Hidden Pathways: Exploring the Anatomy of ACL-Based Active Directory Attacks and Building Strong Defenses

We will cover the Active Directory attack path that arises from permissions granted in the ACLs of Active Directory objects. The talk will discuss common attack paths, the technical details of their existence, and how attackers can execute them with limited risk of detection. The presentation will also provide a comprehensive remediation plan for organizations to prevent these attack paths from emerging again, including best practices, tools, and techniques. Attendees will gain a deeper understanding of ACL-based attack paths in AD and practical knowledge on how to protect their organizations from these attacks.

This presentation will cover the Active Directory attack path that emerges from permissions granted in the ACLs of Active Directory objects. Specifically, we will discuss the attack paths we commonly see in the field, the technical details of why they exist, and how attackers can execute them with limited risk of detection.

Our talk will focus on the importance of understanding how ACLs work in Active Directory, how these attack paths occur, and the potential risks they pose to organizations. We will demo examples of how both old and new ACL-based attacks can be executed to escalate privileges in Active Directory and gain Domain Admin access, for example. Additionally, we will discuss the technical details of why the attack paths are hard to avoid in even a hardened Active Directory environment.

Finally, we will present a comprehensive remediation plan that organizations can use to build an OU structure and configure ACLs to prevent these attack paths from emerging again. We will share best practices, tools, and techniques for implementing these measures and ensuring that they effectively prevent similar attacks in the future.

Attendees will leave our talk with a deeper understanding of ACL-based attack paths in AD and the potential risks, as well as practical knowledge of how to protect their organizations from these attacks. Our talk will be of particular interest to both offensive and defensive security professionals, system administrators, and IT managers.