Teymur Heirhabarov

Head of Monitoring Technologies Research and Development Team, Kaspersky Lab

About speaker

Teymur is engaged in paper and practical cybersecurity for over 6 years. SOC Research & Development group manager at Kaspersky Lab. Former Head of Information Security Department at industrial enterprise, as well as a system administrator with many years of experience. He obtained the Master’s Degree from Siberian State Aerospace University (where he was also giving lectures on information security). Teymur was a speaker at Positive Hack Days and ZeroNights.
November 16
17:00 — 18:00
Main Track
After the initial penetration into the target corporate network, attacker can face a situation when the obtained access is limited by the rights of an unprivileged user account. Such rights are usually not enough for the further development of the attack into the corporate network. So, for example, local administrator rights will be required if the attacker needs to use Mimikatz or any similar tool to dump credentials from the memory of lsass process or from the SAM database in hope to get credentials of privileged users, which have rights on many hosts in corporate network. In such cases, local privilege escalation is required. Here is where attackers have many different opportunities — from exploitation of configuration errors (like abusing weak service or registry permissions) to exploitation of kernel vulnerabilities or third-party drivers.

The speaker will demonstrate a lot of known local privilege escalation vectors in Windows and show, how can you detect these vectors using Windows security audit, Sysmon and ELK stack. Approaches that will be demonstrated during the presentation are used in the work of the real Security Operation Center and are based on more than 2 years of practical threat hunting experience of the speaker.