Unsafe Active Directory permissions I commonly find during internal pentests and how to find them yourself.

🧵 A quick rundown, starting with my favorite... 1. Unsafe users with dangerous permissions on privileged resources.

AKA - Everyone with FullControl over the root of the domain.

Every time I mention this, I'm reminded that while it's uncommon, I know many of you have seen this one too.

To find it: View the permissions on the root of the domain. It's that simple. Look for users/groups that shouldn't be there.

Attackers love low-hanging fruit.

And insecurely installed 3rd-party software is one of their favorite snacks..

🧵 Here’s how these issues turn into privesc goldmines (and how to fix them fast) TLDR...Attackers don't need to use complex malware when your install paths are writable.

Action to take today --> Audit your 3rd-party Windows apps for who can write where they install... then lock them down.

PS - webinar/slides linked at the end of this thread.

How to find unsecured credentials on file shares...

This is the exact method I use for discovering credentials on file shares, adapted to fit what might work for a sysadmin.

🧵4 step process to follow... Step #1. Map out file shares.

Since you know your environment, document all your file shares in one location. Doesn’t matter where, just document them.

We all know it’s not a great idea to log into end-user systems with Domain Admin creds, but it still happens. A lot.

And every time I see it, it makes me 😔 — here’s why:

🧵A short (probably relatable) thread of how it can go sideways.. We’ve all probably seen DA creds sitting in LSASS on Suzie in accountings machine but some of the worst I’ve seen are:

😣 Kiosks
🤦‍♂️ Stationary conference room machines
💻 Suzie's corporate laptop that she is also using for personal stuff