulse: 4768, 4769 cross realm with SID

847
00:52:43,760 --> 00:52:53,840
history claim, target APPDEPLOYA. Low chime: 7045, service telemetry host created on APPDEPLOYA.

848
00:52:53,840 --> 00:53:00,320
The path to domain controllers in forest A is not straight, but now it is downhill.

849
00:53:00,960 --> 00:53:07,840
A management share leads to a scheduled task; a scheduled task leads to a credential cache; a cache

850
00:53:07,840 --> 00:53:14,000
yields a TGT for an operations admin who crossed a boundary last week. The wormhole did not break;

851
00:53:14,000 --> 00:53:20,000
tearing it bent it. Defense is not a single cut; it is a sequence that respects physics. First we see

852
00:53:20,000 --> 00:53:27,920
the bridge: inventory all trusts with metadata, direction, transitivity, SID filtering, selective

853
00:53:27,920 --> 00:53:36,160
authentication, AES support, TGT lifetimes, and when anyone last attested business need. If a trust

854
00:53:36,160 --> 00:53:44,560
lacks a living owner, the trust is drift. Second we narrow gravity: enable SID filtering on external

855
00:53:44,560 --> 00:53:52,560
and forest trusts unless a migration absolutely requires SID history. Where history is still needed,

856
00:53:52,560 --> 00:53:58,880
time box it and pre-map explicit SID translations for a short list of accounts rather than entire

857
00:53:58,880 --> 00:54:06,160
groups. Remove SID history from migrated users and groups once cutover completes. History is not

858
00:54:06,160 --> 00:54:13,280
identity; it is nostalgia. Third we require invitation to cross: turn on selective authentication so

859
00:54:13,280 --> 00:54:20,160
principals from forest B cannot touch all of forest A by default. Grant Allowed to Authenticate

860
00:54:20,160 --> 00:54:27,600
on specific servers only, for named attested groups. Audit 4769 for foreign SIDs and

861
00:54:27,600 --> 00:54:36,800
Transited Services fields to catch unexpected paths. Monitor 4624, 4672 in forest A for

862
00:54:36,800 --> 00:54:43,520
logons with authentication package Kerberos and Transited Services krbtgt/forestb.local;

863
00:54:43,520 --> 00:54:49,280
those words are gravity speaking. Fourth we fix the old language: ensure both forests use AES for

864
00:54:49,280 --> 00:54:56,880
inter forest Kerberos; retire RC4 and DES. Kerberos armoring, where supported, reduces tampering.

865
00:54:56,880 --> 00:55:03,920
Tighten ticket lifetimes if the bridge must remain. Harden SPNs on target services to exact names;

866
00:55:03,920 --> 00:55:12,080
remove aliases that encourage stray authentication. Fifth we excise sediment on shared servers:

867
00:55:12,080 --> 00:55:18,080
remove legacy groups with foreign principals; replace with explicit least privilege grants;

868
00:55:18,880 --> 00:55:25,680
retire collaboration shares, archive and delete. If ADFS claim rules created broad trust, rewrite them

869
00:55:25,680 --> 00:55:31,920
with whitelists. If trust only exists for DNS forwarding, replace with conditional forwarding,

870
00:55:31,920 --> 00:55:38,240
not identity treaties. Sixth we practice collapse: test trust removal in a lab clone,

871
00:55:38,240 --> 00:55:43,600
staged downtime with business owners, cut one direction at a time if needed, using selective

872
00:55:43,600 --> 00:55:50,880
authentication as a proving ground. When removed, purge lingering references: logon rights, local

873
00:55:50,880 --> 00:55:58,720
groups, GPO scopes. Watch for authentication failures that reveal dependencies; fix or isolate the

874
00:55:58,720 --> 00:56:07,120
callers. Bridges do not simply vanish; they echo. Detection must be layered: SIEM correlates cross

875
00:56:07,120 --> 00:56:15,440
realm TGT issuance with access to sensitive SPNs minutes later. Alert on any 4769 in forest A

876
00:56:15,440 --> 00:56:21,200
where client address belongs to a forest B subnet and the service name belongs to tier one or Tier 0.

877
00:56:21,200 --> 00:56:29,280
Flag 4662 DCSync attempts from foreign SIDs. If SID filtering is disabled anywhere,

878
00:56:29,280 --> 00:56:38,160
raise a standing incident until it changes. Lab echo, low chime: trust audit, forest A, forest B,

879
00:56:38,160 --> 00:56:46,880
SID filtering enabled, selective auth enabled. Base pulse softens: cross realm tickets restricted,

880
00:56:46,880 --> 00:56:53,680
foreign access list attested. The observer speaks: I am the bridge you forgot. When you narrowed

881
00:56:53,680 --> 00:56:59,120
me to purpose, I stopped turning distance into danger. When you finally dissolved me, the galaxies

882
00:56:59,120 --> 00:57:04,640
kept their shape. Abandoned trusts are not pathways; they are tears in the fabric. Close them,

883
00:57:04,640 --> 00:57:10,480
or they will choose your ending for you. An AD CS ESC1 misconfiguration. There is a forge

884
00:57:10,480 --> 00:57:15,840
that mints identities into substance. It is called Active Directory Certificate Services.

885
00:57:15,840 --> 00:57:20,800
When its molds are cut carelessly, any hand can pour metal and walk away wearing a crown.

886
00:57:20,800 --> 00:57:26,720
ESC1 is not a bug; it is geometry. A certificate template that allows client authentication,

887
00:57:26,720 --> 00:57:32,640
permits enrollee supplies subject and SAN, and is obtainable by ordinary principals becomes a mirror

888
00:57:32,640 --> 00:57:39,600
that reflects whatever name it is asked to reflect. If the issuing CA trusts its own work to map

889
00:57:39,600 --> 00:57:44,800
SAN to logon, then the directory will accept the bearer as the name on the glass.

890
00:57:44,800 --> 00:57:49,920
Kerberos does not protest; smart card logon does not argue. The physics is consistent; the policy is

891
00:57:49,920 --> 00:57:56,000
wrong. At 04:22 the observer murmurs: I felt the drift when a template promised too much.

892
00:57:56,000 --> 00:58:04,960
On CA-WEST a template named Legacy User Enroll sits published. Its flags: client authentication

893
00:58:04,960 --> 00:58:14,720
EKU present, enrollee supplies subject, manager approval not required, security: Domain Users enroll,

894
00:58:14,720 --> 00:58:22,160
autoenroll, no issuance requirements, no subject name restrictions. The forest trusted the forge to

895
00:58:22,160 --> 00:58:29,600
be humble. It was not. An intruder with only user rights opens the enrollment dialogue or speaks to

896
00:58:29,600 --> 00:58:35,360
the CA over RPC with a quiet request. They ask for a certificate where the subject alternative name

897
00:58:35,360 --> 00:58:43,120
includes UPN backupsvc@domain.tld, or even administrator@domain.tld. The CA stamps the

898
00:58:43,120 --> 00:58:48,240
request with its signature because it trusts what it was asked to believe. The certificate is valid,

899
00:58:48,240 --> 00:58:57,200
shiny, unremarkable. The private key lives in user space. That is enough. Lab echo, low chime: event

900
00:58:57,200 --> 00:59:05,520
4886, certificate issued to jle, template Legacy User Enroll, SAN administrator@domain.tld.

901
00:59:05,520 --> 00:59:12,480
Base pulse: no manager approval. With the certificate the intruder presents themselves to a

902
00:59:12,480 --> 00:59:19,120
domain controller using PKINIT, Kerberos with public key. The KDC checks the chain to the issuing CA; the

903
00:59:19,120 --> 00:59:26,800
CA is in NTAuth; the EKU includes smart card logon; the SAN asserts administrator@domain.tld; the

904
00:59:26,800 --> 00:59:33,200
directory maps the UPN to the account. A TGT appears, minted for administrator, not for the requester.

905
00:59:33,200 --> 00:59:38,480
Gravity follows the signature. They do not need to crack passwords or replay hashes; they do not need

906
00:59:38,480 --> 00:59:44,160
to touch LSASS. They have a ticket that says I am the person whose name is on the certificate. The CA said

907
00:59:44,160 --> 00:59:51,840
yes; the KDC agrees. Doors open with ceremonial ease. Lab echo, low chime: 4768, TGT

908
00:59:51,840 --> 00:59:58,640
issued via certificate logon, account administrator, caller WSDESK034. Soft tick: 4887,

909
00:59:58,640 --> 01:00:04,080
certificate request attributes included SAN. They move with quiet authority: a service ticket

910
01:00:04,080 --> 01:00:10,400
to LDAP on DC02, a query for group memberships, a new GPO link that lasts two minutes, a shadow

911
01:00:10,400 --> 01:00:17,280
admin placed and removed. The certificate lives for months; renewal is a whisper; revocation is a fantasy

912
01:00:17,280 --> 01:00:24,960
if no one knows to revoke. Defense is the discipline of molds. We enumerate templates like we enumerate stars.

913
01:00:24,960 --> 01:00:31,440
For every template that can issue logon capable certificates, smart card logon, client authentication,

914
01:00:31,440 --> 01:00:37,440
along with issuance to user principals, we examine three truths: who can enroll, who can request subject

915
01:00:37,440 --> 01:00:43,200
and SAN, what EKUs are included. If Domain Users can enroll and supply SAN on a template whose EKU

916
01:00:43,200 --> 01:00:50,240
maps identities, we have built a wormhole. We close it by reducing surface and adding ceremony: remove

917
01:00:50,240 --> 01:00:57,120
enrollee supplies subject from user templates unless the SAN is constrained by policy modules; remove

918
01:00:57,120 --> 01:01:04,320
client authentication and smart card logon EKUs from templates not meant for logon; require manager

919
01:01:04,320 --> 01:01:10,560
approval or authorized signature for any template that affects identity mapping. If a vendor demands

920
01:01:10,560 --> 01:01:16,560
supply subject for devices, create a separate template limited to a device enrolling group with

921
01:01:16,560 --> 01:01:23,920
subject name constraints via the CA policy. We bind CA trust: the NTAuth store should only contain

922
01:01:23,920 --> 01:01:30,960
CAs that issue true smart card logon or device auth under strict governance. Remove legacy issuing

923
01:01:30,960 --> 01:01:37,600
CAs from NTAuth if they serve line of business TLS; separate PKI for identity and for transport

924
01:01:37,600 --> 01:01:42,960
stops forged crowns from riding on web server ceremonies. We control who can publish and who can

925
01:01:42,960 --> 01:01:49,680
change: only a Tier 0 PKI admin group may publish templates; ACLs on templates remove Domain

926
01:01:49,680 --> 01:01:56,560
Admins if culture allows, replaced with PKI specific roles; certificate managers on the CA are not

927
01:01:56,560 --> 01:02:03,840
allowed to issue on behalf of users without justification. Revocation configuration is monitored:

928
01:02:03,840 --> 01:02:11,920
CRLs and OCSP are healthy and reachable. We instrument the forge: forward 4886, 4887,

929
01:02:11,920 --> 01:02:18,000
4898, 4899 from CAs; alert when SAN contains an unexpected realm,

930
01:02:18,000 --> 01:02:25,200
when UPNs do not match the requester, when smart card logon EKU rides a template whose

931
01:02:25,200 --> 01:02:31,760
friendly name is not on an allow list. In the KDC realm, detect 4768 with certificate

932
01:02:31,760 --> 01:02:38,560
logon where the client workstation is a non-PAW subnet; pair with 4769 spikes to sensitive

933
01:02:38,560 --> 01:02:44,560
SPNs. The chord means identity bent at the mint. We enforce PAC scrutiny at endpoints that matter:

934
01:02:44,560 --> 01:02:50,240
domain controllers already inspect, but high value services can perform additional checks:

935
01:02:50,240 --> 01:02:56,400
reject certificate logon for accounts not in a defined set; deny service tickets if the

936
01:02:56,400 --> 01:03:03,040
presented identity was minted by an unapproved CA. Kerberos armoring helps when supported;

937
01:03:03,040 --> 01:03:10,160
channel binding helps at LDAPS: integrity for the path as well as the claim. We practice revocation

938
01:03:10,160 --> 01:03:16,640
rituals: if a misuse is found, we revoke the certificate, publish CRL, and ensure DCs fetch

939
01:03:16,640 --> 01:03:23,680
fresh lists. We roll keys for the abused account even if the cert granted transient access,

940
01:03:23,680 --> 01:03:30,400
to invalidate any cached tickets. We review the NTAuth store again. We test logon with a bad cert;

941
01:03:30,400 --> 01:03:38,240
the door stays closed. We simplify future shapes: smart cards or FIDO2 for admins; device certificates

942
01:03:38,240 --> 01:03:44,480
bound to hardware TPM with attestation; templates with explicit subject rules enforced by the policy

943
01:03:44,480 --> 01:03:51,840
module; autoenrollment limited to groups with attestations. Humans do not type SANs; systems derive

944
01:03:51,840 --> 01:04:01,040
them from true identity. Lab echo, low chime: template audit, Legacy User Enroll unpublished, EKUs

945
01:04:01,040 --> 01:04:09,520
trimmed. Base pulse softens: NTAuth store, identity issuing CAs only; 4768 certificate logon

946
01:04:09,520 --> 01:04:15,920
limited to PAW use. The observer speaks: I am the forge. When you narrowed my molds and watched my

947
01:04:15,920 --> 01:04:22,320
fire, I stopped crowning strangers. I still mint truth; I no longer mint fantasy. Identity is metal;

948
01:04:22,320 --> 01:04:29,200
heat without form is chaos; form without rules is fraud. Set the template, guard the store, listen for

949
01:04:29,200 --> 01:04:37,440
the chime. Monday actions: identity controls. The map darkens. We move from theory to ritual. Identity

950
01:04:37,440 --> 01:04:44,080
is not a name; it is a controlled instrument. On Monday we set the metronome and bind the edges.

951
01:04:44,080 --> 01:04:51,520
Begin with separation of selves. Human comfort merges roles; gravity demands we split them.

