Hunting backdoors in Active Directory Environment

We conducted multiple investigations and assessments, observed techniques that attackers preferred as they conducted privilege escalation to move laterally, persist in the Active Directory environment, and blend in. Backdoors and misconfigurations on Active directory systems provided attackers with long term privileged access to the environment.

We will cover, in depth, different methods used by attackers to maintain persistence, covertly elevate privileges at will, and maintain and exert control over systems managed by Active Directory. We will talk about different methods of hunting and detecting for misconfigurations and backdoors to help find these faster and respond effectively.

Some of the hunt use cases that may be discussed include:

Hybrid Active Directory Backdoors
DACL Based Backdoors
Delegation Misuse
GPO based Backdoors
SID History Abuse
Misconfigurations of Authentication Methods
Persistent access using Machine Account password

Thirumalai Natarajan Muthiah, Principal Consultant, Mandiant -   / th1rum  
Anurag Khanna, Manager - Incident Response & Consulting Services, Crowdstrike Services -   / khannaanurag  

View upcoming Summits: http://www.sans.org/u/DuS
Download the presentation slides (SANS account required) at https://www.sans.org/u/1iaE
#ThreatHuntingSummit #ActiveDirectory