
00:00:05 Hi, welcome back.

00:00:07 Here we're presenting on Defending Active Directory Against Cyberattacks.
00:00:11 We're going to look at tactic three, defending your directory.
00:00:14 In the agenda here, we have a couple of parts and a demo.
00:00:17 The first part is going to be Persistence through
00:00:20 Access Control Lists, or ACLs,
00:00:22 which is definitely a risk to your directory.
00:00:24 And we'll go through why and what you can do about it.
00:00:28 Then Josh will take us through a demo in which we can see
00:00:31 an attack using DCSync, and again,
00:00:34 covering what you can do about it.
00:00:36 And finally the second part, and we'll cover all this in this one
00:00:40 module, is to look at other means of persistence.
00:00:46 >> All right, just to recap, earlier we went through
00:00:49 protecting privileged identities.
00:00:53 And we're gonna build upon that now with this section
00:00:56 on defending the directory.
00:01:01 So, first thing I want to discuss is admins that are,
00:01:04 let me say, a little bit less obvious, or
00:01:07 you don't realize they're admins.
00:01:10 And this happens through a number of means that we're
00:01:12 gonna go into a little bit more detail on here.
00:01:15 So one example would be a user that maybe isn't necessarily
00:01:20 a member of any of those privileged groups that people
00:01:24 tend to focus on.
00:01:25 So a lot of customers that I work with,
00:01:28 they get just kind of laser focused on domain admins and
00:01:32 enterprise admins and the built-in admins and the schema admins.
00:01:38 And they think that if I know who's a member in
00:01:43 any one of those groups, I know who my admins are,
00:01:47 which isn't always necessarily the case, because with the way
00:01:51 that Active Directory works, you can delegate access to
00:01:55 different objects through those access control lists.
00:01:59 And here, if I have a user that's maybe not a member of any
00:02:02 one of those groups that we typically think about,
00:02:05 they'll have, if we look back at the slide here, a permission to,
00:02:11 for example, link a GPO to an OU or
00:02:17 a container that contains a tier zero object in it.
00:02:22 So if I could link a GPO to the domain controllers OU where
00:02:28 all my DCs sit, then I could use that to set some settings that
00:02:32 would give me access to it that I didn't previously have.
00:02:35 So now, I go from what appears to be an unprivileged
00:02:39 account to having full control over Active Directory.
00:02:46 Here are some examples of different types of sensitive
00:02:50 objects that we have.
00:02:52 So obviously the ones that we just mentioned,
00:02:54 the ones that people tend to focus on.
00:02:56 But there's that domain controllers OU, our sites,
00:03:00 we can link GPOs to sites as well.
00:03:02 The schema, if I could modify the schema in Active Directory,
00:03:06 I can make it do all sorts of things.
00:03:08 And a lot of products out there actually extend the schema in AD
00:03:13 to add functionality to it.
00:03:14 For example, in our earlier session,
00:03:17 we talked about the local admin password solution.
00:03:20 And that had a schema extension to add two attributes
00:03:24 onto our computer object, so that we could access it and
00:03:27 store our passwords and stuff in there.
00:03:30 Then you also have the configuration partition in AD.
00:03:34 The root domain itself,
00:03:37 which was what we're gonna show in our demo coming up here,
00:03:42 where if I have certain rights to that object in AD,
00:03:47 I can easily gain control, right.
00:03:50 And it'd be less obvious,
00:03:52 because I don't have to be a member of these groups.
00:03:55 All these groups that we're talking about here have
00:03:59 a lot of these rights by default.
00:04:01 They can modify these objects by default, because they're just
00:04:04 the built-in, but they, I can have access outside of it.
00:04:09 So with that, let's get our demo set up here.
00:04:15 All right, and here we're gonna go back to that Mimikatz tool
00:04:18 that we demoed in our earlier session.
00:04:20 This tool by Benjamin Delpy that's used commonly both
00:04:24 by good guys and bad guys.
00:04:26 On the good guy side, we like to use it for
00:04:28 things like doing some penetration testing.
00:04:31 The bad guy side, well,
00:04:32 they use it to do exactly what we're going to demo here.
00:05:00 >> All right, so can you talk us a little bit through
00:05:02 what you're doing?
00:05:02 >> Yeah, so what I'm doing right now is I'm going
00:05:05 to sync with the domain controller,
00:05:09 basically pretending like I am a domain controller.
00:05:13 >> Okay.
00:05:13 >> So that I can get the secrets of this account here.
