{"id":8342,"date":"2021-03-19T09:42:35","date_gmt":"2021-03-19T08:42:35","guid":{"rendered":"https:\/\/conference.hitb.org\/hitbsecconf2023ams\/?post_type=session&#038;p=8342"},"modified":"2023-05-17T08:11:00","modified_gmt":"2023-05-17T08:11:00","slug":"active-directory-abuse-primitives-and-operation-security","status":"publish","type":"session","link":"https:\/\/conference.hitb.org\/hitbsecconf2023ams\/session\/active-directory-abuse-primitives-and-operation-security\/","title":{"rendered":"Active Directory Abuse Primitives and Operation Security"},"content":{"rendered":"<p><iframe title=\"#HITB2023AMS D2T2 - Active Directory Abuse Primitives And Operation Security - M. Cheng &amp; D. Chen\" width=\"800\" height=\"450\" src=\"https:\/\/www.youtube.com\/embed\/CIkSiECswYw?feature=oembed\" frameborder=\"0\" allow=\"accelerometer; autoplay; clipboard-write; encrypted-media; gyroscope; picture-in-picture; web-share\" allowfullscreen><\/iframe><\/p>\n<p><a href=\"https:\/\/conference.hitb.org\/hitbsecconf2023ams\/materials\/D2T2%20-%20Active%20Directory%20Abuse%20Primitive%20and%20Operation%20Security%20-%20Mars%20Cheng.pdf\">PRESENTATION SLIDES (PDF)<\/a><\/p>\n<hr \/>\n<p style=\"text-align: justify;\">Active Directory (AD) is widely used by enterprises for centralized management of digital assets such as accounts, machines, and access rights. AD is always the primary target for adversaries since compromising AD also grants control over an entire enterprise\u2019s network. Furthermore, AD attack techniques mostly take the form of leveraging privileges, configuration settings, or designed mechanisms, which are commonly called abuse primitives.<\/p>\n<p style=\"text-align: justify;\">In this talk, <strong>we will discuss how real-world adversaries chain these attack techniques into attack paths to compromise Active Directory, demonstrating 4 attack paths<\/strong>. 
We will dive into how these AD attack techniques abuse configuration settings and discuss the methodology, such as enumeration, considerations, tactical goals, and how to evade blue team detection to make an operation succeed.<\/p>\n<p style=\"text-align: justify;\">In addition, the attack paths demonstrated <strong>include new AD abuse primitives such as the diamond ticket, U2U ticket, or Shadow Credentials<\/strong>. We will discuss how an attack path is formed from the abuse primitives in the AD environment, with an explanation of root causes, implementation methods, and operational guidance. All 4 attack paths will also be shown in video demonstrations from an adversary\u2019s perspective using a C2, not only for a realistic experience of an offensive operation but also to make the impact easier to understand.<\/p>\n","protected":false},"template":"","class_list":["post-8342","session","type-session","status-publish","hentry"],"acf":[],"yoast_head":"<!-- This site is optimized with the Yoast SEO plugin v23.3 - https:\/\/yoast.com\/wordpress\/plugins\/seo\/ -->\n<title>Active Directory Abuse Primitives and Operation Security - HITBSecConf2023 - Amsterdam<\/title>\n<meta name=\"robots\" content=\"index, follow, max-snippet:-1, max-image-preview:large, max-video-preview:-1\" \/>\n<link rel=\"canonical\" href=\"https:\/\/conference.hitb.org\/hitbsecconf2023ams\/session\/active-directory-abuse-primitives-and-operation-security\/\" \/>\n<meta property=\"og:locale\" content=\"en_US\" \/>\n<meta property=\"og:type\" content=\"article\" \/>\n<meta property=\"og:title\" content=\"Active Directory Abuse Primitives and Operation Security - HITBSecConf2023 - Amsterdam\" \/>\n<meta property=\"og:description\" content=\"PRESENTATION SLIDES (PDF) Active Directory (AD) is widely used by enterprises for centralized management of digital assets such as accounts, machines, and access rights. 
