Cybersecurity, learned like a practitioner.
24 learning paths · 398 modules live · every lesson written by someone who has shipped the control or run the engagement. Free to start.
Intermediate · modules
Modules tagged Intermediate.
Cloud Logs Have Detection Gaps
CloudTrail records management-plane events by default. Data-plane activity (S3 reads) requires explicitly enabled data events. Most teams skip them for cost. Result: an attacker reads sensitive S3 buckets; no log entry. The defender has no evidence post-breach. The mindset: enabling all logs is expensive. Enabling none is more expensive. Tier by sensitivity.
Service Accounts Outlive Their Purpose
Service accounts get created. They stay forever. The original requester left in 2019. The service was decommissioned in 2021. The account remains, with the same permissions, the same password. Audit reveals: 30-50% of high-priv service accounts have no current owner. 20%+ haven’t had a password change in 5+ years. The mindset: service accounts need lifecycle. Ownership, […]
The Tenant-of-One Assumption
Multi-tenant cloud: same physical hardware, different tenants. Side channels exist. Cross-tenant attacks researched (Spectre/Meltdown class). Most are theoretical or patched. Some succeed. The assumption “I’m the only tenant on this VM” is wrong; the assumption “tenant boundary is impervious” is sometimes wrong. The mindset: high-stakes workloads → confidential computing or single-tenant variants where available.
Permission Drift
User joins team A. Gets group memberships. Moves to team B. Gets new memberships. Old memberships rarely removed. Repeats over years. Result: senior engineers have memberships from every team they’ve been on. The set of effective permissions is unknowable without explicit query. The mindset: permissions need negative review (what should be removed) more than positive […]
Reading the Directory as a Graph
Microsoft Management Console shows AD as a tree. BloodHound shows it as a graph. The graph view changes everything. Nodes: users, groups, computers, GPOs, OUs. Edges: HasMember, AdminTo, GenericWrite, GenericAll, ForceChangePassword, etc. Attack paths emerge from graph structure. The mindset: think in graphs. Every node has incoming edges (who controls me) and outgoing edges (what […]
Why GPO Defaults Matter
GPOs have defaults. Defaults from when AD launched. “Not Defined” usually means “system default” — which may be insecure. Examples: NTLM still allowed. LM hash still stored on some configs. Anonymous SID enumeration enabled. Each is a backdoor that nobody actively turned on. The mindset: assume nothing is restricted unless explicitly restricted. Apply CIS or […]
The Time Aspect of Kerberos
TGT typical lifetime: 10 hours. Forged Golden Ticket: any lifetime. Until krbtgt rotates, the attacker maintains DA via tickets the attacker forges. Service ticket cache: residual access for hours after permission revocation. Cache flushing is rare; impact uncertain. The mindset: time-bound credentials need time-bound revocation, not just permission revocation.
Cross-Forest, Cross-Tenant Trust
M&A: company A acquires company B. Trust between forests established for “convenience.” Compromise of one becomes compromise of both. Hybrid AD + Entra: AD Connect bridges; compromise of either side reaches the other. Multi-tenant Entra: B2B guest accounts persist; compromise of guest tenant reaches host. The mindset: every trust relationship is a control merge. Document; […]
The Backup-Account Anti-Pattern
Every AD has a “break glass” account: backup_admin, recovery_account, etc. Reasoning: “what if everything else fails?” Reality: account exists with full rights, no MFA, password unchanged for years. Attackers find it. Use it. Backup-admin compromise = full domain compromise with no anomaly detection. The mindset: break-glass accounts must be specifically monitored. Any login = SOC […]
Why Passwords Persist 5+ Years
Service-account password rotation breaks services. Documentation incomplete. Owner unknown. Last person who knew has left. Result: passwords from 2018 still active. This is the structural reason Kerberoasting works at every internal pentest. The mindset: gMSA (Group Managed Service Account) where possible — Windows manages rotation. Where not possible, ≥25-char passwords (cracking economically unfeasible).
Practitioners who've shipped the controls.
Every module is written by someone who has built the defence or run the engagement. No repackaged tutorials, no generic theory.
Why learn here
Practitioner-written.
Each lesson is authored by someone who has shipped the control or run the engagement in production.
Quiz after every module.
20+ questions with explanations. 70%+ to mark complete. Unlimited retries.
Progress tracked.
Completions, scores and streaks saved automatically. Resume exactly where you left off.
India-priced.
Start free. ₹499/mo for intermediate. ₹4,999/yr for advanced. No hidden fees, ever.