Hidden in Plain Sight: Exposing Shadow Admins in Active Directory

Scattered Spider, ESX Admins, and the Built-In Backdoor to Root

In this episode, Craig Birch breaks down how Scattered Spider, also known as Octo Tempest, is exploiting a built-in trust relationship between Active Directory and VMware ESXi to escalate privileges and deploy ransomware — all without triggering traditional security tools. Learn how the ESX Admins group becomes an unintentional backdoor to root access on every ESXi host in your environment, and why this attack path — warned about in CVE-2024-37085 — is being actively exploited in the wild. You’ll also get a quick PowerShell walkthrough to detect the ESX Admins group and hear how Cayosoft Guardian can proactively detect and block this behavior before it causes damage. * Who is Scattered Spider and what makes their attacks unique * How Active Directory and VMware vSphere integration can expose your hypervisors * The role of the ESX Admins AD group in privilege escalation * Live PowerShell examples to detect group presence and abuse * How Cayosoft Guardian detects and stops unauthorized privilege paths * CVE-2024-37085 and its relevance to real-world breaches Check if the ESX Admins group exists: List group members: Search for changes to group membership: * Real-time detection of suspicious AD group membership changes * Custom Change Roles to block group creation like ESX Admins * 200+ identity misconfigurations covered across AD, Entra ID, Microsoft 365, and Intune * Rollback and audit features for fast response and recovery “If you’ve got domain-joined ESXi hosts and an ESX Admins group in AD — you’ve got a direct path to root. And attackers like Scattered Spider know it.” Until next time stay guarded, stay informed, and be the guardian of your directory.

Exposing the DNS Danger: Unsecure Dynamic Updates in Active Directory

Welcome to Directory Insights in 10 Minutes, a bite-sized cybersecurity briefing from Guardians of the Directory. I’m your host, Craig Birch—Principal Security Engineer and Identity Security Enthusiast. In this episode, we dive into a critical misconfiguration that still lurks in many AD environments: DNS zones allowing unsecure dynamic updates. 🔍 Here’s what we cover: * What dynamic updates are and how they work in AD-integrated DNS * The three update modes—Secure Only, Nonsecure and Secure, and None * Why nonsecure dynamic updates are a serious attack surface * Real-world DNS attack tactics using spoofed records and tools like Responder * A simple PowerShell script to detect vulnerable DNS zones * How to fix your zones using DNS Manager * And why Cayosoft Guardian is your best defense against configuration drift 🛡️ In Active Directory, trust starts with DNS—make sure that trust isn’t anonymous. * PowerShell Detection Script: * Learn more about Cayosoft Guardian: https://www.cayosoft.com/guardian If you found this episode helpful, don’t forget to: * Subscribe on YouTube, Spotify, or your favorite podcast platform * Drop a comment with your AD security questions—we may feature it in a future episode! * Share with your IT team or security peers 🔗 LinkedIn [https://www.linkedin.com/in/craigbirch] 🌐 Focus on Identity [https://focusonidentity.com] 🧰 Resources Mentioned:powershellCopyEditGet-DnsServerZone | Where-Object { $_.DynamicUpdate -ne "Secure" }🔔 Subscribe & Follow:📢 Connect with Craig Birch:

Hidden Admins: How Non-Standard Primary Group IDs Expose Active Directory to Risk

Welcome to Guardians of the Directory, the podcast where we break down real-world threats, best practices, and insights in Active Directory, Entra ID, and Microsoft identity security. In today’s episode, Craig Birch dives into one of Active Directory’s oldest — and most quietly dangerous — features: the primaryGroupID. While originally designed for POSIX compatibility and legacy systems, this attribute can now be misused to grant hidden privileges, bypass group auditing, and create stealth admin access. 🔍 In this episode, you'll learn: * What the primaryGroupID attribute is and why it still exists * Why anything other than 513 (Domain Users) should raise red flags * How attackers can leverage this setting to hide elevated privileges * How to detect non-standard values using PowerShell * How to safely remediate misconfigured accounts * Why real-time detection with Cayosoft Guardians is a smarter defense Craig walks you through not just how to fix the problem — but how to prevent it entirely with intelligent alerting, automation, and policy enforcement.

Hidden in Plain Sight: Exposing Shadow Admins in Active Directory

Shadow admins might not wear capes—but they can bring down your Active Directory if left unchecked. In this episode of Directory Insights in 10 Minutes, Craig Birch takes a sharp dive into AD delegations that slip through the cracks—commonly misconfigured permissions that give users dangerous access without being in official admin groups. You'll learn: * What shadow admins are and why they’re so often missed * Key permissions that signal elevated access risk * Where to look inside your AD to find hidden privilege paths * PowerShell tools and techniques to surface these threats * Practical next steps to verify and remediate access Whether you're managing AD or auditing security posture, this is the 10-minute hit you need to guard your directory from internal elevation risks. Episode Highlights: * (00:00) Introduction to shadow admins and delegated permissions * (01:15) Deep dive into risky permissions: GenericAll, WriteOwner, ReplicateDirectoryChanges * (03:42) Where to find shadow admins: domain root, Domain Controllers OU, Sync OUs * (06:05) PowerShell tools to uncover hidden delegations * (07:30) Tips for reviewing and remediating shadow admin rights * (09:00) Final thoughts: stay vigilant, stay guarded 📌 Show Notes (YouTube / Podcast Website)

AdminSDHolder in Active Directory: Hidden Risks and Persistent Threats

🎙️ In This Episode of Directory Insights in 10 Minutes Craig Birch breaks down the misunderstood AdminSDHolder object and the SDProp process in Active Directory—why they exist, how they protect privileged groups, and how attackers exploit misconfigurations to maintain persistence. 🔍 What You’ll Learn: • What AdminSDHolder and SDProp actually do • Why they matter for Tier 0 group protection • How attackers abuse them for persistent elevated access • Which ACLs and inherited permissions to look for • PowerShell methods to quickly audit for dangerous ACEs 🛠️ PowerShell Script – AdminSDHolder ACL Audit # Get AdminSDHolder ACL and filter for dangerous ACEs $domainNC = (Get-ADDomain).DistinguishedName $adminSDHolderDN = "CN=AdminSDHolder,CN=System,$domainNC" $acl = (Get-ADObject -Identity $adminSDHolderDN -Properties nTSecurityDescriptor).nTSecurityDescriptor $dangerousACEs = $acl.Access | Where-Object { $_.AccessControlType -eq "Allow" -and $_.ActiveDirectoryRights -match "GenericAll|GenericWrite|WriteDacl|WriteOwner" } $dangerousACEs | Format-Table IdentityReference, ActiveDirectoryRights ✅ Run this to find potentially exploitable permissions in protected AD groups. 📌 Brought to you by Guardians of the Directory