Presentation information

Who owns your hybrid Active Directory? Hunting for adversary techniques!

Thirumalai Natarajan Muthiah (Mandiant Consulting) & Anurag Khanna (Mandiant Consulting)
live only
16:30 UTC on Day 2
THURSDAY 01 OCTOBER
Hybrid Active Directory (AD) is the new workhorse to manage single user identity for both authentication and authorization in on-premises and cloud environments. Hybrid AD environments are of interest to threat actors and defenders alike.

Through our experience in performing incident response and remediation engagements across the globe, we observed various backdoors and misconfigurations in hybrid AD that provided threat actors long-term, at-will privileged access to organizations’ IT environments.

We will cover techniques used by threat actors to maintain persistence, covertly elevate privileges at will, and maintain and exert control over systems managed by hybrid AD. We will share different hypotheses and hunting techniques to detect misconfigurations and backdoors in a hybrid AD environment.
Thirumalai Natarajan Muthiah
Mandiant Consulting
Thirumalai Natarajan is a principal consultant with Mandiant Consulting where he is responsible for performing incident response and remediation for large-scale breaches, Active Directory and cloud security assessments, and ransomware defence assessments for global organizations. Over his career, Thiru has built and managed security operation centres and detection and response engineering teams across APAC to help organizations improve their detection and defence posture. Thiru currently holds CISSP, GREM, OSCP and PMP certifications.
Anurag Khanna
Mandiant Consulting
Anurag Khanna is a principal consultant with Mandiant Consulting where he is responsible for performing incident response & remediation and helping organizations improve their security posture. Over his career, Anurag has worked in the full gamut of cybersecurity roles, including penetration tester, incident handler and security architect, helping organizations improve detection capabilities and testing their security posture. He is among the few cybersecurity experts to have the GIAC Security Expert (GSE#97) credential.
16:30 - 17:00 UTC Fri 8 Oct 2021