top of page

Trimarc Presents:
TRICON

OUR INAUGURAL SECURITY CONFERENCE

TRICON is a one-day, remote conference showcasing talks and panels from industry experts in Active Directory, Microsoft Cloud, and Identity Security.

KEYNOTE SPEAKERS

1517670879141_e=1725494400&v=beta&t=Aduz3m3DveNoN51nbBdHYYWscUR_qrFTi8WNwiq7BcQ.jpg

Sean Metcalf

Founder & CTO
Trimarc Security
@PyroTek3

1516738246965_e=1725494400&v=beta&t=OJa294_NAVe6MAl3HFqOpzPYUdbPGRzHhDOydrfQ36w.jpg

Dr. Cathy Ullman

Principal Technology Architect, Security
University at Buffalo
@investigatorchi

FREE to register!

Join us at TRICON, a remote conference focused on Active Directory, Microsoft Cloud, and Identity Security. Register at bit.ly/TRICONReg

Tricon Sessions

spencer-bluebackground.png

Nightmare in SYSVOL: Dangerous and misconfigured logon scripts

Spencer Alessi

Internal networks are rife with lurking threats that often manifest in unexpected ways. Among these, logon scripts, a seemingly innocuous component of user and computer management, are one of the most subtle potential attack vectors. These scripts, intended to streamline user access and automate various tasks during login, can inadvertently become the Achilles’ heel of an organization’s security posture if not properly managed. It seems counterintuitive, but in an age where cyber threats continue to evolve, and adversaries continue to develop novel attack methods, it’s never been more important to get the basics right. Because of the “path of least resistance,” these and many other seemingly benign vulnerabilities could be the difference between an attacker fully compromising your environment versus deciding to move on to an easier target.

In this presentation, we will:

  • Describe four logon script misconfiguration categories 

  • Detail how they can be used as an attack platform

  • And offer recommendations for remediating and mitigating these issues

  • Present a convenient, easy to use, and free tool for identifying these issues

john2.jpeg

FAST Times at Contoso High

John Askew

It's a classic coming-of-age tale... free-wheeling plans predictably go sideways in an awkward, humorous manner, as we gain wisdom and become more resilient to the demands of the "real world". At least, for the more fortunate characters in the story. In this fast-paced session, you will learn how inherent weaknesses of 1980s cryptographic design still exist in most modern Active Directory environments, and how you can potentially fix them. FAST is a Kerberos extension for armoring and protecting your Active Directory authentication traffic that you may not have even realized was vulnerable. Isn't it nice when the solution is right there in front of you before you even recognize there is a problem? Of course, the hard part - the part that takes the latter half of the movie to actualize - is the work of putting it into action. In the flash-forward epilogue, will you end up as a hopeful protagonist that overcomes their weakness to move forward, or a tragic side character that remains stuck in the past?

suril_photo.jpeg

Mitigating the identity attack surface: honeytokens to deflect identity threats

Suril Desai

Mitigating the Active Directory security findings is challenging for administrators. Service accounts are tied to critical services and applications, reducing the attack surface can result in impact to the business. For the identity attack surface that cannot be mitigated, honeytokens serve as an effective countermeasure. Honeytokens provide the benefit of detecting, and more importantly, diverting/deflecting the attacker away from the real service accounts and privileged admin accounts. While this has been known to be a mitigation measure, organizations need assistance on a strategy for the optimal count, placement, types of honeytokens. This talk discusses the evolution in identity threats, the need for reducing the identity attack surface, and the countermeasures based on honeytokens as a detection and diversion approach. Recommendations and best practices for an effective strategy for honeytokens will be shared with the community.

IMG_20210209_104411.jpg

The (almost) complete LDAP guide

Sapir Federovsky

Many blue teams avoid using LDAP for detections and sometimes do not understand the significant detection capabilities that can only be achieved using LDAP. There is very few information about decrypting encrypted LDAP (for example with NTLM GSS-API) and therefore many teams simply do not check encrypted queries and miss significant attacks. Attacks and information on Kerberos and NTLM are very common, and sometimes LDAP is pushed into a corner. It’s time to put it in the spotlight! In this talk, i will cover the following:

  • Implementation with winAPI

  • Authentication types

  • Encryption and decryption of LDAP sessions

  • Signature of attack tools based on the LDAP queries they create (this will be the main part)

  • LDAP attacks such as injection and obfuscation and various identification methods (this will be the main part)

  • Using LDAP to identify a dangerous configuration in the environment

  • LDAP in Active Directory Web Services

ViktorHedberg.jpg

Oops! I can read your Conditional Access Policies without being an admin?

Viktor Hedberg

During my work to make a PowerShell module to perform Entra ID Healtchecks, I stumbled onto something worrying. Regular user access is the bare necessity to dump Conditional Access Policies from any tenant using AAD Graph API. Now, those APIs are going out of business, but this way of exfiltrating the CA Policies allows an attacker today to identify any gaps in your policy structure. This session will look at how this is possible, and of course how to mitigate this in your tenant.

HermonKidane.jpg

AD security for Jr. SMB sys admins

Hermon Kidane

Securing Active Directory (AD) can be challenging for SMB administrators, especially when budget constraints limit access to advanced tools. However, there are proven strategies available to internal administrators to strengthen AD security without additional costs. This presentation explores practical measures such as reviewing password policies, authentication protocols, auditing best practices, AD security and hardening techniques, and the implementation of cyber deception tactics. These strategies are aimed at protecting SMBs from attackers and doing so in an effective and affordable manner.

