Threat Hunting in Active Directory Environment

Presented at Black Hat Asia 2021 Virtual, May 6, 2021, 12:30 p.m. (40 minutes)

Mandiant has conducted multiple investigations and observed the techniques attackers prefer when escalating privileges to move laterally, persist in the environment, and blend in. Backdoors and misconfigurations in Active Directory provided attackers with long-term privileged access to the environment.

Based on our remediation experience on the frontlines, we observed closely the challenges customers had in recognizing and remediating these attacker techniques. These challenges were further shaped by the controls adopted and by attacker sophistication in APJ.

We will cover, in depth, the different methods attackers use to maintain persistence, covertly elevate privileges at will, and maintain and exert control over systems managed by Active Directory. We will discuss different methods of hunting for these misconfigurations and backdoors to help find them faster and respond effectively.

Some of the hunt use cases that may be discussed include:
1. DACL-Based Backdoors
2. Constrained, Unconstrained and Resource-Based Constrained Delegation (RBCD) Misuse
3. Excessive Permissions on Active Directory Objects
4. AdminSDHolder-Based Persistence
5. Cross-Forest Trust Abuses
6. Credential Stealing Techniques
7. Misconfigurations of Authentication Methods
8. GPOs for Lateral Movement and Maintaining Access
9. Domain Dominance Attacks: Skeleton Key, DCShadow, DCSync
10. Hybrid Active Directory Malicious Configurations
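Added here as a worked example, not code from the talk, the presenters or Mandiant: a PowerShell hunt script built on the Microsoft ActiveDirectory module that covers three of the use cases listed above (delegation misuse, AdminSDHolder persistence, and the replication rights behind DCSync). It assumes RSAT or a domain controller and a caller with read access to the directory. The "expected" principal lists are assumptions drawn from a default forest and the helper names (New-Finding, ConvertTo-AdSecurity) are the editor's own; replace the baselines with a known-good export from your environment before trusting the output.

```powershell
# Added example (not from the Black Hat Asia 2021 talk): AD hunt queries for delegation
# misuse, AdminSDHolder tampering and replication (DCSync) rights. Assumes the
# ActiveDirectory module (RSAT / DC) and read access to the domain. Baseline lists
# marked "assumption" are default-forest guesses, not authoritative.
Import-Module ActiveDirectory

$domain   = Get-ADDomain
$domainDN = $domain.DistinguishedName
$netbios  = $domain.NetBIOSName

function New-Finding([string]$Category, [string]$Object, [string]$Detail) {
    [PSCustomObject]@{ Category = $Category; Object = $Object; Detail = $Detail }
}

# Security-descriptor attributes usually arrive as ActiveDirectorySecurity, but some
# module versions hand back raw bytes; normalise both forms.
function ConvertTo-AdSecurity($value) {
    if ($value -is [System.DirectoryServices.ActiveDirectorySecurity]) { return $value }
    $sd = New-Object System.DirectoryServices.ActiveDirectorySecurity
    $sd.SetSecurityDescriptorBinaryForm([byte[]]$value)
    return $sd
}

# Use case 2: unconstrained, constrained (protocol transition) and resource-based delegation.
function Get-DelegationFindings {
    $dcNames = (Get-ADDomainController -Filter *).Name

    # TRUSTED_FOR_DELEGATION (0x80000): the host caches TGTs of everyone who authenticates
    # to it. Only domain controllers should carry this bit.
    Get-ADComputer -Filter { TrustedForDelegation -eq $true } |
        Where-Object { $dcNames -notcontains $_.Name } |
        ForEach-Object { New-Finding 'UnconstrainedDelegation' $_.DistinguishedName 'non-DC computer' }
    Get-ADUser -Filter { TrustedForDelegation -eq $true } |
        ForEach-Object { New-Finding 'UnconstrainedDelegation' $_.DistinguishedName 'user account' }

    # Constrained: msDS-AllowedToDelegateTo lists target SPNs. With TRUSTED_TO_AUTH_FOR_DELEGATION
    # (0x1000000) the account can impersonate any user to those SPNs via S4U2Self, no password needed.
    Get-ADObject -LDAPFilter '(msDS-AllowedToDelegateTo=*)' -Properties msDS-AllowedToDelegateTo, userAccountControl |
        ForEach-Object {
            $detail = "targets: $($_.'msDS-AllowedToDelegateTo' -join ', ')"
            if ($_.userAccountControl -band 0x1000000) { $detail = "PROTOCOL TRANSITION; $detail" }
            New-Finding 'ConstrainedDelegation' $_.DistinguishedName $detail
        }

    # RBCD: the grant lives on the *target* object, so anyone who can write a computer
    # object can authorise their own principal to impersonate users to it.
    Get-ADObject -LDAPFilter '(msDS-AllowedToActOnBehalfOfOtherIdentity=*)' -Properties msDS-AllowedToActOnBehalfOfOtherIdentity |
        ForEach-Object {
            $sd  = ConvertTo-AdSecurity $_.'msDS-AllowedToActOnBehalfOfOtherIdentity'
            $who = ($sd.Access | ForEach-Object { $_.IdentityReference.Value }) -join ', '
            New-Finding 'RBCD' $_.DistinguishedName "may be impersonated to by: $who"
        }
}

# Use case 4: SDProp stamps the AdminSDHolder DACL onto every protected account roughly
# hourly, so one extra ACE here is durable, high-privilege persistence.
function Get-AdminSDHolderFindings {
    # Assumption: default-forest holders of write-class rights (Cert Publishers and Terminal
    # Server License Servers write single attributes; Everyone/SELF hold only Change Password).
    $expected = @('NT AUTHORITY\SYSTEM', 'BUILTIN\Administrators', "$netbios\Domain Admins",
                  "$netbios\Enterprise Admins", "$netbios\Cert Publishers",
                  'BUILTIN\Terminal Server License Servers', 'Everyone', 'NT AUTHORITY\SELF')
    $writeRights = 'GenericAll|GenericWrite|WriteDacl|WriteOwner|WriteProperty|ExtendedRight|Self'
    (Get-Acl -Path "AD:\CN=AdminSDHolder,CN=System,$domainDN").Access |
        Where-Object { $_.AccessControlType -eq 'Allow' -and
                       $_.ActiveDirectoryRights -match $writeRights -and
                       $expected -notcontains $_.IdentityReference.Value } |
        ForEach-Object { New-Finding 'AdminSDHolderACE' $_.IdentityReference.Value "$($_.ActiveDirectoryRights) objectType=$($_.ObjectType)" }

    # Orphaned adminCount=1 accounts keep the stamped DACL and inheritance block after leaving
    # a protected group, which masks later ACL tampering. Each one deserves a review.
    Get-ADUser -LDAPFilter '(adminCount=1)' |
        ForEach-Object { New-Finding 'AdminCountSet' $_.DistinguishedName 'confirm still a protected-group member' }
}

# Use case 9 (DCSync): a principal holding the replication extended rights on the domain head
# can pull every password hash over MS-DRSR exactly as a DC would. GenericAll implies them.
function Get-DcsyncRightFindings {
    $replRights = @{
        '1131f6aa-9c07-11d1-f79f-00c04fc2dcd2' = 'DS-Replication-Get-Changes'
        '1131f6ad-9c07-11d1-f79f-00c04fc2dcd2' = 'DS-Replication-Get-Changes-All'
        '89e95b76-444d-4c62-991a-0facbeda640c' = 'DS-Replication-Get-Changes-In-Filtered-Set'
    }
    $allRights = '00000000-0000-0000-0000-000000000000'   # ObjectType meaning "every extended right"
    # Assumption: default holders. An Azure AD Connect MSOL_* account legitimately appears here
    # too (the hybrid case); anything else unexplained is a finding.
    $expected = @('NT AUTHORITY\SYSTEM', 'BUILTIN\Administrators', "$netbios\Domain Admins",
                  "$netbios\Enterprise Admins", "$netbios\Domain Controllers",
                  'NT AUTHORITY\ENTERPRISE DOMAIN CONTROLLERS', "$netbios\Read-only Domain Controllers")
    (Get-Acl -Path "AD:\$domainDN").Access |
        Where-Object {
            $_.AccessControlType -eq 'Allow' -and $expected -notcontains $_.IdentityReference.Value -and (
                $_.ActiveDirectoryRights -match 'GenericAll' -or
                ($_.ActiveDirectoryRights -match 'ExtendedRight' -and
                 ($replRights.ContainsKey($_.ObjectType.ToString()) -or $_.ObjectType.ToString() -eq $allRights)))
        } |
        ForEach-Object {
            $name = if ($replRights.ContainsKey($_.ObjectType.ToString())) { $replRights[$_.ObjectType.ToString()] } else { "$($_.ActiveDirectoryRights)" }
            New-Finding 'ReplicationRight' $_.IdentityReference.Value $name
        }
}

# Collect everything; pipe to Export-Csv instead of Format-Table when tracking a case.
$findings = @(Get-DelegationFindings) + @(Get-AdminSDHolderFindings) + @(Get-DcsyncRightFindings)
$findings | Sort-Object Category, Object | Format-Table -AutoSize
```

Each row is a lead, not a verdict: a non-DC host with unconstrained delegation, a protocol-transition account, an RBCD grantee nobody recognises, a write ACE on AdminSDHolder, or a replication right outside the baseline should each open a ticket, and the delegation hits also tell you which hosts merit a memory-resident TGT check during incident response.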

Presenters:

  • Thirumalai Natarajan Muthiah - Principal Consultant, Mandiant Consulting
    Thirumalai Natarajan is a Principal Consultant with Mandiant Consulting, where he is responsible for performing incident response and remediation for large-scale breaches, Active Directory and cloud security assessments, and ransomware defense assessments for global organizations. Across his career, Thiru has built and managed security operation centers and detection and response engineering teams across APAC to help organizations improve their detection and defense posture. He currently holds CISSP, GREM, OSCP and PMP certifications.
  • Anurag Khanna - Principal Consultant, Mandiant Consulting
    Anurag Khanna is a Principal Consultant with Mandiant Consulting, where he is responsible for performing incident response and remediation and helping organizations improve their security posture. Across his career, Anurag has worked across the gamut of cyber security roles, including penetration tester, incident handler and security architect, helping organizations improve their detection capabilities and test their security posture. He is among the few cyber security experts to hold the GIAC Security Expert (GSE #97) credential.