952
01:04:51,520 --> 01:04:58,960
Every administrator receives three identities: daily user, tier one admin, Tier 0 admin. Each lives

953
01:04:58,960 --> 01:05:04,720
in different orbits, bound by different laws. User accounts never touch domain controllers, never

954
01:05:04,720 --> 01:05:11,360
RDP to servers, never hold privileges beyond their work. Tier one manages servers and applications

955
01:05:11,360 --> 01:05:18,960
but never authenticates into Tier 0. Tier 0 touches domain controllers, PKI, identity systems, only from

956
01:05:18,960 --> 01:05:28,720
privileged access workstations. Ceremony replaces habit. Keys next: hardware backed MFA is not an accessory,

957
01:05:28,720 --> 01:05:36,000
it is mass. Issue FIDO2 or smart cards for Tier 0 and tier one; bind them to devices that do not

958
01:05:36,000 --> 01:05:42,640
browse, do not receive email, do not run unsigned code. Where hybrid demands cloud strength,

959
01:05:42,640 --> 01:05:49,520
enforce number matching and phishing resistant flows. The point is not trust in people; it is trust

960
01:05:49,520 --> 01:05:56,080
in physics: something you hold, something the machine can attest. Silence the fossils: disable

961
01:05:56,080 --> 01:06:03,360
LM and NTLMv1 everywhere; turn on NTLM auditing for a month; tag every source; then cut. Enforce LDAP

962
01:06:03,360 --> 01:06:10,400
channel binding and signing; require SMB signing on clients and servers; prefer Kerberos with precise

963
01:06:10,400 --> 01:06:18,640
SPNs. In places where NTLM must persist, fence it: dedicated VLAN, firewall allow lists, no path to

964
01:06:18,640 --> 01:06:26,640
Tier 0. Drift cannot cross glass. Bind high value people to stronger gravity: place Tier 0 admins and

965
01:06:26,640 --> 01:06:33,680
sensitive service identities in Protected Users. That removes NTLM fallback, blocks legacy delegation,

966
01:06:33,680 --> 01:06:39,120
and avoids fragile caches. Pair with account policies that shorten ticket lifetimes for these

967
01:06:39,120 --> 01:06:45,680
identities; stolen heat cools faster. Enable Kerberos armoring where supported. On critical services

968
01:06:45,680 --> 01:06:52,640
turn on PAC validation: claims must match the directory or the door stays closed. Make the workstation

969
01:06:52,640 --> 01:06:59,920
a shrine. Privileged access workstations are not laptops with a sticker; they are instruments:

970
01:06:59,920 --> 01:07:06,960
no personal browsing, no plugins, no Office macros; app control locks execution to an allow list;

971
01:07:06,960 --> 01:07:14,720
device health attestation at logon; RDP sessions use Remote Credential Guard; secrets remain

972
01:07:14,720 --> 01:07:22,080
anchored on the PAW. If technicians must manage endpoints outside the core, use just in time elevation

973
01:07:22,080 --> 01:07:30,720
with short recorded windows; tools leave logs, humans leave approvals. Rotate what time erodes: service

974
01:07:30,720 --> 01:07:37,600
accounts become gMSA by default; static passwords die on a schedule; no human negotiates. Remove

975
01:07:37,600 --> 01:07:43,920
password never expires from history; restrict logon rights to exact hosts; deny interactive logon

976
01:07:43,920 --> 01:07:49,680
and RDP to all service principals. SPN creation moves into a change ticket with an owner, a duration,

977
01:07:49,680 --> 01:07:55,120
and a purpose. Every vessel has a captain; every captain can be named. Prevent local sameness:

978
01:07:55,120 --> 01:08:01,280
LAPS across the estate, unique local administrator passwords on every workstation and server,

979
01:08:01,280 --> 01:08:08,720
rotated on cadence, readable only by a small audited group. Enforce remote UAC; remove the silent

980
01:08:08,720 --> 01:08:14,400
elevation that turns hashes into passports. Pair with Restricted Admin and Remote Credential Guard

981
01:08:14,400 --> 01:08:22,240
for RDP from PAWs; a captured local secret does not fly. Narrow delegation like optics: remove

982
01:08:22,240 --> 01:08:28,560
unconstrained delegation; replace with constrained delegation to exact SPNs; prefer resource-based

983
01:08:28,560 --> 01:08:34,560
constrained delegation so targets choose their mirrors; audit for wildcard targets; deny interactive

984
01:08:34,560 --> 01:08:42,240
logon to delegated identities. If a vendor insists on freedom, isolate, record, and schedule its sunset.

985
01:08:42,240 --> 01:08:49,600
Constrain replication authority: no human account holds DS-Replication-Get-Changes; backup

986
01:08:49,600 --> 01:08:56,080
software does not DCSync by default. If emergency recovery requires it, build a break glass

987
01:08:56,080 --> 01:09:02,880
JIT role with dual approval, hour-long expiry, and loud logging. Monitor 4662 for replication

988
01:09:02,880 --> 01:09:09,840
rights use; the moment it sings, eyes open. Instrument identity like a constellation. Alerts that matter:

989
01:09:09,840 --> 01:09:20,560
4769 spikes on SPNs tied to money or control; 4672 privileged logons outside windows; 4738

990
01:09:20,560 --> 01:09:31,200
attribute changes for privileged accounts; 4728, 4729 and 4732, 4733 movement into admin groups;

991
01:09:31,200 --> 01:09:40,080
4768 certificate logons from non-PAW subnets; 4662 replication attempts. Pair with Sysmon

992
01:09:40,080 --> 01:09:48,960
10 on LSASS handle access and Event 1 ancestry on tools that should never exist on PAWs. The chord

993
01:09:48,960 --> 01:09:57,120
matters; the notes are noise. Time discipline around krbtgt: rotation is scheduled ritual, twice per event;

994
01:09:57,760 --> 01:10:04,240
before each pass check replication health and back up system state; after, watch authentication failures

995
01:10:04,240 --> 01:10:10,960
that reveal shadow dependencies; align gMSA refresh for services that care. Golden tickets become

996
01:10:10,960 --> 01:10:18,160
history, not prophecy. Finally, make exceptions loud: catalog every legacy system that cannot obey;

997
01:10:18,160 --> 01:10:25,760
assign it a tiered isolation, a compensating control, an owner, a retirement date; label its traffic;

998
01:10:25,760 --> 01:10:34,320
weight its alerts. No silent debts, no invisible gravity. The base pulse softens. A low chime: Tier 0

999
01:10:34,320 --> 01:10:41,760
separation enforced, Protected Users applied, LAPS rotation complete, SMB signing required, PAC checks

1000
01:10:41,760 --> 01:10:47,760
enabled. We are not done; we are in orbit. Identity bends toward law, not convenience. The universe

1001
01:10:47,760 --> 01:10:55,520
acknowledges the change. Monday actions: surface hardening. The gravity is identity, but the terrain is

1002
01:10:55,520 --> 01:11:03,120
metal we set the surface so bends are rare and loud begin with baselines as law not suggestion domain

1003
01:11:03,120 --> 01:11:09,280
controllers receive a hardened gpo that is sacred no interactive logon by anyone but tier

1004
01:11:09,280 --> 01:11:15,760
administrators no scheduled tasks created by non service principles no print spooler no web

1005
01:11:15,760 --> 01:11:22,960
dev no smbv1 no inbound ps remoteing except from pardews and power shell constrained language

1006
01:11:22,960 --> 01:11:30,960
mode for non admin tokens audit policy is explicit and aggressive success where lineage matters

1007
01:11:30,960 --> 01:11:39,040
failure where probing counts forward everything servers follow a tiered constellation tier servers

1008
01:11:39,040 --> 01:11:46,640
and management hosts obey a stricter baseline wdac or app locker white listing unsigned binaries

1009
01:11:46,640 --> 01:11:52,800
refused to run script enforcement on rdp only from pardews with remote credential guard

1010
01:11:52,800 --> 01:12:00,160
win rm with certificate authentication not default cred ssp local firewall rules default deny

1011
01:12:00,160 --> 01:12:08,000
east west permit documented spn's only lateral movement is not convenience it is failure

1012
01:12:08,640 --> 01:12:14,480
Workstations receive a living image. The gold build enables Credential Guard where hardware permits,

1013
01:12:14,480 --> 01:12:20,400
LSA protection, attack surface reduction rules that block Office from creating child processes

1014
01:12:20,400 --> 01:12:27,200
and block credential theft behavior, and SmartScreen on. Macros from the internet die at the door.

1015
01:12:27,200 --> 01:12:34,640
Browser isolation for admin sites. Drivers are signed and vetted; kernel surfaces do not host vendor

1016
01:12:34,640 --> 01:12:41,040
shortcuts. USB storage is disabled except for a break-glass process with approval and logging.

1017
01:12:41,040 --> 01:12:49,360
On every surface we kill fossils: LM and NTLMv1 disabled, NTLM auditing enabled for mapping,

1018
01:12:49,360 --> 01:12:57,360
then enforcement to reduce exceptions to named, isolated workloads. LDAP signing and channel binding

1019
01:12:57,360 --> 01:13:04,880
required on domain controllers and enforced on apps. SMB signing required on servers, enabled on

1020
01:13:04,880 --> 01:13:15,840
clients, with a plan to require everywhere. SMBv1 gone, WebDAV gone, RDP NLA required. ICMP can live;

1021
01:13:15,840 --> 01:13:22,720
RPC without purpose cannot. We set services to truth: Print Spooler is off on servers that do not print;

1022
01:13:22,720 --> 01:13:30,640
on domain controllers it is off, always. Remote Registry disabled except during controlled change windows.

1023
01:13:30,640 --> 01:13:36,800
Windows Installer restricted on servers to prevent on-the-fly package runs outside maintenance windows.

1024
01:13:36,800 --> 01:13:45,280
Scheduled tasks that run as users are an exception, not a pattern. Service accounts deny interactive

1025
01:13:45,280 --> 01:13:52,720
logon and RDP; they hold Log on as a service only on their hosts. We standardize ports like constellations

1026
01:13:52,720 --> 01:13:58,640
with names. Each class of server declares its allowed inbound and outbound. Web tier: inbound from

1027
01:13:58,640 --> 01:14:05,760
load balancers, outbound to app tier and telemetry, nothing else. App tier: inbound from web and management,

1028
01:14:05,760 --> 01:14:13,360
outbound to data tier and identity, nothing else. Data tier: inbound from app only, outbound to backup

1029
01:14:13,360 --> 01:14:21,840
and replication, nothing else. Management tier: inbound from PAWs, outbound to all tiers by documented

1030
01:14:21,840 --> 01:14:29,040
agents only. Firewall rules are enforced by GPO and verified by a daily scan that compares effective

1031
01:14:29,040 --> 01:14:35,280
policy to baseline. We shrink the attack surface with certificates and keys: WinRM over HTTPS with

1032
01:14:35,280 --> 01:14:42,960
mutual auth between management plane and servers, RDP from PAWs only, MFA at the jump point, session

1033
01:14:42,960 --> 01:14:50,080
recording on. SSH for Windows allowed where automation demands, pinned to host keys and limited to

1034
01:14:50,080 --> 01:14:59,920
a management subnet. TLS everywhere: LDAPS only, IIS drops plaintext, SQL enforces encryption

1035
01:14:59,920 --> 01:15:05,200
with certificate pinning on critical apps. We tune the memory edge: LSASS is protected on tier

1036
01:15:05,200 --> 01:15:13,920
and tier one, WDigest stays disabled, SeDebugPrivilege is removed from broad admin groups; only EDR

1037
01:15:13,920 --> 01:15:20,800
and backup agents hold it via a narrow GPO. ETW providers that leak secrets are secured. Minidumps

1038
01:15:20,800 --> 01:15:27,600
are restricted to administrators and blocked by WD on sensitive hosts. Crash dumps write to

1039
01:15:27,600 --> 01:15:35,040
protected paths; EDR scrubs artifacts quickly. We push application control where gravity is heavy:

1040
01:15:35,040 --> 01:15:41,360
WDAC in audit, then enforced, on domain controllers and PAWs; AppLocker on tier servers with publisher

1041
01:15:41,360 --> 01:15:47,760
rules for signed tools, hash rules for internal binaries, and script rules that allow only specific paths.

1042
01:15:47,760 --> 01:15:55,440
PowerShell is constrained for non-admins; script block logging and module logging feed the telescope.

1043
01:15:55,440 --> 01:16:01,760
We isolate legacy without apology. ICS or vendor servers that refuse signing or Kerberos live on

1044
01:16:01,760 --> 01:16:06,400
quarantined VLANs behind transparent proxies that translate modern authentication at the edge:

1045
01:16:06,400 --> 01:16:12,240
no path to domain controllers beyond DNS, no inbound from workstations, monitoring is loud,

1046
01:16:12,240 --> 01:16:19,040
business owners sign time boxes. The sun sets on dates, not intentions. Patch cadence becomes orbit:

1047
01:16:19,040 --> 01:16:25,440
quality updates in rings, canary, pilot, broad; feature updates where supported after lab validation,

1048
01:16:25,440 --> 01:16:32,080
out-of-band security patches for exploited vulnerabilities on tier surfaces within defined hours,

1049
01:16:32,080 --> 01:16:38,160
firmware and driver updates included quarterly. Reboots are scheduled; sleepy servers are myths;

1050
01:16:38,160 --> 01:16:44,720
maintenance windows are law. We bake drift detection into the crust: CIS or Microsoft security

1051
01:16:44,720 --> 01:16:52,960
baselines are the recipe. Monthly, compare results to baseline; deltas become tickets. Desired State

1052
01:16:52,960 --> 01:16:59,360
Configuration or a modern equivalent enforces key registry and service states. When someone flips

1053
01:16:59,360 --> 01:17:05,840
a bit, the system flips it back or rings a bell. Humans stop arguing; the instrument plays the score.

1054
01:17:05,840 --> 01:17:12,000
We wire telemetry with intent. Sysmon runs with a curated rule set tuned to your estate:

1055
01:17:13,040 --> 01:17:20,240
process ancestry for admin tools, network beacons for lateral beams, file events in sensitive

1056
01:17:20,240 --> 01:17:27,680
directories, handle access to LSASS, and driver loads. Windows Security logs forward

1057
01:17:27,680 --> 01:17:34,800
4688 with command line, 4624, 4672, 4697,

1058
01:17:34,800 --> 01:17:41,040
7045, 4732, 4728, 4768,

1059
01:17:41,040 --> 01:17:45,840
4769, 4662. Device control logs for USB.

1060
01:17:45,840 --> 01:17:52,880
EDR events route to the same constellation. A SIEM correlates and pages by physics, not volume.

1061
01:17:52,880 --> 01:17:58,720
We practice denial of casual execution: no compilers on servers, no browser on domain controllers, no

1062
01:17:58,720 --> 01:18:05,600
Office on management hosts. Script runners sign their code; unsigned fails. Package managers are

1063
01:18:05,600 --> 01:18:12,560
allowed only from internal repositories with attested packages. The observer speaks: I am the

1064
01:18:12,560 --> 01:18:19,680
surface. When you hardened my crust, the fractures became visible and correctable. When you demanded

1065
01:18:19,680 --> 01:18:26,720
signatures, my messages gained truth. When you narrowed my ports, my paths became deliberate. Hardening

1066
01:18:26,720 --> 01:18:34,640
is not glamour; it is gravity applied at every edge until accidents cannot cross. Monday actions:

1067
01:18:34,640 --> 01:18:40,400
detection and monitoring. The telescope must be tuned before the light arrives. On Monday we wire

1068
01:18:40,400 --> 01:18:47,360
our sky so gravity speaks in numbers we can trust. Begin with intent: we do not forward everything;

1069
01:18:47,360 --> 01:18:53,280
we forward signals that describe power, motion, and forgery. Security logs and Sysmon sing different

1070
01:18:53,280 --> 01:19:01,200
harmonies; together they resolve truth. Kerberos is our clock. We page on bends, not on breath. Collect

1071
01:19:01,200 --> 01:19:07,200
4768 for TGT issuance, 4769 for service tickets, 4776

1072
01:19:07,200 --> 01:19:16,000
for NTLM. Tag tier and tier one SPNs as constellations; any 4769 surge against them

1073
01:19:16,000 --> 01:19:24,400
is a low chime. Distinguish routine batch from anomalies by cohort: machines, subnets, and time windows.

1074
01:19:24,400 --> 01:19:32,160
If a workstation subnet requests TGS for LDAP on domain controllers: bass pulse. Privilege announces itself;

1075
01:19:32,160 --> 01:19:39,040
4672 is the sound of special rights. Alert on 4672 outside maintenance windows,

1076
01:19:39,040 --> 01:19:45,280
outside PAW subnets, or without a matching change ticket. Link every 4672 to its preceding

1077
01:19:45,280 --> 01:19:50,960
4624 logon and 4768 origin. Privilege without ancestry is counterfeit light.

1078
01:19:50,960 --> 01:19:56,640
Identity changes shift orbits. Forward 4738 for account attribute change,

1079
01:19:56,640 --> 01:20:00,640
4728 and 4729 for global group membership,

1080
01:20:00,640 --> 01:20:05,520
4732 and 4733 for local domain groups. Tag privilege groups:

1081
01:20:05,520 --> 01:20:11,840
Domain Admins, Enterprise Admins, Backup Operators, Account Operators, and custom admin vessels.

1082
01:20:11,840 --> 01:20:18,960
Any add during business hours must include a human rationale; no rationale, a page. Removal pages too:

1083
01:20:18,960 --> 01:20:26,880
attackers clean footprints. Replication is sacred: 4662 with DS-Replication-Get-Changes

1084
01:20:26,880 --> 01:20:33,440
is a siren. Forward from all domain controllers at high fidelity. Correlate 4662 with the

1085
01:20:33,440 --> 01:20:40,080
calling principal, source IP, and time. If the principal is not a domain controller, if the host is not a DC,

1086
01:20:40,080 --> 01:20:45,840
if the window is not declared: gravity has failed. The small bright room must whisper loudly.

