Dns Admins Revisited - Achieving Privileged Persistence on a DC

In a post on Medium in 2017, security researchers showed how users from the DNSAdmins group could use a feature abuse in the Microsoft DNS management protocol to make the DNS service load any DLL. This service runs on Domain Controllers as NT Authority\System, allowing DNSAdmins to escalate privileges to SYSTEM on a DC (with permissions equal at least to Domain Admins). This “cute trick,” as the original researcher, Shay Ber, called it, can be useful for Red Teams exploring AD privilege escalation and is a potential backdoor for attackers into the domain controller. In this presentation, I’ll expand on Shay Ber’s research by showing how to overcome a problem with the previous technique and how to make it more stealthy. I’ll also review the required permissions to show that an adversary could use this tactic to leave a backdoor to a DC that likely would not be noticed and might bypass some tools.
Recorded Jul 29 2021 30 mins
Presented by
Yuval Gordon | Security Researcher at Semperis
  • Would Your Organization Fail the Active Directory Security Assessment? Oct 13 2021 3:00 pm UTC 54 mins
    Darren Mar-Elia and Ran Harel
    As cyberattacks proliferate, many organizations are investing resources in plugging holes in their security strategy. But one common attack entry point—also used in the SolarWinds breach—is consistently overlooked: Active Directory. According to results from a new security assessment tool that evaluates security weaknesses in Active Directory configurations, even large organizations with extensive resources are seeing average scores of 58%—a failing grade.

    Where are companies failing in securing Active Directory—and how can you strengthen your AD defenses? Join Microsoft identity experts Darren Mar-Elia and Ran Harel as they walk through the most common weak spots in Active Directory configurations—and how to fix them.
    You’ll come away from this session with a practical checklist of AD vulnerabilities to watch for in your environment, including:

    - Password policies that are inadequate for modern account protection
    - Accounts with elevated privileges in place that haven’t been adequately reviewed
    - Accounts with delegated permissions over Active Directory that have proliferated over time and have unwanted consequences for AD security
    - Weaknesses in Kerberos usage that are increasingly being exploited to gain privileged access
    - Weak Group Policy configuration, which creates a variety of holes that attackers can drive through
  • Ransomware, Risk and Recovery Sep 29 2021 3:00 am UTC 34 mins
    Sean Deuby, Director of Services
    Disaster Recovery (DR) strategies have traditionally focused on natural disasters, then expanded into other physical events such as terrorism. Today, cyber weaponization is everywhere, and the "extinction event" is a genuine threat with no respect for geographic boundaries.

    Join us on September 29th for a live webinar co-hosted by Semperis about how to quickly recover critical business operations following a ransomware attack. Working in tandem with Dell PowerProtect, Semperis focuses on an often neglected but essential part of the BCDR story: Active Directory recovery.

    Presented by 15-time Microsoft MVP and identity security expert Sean Deuby (Semperis Director of Client Services), this session will cover:

    • Recent cyberattacks that have targeted Active Directory, which is the primary source of identity and access trust for 90% of enterprises
    • Why AD is the cyber kill chain’s weakest link – exploited in virtually every modern attack
    • New “cyber-first” DR technologies that automate recovery of complex systems, facilitate recovery to the cloud, and eliminate the risk of reinfection from system state and bare-metal backups
  • Stepping Up Your Active Directory Defenses Recorded: Sep 15 2021 51 mins
    Sean Deuby | Director of Services at Semperis
    Stepping Up Your Active Directory Defenses: Lessons Learned from Recent Attacks Like PrintNightmare

    Cybercriminals have been busy this summer, and many of the attacks have targeted Active Directory. In the month of July alone, attackers exploited Microsoft vulnerabilities that led to the PrintNightmare and PetitPotam attacks, in addition to other flaws that were not directly related to Active Directory. The REvil ransomware group used the zero-day vulnerability to deliver malware through a fake, automated update to Kaseya’s VSA solution, which MSPs across the U.S. and the United Kingdom use to manage their clients’ systems. And a MeteorExpress wiper attack used Active Directory to compromise Iran's train system.

    In this informal discussion with Sean Deuby (Semperis Director of Services), we'll talk about how these attacks worked, what they might have in common, and how you can take steps to guard against them.

