Explore a hypothesis-driven hunting approach for detecting access token manipulation in Windows authentication systems. Learn about the Pyramid of Pain, Tactics Techniques Procedures (TTPs), and the hunt hypothesis process through a case study. Dive into Windows authentication concepts, including logon session types, token types, and token theft techniques. Discover how to identify collection requirements, collect data points and access tokens, and analyze benign impersonation scenarios. Gain practical insights through a demonstration and understand how to exclude factors and techniques to improve detection accuracy.
Overview
Syllabus
Intro
Game of Thrones
Jared Atkinson
Robby Winchester
Hypothesisdriven hunting
Pyramid of pain
Tactics Techniques Procedures
How does this apply
The hunt hypothesis process
Case Study Detecting Access Token Manipulation
First Step Tactics
Access Token Manipulation
Windows Authentication
logon session types
token types
token theft
how it works
create process with token
make impersonate token
set thread token
identify collection requirements
collect data points
collect access tokens
get access token
benign impersonation
impersonating system token
ticket granting token
identify scope
exclude factors
exclude techniques
demo