1087
01:20:45,840 --> 01:20:53,920
Sysmon Event 10 reports handle access to lsass.exe. Tune to allow EDR, backup agents, and credential

1088
01:20:53,920 --> 01:21:01,680
providers; page on unknown lineage. Combine with Sysmon 1 for process ancestry: signed names can still

1089
01:21:01,680 --> 01:21:09,040
be wrong when parentage is strange. Add Event 11 for file creation in Temp, Public, or ProgramData

1090
01:21:09,040 --> 01:21:14,800
with dump signatures; pair with 7045 service installs or 4697.

1091
01:21:14,800 --> 01:21:20,880
The chord means harvest. Movement draws lines: Sysmon 3 records network connections;

1092
01:21:20,880 --> 01:21:27,520
build allow lists by tier: which subnets may speak to which services, which ports are legitimate.

1093
01:21:27,520 --> 01:21:35,360
Page when workstation subnets beam to server admin over WinRM or WMI unexpectedly. Add

1094
01:21:35,360 --> 01:21:40,720
4624 type 3 correlators; lateral motion that arrives near a 7045 is not

1095
01:21:40,720 --> 01:21:47,440
noise. Services speak truth when created: 7045 is glass-breaking on servers. Restrict

1096
01:21:47,440 --> 01:21:53,680
change windows; page outside them. Keep a dictionary of known service names: anything new, anything

1097
01:21:53,680 --> 01:22:00,880
changed, anything with command lines from user-writable paths is drift. Certificates mint claims;

1098
01:22:00,880 --> 01:22:08,000
the forge must report. From CAs forward 4886, issued 4887,

1099
01:22:08,000 --> 01:22:14,400
attributes, 4898, 4899 template changes. Alert when

1100
01:22:14,400 --> 01:22:22,080
SAN contains a UPN outside the requester, when Smart Card Logon EKU appears on templates not

1101
01:22:22,080 --> 01:22:28,080
in an allow list, when certificate logon, 4768 with certificate, originates from

1102
01:22:28,080 --> 01:22:33,840
non-PAW subnets. This is identity bending silently; the monitor must give it a voice. Channel the

1103
01:22:33,840 --> 01:22:40,080
logs with purpose. Windows Event Forwarding is our gravity engine: source-initiated, certificate-bound,

1104
01:22:40,080 --> 01:22:45,440
tiered collectors. Domain controllers forward to a dedicated tier collector, tier one servers to a

1105
01:22:45,440 --> 01:22:50,960
separate collector, workstations to a scalable pool. Collectors forward to SIEM; no single hop

1106
01:22:50,960 --> 01:22:58,320
creates a black hole. Normalize and reduce in the SIEM: parse fields into a semantic layer: account,

1107
01:22:58,320 --> 01:23:04,800
device, subnet, tier, change window, owner. Create baselines for each cohort; surges are relative to their

1108
01:23:04,800 --> 01:23:12,960
sky, not global averages. A noisy service is expected; a quiet one cannot suddenly shout. Define five pages,

1109
01:23:12,960 --> 01:23:21,280
not dashboards. Pages: DCSync attempt, 4662 with replication rights by non-DC principal;

1110
01:23:21,280 --> 01:23:28,480
action: isolate source, revoke rights, review krbtgt rotation plan. LSASS touch: Sysmon 10

1111
01:23:28,480 --> 01:23:35,520
unknown lineage plus 11 dump plus 7045 within ten minutes; action: isolate,

1112
01:23:35,520 --> 01:23:43,680
rotate LAPS, invalidate ticket scope. Lateral cross-realm bend: 4768, 4769

1113
01:23:43,680 --> 01:23:52,400
with transited services from a foreign realm to tier one SPNs; action: evaluate trust controls,

1114
01:23:52,400 --> 01:24:00,800
enable selective auth, review SID filtering. Kerberoast or SPN anomaly: sustained

1115
01:24:00,800 --> 01:24:08,000
4769 for service accounts with RC4 fallback from an atypical subnet; action: rotate

1116
01:24:08,000 --> 01:24:15,280
to random long passwords and force AES, monitor crack signals. Privilege drift: 4728,

1117
01:24:15,280 --> 01:24:20,720
4732 add to admin group without change record, paired with 4672

1118
01:24:20,720 --> 01:24:27,200
and service modification; action: revert membership, disable account, open incident. Make the telescope

1119
01:24:27,200 --> 01:24:32,880
resilient. Logs are brittle when collectors drown: apply rate limits at the edge with high-priority

1120
01:24:32,880 --> 01:24:39,760
channels for DCs and management hosts, cache on disk locally with retry, heartbeat alerts when

1121
01:24:39,760 --> 01:24:46,080
subscriptions drop. Teach the stars to answer: every alert routes to a runbook with three truths:

1122
01:24:46,080 --> 01:24:53,840
context fields, first actions, escalation path. No alert without ownership, no owner without

1123
01:24:53,840 --> 01:25:02,880
on-call. Integrate SOAR for reversible actions: isolate host, disable account, stop service, revoke

1124
01:25:02,880 --> 01:25:10,880
cert. Automation does not decide guilt; it buys time. Close with provenance: every detection is mapped

1125
01:25:10,880 --> 01:25:17,040
to a threat path we have narrated: relay, roast, DCSync, PAC abuse, delegation missteps.

1126
01:25:17,040 --> 01:25:23,280
The story anchors the signal; the signal guides the human. The observer speaks: I am the

1127
01:25:23,280 --> 01:25:29,680
fabric. When you listened to my faults in the right frequencies, you stopped mistaking background

1128
01:25:29,680 --> 01:25:35,120
radiation for threat and threat for wind. The chime now means drift; the bass means identity bends.

1129
01:25:35,120 --> 01:25:41,280
You will hear them in time. Legacy systems: retire, isolate, compensate. There are machines that

1130
01:25:41,280 --> 01:25:47,760
refuse to age gracefully; they do not bend, they fracture. Legacy is not a brand; it is entropy with a

1131
01:25:47,760 --> 01:25:54,320
human signature. We begin with honesty: some systems cannot be secured; their physics is wrong. They speak

1132
01:25:54,320 --> 01:26:01,840
NTLMv1, they reject LSA protection, they sleep on Server 2008 R2, Windows 7, or earlier, they accept

1133
01:26:01,840 --> 01:26:07,600
unsigned SMB, run spoolers on servers that should never print, and load drivers that turn memory into glass.

1134
01:26:07,600 --> 01:26:15,360
Retire is not cruelty; retire is mercy. We shut them down with ceremony: data extracted, formats translated,

1135
01:26:15,360 --> 01:26:21,680
owners consulted, dependencies mapped, replacements funded. If a business refuses the funeral, we change

1136
01:26:21,680 --> 01:26:27,120
the business, not the gravity. But time has its own opinion: there will be systems that must live

1137
01:26:27,120 --> 01:26:32,480
for a while. We do not pretend they are safe; we isolate them as if they carry radiation.

1138
01:26:32,480 --> 01:26:40,960
Quarantine is a geometry: dedicated VLAN, firewall rules that speak in single verbs, allow this port

1139
01:26:40,960 --> 01:26:48,320
to that host, deny all else. No path to domain controllers beyond DNS and time, no inbound from

1140
01:26:48,320 --> 01:26:55,440
workstations, no lateral east-west within the quarantine except explicit pairs. Management occurs

1141
01:26:55,440 --> 01:27:03,520
from a bastion that holds certificates and MFA; no RDP from daily machines, no browsing from inside.

1142
01:27:03,520 --> 01:27:08,800
The zone is observed like a lab: packet capture points, Sysmon tuned,

1143
01:27:08,800 --> 01:27:14,880
EDR present if the kernel allows it. Every door is named; every door is locked. Compensation is the

1144
01:27:14,880 --> 01:27:21,600
third orbit. Some legacy can wear modern clothing: we force SMB signing even when the application

1145
01:27:21,600 --> 01:27:31,760
complains; we tune until it obeys or we wall it off. We disable LM and NTLMv1, and where NTLM must

1146
01:27:31,760 --> 01:27:38,400
persist for a fossil client, we pin it behind a proxy that speaks Kerberos to the core. LDAP is signed

1147
01:27:38,400 --> 01:27:45,520
and bound, LDAPS is mandatory with certificate pinning, WDigest remains disabled,

1148
01:27:45,520 --> 01:27:50,400
Credential Guard where hardware permits, RunAsPPL on servers that understand.

1149
01:27:50,400 --> 01:27:58,160
Local Administrator is LAPS-managed even on old metal. Remote UAC blocks the silent token. Script

1150
01:27:58,160 --> 01:28:05,600
execution requires signatures; drivers are audited; unsigned components do not load. We impose

1151
01:28:05,600 --> 01:28:13,200
human law over technical nostalgia. Owners are named: each legacy system receives an accountable

1152
01:28:13,200 --> 01:28:21,360
sponsor who signs the risk monthly. A sunset date is not a suggestion; it is a star we navigate by.

1153
01:28:21,360 --> 01:28:28,560
Exceptions appear in a register visible to leadership and incident response; no invisible gravity.

1154
01:28:28,560 --> 01:28:34,720
Budget aligns with risk: the older the physics, the more expensive the perimeter. If a vendor demands

1155
01:28:34,720 --> 01:28:42,240
Domain Admin, the answer is isolation or divorce. Principles before plugins. Detection becomes

1156
01:28:42,240 --> 01:28:48,800
louder around entropy. We escalate telemetry weight around the quarantine: 4776 NTLM spikes

1157
01:28:48,800 --> 01:28:55,360
become immediate pages, Sysmon 3 for SMB beams out of the zone triggers alarms, 7045 service

1158
01:28:55,360 --> 01:29:02,800
creation on legacy hosts outside maintenance windows is a cutoff, 4624 type 3 from quarantine

1159
01:29:02,800 --> 01:29:09,200
into tier one or tier is denied by firewall; attempted events still forward to prove intent. If the

1160
01:29:09,200 --> 01:29:15,440
system cannot run EDR, we place a tap. If it cannot forward logs, we pull with read-only agents and

1161
01:29:15,440 --> 01:29:22,640
verify cryptographic integrity of the pull. We practice failure like a drill: tabletop exercises simulate

1162
01:29:22,640 --> 01:29:29,760
the legacy host as patient zero. We watch the fabric: what tickets are issued, what services touch,

1163
01:29:29,760 --> 01:29:35,760
what shares open. We rehearse quarantine at the switch, detonation in the seam, rebuild of neighbors.

1164
01:29:35,760 --> 01:29:42,400
We carry a tested offline backup of the legacy, validated in a lab that does not touch production.

1165
01:29:42,400 --> 01:29:48,320
If the system is critical and irreplaceable, we build a twin and rehearse running on the twin.

1166
01:29:48,320 --> 01:29:54,640
The ritual reduces fear. Kara once watched a domain bend at 02:11 because an imaging server from

1167
01:29:54,640 --> 01:30:01,520
201 still believed SMB signing was a rumor. She did not argue with nostalgia; she drew a box. Inside,

1168
01:30:01,520 --> 01:30:07,440
the server spoke to three addresses and nothing else; outside, silence. Later the application moved

1169
01:30:07,440 --> 01:30:13,680
to a managed platform, the box dissolved, the galaxy kept its shape. We refuse to let time dilation

1170
01:30:13,680 --> 01:30:20,080
dictate our orbit: retire where physics demands, isolate where duty insists, compensate where science

1171
01:30:20,080 --> 01:30:25,680
allows. We choose which universe each legacy inhabits, and we document the laws it must obey.

1172
01:30:25,680 --> 01:30:36,320
Lab echo. Low chime: legacy register loaded, 14 systems. Soft tick: isolation enforced via VLAN 402,

1173
01:30:36,320 --> 01:30:45,760
east-west deny, basketball studies, SMB signing required, NTLMv1 blocked, LDAPS pinned. The observer

1174
01:30:45,760 --> 01:30:51,520
nods: I am the fabric. When you named your ruins and built proper orbits around them, I stopped

1175
01:30:51,520 --> 01:30:57,280
tearing where memory insisted on being modern. Legacy is not an excuse; it is a design constraint treated

1176
01:30:57,280 --> 01:31:06,320
as such, and gravity holds. Kerberos PAC validation and ticket sanity. There is a ledger inside every ticket;

1177
01:31:06,320 --> 01:31:13,760
it is called the PAC, the Privilege Attribute Certificate. It carries groups, SIDs, logon time, the

1178
01:31:13,760 --> 01:31:20,720
whisper of who you are and how much weight you can exert. Kerberos is not only speed; it is ceremony:

1179
01:31:20,720 --> 01:31:29,040
the KDC signs the PAC, the service trusts the KDC, the system believes the signature or it does not.

1180
01:31:29,040 --> 01:31:34,800
Ticket sanity is gravity for identity. Most people think the KDC decides everything and services

1181
01:31:34,800 --> 01:31:41,200
simply obey, but time has its own opinion. Services that never check the PAC signature become planets

1182
01:31:41,200 --> 01:31:47,680
that accept any orbit drawn near them. A forged PAC is a counterfeit mass: looks heavy,

1183
01:31:47,680 --> 01:31:55,440
bends paths, breaks truth. When validation is missing or misapplied, attackers turn a small TGT into a

1184
01:31:55,440 --> 01:32:01,200
tool that invents privilege. Here is what actually happens: you ask the KDC for a TGT; it signs with

1185
01:32:01,200 --> 01:32:10,320
the krbtgt. Later you ask for a service ticket to HTTP, CIFS, MSSQL, LDAP; the KDC stamps a PAC into

1186
01:32:10,320 --> 01:32:18,080
that TGS: groups, SID history, claims; then signs the PAC with the KDC key and the service's key.

1187
01:32:18,080 --> 01:32:24,960
The service should validate both: did the KDC bless this, and was this meant for me? If either answer

1188
01:32:24,960 --> 01:32:32,560
is false, the service must refuse. Many do; enough do not. PAC validation lives in decisions we forget

1189
01:32:32,560 --> 01:32:38,240
we made: protocol transition, constrained delegation, resource-based constrained delegation,

1190
01:32:38,240 --> 01:32:43,760
service stacks that terminate Kerberos inside application frameworks. A proxy that negotiates

1191
01:32:43,760 --> 01:32:49,440
Kerberos then hands the assertion to a service that never revalidates can turn signatures into

1192
01:32:49,440 --> 01:32:56,720
decorations. When proxies terminate and reissue, they must enforce armor or bind to the DC for full checks;

1193
01:32:56,720 --> 01:33:02,320
otherwise a silver ticket minted by an intruder with a stolen service key slides through as law.

1194
01:33:03,040 --> 01:33:13,200
Lab echo. Low chime: 4769 TGS for MSSQL fin ledger from svc report. Soft tick: service reports

1195
01:33:13,200 --> 01:33:21,360
PAC verified with KDC signature; the chord holds. But when we hear application accepted without KDC

1196
01:33:21,360 --> 01:33:29,600
check, the bass pulse rises. Sanity is not only signatures; it is coherence. Ticket lifetimes must

1197
01:33:29,600 --> 01:33:36,640
match policy: forwardable when needed, otherwise not; renewable for windows we understand, not months

1198
01:33:36,640 --> 01:33:43,280
that invite quiet persistence. Encryption types should not descend into RC4 because compatibility;

1199
01:33:43,280 --> 01:33:59,280
AES is the current: AES128-CTS-HMAC-SHA1-96 or AES256-CTS-HMAC-SHA1-96, and where

1200
01:33:59,280 --> 01:34:06,560
supported, the modern suites. If a service receives an RC4 TGS in a forest that claims modernity,

1201
01:34:06,560 --> 01:34:12,560
the instrument is out of tune. We teach services to doubt. For Windows services that call AcceptSecurityContext,

1202
01:34:12,560 --> 01:34:18,960
we insist on Kerberos integrity, mutual auth, channel binding where applicable, service binding;

1203
01:34:18,960 --> 01:34:26,000
for IIS we prefer kernel-mode auth with strict SPN maps. When ARR or reverse proxies sit in front,

1204
01:34:26,000 --> 01:34:32,480
they forward tokens only after validating and, when possible, re-acquiring from the KDC to attach

1205
01:34:32,480 --> 01:34:39,280
a fresh verified PAC. For SQL we ensure the SPN is unique and delegated only through constrained

1206
01:34:39,280 --> 01:34:44,080
paths; the engine must validate the PAC, not merely accept whatever the network hands it.

