Presentation Material
Abstract
Using Deception for defence in Active Directory is very fruitful. It makes it possible to target multiple phases of an adversary’s attack methodology. While attacking an enterprise network, adversaries generally enumerate the AD trusts. It is important for them to map the relationships and trusts between domains and forests as it helps in lateral movement and post exploitation.
This talk discusses forging and implanting computers, domain and forest objects in an AD environment. Such objects target the attacker mind-set and methodology by providing easy yet high value targets. We will see how this deception technique traps an adversary across an enterprise attack cycle.
Open source scripts for deploying the discussed techniques will also be covered. The talk will be full of live demonstrations.
AI Generated Summary (may contain errors)
Here is a summary of the content:
The speaker is discussing a tool they’ve created to deceive attackers by making it seem like a legitimate user is logging in. The goal is to increase detection rates and make it harder for attackers to remain undetected. The tool creates a profile for a domain admin user on the domain controller, but restricts that user’s logon to a non-existent workstation, which makes it appear as though the user is legitimate.
The speaker acknowledges that the tool still needs to mature and may produce false positives initially. They also mention that inventory management or asset management tools may trigger logs that could compromise the deception.
Future goals for the tool include automating the deployment of decoy domain and forest objects, using virtualization to deploy a forest automatically, and creating a web console for logging. The speaker emphasizes that this approach can be more effective than purchasing expensive security tools with vulnerable web consoles.
In response to questions from the audience, the speaker clarifies that attackers may still try to gather information by listing properties of objects, but the tool is designed to make it difficult for them to access certain properties. They also address concerns about potential dangers associated with creating a decoy domain admin user, such as the possibility of the account being used to obtain an SPN ticket or perform LDAP queries on the domain environment. However, they note that the decoy user would need to authenticate with the domain controller at least once for this to happen, which is restricted by the tool.
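The detection side of the decoy account described above, as an added example that is not the speaker's tool or scripts: since the decoy domain admin is never meant to authenticate, any Kerberos TGT request for it (event 4768) or any service-ticket request against an SPN it owns (event 4769) is an alert. The decoy name, the sample event lines and their flattened key=value layout are constructed for this example.

```python
import re

# Constructed decoy identity: a placeholder, not a name from the talk.
# In 4769 events the ServiceName field holds the account that owns the
# requested SPN, so one set of account names covers both event types.
DECOY_ACCOUNTS = {"svc-backupadm"}

# Constructed sample events; a real SIEM export will differ in layout
# but carries the same Windows Security field names.
SAMPLE_EVENTS = [
    "EventID=4768 TargetUserName=alice ServiceName=krbtgt IpAddress=10.0.0.15 TicketEncryptionType=0x12",
    "EventID=4769 TargetUserName=alice@CORP ServiceName=CIFS/fs01 IpAddress=10.0.0.15 TicketEncryptionType=0x12",
    "EventID=4769 TargetUserName=bob@CORP ServiceName=svc-backupadm IpAddress=10.0.0.77 TicketEncryptionType=0x17",
    "EventID=4768 TargetUserName=svc-backupadm ServiceName=krbtgt IpAddress=10.0.0.77 TicketEncryptionType=0x12",
]

FIELD_RE = re.compile(r"(\w+)=(\S+)")


def parse_event(line):
    """Turn one flattened event line into a dict of field -> value."""
    return dict(FIELD_RE.findall(line))


def account_name(value):
    """Normalise 'user@REALM' or 'user' to a lower-case sAMAccountName."""
    return value.split("@", 1)[0].lower()


def decoy_alerts(lines, decoys=DECOY_ACCOUNTS):
    """Return one alert per event that touches a decoy account."""
    alerts = []
    for line in lines:
        ev = parse_event(line)
        eid = ev.get("EventID")
        if eid == "4768" and account_name(ev.get("TargetUserName", "")) in decoys:
            # The decoy never logs on, so a TGT request means its credential is in use.
            alerts.append({"rule": "decoy-tgt-request", "severity": "high",
                           "source": ev.get("IpAddress"), "account": account_name(ev["TargetUserName"])})
        elif eid == "4769" and account_name(ev.get("ServiceName", "")) in decoys:
            # A service ticket for the decoy's SPN; RC4 (0x17) is the classic Kerberoast sign.
            severity = "high" if ev.get("TicketEncryptionType") == "0x17" else "medium"
            alerts.append({"rule": "decoy-spn-ticket-request", "severity": severity,
                           "source": ev.get("IpAddress"), "requester": account_name(ev.get("TargetUserName", ""))})
    return alerts


if __name__ == "__main__":
    for alert in decoy_alerts(SAMPLE_EVENTS):
        print(alert)
```

The two benign events produce no alert; the decoy SPN request and the decoy TGT request from 10.0.0.77 each produce one.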