BlueHat IL 2018 - Vincent Le Toux & Benjamin Delpy - What Can Make Your Million Dollar SIEM Go Blind

Author: Microsoft Israel R&D Center

Uploaded: 2018-02-01

Views: 9275

Description: Active Directory: What Can Make Your Million Dollar SIEM Go Blind?

Active Directory is a key element for security and is a primary target in most of the common attacks today. There are also many tools used to ensure its protection. In large companies where millions of dollars have been invested in security, the logical choice for security monitoring of Active Directory appears to be the company SIEM tool. Even if the chances of detecting a golden ticket are low, the logs processed by the SIEM can help track any object changes and can raise an alert in case of a suspicious modification to a privileged account.
With Benjamin Delpy, the mimikatz author, in a guest appearance, this talk focuses on two topics:
  • How an attacker can have more insight into your domains than you do, and how the attacker can also exploit distant domains while remaining undetected by your SIEM
  • How the new mimikatz attack "DCShadow", by transforming a compromised workstation into a DC, can push changes that are unseen by your SIEM.

While post-incident response handlers can use replication metadata to build the attack history, the DCShadow attack will demonstrate that this replication metadata can no longer be trusted, and that the technical specification of AD (MS-ADTS) can be bypassed in most cases. For example, instead of gathering the krbtgt hash via DCSync, you can push your own secret.

Speaker Bio:
Vincent LE TOUX, 37 years old, French
  • Security Manager in a large company
  • SOC / CSIRT / SECOPS manager / AD expert
  • CEO of My Smart Logon - smart card logon (www.mysmartlogon.com)
  • Author of Ping Castle - an AD security tool (www.pingcastle.com)
  • Contributions to Mimikatz
  • Many open source contributions (OpenPGP, OpenSC, GIDS applet, ...)
  • Presenter at many conferences including FIRST (Puerto Rico, 2017) & in France.

Guest Speaker:
Benjamin Delpy is a security researcher known as `gentilkiwi`. A security enthusiast, he publishes tools and articles that speak about products' weaknesses and prove some of his ideas. Mimikatz was the first software he developed that reached an international audience. It is now recognized as a Windows security audit tool. He previously spoke at PHDays, ASFWS, StHack, BlackHat, BlueHat US and many more.