00:05:16 And I'm gonna actually do this against a couple of
00:05:19 different accounts, just to show that in our last demo,
00:05:23 when we were doing the pass-the-hash,
00:05:25 when I obtained the hash, I was only obtaining what had been
00:05:29 exposed to the workstation I was logged in at.
00:05:32 >> Right. >> With this account,
00:05:34 I have local admin rights to
00:05:38 this computer, but I don't have any rights on the domain.
00:05:43 So here, here's my hash again.
00:05:45 I just took the hash for
00:05:48 the built-in administrator account in the dev domain here.
00:05:53 And if I go over, I'm gonna look here in AD.
00:05:57 And let's take a look at the group membership of this account
00:06:02 that I'm logged in with.
00:06:04 I'm sorry, wrong tab, there we go.
00:06:07 Does it look like I have any privileges?
00:06:10 Not really, right?
00:06:11 I'm only a domain user.
00:06:13 So how am I able to do this?
00:06:15 Well, I'm able to do this because this account has been
00:06:19 delegated a couple of rights at the domain DNS level here.
00:06:25 >> Okay.
00:06:26 >> So let's pull that up real quick.
00:06:29 I'm gonna find, here's the account that we're using.
00:06:32 And if I scroll down through here,
00:06:35 you can see that this account has been granted,
00:06:39 replicating changes and directory changes all.
00:06:44 >> Okay. >> So
00:06:45 one without the other isn't enough.
00:06:47 I have to have both of these rights in order to carry out
00:06:51 this attack, but it's a sneaky way to hide, right?
00:06:55 It just gives us some persistence there,
00:06:57 because most people probably aren't looking at the ACLs
00:07:02 at this level on a regular basis.
00:07:05 And I could leave this as a plant.
00:07:07 Maybe I was doing all my pass-the-hash stuff earlier and
00:07:10 that's what led me to the privileges that I needed to
00:07:13 grant myself these rights.
00:07:15 But now maybe you found some of my other activity, but
00:07:20 I created just this plain looking user account.
00:07:24 That happens on a regular basis in large organizations,
00:07:28 you're creating accounts every day.
00:07:29 >> Mm-hm.
00:07:30 >> Doesn't look suspicious,
00:07:31 it looks just like any other one in there.
00:07:33 >> And again, you said this could be set up by default?
00:07:36 >> No, this one is not set up by default.
00:07:38 So this is kind of an example of what an attacker plant
00:07:42 might look like.
00:07:43 The other thing that might put you in the same situation is,
00:07:47 a lot of organizations have been using Active Directory since it
00:07:52 was released back in 2000.
00:07:54 Maybe they migrated from NT4, and now, they went to 2000, and
00:07:58 then 2003, and then 2008, and now they're on 2012.
00:08:02 And over that time period,
00:08:04 they probably had a lot of turnover in the organization.
00:08:07 The guy that set up AD ten years ago isn't with the company
00:08:10 anymore and
00:08:11 the guy that replaced him also isn't with the company anymore.
00:08:15 And the guy that's doing it now is inheriting a mess,
00:08:19 potentially, from several previous administrators.
00:08:22 And people could have delegated this for
00:08:26 what they thought was a legitimate reason.
00:08:31 And it leaves another attack vector
00:08:34 that is less obvious, right?
00:08:36 >> Got it. >> So that's going with
00:08:37 that non-obvious admin theme that we're talking there.
00:08:40 >> Right. >> So
00:08:40 let's go back into our demo here.
00:08:44 And I'm gonna pull another account there,
00:08:47 just to show that I can pull whatever account that I want
00:08:51 just by specifying the account name.
00:08:53 And I'm gonna go after the krbtgt account.
00:08:57 >> Something we're gonna talk about later.
00:09:00 >> And you see, I get a little bit more
00:09:01 information that scrolled past it with there.
00:09:04 But here again, are my hash and a bunch of other
00:09:10 information that I have for the krbtgt account.
00:09:16 What a lot of people don't realize, I find,
00:09:19 is that this account is actually the most powerful account
00:09:24 in the domain, in AD.
00:09:26 It's not your domain admin account,
00:09:29 it's actually the krbtgt account,
00:09:31 cuz this one can grant tickets to become anything I want.
00:09:35 So with control over this account, I can start doing
00:09:40 golden ticket attacks where I can just give myself
00:09:45 access to impersonate any user that I want.
00:09:48 I can be anything that I want.
00:09:51 And that's the end of our demo here.
00:09:53 So let's go back into our talk.
