# TR19 Active Directory Security Track

As some of you might recall we’ve introduced a dedicated “Active Directory Security Track” at last year’s Troopers. For Troopers19 we’ve expanded it to two days (as the SAP Security Track was discontinued), and in the following I’ll provide a list of talks in the track.

Vincent Le Toux: You “try” to detect mimikatz

Abstract: This is 2019 and you still “try” to detect mimikatz. “Try”, because after many years, this post-exploitation tool continues to be successful.
As a contributor to mimikatz and also a blue team guy, I’m asking myself why antivirus vendors are unable to catch it after many years.
How can a tool be blocked if nobody knows what this tool is doing? Because, surprisingly, it is known only for credential collection, but mimikatz is a lot more.
To mitigate the antivirus vendors’ shortcomings, should we buy a new fancy EDR tool or try a technical approach? Apply a framework? Rely on compliance? Use a SIEM to collect logs and apply correlation? In summary, can we detect mimikatz?
In this presentation we will try to understand why mimikatz has such power, and in particular some weaknesses related to credential gathering and Active Directory will be exposed.

Bio: Vincent Le Toux works as a security guy in an energy utility.
He is the CEO of My Smart Logon, a company specialized in smart cards, and the author of Ping Castle, an Active Directory security tool.
He has also contributed to many open source projects such as mimikatz, OpenPGP, OpenSC, the GIDS applet, etc. He has previously presented at security events, mainly Black Hat, FIRST and BlueHat.


Sean Metcalf: From Workstation to Domain Admin. Why Secure Administration Isn’t Secure and How to Fix It

Abstract: Organizations have been forced to adapt to the new reality: Anyone can be targeted and many can be compromised. This has been the catalyst for many to tighten up operations and revamp ancient security practices. They bought boxes that blink and software that floods the SOC with alerts. Is it enough?
The overwhelming answer is: No.
The security controls that matter most are the ones that best protect those with the keys to the enterprise, the Active Directory administrators. With this access, an attacker can do anything they want in the environment: access all sensitive data, change access controls and security settings, embed to persist (for years), and often fully manage and control routers, switches, the virtualization platform (VMware or Microsoft Hyper-V), and increasingly, the cloud platform.

Administrators are being dragged into a new paradigm where they have to more securely administer the environment. This involves protecting privileged credentials and limiting access. Again the question is: Are the new ways to securely administer Active Directory enough to protect against attackers?
Join me in this session to find out.

Bio: Sean Metcalf is founder and principal consultant at Trimarc, a professional services company which focuses on improving enterprise security. He is one of about 100 people in the world who hold the Microsoft Certified Master Directory Services (MCM) certification, is a Microsoft MVP, and has presented on Active Directory attack and defense at Black Hat, BSides, DEF CON, DerbyCon, Microsoft BlueHat, Shakacon and Walmart Sp4rkCon security conferences. He currently provides security consulting services to customers and regularly posts interesting Active Directory security information on his blog.


Andy Robbins & Rohan Vazarkar: BloodHound and the Adversary Resilience Methodology

Abstract: Almost 20 years after its initial release, Active Directory remains the dominant directory service in use by the vast majority of businesses of all size around the world. AD also remains a favorite landscape for adversaries, who commonly abuse overly liberal permissions, poor credential hygiene, and other misconfigurations to gain full control of the enterprise. Enumerating, measuring the impact of, and remediating these issues has historically been extremely tedious, if not downright impossible for defenders. As a result, most Active Directory environments remain highly vulnerable to chained attack paths that are easy for attackers to find, but very difficult for defenders to effectively and proactively remediate.

In this talk, we will demonstrate and showcase the Active Directory Adversary Resilience methodology, which allows organizations to exhaustively enumerate, visually understand, and empirically/statistically reduce the attack paths that exist in any Active Directory environment. Organizations can quickly and easily measure the percentage of users that have an attack path to any given principal in the directory, most notably including the Domain Admins group. Then, by virtually testing “remediation hypotheses” against the graph database, organizations can find the precise and practical changes they should make that reduce the overall attack surface in AD, often with the least amount of effort and money.

Bio: Andy Robbins is an active red teamer and co-author of BloodHound, a tool designed to reveal the hidden and unintended permission relationships in Active Directory domains. He has performed numerous red team operations and penetration tests against banks, credit unions, health-care providers, defense companies, and other Fortune 500 companies across the world. He has presented at DEF CON, BSides Las Vegas, DerbyCon, ekoparty, and actively researches Active Directory security. He is also a veteran Black Hat trainer.

