00:00:07 presenting on Defending Active Directory Against Cyberattacks.
00:00:11 We're going to look at tactic three, defending your directory.
00:00:14 In the agenda here, we have a couple of parts and a demo.
00:00:17 The first part is going to be Persistence through
00:00:20 Access Control Lists, or ACLs,
00:00:22 which is definitely a risk to your directory.
00:00:24 And we'll go through why and what you can do about it.
00:00:28 Then Josh will take us through a demo in which we can see
00:00:31 an attack using DCSync, and again,
00:00:34 covering what you can do about it.
00:00:36 And finally the second part, and we'll cover all this in this one
00:00:40 module, is to look at other means of persistence.
00:00:46 >> All right, just to recap, earlier we went through
00:00:49 protecting privileged identities.
00:00:53 And we're gonna build upon that now with this section
00:00:56 on defending the directory.
00:01:01 So, first thing I want to discuss is admins that are,
00:01:04 let's say, a little bit less obvious, or
00:01:07 you don't realize they're admins.
00:01:10 And this happens through a number of means that we're
00:01:12 gonna go into a little bit more detail on here.
00:01:15 So one example would be a user that maybe isn't necessarily
00:01:20 a member of any of those privileged groups that people
00:01:24 tend to focus on.
00:01:25 So a lot of customers that I work with,
00:01:28 they get just kind of laser focused on domain admins and
00:01:32 enterprise admins and the built-in admins and the schema admins.
00:01:38 And they think that if I know who's a member in
00:01:43 any one of those groups, I know who my admins are,
00:01:47 which isn't always necessarily the case, because with the way
00:01:51 that Active Directory works, you can delegate access to
00:01:55 different objects through those access control lists.
00:01:59 And here, if I have a user that's maybe not a member of any
00:02:02 one of those groups that we typically think about,
00:02:05 they'll have, if we look back at the slide here, a permission to,
00:02:11 for example, link a GPO to an OU or
00:02:17 a container that contains a tier zero object in it.
00:02:22 So if I could link a GPO to the Domain Controllers OU where
00:02:28 all my DCs sit, then I could use that to set some settings that
00:02:32 would give me access to it that I didn't previously have.
00:02:35 So now, I go from what appears to be an unprivileged
00:02:39 account to having full control over Active Directory.
00:02:46 Here are some examples of different types of sensitive
00:02:50 objects that we have.
00:02:52 So obviously the ones that we just mentioned,
00:02:54 the ones that people tend to focus on.
00:02:56 But there's that Domain Controllers OU, our sites,
00:03:00 we can link GPOs to sites as well.
00:03:02 The schema, if I could modify the schema in Active Directory,
00:03:06 I can make it do all sorts of things.
00:03:08 And a lot of products out there actually extend the schema in AD
00:03:13 to add functionality to it.
00:03:14 For example, in our earlier session,
00:03:17 we talked about the Local Admin Password Solution.
00:03:20 And that had a schema extension to add two attributes
00:03:24 onto our computer object, so that we could access it and
00:03:27 store our passwords and stuff in there.
00:03:30 Then you also have the configuration partition in AD.
00:03:34 The root domain itself,
00:03:37 which was what we're gonna show in our demo coming up here,
00:03:42 where if I have certain rights to that object in AD,
00:03:47 I can easily gain control, right.
00:03:50 And it'd be less obvious,
00:03:52 because I don't have to be a member of these groups.
00:03:55 All these groups that we're talking about here have
00:03:59 a lot of these rights by default.
00:04:01 They can modify these objects by default, because they're just
00:04:04 the built-in, but they, I can have access outside of it.
00:04:09 So with that, let's get our demo set up here.
00:04:15 All right, and here we're gonna go back to that Mimikatz tool
00:04:18 that we demoed in our earlier session.
00:04:20 This tool by Benjamin Delpy that's used commonly both
00:04:24 by good guys and bad guys.
00:04:26 On the good guy side, we like to use it for
00:04:28 things like doing some penetration testing.
00:04:31 The bad guy side, well,
00:04:32 they use it to do exactly what we're going to demo here.
00:05:00 >> All right, so can you talk us a little bit through
00:05:02 what you're doing?
00:05:02 >> Yeah, so what I'm doing right now is I'm going
00:05:05 to sync with the domain controller,
00:05:09 basically pretending like I am a domain controller.
00:05:13 >> Okay.
00:05:13 >> So that I can get the secrets of this account here.
