Author: David Horák

Do you know how attackers hide inside Active Directory?

🔒 Secure Bits 💡 𝗗𝗼 𝘆𝗼𝘂 𝗸𝗻𝗼𝘄 𝗵𝗼𝘄 𝗮𝘁𝘁𝗮𝗰𝗸𝗲𝗿𝘀 𝗵𝗶𝗱𝗲 𝗶𝗻𝘀𝗶𝗱𝗲 𝗔𝗰𝘁𝗶𝘃𝗲 𝗗𝗶𝗿𝗲𝗰𝘁𝗼𝗿𝘆? It’s called persistence. Attackers often want to stay in your environment long-term without being spotted – which means being a loud Domain Admin is usually not the plan. To spot this, you need to understand what options attackers have and how ACLs […]

From the Field: Naming Convention

🔎 𝗙𝗿𝗼𝗺 𝘁𝗵𝗲 𝗙𝗶𝗲𝗹𝗱 — Real-World Findings from Security Assessments 💥 𝟮𝟯.𝟴% of environments I assessed 𝗵𝗮𝗱 𝗻𝗼 𝗻𝗮𝗺𝗶𝗻𝗴 𝗰𝗼𝗻𝘃𝗲𝗻𝘁𝗶𝗼𝗻 𝗳𝗼𝗿 𝗮𝗰𝗰𝗼𝘂𝗻𝘁𝘀 𝗮𝗻𝗱 𝗱𝗲𝘃𝗶𝗰𝗲𝘀 Sounds like a boring “admin hygiene” topic… but it becomes a real security problem fast. 𝗪𝗵𝘆 𝗶𝘀 𝗶𝘁 𝗶𝗺𝗽𝗼𝗿𝘁𝗮𝗻𝘁? 1️⃣ Operations – you immediately know what a system/account is and where it belongs. 2️⃣ […]

From the Field: Critical Roles

🔎 𝗙𝗿𝗼𝗺 𝘁𝗵𝗲 𝗙𝗶𝗲𝗹𝗱 — Real-World Findings from Security Assessments 💥 ~𝟯𝟬% of environments I assessed 𝘀𝘁𝗶𝗹𝗹 𝗰𝗼-𝗵𝗼𝘀𝘁 𝗰𝗿𝗶𝘁𝗶𝗰𝗮𝗹 𝗿𝗼𝗹𝗲𝘀 𝗶𝗻𝘀𝘁𝗲𝗮𝗱 𝗼𝗳 𝘀𝗲𝗽𝗮𝗿𝗮𝘁𝗶𝗻𝗴 𝘁𝗵𝗲𝗺 𝗜 𝘀𝗲𝗲 𝘁𝗵𝗶𝘀 𝗮𝗹𝗹 𝘁𝗵𝗲 𝘁𝗶𝗺𝗲: 🔸 DHCP on Domain Controllers (and yes—there are some nasty escalation paths with default DHCP groups when hosted on a DC) 🔸 AD CS on Domain Controllers 🔸 Entra ID […]

From the Field: Patching

🔎 𝗙𝗿𝗼𝗺 𝘁𝗵𝗲 𝗙𝗶𝗲𝗹𝗱 — Real-World Findings from Security Assessments 💥 𝟯𝟯.𝟯% of environments I assessed 𝗱𝗼 𝗻𝗼𝘁 𝗽𝗮𝘁𝗰𝗵 𝘁𝗵𝗲𝗶𝗿 𝗪𝗶𝗻𝗱𝗼𝘄𝘀 𝗱𝗲𝘃𝗶𝗰𝗲𝘀 𝗿𝗲𝗴𝘂𝗹𝗮𝗿𝗹𝘆 This one is honestly shocking. I still encounter systems that haven’t been patched 𝗳𝗼𝗿 𝗺𝗼𝗻𝘁𝗵𝘀 — 𝘀𝗼𝗺𝗲𝘁𝗶𝗺𝗲𝘀 𝗲𝘃𝗲𝗻 𝘆𝗲𝗮𝗿𝘀. And yes, I know what many administrators think: “𝙈𝙞𝙘𝙧𝙤𝙨𝙤𝙛𝙩 𝙪𝙥𝙙𝙖𝙩𝙚𝙨 𝙨𝙤𝙢𝙚𝙩𝙞𝙢𝙚𝙨 𝙗𝙧𝙚𝙖𝙠 𝙩𝙝𝙞𝙣𝙜𝙨, 𝙩𝙝𝙚𝙮 […]