Rohan Vazarkar is also known as CptJesus and is widely considered the brain behind BloodHound.


Friedwart Kuhn & Heinrich Wiederkehr: Active Directory and Azure – Core Security Principles

Abstract: Although Active Directory continues to be the number one target for credential theft and credential reuse attacks aimed at extracting valuable information from enterprise assets, sustainable defense techniques are still often neither well understood nor well implemented. In this talk we give an outline of what we call “Active Directory and Azure – Core Security Principles”, which consist of Admin Tiering, the Clean Source Principle, Hardening of Security Dependency Paths, and Active Directory Security Logging and Monitoring. We explain the underlying ideas and how they work in real life.

Bios: Friedwart Kuhn is a renowned expert for Active Directory security and he has performed a huge number of projects both in the concept and design space as well as in pentesting, auditing and incident analysis of complex AD environments. He’s the mastermind behind the Active Directory Audit & Reporting tool DirectoryRanger.

Heinrich Wiederkehr is a Security Consultant at ERNW and part of the Microsoft Security team. He focuses on research, conception and assessment in various areas of Windows-based environments. Apart from security trainings, his work concentrates on audits and pentests of large-scale enterprise networks with an emphasis on Active Directory. A wide variety of projects for different customers has given him a solid awareness of practical realities and an eye for essentials. Heinrich holds a Bachelor’s degree in Corporate & IT Security from the University of Applied Sciences Offenburg.


Dirk-jan Mollema: I’m in your cloud, reading everyone’s emails – hacking Azure AD via Active Directory

Abstract: Azure AD is anything but a domain controller in the cloud. This talk will cover what Azure AD is, how it is commonly integrated with Active Directory and how security boundaries extend into the cloud, covering sync account password recovery, privilege escalations in Azure AD and full admin account takeovers using limited on-premise privileges.

Bio: Dirk-jan is one of the core researchers of Active Directory and Azure AD at Fox-IT. Amongst the open source tools published to advance the state of AD research are mitm6, ldapdomaindump and a Python port of the popular BloodHound tool. He is also co-author of ntlmrelayx and contributor to several other open source tools and libraries. After discovering that breaking stuff is a lot of fun he never looked back at his freelance web developer days, but is still thankful for the knowledge and experience that those days provided him.


Will Schroeder & Lee Christensen: Not A Security Boundary. Breaking Forest Trusts

Abstract: For years, Microsoft has stated that the forest is the security boundary in Active Directory. Many organizations have built their Active Directory trust architectures with this in mind, trusting that the compromise of one forest cannot be leveraged to compromise a foreign forest. However, we have discovered that this is not the case. The forest is no longer a security boundary.
By combining a legacy printer protocol “feature” with several architectural flaws in Active Directory, the compromise of one forest can be leveraged to compromise a foreign forest and all resources within it. We will deep dive into the architectural components that enable this trust violation, demonstrate a fully weaponized attack with available tools, and provide complete mitigation/detection guidance.

Bios: Will Schroeder and Lee Christensen are offensive engineers and red teamers for SpecterOps. Will is the co-founder of various offensive projects including the Veil-Framework, Empire, GhostPack, and BloodHound. He has presented at a number of industry conferences including ShmooCon, BlackHat, DEF CON, Troopers, DerbyCon, BlueHat Israel, and more.
Lee enjoys building tools to support red team and hunt operations and is the author of several offensive tools and techniques, including UnmanagedPowerShell (incorporated into the Metasploit, Empire, and Cobalt Strike toolsets) and KeeThief.


Benjamin Delpy: You (dis)liked mimikatz? Wait for kekeo

Abstract: For years, you have tried to fight mimikatz, first to understand it, and then maybe to fight it again.
This little kiwi fruit shaped program has given you a hard time, extracted your password, stolen your credentials, played with your nerves and certificates … But our New Zealand friends know it: there are many different kiwis… and while the fruit may be the most lucrative, it is not the most sadistic.
The kiwi bird may not fly, and it remains complex to build it from source, but its effects are no less devastating…
In this talk I will introduce “kekeo”, the little animal brother of mimikatz. If you enjoyed playing with Kerberos, ASN1, security providers…, then you’ll love adopting this furry, sweet animal. From its birth with MS14-068 to cleartext passwords without local administrator rights, you’ll know everything about this animal.