00:10:01 Well, thank you for showing us that.
00:10:04 Now let's go through the access control basics.
00:10:06 We'll look at the subject, objects,
00:10:08 and the access checks between them.
00:10:12 >> So, with access control, you have a subject, and
00:10:17 this is basically the who.
00:10:19 Who is trying to access something and
00:10:21 then the ACL itself is kind of the what?
00:10:24 What can that object or that person do?
00:10:29 And then the object is what we're trying to access,
00:10:32 what we're trying to modify in this case.
00:10:34 And absolutely everything inside of Active Directory
00:10:38 is an object.
00:10:39 Even the ACLs themselves exist as an object and
00:10:42 these things can be manipulated in a great number of ways
00:10:46 depending on what privileges you have there.
00:10:54 Big thing that you wanna be aware of are those
00:10:56 unintentional administrators, the ones that are not obvious.
00:11:01 And I kinda split those into two different categories.
00:11:04 One of them you can be an admin through nested groups.
00:11:08 So if I am a member of
00:11:13 a group that is inside of one of my privileged groups.
00:11:17 Maybe it was there by accident, somebody added it in.
00:11:21 I have the same
00:11:24 level of privileges as that top level group.
00:11:26 >> Mm-hm. >> The next, I'm sorry, you had?
00:11:28 >> On that point,
00:11:29 is that something that you commonly see at your customers?
00:11:32 >> I have seen that quite a bit, yeah,
00:11:34 where people are nesting groups inside of other ones.
00:11:39 Usually I'll see a couple levels deep.
00:11:44 Yeah, you can get it in there.
00:11:45 >> That sounds like it can get pretty messy at that point.
00:11:48 >> Yeah and that's a reason why you really want to make
00:11:52 sure that you keep a clean directory, right?
00:11:55 Having a clean directory helps it also be a secure directory.
00:11:59 The other thing I see with that is these groups,
00:12:03 or maybe sometimes the members of the groups, are old and
00:12:07 not used anymore.
00:12:09 When it comes down to the membership it's an account from
00:12:13 maybe somebody that left the organization and sometimes,
00:12:17 they may have at least disabled the account,
00:12:19 but it's still a member of these groups that grant privileges.
00:12:24 Other times, the account's still active and the person hasn't
00:12:27 worked there in six months, a year, or whatever.
00:12:30 You gotta clean those things up.
00:12:32 The other thing is maybe a group was created for a specific
00:12:36 purpose, maybe to grant rights to something and that's no
00:12:41 longer necessary but nobody ever got rid of the group.
00:12:44 And the biggest offender I think I see with these
00:12:47 often tends to be service accounts.
00:12:50 People create service accounts and
00:12:52 then they use them all over the place and
00:12:54 then they have no idea where they're being used at.
00:12:57 >> So if you haven't checked out our reducing privilege account
00:13:00 series, or that tactic, go back and watch that, because that
00:13:05 complements a lot of what Josh is saying here right now.
00:13:07 So what's the second category here?
00:13:11 >> The second one I call contest your delegates,
00:13:15 meaning challenge them, right?
00:13:16 Go and find out who has been delegated what privileges.
00:13:20 And find out to go along with that least privileged thing,
00:13:24 do they actually need these rights?
00:13:26 So like the example we saw in the demo there, somebody,
00:13:31 either possibly legitimately or in that case, illegitimately,
00:13:36 was granted rights that gave them a lot of power, right?
00:13:39 They could grab the hash for
00:13:41 any account they wanted to and become that account simply
00:13:45 by having been delegated the replication changes,
00:13:48 and replication changes all rights on that object.
00:13:57 So here, just an example of going in and looking at nested group
00:14:02 membership through the AD users and computers tool here.
00:14:08 I'm looking at the built-in administrators account, or
00:14:12 group, I'm sorry.
00:14:14 And in there you see that there's a group called
00:14:17 Universal Admins.
00:14:19 Which is one that I made up, it doesn't exist by default.
00:14:21 But I can create any group I want, right.
00:14:23 >> Okay. >> And then inside
00:14:24 of the Universal Admins there's one that's called
00:14:28 File Share Admins and inside of that is this user David Ahs.
00:14:33 So here, this user David, not supposed to be a domain
00:14:38 admin but because he's nested into the built-in administrators
00:14:42 group through membership in the file server admins group,
00:14:46 he effectively has domain admin privileges.
00:14:50 Now it could have been an honest mistake here.
