Black Hat & DEF CON Presentation Slides Posted

I just uploaded the slides from my Black Hat & DEF CON talks from the past week in Vegas.  They are a bit different with the BH talk more Blue (defensive) and the DC talk mostly Red (Offensive) in focus. Also note that the only real overlap in content is the MFA & password vault sections and those were updated in my DEF CON talk to focus on the attack aspect.

An important note: The methods I show are real and work well in many real-world customer deployments. The issues with MFA and password vaults I highlight are often deployment issues and not necessarily vendor best practices. With that noted, I have seen enterprise password vaults deployed with poor security so often that I don’t think customers are very familiar with the vendor security best practices.

Slides are in the Presentations section.

Black Hat USA 2018 Talk:  “From Workstation to Domain Admin: Why Secure Administration isn’t Secure and How to Fix it”


This talk walks the audience through how AD administration has evolved over time with newer, more “secure” methods and the potential ways to exploit modern AD administration. I explore some methods to exploit current implementation weaknesses in many deployments of multi-factor authentication (MFA) and enterprise password vaults. The latter third of the talk dives into the best defenses and how to employ and deploy them appropriately.
[Slides]

Black Hat Talk Agenda:

  • Current State
  • Evolution of Administration
  • Exploiting Typical Administration
  • Common Methods of Protecting Admins (& bypassing them)
  • MFA
  • Enterprise Password Vaults
  • Admin Forest
  • Building the Best Defenses

DEF CON 26 Talk: “Exploiting Active Directory Administrator Insecurities”


This talk repeats the slide concepts from my Black Hat talk specific to exploiting current implementation weaknesses in many deployments of multi-factor authentication (MFA) and enterprise password vaults.  The talk adds in some challenges in properly discovering AD admins and some additional methods of exploiting current AD environments. I also cover how in many environments it may be possible to compromise a Read-Only Domain Controller to compromise the AD forest. This talk also includes a special, new sneaky AD persistence method which only the DEF CON audience was privy to (not in the slides, at least not directly). I will post a blog article as time allows. 🙂
[Slides]

DEF CON Talk Agenda:

  • Evolution of Admin Discovery
  • Exploiting Typical Administration
  • Multi-Factor Authentication (MFA)
  • Password Vaults
  • Admin Forest
  • Attacking RODCs

Thank you all for your support and your kind words!
– Sean

(Visited 6,946 times, 21 visits today)

1 comment

    • Sharad on August 13, 2018 at 3:29 am

    Awesome… Keep up the great work

Comments have been disabled.