From the Field: Windows Firewall

🔎 𝗙𝗿𝗼𝗺 𝘁𝗵𝗲 𝗙𝗶𝗲𝗹𝗱 — Real-World Findings from Security Assessments 💥 𝟯𝟴.𝟭% of environments I assessed 𝗵𝗮𝘃𝗲 𝗪𝗶𝗻𝗱𝗼𝘄𝘀 𝗙𝗶𝗿𝗲𝘄𝗮𝗹𝗹 𝘁𝘂𝗿𝗻𝗲𝗱 𝗢𝗙𝗙 I often joke in my courses that the first thing admins do on a new Windows device is disable the firewall. 𝗨𝗻𝗳𝗼𝗿𝘁𝘂𝗻𝗮𝘁𝗲𝗹𝘆… it’s not really a joke. It’s the sad reality. 🧱 𝗪𝗵𝘆? For historical reasons, […]

From the Field: Local Groups

🔎 𝗙𝗿𝗼𝗺 𝘁𝗵𝗲 𝗙𝗶𝗲𝗹𝗱 — Real-World Findings from Security Assessments 💥 𝟯𝟴.𝟭% of environments I assessed 𝘀𝘁𝗶𝗹𝗹 𝗺𝗮𝗻𝗮𝗴𝗲 𝗹𝗼𝗰𝗮𝗹 𝗴𝗿𝗼𝘂𝗽𝘀 𝗺𝗲𝗺𝗯𝗲𝗿𝘀𝗵𝗶𝗽 𝗺𝗮𝗻𝘂𝗮𝗹𝗹𝘆 It’s a 𝘀𝗶𝗺𝗽𝗹𝗲 𝗳𝗶𝘅 — with a 𝗯𝗶𝗴 𝗶𝗺𝗽𝗮𝗰𝘁. 𝗠𝗮𝗻𝘂𝗮𝗹𝗹𝘆 𝗰𝗼𝗻𝘁𝗿𝗼𝗹𝗹𝗶𝗻𝗴 𝗹𝗼𝗰𝗮𝗹 𝗴𝗿𝗼𝘂𝗽 𝗺𝗲𝗺𝗯𝗲𝗿𝘀𝗵𝗶𝗽 𝗹𝗲𝗮𝗱𝘀 𝘁𝗼: 🔹 Unmapped privileges 🔹 Untracked admin access 🔹 Messy permissions that attackers love Years later, no one remembers who has access […]

From the Field: AD CS

🔎 𝗙𝗿𝗼𝗺 𝘁𝗵𝗲 𝗙𝗶𝗲𝗹𝗱 — Real-World Findings from Security Assessments 💥 In 𝟰𝟮.𝟵% of infrastructures I’ve assessed, 𝗔𝗰𝘁𝗶𝘃𝗲 𝗗𝗶𝗿𝗲𝗰𝘁𝗼𝗿𝘆 𝗖𝗲𝗿𝘁𝗶𝗳𝗶𝗰𝗮𝘁𝗲 𝗦𝗲𝗿𝘃𝗶𝗰𝗲𝘀 (𝗔𝗗 𝗖𝗦) 𝗮𝗿𝗲 𝘀𝘁𝗶𝗹𝗹 𝗶𝗺𝗽𝗹𝗲𝗺𝗲𝗻𝘁𝗲𝗱 𝘂𝘀𝗶𝗻𝗴 𝗮 𝘀𝗶𝗻𝗴𝗹𝗲-𝘁𝗶𝗲𝗿 𝗵𝗶𝗲𝗿𝗮𝗿𝗰𝗵𝘆 Let me borrow a line straight from 𝗠𝗶𝗰𝗿𝗼𝘀𝗼𝗳𝘁 on this one: “𝘖𝘯𝘦-𝘵𝘪𝘦𝘳 𝘩𝘪𝘦𝘳𝘢𝘳𝘤𝘩𝘺 𝘪𝘴 𝘯𝘰𝘵 𝘳𝘦𝘤𝘰𝘮𝘮𝘦𝘯𝘥𝘦𝘥 𝘧𝘰𝘳 𝘢𝘯𝘺 𝘱𝘳𝘰𝘥𝘶𝘤𝘵𝘪𝘰𝘯 𝘴𝘤𝘦𝘯𝘢𝘳𝘪𝘰. 𝘈 𝘤𝘰𝘮𝘱𝘳𝘰𝘮𝘪𝘴𝘦 𝘰𝘧 𝘵𝘩𝘪𝘴 𝘴𝘪𝘯𝘨𝘭𝘦 𝘊𝘈 […]

