The Backup Operators Guide to the Galaxy

Presented at DerbyCon 9.0 Finish Line (2019), Sept. 8, 2019, 11 a.m. (45 minutes)

Backup Operator accounts are ubiquitous and often overlooked by both blue and red teams.These accounts have abusable permissions and are rarely maintained properly.In this talk we will examine and demonstrate novel techniques to stealthily compromise Active Directory through the Backup Operator’s account.We will use the Backup Operator account to gain local Admin privilege, establish persistence, and pivot laterally throughout a domain.However, all is not lost in that we can further lockdown our systems and enable auditing measures to deter and detect these attacks.

Presenters:

• Dave Mayer
  Dave Mayer is a Senior Security Consultant with InGuardians, specializing in Red Teaming and Penetration Testing. Previously he was on the Red Team for a global financial organization where he performed Red Team engagements, internal and external penetration tests, and product testing. Prior to that he worked within healthcare as an Information Security Generalist.

Links:

• https://infocon.org/cons/DerbyCon/DerbyCon 9 2019/The Backup Operators Guide to the Galaxy Dave Mayer.mp4
• https://infocon.org/cons/DerbyCon/DerbyCon 9 2019/The Backup Operators Guide to the Galaxy Dave Mayer.eng.srt (subtitles)
• https://www.youtube.com/watch?v=BR4l8x2hLUQ

Similar Presentations:

• Black Hat Europe 2015 / Authenticator Leakage through Backup Channels on Android
• BruCON 0x0A (2018) / Operator Jail Breakout