Active Directory Security - Truth is Stranger than Fiction

In-Person | Blue Team

For decades, Windows Active Directory (AD) has been something that every analyst has both loved and hated. It is used in over 90% of enterprises, so manufacturers and software developers prioritize compatibility with it. On the other hand, many old services still rely heavily on AD. Decoupling an AD environment is difficult when maintenance and operations personnel depend on it too heavily, which results in security settings that are uncomfortable for both security and operations teams. Because of these problems and other historical factors, numerous underground network administrators (or Shadow Admins) have often taken advantage of improper AD configurations. With the rising number of cyberattacks targeting and exploiting AD, enterprises can no longer afford to ignore AD security issues and the business-altering risk they can produce.

In this presentation, we will discuss AD security topics from previous years, explore striking mistakes from real-world cases, share security tips, and look at the challenges AD analysts face today, such as permission inventory, neglected core assets, and the security problems that arise when permission separation is implemented. Finally, we will give the audience a deeper understanding of their own AD, how to define their acceptable level of risk, and how to approach their AD security.

John Jiang

John Jiang focuses on Incident Response (IR), endpoint security, and Active Directory (AD) security as a senior cyber security researcher at CyCraft Technology. He has investigated multiple domestic and foreign APT-level security incidents and continues to perform in-depth analyses of attacker techniques and detection methods. He is an active member of the international cyber security community and has spoken at multiple conferences, including Black Hat USA, HITCON, and HITB. He is also the co-founder of the Taiwan cyber security organization UCCU Hacker.

Boik Su

Boik Su currently focuses on cloud security, AD security, web security, and threat hunting as a senior cyber security researcher at CyCraft Technology. He takes an active role in the cyber security community and has lectured at multiple cyber security conferences across the globe including HITCON, ROOTCON, and HackerOne. He still participates in CTF competitions including SECCON CTF in Japan and HITCON CTF in Taiwan. In addition, Boik has submitted multiple reports to bug bounty programs and open-source projects.

English interpretations will be provided for all sessions not presented in English.