00:05:16 And I'm gonna actually do this against a couple of
00:05:19 different accounts, just to show that in our last demo,
00:05:23 when we were doing the pass-the-hash,
00:05:25 when I obtained the hash, I was only obtaining what had been
00:05:29 exposed to the workstation I was logged in at.
00:05:32 >> Right. >> With this account,
00:05:34 I have local admin rights to
00:05:38 this computer, but I don't have any rights on the domain.
00:05:43 So here, here's my hash again.
00:05:45 I just took the hash for
00:05:48 the built-in administrator account in the dev domain here.
00:05:53 And if I go over, I'm gonna look here in AD.
00:05:57 And let's take a look at the group membership of this account
00:06:02 that I'm logged in with.
00:06:04 I'm sorry, wrong tab, there we go.
00:06:07 Does it look like I have any privileges?
00:06:10 Not really, right?
00:06:11 I'm only a domain user.
00:06:13 So how am I able to do this?
00:06:15 Well, I'm able to do this because this account has been
00:06:19 delegated a couple of rights at the domain DNS level here.
00:06:25 >> Okay.
00:06:26 >> So let's pull that up real quick.
00:06:29 I'm gonna find, here's the account that we're using.
00:06:32 And if I scroll down through here,
00:06:35 you can see that this account has been granted,
00:06:39 replicating changes and directory changes all.
00:06:44 >> Okay. >> So
00:06:45 one without the other isn't enough.
00:06:47 I have to have both of these rights in order to carry out
00:06:51 this attack, but it's a sneaky way to hide, right?
00:06:55 It just gives us some persistence there,
00:06:57 because most people probably aren't looking at the ACLs
00:07:02 at this level on a regular basis.
00:07:05 And I could leave this as a plant.
00:07:07 Maybe I was doing all my pass-the-hash stuff earlier and
00:07:10 that's what led me to the privileges that I needed to
00:07:13 grant myself these rights.
00:07:15 But now maybe you found some of my other activity, but
00:07:20 I created just this plain looking user account.
00:07:24 That happens on a regular basis in large organizations,
00:07:28 you're creating accounts every day.
00:07:29 >> Mm-hm.
00:07:30 >> Doesn't look suspicious,
00:07:31 it looks just like any other one in there.
00:07:33 >> And again, you said this could be set up by default?
00:07:36 >> No, this one is not set up by default.
00:07:38 So this is kind of an example of what an attacker plant
00:07:42 might look like.
00:07:43 The other thing that might put you in the same situation is,
00:07:47 a lot of organizations have been using Active Directory since it
00:07:52 was released back in 2000.
00:07:54 Maybe they migrated from NT4, and now, they went to 2000, and
00:07:58 then 2003, and then 2008, and now they're on 2012.
00:08:02 And over that time period,
00:08:04 they probably had a lot of turnover in the organization.
00:08:07 The guy that set up AD ten years ago isn't with the company
00:08:10 anymore and
00:08:11 the guy that replaced him also isn't with the company anymore.
00:08:15 And the guy that's doing it now is inheriting a mess,
00:08:19 potentially, from several previous administrators.
00:08:22 And people could have delegated this for
00:08:26 what they thought was a legitimate reason.
00:08:31 And it leaves another attack vector
00:08:34 that is less obvious, right?
00:08:36 >> Got it. >> So that's going with
00:08:37 that non-obvious admin theme that we're talking there.
00:08:40 >> Right. >> So
00:08:40 let's go back into our demo here.
00:08:44 And I'm gonna pull another account there,
00:08:47 just to show that I can pull whatever account that I want
00:08:51 just by specifying the account name.
00:08:53 And I'm gonna go after the krbtgt account.
00:08:57 >> Something we're gonna talk about later.
00:09:00 >> And you see, I get a little bit more
00:09:01 information that scrolled past it with there.
00:09:04 But here again, are my hash and a bunch of other
00:09:10 information that I have for the krbtgt account.
00:09:16 What a lot of people don't realize, I find,
00:09:19 is that this account is actually the most powerful account
00:09:24 in the domain, in AD.
00:09:26 It's not your domain admin account,
00:09:29 it's actually the krbtgt account,
00:09:31 cuz this one can grant tickets to become anything I want.
00:09:35 So with control over this account, I can start doing
00:09:40 golden ticket attacks where I can just give myself
00:09:45 access to impersonate any user that I want.
00:09:48 I can be anything that I want.
00:09:51 And that's the end of our demo here.
00:09:53 So let's go back into our talk.
00:10:01 >> Well, thank you for showing us that.