From the Field: AD Sites and Services

🔎 𝗙𝗿𝗼𝗺 𝘁𝗵𝗲 𝗙𝗶𝗲𝗹𝗱 — Real-World Findings from Security Assessments 💥 𝟰𝟮.𝟵% of infrastructures I’ve assessed 𝗱𝗼 𝗻𝗼𝘁 𝗽𝗿𝗼𝗽𝗲𝗿𝗹𝘆 𝗰𝗼𝗻𝗳𝗶𝗴𝘂𝗿𝗲 𝗔𝗰𝘁𝗶𝘃𝗲 𝗗𝗶𝗿𝗲𝗰𝘁𝗼𝗿𝘆 𝗦𝗶𝘁𝗲𝘀 𝗮𝗻𝗱 𝗦𝗲𝗿𝘃𝗶𝗰𝗲𝘀 𝗜 𝗼𝗳𝘁𝗲𝗻 𝘀𝗲𝗲 𝘁𝘄𝗼 𝗰𝗮𝘀𝗲𝘀: ▪️ admins configure it “how they feel,” or ▪️ they don’t configure it at all. Both are wrong. If you have multiple sites (DCs in multiple […]

From the Field: Role Separation

🔎 𝗙𝗿𝗼𝗺 𝘁𝗵𝗲 𝗙𝗶𝗲𝗹𝗱 — Real-World Findings from Security Assessments 💥 𝟰𝟮.𝟵% of infrastructures I’ve assessed 𝗿𝘂𝗻𝘀 𝗺𝘂𝗹𝘁𝗶𝗽𝗹𝗲 𝗿𝗼𝗹𝗲𝘀/𝘀𝗲𝗿𝘃𝗶𝗰𝗲𝘀 𝗼𝗻 𝘁𝗵𝗲𝗶𝗿 𝗱𝗼𝗺𝗮𝗶𝗻 𝗰𝗼𝗻𝘁𝗿𝗼𝗹𝗹𝗲𝗿𝘀 🚫 𝗧𝗵𝗶𝘀 𝗶𝘀 𝗳𝗮𝗿 𝘁𝗼𝗼 𝗰𝗼𝗺𝗺𝗼𝗻 — especially in smaller environments — but it’s one of the fastest ways to weaken your security posture. Domain Controllers should normally host only two services: ✅ […]

From the Field: Windows Server Core

🔎 𝗙𝗿𝗼𝗺 𝘁𝗵𝗲 𝗙𝗶𝗲𝗹𝗱 — Real-World Findings from Security Assessments 💥 𝟳𝟭.𝟰% of infrastructures I’ve assessed 𝗱𝗼 𝗻𝗼𝘁 𝘂𝘀𝗲 𝗪𝗶𝗻𝗱𝗼𝘄𝘀 𝗦𝗲𝗿𝘃𝗲𝗿 𝗖𝗼𝗿𝗲 𝗲𝗱𝗶𝘁𝗶𝗼𝗻 To be honest, I don’t even remember seeing it in use by most customers — the 28.6% might just be environments I secured myself in the past and later reassessed. So, is there […]