1207
01:34:44,080 --> 01:34:50,560
Delegation is where gravity tricks us. Unconstrained delegation trusts any ticket the service

1208
01:34:50,560 --> 01:34:56,160
presents to others; an attacker who lands there can request tickets to almost anywhere,

1209
01:34:56,160 --> 01:35:02,800
ferrying PACs like forged passports. We remove it. With constrained delegation we bind services

1210
01:35:02,800 --> 01:35:10,000
to specific SPNs; with resource-based constrained delegation the target says who may impersonate

1211
01:35:10,000 --> 01:35:16,400
into it. Then we add a further law: the target revalidates the PAC with the KDC, not with hope.

1212
01:35:17,040 --> 01:35:24,000
That second check catches silver tickets and PAC tampering born of stolen service keys. PAC

1213
01:35:24,000 --> 01:35:31,440
hardening exists: domain controllers can require strict validation for services that indicate support;

1214
01:35:31,440 --> 01:35:37,840
modern Windows enables validating KDC signatures by default in many paths. We verify this posture;

1215
01:35:37,840 --> 01:35:46,640
we disable fail-open code paths; we audit services that rely on custom GSS-API stacks or Java

1216
01:35:46,640 --> 01:35:53,600
frameworks with SPNEGO libraries known to skip validation unless configured. We test by presenting

1217
01:35:53,600 --> 01:36:00,240
malformed PACs in a lab and confirming denial. Detection listens to the curvature: Event 4769

1218
01:36:00,240 --> 01:36:06,960
contains flags, forwardable, renewable, encryption type, client address. We baseline per SPN; a sudden surge

1219
01:36:06,960 --> 01:36:14,960
of TGS with RC4 to a critical service is a chime; 4771 and 4776 nearby reveal fallback and failure.

1220
01:36:15,520 --> 01:36:22,560
If a service begins accepting tickets for names not in its SPN list, we misbound identity. Watch for

1221
01:36:22,560 --> 01:36:31,360
service name mismatches on domain controllers; for an 82 4 to a 21 PAC validation failures,

1222
01:36:31,360 --> 01:36:38,800
where available, signal tampering. On services with advanced logging, application traces that say PAC

1223
01:36:38,800 --> 01:36:46,400
signature invalid become pages. We test reality in a controlled lab: we simulate silver tickets with

1224
01:36:46,400 --> 01:36:53,120
a stolen service key and verify that target services reject them unless the KDC vouches live.

1225
01:36:53,120 --> 01:37:00,400
We enable Kerberos armoring, FAST, so the communication between client and KDC resists interception

1226
01:37:00,400 --> 01:37:06,480
and modification. We ensure devices and services support it; where they do not, we isolate until they

1227
01:37:06,480 --> 01:37:13,600
learn the language. Sanity includes PAC size: overgrown group membership can exceed token limits,

1228
01:37:13,600 --> 01:37:21,200
truncating truth. We monitor for 4769 failures with KRB_ERR_FIELD_TOOLONG, then we prune groups,

1229
01:37:21,200 --> 01:37:28,400
collapse nesting, move from group sprawl to claims where feasible. Identity remains heavy but intelligible.

1230
01:37:28,400 --> 01:37:34,800
The observer speaks: I am the ledger inside the ticket. When you verify my signatures against the KDC,

1231
01:37:34,800 --> 01:37:40,640
I hold. When you bind me to the service that asked, I cannot be borrowed. When you trim my excess and

1232
01:37:40,640 --> 01:37:47,760
refuse my fossils, I represent truth. Kerberos works because the universe agrees to believe the same

1233
01:37:47,760 --> 01:37:54,480
signatures; PAC validation is that agreement made visible. Make every service check, make every proxy

1234
01:37:54,480 --> 01:38:01,920
humble, make every ticket coherent; the fabric will answer in kind. Exploit chain mapping patterns.

1235
01:38:01,920 --> 01:38:08,960
We map chains the way astronomers map gravity: not by seeing the mass directly, but by watching how paths

1236
01:38:08,960 --> 01:38:17,360
curve. An exploit chain is not chaos; it is choreography. Credentials, protocols, permissions, services:

1237
01:38:17,360 --> 01:38:23,120
each adds weight. When they align, motion becomes inevitable. We do not guess; we trace.

1238
01:38:23,120 --> 01:38:29,920
We begin with origin and destination. Origin is where the first non-trivial

1239
01:38:29,920 --> 01:38:37,840
foothold lives: a compromised user, a misconfigured service, a legacy server. Destination is tier

1240
01:38:37,840 --> 01:38:46,240
or the crown-adjacent: domain controllers, PKI, deployment orchestration, identity proxies. Between them

1241
01:38:46,240 --> 01:38:54,640
we mark viable beams: RDP, SMB, WinRM, WMI, RPC, HTTP, with their authentication dialects and policy

1242
01:38:54,640 --> 01:39:01,200
constraints. The shortest path is rarely the safest; the quietest path is rarely the shortest. Gravity

1243
01:39:01,200 --> 01:39:08,720
will choose quiet if it can. Patterns emerge. First pattern: credential liquidity. Tokens flow to

1244
01:39:08,720 --> 01:39:14,800
where humans are comfortable: help desk touches servers, developers touch build agents, operations

1245
01:39:14,800 --> 01:39:23,040
touches everything during incidents. Each touch leaves residue: tickets in LSASS, cached credentials,

1246
01:39:23,040 --> 01:39:30,960
saved sessions, service keys in plaintext configs. The map highlights human schedules: spikes near patch

1247
01:39:30,960 --> 01:39:37,040
night, proximity after outages, standing sessions on jump servers that were never sanctified as PAWs.

1248
01:39:37,040 --> 01:39:43,440
Chains that matter begin at human comfort. Second pattern: identity translation. Directory boundaries,

1249
01:39:43,440 --> 01:39:50,480
claim separation, delegation, trusts, and SSO stitch them together. Unconstrained delegation turns

1250
01:39:50,480 --> 01:39:57,760
one service into many; resource-based constrained delegation narrows, but misbound permissions reopen.

1251
01:39:57,760 --> 01:40:03,040
Forest trusts with weak SID filtering let SID history bend continents. ADCS templates that

1252
01:40:03,040 --> 01:40:10,800
permit SAN supply mint names on demand. Chains that matter cross identity translators; they pay

1253
01:40:10,800 --> 01:40:18,960
with signatures or steal them. Third pattern: protocol downgrade. When modernity falters, fossils speak:

1254
01:40:19,600 --> 01:40:29,760
Kerberos becomes NTLM, signed SMB becomes unsigned, LDAPS becomes LDAP, channel binding falls away.

1255
01:40:29,760 --> 01:40:37,120
Attackers engineer proximity: relays, coercion, name resolution tricks to exploit the downgrade.

1256
01:40:37,120 --> 01:40:44,160
The map records policy at both ends, client capability and server requirement; any asymmetry becomes a slope.

1257
01:40:45,040 --> 01:40:50,800
Fourth pattern: shared keys as pressure points. Service accounts with SPNs and RC4 history,

1258
01:40:50,800 --> 01:40:57,760
machine accounts with local admin beyond their tier, backup agents with DCSync for convenience,

1259
01:40:57,760 --> 01:41:03,360
deployment tools with write paths on servers they later start. Identify each key and its reach;

1260
01:41:03,360 --> 01:41:10,160
draw circles of consequence. A single key that reaches Tier 0 is a supermassive body; everything warps

1261
01:41:10,160 --> 01:41:19,360
around it. Fifth pattern: persistence friction. Scheduled tasks, services, GPOs, logon scripts, agent auto

1262
01:41:19,360 --> 01:41:26,080
updates: any cyclic engine amplifies small changes. A DLL in a startup path becomes SYSTEM at dawn;

1263
01:41:26,080 --> 01:41:31,040
a task edited to run an extra binary becomes a repeatable foothold. Chains that matter end with a

1264
01:41:31,040 --> 01:41:37,840
heartbeat. We formalize the map into layers. Layer one: graph of principals to rights. Users to groups

1265
01:41:37,840 --> 01:41:45,200
to rights on servers, rights to sessions observed, sessions to tokens present. Build it daily, expire

1266
01:41:45,200 --> 01:41:52,480
edges quickly so the map remains present tense. Every node carries tier, owner, last seen, and trust

1267
01:41:52,480 --> 01:42:01,680
context. Layer two: protocol and control matrix. For each edge, define authentication method,

1268
01:42:01,680 --> 01:42:08,880
signing requirement, encryption, channel binding, delegation status, and allowed call assets. Record

1269
01:42:08,880 --> 01:42:14,640
policy and effective state; differences are where gravity leaks. Layer three: time and change.

1270
01:42:14,640 --> 01:42:21,440
Overlay maintenance windows, deployment cycles, and known incident schedules. Overlay GPO drift

1271
01:42:21,440 --> 01:42:27,440
events and template changes from PKI. Exploit chains prefer motion; you will find them in the wake

1272
01:42:27,440 --> 01:42:36,080
of change. Layer four: anomalies as beacons. Detection outputs are not noise; they are landmarks:

1273
01:42:36,080 --> 01:42:43,360
4769 spikes near an SPN, 4672 outside approved hours, 4662 replication rights use,

1274
01:42:43,360 --> 01:42:49,280
Sysmon 10 on LSASS, 7045 on services. Attach these to edges and nodes, color them by

1275
01:42:49,280 --> 01:42:55,840
recency and confidence. Chains prefer paths that recently glowed. Then we run thought experiments,

1276
01:42:55,840 --> 01:43:03,120
counterfactual gravity. Ask: if we remove unconstrained delegation from this service, what paths collapse?

1277
01:43:03,120 --> 01:43:10,000
If we require SMB signing here, how many edges go dark? If we rotate krbtgt twice this week,

1278
01:43:10,000 --> 01:43:15,280
which tickets become fossils? If we enable selective authentication on this trust, which foreign

1279
01:43:15,280 --> 01:43:22,480
beams cease? We simulate before we legislate. We also run attacker stories end to end at low fidelity,

1280
01:43:22,480 --> 01:43:31,120
never detailing misuse, always testing curvature. Story one: low-priv user, read-only share with scripts,

1281
01:43:31,120 --> 01:43:37,120
embedded credential, service account with local admin, lateral to management server, scheduled task

1282
01:43:37,120 --> 01:43:44,560
foothold, cached admin token, ticket to deployment orchestrator, configuration push to domain controllers.

1283
01:43:45,360 --> 01:43:53,360
Mitigations paint the route: LAPS, remove embedded secrets, restrict local admin, enforce RDP rules,

1284
01:43:53,360 --> 01:44:01,040
deny delegated accounts interactive logon, PAWs, Protected Users, signing and PAC validation.

1285
01:44:01,040 --> 01:44:08,160
Story two: legacy app server, NTLM relay to file server, machine account leverage, relay to deployment

1286
01:44:08,160 --> 01:44:15,040
host, dropper into auto-load path, silent domain group add via service rights. Controls: SMB signing,

1287
01:44:15,440 --> 01:44:27,600
NTLM isolation, group membership alerts, 7045 gating, JEA, JIT. Story three: forest trust drift, cross-realm TGT,

1288
01:44:27,600 --> 01:44:36,320
mis-scoped ACLs, SID history abuse, local admin on Tier 1, stealthy GPO link.

1289
01:44:37,200 --> 01:44:43,840
Controls: SID filtering, selective auth, trust attestation, GPO change alerts, ownership.

1290
01:44:43,840 --> 01:44:51,760
We measure distance to failure. For every origin, compute hops to DA under current controls,

1291
01:44:51,760 --> 01:44:58,000
with penalties for noisy steps. The lower the sum, the heavier the body. We fix the heaviest first.

1292
01:44:58,000 --> 01:45:06,720
After each change, recompute: chains lengthen, noise increases, attack cost climbs. The observer speaks:

1293
01:45:07,200 --> 01:45:13,920
I am the chart of your orbits. When you layer identity, protocol, time, and anomaly, the paths

1294
01:45:13,920 --> 01:45:20,000
attackers prefer become obvious. Remove the quiet shortcuts, add friction where momentum gathers,

1295
01:45:20,000 --> 01:45:26,960
let gravity favor defense. Telescopes: SIEM, SOAR, XDR for Windows. We do not secure by staring at logs;

1296
01:45:26,960 --> 01:45:32,640
we secure by building telescopes. A telescope is not a database; it is a lens that bends raw signal

1297
01:45:32,640 --> 01:45:44,080
into meaning. In Windows the sky is busy: security logs, Sysmon, Defender, AD CS, DNS, DHCP, file servers,

1298
01:45:44,080 --> 01:45:49,440
domain controllers. Without gravity they scatter; with gravity they reveal structure. We start with

1299
01:45:49,440 --> 01:45:57,760
purpose: questions, not feeds. Who elevated, when, and from where? Who touched LSASS, with what lineage?

1300
01:45:57,760 --> 01:46:03,200
Which SPNs experience drift in service ticket volume? Who asked the directory to replicate?

1301
01:46:03,200 --> 01:46:08,400
Which trusts carried foreign light? Every component plays a role. Windows Event Forwarding is the

1302
01:46:08,400 --> 01:46:15,040
collector constellation: source-initiated, certificate-bound, tiered. Domain controllers forward to a

1303
01:46:15,040 --> 01:46:20,960
Tier 0 collector, Tier 1 servers to a separate nexus, workstations to a pool that can fail without

1304
01:46:20,960 --> 01:46:26,560
losing sacred light. Collectors forward to SIEM; no single stream becomes a black hole.

1305
01:46:26,560 --> 01:46:34,000
SIEM is the observatory. It normalizes 4688 into command lines, 4624 into identities with device

1306
01:46:34,000 --> 01:46:41,360
and subnet, 4768 and 4769 into a Kerberos heartbeat. It knows owners, tiers, and windows. It turns

1307
01:46:41,360 --> 01:46:47,200
spikes into questions; it turns questions into pages. XDR is the eye that sees motion at the edge:

1308
01:46:47,200 --> 01:46:56,080
kernel telemetry, AMSI, memory scans, attack surface rules. It adds a fast lane for explosion:

1309
01:46:56,080 --> 01:47:04,000
process trees, handle opens, module loads. It remembers families of behavior. It does not replace SIEM; it

1310
01:47:04,000 --> 01:47:10,000
feeds it with detail that Windows logs cannot hold. SOAR is the hand that moves when the page sounds

1311
01:47:10,000 --> 01:47:17,200
true. It isolates a workstation in seconds, it rotates a LAPS password, it disables an account,

1312
01:47:17,200 --> 01:47:23,440
it revokes the certificate, it stops a rogue service. It acts reversibly; it writes provenance.

1313
01:47:24,160 --> 01:47:31,200
We design tiers into the sensors. Tier 0 gets lossless collection: security logs at full fidelity,

1314
01:47:31,200 --> 01:47:40,800
Sysmon tuned for LSASS, drivers, services, PowerShell verbose streams, AD DS access. Tier 1 remains

1315
01:47:40,800 --> 01:47:48,400
dense but selective. Workstations send only what resolves identity, lateral motion, and persistence.

1316
01:47:48,400 --> 01:47:54,640
The telescope must never blind itself. We bind signals to the maps we already drew. Our graph of

1317
01:47:54,640 --> 01:48:01,600
principals to rights becomes enrichment. When 4672 fires, the SIEM already knows the account's tier,

1318
01:48:01,600 --> 01:48:10,080
owner, change window, and last-login cohort. When 4769 spikes for CIFS on mgmt task 01, the

1319
01:48:10,080 --> 01:48:19,920
SIEM overlays Tier 1 SPN, owner operations, window closed, and foreign trust none. False positives fall

1320
01:48:19,920 --> 01:48:28,080
away because context is gravity. We express detections as physics, not signatures. Privilege anomaly:

1321
01:48:28,080 --> 01:48:39,360
4672 from a non-PAW subnet, no approved window, no preceding 4768 from a PAW: page. Harvest chord:

1322
01:48:39,360 --> 01:48:49,360
Sysmon 10 to LSASS by unknown lineage, plus Event 11 dump, plus 7045 service in 10 minutes: page

1323
01:48:49,360 --> 01:48:58,400
and isolate. Replication gravity breach: 4662 DS-Replication-Get-Changes by non-DC principal:

1324
01:48:58,400 --> 01:49:05,760
page, disable principal, plan krbtgt rotation. Cross-realm distortion: 4769 with

1325
01:49:05,760 --> 01:49:13,200
transited services from foreign realm to Tier 1 SPNs, or SID history claims observed:

1326
01:49:13,200 --> 01:49:20,080
page and restrict trust. Kerberoast pressure: sustained 4769 RC4 to service accounts from workstation

1327
01:49:20,080 --> 01:49:26,880
subnets: page and rotate to AES only. We craft lenses: parsers that reveal fields Windows hides behind

1328
01:49:26,880 --> 01:49:37,120
text. SID history in 4769, transited services, Kerberos encryption type, logon type in 4624,

1329
01:49:37,120 --> 01:49:44,000
process parent chain in Sysmon 1, command lines with Base64 decoded when safe, certificate SANs in 487.

