06 - BruCON 0x0E - 0wn-premises: Bypassing Microsoft Defender for Identity - Nikhil Mittal

Video description

Microsoft Defender for Identity (MDI) is a service that protects on-premises Active Directory identities. MDI analyses network traffic, Windows events, SIEM/Syslog and ETW data on DCs and/or AD FS servers to create user profiles and behaviour baselines that are used to detect deviations from baseline and anomalies. MDI can generate alerts across the phases of an attack "kill chain": Reconnaissance, Compromised credentials, Lateral Movement, Domain Dominance and Exfiltration.

MDI detects popular attacks like Kerberoasting, AS-REP roasting, Pass-the-hash, Pass-the-ticket, Overpass-the-hash, Brute Force, DCSync, DCShadow, Golden Ticket, Remote code execution and more.

This talk focuses on TTPs that Red Teams can use to avoid generating the anomalies that trigger detections. We will execute high-impact attacks across the kill chain with precision to bypass or avoid an MDI instance that has sensors configured and enriched in our target environment. Behold the 0wning of on-premises identities!
