I Have the Power(View): Offensive Active Directory with PowerShell

Presented at TROOPERS16 (2016), March 16, 2016, 4 p.m. (Unknown duration).

Active Directory has been covered from a system administration perspective for as long as it has existed. However, much less information exists on how adversaries abuse and backdoor AD, leaving many defenders blind to the attacks carried out in their own environment. This talk will cover Active Directory from an offensive perspective, illustrating ways that attackers move through Windows networks with ease. These actions are facilitated by PowerView, an advanced AD enumeration tool written by the presenter that allows for easy local administrator enumeration, domain trust hopping, user hunting, ACL auditing, and more. PowerView has dramatically changed the way many operate on red team operations, and has helped to "bridge the gap" and bring advanced tradecraft to even time-constrained engagements.


Presenters:

  • Will Schroeder / @harmj0y as Will Schroeder
    Will Schroeder (@harmj0y) is a researcher and red teamer in Veris Group's Adaptive Threat Division. He actively participates in the public community and has spoken at several industry conferences including Shmoocon, Derbycon, and Defcon on topics spanning AV-evasion, red-teaming, domain trust abuse, offensive PowerShell, and more. He also helps develop/teach the Adaptive Red Team Tactics Blackhat training class, is a co-founder of the Veil-Framework, developed PowerView and PowerUp, is an active PowerSploit contributor, and is a co-founder/core developer of the PowerShell post-exploitation agent Empire. His technical blog is at http://blog.harmj0y.net/.