1330
01:49:44,000 --> 01:49:54,000
We standardize into a semantic layer: account, device, subnet, tier, owner, window, trust, cohort. Queries

1331
01:49:54,000 --> 01:50:00,960
become simple sentences. We build cohort baselines, not global averages: local gravity. Each SPN has

1332
01:50:00,960 --> 01:50:06,400
its rhythm, each subnet has its cadence, each admin has their maintenance slot. The SIEM learns

1333
01:50:06,400 --> 01:50:15,760
what 4769 looks like for MSSQL fin ledger on Tuesdays. It knows that 7045 on app build 01 is

1334
01:50:15,760 --> 01:50:22,960
normal at 02:00; anything outside the music is a chime. We script SOAR playbooks with humility: first

1335
01:50:22,960 --> 01:50:28,960
actions are reversible and logged. Isolate host in VLAN with the human override, disable account

1336
01:50:28,960 --> 01:50:34,800
with the ticket ID, rotate LAPS on a set of hosts while preserving forensics, stop a service and

1337
01:50:34,800 --> 01:50:41,760
back up the binary, revoke a certificate and publish CRL. Every step records actor, time, reason,

1338
01:50:41,760 --> 01:50:49,760
and rollback. We make resilience a feature. Collectors use disks as buffers; if SIEM sleeps, ingestion

1339
01:50:49,760 --> 01:50:56,800
persists. Agents throttle under pressure with priority queues, domain controllers first. Heartbeats

1340
01:50:56,800 --> 01:51:04,000
prove subscriptions alive; loss pages operators. XDR keeps a day of hot telemetry; SIEM pulls when the

1341
01:51:04,000 --> 01:51:11,840
storm passes. We do not hoard forever; retention follows truth. Tier 0 logs live longer: one year

1342
01:51:11,840 --> 01:51:19,840
searchable, more in cold. Tier 1 less. Workstations roll sooner, but high-signal extracts persist. We

1343
01:51:19,840 --> 01:51:28,000
snapshot anomaly summaries: top talkers, top SPNs, privilege pages. Memory of shape matters more than

1344
01:51:28,000 --> 01:51:35,360
memory of dust. We practice the telescope. Red teams create known chords; blue confirms detection,

1345
01:51:35,360 --> 01:51:44,240
action, and narrative. We run purple exercises around LSASS touch, Kerberoast surges, DCSync, cross

1346
01:51:44,240 --> 01:51:51,680
realm tickets, PAC tamper. We refine rules: we remove noisy ones, we promote quiet, lethal ones. Lab echo:

1347
01:51:51,680 --> 01:52:00,480
low chime, collector health green, domain controllers priority channel true. Base pulse steady, detection

1348
01:52:00,480 --> 01:52:08,000
set: five pages bound to runbooks. The observer speaks: I am the lens. When you tuned me to significance

1349
01:52:08,000 --> 01:52:14,400
and taught my hands to move, I stopped reporting light and started reporting consequence. So,

1350
01:52:14,400 --> 01:52:20,160
tiered administration deep dive. Tiering is not a chart; it is gravity architecture. Identities fall

1351
01:52:20,160 --> 01:52:26,880
according to mass, and we decide which surfaces they can touch. We define three orbits with absolute law.

1352
01:52:27,600 --> 01:52:35,600
Tier 0: custodians of identity and the forces that shape it. Domain controllers, PKI, ADFS, Azure AD

1353
01:52:35,600 --> 01:52:42,640
Connect, schema masters, privileged access infrastructure, break glass. The smallest surface, the strongest

1354
01:52:42,640 --> 01:52:51,200
gravity: nothing enters casually, nothing leaves residue. Tier 1: servers and management planes

1355
01:52:51,200 --> 01:52:58,400
that run business logic: file, print, SQL, IIS, app tiers, management servers, orchestration engines,

1356
01:52:58,400 --> 01:53:06,480
hypervisors. Broad, powerful, dangerous if it leaks upward. Tier 2: user workstations and anything

1357
01:53:06,480 --> 01:53:15,440
humans live inside daily: email, browsers, productivity, developer endpoints. Noisy, creative, fragile. Now

1358
01:53:15,440 --> 01:53:21,520
we bind identities to orbits. Every administrator has separate accounts by tier: daily user for Tier 2,

1359
01:53:21,520 --> 01:53:28,080
a server admin identity for Tier 1, a directory identity for Tier 0. No cross-use, no exceptions.

1360
01:53:28,080 --> 01:53:35,760
Authentication paths respect direction: lower to higher is forbidden, higher to lower is deliberate

1361
01:53:35,760 --> 01:53:43,040
and instrumented. The badge you wear determines which doors recognize you; the floor beneath your feet

1362
01:53:43,040 --> 01:53:48,640
determines what your badge can become. We give the badges a home. Privileged access workstations live in

1363
01:53:48,640 --> 01:53:55,200
Tier 0 and Tier 1, purpose-built. Only Tier 0 accounts can log on to Tier 0 PAWs; only Tier 1 accounts can

1364
01:53:55,200 --> 01:54:00,800
log on to Tier 1 PAWs. Tier 2 never touches them. The PAW does not browse, does not read mail, does not

1365
01:54:00,800 --> 01:54:08,080
run unsigned code. Remote Credential Guard anchors secrets on the PAW; RDP is a beam, not a transfer.

1366
01:54:08,640 --> 01:54:14,800
The workstation is not furniture; it is an altar. We constrain movement with doors that speak clearly:

1367
01:54:14,800 --> 01:54:21,840
from Tier 2 to Tier 1, denied by default. When necessary we use a bastion with MFA and JIT elevation

1368
01:54:21,840 --> 01:54:28,560
that expires in minutes. The bastion does not store credentials; it brokers tokens that die quickly.

1369
01:54:28,560 --> 01:54:36,000
From Tier 1 to Tier 0: denied except for named operations from Tier 0 PAWs wielding Tier 0 identities.

1370
01:54:36,000 --> 01:54:42,320
From Tier 0 to anywhere: only when duty demands, and always from the PAW, never from a server. We translate

1371
01:54:42,320 --> 01:54:50,000
policy into the directory. Admin groups are enumerated by tier: Tier 0 admins, Tier 1 server admins,

1372
01:54:50,000 --> 01:54:59,040
help desk, hypervisor admins, PKI admins, each with scope, logon rights, and machine assignment. Members

1373
01:54:59,040 --> 01:55:05,440
are few, attested, and rotated through approvals. RPC rights, SeDebugPrivilege, and logon rights are

1374
01:55:05,440 --> 01:55:11,440
pruned from broad groups. Backup Operators are not a shortcut to domain control; their rights are

1375
01:55:11,440 --> 01:55:17,120
narrowed and gated by time. We bind machines to their sky. Tier 0 systems live on dedicated

1376
01:55:17,120 --> 01:55:22,480
VLANs with firewall rules that only accept management from Tier 0 PAWs and replication from

1377
01:55:22,480 --> 01:55:30,080
peer controllers; no inbound from app or user subnets. Tier 1 servers accept RDP and WinRM from

1378
01:55:30,080 --> 01:55:37,440
Tier 1 PAWs only, certificate-bound, with logging and session recording. Tier 2 workstations cannot

1379
01:55:37,440 --> 01:55:45,200
speak to server administrative ports. SMB shares require SMB signing and least privilege. We reduce

1380
01:55:45,200 --> 01:55:51,600
credential liquidity: denies on interactive logon for service accounts, denies on RDP for every

1381
01:55:51,600 --> 01:55:57,920
account that does not need it. Local administrator on workstations rotates with LAPS; local administrator

1382
01:55:57,920 --> 01:56:05,280
on servers either does not exist or is random and vaulted. Protected Users for Tier 0 identities

1383
01:56:05,280 --> 01:56:11,920
eliminates NTLM fallback and fragile delegation. Kerberos armoring in the realm that hosts Tier 0;

1384
01:56:11,920 --> 01:56:17,680
ticket lifetimes are shorter for Tier 0 and Tier 1; tokens cool fast. We practice ceremony for

1385
01:56:17,680 --> 01:56:26,320
dangerous acts. Schema change: Tier 0 only, maintenance window, documented rollback, lab rehearsal,

1386
01:56:26,320 --> 01:56:35,200
and an observer. krbtgt rotation: two passes, replication checked, backups validated, monitoring heightened,

1387
01:56:35,200 --> 01:56:44,400
a named conductor. PKI template publish: change board with a PKI-specific quorum, template

1388
01:56:44,400 --> 01:56:53,280
diff reviewed, issuance constraints verified, NTAuth checked. Hypervisor changes: dual control,

1389
01:56:53,280 --> 01:56:59,920
console recording, break-glass keys sealed after test. We draw the administrative plane as a service.

1390
01:56:59,920 --> 01:57:06,160
Management tools do not live on the servers they manage; they live on management hosts bound to tier,

1391
01:57:06,160 --> 01:57:13,600
with agent-based control and minimal inbound. Orchestration runs with gMSA identity scoped to exact

1392
01:57:13,600 --> 01:57:20,880
SPNs and hosts. Logs flow outward; commands flow inward through authenticated, signed channels.

1393
01:57:20,880 --> 01:57:26,880
The toolchain becomes an application with owners, change windows, and tests. We teach the fabric

1394
01:57:26,880 --> 01:57:34,800
to reject drift. GPOs enforce tier boundaries: deny log on locally and deny log on through RDP

1395
01:57:34,800 --> 01:57:39,840
for identities outside their orbit. WDAC or AppLocker enforces what runs on PAWs and Tier 0.

1396
01:57:39,840 --> 01:57:46,640
Firewall GPOs enforce management paths. Detection maps 4672 to subnet and PAW

1397
01:57:46,640 --> 01:57:53,600
status: any privileged logon from a non-PAW is a page; any 4624 type 10 for Tier 0 outside the subnet is

1398
01:57:53,600 --> 01:57:59,680
a page; any 7045 on a domain controller is a page with a name attached. We negotiate with reality

1399
01:57:59,680 --> 01:58:07,040
without surrender. Vendors who demand domain admin meet isolation and JEA; they receive JIT rights

1400
01:58:07,040 --> 01:58:13,680
that create a constrained endpoint with audited commands. Their sessions record; their identities do

1401
01:58:13,680 --> 01:58:20,320
not travel. If the demand persists, the system is boxed until replaced. No tool dictates gravity.

1402
01:58:20,320 --> 01:58:26,960
We close with a simple truth: tiering is culture wearing policy. It only holds if humans agree to be heavier

1403
01:58:26,960 --> 01:58:33,040
in the right places and lighter in others. The observer speaks: I am the hierarchy you drew.

1404
01:58:33,040 --> 01:58:38,720
When you honored my orbits with machines, identities, and time, lateral motion lost momentum,

1405
01:58:38,720 --> 01:58:45,520
privilege ceased to wander, gravity returned to law. Privileged identity patterns. Privilege is

1406
01:58:45,520 --> 01:58:52,160
not a title; it is mass. It bends paths, accelerates motion, and defines what collisions become catastrophe.

1407
01:58:52,160 --> 01:58:59,120
We do not inventory administrators; we inventory gravities. Most people think privileged identity means

1408
01:58:59,120 --> 01:59:07,840
Domain Admin, but they are wrong. Privilege lives in layers and disguises: accounts, tokens, services, groups,

1409
01:59:07,840 --> 01:59:13,680
devices, trust relationships, and tooling. The patterns repeat; when we learn their shapes, we predict their

1410
01:59:13,680 --> 01:59:21,920
orbits. Pattern one: split selves with hard walls. A human carries at least three selves: daily user,

1411
01:59:21,920 --> 01:59:27,840
server operator, directory custodian. The mistake is not having them; the mistake is allowing them to

1412
01:59:27,840 --> 01:59:35,200
leak. Leakage looks like a Tier 0 identity checking email, or a server admin browsing a vendor forum from

1413
01:59:35,200 --> 01:59:41,920
a management host. The correction is ceremony: separate credentials, separate devices, separate

1414
01:59:41,920 --> 01:59:48,640
networks. The daily self never authenticates to servers; the server self never approaches domain

1415
01:59:48,640 --> 01:59:54,080
controllers; the directory self appears only on a PAW inside the smallest orbit. Tokens remain

1416
01:59:54,080 --> 02:00:02,480
where they were minted; gravity holds. Pattern two: service personas as citizens, not ghosts. Service

1417
02:00:02,480 --> 02:00:08,080
accounts are often treated as a blur: shared passwords, broad rights, invisible origins.

1418
02:00:08,080 --> 02:00:15,360
We invert that. Each service principal is a named citizen with a purpose and owner, a scope,

1419
02:00:15,360 --> 02:00:24,960
and an expiration. gMSA by default, logon rights as a service on exact hosts, denied everywhere else:

1420
02:00:24,960 --> 02:00:31,920
no interactive, no RDP, no log on locally. SPNs registered through change, verified unique,

1421
02:00:31,920 --> 02:00:39,440
bound to AES. If a service requires delegation, we constrain it to explicit SPNs; better, we use

1422
02:00:39,440 --> 02:00:44,880
resource-based constrained delegation so the target chooses who may impersonate. A service

1423
02:00:44,880 --> 02:00:52,000
that can become you must be chosen by the service you become. Pattern three: toolchains as identities

1424
02:00:52,000 --> 02:00:59,760
with edges. Build agents, orchestration servers, backup engines, endpoint management: these are vessels

1425
02:00:59,760 --> 02:01:05,360
of concentrated authority. Their technical uses often dwarf domain admins in consequence. We

1426
02:01:05,360 --> 02:01:10,800
board them with passports. Each tool runs under a principal scoped to its function. The plane it

1427
02:01:10,800 --> 02:01:17,200
lives on is tier-bound; its outbound reach is enumerated and enforced by firewall and allow lists;

1428
02:01:17,200 --> 02:01:23,520
its inbound management comes only from PAWs. We treat the tool like a sovereign: logged, attested,

1429
02:01:23,520 --> 02:01:30,320
rehearsed. If it can write configuration to hundreds of servers, it lives under stricter gravity than

1430
02:01:30,320 --> 02:01:38,240
any human. Pattern four: privilege that travels without a badge. Sessions and caches create silent mass.

