Red vs Blue: Modern Active Directory Attacks Detection and Protection

Black Hat USA 2015

Presented by: Sean Metcalf
Date: Wednesday August 05, 2015
Time: 13:50 - 14:40
Location: Mandalay Bay EF

Kerberos "Golden Tickets" were unveiled by Alva "Skip" Duckwall & Benjamin Delpy in 2014 during their Black Hat USA presentation. Around this time, Active Directory (AD) admins all over the world felt a great disturbance in the Force. Golden Tickets are the ultimate method for persistent, forever AD admin rights to a network since they are valid Kerberos tickets and can't be detected, right?The news is filled with reports of breached companies and government agencies with little detail on the attack vectors and mitigation. This briefing discusses in detail the latest attack methods for gaining and maintaining administrative access in Active Directory. Also covered are traditional defensive security measures that work (and ones that don't) as well as the mitigation strategies that can keep your company's name off the front page. Prepare to go beyond "Pass-the-Hash" and down the rabbit hole.This talk explores the latest Active Directory attack vectors and describes how Golden Ticket usage can be detected. When forged Kerberos tickets are used in AD, there are some interesting artifacts that can be identified. Yes, despite what you may have read on the internet, there are ways to detect Golden & Silver Ticket usage!Some of the topics covered:

How attackers go from zero to (Domain) AdminMS14-068: the vulnerability, the exploit, and the danger."SPN Scanning" with PowerShell to identify potential targets without network scans (SQL, Exchange, FIM, webservers, etc.).Exploiting weak service account passwords as a regular AD user.Mimikatz, the attacker's multi-tool.Using Silver Tickets for stealthy persistence that won't be detected (until now).Identifying forged Kerberos tickets (Golden & Silver Tickets) on your network.Detecting offensive PowerShell tools like Invoke-Mimikatz.PowerShell v5 security enhancementsActive Directory attack mitigation.

Kerberos expertise is not required since the presentation covers how Active Directory leverages Kerberos for authentication identifying the areas useful for attack. Information presented is useful for both Red Team & Blue Team members.

Kerberos "Golden Tickets" were unveiled by Alva "Skip" Duckwall & Benjamin Delpy in 2014 during their Black Hat USA presentation. Around this time, Active Directory (AD) admins all over the world felt a great disturbance in the Force. Golden Tickets are the ultimate method for persistent, forever AD admin rights to a network since they are valid Kerberos tickets and can't be detected, right?

The news is filled with reports of breached companies and government agencies with little detail on the attack vectors and mitigation. This briefing discusses in detail the latest attack methods for gaining and maintaining administrative access in Active Directory. Also covered are traditional defensive security measures that work (and ones that don't) as well as the mitigation strategies that can keep your company's name off the front page. Prepare to go beyond "Pass-the-Hash" and down the rabbit hole.This talk explores the latest Active Directory attack vectors and describes how Golden Ticket usage can be detected. When forged Kerberos tickets are used in AD, there are some interesting artifacts that can be identified. Yes, despite what you may have read on the internet, there are ways to detect Golden & Silver Ticket usage!Some of the topics covered:

Kerberos expertise is not required since the presentation covers how Active Directory leverages Kerberos for authentication identifying the areas useful for attack. Information presented is useful for both Red Team & Blue Team members.

Sean Metcalf

Sean Metcalf is the Chief Technology Officer at DAn Solutions, a company that provides Microsoft platform engineering and security expertise. Mr. Metcalf is one of about 100 people in the world who holds the elite Microsoft Certified Master Directory Services (MCM) certification. Furthermore, he assisted Microsoft in developing the Microsoft Certified Master Directory Services certification program for Windows Server 2012. Mr. Metcalf has provided Active Directory and security expertise to government, corporate, and educational entities since Active Directory was released. He currently provides security consulting services to customers with large Active Directory environments and regularly posts useful Active Directory security information on his blog, ADSecurity.org. Follow him on Twitter @PyroTek3.


KhanFu - Mobile schedules for INFOSEC conferences.
Mobile interface | Alternate Formats