Session
Yet Another Walking Dead of Active Directory
Disabled Active Directory accounts are commonly treated as harmless remnants of the past. In reality, many of these “dead” objects still retain dangerous inbound permissions, historical privilege artifacts, inherited ACL relationships, and hidden attack paths that most organizations never investigate.
This talk demonstrates how disabled users, computers, and service accounts can still become active participants in privilege escalation chains through misconfigured DACLs, AdminSDHolder side effects, nested group inheritance, and delegated permissions. Through a real-world inspired case study, attendees will learn how a seemingly low-privileged user leveraged hidden rights over a disabled account to move toward Domain Admin in a mature enterprise environment.
The presentation also introduces LazarusWakeUp, a tool designed to identify and analyze disabled Active Directory principals with dangerous inbound relationships, helping operators uncover hidden privilege escalation paths involving forgotten identities that traditional enumeration techniques and BloodHound analysis may overlook.
Additionally, the talk presents a new perspective on Active Directory Recycle Bin abuse and object resurrection, showing how deleted identities may continue to create security risks even after organizations believe they have been removed entirely.
Nikos Vourdas
Senior Offensive Security Consultant
Chicago, Illinois, United States
Links
Please note that Sessionize is not responsible for the accuracy or validity of the data provided by speakers. If you suspect this profile to be fake or spam, please let us know.
Jump to top