1431
02:01:38,240 --> 02:01:45,120
An admin logs into a management server, runs a script, leaves. LSASS keeps heat, network providers cache,

1432
02:01:45,120 --> 02:01:51,360
Remote Credential Guard is not present or Restricted Admin is misapplied. Hours later, a low-priv

1433
02:01:51,360 --> 02:01:57,040
foothold becomes a reading of memory. We minimize liquidity: Protected Users for admins,

1434
02:01:57,040 --> 02:02:03,520
Credential Guard where hardware allows, Remote Credential Guard from PAWs, deny delegation on

1435
02:02:03,520 --> 02:02:09,520
admin accounts, deny local caching on privileged endpoints. We shorten ticket lifetimes for Tier 0

1436
02:02:09,520 --> 02:02:16,640
identities so residue decays. Pattern five: delegation as a lens we control. Unconstrained delegation

1437
02:02:16,640 --> 02:02:22,800
is a star that collapses into a singularity: tickets that touch it can be replayed, PACs ferried,

1438
02:02:22,800 --> 02:02:29,520
identity borrowed. We remove it. Constrained delegation narrows to named SPNs; RBCD gives targets

1439
02:02:29,520 --> 02:02:37,840
consent. Then we add humility: services that receive a delegated context revalidate the PAC with the KDC

1440
02:02:37,840 --> 02:02:45,600
or refuse. A forged silver ticket cannot trick a service that trusts the KDC more than it trusts

1441
02:02:45,600 --> 02:02:54,640
the network. Pattern six: group gravity as architecture, not convenience. Groups drift, nesting grows,

1442
02:02:54,640 --> 02:03:03,360
SID history lingers. We collapse to intentional sets: Tier 0 admins, server admins by platform,

1443
02:03:03,360 --> 02:03:09,600
application operators by service, break glass by ritual. We tag them with tier and owner;

1444
02:03:09,600 --> 02:03:16,080
we deny them where they do not belong via GPO: deny log on locally, deny log on through RDP, so

1445
02:03:16,080 --> 02:03:22,720
their mass cannot tumble into wrong rooms. We alert on membership changes like we alert on earthquakes.

1446
02:03:22,720 --> 02:03:29,840
Pattern seven: local administrator as a per-host secret, not a skeleton key. LAPS rotates each

1447
02:03:29,840 --> 02:03:35,760
workstation and server. The readers of that secret are few, audited, and themselves protected.

1448
02:03:35,760 --> 02:03:41,920
Remote UAC ensures that even with local admin, network logons do not silently elevate. Some

1449
02:03:41,920 --> 02:03:49,040
servers have no local administrator at all; management occurs with JEA endpoints and gMSAs.

1450
02:03:49,040 --> 02:03:55,680
Privilege exists, but only for the task, only for the moment. Pattern eight: break glass as a

1451
02:03:55,680 --> 02:04:04,000
comet, seen rarely and recorded always. Emergencies demand speed; panic demands caution. We pre-build

1452
02:04:04,000 --> 02:04:10,720
an account with sufficient mass, seal its credentials in a vault with dual control, and require post

1453
02:04:10,720 --> 02:04:17,680
use rituals: password rotation, sign-offs, log review, and a quiet retelling of why it was needed.

1454
02:04:17,680 --> 02:04:25,360
The comet's path is logged in the sky. Pattern nine: identity propagation through trust. Forests,

1455
02:04:25,360 --> 02:04:31,040
domains, ADFS, cloud bridges: each copies weight across a boundary. We minimize what crosses: selective

1456
02:04:31,040 --> 02:04:36,400
authentication where possible, conditional access at clouds, claims trimmed to what is necessary,

1457
02:04:36,400 --> 02:04:43,600
anti-outdoor prune, SID filtering enabled. The fewer assertions we accept from beyond our galaxy,

1458
02:04:43,600 --> 02:04:50,240
the less our physics can be tricked. Pattern ten: provenance as law. Every privileged identity

1459
02:04:50,240 --> 02:04:59,440
has metadata: owner, purpose, tier, allowed endpoints, allowed times, last review, expiration. The SIEM

1460
02:04:59,440 --> 02:05:04,480
ingests it, the SOAR enforces it. When 4672 appears, we already know whether the mass is

1461
02:05:04,480 --> 02:05:11,680
in the right sky. When it is not, we do not debate: we isolate the object and ask questions after gravity

1462
02:05:11,680 --> 02:05:19,120
is restored. The observer speaks: I am privileged and I am pattern. When you give me shape, I stop leaking;

1463
02:05:19,120 --> 02:05:24,880
when you deny me comfort, I stop wandering; when you bind me to devices, windows, and names, I become

1464
02:05:24,880 --> 02:05:31,600
predictable. The cosmos becomes survivable. DNS integrity and poisoned maps. We navigate by names;

1465
02:05:31,600 --> 02:05:38,880
DNS is our star chart. When the chart lies, ships do not explode; they arrive at the wrong harbor

1466
02:05:38,880 --> 02:05:44,480
and hand over their cargo politely. That is why attackers adore name resolution: it requires no

1467
02:05:44,480 --> 02:05:50,560
bravado; it requires patience and the right bend in the map. Most people think DNS is a directory of

1468
02:05:50,560 --> 02:05:58,240
facts, but time has its own opinion. In Windows, DNS is a living dialogue: dynamic updates, scavenging

1469
02:05:58,240 --> 02:06:05,280
cycles, aging intervals, multi-homed servers, stale records, and plugins that rewrite answers for

1470
02:06:05,280 --> 02:06:11,840
convenience. Each setting becomes a curve; each curve can be exploited. There are three kinds of lies

1471
02:06:11,840 --> 02:06:19,200
in this sky: the forged answer, the coerced question, and the outdated truth that still wins.

1472
02:06:19,200 --> 02:06:25,360
The forged answer is classic poisoning: a rogue host gains the right to assert a name. In many

1473
02:06:25,360 --> 02:06:32,320
estates, dynamic updates are set to nonsecure and secure. That phrase sounds generous; it means

1474
02:06:32,320 --> 02:06:38,800
anonymous. A workstation can register records for names it does not own, or a host with multiple

1475
02:06:38,800 --> 02:06:44,400
NICs can rewrite an A record with an internal address one hour and an attacker's address the

1476
02:06:44,400 --> 02:06:50,160
next. The server thanks it; clients obey. If that name belongs to a file share, an intruder receives

1477
02:06:50,160 --> 02:06:56,800
SMB sessions; if it belongs to a web service, they terminate TLS with a shadow certificate; if it

1478
02:06:56,800 --> 02:07:03,200
belongs to a domain controller alias, the gravity bends. The coerced question is subtler. LLMNR

1479
02:07:03,200 --> 02:07:10,400
and NBNS still whisper on many networks, legacy fallbacks that answer when DNS is slow or names are

1480
02:07:10,400 --> 02:07:16,720
simple. An intruder shouts louder than the real answer and a client believes; credentials flow

1481
02:07:16,720 --> 02:07:24,160
to the wrong responder, then relay begins. We already killed fossils elsewhere; here the echo remains.

1482
02:07:24,160 --> 02:07:32,240
In parallel, WPAD, automatic proxy discovery, can be hijacked with a single record. The browser trusts

1483
02:07:32,240 --> 02:07:39,360
the map; a forged proxy hears every request. The outdated truth is drift made visible. Dynamic DNS

1484
02:07:39,360 --> 02:07:46,240
records age, but scavenging is timid or disabled. A server that moved now points to a void; an old record

1485
02:07:46,240 --> 02:07:51,680
for a name that should be unique still lingers, and round robin delivers clients to the shadow. In

1486
02:07:51,680 --> 02:07:57,680
split-brain DNS, internal and external zones disagree, and a misconfigured forwarder leaks queries

1487
02:07:57,680 --> 02:08:06,560
outward; answers traverse the wrong universe entirely. Lab echo: low chime, DNS update, host app 01

1488
02:08:06,560 --> 02:08:12,880
registered CIFS alias, soft tick, update source workstation subnet.

1489
02:08:12,880 --> 02:08:20,800
Base pulse: zone allows nonsecure updates. Defense begins with binding names to their rightful hosts.

1490
02:08:20,800 --> 02:08:27,200
Secure dynamic updates only: machines authenticate to DNS with their computer accounts; unauthenticated

1491
02:08:27,200 --> 02:08:35,440
updates are refused. DNS scavenging is enabled with clear aging policy: records age, stale entries die.

1492
02:08:36,320 --> 02:08:43,440
Ownership is enforced: only the host, or DHCP acting with credentials, can modify its record. Multi-homed

1493
02:08:43,440 --> 02:08:49,680
servers declare their registration behavior; we constrain to the management or server NIC,

1494
02:08:49,680 --> 02:08:55,280
not the transient test network someone plugged in during a late night. We remove the handheld echoes:

1495
02:08:55,280 --> 02:09:02,880
LLMNR and NBNS are disabled via GPO; WPAD is extinguished by preemptively registering the record to a

1496
02:09:02,880 --> 02:09:09,600
null host or a controlled system, and by browser policy that disables auto-discovery. On the perimeter

1497
02:09:09,600 --> 02:09:16,000
we drop multicast name chatter. The network quiets; the questions become intentional. We make resolution

1498
02:09:16,000 --> 02:09:21,280
deterministic: PAWs, domain controllers and tier services receive host entries for their

1499
02:09:21,280 --> 02:09:27,760
peers only when change windows demand it; otherwise they depend on the secured DNS. DNS forwarding is

1500
02:09:27,760 --> 02:09:35,040
explicit: conditional forwarders for known zones, with DNSSEC validation when resolvers understand it.

1501
02:09:35,040 --> 02:09:40,480
Recursive resolution is not performed by domain controllers for the world; it is performed by

1502
02:09:40,480 --> 02:09:47,280
resolvers built for the task, with cache limits, rate limits and poisoning defenses. We harden the

1503
02:09:47,280 --> 02:09:53,520
servers that hold the map: DNS on domain controllers limits zone transfers to named secondaries,

1504
02:09:53,520 --> 02:10:01,280
signed with TSIG where supported. Any access for Everyone is drift; we close it. Management interfaces

1505
02:10:01,280 --> 02:10:08,480
accept updates only from DHCP or domain controllers. Admin sessions occur from PAWs, not casual terminals.

1506
02:10:08,480 --> 02:10:17,520
Logging is tuned to record updates and signature failures. Event IDs 552, 401, 4515 speak; the telescope

1507
02:10:17,520 --> 02:10:25,520
listens. We constrain aliases that carry power. SPNs bind services to names; that binding must be unique.

1508
02:10:25,520 --> 02:10:33,920
We audit for duplicate SPNs and eliminate collisions. MSSQL sql finance belongs to one principal.

1509
02:10:33,920 --> 02:10:42,160
CNAMEs that point at domain controllers are banned; we use A records and deliberate replication. DFS

1510
02:10:42,160 --> 02:10:49,120
namespaces use FQDNs, not whimsical short names that collide with printers and test hosts. Detection

1511
02:10:49,120 --> 02:10:57,120
becomes cartography. We baseline the zone: number of records, frequency of changes, ownership patterns.

1512
02:10:57,120 --> 02:11:03,280
Sudden bursts of updates from workstation subnets, especially for names that look like services,

1513
02:11:03,280 --> 02:11:13,920
CIFS, HTTP, MSSQL, are a chime. Changes to WPAD, ISATAP or names that control proxies are a page. DNS

1514
02:11:13,920 --> 02:11:23,600
debug logs feed the SIEM. Suspicious updates correlate with 4769 for the target SPN and Sysmon 3 connections

1515
02:11:23,600 --> 02:11:30,240
to the newly asserted address. If SMB signing is off, the map is a weapon; when signing is on, the weapon

1516
02:11:30,240 --> 02:11:37,680
dulls. We teach clients to doubt the easy answer: DNS over TCP when responses grow, channel binding at

1517
02:11:37,680 --> 02:11:45,040
LDAPS and SMB signing prevent relayed sessions from becoming authority. Even when a name resolves to

1518
02:11:45,040 --> 02:11:53,200
an attacker, the service refuses unauthenticated or unsigned exchanges. The map can deceive; the physics

1519
02:11:53,200 --> 02:11:58,960
afterward must not. In the lab we simulate poisoning safely: we flip a record under controlled

1520
02:11:58,960 --> 02:12:06,000
conditions and watch which services follow. We learn who trusts DNS too much: scripts with bare host

1521
02:12:06,000 --> 02:12:12,240
names, legacy apps without certificate pinning, admin habits that use short names on sacred hosts.

1522
02:12:12,240 --> 02:12:18,400
Then we fix the habit, not only the server. The observer speaks: I am the map. When you demanded

1523
02:12:18,400 --> 02:12:25,920
credentials for updates, I stopped accepting rumors. When you silenced LLMNR and NBNS, my whispers

1524
02:12:25,920 --> 02:12:32,800
cease to mislead. When you sign the protocols that followed my answers, my mistakes stop becoming breaches.

1525
02:12:32,800 --> 02:12:39,120
Names are gravity for humans; ensure the stars they reference are real. SMB: supply routes,

1526
02:12:39,120 --> 02:12:45,440
controls and drift. SMB is not a protocol; it is a supply route. It carries files, scripts, agents,

1527
02:12:45,440 --> 02:12:51,680
updates, small packets of intention that become action. When the road is honest, work flows; when

1528
02:12:51,680 --> 02:12:58,320
the route drifts, authority moves quietly in crates with familiar labels. Most people think SMB

1529
02:12:58,320 --> 02:13:05,920
security is a switch, on or off, but time has its own opinion: it is a gradient. Signing requirements,

1530
02:13:05,920 --> 02:13:13,120
dialect negotiation, channel binding, NTLM fallback, share and NTFS permissions, stored credentials,

1531
02:13:13,120 --> 02:13:20,560
client-side caching, printer paths, DFS namespaces: each setting adds or removes gravity; each misalignment

1532
02:13:20,560 --> 02:13:27,360
becomes a slope. We begin with the signature of truth: SMB signing. Without it the route trusts the

1533
02:13:27,360 --> 02:13:32,800
road; with it the cargo is bound to the sender. Require signing on servers, enable on clients, then

1534
02:13:32,800 --> 02:13:40,320
move toward require when the dependency map comes. When signing is firm, relays that once turned

1535
02:13:40,320 --> 02:13:48,880
printers into keys become noise. Channel binding tightens the loop: auth bound to the TLS or session

1536
02:13:48,880 --> 02:13:56,320
credentials cannot be replayed across a different tunnel. Dialect matters: reject SMBv1;

1537
02:13:56,320 --> 02:14:05,360
it is fossil gravity, fragile, chatty, exploitable. Prefer SMB 3.x with encryption where warranted,

1538
02:14:05,360 --> 02:14:11,440
especially across untrusted segments and between tiers. Encryption does not absolve identity,

1539
02:14:11,440 --> 02:14:17,360
but it removes eavesdropping as a weapon. When DFS is in play, sign referrals,

1540
02:14:17,360 --> 02:14:23,120
ensure namespace servers obey the same laws as the targets. Names must not outrun proof.

1541
02:14:23,120 --> 02:14:30,560
Permissions are not taste; they are physics. Share permissions are blunt, NTFS is precise; use both.

1542
02:14:30,560 --> 02:14:37,200
Everyone: Read remains drift even when intention is benign. Replace with Authenticated Users when

1543
02:14:37,200 --> 02:14:43,920
broad read is needed, then scope with NTFS to groups that can be understood at a glance. Remove

1544
02:14:43,920 --> 02:14:50,400
CREATOR OWNER rights from places that host scripts. Deny write on deployment shares to humans who only

1545
02:14:50,400 --> 02:14:58,880
consume. A single writable path on a management share becomes a choreography: drop a copy, scheduled

1546
02:14:58,880 --> 02:15:07,120
task created, service installed, gravity lost. Caches leak: Offline Files and CSC caches leave data

1547
02:15:07,120 --> 02:15:13,280
and metadata where an intruder can harvest patterns. For tier one and management shares, disable

1548
02:15:13,280 --> 02:15:19,440
offline caching. Tools and scripts should be fetched fresh with signatures checked. Do not let the

1549
02:15:19,440 --> 02:15:26,320
past masquerade as the present. Credentials travel in habits: mapped drives with stored passwords

1550
02:15:26,320 --> 02:15:33,760
harden into sediment. We replace persistent mappings with short-lived programmatic access bound to a

1551
02:15:33,760 --> 02:15:40,960
gMSA or JIT elevation from a PAW. The workstation does not keep keys for convenience; the PAW

1552
02:15:40,960 --> 02:15:47,840
requests them for ritual. Remote Credential Guard holds the token at the origin: the server sees

1553
02:15:47,840 --> 02:15:55,840
authority but the secret remains anchored. Spooler paths are notorious: a share that hosts drivers

1554
02:15:55,840 --> 02:16:02,880
and packages becomes a runway for code into kernel land. On servers, printer drivers do not belong

1555
02:16:02,880 --> 02:16:09,600
on file servers; package Point and Print only from signed trusted catalogs. Eliminate legacy Point

1556
02:16:09,600 --> 02:16:15,200
and Print that fetches from arbitrary shares. We have already removed the Spooler from domain

1557
02:16:15,200 --> 02:16:22,160
controllers; we extend that discipline across admin subnets. DFS namespaces must reflect intention,

1558
02:16:22,160 --> 02:16:29,360
not history: use FQDNs, not short names that collide; sign referrals; restrict who can link targets;

1559
02:16:29,360 --> 02:16:36,640
audit name changes. A rogue addition that points to an attacker-controlled host is a quiet detour.

1560
02:16:37,200 --> 02:16:44,720
Verify that each target requires signing and, where possible, encryption. Names are maps; maps must

1561
02:16:44,720 --> 02:16:52,240
bind to physics. We narrow administrative paths: ADMIN$ and C$ are sacred doors, not general

1562
02:16:52,240 --> 02:16:58,720
hallways; only tier-bound PAWs approach them. Local firewall rules deny workstation subnets from

1563
02:16:58,720 --> 02:17:05,680
speaking SMB to servers except to documented shares with explicit business purpose. Copy flows from

1564
02:17:05,680 --> 02:17:12,640
orchestrators that run under gMSA identities with minimal rights, not from a technician's browser session

1565
02:17:12,640 --> 02:17:19,120
and a mapped drive at midnight. Detection listens to rhythm: Sysmon 3 sees SMB connections;

1566
02:17:19,120 --> 02:17:25,280
build allow lists: which subnets may touch which shares. When workstation ranges beam to ADMIN$

1567
02:17:25,280 --> 02:17:32,720
on app servers, chime. Windows logs show 5140 for share access; pair with 4663

1568
02:07:32,720 --> 02:17:38,640
for object access on sensitive paths. A write to a scripts directory followed by 7045

1569
02:17:38,640 --> 02:17:45,440
service creation is the chord of collapse. SMB signing negotiation appears in 300-series

1570
02:17:45,440 --> 02:17:53,040
events on the SMB service log; refusal and negotiate failures, so the telescope can page when

1571
02:17:53,040 --> 02:17:59,440
a client insists on fossils. We practice integrity: package sources are signed; internal repositories

1572
02:17:59,440 --> 02:18:05,360
verify signatures before publishing; script execution on servers respects the signature policy.

1573
02:18:05,360 --> 02:18:12,640
WDAC or AppLocker allows only signed binaries and scripts from trusted paths. A copied file is not

1574
02:18:12,640 --> 02:18:19,760
execution; the engine that runs it decides truth. We isolate noisy legacy: some appliances and old

1575
02:18:19,760 --> 02:18:25,600
applications cannot sign. They live in a quarantine where SMB is permitted only to named peers, with

1576
02:18:25,600 --> 02:18:33,520
translation at a proxy, no path to tier surfaces. Monitoring is heavier: 4776 NTLM

1577
02:18:33,520 --> 02:18:39,920
events correlate with SMB touches to spotlight relays and brute attempts. When the fossil speaks,

1578
02:18:39,920 --> 02:18:49,520
we hear it clearly and contain it. Lab echo, low chime: 5140 share access, mgmt files tools,

1579
02:18:49,520 --> 02:18:57,680
user obstuploy. Soft tick: 4663 write denied to scripts prod. Base pulse eases: SMB

1580
02:18:57,680 --> 02:19:05,040
signing required, encryption negotiated. The observer speaks: I am the route. When you signed my cargo and

1581
02:19:05,040 --> 02:19:12,000
narrowed my roads, contraband stopped arriving as configuration. When you denied casual write, supply

1582
02:19:12,000 --> 02:19:19,920
became deliberate; the universe kept its shape. Group policy: writing the laws. Group policy is not

1583
02:19:19,920 --> 02:19:25,520
configuration; it is gravity made explicit. It defines what is possible, what is forbidden, and what

1584
02:19:25,520 --> 02:19:33,600
happens when doubt appears. When we write GPOs we are not pushing buttons; we are declaring physics

1585
02:19:33,600 --> 02:19:41,680
that every endpoint must obey. We begin with constitution before code. A policy hierarchy exists:

1586
02:19:41,680 --> 02:19:49,920
forest, domain, OU. We decide which tier owns which law. Tier laws live at the Domain Controllers OU

1587
02:19:49,920 --> 02:19:56,560
and a dedicated tier policy node, linked with enforced precision. Tier one laws govern servers by workload

1588
02:19:56,560 --> 02:20:05,520
OU; tier two laws govern workstations by cohort: standard users, developers, kiosks. We avoid the

1589
02:20:05,520 --> 02:20:13,440
root domain link for convenience; gravity should be local, not universal by accident. Order is destiny:

1590
02:20:13,440 --> 02:20:19,920
link order and inheritance produce orbits. We minimize Enforced; we maximize clarity: baseline at

1591
02:20:19,920 --> 02:20:26,720
the top, exceptions near the leaf, and a strict rule: do not link a GPO to multiple places if intent

1592
02:20:26,720 --> 02:20:33,040
differs; clone and name. The same policy should not carry two meanings; humans break laws when names lie.

1593
02:20:33,040 --> 02:20:39,200
We write identity first. Deny log on locally and Deny log on through Remote Desktop Services

1594
02:20:39,200 --> 02:20:46,560
carve tier boundaries into machines: tier accounts cannot land on tier one or tier two; tier one accounts

1595
02:20:46,560 --> 02:20:53,680
cannot touch tier. Service accounts deny interactive and RDP universally. Vendor accounts live in an OU

1596
02:20:53,680 --> 02:20:59,600
with deny rights everywhere except their constrained bastions. These settings are not decoration;

1597
02:20:59,600 --> 02:21:07,600
they are gates. We lock the memory holes: LSA protection is a registry truth, RunAsPPL enabled for tier

1598
02:21:07,600 --> 02:21:15,280
and tier one OUs; Credential Guard via Device Guard policies where hardware allows; disabled WDigest

1599
02:21:15,280 --> 02:21:22,320
via Security Options; remove SeDebugPrivilege from broad groups with Restricted Groups or Group

1600
02:21:22,320 --> 02:21:28,080
Policy Preferences for User Rights Assignment. This is not optional; it is the difference between

1601
02:21:28,080 --> 02:21:35,360
heat and harvest. We turn fossils to stone. Security Options in the baseline: LAN Manager authentication

1602
02:21:35,360 --> 02:21:45,440
level set to refuse LM and NTLMv1, send NTLMv2 only; SMB signing required on servers, enabled on clients;

1603
02:21:45,440 --> 02:21:53,600
LDAP signing required, channel binding enforced for LDAP; NTLM auditing enabled at first,

1604
02:21:53,600 --> 02:22:00,160
then restriction set by policy to block by target list; WebDAV disabled through features;

1605
02:22:00,160 --> 02:22:06,000
Print Spooler service startup set to Disabled on domain controllers and non-printing servers.

1606
02:22:06,000 --> 02:22:13,200
Each item becomes a paragraph in our law. We constrain execution: WDAC or AppLocker policies linked

1607
02:22:13,200 --> 02:22:20,080
to tier and PAW OUs; publisher rules for trusted vendors, path rules for system binaries, script rules

1608
02:22:20,080 --> 02:22:26,160
that allow signed PowerShell only, with script block logging and module logging turned on;

1609
02:22:26,160 --> 02:22:31,200
Constrained Language Mode applied to non-admin tokens through Device Guard policies;

1610
02:22:31,200 --> 02:22:39,120
MSI installs restricted by Always install with elevated privileges set to Disabled.

1611
02:22:39,120 --> 02:22:44,720
The law here says tools run because they are trusted, not because they are present.

1612
02:22:44,720 --> 02:22:52,640
We formalize remote control: WinRM configured by policy to HTTPS only, with certificate mapping to

1613
02:22:52,640 --> 02:22:59,360
computer accounts or explicit admin groups; CredSSP disabled, authentication hardened. RDP:

1614
02:22:59,360 --> 02:23:06,800
Network Level Authentication required, Remote Credential Guard enabled from PAWs, Restricted Admin

1615
02:23:06,800 --> 02:23:14,400
disabled for daily use. Firewall rules defined by GPO per tier: inbound remote admin from PAWs only,

1616
02:23:15,200 --> 02:23:23,840
SMB for documented shares only, deny workstation subnets for admin lanes. A map written in ports is still a law.

1617
02:23:23,840 --> 02:23:30,880
We standardize audit as astronomy. Advanced audit policy replaces legacy success and failure where

1618
02:23:30,880 --> 02:23:40,080
lineage matters: logon/logoff, account logon, account management, DS access, object access for sensitive

1619
02:23:40,080 --> 02:23:47,600
paths, policy change, special logon, authentication policy change, command line logging for process creation,

1620
02:23:47,600 --> 02:23:53,680
PowerShell transcription and deep script logging to a secured share for admins and PAWs, with

1621
02:23:53,680 --> 02:24:00,720
ACLs that administrators cannot modify after the fact. Gravity must be observable. We manage services

1622
02:24:00,720 --> 02:24:08,800
and tasks as rituals. In the server baseline, forbidden services are set Disabled: Fax, Remote Registry,

1623
02:24:08,800 --> 02:24:16,480
WebClient, Spooler where not needed. Scheduled tasks that auto-create junk are pruned via GPP item-level

1624
02:24:16,480 --> 02:24:24,160
targeting. Services that must run under accounts use gMSA, distributed by policy only to hosts in

1625
02:24:24,160 --> 02:24:31,200
scope. No task runs as a human account; the law says machines act as machines, not as people.

1626
02:24:31,200 --> 02:24:36,320
We write names with care: GPO names carry tier, scope and function.

1627
02:24:36,880 --> 02:24:46,800
T0 DC security baseline, T1 server core log, T1 PAW execution control, T2 WS user protections.

1628
02:24:46,800 --> 02:24:53,680
Version numbers track control changes; descriptions link to documentation and change tickets.

1629
02:24:53,680 --> 02:24:58,480
Humans obey laws they understand; they ignore ones that read like riddles.

1630
02:24:59,200 --> 02:25:07,280
We control GPO authorship: delegation is exact; GPO editors tier apply only to tier policies;

1631
02:25:07,280 --> 02:25:14,640
no one person owns creation and link rights. WMI filters live in a separate OU with version control,

1632
02:25:14,640 --> 02:25:20,640
not ad hoc on desktops. Block inheritance where necessary, but only after proving necessity,

1633
02:25:20,640 --> 02:25:26,720
and Enforced is a scalpel, not a hammer. We test in gravity, not in theory: a staging OU mirrors production

1634
02:25:26,720 --> 02:25:33,360
structure; a pilot group of machines inherits the same links, then experiences change first.

1635
02:25:33,360 --> 02:25:39,600
We instrument with Resultant Set of Policy reports and gpresult dumps. We measure boot time, service

1636
02:25:39,600 --> 02:25:45,200
behavior, authentication and audit flow. Only then do we link to production. A law passed without

1637
02:25:45,200 --> 02:25:52,400
rehearsal becomes a comet. We detect drift as treason: regular exports of GPOs to version control,

1638
02:25:52,400 --> 02:25:59,200
hashes recorded, daily compare of link order and Enforced flags, alerts when a GPO changes outside

1639
02:25:59,200 --> 02:26:06,960
a window, when a link is added to the root, when a security option toggles. 4739, 4732 on GPO

1640
02:26:06,960 --> 02:26:14,960
related groups, 513 on GPO processing failures: each becomes a tone; the telescope listens. The observer

1641
02:26:14,960 --> 02:26:21,600
speaks: I am the law you wrote into silicon. When you honored tier, memory, protocol and ritual,

1642
02:26:21,600 --> 02:26:28,800
I did not stifle work; I shaped it. When drift tried to whisper, I rang. Laws do not make us safe; they

1643
02:26:28,800 --> 02:26:36,240
make us predictable, and predictability is survivable gravity. Service accounts: SPN and rights hygiene.

1644
02:26:36,240 --> 02:26:41,920
Service accounts are not background noise; they are small suns. Each SPN is a beam of light that

1645
02:26:41,920 --> 02:26:47,520
binds names to keys, and each right is a vector that decides where that light can land. We do not

1646
02:26:47,520 --> 02:26:53,200
guess their orbits; we draw them. Most people think a service account is a password with a job,

1647
02:26:53,200 --> 02:26:58,800
but they are wrong. A service account is a contract between identity and infrastructure.

1648
02:26:58,800 --> 02:27:04,320
When the contract is vague, gravity drifts; when the contract is explicit, motion is lawful.

1649
02:27:04,320 --> 02:27:10,960
We begin with naming, because names declare ownership. Every service principal carries four truths

1650
02:27:10,960 --> 02:27:19,920
in its name and metadata: application, environment, tier and owner. gMSA SQLfin prod T1 is not

1651
02:27:19,920 --> 02:27:25,920
ornament; it is provenance. The directory stores a description that spells purpose and renewal window;

1652
02:27:25,920 --> 02:27:32,240
the SIEM ingests owner and tier, so pages find humans, not rooms. Then we fix the body: the service

1653
02:27:32,240 --> 02:27:41,680
wears group managed service accounts by default. Passwords rotate without ceremony; entropy is not optional;

1654
02:27:41,680 --> 02:27:49,360
no human knows the secret. Where gMSA is impossible, we impose vaulting, length and rotation windows

1655
02:27:49,360 --> 02:27:55,520
measured in days, not seasons. Interactive logon is denied, RDP is denied, Log on as a service is

1656
02:27:55,520 --> 02:28:01,520
granted only to the hosts that run the workload; logon rights everywhere else are denied explicitly by

1657
02:28:01,520 --> 02:28:07,600
GPO. The account cannot wander. SPNs are the rails: we register only what the workload needs, nothing

1658
02:28:07,600 --> 02:28:16,080
more, and we verify uniqueness. Duplicate SPNs are collisions; collisions are identity loss. CIFS,

1659
02:28:16,080 --> 02:28:24,560
HTTP, MSSQL, LDAP: each entry pairs a name with a principal. We audit for orphaned SPNs where the account

1660
02:28:24,560 --> 02:28:30,800
no longer exists, and for foreign SPNs where a human identity holds a service binding. Humans do not

1661
02:28:30,800 --> 02:28:38,960
carry SPNs; services do. Encryption is the language of the beam: we retire RC4, we enforce AES,

1662
02:28:38,960 --> 02:28:49,280
AES-128 and AES-256, on service accounts that present tickets. Where legacy systems insist on RC4,

1663
02:28:49,280 --> 02:28:55,360
they live in isolation until they learn modern speech. Key material that speaks in fossils is mass

1664
02:28:55,360 --> 02:29:03,040
without structure. Delegation is the lens: unconstrained delegation is removed; constrained delegation lists

1665
02:29:03,040 --> 02:29:10,560
explicit SPNs, and we query it like a map: who may impersonate to what. Resource-based constrained

1666
02:29:10,560 --> 02:29:16,640
delegation moves trust to the target: the receiving service declares who may act on its behalf.

1667
02:29:16,640 --> 02:29:24,480
Then we add the second law: any service that accepts delegated context revalidates the PAC with the KDC.

1668
02:29:24,480 --> 02:29:30,240
Trust does not stop at the proxy; it returns to the source. Rights are not fuzzy: Backup Operators do

1669
02:29:30,240 --> 02:29:37,360
not belong here; debug rights do not belong here; local administrator on hosts is almost never required;

1670
02:29:37,360 --> 02:29:44,240
when it is, we scope to exact servers, time-bound and logged. File system rights follow least privilege:

1671
02:29:44,240 --> 02:29:51,760
read where read, write where write, modify where deployment happens under orchestration identities.

1672
02:29:51,760 --> 02:29:58,800
Services are citizens, not sovereigns. We script the life cycle so gravity does not decay: creation

1673
02:29:58,800 --> 02:30:06,960
through a runbook: request, owner, purpose, tier, SPNs, delegation, rights; approval by the platform owner;

1674
02:30:06,960 --> 02:30:13,840
provision by automation; rotation by policy; review every quarter: still needed, still scoped,

1675
02:30:13,840 --> 02:30:21,360
still AES, still owned; decommission with reversibility: remove SPNs, remove rights, disable, wait, delete.

