Talk

Beyond LSASS: Cutting-Edge Techniques for Undetectable Threat Emulation

March 13, 10:30 (CAMPUS)

In most Active Directory post-exploitation scenarios, red teamers pursuing lateral movement first turn to the Local Security Authority Subsystem Service (LSASS) process. However, because LSASS is so heavily monitored, any competent Endpoint Detection and Response (EDR) system will detect and flag such activity.

In this presentation, we will delve into innovative methods for navigating Microsoft Azure Active Directory (now Entra ID) based environments and achieving our objectives with greater stealth. We will discuss searching memory and disk for Microsoft 365 application authentication tokens and how these can be exploited. Additionally, we will examine Chromium-based applications that use WebView technology, exploring how they are constructed and where secrets may be exposed.

We will cover lateral movement within cloud environments, the use of long-lived Single Sign-On (SSO) tokens, Conditional Access policies, and other Entra ID-specific features that can make your next threat emulation exercise undetectable by defenders.

Finally, we will provide defenders with valuable tips on monitoring these techniques and suggest other defense-in-depth practices. Join us to enhance your knowledge of both offensive and defensive strategies in this evolving landscape.

Speaker

Priyank Nigam

As a Senior Red Teamer, Priyank focuses primarily on conducting security exercises that emulate real-world threats impacting billions of users. He is well known for his expertise in identifying high-impact vulnerabilities and has shared his research openly at various industry conferences.

He excels at identifying initial access points in a network and performing post-exploitation tasks with as much stealth as possible. He has advised Fortune 500 brands and startups, and does mobile- and IoT-related research in his spare time.

As a new(ish) parent, he is now (re)learning hacking from his toddlers who defeat all the "restrictions" to limit their mobility.
