In multiple investigations and assessments, we observed the techniques attackers preferred as they escalated privileges to move laterally, persisted in the Active Directory environment, and blended in. Backdoors and misconfigurations on Active Directory systems provided attackers with long-term privileged access to the environment.
We will cover, in depth, different methods used by attackers to maintain persistence, covertly elevate privileges at will, and maintain and exert control over systems managed by Active Directory. We will also discuss different methods of hunting for and detecting these misconfigurations and backdoors, to help find them faster and respond effectively.
Some of the hunt use cases that may be discussed include:
Hybrid Active Directory Backdoors
DACL-Based Backdoors
GPO-Based Backdoors
SID History Abuse
Misconfigurations of Authentication Methods
Persistent access using Machine Account password
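As an added illustration of two of the hunt use cases above (SID History abuse and persistence via machine account passwords), the following PowerShell enumerates the relevant indicators from a domain-joined host. This is example code written for this summary, not material from the talk or its speakers. It assumes the ActiveDirectory RSAT module is installed, that a 90-day password age is a reasonable threshold for flagging computer accounts (the default rotation interval is 30 days), and that the privileged group names listed are the ones of interest in the environment.

```powershell
# Added hunting example (not from the talk): enumerate two of the listed
# backdoor indicators with the ActiveDirectory module (RSAT required).
Import-Module ActiveDirectory

# 1. SID History: any principal carrying sIDHistory values inherits the group
#    memberships of those SIDs. Entries pointing back into the current domain
#    have no migration rationale and deserve a closer look.
$domainSid = (Get-ADDomain).DomainSID.Value
$sidHistoryHits = Get-ADObject -LDAPFilter '(sIDHistory=*)' -Properties sIDHistory, objectClass |
    ForEach-Object {
        $obj = $_
        foreach ($sid in $obj.sIDHistory) {
            $sidString = [string]$sid
            [pscustomobject]@{
                Name        = $obj.Name
                ObjectClass = $obj.ObjectClass
                HistorySid  = $sidString
                SameDomain  = $sidString.StartsWith($domainSid)
            }
        }
    }
"SID History entries found: $($sidHistoryHits.Count)"
$sidHistoryHits | Sort-Object SameDomain -Descending | Format-Table -AutoSize

# 2. Machine account passwords: a computer account whose password is never
#    rotated keeps working as a credential indefinitely. Flag enabled accounts
#    older than the threshold (assumption: 90 days) so they can be reviewed.
$cutoff = (Get-Date).AddDays(-90)
Get-ADComputer -Filter 'PasswordLastSet -lt $cutoff' -Properties PasswordLastSet, LastLogonDate, Enabled |
    Where-Object { $_.Enabled } |
    Select-Object Name, PasswordLastSet, LastLogonDate |
    Sort-Object PasswordLastSet |
    Format-Table -AutoSize

# 3. Machine accounts placed in privileged groups (assumed group names).
foreach ($group in 'Domain Admins', 'Administrators', 'Enterprise Admins') {
    Get-ADGroupMember -Identity $group -Recursive -ErrorAction SilentlyContinue |
        Where-Object { $_.objectClass -eq 'computer' } |
        ForEach-Object { "{0} contains machine account {1}" -f $group, $_.SamAccountName }
}
```

Run the script from an account that can read the directory; the queries are read-only. A same-domain SID History entry, or a machine account that is both stale and privileged, is a finding to triage rather than proof of compromise, since migrations and long-offline servers can produce the same artefacts.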
Thirumalai Natarajan Muthiah, Principal Consultant, Mandiant – https://twitter.com/th1rum
Anurag Khanna, Manager – Incident Response & Consulting Services, Crowdstrike Services – https://twitter.com/khannaanurag