AD is always the primary target for adversaries since compromising AD also grants control over an entire enterprise\u2019s network. Furthermore, AD attacks techniques are mostly in the form of leveraging the [&hellip;]\" \/>\n<meta property=\"og:url\" content=\"https:\/\/conference.hitb.org\/hitbsecconf2023ams\/session\/active-directory-abuse-primitives-and-operation-security\/\" \/>\n<meta property=\"og:site_name\" content=\"HITBSecConf2023 - Amsterdam\" \/>\n<meta property=\"article:modified_time\" content=\"2023-05-17T08:11:00+00:00\" \/>\n<meta name=\"twitter:card\" content=\"summary_large_image\" \/>\n<meta name=\"twitter:label1\" content=\"Est. reading time\" \/>\n\t<meta name=\"twitter:data1\" content=\"1 minute\" \/>\n<script type=\"application\/ld+json\" class=\"yoast-schema-graph\">{\"@context\":\"https:\/\/schema.org\",\"@graph\":[{\"@type\":\"WebPage\",\"@id\":\"https:\/\/conference.hitb.org\/hitbsecconf2023ams\/session\/active-directory-abuse-primitives-and-operation-security\/\",\"url\":\"https:\/\/conference.hitb.org\/hitbsecconf2023ams\/session\/active-directory-abuse-primitives-and-operation-security\/\",\"name\":\"Active Directory Abuse Primitives and Operation Security - HITBSecConf2023 - 
Amsterdam\",\"isPartOf\":{\"@id\":\"https:\/\/conference.hitb.org\/hitbsecconf2023ams\/#website\"},\"datePublished\":\"2021-03-19T08:42:35+00:00\",\"dateModified\":\"2023-05-17T08:11:00+00:00\",\"breadcrumb\":{\"@id\":\"https:\/\/conference.hitb.org\/hitbsecconf2023ams\/session\/active-directory-abuse-primitives-and-operation-security\/#breadcrumb\"},\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"ReadAction\",\"target\":[\"https:\/\/conference.hitb.org\/hitbsecconf2023ams\/session\/active-directory-abuse-primitives-and-operation-security\/\"]}]},{\"@type\":\"BreadcrumbList\",\"@id\":\"https:\/\/conference.hitb.org\/hitbsecconf2023ams\/session\/active-directory-abuse-primitives-and-operation-security\/#breadcrumb\",\"itemListElement\":[{\"@type\":\"ListItem\",\"position\":1,\"name\":\"Home\",\"item\":\"https:\/\/conference.hitb.org\/hitbsecconf2023ams\/\"},{\"@type\":\"ListItem\",\"position\":2,\"name\":\"Session\",\"item\":\"https:\/\/conference.hitb.org\/hitbsecconf2023ams\/session\/\"},{\"@type\":\"ListItem\",\"position\":3,\"name\":\"Active Directory Abuse Primitives and Operation Security\"}]},{\"@type\":\"WebSite\",\"@id\":\"https:\/\/conference.hitb.org\/hitbsecconf2023ams\/#website\",\"url\":\"https:\/\/conference.hitb.org\/hitbsecconf2023ams\/\",\"name\":\"HITBSecConf2023 - Amsterdam\",\"description\":\"#HITB2021AMS\",\"potentialAction\":[{\"@type\":\"SearchAction\",\"target\":{\"@type\":\"EntryPoint\",\"urlTemplate\":\"https:\/\/conference.hitb.org\/hitbsecconf2023ams\/?s={search_term_string}\"},\"query-input\":\"required name=search_term_string\"}],\"inLanguage\":\"en-US\"}]}<\/script>\n<!-- \/ Yoast SEO plugin. 
