#TR18 Active Directory Security Track

A happy new year to everybody!

At Troopers18 there will be a new special track on Microsoft Active Directory and its security aspects, similar to the SAP security track which we established some years ago. The AD security track will feature, amongst others, the following talks.

Sean Metcalf: Active Directory Security. The Journey

Abstract: This talk is a journey into the challenges most organizations encounter while trying to secure their ‘castle’. The attacker has to be right only once, right? Not exactly. We will walk through effective security strategies that will stymie and frustrate attackers and better protect the Active Directory environment.

Attackers have set their sights squarely on Active Directory when targeting a company, though this typically isn’t the primary objective. The motivation and end goals range from stealing data to impacting corporate operations. In this regard, gaining control of Active Directory is a means to an end; compromising Active Directory is an easy way to gain access to all critical corporate resources. Effectively protecting Active Directory has become critical in limiting the impact of a breach.
This talk takes the audience on a journey covering the various security milestones and challenges with Active Directory. A variety of (fictionalized) companies and their AD security posture are highlighted along with the challenges they encounter with securing their systems. Key elements involve how enterprise “AD aware” applications can weaken Active Directory security and how leveraging cloud services complicate securing infrastructure. Also explored is what an attacker can do in an environment without having Domain Admin rights. The final section discusses the commonly heard excuses for not implementing security controls to protect Active Directory and the ways to counter these arguments.
Join the author of as he covers the critical issues affecting organizations today, as well as the biggest challenges; current attack techniques; and the most effective defensive techniques to prevent and mitigate compromise (including limitations to these approaches).

Bio: Sean Metcalf is founder and principal consultant at Trimarc Security, LLC, which focuses on mitigating, detecting, and when possible, preventing modern attack techniques. He is one of about 100 people in the world who holds the Microsoft Certified Master Directory Services (MCM) certification, is a former Microsoft MVP, and has presented on Active Directory attack and defense at Black Hat, BSides, DEF CON, DerbyCon, Shakacon and Sp4rkCon security conferences.
Sean has provided Active Directory and security expertise to government, corporate, financial, and educational entities since Active Directory was released. He currently provides security consulting services to customers and regularly posts interesting Active Directory security information on his blog. Follow him on Twitter.


Vineet Bhatia: Defending Microsoft Environments at Scale

Abstract: Defending a Microsoft Environment at Scale looks at the innovations made in Windows 10 and the capabilities of a Microsoft stack to launch a capable defense against most vulnerability classes. The talk is based on a direct mapping of the MITRE ATTACK framework to the defense classes within the Microsoft offering.

This talk focuses on leveraging capabilities of a Microsoft stack to launch a capable defense against most vulnerability classes. It starts out by describing the MITRE ATTACK framework and how it has been used by us internally to build a defense model. We then expand to talk about specific capabilities of the Windows subsystem to detect and respond to the following: Persistence, Privilege Escalation, Defense Evasion, Credential Access, Discovery, Lateral Movement, Execution, Collection, Exfiltration and Command and Control (C2).
As we continue, we describe a working defense model that extrapolates the telemetry from these indicators across Microsoft Windows to an enterprise view that reduces noise and improves signal. In order to do this, we explain how WEF works, a sample Sysmon deployment guide and how to collect rich event meta-data from all Windows Event Log sources to build correlation. This goes beyond traditional SIEM implementations and talks about specific use cases that address the MITRE ATTACK framework.
During the second half of the talk, we explain how to scale this to geographically dispersed machines and build correlation and response when physical / remote access might not be available. A high-level overview of the native Windows Defender engine is provided and how the expanded Windows Defender ATP product allows us to perform frequency analysis, look at process trees and generally identify malicious behavior on the endpoint.
In closing, we round up some of the capabilities of the Azure and Office365 cloud to talk about credential sync and cloud app security engines. This explains the protections offered to the end user and their access to any data source. The expectation is to address normal vs. abnormal user behavior and proactively identify users with weak credentials.

Bio: Vineet Bhatia's work focuses on digital forensics, threat hunting and aviation cybersecurity.


Will Schroeder & Andy Robbins: An ACE Up The Sleeve. Designing Security Descriptor Based Backdoors

Abstract: Active Directory (AD) and host-based security descriptors are an untapped offensive landscape, often overlooked by attackers and defenders alike. The control relationships between AD and host objects align perfectly with the “attackers think in graphs” philosophy and expose an entire class of previously unseen control edges, dramatically expanding the number of paths to complete domain compromise.
While security descriptor misconfigurations can provide numerous paths that facilitate elevation of domain rights, they also present a unique chance to covertly deploy persistence in an Active Directory environment. It’s often difficult to determine whether a specific security descriptor misconfiguration was set intentionally or implemented by accident, and modifications to specific host security descriptors can have far-reaching and unintended consequences in the domain as a whole. This makes security descriptor-based backdoors an excellent persistence opportunity: minimal forensic footprint, and maximum plausible deniability.
This talk will cover Active Directory and host security descriptors in depth, including our “misconfiguration taxonomy” and enumeration/analysis with BloodHound’s ever-expanding released feature set. We will cover how specific host-based security descriptor modifications can affect the security of the system as a whole, filling in the gaps from the pure Active Directory approach. We will then cover methods to design chains of these backdoors, producing novel Active Directory persistence paths that evade most current detections.

Bios: Will Schroeder (@harmj0y) is an offensive engineer and red teamer for SpecterOps. He is a co-founder of Empire/Empyre, BloodHound, and the Veil-Framework, developed PowerView and PowerUp, is an active developer on the PowerSploit project, and is a Microsoft PowerShell MVP. He has presented at a number of conferences on a variety of topics, including DEF CON, Black Hat, ShmooCon, DerbyCon, Troopers, BlueHat Israel, and various Security BSides conferences.
Andy Robbins (@_wald0) is the Adversary Resilience Lead at SpecterOps, an active red teamer, and co-author of the BloodHound project, a tool designed to reveal the hidden and unintended permission relationships in Active Directory domains. He has presented at DEF CON, Black Hat, BSides Las Vegas, DerbyCon, ekoparty, and actively researches Active Directory security.


Hao Wang: Attack and defend Microsoft Enhanced Security Administrative Environment

Abstract: Microsoft Enhanced Security Administrative Environment (ESAE), known as “Red Forest”, has become a very popular architecture solution to enhance the security of Active Directory. Can ESAE be used to completely prevent cyber attackers from compromising Active Directory? In this talk, we will demonstrate the commonly overlooked techniques that can be used to obtain domain dominance within ESAE.

With the hardened admin environment and credential partitioning solution built into Microsoft Enhanced Security Administrative Environment (ESAE), it can be extremely hard to compromise critical components of Active Directory such as domain controllers even after obtaining complete control of servers and workstations. However, we found that there are multiple security controls that enterprises always overlook when implementing ESAE, which potentially allow cyber attackers to compromise Active Directory within a short period of time.
During this presentation, we will focus on the commonly overlooked tools and techniques that can be used to compromise ESAE. First, we will demonstrate the approach used to identify and compromise shadow admin accounts with special delegated permissions that are typically overlooked since they are not members of a privileged Active Directory group. Our research disclosed that some domain accounts designed to run Microsoft Exchange and SharePoint servers are always configured with special delegated permissions which can potentially be used to replicate password hashes directly from a domain controller, add any domain account to the Domain Admins or Enterprise Admins group, and reset the passwords of privileged domain accounts within ESAE. Second, we will demonstrate how to compromise an enterprise virtualization platform such as VMware vCenter, which is used to host critical components of ESAE such as domain controllers. The secrets, including all domain users’ password hashes, can potentially be extracted from the virtualized image of a domain controller via a hot clone approach we discovered.
Third, we will talk about how to attack enterprise security solutions, such as System Center Configuration Manager (SCCM), Multi-Factor Authentication (MFA), and other endpoint monitoring technologies, which are implemented across ESAE.
A number of enterprise security solutions are always granted privileged access to the endpoints with remote command execution capability but are not well protected. We will introduce a few creative approaches to compromise ESAE and demonstrate how to bypass Multi-Factor Authentication (MFA) implemented within ESAE. We will conclude the presentation with some recommended strategic countermeasures. We hope that this talk helps to educate and arm enterprise defenders with the knowledge to enhance the security controls of ESAE.
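The "shadow admin" permissions mentioned above are delegated ACEs on the domain naming context, not group memberships, so a defender reviewing an ESAE deployment has to read the domain ACL to find them. The following audit script is an added example written for this post, not code from the speaker or from Microsoft; it assumes the RSAT ActiveDirectory module is installed and that the account running it can read the domain object's security descriptor.

```powershell
# Added example: list every principal holding directory replication extended
# rights (the permissions that allow pulling password hashes from a DC) or
# full/ownership control on the domain head. Not from the announcement itself.
Import-Module ActiveDirectory

$domainDN = (Get-ADDomain).DistinguishedName

# Extended-right GUIDs from the AD schema reference.
$replRights = @{
    '1131f6aa-9c07-11d1-f79f-00c04fc2dcd2' = 'DS-Replication-Get-Changes'
    '1131f6ad-9c07-11d1-f79f-00c04fc2dcd2' = 'DS-Replication-Get-Changes-All'
    '89e95b76-444d-4c62-991a-0facbeda640c' = 'DS-Replication-Get-Changes-In-Filtered-Set'
}

# Principals that legitimately hold these rights in a default domain; anything
# else (service accounts, Exchange/SharePoint groups, ...) deserves a review.
$expected = @('NT AUTHORITY\SYSTEM', 'BUILTIN\Administrators', '\Domain Controllers$',
              '\Enterprise Domain Controllers', '\Enterprise Admins$', '\Domain Admins$')

$acl = Get-Acl -Path "AD:\$domainDN"
$findings = foreach ($ace in $acl.Access) {
    if ($ace.AccessControlType -ne 'Allow') { continue }
    $guid = $ace.ObjectType.ToString()
    $right = $null
    if ($replRights.ContainsKey($guid)) { $right = $replRights[$guid] }
    elseif ($ace.ActiveDirectoryRights -match 'GenericAll|WriteDacl|WriteOwner') {
        # These rights let the holder grant themselves replication rights later.
        $right = "Control: $($ace.ActiveDirectoryRights)"
    }
    if (-not $right) { continue }
    $id = $ace.IdentityReference.Value
    $isExpected = ($expected | Where-Object { $id -match [regex]::Escape($_) }).Count -gt 0
    [pscustomobject]@{
        Identity  = $id
        Right     = $right
        Inherited = $ace.IsInherited
        Review    = if ($isExpected) { 'default' } else { 'UNEXPECTED - verify' }
    }
}

$findings | Sort-Object Review, Identity | Format-Table -AutoSize
```

Entries marked UNEXPECTED are not necessarily malicious (Exchange and Azure AD Connect, for example, legitimately need some of these rights), but each one is an account that can act as a domain admin without appearing in any privileged group, so it needs the same protection as a Tier 0 credential.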

Bio: Hao Wang is a manager in Ernst & Young’s Advanced Security Center. Hao has more than six years of Attack & Penetration testing and Cyber Investigation experience. Hao is currently responsible for leading Attack & Penetration assessments for Fortune 500 companies. Hao has utilized his experience as a lead tester on a wide array of red team and purple team assessments. Hao serves as a core technical team member for ASC, regularly contributing new hacking techniques to the team. His areas of research include advanced Active Directory attacks against Microsoft ESAE, exploit development for both point of sale systems and gaming systems, and cyber threat hunting.


Stay tuned for further announcements…
cheers, Enno