THS25 - The 'Hacktive' Directory: domain-wide forensics for exploitation indicators - Yossi Sassi

'Hacktive Directory' environments, whether hybrid or fully on-prem, are here to stay for the foreseeable future. They are the 'Microsoft mainframe' and remain very common, especially in enterprises, yet managing the security posture of AD remains challenging even in its fourth decade of existence, often with inadequate tools. I've spent over 25 years understanding AD inside and out, as a Red Teamer, Blue/Purple Teamer, and IR specialist. When it comes to AD domain forensics, and getting a good answer to the question "Is/Was my domain hacked with privileged persistence?", there are tools worth introducing that can help. In this talk I'll go over a set of open-source tools and scripts that help unveil privileged persistence and/or exploitation of your core AD infrastructure.
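To make "privileged persistence indicators" concrete, here is an added example (not the speaker's tooling and not from the talk) of three read-only queries a responder can run against a domain with the RSAT ActiveDirectory module. It checks the three indicators most AD forensics work starts with: sIDHistory values pointing at privileged SIDs of the current domain, objects still stamped adminCount=1 that are no longer in any protected group, and unexpected write rights on the AdminSDHolder object that SDProp propagates domain-wide. The list of expected AdminSDHolder principals is an assumption about a default forest and must be tuned for yours (for example Enterprise Admins appears under the forest root's NetBIOS name in child domains).

```powershell
# Added example (not the speaker's tools): read-only AD queries for common
# privileged-persistence indicators. Requires the RSAT ActiveDirectory module on a
# domain-joined host and an account that can read the directory.
Import-Module ActiveDirectory

$domain   = Get-ADDomain
$domainDN = $domain.DistinguishedName

# 1. sIDHistory is legitimate only after a real migration. A value that resolves to a
#    privileged SID of *this* domain (RIDs below) gives the holder admin rights without
#    any group membership, which is a classic persistence trick.
$privRids = @('512', '519', '544', '518')   # Domain Admins, Enterprise Admins, Administrators, Schema Admins
Write-Host "== Objects carrying sIDHistory =="
Get-ADObject -LDAPFilter '(sIDHistory=*)' -Properties sIDHistory |
    ForEach-Object {
        foreach ($sid in $_.sIDHistory) {
            $rid = ($sid.Value -split '-')[-1]
            [pscustomobject]@{
                Object     = $_.DistinguishedName
                HistorySid = $sid.Value
                Suspicious = ($sid.Value -like "$($domain.DomainSID.Value)-*" -and $privRids -contains $rid)
            }
        }
    } | Format-Table -AutoSize

# 2. adminCount=1 on a user/computer that is in no protected group any more is either a
#    stale flag or evidence that privileged access was granted and later removed.
$protectedMembers = Get-ADGroup -LDAPFilter '(adminCount=1)' |
    ForEach-Object { Get-ADGroupMember -Identity $_ -Recursive } |
    Select-Object -ExpandProperty DistinguishedName -Unique
Write-Host "== adminCount=1 objects outside every protected group =="
Get-ADObject -LDAPFilter '(&(adminCount=1)(|(objectClass=user)(objectClass=computer)))' |
    Where-Object { $protectedMembers -notcontains $_.DistinguishedName } |
    Select-Object Name, DistinguishedName

# 3. AdminSDHolder: SDProp re-stamps this ACL onto every protected object (by default
#    about hourly), so an unexpected principal with write rights here owns all admins.
#    Assumed baseline of principals that legitimately hold such rights; tune per forest.
$expectedPrincipals = @(
    'BUILTIN\Administrators',
    'NT AUTHORITY\SYSTEM',
    "$($domain.NetBIOSName)\Domain Admins",
    "$($domain.NetBIOSName)\Enterprise Admins"
)
$acl = Get-Acl -Path "AD:\CN=AdminSDHolder,CN=System,$domainDN"
Write-Host "== Unexpected write rights on AdminSDHolder =="
$acl.Access |
    Where-Object {
        $_.AccessControlType -eq 'Allow' -and
        $_.ActiveDirectoryRights -match 'GenericAll|GenericWrite|WriteDacl|WriteOwner' -and
        $expectedPrincipals -notcontains $_.IdentityReference.Value
    } |
    Select-Object IdentityReference, ActiveDirectoryRights, IsInherited
```

All three queries are reads against LDAP and the AD PowerShell drive, so they are safe to run during an investigation; an empty result for each is the baseline you want, and any hit should be correlated with change history (object replication metadata, 4738/4742/5136 events) before it is called persistence.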