    What you'll take away:
    - How these attacks used Active Directory as an entry point
    - How attackers are building upon past success to compromise identity systems
    - How to guard against common attack methods and step up monitoring for sophisticated Active Directory attacks
  • A Look Back at Recent Cyberattacks: AD at the Center of Attention Recorded: Aug 24 2021 53 mins
    Matthieu Trivier
    The year 2020 and the health crisis upended our standards. New ways of working and producing have multiplied the opportunities to destabilize companies. The number and impact of cyberattacks have exploded, particularly in France, with a 255% increase in ransomware compared with 2019. One thing most of these attacks have in common: the Active Directory directory, which was either the target or the means of propagation.
    Matthieu Trivier, Solutions Architect at Semperis, invites you to join him for a recap of cyberattacks in France and for ways to improve the security of your Active Directory before, during and after a cyberattack.
  • The Future of Identity Recorded: Jul 31 2021 71 mins
    John Craddock and Pamela Dingle
    Are passwords really dead? Tune in to this lively conversation among some of the leading luminaries of identity and access management as they debate challenges and solutions of managing access to systems and data in an escalating threat landscape. Moderated by Semperis Chief Architect Gil Kirkpatrick, "The Future of Identity" includes perspectives from John Craddock, Pam Dingle, Ulf Simon-Weidner, Guido Grillenmeier, and Ben Cauwel.
    Listen as these experienced identity management experts discuss the current challenges with cloud security.
  • What Are Your First Steps Recorded: Jul 30 2021 42 mins
    Ben Cauwel | Security Delivery Manager at Accenture Security
    What are you supposed to do when you are called at 4 PM by a global company that is under attack and for whom you have never worked? How far did the attacker go, and is he still there? What monitoring tools are in place, do they have a DRP plan, are the backups safe? I would like to discuss how we leveraged our partners and tools to offer a secure approach including DRP + full remediation.
  • Is Cloud Security an Oxymoron? Recorded: Jul 30 2021 41 mins
    Tony Redmond and Sean Deuby
    Is cloud security an oxymoron? In this panel session, featured in the inaugural HIP Europe 2021, moderators Sean Deuby and Guido Grillenmeier discuss the current state of cloud security with panelists Tony Redmond, Jan De Clercq, and Jorge de Almeida Pinto. This lively conversation covers the evolution of enterprise trust in cloud security: Cloud providers Microsoft, AWS, and Google deliver compelling platforms that are gradually winning the hearts and minds of enterprise customers, but recent successful breaches of cloud services by threat actors have started to erode that trust.
  • The Future of Identity: DIDs and VCs Recorded: Jul 29 2021 58 mins
    John Craddock | IT Infrastructure and Security Analyst at XTSeminars
    In this keynote, John Craddock will introduce you to the future of Identity with Decentralized Identifiers (DIDs) and Verifiable Credentials (VCs). Today, users have their identity distributed, outside of their control, across many Identity Providers (IdPs). Users are constantly being asked to prove who they are to multiple services; some proofing can be arduous and time-consuming. How would it be if you owned your identity without dependence on IdPs and only needed to prove who you are once and use that proof as often as necessary? Come and understand the possibilities with DIDs and VCs. Microsoft has a Verifiable Claims service running in Azure AD, and you can test out your ideas and concepts.
  • Identity Recovery in Hybrid Infrastructures Recorded: Jul 29 2021 44 mins
    Ulf Simon-Weidner | Solution Manager Microsoft 365 at Computacenter
    Nowadays everything is about cloud – however, the key to the cloud and your users' data is the identity of your users. These identities are in most cases synced from on-premises, or they are even authenticating against on-premises services. In this session Ulf – who delivered deep-level sessions about Active Directory Recovery and Delegations for many years – talks about the challenges to secure and, in the worst case, to recover identities across multiple instances: on-premises as well as in multiple instances in your enterprise's cloud services.
  • Identify Lateral Movement Paths (LMPs) with Microsoft Defender for Identity (MDI) Recorded: Jul 29 2021 55 mins
    Holger Zimmermann | Technical Specialist at Microsoft
    Microsoft Defender for Identity (formerly Azure Advanced Threat Protection, also known as Azure ATP) is a cloud-based security solution that leverages your on-premises Active Directory signals to identify, detect, and investigate advanced threats, compromised identities, and malicious insider actions directed at your organization. A ‘life hack’ (brute-force attack → overpass-the-hash attack → pass-the-ticket → domain dominance) and learn how to identify & investigate Lateral Movement and how to de-risk LMPs using Microsoft Defender for Identity.
  • Deploying a Zero Trust Infrastructure Recorded: Jul 29 2021 61 mins
    Jean-Francois Aprea and Seyfallah Tagrerout
    The objective of this session is to show you by example and demos how you can implement the principles of the Zero Trust model within a Microsoft hybrid cloud infrastructure. During these 60 minutes, you will learn about Zero Trust fundamentals and why, beyond the concepts, it is important today to protect Identities and assets by turning intentions into reality.
