Hi [[ session.user.profile.firstName ]]

SpecterOps

  • Date
  • Rating
  • Views
  • An ACE Up the Sleeve: Designing Active Directory DACL Backdoors
    An ACE Up the Sleeve: Designing Active Directory DACL Backdoors Will Schroeder, Security Research / SpecterOps and Andy Robbins, Adversary Resilience Lead / SpecterOps Recorded: Aug 15 2017 61 mins
    Active Directory (AD) object discretionary access control lists (DACLs) are an untapped offensive landscape, often overlooked by attackers and defenders alike. The control relationships between AD objects align perfectly with the "attackers think in graphs" philosophy and expose an entire class of previously unseen control edges, dramatically expanding the number of paths to complete domain compromise.

    While DACL misconfigurations can provide numerous paths that facilitate elevation of domain rights, they also present a unique chance to covertly deploy Active Directory persistence. It's often difficult to determine whether a specific AD DACL misconfiguration was set intentionally or implemented by accident. This makes Active Directory DACL backdoors an excellent persistence opportunity: minimal forensic footprint, and maximum plausible deniability.

    This talk will cover Active Directory DACLs in depth, our "misconfiguration taxonomy," and enumeration/analysis with BloodHound's newly released feature set. We will cover the abuse of AD DACL misconfigurations for the purpose of domain rights elevation, including common misconfigurations encountered in the wild. We will then cover methods to design AD DACL backdoors, including ways to evade current detections, and will conclude with defensive mitigation/detection techniques for everything described.
  • Catch Me If You Can - Red vs. Blue
    Catch Me If You Can - Red vs. Blue Will Schroeder and Jared Atkinson Recorded: Aug 10 2017 58 mins
    Attackers’ love for PowerShell is now no longer a secret, with 2016 producing an explosion in offensive PowerShell toolsets. PowerShell is gaining respect in offensive circles as “Microsoft’s Post-Exploitation Language” and being integrated into many offensive toolkits. Unfortunately, the offensive community often fails to research or share relevant mitigations with their defensive counterparts. This leaves many defenders without the information they need to protect themselves and their networks from these attacks. In a quest to combat the perceived threat, many defenders attempt to disable PowerShell rather than realizing its defensive potential.

    In this webinar, Will Schroeder (@harmj0y) and Jared Atkinson (@jaredcatkinson) will cover offensive and defensive PowerShell tools and techniques, including PowerPick, subversive PowerShell profiles, PowerForensics, and Get-InjectedThread. They will also cover mitigations and detections for popular offensive tools and techniques, demonstrating how to best handle the new offensive reality of widespread offensive PowerShell usage.

Embed in website or blog