Attacks on Windows Infrastructure (Blue Team edition)
2021-09-02, 16:00–16:40, Main track

Nowadays with the peak of security incidents adversaries detection became crucial challenge for blue teamers. Beside detection of the most popular tactics, techniques and procedures like network discovery and lateral movement, are you ready for incidents where adversaries abuse windows infrastructure to achieve their goals? We will dive into internals of such attacks as kerberoasting and golden tickets to find detection opportunities to detect them before the first ticket was passed.

Common attacks on Windows infrastructure and their detection:
1. Initial reconnaissance
2. Password spraying/LLMNR/NBT-NS/mDNS
3. Kerberoasting/AS-REProasting
4. Pass-the-hash/Pass-the-ticket/Overpass-the-hash
5. SilverTicket/GoldenTicket
6. Constrained and Unconstrained delegation
7. DCSync and DCShadow

  • Security researcher for last 5 years
  • Started my career as penetration tester at UnderDefense
  • Malware analyst in the past
  • Splunk enthusiast
  • Maintaining blog about Threat hunting and Malware Analysis in my free time (
This speaker also appears in: