Attackers love credentials. Creds are often the key to objectives - the long-fought initial foothold, that much-needed lateral movement, or the final privilege escalation that can mean the difference between a lucrative return-on-investment, or burned time, effort, and resources. And as defenders, it isn't always easy to tell who is behind the credential. After all, all we have are logs, right...?

But logs can be extremely valuable, and we know a lot about credentials; from their creation, to their usage, and subsequent invalidation. And we know a lot about how they are issued, where they are (or should be) stored, and to which systems they are provided. So how do we pull the badness from the noise, and detect/prevent those we defend from being pwned?

This talk will discuss core detection concepts targeting credential abuse, including useful detection patterns, the Impossible Travel problem, and credential binding violations. We will also contemplate the trade-offs in controls, the challenges in pulling the needle from the haystack, and the need to consider the user when hardening or responding to suspected credential abuse.

Attackers never stop at initial compromise; there is always an end goal objective which often requires privileged access to specific devices or systems. Identifying the correct privilege escalation vector can often feel like looking for a needle in a haystack, however with the right approach and understanding of the various controls in play, gaining full control can often be a safe assumption in many instances following initial foothold.

This workshop aims to equip those likely to find themselves with an initial foothold, with the skills to practically exploit a given privilege escalation vector on the target Linux system.