Maxim Tumakov

Principal Analyst of Cyber Defense Center, BI.ZONE

About the speaker

Maxim researches cyber threats and develops detection content for the BI.ZONE Cyber Defense Center. He previously worked at Kaspersky and Informzaschita, has several CVEs assigned to his discoveries, and holds the OSCP and eCPTXv2 certifications.
August 26
Track 1

Once a user account is compromised, an intruder has a foothold from which to attack the Active Directory domain. One of the attacker's primary tasks at this stage is to enumerate domain objects in search of paths to privilege escalation. There is a great variety of enumeration tools, but nearly all of them rely on the same two channels: LDAP to query the Active Directory database, and MS-RPC (for example, the SAMR, LSARPC and SRVSVC interfaces) to query other Windows hosts for local group members, logged-on sessions and shares.

This talk describes methods for collecting LDAP and RPC telemetry, and methods for detecting anomalous and malicious activity in the collected events. The proposed approach makes it possible to detect the use of popular offensive tools, as well as some attacks that are hard to spot with other telemetry sources.
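The abstract describes the approach only in outline. As an added example (not the speaker's detection content or any BI.ZONE code), the Python below runs three simple enumeration heuristics over constructed LDAP search records: signature matching on filters that collectors and roasting tools are known to issue, requests for attributes that ordinary clients rarely ask for, and a per-client burst of subtree-scope searches inside a sliding window. The record field names, the signature list, the attribute list and the thresholds are all assumptions for illustration; a real pipeline would fill the records from a source such as Directory Service event 1644 (which, once the NTDS "Field Engineering" diagnostic level is raised, records the client, base DN, filter, scope and requested attributes of expensive or inefficient searches) or from a network LDAP decoder.

```python
"""Score LDAP search telemetry for enumeration-tool behaviour.

Added example; not the speaker's detection logic. Records are constructed
with assumed field names: time, client, user, base, scope, filter, attrs.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Heuristic filter signatures (assumed indicators, not an exhaustive list).
# Filters are lower-cased and stripped of whitespace before matching.
FILTER_SIGNATURES = {
    # Kerberoast candidates: user objects carrying a servicePrincipalName
    "spn_users": re.compile(r"\(serviceprincipalname=\*\)"),
    # AS-REP roast candidates: userAccountControl bit 0x400000 (DONT_REQ_PREAUTH)
    # tested through the LDAP_MATCHING_RULE_BIT_AND OID
    "no_preauth_users": re.compile(
        r"useraccountcontrol:1\.2\.840\.113556\.1\.4\.803:=4194304"),
    # Bulk user (805306368) or computer (805306369) enumeration by samAccountType
    "samaccounttype_enum": re.compile(r"samaccounttype=(805306368|805306369)"),
    # Trust enumeration
    "trust_enum": re.compile(r"objectclass=trusteddomain"),
}

# Attributes ordinary clients rarely request but collectors pull for many objects
SENSITIVE_ATTRS = {"ntsecuritydescriptor", "msds-allowedtodelegateto",
                   "msds-allowedtoactonbehalfofotheridentity"}

WINDOW = timedelta(minutes=5)   # sliding window for the volume check (assumed)
SUBTREE_THRESHOLD = 4           # subtree searches per client per window (assumed)


def normalize_filter(ldap_filter):
    """Canonical form so spacing and case variants hit the same signature."""
    return re.sub(r"\s+", "", ldap_filter).lower()


def match_signatures(event):
    """Names of the signatures the event's filter matches."""
    f = normalize_filter(event["filter"])
    return {name for name, rx in FILTER_SIGNATURES.items() if rx.search(f)}


def sensitive_attrs(event):
    """Requested attributes that appear on the sensitive list."""
    return {a.lower() for a in event["attrs"]} & SENSITIVE_ATTRS


def max_subtree_in_window(events, window):
    """Largest count of subtree-scope searches by one client inside any window."""
    times = sorted(e["time"] for e in events if e["scope"] == "subtree")
    best, start = 0, 0
    for end, t in enumerate(times):
        while t - times[start] > window:   # slide the window's left edge forward
            start += 1
        best = max(best, end - start + 1)
    return best


def analyze(events, window=WINDOW, threshold=SUBTREE_THRESHOLD):
    """Group events by client IP and score each client's enumeration indicators."""
    by_client = defaultdict(list)
    for e in events:
        by_client[e["client"]].append(e)
    results = {}
    for client, evs in by_client.items():
        sigs, attrs = set(), set()
        for e in evs:
            sigs |= match_signatures(e)
            attrs |= sensitive_attrs(e)
        burst = max_subtree_in_window(evs, window) >= threshold
        results[client] = {
            "users": sorted({e["user"] for e in evs}),
            "signatures": sorted(sigs),
            "sensitive_attrs": sorted(attrs),
            "subtree_burst": burst,
            # one point per signature, per sensitive attribute, and for a burst
            "score": len(sigs) + len(attrs) + int(burst),
        }
    return results


def _ev(minute, client, user, ldap_filter, attrs, scope="subtree",
        base="DC=corp,DC=local"):
    return {"time": datetime(2024, 8, 26, 10, minute), "client": client,
            "user": user, "base": base, "scope": scope,
            "filter": ldap_filter, "attrs": attrs}


# Constructed sample telemetry: a collector-style burst from 10.0.0.5, a lone
# Kerberoast candidate query from 10.0.0.7, a benign single-object lookup from 10.0.0.9.
SAMPLE_EVENTS = [
    _ev(0, "10.0.0.5", "CORP\\jdoe", "(samAccountType=805306368)",
        ["sAMAccountName", "nTSecurityDescriptor"]),
    _ev(0, "10.0.0.5", "CORP\\jdoe", "(samAccountType=805306369)",
        ["dNSHostName", "msDS-AllowedToDelegateTo"]),
    _ev(1, "10.0.0.5", "CORP\\jdoe", "(objectClass=group)", ["member", "nTSecurityDescriptor"]),
    _ev(1, "10.0.0.5", "CORP\\jdoe", "(objectClass=trustedDomain)", ["trustPartner"]),
    _ev(2, "10.0.0.5", "CORP\\jdoe",
        "(&(objectCategory=person)(objectClass=user)(servicePrincipalName=*))",
        ["servicePrincipalName"]),
    _ev(7, "10.0.0.7", "CORP\\svc-scan",
        "(&(objectCategory=person)(objectClass=user)(servicePrincipalName=*))",
        ["sAMAccountName", "servicePrincipalName"]),
    _ev(9, "10.0.0.9", "CORP\\helpdesk", "(sAMAccountName=asmith)", ["displayName", "mail"],
        scope="base", base="CN=asmith,OU=Users,DC=corp,DC=local"),
]

if __name__ == "__main__":
    for client, r in sorted(analyze(SAMPLE_EVENTS).items()):
        print(client, r)
```

The three heuristics are deliberately kept separate in the output rather than collapsed into the score alone: a single Kerberoast-style filter from a service account may be legitimate, whereas the same filter inside a burst that also pulls `nTSecurityDescriptor` for every object is the pattern a collector leaves, and an analyst triaging the alert needs to see which of the indicators fired.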