More than 95% of the biggest corporates use Active Directory (AD) to manage identity, enforce policies and control business-critical assets. Although AD represents a single point of failure in most cases, companies are still struggling to secure it; more often than not, after obtaining an initial foothold, attackers gain the maximum privileges within a short time and without being noticed until it is too late. The aim of this talk is to raise awareness of the techniques that adversaries might employ while providing practical advice on how to stop and detect them.
What you will learn:
- Familiarise yourself with the most common persistence techniques used in AD environments (DCSync, DCShadow, Skeleton Keys, Ticket Forgery and more)
- For each technique shown, where applicable, create relevant detection rules or strategies that can be integrated into your threat hunting sprints
- How to prevent, as far as possible, attackers from gaining a privileged position
- How design choices help you contain attackers after a breach has happened
- How to use BloodHound and other open source tools to analyse your environment, not just to identify ongoing attacks but also to prevent them
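As an added example that is not part of the talk, the following Python snippet shows the kind of detection rule the second bullet refers to, applied to DCSync: a DCSync request needs the DS-Replication-Get-Changes family of control access rights, which a domain controller audits as Security event 4662 with those rights' GUIDs in the Properties field, so the signal is such an event from an account that is not a DC machine account or a dedicated sync account. The event records are constructed, and the allow-list convention (`$` suffix for machine accounts, `MSOL_` prefix for Azure AD Connect sync accounts) is an assumption for this example.

```python
"""Flag possible DCSync activity in Windows Security event 4662 records.

DCSync replicates directory data from a DC, which requires the
DS-Replication-Get-Changes control access rights. The DC audits the
request as event 4662 whose Properties field lists the rights' GUIDs.
Legitimate replication comes from DC computer accounts (name ends in $)
and dedicated sync accounts (MSOL_ prefix for Azure AD Connect); that
allow-list convention is an assumption made for this example.
"""
from dataclasses import dataclass

# Control access right GUIDs that directory replication requires (real AD values).
REPLICATION_GUIDS = {
    "1131f6aa-9c07-11d1-f79f-00c04fc2dcd2": "DS-Replication-Get-Changes",
    "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2": "DS-Replication-Get-Changes-All",
    "89e95b76-444d-4c62-991a-0facbeda640c": "DS-Replication-Get-Changes-In-Filtered-Set",
}


@dataclass
class Event4662:
    subject_user: str   # SubjectUserName: who made the request
    object_type: str    # ObjectType: domainDNS when the naming context is replicated
    properties: str     # Properties: the access rights/GUIDs that were exercised


def is_allowed_replicator(user: str) -> bool:
    """Accounts expected to replicate: DC machine accounts and sync accounts (assumed convention)."""
    return user.endswith("$") or user.upper().startswith("MSOL_")


def dcsync_hits(events: list[Event4662]) -> list[tuple[str, list[str]]]:
    """Return (user, matched right names) for events that look like DCSync."""
    hits = []
    for ev in events:
        props = ev.properties.lower()
        matched = [name for guid, name in REPLICATION_GUIDS.items() if guid in props]
        if matched and not is_allowed_replicator(ev.subject_user):
            hits.append((ev.subject_user, matched))
    return hits


# Constructed sample events, not real logs.
SAMPLE = [
    Event4662("DC02$", "domainDNS", "{1131f6aa-9c07-11d1-f79f-00c04fc2dcd2}"),
    Event4662("MSOL_a1b2c3", "domainDNS", "{1131f6aa-9c07-11d1-f79f-00c04fc2dcd2} {1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}"),
    Event4662("jdoe", "domainDNS", "{1131f6aa-9c07-11d1-f79f-00c04fc2dcd2} {1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}"),
    Event4662("jdoe", "user", "{00000000-0000-0000-0000-000000000000}"),  # constructed, unrelated access
]

if __name__ == "__main__":
    for user, rights in dcsync_hits(SAMPLE):
        print(f"possible DCSync by {user}: {', '.join(rights)}")
```

In a real deployment the same logic would run over 4662 events collected from every domain controller, and the allow-list should be built from your own inventory of DCs and sync accounts rather than from name patterns.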