Finding Our Path: How We're Trying to Improve Active Directory Security

Black Hat USA 2019

Presented by: Andy Robbins, Will Schroeder, Rohan Vazarkar
Date: Thursday August 08, 2019
Time: 11:00 - 11:50
Location: South Seas ABE

As the dominant directory service solution, Active Directory persists as the crucial backbone of identity, authentication, and security for organizations of all sizes. Over time, nearly every Active Directory environment becomes an unwieldy, complex, and dynamic web of operating systems, user behaviors, and configurations. Historically, understanding the implications of any one user logon or configuration has taken hours -- understanding the implications of millions of user logons and configurations was almost impossible.

In this talk, we will share our success stories, lessons learned, and methodologies for enumerating, understanding, and mitigating the risks posed by disparate user behaviors and configurations. Whether your network has 50, 5,000, or 500,000 computers joined to Active Directory, you’ll walk away from this talk knowing how to greatly enhance your organization’s Active Directory security posture in days or weeks, not years. We will also demonstrate several attack primitives that are newly tracked by BloodHound, including Resource-Based Constrained Delegation.

Andy Robbins

Andy Robbins is the Adversary Resilience Lead at SpecterOps and has performed penetration tests and red team assessments for a number of Fortune 500 commercial clients and major U.S. Government agencies. In addition, Andy researched and presented findings at DerbyCon on a business logic flaw in certain processes for handling ACH files, affecting thousands of banking institutions around the country. He has a passion for offensive development and red team tradecraft, and helps to develop and teach the 'Adversary Tactics - Red Team Ops' course at Black Hat USA. Twitter: @_wald0

Rohan Vazarkar

Rohan Vazarkar is an operator and developer for SpecterOps with extensive experience performing penetration tests and red team engagements. He has spoken at numerous security conferences including DEF CON, Black Hat, SANS Hackfest, and more. He also conducts research and releases tactics for leveraging security weaknesses in Windows-based platforms. Rohan is the co-author of the BloodHound analysis platform and has contributed to other open source projects such as Empire and EyeWitness.

Will Schroeder

Will Schroeder is an experienced operator and researcher in the field of information security with a focus on red teaming, Active Directory, and offensive development. He has spoken at a number of security conferences including ShmooCon, DerbyCon, Troopers, DEF CON, BlueHat Israel, and more. He co-founded the Veil-Framework, developed PowerUp/PowerView, is an active PowerSploit developer, co-founded the BloodHound analysis platform, and co-founded Empire/EmPyre. Will is a Microsoft PowerShell MVP, a veteran Black Hat trainer, and actively blogs at http://blog.harmj0y.net.

