Red vs. Blue: Modern Active Directory Attacks & Defense

DerbyCon V - Unity

Presented by: Benjamin Delpy, Alva Duckwall (Skip), Sean Metcalf
Date: Friday September 25, 2015
Time: 15:00 - 15:50
Location: Track 1
Track: Break Me

In 2014 during their Black Hat USA presentation. Around this time, Active Directory (AD) admins all over the world felt a great disturbance in the Force. Golden Tickets are the ultimate method for persistent, forever AD admin rights to a network since they are valid Kerberos tickets and can’t be detected, right? This talk covers the latest Active Directory attack vectors and describes how to detect Golden Ticket usage. Provided are key indicators that can detect Kerberos attacks on your network, including Golden Tickets, Silver Tickets & MS14-068 exploitation, as well as methods to identify, mitigate, and prevent common Active Directory attack vectors. When forged Kerberos tickets are used in AD, there are some interesting artifacts that can be identified. Yes, despite what you may have read on the internet, there are ways to detect Golden & Silver Ticket usage!