MattKiely.jpg

Identity crisis: Combating Microsoft 365 account takeovers at scale

Matt Kiely

Every day in the United States, about $8 million is siphoned from individuals, small businesses, large corporations, and non-profit organizations as a result of business email compromise attacks. These attacks are the symptom of a new rising tide of cloud attack tradecraft. In the cloud, proof of identity is all that you need to access private resources, even if that proof is stolen. Welcome to the identity crisis! How wide is the attack surface for these identity attacks? In the case of Microsoft 365, it is about 345 million identities and counting! M365 remains a tantalizing target for cybercriminals who want to cash in on the relative simplicity of these attacks. This talk focuses on how we can cut off attackers during one of the most critical phases of their attacks: initial access. Through technical demonstration of three common initial access attacks, this presentation will cover how we can better approach detection, response, and deterrence of account takeovers. First, we will explore the problem statement when it comes to defending M365 from account takeovers. We will cover the high-level landscape of attacks and how they differ from their on-premise analogs. We will also cover some of the differences in our strategic approach to identity attacks compared to their predecessors. Then, we will step into the attack lab and learn three common M365 attacks that grant initial access when successful. For each attack, we cover the technical steps required to execute it. Then, we cover detections and mitigations for the attack, paying special attention to the best telemetry sources that allow effective threat hunting against the attack. By the end of this presentation, attendees will have a better understanding of the specifics of some of the most common and dangerous identity attacks that result in account takeover. But more importantly, they will see the clear shift in philosophy between how we should approach legacy threats and identity threats.

KiranKumar.jpg

DFIR on Azure Cloud

Kiran Kumar

In this talk, I'm going to cover some of the top attacks within Azure AD and methods you can use to detect those attacks. I'll cover attacks such as:

  • Password spraying

  • Session cookie theft using Evilginx2

  • Token theft and replay using PTR and hunting for this attack in Azure Graph logs.

I'll also discuss the kinds of logs and policies useful in DFIR in Azure AD. When facing an incident, would you know what type of logs that you need to look into? Are you taking your storage policies for granted? For instance, depending upon licensing  for things like E3 and E5, not all logs are stored more than 30 days. What's more, do you know where to look for specific type of attacks such as initial access?

Muxx.jpg

Nightmare misconfigurations of Active Directory

Muxx

Nightmare misconfigurations of Active Directory's will focus on how certain configurations of AD have granted way more than appropriate access to the incorrect entities. This talk will go into talking about stories of incidents, how this was corrected, the mitigation process and how this could have been prevented in the first place. 

JustinPalk.jpg

Stay on the path: An introduction to exploiting Active Directory

Justin Palk

Mitigating the Active Directory security findings is challenging for administrators. Service accounts are tied to critical services and applications, reducing the attack surface can result in impact to the business. For the identity attack surface that cannot be mitigated, honeytokens serve as an effective countermeasure. Honeytokens provide the benefit of detecting, and more importantly, diverting/deflecting the attacker away from the real service accounts and privileged admin accounts. While this has been known to be a mitigation measure, organizations need assistance on a strategy for the optimal count, placement, types of honeytokens. This talk discusses the evolution in identity threats, the need for reducing the identity attack surface, and the countermeasures based on honeytokens as a detection and diversion approach. Recommendations and best practices for an effective strategy for honeytokens will be shared with the community.

JulianStephan.jpg

Driving security through Active Directory consolidation

Julian Stephan

In today's complex IT environments, organizations face the challenge of managing identities and access across multiple platforms while ensuring robust security measures are in place. This presentation explores the advantages and methodologies of performing Active Directory and Entra ID consolidations as measures to reduce your AD and Entra ID attack surface that have arisen over the years due to M&As or leaving directories in place for applications that are deemed to not be migrated due to business risk.

WHEN: Sunday, July 28 at 9 AM PT / Noon ET

WHERE: VIRTUAL on Zoom + Discord

HOW TO REGISTER:

  1. Register via Zoom at bit.ly/TRICONReg

  2. Join the conversation on the Trimarc Discord server (a link to join the Discord server will be sent post-registration)

TRICON SPEAKER LINEUP

spencer-bluebackground.png

Spencer Alessi

Sr. Penetration Tester
SecurIT360
@techspence

unnamed (4).jpg

Viktor Hedberg

Sr. Technical Architect
Truesec
@headburgh

unnamed (3).jpg

Muxx

IT Security Analyst
CISO Global
@muxluxx

john2.jpeg

John Askew

Owner
Terrapin Labs
sk3w@infosec.exchange

1710166241042_e=1726099200&v=beta&t=OzAEbIlifjobXpZmk419Yb767cmNOyLNO84Rwe1v-wE.jpg

Hermon Kidane

Systems Administrator
Nefas Silk Paints Factory
@hermon-kidane-w

Justin_Headshot-1.jpg

Justin Palk

Security Consultant
Red Siege
@thekilt@pixel.infosec.exchange

suril_photo.jpeg

Suril Desai

VP of Engineering
Acalvio Technologies
@suril-r-desai

GAOQC3sK_400x400.jpg

Matt Kiely

Prin. Security Researcher
Huntress
@huskyhacksMK

image001.jpg

Julian Stephan

Sr. Security Architect
Quest Software
@JulianSStephan

IMG_20210209_104411.jpg

Sapir Federovsky

Security Researcher
CrowdStrike
@sapirxfed

IMG_3267-EDIT.jpg

Kiran Kumar

Cybersecurity Professional
Threat Hunting &Threat Intelligence

bottom of page