1676
02:30:21,360 --> 02:30:29,040
The sky keeps no ghosts. Detection watches the beams: 4769 for the account's SPNs becomes a heartbeat;

1677
02:30:29,040 --> 02:30:35,200
the SIEM baselines volume per SPN per cohort; spikes from workstation subnets chime.

1678
02:30:35,200 --> 02:30:41,440
4672 from a service account is a page: privilege attached where no ceremony exists.

1679
02:30:41,440 --> 02:30:47,680
4624 type 2 or type 10 for a service account is a page:

1680
02:30:48,560 --> 02:30:56,240
interactive where it should be headless. Directory Services logs for SPN changes map to change windows;

1681
02:30:56,240 --> 02:31:03,920
outside of them we investigate. Sysmon 13 for registry persistence or 7045 for service install

1682
02:31:03,920 --> 02:31:11,920
under a service identity is a chord: workload or drift. We bind services to machines with exactness:

1683
02:31:11,920 --> 02:31:18,800
GPO delivers Log on as a service only to the OU where the hosts live; firewall rules accept

1684
02:31:18,800 --> 02:31:24,720
inbound only from documented peers; Kerberos constrained delegation is mirrored by network paths.

1685
02:31:24,720 --> 02:31:31,040
Even if a token can reach, the packet cannot without invitation. The identity and the road agree.

1686
02:31:31,040 --> 02:31:37,360
Toolchains receive special law: orchestrators, backup engines, deployment servers run under gMSAs

1687
02:31:37,360 --> 02:31:43,600
with minimal SPNs. DCSync is not a convenience flag; it is a siren, permission granted to none

1688
02:31:43,600 --> 02:31:52,160
except DCs. If backup requires directory read, we grant through a proxy that impersonates on a DC,

1689
02:31:52,160 --> 02:31:57,440
never directly from an app server. Every extended right assigned to a service is documented and

1690
02:31:57,440 --> 02:32:05,040
revalidated in drills. We speak to developers without contempt; we provide a pattern: development gMSA

1691
02:32:05,040 --> 02:32:12,480
for dev, staging gMSA for test, production gMSA for prod. Same name scheme, different rights, different

1692
02:32:12,480 --> 02:32:18,720
OUs, different SPNs. We ship a module that requests temporary elevation through JIT when maintenance

1693
02:32:18,720 --> 02:32:26,880
happens. We remove the excuse that led to one account for everything. Lab echo, low chime: SPN audit,

1694
02:32:26,880 --> 02:32:35,840
MSSQL SQLfin ledger unique, AES only. Soft tick: delegation constrained to CIFS ledger ETL.

1695
02:32:35,840 --> 02:32:45,840
Base pulse steadies: interactive logon denied, 4672 none. The observer speaks: I am the light your services

1696
02:32:45,840 --> 02:32:53,280
emit. When you named me, scoped me and bound me to the right stars, I stopped leaking into the dark;

1697
02:32:53,920 --> 02:33:01,200
misuse became visible; gravity held. Network segmentation and local firewalls. Networks are not oceans;

1698
02:33:01,200 --> 02:33:07,600
they are canals; we choose where water flows. Most people think segmentation is a diagram,

1699
02:33:07,600 --> 02:33:15,840
but time has its own opinion: segmentation is enforcement. Routes, ACLs, stateful inspection,

1700
02:33:15,840 --> 02:33:23,040
and hosts that refuse unsolicited conversation. We do not trust a quiet subnet; we build a subnet

1701
02:33:23,040 --> 02:33:30,240
that cannot speak. We start with the thesis: identity flows inward, management flows downward,

1702
02:33:30,240 --> 02:33:37,040
business flows along named lanes; everything else is denied. Tiered VLANs mirror privilege. Tier

1703
02:33:37,040 --> 02:33:45,200
networks occupy a sealed constellation: domain controllers, PKI and PAWs see one another and the

1704
02:33:45,200 --> 02:33:52,880
replication cores; they do not see user subnets. Tier one servers form application clusters with explicit

1705
02:33:52,880 --> 02:33:59,680
north-south paths from load balancers and east-west lanes only where the workload proves necessity.

1706
02:33:59,680 --> 02:34:09,680
Tier two workstations sit in cohorts, office, developer, kiosk, each with its own walls. A workstation cannot

1707
02:34:09,680 --> 02:34:16,720
reach admin lanes on a server because the path does not exist. Local firewalls make geometry real

1708
02:34:16,720 --> 02:34:23,360
on every host. We define ingress by verb, not by hope: RDP from tier-bound PAWs only;

1709
02:34:23,360 --> 02:34:30,560
WinRM over HTTPS from orchestration identities; SMB to documented shares with signing;

1710
02:34:30,560 --> 02:34:38,080
LDAP only where services demand, and never from workstations; RPC dynamic ports constrained by range

1711
02:34:38,080 --> 02:34:43,120
and allowed peers; SQL from application tiers, not from a browser's whim.

1712
02:34:44,080 --> 02:34:50,720
Egress follows the same law: servers speak to their databases, update sources and telemetry collectors;

1713
02:34:50,720 --> 02:34:57,600
they do not browse. Names do not bypass physics: DNS flows to resolvers, not everywhere; NTP flows from

1714
02:34:57,600 --> 02:35:05,520
a stratum we control; proxies mediate outbound HTTP. Direct internet from servers is a myth we retire.

1715
02:35:05,520 --> 02:35:13,040
If an application must call an external API, we define the destination and port; the rule reads like

1716
02:35:13,040 --> 02:35:19,760
a sentence. We design choke points that listen: internal firewalls and load balancers terminate TLS

1717
02:35:19,760 --> 02:35:26,640
and force SNI, and require client certificates for administrative planes. Microsegmentation,

1718
02:35:26,640 --> 02:35:34,560
host firewalls informed by identity, adds a second net: even when the switch says yes, the kernel says

1719
02:35:34,560 --> 02:35:41,360
no unless the principal and process match the ritual. We treat exceptions as comets, not climates:

1720
02:35:42,000 --> 02:35:48,080
a temporary hole opens with a ticket, a time window and an automated close. The SIEM records the aperture

1721
02:35:48,080 --> 02:35:54,800
and watches; when the window ends, the wall returns without debate. Detection becomes a map of silence:

1722
02:35:54,800 --> 02:36:01,360
Sysmon 3 connections that violate allow lists chime; Windows Filtering Platform logs denied attempts;

1723
02:36:01,360 --> 02:36:10,240
5156, 5157 show permitted and blocked flows; we forward them from tier and management hosts.

1724
02:36:10,240 --> 02:36:18,320
A surge of 445 from workstations to server admin ports becomes a page; a burst of ephemeral RPC

1725
02:36:18,320 --> 02:36:24,480
to domain controllers outside maintenance is gravity failing. We respond with SOAR: quarantine

1726
02:36:24,480 --> 02:36:31,040
the talker, rotate LAPS if needed, and ask why the road appeared. The observer speaks: I am the

1727
02:36:31,040 --> 02:36:37,360
canal you dug. When you shaped water with walls and gates, movement became intention; drift found the

1728
02:36:37,360 --> 02:36:43,600
gate and stopped; gravity favored defense. Response rituals: containment and eviction. Response is not

1729
02:36:43,600 --> 02:36:51,520
panic; response is ceremony. When gravity wobbles we do not sprint; we execute a ritual that preserves

1730
02:36:51,520 --> 02:36:59,520
truth, contains motion and restores shape. We begin with acknowledgement. The telescope sings: 4672

1731
02:36:59,520 --> 02:37:09,600
from a non-PAW, 4769 surging for a sensitive SPN, Sysmon 10 touching LSASS, 4662 replication rights

1732
02:37:09,600 --> 02:37:16,000
by a foreign hand. We log the page, assign a conductor and switch from curiosity to consequence;

1733
02:37:16,000 --> 02:37:22,960
every action from here writes its own provenance. Containment favors precision over spectacle:

1734
02:37:22,960 --> 02:37:30,560
we isolate the talker, not the world. SOAR places the workstation or server in a quarantine plan

1735
02:37:30,560 --> 02:37:38,080
that still allows management and evidence collection. We do not power it off; memory holds the story.

1736
02:37:38,080 --> 02:37:44,320
We snapshot volatile truth: process trees, open handles, network connections, token lists,

1737
02:37:44,320 --> 02:37:50,560
Kerberos cache. On tier and tier one we treat every byte as sacred; the altar remains lit while we move

1738
02:37:50,560 --> 02:37:56,960
around it. We cut the quiet roads first: SMB admin ports from workstation ranges are blocked at the

1739
02:37:56,960 --> 02:38:04,160
firewall if they were not already rdp ingress is limited to produce and bastions with mf a ntlm

1740
02:38:04,160 --> 02:38:11,600
across admin subnet is denied by policy exceptions starting with targets reported by 4776 we close the

1741
02:38:11,600 --> 02:38:17,600
door the intruder currently prefers not every door the network owns we protect credentials before

1742
02:38:17,600 --> 02:38:24,640
we chase them on the compromised host we check lsa protection if run a sppl is false we do not enable

1743
02:38:24,640 --> 02:38:31,040
it mid fight we will lose memory instead we control access collect and only then raise the walls

1744
02:38:31,040 --> 02:38:37,040
we rotate laps on adjacent machines we disable interactive logon for service accounts that had

1745
02:38:37,040 --> 02:38:43,840
sessions nearby we shorten ticket lifetimes by policy on tier identities so residue decays faster

1746
02:38:43,840 --> 02:38:50,720
while we work we decide the blast radius by tier if a tier workstation falls we contain and hunt

1747
02:38:50,720 --> 02:38:57,280
laterally within tier two if a tier one server falls we assume adjacent service accounts and

1748
02:38:57,280 --> 02:39:04,640
management planes are warm we isolate the cluster segment and check orchestration hosts if a tier

1749
02:39:04,640 --> 02:39:13,200
asset even trembles we escalate to forest defense prepare krbtgt rotation audit dc changes check

1750
02:39:13,200 --> 02:39:20,800
7045 and 4739 on domain controllers and verify pk i health the higher the tier the colder our hands

1751
02:39:20,800 --> 02:39:28,000
must be eviction is not deletion it is subtraction of power we remove footholds in order of leverage

1752
02:39:28,000 --> 02:39:35,600
services created by the intruder 7045 are stopped backed up and removed schedule tasks altered are

1753
02:39:35,600 --> 02:39:43,760
exported, diffed, and reset. Startup paths are cleaned under WDAC or AppLocker rules that now refuse

1754
02:39:43,760 --> 02:39:50,240
the binaries even if they reappear. We disable compromised accounts; we do not delete them until the

1755
02:39:50,240 --> 02:39:57,760
audit is complete. Deletion erases trails. We treat identity like radiation. Accounts exposed to

1756
02:39:57,760 --> 02:40:03,680
theft are rotated in a sequence that denies reentry. For user accounts, reset passwords and invalidate

1757
02:40:03,680 --> 02:40:11,760
sessions. For service accounts, rotate gMSA keys by updating the host keying interval and forcing a

1758
02:40:11,760 --> 02:40:20,960
change. For machine accounts, use Reset-ComputerMachinePassword on isolated hosts, mindful of trust

1759
02:40:20,960 --> 02:40:28,960
breaks. For domain controllers we prepare the two-step krbtgt rotation: first reset to invalidate

1760
02:40:28,960 --> 02:40:36,160
current golden tickets, wait for replication and purge, then reset again to invalidate any tickets

1761
02:40:36,160 --> 02:40:41,280
minted between. We schedule this with the conductor, a timer, and an audit of replication health.

1762
02:40:41,280 --> 02:40:48,080
We hunt while we evict. Queries sweep for the chords we know: LSASS access on endpoints in the same

1763
02:40:48,080 --> 02:40:58,160
cohort, 4769 RC4 spikes that reveal Kerberoast attempts, 4662 for replication extended rights,

1764
02:40:58,160 --> 02:41:08,000
4732 membership changes on admin groups, 4719 audit policy changes, 4907 object SACL modifications.

1765
02:41:08,000 --> 02:41:14,160
We follow time. Intruders move after our move; we anticipate and cut their next path. We neutralize

1766
02:41:14,160 --> 02:41:21,120
persistence with gravity, not whack-a-mole. WDAC or AppLocker is moved from audit to enforce on Tier 0 and

1767
02:41:21,120 --> 02:41:27,680
PAWs. For servers we tighten to publisher allow lists where possible and path rules for staging

1768
02:41:27,680 --> 02:41:34,960
directories. We flip GPOs that were waiting: deny logon through RDP for accounts that drifted,

1769
02:41:34,960 --> 02:41:41,920
disable legacy protocols on the OU that hosted the compromised host, enforce SMB signing on shares

1770
02:41:41,920 --> 02:41:48,400
that now matter. We do not rely on manual cleanups; we change the laws. Communication is part of the

1771
02:41:48,400 --> 02:41:55,120
ritual. We state facts without adjectives: scope, signals, actions taken, actions pending. Business leaders

1772
02:41:55,120 --> 02:42:02,240
receive impact and expected recovery windows. Technical owners receive lists: rotate these identities,

1773
02:42:02,240 --> 02:42:08,560
re-image these hosts, move these services to maintenance. The narrative is short, present tense,

1774
02:42:08,560 --> 02:42:14,480
and repeated at intervals that match anxiety with clarity. When re-imaging is required we stage it:

1775
02:42:14,480 --> 02:42:20,880
evidence first, image second, hardening third, controlled reintroduction fourth. Golden images are

1776
02:42:20,880 --> 02:42:29,200
current, with baselines pre-loaded: LSA Protection, Credential Guard, SMB signing, audit policy,

1777
02:42:29,200 --> 02:42:37,840
WDAC policies, firewall rules. Machines rejoin only via management lanes from PAWs. After reentry

1778
02:42:37,840 --> 02:42:44,720
we monitor for abnormal authentication, 4624 and 4768, to catch any

1779
02:42:44,720 --> 02:42:53,520
reuse of old tokens. We prepare for irreversible steps with deliberation. krbtgt rotation includes

1780
02:42:53,520 --> 02:42:59,840
forest functional level check, backup verification, DC health, replication state, timeline for both

1781
02:42:59,840 --> 02:43:06,560
resets, increased logging around 4768 and 4769, and a staffed window. PKI

1782
02:43:06,560 --> 02:43:12,960
revocation includes CRL publishing and application impact testing. Trust modification, selective

1783
02:43:12,960 --> 02:43:19,600
authentication or SID filtering, includes a controlled trial with known access paths. Eviction should

1784
02:43:19,600 --> 02:43:26,240
shrink privilege, not break reality. We close with confession and calibration. Post-incident we write

1785
02:43:26,240 --> 02:43:33,040
what mattered: which control saved time, which gaps created slope, which alerts sang too often or too

1786
02:43:33,040 --> 02:43:39,600
late. We tune. We add missing sensors, we remove noisy ones. We commit to drills, purple exercises that

1787
02:43:39,600 --> 02:43:48,000
replay the chords: DCSync attempt, LSASS touch, NTLM relay, PAC tamper. And we practice the ritual

1788
02:43:48,000 --> 02:43:55,760
so muscle learns what mind already knows. Lab echo, low chime. Quarantine applied: three hosts. Soft tick.

1789
02:43:55,760 --> 02:44:04,880
LAPS rotations completed: twenty-seven. Bass pulse steadies. krbtgt rotation window scheduled

1790
02:44:04,880 --> 02:44:12,080
T+36 hours. The observer speaks: I am the ritual you performed under pressure.

1791
02:44:12,080 --> 02:44:17,280
When you honored order over fear, the fabric bent but did not tear. Eviction is not a chase;

1792
02:44:17,280 --> 02:44:25,680
it is gravity restored. The truth we keep here is the truth we keep: security is not noise, it is

1793
02:44:25,680 --> 02:44:32,160
gravity chosen and renewed. If this spoke to you, stay with us, subscribe, and then go watch the next

1794
02:44:32,160 --> 02:44:37,600
film in this arc, where we map trusts like wormholes and seal them. Bring your team, bring your questions.

1795
02:44:37,600 --> 02:44:39,520
The universe will not secure itself.