Detecting Access Token Manipulation

Black Hat via YouTube

Overview

Explore the intricacies of Windows access token manipulation attacks in this 39-minute Black Hat conference talk. Delve into the complex world of Windows security internals, including logon sessions, access tokens, UAC, and network authentication protocols like Kerberos and NTLM. Gain insights into how attackers exploit legitimate Windows functionality for lateral movement and domain compromise. Learn effective detection strategies to identify these attacks at scale across enterprises. Discover the inner workings of logon sessions, access tokens, network authentication, and impersonation techniques. Examine various token manipulation methods, including NETONLY, CreateProcessWithLogonW, Pass-The-Ticket, and Overpass-the-hash. Understand the Frida Basic Shocking template and its applications. Equip yourself with the knowledge to detect and mitigate access token manipulation attacks, bridging the gap between offensive tactics and defensive practices in Windows environments.

Syllabus

Intro
Objectives
Agenda
Logon Sessions and Access Tokens
Network Authentication
Impersonation
Initial Compromise
Token Manipulation: The Art of the Possible
NETONLY
CreateProcessWithLogonW
Pass-The-Ticket
Overpass-the-hash
Frida Basic Shocking template
Detecting Access Token Manipulation
Conclusion

Taught by

Black Hat