00:14:52 Maybe somebody thought that because the File Share Admins
00:14:56 Group had the name admin in it, it belonged in
00:14:58 the Universal Admin Group that is meant for some other purpose.
00:15:02 And they had that in the administrators group,
00:15:06 because people tend to overdo it, right, and then it goes back
00:15:09 into that reducing privileges, and doing least privilege.
00:15:13 But the real intended purpose of this File Share Admin Group
00:15:17 may have just been so that this particular user
00:15:22 had full control of just a share on a file server.
00:15:27 >> Mm-hm. >> He doesn't necessarily need
00:15:29 permissions to administer the server itself or
00:15:31 administer any server for that matter.
00:15:33 >> Right. >> So,
00:15:34 I've seen things like this happen too where people just get
00:15:37 confused on what the purpose of a particular group was and
00:15:40 then they throw it in somewhere else.
00:15:42 And then you end up with these unintended admins.
00:15:46 >> Right.
00:15:47 >> If we look back here, you can also do this through PowerShell.
00:15:52 I find it easier to figure out who's nested in what,
00:15:56 especially when those nests can go several layers deep
00:16:00 by running this PowerShell command in here.
00:16:01 I'm just doing a Get-ADGroupMember and
00:16:04 here I'm looking at the administrators group.
00:16:06 And I put on the recursive switch and
00:16:09 it shows me just the accounts
00:16:12 that are a member in there through recursive membership.
00:16:15 The next, let's go into contesting our delegates.
00:16:22 There's a few different places we wanna look at ACLs on.
00:16:26 First thing you wanna start with is just kind of looking at
00:16:30 the generic permission, so
00:16:32 we have things like full control and write and modify.
00:16:37 Here this is one of the default permissions, so
00:16:40 I'm looking at that File Share Admins and
00:16:43 I can see that account operators has full control over it.
00:16:48 And account operators is one of the groups that you guys talked
00:16:53 about in that earlier session that can
00:16:56 lead to domain admin level privileges.
00:17:01 And here, since this has full control,
00:17:05 it could add, if I'm a member of account operators but
00:17:09 not a member of this File Share Admins,
00:17:11 I could add myself into File Share Admins.
00:17:14 And as we saw in our previous example,
00:17:15 since that is nested into something that gives me domain
00:17:19 admin level privileges, I've now granted myself domain admin
00:17:23 where account operators would not be able to add the account
00:17:27 directly into the domain admins group because it's protected.
00:17:31 >> Effectively that's a means of escalation.
00:17:33 >> It is a means of escalation and
00:17:35 that's what we're looking for out here.
00:17:38 So I don't have to have full control to do that.
00:17:40 I could have any of these other privileges that we show here.
00:17:45 If I have write members that gives me enough
00:17:50 privileges to add membership into this group,
00:17:52 or whichever one I'm looking at here.
00:17:54 The other one, if we're looking at accounts, if a group or
00:18:01 an account has been granted change password on an account
00:18:06 and that account is privileged, I can change the password
00:18:11 on that account and now I own it, I take over it.
00:18:15 Let's take a look at what this might look like in PowerShell.
00:18:21 You can use the Get-Acl cmdlet with Active Directory
00:18:26 as long as you've imported the AD module there.
00:18:29 And you just specify the distinguished name for
00:18:32 the object you want to look at, and then we expand the access
00:18:35 property, and here, I have it just showing me
00:18:40 who has the rights on the object that I'm looking at.
00:18:44 So again, we're looking at that File Share Admins and then
00:18:47 on the right column there we're showing what rights they have.
00:18:50 Now some of the,
00:18:54 like the change password for example, is an extended right.
00:18:58 And you'd have to look a little bit deeper in PowerShell,
00:19:02 not shown on the screen here.
00:19:03 So where we see it says extended right, there's actually
00:19:07 a big long GUID, and these are well documented out on TechNet.
00:19:10 But you can actually look inside of Active Directory itself.
00:19:14 It's stored in the configuration, and
00:19:15 you can figure out what right that GUID maps to.
00:19:20 >> So we're getting down into
00:19:21 the real nitty-gritty details here.
00:19:23 >> We are, we're getting pretty deep on the inner workings of
00:19:26 Active Directory.
00:19:27 >> But based on what you showed us in the demo,
00:19:29 it's super important.
00:19:30 >> It is very important.
00:19:32 So cuz these are all different ways that, like you said,
00:19:36 I could use these to escalate privilege.
00:19:40 And they're not obvious because
00:19:45 it's controlled by the access controllers.
00:19:48 >> Got it.
