#RSAC
SESSION ID: TECH-R07
Proactive Directory: Practical Counterdefenses to Securing Active Directory
Matthew McWhirt
Director, FireEye / Mandiant
Presenter
Matthew McWhirt
–Mandiant Consulting - Security Transformation Services (STS)
–Passionate about Active Directory defenses
…Impactful breaches are preventable
Why Are Active Directory Defenses Necessary?
– Discuss common attacker tactics and Active Directory (AD) configuration weaknesses that can lead to a large-scale compromise.
– Provide practical, actionable recommendations that can be implemented to harden an environment against AD exploitation and compromise.
– The recommendations provided are the same steps that organizations must implement to contain and eradicate attackers from an environment.
While breaches are inevitable…
…Impactful breaches are preventable
Simplified Exploitation Model
Access + Credentials + Connectivity = Profit
Common Attack Lifecycle
Initial Compromise
• External-Facing Systems
• Protocol Vulnerability Abuse (SMB / RDP)
• Single-Factor Authentication
• Phishing Emails
Establish Foothold
• Malware Deployment
• Backdoors
• Cobalt Strike Beacon
• Metasploit / Meterpreter
Escalate Privileges
• Credential Dumping
• Local Credentials
• Mimikatz
• Kerberoasting
Internal Recon
• PsInfo
• ADFind
• Masscan
• AD PowerShell cmdlets
Move Laterally
• PsExec
• WMI
• WinRM
• Admin Shares
• RDP
• Net Use commands
Maintain Presence
Complete Mission
• Ransomware Deployment
• Cryptominers
• Steal Data
Each stage depends on the three ingredients of the simplified model: Access, Credentials, Connectivity.
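Two of the lifecycle stages above leave distinctive footprints in Windows event logs: Kerberoasting (Escalate Privileges) shows up as one account requesting RC4-encrypted service tickets (event 4769, encryption type 0x17) for many service-account SPNs, and PsExec-style lateral movement (Move Laterally) shows up as an ADMIN$ share access (event 5140) on a host followed by the PSEXESVC service being installed (event 7045). The triage script below is an added example and is not part of the RSAC deck; the events are constructed samples shaped like those Windows events, and the three-SPN alert threshold is an assumed tuning value, not something the slides state.

```python
"""Triage heuristics for two lifecycle stages: Kerberoasting and PsExec-style
lateral movement. Added example, not code from the RSAC deck. The events below
are constructed samples (not real telemetry) carrying only the Windows event
fields the heuristics consult."""
from collections import defaultdict

SAMPLE_EVENTS = [
    # Normal service-ticket request: AES (0x12) for a machine-account SPN.
    {"EventID": 4769, "Computer": "DC01", "TargetUserName": "alice@CORP.LOCAL",
     "ServiceName": "WEB01$", "TicketEncryptionType": "0x12", "IpAddress": "10.0.0.21"},
    # Kerberoast shape: one user pulls RC4 (0x17) tickets for several user SPNs.
    {"EventID": 4769, "Computer": "DC01", "TargetUserName": "bob@CORP.LOCAL",
     "ServiceName": "svc_sql", "TicketEncryptionType": "0x17", "IpAddress": "10.0.0.55"},
    {"EventID": 4769, "Computer": "DC01", "TargetUserName": "bob@CORP.LOCAL",
     "ServiceName": "svc_backup", "TicketEncryptionType": "0x17", "IpAddress": "10.0.0.55"},
    {"EventID": 4769, "Computer": "DC01", "TargetUserName": "bob@CORP.LOCAL",
     "ServiceName": "svc_iis", "TicketEncryptionType": "0x17", "IpAddress": "10.0.0.55"},
    # RC4 tickets for krbtgt occur legitimately and are excluded by the filter.
    {"EventID": 4769, "Computer": "DC01", "TargetUserName": "carol@CORP.LOCAL",
     "ServiceName": "krbtgt", "TicketEncryptionType": "0x17", "IpAddress": "10.0.0.77"},
    # PsExec footprint on FS01: ADMIN$ access, then the PSEXESVC service install.
    {"EventID": 5140, "Computer": "FS01", "SubjectUserName": "bob",
     "ShareName": "\\\\*\\ADMIN$", "IpAddress": "10.0.0.55"},
    {"EventID": 7045, "Computer": "FS01", "ServiceName": "PSEXESVC",
     "ImagePath": "%SystemRoot%\\PSEXESVC.exe"},
    # Benign ADMIN$ access by a patching account with no service install after it.
    {"EventID": 5140, "Computer": "WS07", "SubjectUserName": "svc_sccm",
     "ShareName": "\\\\*\\ADMIN$", "IpAddress": "10.0.0.9"},
]

RC4_HMAC = "0x17"      # TicketEncryptionType value for RC4-HMAC in event 4769
ROAST_THRESHOLD = 3    # assumed tuning value: distinct SPNs per requester before alerting


def detect_kerberoasting(events, threshold=ROAST_THRESHOLD):
    """Return {requester: sorted SPNs} for accounts that requested RC4 service
    tickets for at least `threshold` distinct non-machine, non-krbtgt SPNs."""
    spns = defaultdict(set)
    for e in events:
        if e.get("EventID") != 4769 or e.get("TicketEncryptionType") != RC4_HMAC:
            continue
        spn = e["ServiceName"]
        # Machine accounts end in '$'; krbtgt RC4 tickets are not a roast.
        if spn.endswith("$") or spn.lower().startswith("krbtgt"):
            continue
        spns[e["TargetUserName"]].add(spn)
    return {user: sorted(s) for user, s in spns.items() if len(s) >= threshold}


def detect_psexec_lateral_movement(events):
    """Return one finding per (host, prior ADMIN$ access) where an ADMIN$ share
    access (5140) on a host is later followed by a PSEXESVC install (7045).
    Events are assumed to be in chronological order."""
    admin_share_hits = defaultdict(list)   # host -> [(user, source ip), ...]
    findings = []
    for e in events:
        host = e.get("Computer")
        if e.get("EventID") == 5140 and e.get("ShareName", "").upper().endswith("ADMIN$"):
            admin_share_hits[host].append((e.get("SubjectUserName"), e.get("IpAddress")))
        elif e.get("EventID") == 7045 and e.get("ServiceName", "").upper() == "PSEXESVC":
            for user, ip in admin_share_hits.get(host, []):
                findings.append({"host": host, "user": user, "source_ip": ip})
    return findings


if __name__ == "__main__":
    print("Kerberoast candidates:", detect_kerberoasting(SAMPLE_EVENTS))
    print("PsExec lateral movement:", detect_psexec_lateral_movement(SAMPLE_EVENTS))
```

On the constructed sample the Kerberoast check flags only `bob@CORP.LOCAL` (three user SPNs over RC4; the AES request and the krbtgt request are skipped), and the lateral-movement check flags FS01 only, since WS07 saw ADMIN$ access with no PSEXESVC install afterwards. Both heuristics are deliberately narrow: attackers can request AES tickets or rename the PsExec service, so treat these as the first rule in a set, not the only one.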