Detecting Access Token Manipulation

Presented at Black Hat USA 2020 Virtual, Aug. 6, 2020, 11 a.m. (40 minutes)

Windows access token manipulation attacks are well known and abused from an offensive perspective, but rely on an extensive body of arcane Windows security internals: logon sessions, access tokens, UAC, and network authentication protocols, such as Kerberos and NTLM, to name a few. Furthermore, some of this information is not easily found and can be complex for defensive practitioners to get to grips with, resulting in brittle detections and making it hard to identify the signal from the noise.<br /> <br /> This presentation aims to demystify how access tokens work in Windows environments and show how attackers abuse legitimate Windows functionality to move laterally and compromise entire Active Directory domains. Most importantly, it will cover how to catch attackers in the act, and at scale, across enterprises. In doing so, defense practitioners will understand the key signals to identify access token manipulation within their own environments in order to detect and respond to these types of attacks.<br /> <br /> The presentation will be heavy on Windows internals/APIs, undocumented tips and tricks, and reveal how red teaming and attack tools really work their magic.

Presenters:

• William Burgess - Security Research Engineer, Elastic
  William Burgess is a Security Research Engineer at Elastic, where he focuses on Windows internals, reverse engineering, and detection engineering.

Links:

• https://www.blackhat.com/us-20/briefings/schedule/#detecting-access-token-manipulation-20524

Similar Presentations:

• Black Hat Asia 2021 Virtual / Threat Hunting in Active Directory Environment
• Black Hat Asia 2021 Virtual / The Rise of Potatoes: Privilege Escalations in Windows Services
• HushCon Seattle 2019 / Understanding Windows Access Token Manipulation: Finding Alternatives to winlogon.exe