00:19:50 >> Here we kind of mentioned the gPLink in the intro for
00:19:55 this session here.
00:19:57 This one is a little bit more difficult to dig through and
00:20:02 find.
00:20:03 You have to look at the advanced security properties.
00:20:06 So here I'm looking at the domain controllers OU,
00:20:10 and then I had to go into advanced and
00:20:12 then it doesn't show you gPLink, it says special.
00:20:19 So you have to kind of go through and
00:20:20 find the ones that say special and
00:20:22 bring up the full properties and look and
00:20:25 see if they have this one that I've highlighted here.
00:20:28 The right gPLink
00:20:32 assigned to them.
00:20:34 So if I have that permission, again, I can link a GPO.
00:20:39 And if I can link a GPO I could
00:20:42 create settings inside that GPO that would give me control
00:20:47 over that object like a domain controller.
00:20:52 Next, we're getting into what we actually showed in the demo
00:20:56 there and
00:20:57 there's three different objects inside Active Directory.
00:21:01 The first one here, the DomainDNS,
00:21:04 is what we looked at in the demo when I brought up the properties
00:21:08 for the domain itself.
00:21:09 The other two, the Configuration and the Schema,
00:21:11 I would actually have to use something like ADSI Edit
00:21:15 to go in and view the properties on it.
00:21:19 I can also use PowerShell to do it, too.
00:21:21 I can use the Get-ADObject there.
00:21:25 I have to have both of the rights here,
00:21:27 the DS-Replication-Get-Changes and
00:21:29 DS-Replication-Get-Changes-All.
00:21:32 One without the other doesn't allow me to carry out
00:21:34 the attack.
00:21:35 But, it's really the Replication-Get-Changes-All
00:21:38 that is the most sensitive of the two, cuz the all includes
00:21:43 the secrets is what gives me that hash when I run the attack.
00:21:49 And here's just a screenshot of showing,
00:21:53 this is a little bit easier to see.
00:21:56 I can go into the advanced properties.
00:21:58 We showed it in the demo, too.
00:22:00 Find out who has replicating changes in both that and
00:22:04 get replicating changes.
00:22:06 In PowerShell I'm gonna be posting another script here,
00:22:13 I've got a screenshot of it called Get-DCSyncRights.
00:22:17 And what this one does is it looks at all three of
00:22:20 the objects here and gives me just a list of who's
00:22:24 been granted that level of access.
00:22:27 >> So, you just walked us through a bunch of examples of
00:22:29 what to look out for, right?
00:22:31 >> Yes.
00:22:32 >> Within these ACLs.
00:22:33 Is there a place or a reference maybe on TechNet somewhere
00:22:36 else where customers can go for
00:22:38 more of a complete list of what to look for or more guidance.
00:22:43 Building on these examples?
00:22:45 >> So currently there are lists out there, mostly on MSDN and
00:22:51 a couple of them on TechNet of what all of the default
00:22:56 objects that exist in AD are. >> And what the ACLs
00:23:02 are and what they do, what each right that it does happens.
00:23:07 Zade and I are working on narrowing that list down to show
00:23:13 which ones can actually lead to command and
00:23:18 control of Active Directory cuz that's the ones that we wanna
00:23:20 focus on here for the defense.
00:23:23 Some of the other ones are really not interesting to us
00:23:26 from a defender perspective and they're not interesting to
00:23:29 attackers from an attacker perspective.
00:23:30 >> Right. >> Because they don't give them
00:23:32 the privileges that they're seeking or
00:23:34 a way to escalate to them so that's not available yet but
00:23:38 it's coming soon and >> We'll add that into the site
00:23:42 here where these videos will be, when everybody's watching.
00:23:46 >> Is that also part of the ADSH services offering?
00:23:50 >> That is part of that offering, yeah.
00:23:51 So that's where we're starting out with it at.
00:23:55 >> Cool, look forward to seeing that, thank you.
00:24:00 Okay, so now let's talk a little bit more about some other means
00:24:04 of persistence.
00:24:06 The first thing we have is AdminSDHolder.
00:24:11 In all those default accounts that we talked, or the default
00:24:15 privileged groups that we talked about, your domain admins and
00:24:18 enterprise admins are protected by AdminSDHolder.
00:24:23 So if I go in and modify an ACL on top of
00:24:30 domain admins, as soon as the SDProp process runs,
00:24:35 it's going to undo that change.
00:24:38 So it's a good protection mechanism for those groups, but
00:24:44 as you saw, it doesn't apply to the nested groups.
