This course aims to teach learners how to detect access token manipulation attacks in Windows environments. The learning outcomes include understanding how attackers abuse legitimate Windows functionality, catching attackers in the act, and implementing detections at an enterprise scale. The course covers topics such as logon sessions, access tokens, network authentication, impersonation, token manipulation techniques like Pass-The-Ticket and Overpass-the-hash, and tools like Frida. The teaching method includes demystifying Windows access tokens and demonstrating attack techniques. This course is intended for defensive practitioners and security professionals looking to enhance their skills in identifying and mitigating access token manipulation attacks.
Overview
Syllabus
Intro
Objectives
Agenda
Logon Sessions and Access Tokens
Network Authentication
Impersonation
Initial Compromise
Token Manipulation: The Art of the possible
NETONLY
CreateProcessWithLogonW
Pass-The-Ticket
Overpass-the-hash
Frida Basic Shocking template
Detecting Access Token Manipulation
Conclusion
Taught by
Black Hat
