Active Directory Abuse Primitives and Operation Security

Date

April 21, 2023

Time

14:00

Track

Track 2



Active Directory (AD) is widely used by enterprises for centralized management of digital assets such as accounts, machines, and access rights. AD is always the primary target for adversaries, since compromising AD also grants control over an entire enterprise’s network. Furthermore, AD attack techniques mostly take the form of leveraging privileges, configuration settings, or designed mechanisms, which are commonly called abuse primitives.

In this talk, we will discuss how real-world adversaries chain these attack techniques into attack paths to compromise Active Directory, demonstrating 4 attack paths. We will dive into the AD attack techniques that abuse configuration settings and discuss the methodology, such as enumeration, considerations, tactical goals, and how to evade blue team detection for a successful operation.

In addition, the attack paths demonstrated include new AD abuse primitives such as diamond ticket, U2U ticket, or Shadow Credential. We will discuss how an attack path is formed from the abuse primitives in the AD environment, with an explanation of root cause, implementation methods, and operational guidance. All 4 attack paths will also be shared with video demonstrations from an adversary’s perspective using a C2, not only for a realistic experience of an offensive operation but also to make the impact easier to understand.

Speakers

Manager, PSIRT and Threat Research

TXOne Networks Inc.

Threat Researcher

TXOne Networks Inc.
