A Decade of Active Directory Attacks: What We've Learned & What's Next

It has been a decade since the infamous “Golden Ticket” talk at Black Hat which described how to escalate and persist in Active Directory like a ninja. Since then, attackers have continued to exploit weak configurations and identify Active Directory combinations to evade defenses, escalate, persist, and exfiltrate data.

Things haven’t gotten better in security in the 20+ years AD has been around, and securing Active Directory is complicated further by cloud integration components. This talk is a collection of the most effective Active Directory attacks, including some of the more interesting cloud attacks, from the past 10 years and how best to mitigate and defend against them. Highlighted and explored during this presentation are some of the more nuanced attack techniques and how to best structure defenses to protect against the current threat.

Attendees will learn about effective attacker techniques leveraged in modern attacks & enterprise compromise and how to best defend today’s Microsoft Identity systems (Active Directory & Azure AD/Entra ID).

For this talk, I have gathered the most effective Active Directory & Azure AD/Entra ID attacks published during the past decade. This includes information I presented over the years, including some attack techniques I described and warned about years ago that attackers are incorporating in their playbook.

The goal of this talk is to take a short journey through the history of Microsoft Identity systems, primarily Active Directory and to a lesser extent, Azure AD/Entra ID and related cloud integration components, to better understand what attackers actually do and how to mitigate the most effective techniques.

Security budgets have increased and we have more people than ever focused on infosec, so why haven’t things gotten better? I will attempt to answer this question, at least through the lens of the most popular and widely used Identity systems around the world: Active Directory & Azure AD/Entra ID.

This presentation will be content-dense, but rich with actionable information that helps all organizations level up their Identity Security program. Attendees of all backgrounds should learn something and be able to take some action items back to their workplace.

