Overview
Explore the intricacies of Windows access token manipulation attacks in this 39-minute Black Hat conference talk. Delve into the complex world of Windows security internals, including logon sessions, access tokens, UAC, and network authentication protocols like Kerberos and NTLM. Gain insights into how attackers exploit legitimate Windows functionality for lateral movement and domain compromise. Learn effective detection strategies to identify these attacks at scale across enterprises. Discover the inner workings of logon sessions, access tokens, network authentication, and impersonation techniques. Examine various token manipulation methods, including NETONLY, CreateProcessWithLogonW, Pass-The-Ticket, and Overpass-the-hash. Understand the Frida Basic Shocking template and its applications. Equip yourself with the knowledge to detect and mitigate access token manipulation attacks, bridging the gap between offensive tactics and defensive practices in Windows environments.
Syllabus
Intro
Objectives
Agenda
Logon Sessions and Access Tokens
Network Authentication
Impersonation
Initial Compromise
Token Manipulation: The Art of the Possible
NETONLY
CreateProcessWithLogonW
Pass-The-Ticket
Overpass-the-hash
Frida Basic Shocking template
Detecting Access Token Manipulation
Conclusion
Taught by
Black Hat