Detecting Access Token Manipulation

Windows access token manipulation attacks are well known and widely abused from an offensive perspective, but they rely on an extensive body of arcane Windows security internals: logon sessions, access tokens, UAC, and network authentication protocols such as Kerberos and NTLM, to name a few. Furthermore, some of this information is not easily found and can be complex for defensive practitioners to get to grips with, resulting in brittle detections and making it hard to separate the signal from the noise.

This presentation aims to demystify how access tokens work in Windows environments and show how attackers abuse legitimate Windows functionality to move laterally and compromise entire Active Directory domains. Most importantly, it will cover how to catch attackers in the act, and at scale, across enterprises.

By William Burgess

Full Abstract & Presentation Materials: https://www.blackhat.com/us-20/briefi...
