Presented at TROOPERS16 (2016)
March 16, 2016, 4 p.m.
Active Directory has been covered from a system administration perspective for as long as it has existed. However, much less information exists on how adversaries abuse and backdoor AD, leaving many defenders blind to the attacks carried out in their own environment. This talk will cover Active Directory from an offensive perspective, illustrating ways that attackers move through Windows networks with ease. These actions are facilitated by PowerView, an advanced AD enumeration tool written by the presenter that allows for easy local administrator enumeration, domain trust hopping, user hunting, ACL auditing, and more. PowerView has dramatically changed the way many operate on red team operations, and has helped to "bridge the gap" and bring advanced tradecraft to even time-constrained engagements.
Will Schroeder / @harmj0y
as Will Schroeder
Will Schroeder (@harmj0y) is a researcher and red teamer in Veris
Groups' Adaptive Threat Division. He actively participates in the public
community and has spoken at several industry conferences including Shmoocon,
Derbycon, and Defcon on topics spanning AV-evasion, red-teaming, domain trust
abuse, offensive PowerShell, and more. He also helps develop/teach the
Adaptative Red Team Tactics Blackhat training class, is a co-founder of the
Veil-Framework, developed PowerView and PowerUp, is an active PowerSploit
contributor, and is a co-founder/core developer of the PowerShell
post-exploitation agent Empire. His technical blog is at