00:10:04 Now let's go through the access control basics.
00:10:06 We'll look at the subject, objects,
00:10:08 and the access checks between them.
00:10:12 >> So, with access control, you have a subject, and
00:10:17 this is basically the who.
00:10:19 Who is trying to access something and
00:10:21 then the ACL itself is kind of the what?
00:10:24 What can that object or that person do?
00:10:29 And then the object is what we're trying to access,
00:10:32 what we're trying to modify in this case.
00:10:34 And absolutely everything inside of Active Directory
00:10:38 is an object.
00:10:39 Even the ACLs themselves exist as an object and
00:10:42 these things can be manipulated in a great number of ways
00:10:46 depending on what privileges you have there.
00:10:54 Big thing that you wanna be aware of are those
00:10:56 unintentional administrators, the ones that are not obvious.
00:11:01 And I kinda split those into two different categories.
00:11:04 One of them you can be an admin through nested groups.
00:11:08 So if I am a member of
00:11:13 a group that is inside of one of my privileged groups.
00:11:17 Maybe it was there by accident, somebody added it in.
00:11:21 I have the same
00:11:24 level of privileges as that top level group.
00:11:26 >> Mm-hm. >> The next, I'm sorry, you had?
00:11:28 >> On that point,
00:11:29 is that something that you commonly see at your customers?
00:11:32 >> I have seen that quite a bit, yeah,
00:11:34 where people are nesting groups inside of other ones.
00:11:39 Usually I'll see a couple levels deep.
00:11:44 Yeah, you can get it in there.
00:11:45 >> That sounds like it can get pretty messy at that point.
00:11:48 >> Yeah and that's a reason why you really want to make
00:11:52 sure that you keep a clean directory, right?
00:11:55 Having a clean directory helps it also be a secure directory.
00:11:59 The other thing I see with that is these groups,
00:12:03 or maybe sometimes the members of the groups, are old and
00:12:07 not used anymore.
00:12:09 When it comes down to the membership it's an account from
00:12:13 maybe somebody that left the organization and sometimes,
00:12:17 they may have at least disabled the account,
00:12:19 but it's still a member of these groups that grant privileges.
00:12:24 Other times, the account's still active and the person hasn't
00:12:27 worked there in six months, a year, or whatever.
00:12:30 You gotta clean those things up.
00:12:32 The other thing is maybe a group was created for a specific
00:12:36 purpose, maybe to grant rights to something and that's no
00:12:41 longer necessary but nobody ever got rid of the group.
00:12:44 And the biggest offender I think I see with these
00:12:47 often tends to be service accounts.
00:12:50 People create service accounts and
00:12:52 then they use them all over the place and
00:12:54 then they have no idea where they're being used at.
00:12:57 >> So if you haven't checked out our reducing privilege account
00:13:00 series, or that tactic, go back and watch that, because that
00:13:05 complements a lot of what Josh is saying here right now.
00:13:07 So what's the second category here?
00:13:11 >> The second one I call contest your delegates,
00:13:15 meaning challenge them, right?
00:13:16 Go and find out who has been delegated what privileges.
00:13:20 And find out, to go along with that least privilege thing,
00:13:24 do they actually need these rights?
00:13:26 So like the example we saw in the demo there, somebody,
00:13:31 either possibly legitimately or in that case, illegitimately,
00:13:36 was granted rights that gave them a lot of power, right?
00:13:39 They could grab the hash for
00:13:41 any account they wanted to and become that account simply
00:13:45 by having been delegated the replication changes,
00:13:48 and replication changes all rights on that object.
00:13:57 So here, just an example of going in and looking at nested group
00:14:02 membership through the AD Users and Computers tool here.
00:14:08 I'm looking at the built-in administrator's account, or
00:14:12 group, I'm sorry.
00:14:14 And in there you see that there's a group called
00:14:17 Universal Admins.
00:14:19 Which is one that I made up, it doesn't exist by default.
00:14:21 But I can create any group I want, right.
00:14:23 >> Okay. >> And then inside
00:14:24 of the Universal Admins there's one that's called
00:14:28 File Share Admins and inside of that is this user David Ahs.
00:14:33 So here, this user David, not supposed to be a domain
00:14:38 admin but because he's nested into the built-in administrators
00:14:42 group through membership in the file server admins group,
00:14:46 he effectively has domain admin privileges.
00:14:50 Now it could have been an honest mistake here.
