BruCON 0x0E has ended
Thursday, September 29 • 16:00 - 17:00
0wn-premises: Bypassing Microsoft Defender for Identity


Microsoft Defender for Identity (MDI) is a service that protects on-premises Active Directory identities. MDI analyses network traffic, Windows events, SIEM/Syslog data and ETW data collected by sensors on domain controllers and/or AD FS servers to build user profiles and behaviour baselines, which are then used to detect deviations from the baseline and other anomalies. MDI can generate alerts across the phases of an attack "kill chain": Reconnaissance, Compromised credentials, Lateral movement, Domain dominance and Exfiltration.

MDI detects popular attacks like Kerberoasting, AS-REP roasting, Pass-the-hash, Pass-the-ticket, Overpass-the-hash, Brute Force, DCSync, DCShadow, Golden Ticket, Remote code execution and more.

This talk focuses on TTPs that Red Teams can use to avoid generating the anomalies that trigger these detections. We will execute high-impact attacks across the kill chain with precision to bypass or avoid an MDI instance that has sensors configured and enriched in our target environment. Behold the 0wning of on-premises identities!


Nikhil Mittal

Nikhil Mittal is a hacker, infosec researcher, speaker and enthusiast. His areas of interest include red teaming, Azure and Active Directory security, attack research, defense strategies and post-exploitation research. He has 13+ years of experience in red teaming. He specializes in...

Thursday September 29, 2022 16:00 - 17:00 CEST
01. Gouden Carolus