-->","yoast_head_json":{"title":"Active Directory Abuse Primitives and Operation Security - HITBSecConf2023 - Amsterdam","robots":{"index":"index","follow":"follow","max-snippet":"max-snippet:-1","max-image-preview":"max-image-preview:large","max-video-preview":"max-video-preview:-1"},"canonical":"https:\/\/conference.hitb.org\/hitbsecconf2023ams\/session\/active-directory-abuse-primitives-and-operation-security\/","og_locale":"en_US","og_type":"article","og_title":"Active Directory Abuse Primitives and Operation Security - HITBSecConf2023 - Amsterdam","og_description":"PRESENTATION SLIDES (PDF) Active Directory (AD) is widely used by enterprises for centralized management of digital assets such as accounts, machines, and access rights. AD is always the primary target for adversaries since compromising AD also grants control over an entire enterprise\u2019s network. Furthermore, AD attacks techniques are mostly in the form of leveraging the [&hellip;]","og_url":"https:\/\/conference.hitb.org\/hitbsecconf2023ams\/session\/active-directory-abuse-primitives-and-operation-security\/","og_site_name":"HITBSecConf2023 - Amsterdam","article_modified_time":"2023-05-17T08:11:00+00:00","twitter_card":"summary_large_image","twitter_misc":{"Est. 
reading time":"1 minute"},"schema":{"@context":"https:\/\/schema.org","@graph":[{"@type":"WebPage","@id":"https:\/\/conference.hitb.org\/hitbsecconf2023ams\/session\/active-directory-abuse-primitives-and-operation-security\/","url":"https:\/\/conference.hitb.org\/hitbsecconf2023ams\/session\/active-directory-abuse-primitives-and-operation-security\/","name":"Active Directory Abuse Primitives and Operation Security - HITBSecConf2023 - Amsterdam","isPartOf":{"@id":"https:\/\/conference.hitb.org\/hitbsecconf2023ams\/#website"},"datePublished":"2021-03-19T08:42:35+00:00","dateModified":"2023-05-17T08:11:00+00:00","breadcrumb":{"@id":"https:\/\/conference.hitb.org\/hitbsecconf2023ams\/session\/active-directory-abuse-primitives-and-operation-security\/#breadcrumb"},"inLanguage":"en-US","potentialAction":[{"@type":"ReadAction","target":["https:\/\/conference.hitb.org\/hitbsecconf2023ams\/session\/active-directory-abuse-primitives-and-operation-security\/"]}]},{"@type":"BreadcrumbList","@id":"https:\/\/conference.hitb.org\/hitbsecconf2023ams\/session\/active-directory-abuse-primitives-and-operation-security\/#breadcrumb","itemListElement":[{"@type":"ListItem","position":1,"name":"Home","item":"https:\/\/conference.hitb.org\/hitbsecconf2023ams\/"},{"@type":"ListItem","position":2,"name":"Session","item":"https:\/\/conference.hitb.org\/hitbsecconf2023ams\/session\/"},{"@type":"ListItem","position":3,"name":"Active Directory Abuse Primitives and Operation Security"}]},{"@type":"WebSite","@id":"https:\/\/conference.hitb.org\/hitbsecconf2023ams\/#website","url":"https:\/\/conference.hitb.org\/hitbsecconf2023ams\/","name":"HITBSecConf2023 - Amsterdam","description":"#HITB2021AMS","potentialAction":[{"@type":"SearchAction","target":{"@type":"EntryPoint","urlTemplate":"https:\/\/conference.hitb.org\/hitbsecconf2023ams\/?s={search_term_string}"},"query-input":"required 
name=search_term_string"}],"inLanguage":"en-US"}]}},"_links":{"self":[{"href":"https:\/\/conference.hitb.org\/hitbsecconf2023ams\/wp-json\/wp\/v2\/session\/8342"}],"collection":[{"href":"https:\/\/conference.hitb.org\/hitbsecconf2023ams\/wp-json\/wp\/v2\/session"}],"about":[{"href":"https:\/\/conference.hitb.org\/hitbsecconf2023ams\/wp-json\/wp\/v2\/types\/session"}],"wp:attachment":[{"href":"https:\/\/conference.hitb.org\/hitbsecconf2023ams\/wp-json\/wp\/v2\/media?parent=8342"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}