00:14:52 Maybe somebody thought that because the File Share Admins
00:14:56 group had the name admin in it, it belonged in
00:14:58 the Universal Admins group that is meant for some other purpose.
00:15:02 And they had that in the administrators group,
00:15:06 because people tend to overdo it, right, and then it goes back
00:15:09 into that reducing privileges, and doing least privilege.
00:15:13 But the real intended purpose of this File Share Admins group
00:15:17 may have just been so that this particular user
00:15:22 had full control of just a share on a file server.
00:15:27 >> Mm-hm. >> He doesn't necessarily need
00:15:29 permissions to administer the server itself or
00:15:31 administer any server for that matter.
00:15:33 >> Right. >> So,
00:15:34 I've seen things like this happen too where people just get
00:15:37 confused on what the purpose of a particular group was and
00:15:40 then they throw it in somewhere else.
00:15:42 And then you end up with these unintended admins.
00:15:46 >> Right.
00:15:47 >> If we look back here, you can also do this through PowerShell.
00:15:52 I find it easier to figure out who's nested in what,
00:15:56 especially when those nests can go several layers deep
00:16:00 by running this PowerShell command in here.
00:16:01 I'm just doing a Get-ADGroupMember and
00:16:04 here I'm looking at the administrators group.
00:16:06 And I put on the recursive switch and
00:16:09 it shows me just the accounts
00:16:12 that are a member in there through recursive membership.
00:16:15 The next, let's go into contesting our delegates.
00:16:22 There's a few different places we wanna look at ACLs on.
00:16:26 First thing you wanna start with is just kind of looking at
00:16:30 the generic permission, so
00:16:32 we have things like full control and write and modify.
00:16:37 Here this is one of the default permissions, so
00:16:40 I'm looking at that File Share Admins and
00:16:43 I can see that account operators has full control over it.
00:16:48 And account operators is one of the groups that you guys talked
00:16:53 about in that earlier session that can
00:16:56 lead to domain admin level privileges.
00:17:01 And here, since this has full control,
00:17:05 it could add, if I'm a member of account operators but
00:17:09 not a member of this File Share Admins,
00:17:11 I could add myself into File Share Admins.
00:17:14 And as we saw in our previous example,
00:17:15 since that is nested into something that gives me domain
00:17:19 admin level privileges, I've now granted myself domain admin
00:17:23 where account operators would not be able to add the account
00:17:27 directly into the domain admins group because it's protected.
00:17:31 >> Effectively that's a means of escalation.
00:17:33 >> It is a means of escalation and
00:17:35 that's what we're looking for out here.
00:17:38 So I don't have to have full control to do that.
00:17:40 I could have any of these other privileges that we show here.
00:17:45 If I have write members that gives me enough
00:17:50 privileges to add membership into this group,
00:17:52 or whichever one I'm looking at here.
00:17:54 The other one, if we're looking at accounts, if a group or
00:18:01 an account has been granted change password on an account
00:18:06 and that account is privileged, I can change the password
00:18:11 on that account and now I own it, I take over it.
00:18:15 Let's take a look at what this might look like in PowerShell.
00:18:21 You can use the Get-Acl cmdlet with Active Directory
00:18:26 as long as you've imported the AD module there.
00:18:29 And you just specify the distinguished name for
00:18:32 the object you want to look at, and then we expand the access
00:18:35 property, and here, I have it just showing me
00:18:40 who has the rights on the object that I'm looking at.
00:18:44 So again, we're looking at that File Share Admins and then
00:18:47 on the right column there we're showing what rights they have.
00:18:50 Now some of the,
00:18:54 like the change password for example, is an extended right.
00:18:58 And you'd have to look a little bit deeper in PowerShell,
00:19:02 not shown on the screen here.
00:19:03 So where we see it says extended right, there's actually
00:19:07 a big long GUID, and these are well documented out on TechNet.
00:19:10 But you can actually look inside of Active Directory itself.
00:19:14 It's stored in the configuration, and
00:19:15 you can figure out what right that GUID maps to.
00:19:20 >> So we're getting down into
00:19:21 the real nitty-gritty details here.
00:19:23 >> We are, we're getting pretty deep on the inner workings of
00:19:26 Active Directory.
00:19:27 >> But based on what you showed us in the demo,
00:19:29 it's super important.
00:19:30 >> It is very important.
00:19:32 So cuz these are all different ways that, like you said,
00:19:36 I could use these to escalate privilege.
00:19:40 And they're not obvious because
00:19:45 it's controlled by the access controllers.
00:19:48 >> Got it.
