Advanced Active Directory and Azure exploitation

4200€ | 30th of September to the 3rd of October 2024 | Espace Vinci, Rue des Jeuneurs, Paris, France

Active Directory and Azure are the heart of identity and access management for many companies, and their ubiquity within information systems makes them prime targets during red team engagements. While their security is vastly explored in the public space, mature environments can prove more challenging for operators, requiring advanced exploitation techniques to bring the intrusion to a successful conclusion. With a focus on hands-on practice (70%), this training will deepen your intrusion skills on modern and mature organizations, with discretion in mind. Each student will access an individual and realistic corporate network to study advanced techniques of reconnaissance, lateral movement, privilege escalation, secrets extraction and persistence, within Active Directory and Azure.


Objectives of the training

Gain state-of-the-art exploitation skills within hybrid AD and Azure environments

Exploit complex yet realistic scenarios

Access a corporate network of 20+ machines with multiple forests

Understand the typical caveats of AD and Azure intrusion

Field experience from 2 red team operators

The trainers

Who will run this training?

Hugo Vincent

SYNACKTIV
@hugow_vincent

Hugo Vincent is a security researcher at Synacktiv, where he performs vulnerability research and penetration tests of enterprise networks and cloud environments. His passion lies in exploring and mastering new exploitation techniques, particularly in Active Directory and cloud environments.
He has previously presented at SSTIC, THCon and Pass-the-Salt.

Wilfried Bécard

SYNACKTIV
@tiyeuse

Wilfried Bécard is a hacker and researcher working at Synacktiv. With a particular interest in Active Directory and Azure exploitation, his passion lies in uncovering new techniques to enhance cybersecurity in these areas. Constantly experimenting, testing, and collaborating with the security community, he aims to keep improving his knowledge in these fields.

Syllabus

What will we do?

To apply theoretical notions, each participant will be granted access to an individual lab of 20+ machines and multiple network zones, simulating a mature corporate environment with several Active Directory forests and a hybrid connection to Azure. Built from our own red team experience, this lab offers a complete scenario from external unauthenticated access to the full compromise of the organization, using techniques such as credential hunting on SharePoint sites, pivoting to and from Azure through browser dumping, Intune abuse or ADFS compromise, ADCS exploitation, advanced Kerberos delegation and so on. Finally, practical exploitation is always carried out with discretion in mind, to defeat common monitoring capabilities.

Fundamentals

  • Active Directory mechanisms
  • Azure mechanisms and security settings / licenses
  • General and specific intrusion principles

Reconnaissance and first authenticated actions

  • ADIDNS
  • Services detection via LDAP and GPO
  • Advanced use of BloodHound/AzureHound
  • ROADrecon

Lateral movement

  • ADIDNS
  • WinRM and JEA poisoning
  • gMSA/sMSA secrets extraction
  • MS-SQL trust abuse
  • Coercion
  • Kerberos relaying
  • Cross-forest pivots
  • Azure PHS, PTA, ADFS
  • Azure Intune

Privilege escalation

Local

  • Access tokens and impersonation
  • Analysis of potatoes exploits

Domain

  • Advanced exploitation of Kerberos delegation
  • ADCS
  • Analysis of public vulnerabilities

Secrets extraction

  • Review of LSASS dump methods and tools
  • Registry secrets
  • DPAPI
  • Azure tokens
  • Azure Key Vaults
  • SharePoint

Persistence

  • ADCS certificates
  • Kerberos tickets and delegation
  • DSRM
  • Golden gMSA
  • GPO poisoning

Audience and prerequisites

This training is intended for red teamers who already have a good knowledge of Active Directory and fundamentals in Azure. Good networking and Unix knowledge is also recommended.

Software requirements

  • OS: Linux or Windows
  • Virtualization: VirtualBox or VMware Workstation Player

Hardware requirements

  • At least 50 GB of free disk space
  • At least 12 GB of RAM
  • Ability to plug in an untrusted USB drive (relevant for corporate laptops)

Provided to students

  • Presentation slides
  • VPN profile to access the lab
  • Virtual machine to attack the lab
