Elevator Pitch
Active Directory has run identity and access control for the majority of the world's organizations for nearly three decades, yet new attacks and creative attack paths are found constantly. Unique lessons learned from AD forensics incidents: hunting for clues without AD logs (wiped), using open-source tools.
Description
We are used to talking about & examining how they got in and what they took out, but not as much about how they moved laterally, performed reconnaissance for assets & entities, achieved persistence & escalated privileges. Active Directory still runs identity and access control for the majority of the world's organizations. AD security has come a long way in three decades, yet new attacks and creative attack paths are found constantly. We'll take a dive into lessons learned from dozens of hands-on AD forensics incidents, hunting for clues in an enterprise without AD logs (wiped), and share open-source tools.
Notes
AD is as popular as TCP/IP in Microsoft networks. Coming from nearly 3 decades of work with AD technologies, including 8 years at Microsoft, and as an ex-member of an AD defense-by-deception startup sold to Symantec (Javelin Networks), with dozens of international incident response cases on 4 continents building attack timelines from scratch with zero knowledge, no logs, no SIEM, Domain Controllers encrypted, etc., I feel very comfortable sharing my experience and insights on the topic, including sharing free tools I've created to help organizations before, during and after an incident.