    You will discover the Microsoft security stack with Azure AD, Control & Conditional Access Management features and Microsoft 365 Defender suite. At the end of this session you will leave with a ton of best practices to drive your Zero Trust implementation and secure your hybrid infrastructure.
  • Dns Admins Revisited - Achieving Privileged Persistence on a DC Recorded: Jul 29 2021 30 mins
    Yuval Gordon | Security Researcher at Semperis
    In a post on Medium in 2017, security researchers showed how users from the DNSAdmins group could use a feature abuse in the Microsoft DNS management protocol to make the DNS service load any DLL. This service runs on Domain Controllers as NT Authority\System, allowing DNSAdmins to escalate privileges to SYSTEM on a DC (with permissions equal at least to Domain Admins). This “cute trick,” as the original researcher, Shay Ber, called it, can be useful for Red Teams exploring AD privilege escalation and is a potential backdoor for attackers into the domain controller. In this presentation, I’ll expand on Shay Ber’s research by showing how to overcome a problem with the previous technique and how to make it more stealthy. I’ll also review the required permissions to show that an adversary could use this tactic to leave a backdoor to a DC that likely would not be noticed and might bypass some tools.
  • Future of Microsoft Cloud Services Recorded: Jul 27 2021 54 mins
    Tony Redmond | Owner and Principal at Tony Redmond & Associates
    Now generating more than $60 billion in annual revenues, Microsoft’s cloud services are more wildly successful than anyone anticipated when Microsoft launched Office 365 in June 2011. In this session, we look at the economics, software engineering, ecosystem, and landscape of Microsoft 365 with special attention on the Office 365 workloads. We’ll discuss the reliability and security of Office 365 and the numbers driving Microsoft strategy.
  • Cloud Security: What’s Next? Recorded: Jul 26 2021 45 mins
    Jan De Clercq | Sr Security Architect at Hewlett Packard Enterprise
    Cloud security is evolving from a purely cloud infrastructure-focused to a more cloud experience-focused discipline. It is about securing the cloud experience independently of where services are living: on-prem, in a shared datacenter or on the infrastructure of a cloud service provider. Spanning this heterogeneous infrastructure space and providing a simple and unified hybrid security management engine is one of the key challenges. Building this abstraction layer for security management only becomes more important with the recent focus on cloud-native applications and the shift towards serverless and cloudless infrastructures. In this session we will sketch the current cloud security landscape, describe what HPE Pointnext Services thinks it is evolving to and what challenges this will create for organizations.
  • Fixing the Bad for the Good! Recorded: Jul 23 2021 41 mins
    Jorge De Almeida Pinto | Lead Identity/Security Consultant at IAMTEC
    Active Directory (AD) has been around for about 2 decades, and many organizations started using it as soon as it became available, some even earlier. Especially large orgs have Identity Management systems to manage the lifecycle of identities somehow (user accounts, service accounts, computer accounts, other account purposes). AD has evolved and with every new release of the OS, it became more secure. However, that does not mean you are automatically using all of the most secure account settings. It also does not mean you automatically stopped using the least secure account settings. What about passwords? Are your users using weak or compromised passwords, and how do you know? Do users own multiple accounts and are they sharing passwords across accounts they own, and how do you know? Weak settings and passwords (i.e. bad account hygiene) are what the bad guys need to take over your systems, accounts and ultimately your AD through e.g. "lateral movement". Even with large orgs and/or well-managed ADs, you'll be surprised by what you will see when you dig in. Although the best option is to go passwordless, or at least decrease password usage, that may not be a viable option for all orgs. So what can you do about all of this? Please join me in this session where I will explain what can be done from a technical and process perspective.
  • A View From the Trenches: Running a SOC on Microsoft Solutions Recorded: Jul 22 2021 49 mins
    Alex Benoit | CEO at Dinext
    The world of cybersecurity is constantly evolving. A few years ago, Microsoft wasn't even considered a security vendor. Today, however, they are one of the top-tier solution providers in the world. Based on the experiences from running a SOC, Alex will shed a light on what it means doing so on top of Microsoft's solutions. You'll get to see the good, the bad, and also some of the ugly sides, illustrated by some cases he saw in the past.
  • The Changing Role of Active Directory Engineers in a Cyber-Resilient Organization Recorded: Apr 23 2021 71 mins
    Gil Kirkpatrick and Guido Grillenmeier
    As cyber-attacks increasingly target Active Directory as an initial entry point, the role of AD engineers and architects is rapidly expanding to include security responsibilities. At the same time that AD engineers must secure access to cloud applications, they must also guard against attackers that take advantage of AD configuration errors and Windows vulnerabilities, target user credentials, and try to maintain persistence in on-premises systems. CISOs and other technology leaders are recognizing the need to facilitate cooperation between security and identity teams to ensure secure user access in the age of cloud computing and an increasingly remote workforce. And AD experts should expect to take a more active role in security discussions.

