Red vs Blue: Modern Active Directory Attacks, Detection & Protection - Sean Metcalf, DAn Solutions





The interactive transcript could not be loaded.



Rating is available when the video has been rented.
This feature is not available right now. Please try again later.
Published on Sep 22, 2015

While Kerberos "Golden Tickets" and "Silver Tickets" received a lot of press in the second half of 2014, there hasn't been much detail provided on how exactly they work, why they are successful, and how to mitigate them (other than: "don't get pwned"). Golden Tickets are the ultimate method for persistent, forever AD admin rights to a network since they are valid Kerberos tickets and can't be detected, right?

This talk covers the latest Active Directory attack vectors and describes how to detect Gold Ticket usage. Provided are key indicators that can detect Kerberos attacks on your network, including Golden tickets, Sliver tickets & MS14-068 exploitation, as well as methods to identify, mitigate, and prevent common Active Directory attack vectors. When forged Kerberos tickets are used in AD, there are some interesting artifacts that can be identified. Yes, despite what you may have read on the internet, there are ways to detect Golden & Silver Ticket usage!

Some of the topics covered:
- How attackers go from zero to (Domain) Admin
- MS14-068: the vulnerability, the exploit, and the danger
- "SPN Scanning" with PowerShell to identify potential target without network scans (SQL, Exchange, FIM, webservers, etc)
- Exploiting weak service account passwords as a regular AD user
- Mimikatz, the attacker's multi-tool
- Using Silver Ticket for stealthy persistence that won't be detected (until now)
- Identifying forged Kerberos tickets (Golden & Silver Tickets) on your network
- Detecting offensive PowerShell tools like Invoke-Mimikatz
- Active Directory attack mitigation

Kerberos expertise is not required since the presentation covers how Active Directory leverages Kerberos for authentication identifying the areas useful for attack. Information presented is useful for both Red Team & Blue Team members as well as AD administrators.


When autoplay is enabled, a suggested video will automatically play next.

Up next

to add this to Watch Later

Add to

Loading playlists...