Bio: Benjamin Delpy is a security researcher known as gentilkiwi. A security enthusiast, he publishes tools and articles that speak about products’ weaknesses and prove some of his ideas. Mimikatz was the first software he developed that reached an international audience. It is now recognized as a Windows security audit tool. He previously spoke at PHDays, ASFWS, StHack, Black Hat, BlueHat and many more.


Thomas Fischer: Beyond Windows Forensics with Built-in Microsoft Tooling

Abstract: Traditional Windows forensics typically requires a complex or expensive toolset (like EnCase). Windows 8 and beyond introduced features that can considerably facilitate the Windows forensics process. In this talk, we will examine the tools available, from PowerShell to the System Resource Usage Monitor, their ability to bootstrap the forensics process, and how this can be used to move left in the incident response process.

Bio: Thomas has over 30 years of experience in the IT industry, ranging from software development to infrastructure & network operations and architecture, before settling in information security. He has an extensive security background covering roles from incident responder to security architect at Fortune 500 companies, vendors and consulting organisations. He is currently a security advocate and threat researcher focused on advising companies on understanding their data protection activities against malicious parties, not just for external threats but also compliance-instigated ones. Thomas is also an active participant in the InfoSec community, not only as a member but also as a director of Security BSides London and an ISSA UK chapter board member.


Doug Bienstock & Austin Baker: I am AD FS and so can you. Attacking Active Directory Federated Services

Abstract: With the rise in popularity of enterprise cloud applications – email, data processing, and data warehousing for example – organizations find themselves contending with the need to securely share identity information with their cloud service providers.
This talk explores one common model for this, Active Directory Federated Services, and how it can be exploited by attackers to access cloud applications as any user, without knowing their password and without MFA.

Bio: Doug Bienstock splits his time at Mandiant between Incident Response and Red Team work. He uses lessons learned from IRs to better simulate attacker techniques and help organizations stay ahead of the bad guys.


Ronnie Flathers: Fun with LDAP and Kerberos. Attacking AD from non-Windows machines

Abstract: You don’t need Windows to talk to Windows. This talk will explain and walk through various techniques to (ab)use LDAP and Kerberos from non-Windows machines to perform reconnaissance, gain footholds, and maintain persistence, with an emphasis on explaining *how* the attacks and protocols work.

Bio: Ronnie Flathers (ropnop) is an experienced pentester and consultant who consistently toes the line between netsec and appsec. Previously he was the Sr. Manager of Application Security at Uptake Technologies, where he split his time pretty equally between building and breaking. Before that, he was a member of Cisco’s Assessment and Penetration Team where he specialized in internal network penetration testing. Ronnie loves tinkering, writing tools and scripts, and teaching. Besides speaking at conferences, he blogs, mentors, teaches and tries to share the knowledge in any way he can.


Walter Legowski: CypherDog 2.0 – Attackers think in Graphs, Management needs Metrics…

Abstract: Over the last couple of years, BloodHound has become the tool of choice in the red team toolbox when it comes to Active Directory recon. Even though it was originally designed for offensive purposes, BloodHound can also be very useful for Blue Teamers and regular Active Directory administrators wanting to gain visibility into their domains and forests.
In this demo driven session, I will present the latest version of CypherDog 2.0, a PowerShell module to interact with the BloodHound database by sending Cypher queries to its REST API. Doing so expands the tool’s capabilities, and I will demonstrate how to query and manipulate the BloodHound data from the command line, extract relevant Active Directory metrics from the database, calculate the cheapest attack path, blacklist nodes from path queries via Cypher, and more… All this without the need to master the Neo4j database query language.
This latest version of the CypherDog PowerShell module reflects all the features that have been added to the BloodHound UI since version 2.0 and allows for advanced BloodHound automation with a set of simple PowerShell cmdlets.

Bio: SadProcessor works as a Windows Security Consultant at ERNW. He is the author of a number of tools incl. EmpireStrike, CypherDog and PoSh_ATTCK.



While, unfortunately, as of today the main conference is sold out, there are still seats available in some trainings. For those with an interest in Windows security, the following ones come to mind:

Hardening Microsoft Environments
Insight into Windows Internals
Windows & Linux Binary Exploitation
Windows PowerShell for Security Professionals by DarkOperator


See you at Troopers,
take care