A New Era of Brute Forcing in Active Directory

Active Directory Domain Services recently celebrated 25 years, making it far from a young technology, yet it is not going anywhere anytime soon. Most companies still rely on Active Directory as their primary identity provider and management solution. One might assume that after all these years, we have ve already mastered securing Active Directory with best practices. However, the reality is quite the opposite and Active Directory environments are often poorly secured, making them one of the main targets for attackers.

In this talk, I will explain some fundamental yet not always known concepts of Account Policies, Replication, and related best practices. More importantly, I will demonstrate a technique to bypass the Account Lockout Policy, allowing almost limitless brute-force attacks on Active Directory accounts. This brute-forcing technique is rarely documented—in fact, I had never heard of it myself until I stumbled upon it by “accident”.

By the end of this session, you will leave with a few key Active Directory configurations to enhance security and most importantly, the knowledge to defend against this brute-force technique.