Module 13 · Permission Drift

Manish Garg
Manish Garg Associate of (ISC)² · RingSafe
Apr 27, 2026
1 min read
Read as

Last updated: April 29, 2026

100% Free

No signup. No paywall. No catch. One of our 10 most-requested practitioner modules — published in full so anyone can learn for free. We earn through consulting, not by gating knowledge.

See all 10 free modules →

User joins team A. Gets group memberships. Moves to team B. Gets new memberships. Old memberships rarely removed. Repeats over years.

User joins team A. Gets group memberships. Moves to team B. Gets new memberships. Old memberships rarely removed. Repeats over years.

Result: senior engineers have memberships from every team they’ve been on. The set of effective permissions is unknowable without explicit query.

The mindset: permissions need negative review (what should be removed) more than positive review (what should be added).

🧠
Check your understanding

Module Quiz · 2 questions

Pass with 80%+ to mark this module complete. Unlimited retries. Each question shows an explanation.

Want this for your team?

Custom team training + practitioner advisory

Beyond the free academy — we run private workshops, vCISO advisory, and red-team exercises tailored to your stack. For Indian SMBs scaling past their first hire.

Book team training call Replies in 4 working hrs · India-only · Senior consultants
← Previous · Module 12
Module 12 · Service Accounts Outlive Their Purpose
← Back to Academy Hub
Continue Learning

Other modules in this track

View all modules
Academy
Module 1 · Beginner

AD's defaults accumulated risk for 20 years — authenticated-read-everything, NTLM, RC4, backwards compat.

Apr 22, 2026 · 4 min read
Academy
Module 2 · Intermediate

BloodHound, SharpHound, Impacket, CrackMapExec, PowerView. Any authenticated user sees the whole directory.

Apr 22, 2026 · 5 min read
Academy
Module 3 · Intermediate

Edges, queries, custom Cypher. Why BloodHound changed offensive AD since 2017.

Apr 22, 2026 · 5 min read