Active Directory Attacks: The Good, The Bad, and The LOLwut

Presented at DEF CON 31 (2023), Aug. 12, 2023, 9 a.m. (240 minutes).

Threat actors such as ransomware affiliates around the world are carrying out attacks on Active Directory (AD) at scale. When doing so, such actors often stick to the mainstream in terms of attack methodologies and tooling. But… that’s lame! Why borrow tactics, techniques, and procedures (TTPs) that are so well known and thus readily detectable?! Come hang out with us as we provide an overview of AD, show the most common attack scenarios, then show you how to detect and prevent those very attacks. Stick around as we then transition to covering what you could, and should, be doing instead. We will be providing a remote network range to which you will connect. Once in the range, you will be acting as the ransomware threat actor, “pentester” as they like to call themselves. You will carry out attacks such as enumeration via Bloodhound, credential discovery and compromise, pass the hash attacks, and kerberoasting via common tools such as Mimikatz & Rubeus. After carrying out the attacks yourself, you’ll then learn how to prevent and detect those very attacks. We’ll then show you custom-developed methods to carry out the same attacks without the reliance on well-known TTPs/tools. And even better, we’ll show you how you could, at least where it’s even possible, detect the more custom/advanced methodologies. Join us if you are a blue teamer, red teamer, purple teamer, cyber defender, DFIR analyst… basically anyone who wants (or needs!) to learn to defend and/or attack Active Directory. Come for the tech, stay for the humor. See ya there! Skill Level: Intermediate to Advanced Prerequisites for students: - The primary requirement for this course is a desire to learn and the determination to tackle challenging problems. In addition, having some familiarization with the following topics will help students maximize their time in this course: - A general background in Digital Forensics & Incident Response (DFIR) - Familiarity with blue team-oriented tools - An understanding of general networking concepts - Familiarity with Active Directory – though we’ll cover everything students need to know Materials or Equipment students will need to bring to participate: - A laptop with Linux/Windows/Mac desktop environment - Networking capability: Students will be connecting to a remote network range – They will need a wireless NIC (assuming the workshop area provides Wi-Fi, not not we’ll need to know) that can be enabled along with administrator privileges on their system - IMPORTANT: This workshop relies on network connectivity. Any student not able to connect to our range will be unable to follow along with the hands-on portion of the workshop.

Presenters:

  • Brandon DeVault - Pluralsight
    Brandon DeVault is a security researcher, blue teamer, and educator. Currently works as an author for Pluralsight and member of the FL Air National Guard. Prior experience includes work at Elastic and multiple deployments with Special Operations Command.
  • Ryan Chapman
    Ryan Chapman is the author of SANS’ “FOR528: Ransomware for Incident Responders” course, teaches SANS’ “FOR610: Reverse Engineering Malware” course, works as a principal incident response consultant for $dayJob, and helps run the CactusCon conference in Phoenix, Arizona, USA. Ryan has a passion for life-long learning, loves to teach people about ransomware-related attacks, and enjoys pulling apart malware. He has presented workshops at DefCon and other conferences in the past and knows how to create a step-by-step instruction set to maximize hands-on learning.
  • Aaron Rosenmund - Director of Security Research and Content at Pluralsight
    Aaron Rosenmund is the Director of Security Research and Content for Pluralsight, where he has also authored over 115 courses and technical labs across offensive and defensive security operations topics. Part time work includes service as an Cyber Warfare Operations office in the Delaware Air National guard, where he has also lead a 100+ member red team for the largest cyber exercise in the Nation, Cybershield. 4 years of highly rated talks and workshops have earned him the Distinguished speaker title from RSAC, and he looks forward to returning for the 3rd year to Defcon Workshops to bring practical emulation and testing capabilities to the people who need it most.

Similar Presentations: