It's The Only Way To Be Sure: Obtaining and Detecting Domain Persistence

Presented at DEF CON 23 (2015), Aug. 8, 2015, 1 p.m. (60 minutes)

When a Windows domain is compromised, an attacker has several options to create backdoors, obscure his tracks, and make his access difficult to detect and remove. In this talk, I discuss ways that an attacker who has obtained domain administrator privileges can extend, persist, and maintain control, as well as how a forensic examiner or incident responder could detect these activities and root out an attacker.

Presenters:

• Grant Bugher - Perimeter Grid
  Grant Bugher has been hacking and coding since the early 90's and working professionally in information security for the last 11 years. He is currently a security consultant and engineer for a cloud service provider, and has previously been an architect, program manager and software engineer on a variety of online services, developer tools and platforms. Grant is a prior speaker at BlackHat and DEF CON and a regular DEF CON attendee since DEF CON 16. Most of his research and work is on cloud computing and storage platforms, application security, and detecting attacks against web-scale applications. Twitter: @fishsupreme Web: http://perimetergrid.com

Links:

• https://defcon.org/html/defcon-23/dc-23-speakers.html#Bugher
• https://infocon.org/cons/DEF CON/DEF CON 23/DEF CON 23 slides/DEF CON 23 - Grant Bugher - Its the Only way to be Sure - Obtaining and Detecting Domain Persistence - Slides.mp4
• https://infocon.org/cons/DEF CON/DEF CON 23/DEF CON 23 video/DEF CON 23 - Grant Bugher - Its the Only way to be Sure - Obtaining and Detecting Domain Persistence - Video.mp4
• https://infocon.org/cons/DEF CON/DEF CON 23/DEF CON 23 slides/DEF CON 23 - Grant Bugher - Its the Only way to be Sure - Obtaining and Detecting Domain Persistence - Slides.srt (subtitles)
• https://infocon.org/cons/DEF CON/DEF CON 23/DEF CON 23 video and slides/DEF CON 23 - Grant Bugher - Its the Only way to be Sure - Obtaining and Detecting Domain Persistence - Video and Slides.srt (subtitles)
• https://infocon.org/cons/DEF CON/DEF CON 23/DEF CON 23 video/DEF CON 23 - Grant Bugher - Its the Only way to be Sure - Obtaining and Detecting Domain Persistence - Video.srt (subtitles)
• https://infocon.org/cons/DEF CON/DEF CON 23/DEF CON 23 video and slides/DEF CON 23 - Grant Bugher - Its the Only way to be Sure - Obtaining and Detecting Domain Persistence - Video and Slides.mp4 (Video and Slides)
• https://www.youtube.com/watch?v=gajEuuC2-Dk

Similar Presentations:

• May Contain Hackers (MCH2022) / Bring Your Own IDentity
• Black Hat USA 2021 / Zerologon: From Zero to Domain Admin by Exploiting a Crypto Bug
• Black Hat Europe 2018 / When Everyone's Dog is Named Fluffy: Abusing the Brand New Security Questions in Windows 10 to Gain Domain-Wide Persistence