00:24:49 So, that's why looking for
00:24:51 those nested groups is really important.
00:24:53 It's better to have an account be a direct member
00:24:58 of something like domain admins than to be
00:25:01 a member through nesting, cuz once you get to those nested levels,
00:25:05 you start losing these AdminSDHolder protections.
00:25:08 >> Okay. >> One of the other things you
00:25:09 gotta look for too, though, so those additional groups that we
00:25:13 talked about, the account operators and server operators
00:25:18 and backup operators and print operators.
00:25:23 So those four by default are protected by AdminSDHolder and
00:25:29 each one of those could be used in a different way for
00:25:31 that privilege escalation.
00:25:33 But it is also possible to exclude those from AdminSDHolder
00:25:37 protection.
00:25:38 So going back into that scenario
00:25:43 where you've had that changeover in your administrators.
00:25:46 You know, you could have had somebody one or two admins ago,
00:25:49 that, for whatever reason,
00:25:52 decided to exclude those groups from protection.
00:25:56 And now, I can modify the ACLs on them and the SDProp
00:26:02 process is not gonna remove them. >> Okay.
00:26:04 >> So there's another persistence mechanism.
00:26:06 So we do have a script that we'll be posting and linking to,
00:26:11 that checks to see if any of those have been excluded.
00:26:17 All right, so now we're going to talk again about the KRBTGT.
00:26:19 We kind of mentioned it briefly earlier.
00:26:22 So this is an account that is used for granting tickets.
00:26:26 It's our ticket granting ticket.
00:26:28 So we use this, well attackers use this for
00:26:32 things like the golden ticket attack that we mentioned.
00:26:35 There is also another one called silver
00:26:37 ticket and
00:26:38 we have some references at the end of the deck here.
00:26:41 Some very good write-ups by Sean Metcalf on KRBTGT,
00:26:46 the golden ticket attack, and
00:26:48 the silver ticket attack on his ADSecurity.org blog.
00:26:53 If adversaries use this, they can, like I said,
00:26:56 forge any ticket that they want, if they get ahold of that and
00:26:59 do that golden ticket attack.
00:27:01 One thing that you wanna do with this account is periodically
00:27:06 roll the password on it, reset the password on it.
00:27:09 You need to do a double reset with that.
00:27:13 And the reason that we do that double reset is because there's
00:27:16 an n-1 history in there.
00:27:19 So we gotta roll it that second time to kinda flush that out.
00:27:23 And one of the main scenarios that we do this in is in
00:27:27 a recovery event where we're trying to evict the bad guys.
00:27:31 But we're now actually recommending that you do it
00:27:34 on a fairly regular basis just to.
00:27:38 Even if you don't know you're currently compromised,
00:27:42 we can do this proactively to help reduce the potential
00:27:47 of compromise there.
00:27:48 >> And is there a script that we provide here to help
00:27:51 our customers with that?
00:27:52 >> Yeah. So
00:27:53 there is a script that will walk you through the reset process.
00:27:58 And it actually does a bunch of checks and makes sure that
00:28:02 the environment is healthy and ready to do the reset.
00:28:06 Because if you mess it up you're gonna break AD, and everything.
00:28:11 >> Okay. >> You have to be very careful
00:28:13 what they have, and that script is very excellent at helping you
00:28:16 do it in a cautious manner.
00:28:19 >> And be fully prepared.
00:28:20 Awesome.
00:28:23 All right.
00:28:23 Well, that wraps up this tactic for defending your directory.
00:28:29 We're going into the next tactic, defending your
00:28:32 domain controllers, and that's coming up next.
00:28:35 And here are some of those resources that we mentioned,
00:28:39 though again all the write-ups on KRBTGT and all the attacks,
00:28:44 they are from Sean Metcalf.
00:28:46 A very good reference on the AdminSDHolder,
00:28:50 that reference is actually the one that I used to build
00:28:53 the script that we're talking about there.
00:28:56 And then, the guidance and
00:28:57 script on resetting the account is here as well.
00:29:01 And then we have the reference on some
00:29:05 of the rights that are in the schema in AD [INAUDIBLE] there.
00:29:09 >> Great, and don't forget you can reach out to us at CyberRFI
00:29:12 if you're interested in, >> Learning more or
00:29:15 engaging Microsoft services to help with some of our offerings.
00:29:19 >> Right, you might even get to work with folks like Claire and
00:29:22 myself and Zaid if you engage in that.
00:29:25 >> Thank you for joining.