    What you'll learn in this session:

    - How recent cyberattacks are using Active Directory's weak points to gain access to information systems
    - How to stay up-to-date with identity-related security risks
    - How to initiate discussions with security leaders and the C suite to ensure that protecting Active Directory is a core part of the company's overall security strategy
  • Podcast | Breaking Down Identity Updates From Microsoft Ignite with Doug Davis Recorded: Mar 18 2021 25 mins
    Doug Davis | Semperis Senior Product Manager
    Are passwords dead? In this session, Sean Deuby and Doug Davis (Semperis, Senior Product Manager) discuss Microsoft's recent announcements at Ignite about passwordless authentication, a new concept called Temporary Access Pass, increased integration of Hello for Business provisioning, and other initiatives Microsoft is pursuing to shore up security of its products in the wake of proliferating cyberattacks that target authentication services.
  • A CISO Debate: What's the Achilles Heel of Security in 2021? Recorded: Feb 10 2021 66 mins
    Chris Roberts | Hacker in Residence at Semperis
    The adoption of cloud-based applications and remote workforces is rapidly changing the threat landscape, and security leaders have been preparing. But no one could have predicted a global pandemic to dramatically accelerate digital transformation and force businesses to adapt literally overnight. In this time of exceptional turbulence, it's even more critical to come together as a community of peers and exchange ideas.

    Join this conversation with our panel of security experts as they challenge yesteryear's best practices and push towards a safer tomorrow.

    You'll hear from industry CISOs, each bringing unique perspectives, challenges, and solutions to the table. The panel includes:

    Limor Kessem | CISO, CISM
    James Azar | CISO, Confidential
    Evan Francen | CEO and co-Founder, FRSecure
    Chris Roberts | Hacker in Residence at Semperis
  • Podcast | Exploring the Future of Identity Standards with Pamela Dingle Recorded: Dec 10 2020 26 mins
    Pamela Dingle | Director of Identity Standards at Microsoft
    Pamela Dingle, Microsoft Director of Identity Standards and founding member of Women in Identity, joins Sean for an overview of why identity standards are so important, why you should care, and what we’ll be seeing in the future. 

    Host: Sean Deuby @shorinsean
    Guest: Pamela Dingle - Director of Identity Standards, Microsoft @pamelarosiedee
Identity-Driven Cyber Resilience
Semperis is the pioneer of identity-driven cyber resilience for cross-cloud and hybrid environments. The company provides cyber preparedness, incident response, and disaster recovery solutions for enterprise directory services—the keys to the kingdom. Semperis’ patented technology for Microsoft Active Directory protects over 40 million identities from cyberattacks, data breaches, and operational errors. Semperis is headquartered in New York City and operates internationally, with its research and development team distributed between San Francisco and Tel Aviv.

Semperis hosts the award-winning Hybrid Identity Protection conference. The company has received the highest level of industry accolades, most recently being named Best Business Continuity / Disaster Recovery Solution by SC Magazine’s 2020 Trust Awards. Semperis is accredited by Microsoft and recognized by Gartner.

  • Title: Dns Admins Revisited -Achieving Privileged Persistence on a DC
  • Live at: Jul 29 2021 12:55 am
  • Presented by: Yuval Gordon | Security Researcher at Semperis