BSidesVienna 0x7EA

Ahmed Hassan

Ahmed Hassan is an Austrian cybersecurity engineer and penetration tester with over 7 years of experience in offensive security, recognized for speaking at major international conferences including Black Hat Saudi Arabia, Hack Red Con, and the Arab Security Conference. He has identified vulnerabilities for organizations such as the United Nations, SAP, NASA, and multiple government institutions worldwide, while also earning 52 CVEs and numerous industry certifications including OSCP and CRTP.


Sessions

06-27
15:30
30min
Defending Identity Infrastructure of the Active Directory with Deception Technologies
Ahmed Hassan

Active Directory remains the core identity system in most enterprise and governmental environments, making it a primary target for attackers after initial network compromise. Once inside a network, adversaries typically focus on AD reconnaissance, privilege escalation, and lateral movement in order to gain full domain control.

This presentation explores how attackers perform Active Directory enumeration using common tools and techniques, and why traditional security monitoring often fails to detect these early-stage activities. It then introduces deception-based defense strategies as an effective approach for early detection of malicious behavior within identity infrastructures.

The session focuses on the use of Active Directory honeypots and canary tokens as proactive detection mechanisms. These decoy assets are designed to appear legitimate within the environment while acting as high-fidelity tripwires for suspicious activity. Any interaction with these objects can immediately signal potential reconnaissance or compromise attempts.
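As an added example (not material from the talk or the speaker), the tripwire idea above reduced to detection logic: a small matcher that scans Windows Security events and raises an alert whenever a decoy account or decoy directory object is touched. The event IDs (4768 Kerberos TGT request, 4769 Kerberos service ticket request, 4624 logon, 4662 operation on a directory object) are real Windows Security log IDs; the decoy names, the maintenance-account allowlist, the field-to-event mapping and the log records are constructed for this example and are assumptions, not a description of any product or environment.

```python
# Added example: decoy-object tripwire detection over constructed Windows Security events.
# Event IDs are real Windows Security log IDs; decoy names, records and the
# field mapping are assumptions made for this example.
from dataclasses import dataclass
from typing import Iterable, Optional

# Constructed decoy principals, named to look like forgotten service/admin accounts.
# Nothing legitimate should ever authenticate as, or request a ticket for, these.
DECOY_ACCOUNTS = {"svc_backup_legacy", "adm_sql_old"}
# Constructed decoy directory object (lower-cased distinguished name), e.g. a fake policy.
DECOY_OBJECTS = {"cn=legacy backup policy,cn=policies,cn=system,dc=example,dc=local"}
# Automation that legitimately maintains the decoys; its touches are expected noise.
MAINTENANCE_SUBJECTS = {"svc_deception"}

# For each event ID: the field in which a decoy would appear, the decoy set to
# check it against, and the field naming the actor (None when the event has no
# meaningful subject). Field names follow the Security log XML schema.
RULES = {
    4768: ("TargetUserName", DECOY_ACCOUNTS, None),              # TGT requested for decoy account
    4769: ("ServiceName",    DECOY_ACCOUNTS, "TargetUserName"),  # service ticket for decoy SPN owner
    4624: ("TargetUserName", DECOY_ACCOUNTS, "SubjectUserName"), # logon as the decoy account
    4662: ("ObjectName",     DECOY_OBJECTS,  "SubjectUserName"), # directory operation on decoy object
}


@dataclass(frozen=True)
class Alert:
    event_id: int
    decoy: str
    actor: Optional[str]
    ip: Optional[str]


def _clean(value: Optional[str]) -> Optional[str]:
    """Windows writes '-' for absent fields; normalise that to None."""
    return None if value in (None, "-") else value


def classify(event: dict) -> Optional[Alert]:
    """Return an Alert if this event touches a decoy, else None."""
    rule = RULES.get(event.get("EventID"))
    if rule is None:
        return None  # event type carries no decoy-relevant field
    target_field, decoys, actor_field = rule
    target = (event.get(target_field) or "").lower()  # AD names are case-insensitive
    if target not in decoys:
        return None
    actor = _clean(event.get(actor_field)) if actor_field else None
    # Suppress the deception platform's own housekeeping (compare the bare sAMAccountName).
    if actor and actor.split("@")[0].lower() in MAINTENANCE_SUBJECTS:
        return None
    return Alert(event["EventID"], target, actor, _clean(event.get("IpAddress")))


def detect(events: Iterable[dict]) -> list:
    """Run the tripwire over a stream of events and collect every decoy touch."""
    return [a for a in (classify(e) for e in events) if a is not None]


# Constructed sample records (not real log data).
SAMPLE_EVENTS = [
    {"EventID": 4769, "ServiceName": "svc_backup_legacy",
     "TargetUserName": "jdoe@EXAMPLE.LOCAL", "IpAddress": "10.0.5.23"},
    {"EventID": 4624, "TargetUserName": "jdoe", "SubjectUserName": "-", "IpAddress": "10.0.5.23"},
    {"EventID": 4768, "TargetUserName": "ADM_SQL_OLD", "IpAddress": "10.0.5.23"},
    {"EventID": 4662, "ObjectName": "CN=Legacy Backup Policy,CN=Policies,CN=System,DC=example,DC=local",
     "SubjectUserName": "svc_deception"},
    {"EventID": 4662, "ObjectName": "CN=Legacy Backup Policy,CN=Policies,CN=System,DC=example,DC=local",
     "SubjectUserName": "jdoe"},
    {"EventID": 4688, "NewProcessName": "C:\\Windows\\System32\\notepad.exe", "SubjectUserName": "jdoe"},
]

if __name__ == "__main__":
    for alert in detect(SAMPLE_EVENTS):
        print(f"DECOY TOUCH event={alert.event_id} decoy={alert.decoy} "
              f"actor={alert.actor} ip={alert.ip}")
```

Because decoys have no legitimate consumers, every alert is actionable on its own; the only tuning needed is the allowlist for whatever automation keeps the decoys looking alive, which is why the maintenance-subject check sits before the alert is raised.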

Through practical examples and a simulated attack scenario, the talk demonstrates how deception techniques can detect attacker behavior during directory enumeration, credential discovery, and privilege mapping. The presentation also highlights how these mechanisms integrate into Purple Team methodologies and support incident response and forensic investigations.

Attendees will gain insight into how deception technologies enhance visibility within Active Directory environments, reduce attacker dwell time, and enable earlier detection of identity-based attacks before they escalate into full domain compromise.

Dachsaal (Track 2 - 190 pax)