The Forgotten Art of Hiding Data in Active Directory—and How Adversaries Could Use This Against You!
This session covers a key and often overlooked aspect of Active Directory (AD) security: the wealth of default read permissions that Microsoft has granted to every user and computer in the directory. The concept of an AD forest as a security boundary must not be understood only as a protective feature (without an account in an AD forest, you cannot access any of its AD objects or connected resources); it must also be understood as the scope of reach an intruder has to access and assess the security of AD objects once they gain a foothold in an organization’s network. Removing certain default read permissions and using other built-in mechanisms to hide data in AD is often a low-risk operation that pays off by making it much harder for intruders to perform the reconnaissance that helps them plan their next steps towards domain dominance. Likewise, intruders who have already gained access to your AD could use similar hiding techniques to achieve persistence, avoiding discovery even by the most highly privileged AD admin using normal LDAP lookups or searches. Join Principal Technologist Guido Grillenmeier to discuss various techniques for hiding data in Active Directory, including proper handling of List Object mode and security property sets. You will also learn how to look for warning signs that AD has been compromised, how to find objects that intruders may have hidden from you, and what steps to take in the event of an attack.
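As an added example, not part of the session abstract or the speaker's material, the following PowerShell audit reads the dSHeuristics attribute to report whether List Object mode is enabled and lists OUs and containers whose ACLs carry explicit Deny entries on list or read rights for broad principals, which is where deliberately hidden objects would sit. The function names and the list of "broad" principals are my own choices; it assumes the ActiveDirectory module on a domain-joined host with read access to the configuration partition.

```powershell
# Added defender-side audit (not from the session): List Object mode state and
# explicit Deny ACEs on list/read rights that could hide AD objects from view.
Import-Module ActiveDirectory

function Get-ListObjectMode {
    # The third character of dSHeuristics controls List Object mode ('1' = enabled).
    $rootDse = Get-ADRootDSE
    $dsPath  = "CN=Directory Service,CN=Windows NT,CN=Services,$($rootDse.configurationNamingContext)"
    $heur    = (Get-ADObject -Identity $dsPath -Properties dSHeuristics).dSHeuristics
    return ($heur.Length -ge 3 -and $heur[2] -eq '1')
}

function Find-DenyListAces {
    # Principals that normally hold default read access; hypothetical selection for this audit.
    $broad  = @('Everyone', 'Authenticated Users', 'Domain Users', 'Pre-Windows 2000 Compatible Access')
    $rights = [System.DirectoryServices.ActiveDirectoryRights]
    $listOrRead = $rights::ListChildren -bor $rights::ListObject -bor $rights::ReadProperty -bor $rights::GenericRead
    $base = (Get-ADRootDSE).defaultNamingContext

    Get-ADObject -LDAPFilter '(|(objectClass=organizationalUnit)(objectClass=container))' -SearchBase $base |
        ForEach-Object {
            $dn  = $_.DistinguishedName
            $acl = Get-Acl -Path "AD:\$dn"
            foreach ($ace in $acl.Access) {
                # Strip the "DOMAIN\" or "NT AUTHORITY\" prefix before matching the principal name.
                $name = $ace.IdentityReference.Value.Split('\')[-1]
                if ($ace.AccessControlType -eq 'Deny' -and
                    ($broad -contains $name) -and
                    (($ace.ActiveDirectoryRights -band $listOrRead) -ne 0)) {
                    [pscustomobject]@{
                        Container = $dn
                        Principal = $ace.IdentityReference.Value
                        Rights    = $ace.ActiveDirectoryRights
                        Inherited = $ace.IsInherited
                    }
                }
            }
        }
}

"List Object mode enabled: $(Get-ListObjectMode)"
Find-DenyListAces | Format-Table -AutoSize
```

This only surfaces explicit Deny entries; objects hidden by removing the default Allow entries instead will not appear, so compare the ACLs of sensitive containers against a known-good baseline as well.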