00:19:50 >> Here we kind of mentioned the gPLink in the intro for
00:19:55 this session here.
00:19:57 This one is a little bit more difficult to dig through and
00:20:02 find.
00:20:03 You have to look at the advanced security properties.
00:20:06 So here I'm looking at the Domain Controllers OU,
00:20:10 and then I had to go into advanced and
00:20:12 then it doesn't show you gPLink, it says special.
00:20:19 So you have to kind of go through and
00:20:20 find the ones that say special and
00:20:22 bring up the full properties and look and
00:20:25 see if they have this one that I've highlighted here.
00:20:28 The right gPLink.
00:20:32 Assigned to them.
00:20:34 So if I have that permission, again, I can link a GPO.
00:20:39 And if I can link a GPO I could
00:20:42 create settings inside that GPO that would give me control
00:20:47 over that object like a domain controller.
00:20:52 Next, we're getting into what we actually showed in the demo
00:20:56 there and
00:20:57 there's three different objects inside Active Directory.
00:21:01 The first one here, the DomainDNS,
00:21:04 is what we looked at in the demo when I brought up the properties
00:21:08 for the domain itself.
00:21:09 The other two, the Configuration and the Schema,
00:21:11 I would actually have to use something like ADSI Edit
00:21:15 to go in and view the properties on it.
00:21:19 I can also use PowerShell to do it, too.
00:21:21 I can use the Get-ADObject there.
00:21:25 I have to have both of the rights here,
00:21:27 the DS-Get-Replication-Changes and
00:21:29 DS-Get-Replication-Changes-All.
00:21:32 One without the other doesn't allow me to carry out
00:21:34 the attack.
00:21:35 But, it's really the get-replication-changes-all
00:21:38 that is the most sensitive of the two, cuz the all includes
00:21:43 the secrets, is what gives me that hash when I run the attack.
00:21:49 And here's just a screenshot of showing,
00:21:53 this is a little bit easier to see.
00:21:56 I can go into the advanced properties.
00:21:58 We showed it in the demo, too.
00:22:00 Find out who has replicating changes in both that and
00:22:04 get replicating changes.
00:22:06 In PowerShell I'm gonna be posting another script here,
00:22:13 I've got a screenshot of it called Get-DCSyncRights.
00:22:17 And what this one does is it looks at all three of
00:22:20 the objects here and gives me just a list of who's
00:22:24 been granted that level of access.
00:22:27 >> So, you just walked us through a bunch of examples of
00:22:29 what to look out for, right?
00:22:31 >> Yes.
00:22:32 >> Within these ACLs.
00:22:33 Is there a place or a reference maybe on TechNet somewhere
00:22:36 else where customers can go for
00:22:38 more of a complete list of what to look for or more guidance.
00:22:43 Building on these examples?
00:22:45 >> So currently there are lists out there, mostly on MSDN and
00:22:51 a couple of them on TechNet of what all of the default
00:22:56 objects that exist in AD. >> And what the ACLs
00:23:02 are and what they do, what each right that it does happens.
00:23:07 Zade and I are working on narrowing that list down to show
00:23:13 which ones can actually lead to command and
00:23:18 control of Active Directory cuz that's the ones that we wanna
00:23:20 focus on here for the defense.
00:23:23 Some of the other ones are really not interesting to us
00:23:26 from a defender perspective and they're not interesting to
00:23:29 attackers from an attacker perspective.
00:23:30 >> Right. >> Because they don't give them
00:23:32 the privileges that they're seeking or
00:23:34 a way to escalate to them so that's not available yet but
00:23:38 it's coming soon and >> We'll add that into the side
00:23:42 here where these videos will be, when everybody's watching.
00:23:46 >> Is that also part of the ADSH services offering?
00:23:50 >> That is part of that offering, yeah.
00:23:51 So that's where we're starting out with it at.
00:23:55 >> Cool, look forward to seeing that, thank you.
00:24:00 Okay, so now let's talk a little bit more about some other means
00:24:04 of persistence.
00:24:06 The first thing we have is AdminSDHolder.
00:24:11 In all those default accounts that we talked, or the default
00:24:15 privileged groups that we talked about, your domain admins and
00:24:18 enterprise admins are protected by AdminSDHolder.
00:24:23 So if I go in and modify an ACL on top of
00:24:30 domain admins, as soon as the SDProp process runs,
00:24:35 it's going to undo that change.
00:24:38 So it's a good protection mechanism for those groups, but
00:24:44 as you saw, it doesn't apply to the nested groups.
