Alexander Rodchenko
Senior SOC analyst, Kaspersky
Moscow, Russia
Rodchenko Alexander is a Senior SOC Analyst in the SOC Security Research Group at Kaspersky. He began his career at OJSC Rosneft, focusing on industrial safety, troubleshooting, and audits. He now investigates industry events and trends with the primary goal of integrating these insights into monitoring and threat hunting practices. Drawing on this expertise, Alexander advises customers and threat detection and hunting teams on the optimal response to emerging threats and trends. In addition to speaking twice at Positive Hack Days and at BSides Zurich 2023, he has also spoken at CodeBlue and BlackHat MEA 2024 and at DefCamp 2025.
Topics
C2 by Microsoft: What can go wrong if SCCM ends up in the wrong hands
SCCM is a critical infrastructure component used in many corporate environments for centralized software deployment, patching, and endpoint configuration. But what happens when attackers turn this powerful tool against you?
In this talk, we’ll explore SCCM from the perspective of both defenders and adversaries. We’ll explain its architecture, key components, and why it represents such an attractive target for attackers aiming for domain-wide persistence, privilege escalation, and lateral movement. We’ll demonstrate how SCCM can be abused as a stealthy Command & Control (C2) channel and examine real-world techniques used to compromise both SCCM servers and clients.
The presentation will also cover detection and monitoring strategies tailored for SCCM, including event logging, behavioral indicators, and configuration weaknesses. We'll share our practical experience, tools, and methods that can help you proactively secure and audit this often-overlooked service.
Golden Mistake
Golden Ticket attacks allow an adversary who has compromised the KRBTGT key to mint arbitrary Kerberos TGTs, complete with forged PAC data, that are cryptographically valid and therefore trusted by domain controllers and services. Most existing detections hunt the tickets themselves or their logs (unusual lifetimes, legacy ciphers, noisy DC behavior). In this talk, I flip the perspective and hunt the artifacts that forged tickets produce: logon sessions and access tokens on Windows systems.
I will show how to treat the security token as a concrete, observable "shadow" of the PAC and use it to expose Golden Ticket misuse. The core idea is simple: enumerate active sessions, extract their tokens, and compare the user SID and group SIDs in each token against the "ground truth" in Active Directory. In a large, messy enterprise with multiple domains and nested groups, forged PACs almost always make logical mistakes: impossible usernames for a given SID, disabled or non-existent accounts with active sessions, user SIDs appearing in the group list, or tokens whose group topology is far too simple for a real high-privilege account.
I will present FindGT, a tool that automates this token-level anomaly detection using documented Windows APIs, along with results from a real-world lab showing how it reliably flags Golden Ticket abuse without relying on brittle log heuristics. Attendees will walk away with both the mental model and practical code to apply this technique in their own environments.
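The token-versus-directory comparison described above, as an added illustration that is not FindGT's code (which reads live sessions through Windows APIs): the AD snapshot, the SIDs and the group-count baseline MIN_GROUPS_FOR_ADMIN are all constructed for the example.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class AdAccount:          # ground truth for one account, exported from Active Directory
    name: str
    enabled: bool
    groups: frozenset     # group SIDs the account really holds, nesting already expanded

@dataclass(frozen=True)
class Token:              # what an enumerated logon session's access token claims
    user_sid: str
    user_name: str
    group_sids: frozenset

DOMAIN = "S-1-5-21-1111-2222-3333"                      # constructed domain SID
BUILTIN_ADMINS = "S-1-5-32-544"
HIGH_PRIV = {f"{DOMAIN}-512", f"{DOMAIN}-519", BUILTIN_ADMINS}  # Domain/Enterprise Admins, Administrators
MIN_GROUPS_FOR_ADMIN = 6  # assumed baseline: real admins in a large forest carry many nested groups
# Constructed AD snapshot keyed by user SID (hypothetical accounts and RIDs).
AD = {
    f"{DOMAIN}-500": AdAccount("Administrator", True, frozenset(
        {f"{DOMAIN}-512", f"{DOMAIN}-513", f"{DOMAIN}-519", f"{DOMAIN}-1400",
         f"{DOMAIN}-1401", f"{DOMAIN}-1402", BUILTIN_ADMINS})),
    f"{DOMAIN}-1105": AdAccount("jsmith", True, frozenset({f"{DOMAIN}-513", f"{DOMAIN}-1400"})),
    f"{DOMAIN}-1200": AdAccount("svc_old", False, frozenset({f"{DOMAIN}-513"})),
}

def check_token(token: Token, ad=AD) -> list:
    """Return anomaly strings for one token; an empty list means it agrees with AD ground truth."""
    findings = []
    # Compare only domain and BUILTIN groups; well-known SIDs (Everyone, Authenticated Users) are skipped.
    groups = {g for g in token.group_sids if g.startswith((DOMAIN + "-", "S-1-5-32-"))}
    if token.user_sid in groups:
        findings.append("user SID appears in the group list")
    acct = ad.get(token.user_sid)
    if acct is None:
        return findings + ["user SID does not exist in AD"]
    if acct.name.lower() != token.user_name.lower():
        findings.append(f"username {token.user_name!r} is impossible for the SID of {acct.name!r}")
    if not acct.enabled:
        findings.append("account is disabled in AD but has an active session")
    extra, missing = groups - acct.groups, acct.groups - groups
    if extra:
        findings.append(f"groups in token but not in AD: {sorted(extra)}")
    if missing:
        findings.append(f"groups in AD but not in token: {sorted(missing)}")
    if groups & HIGH_PRIV and len(groups) < MIN_GROUPS_FOR_ADMIN:
        findings.append("high-privilege token with implausibly flat group topology")
    return findings
```

A genuine session carries exactly the directory's expanded membership, so every finding is a logical contradiction rather than a timing or cipher heuristic.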
Modern SOC: Less Than One and More Than Infinity
This presentation highlights the indispensable role of SOCs in modern cybersecurity by showing how they address complex threat landscapes that traditional security tools cannot, and provides practical tools to enhance SOC effectiveness. By sharing insights into contemporary challenges and offering actionable tools, it aims to empower the cybersecurity community to improve SOC operations and better protect enterprise environments. I also seek to initiate a discussion not only about the goals and objectives of modern SOCs, but about effective solutions (including some tools and PoCs) to the current problems facing the cybersecurity industry.
Security BSides Athens 2026 (upcoming)
DefCamp 2025
CODE BLUE 2024