00:24:49 So, that's why looking for
00:24:51 those nested groups is really important.
00:24:53 It's better to have an account be a direct member
00:24:58 of something like domain admins than to be
00:25:01 a member through nesting, cuz once you get to those nested levels,
00:25:05 you start losing these AdminSDHolder protections.
00:25:08 >> Okay. >> One of the other things you
00:25:09 gotta look for too, though, so those additional groups that we
00:25:13 talked about, the account operators and server operators
00:25:18 and backup operators and print operators.
00:25:23 So those four by default are protected by AdminSDHolder and
00:25:29 each one of those could be used in a different way for
00:25:31 that privilege escalation.
00:25:33 But it is also possible to exclude those from
00:25:37 AdminSDHolder protection.
00:25:38 So going back into that scenario
00:25:43 where you've had that changeover in your administrators.
00:25:46 You know, you could have had somebody one or two admins ago,
00:25:49 that, for whatever reason,
00:25:52 decided to exclude those groups from protection.
00:25:56 And now, I can modify the ACLs on them and the SDProp
00:26:02 process is not gonna remove them. >> Okay.
00:26:04 >> So there's another persistence mechanism.
00:26:06 So we do have a script that we'll be posting and linking to,
00:26:11 that checks to see if any of those have been excluded.
00:26:17 All right, so now we're going to talk again about the KRBTGT.
00:26:19 We kind of mentioned it briefly earlier.
00:26:22 So this is an account that is used for granting tickets.
00:26:26 It's our ticket granting ticket.
00:26:28 So we use this, well attackers use this for
00:26:32 things like the golden ticket attack that we mentioned.
00:26:35 There is also another one called silver
00:26:37 ticket and
00:26:38 we have some references at the end of the deck here.
00:26:41 Some very good write-ups by Sean Metcalf on KRBTGT,
00:26:46 the golden ticket attack, and
00:26:48 the silver ticket attack on his ADSecurity.org blog.
00:26:53 If adversaries use this, they can, like I said,
00:26:56 forge any ticket that they want, if they get ahold of that and
00:26:59 do that golden ticket attack.
00:27:01 One thing that you wanna do with this account is periodically
00:27:06 roll the password on it, reset the password on it.
00:27:09 You need to do a double reset with that.
00:27:13 And the reason that we do that double reset is because there's
00:27:16 an n-1 history in there.
00:27:19 So we gotta roll it that second time to kinda flush that out.
00:27:23 And one of the main scenarios that we do this in is in
00:27:27 a recovery event where we're trying to evict the bad guys.
00:27:31 But we're now actually recommending that you do it
00:27:34 on a fairly regular basis just to.
00:27:38 Even if you don't know you're currently compromised,
00:27:42 we can do this proactively to help reduce the potential
00:27:47 of compromise there.
00:27:48 >> And is there a script that we provide here to help
00:27:51 our customers with that?
00:27:52 >> Yeah. So
00:27:53 there is a script that will walk you through the reset process.
00:27:58 And it actually does a bunch of checks and makes sure that
00:28:02 the environment is healthy and ready to do the reset.
00:28:06 Because if you mess it up you're gonna break AD, and everything.
00:28:11 >> Okay. >> You have to be very careful
00:28:13 what they have, and that script is very excellent at helping you
00:28:16 do it in a cautious manner.
00:28:19 >> And be fully prepared.
00:28:20 Awesome.
00:28:23 All right.
00:28:23 Well, that wraps up this tactic for defending your directory.
00:28:29 We're going into the next tactic, defending your
00:28:32 domain controllers, and that's coming up next.
00:28:35 And here are some of those resources that we mentioned,
00:28:39 though again all the write-ups on KRBTGT and all the attacks,
00:28:44 they are from Sean Metcalf.
00:28:46 A very good reference on the AdminSDHolder,
00:28:50 that reference is actually the one that I used to build
00:28:53 the script that we're talking about there.
00:28:56 And then, the guidance and
00:28:57 script on resetting the account is here as well.
00:29:01 And then we have the reference on some
00:29:05 of the rights that are in the schema in AD [INAUDIBLE] there.
00:29:09 >> Great, and don't forget you can reach out to us at CyberRFI
00:29:12 if you're interested in, >> Learning more or
00:29:15 engaging Microsoft services to help with some of our offerings.
00:29:19 >> Right, you might even get to work with folks like Claire and
00:29:22 myself and Zaid if you engage in that.
00:29:25 >> Thank you for joining.