Executive brief on how PCI DSS 4.0 affects offensive security practices, penetration testing, and segmentation testing. Watch Now

Sliver Mastery: Dominating Active Directory Through Advanced Trust Exploitation

Senior security expert Jon Guild demonstrates how to use the Sliver C2 framework to develop advanced offensive security skills. Arm yourself with the knowledge and skills of enumeration, lateral movement, and escalation techniques from first-hand experience in a vulnerable lab environment.

Mastering the art of adversarial emulation with the most cutting-edge and advanced techniques is one of the keys to success for penetration testers. A definitive hallmark of an experienced ethical hacker is a meticulously crafted toolkit. But with an overwhelming array of tools at your disposal, how do you determine where to focus your efforts?

In this advanced technical demonstration, Bishop Fox Senior Security Consultant John Guylde showcases a complete domain compromise workflow using the Sliver command and control framework. Building on previous training sessions, Guylde demonstrates how to escalate from initial access to full enterprise dominance by exploiting often-overlooked Active Directory misconfigurations.

Session Summary

The session focuses on two critical attack phases: first leveraging Kerberos Relay and Resource-Based Constrained Delegation (RBCD) to gain domain admin access, then exploiting bidirectional trust relationships and SID history to pivot from the compromised "Marine" domain controller to the "King's Landing" enterprise domain. Throughout the demonstration, Guylde explains the underlying mechanics of each technique—from creating rogue computer accounts and manipulating delegation settings to crafting golden tickets with extra SIDs to bypass trust boundaries.

What makes this session particularly valuable is its emphasis on practical tradecraft rather than just theoretical concepts. Guylde demonstrates real-world challenges like character limits in command execution, troubleshooting ticket delegation issues, and proper operational security considerations when choosing between RC4 and AES256 encryption for Kerberos tickets. The demonstration concludes with proper cleanup procedures to remove evidence of the attack, reinforcing the importance of responsible testing methodology. By integrating tools like Bloodhound for visualization, LDAP queries for reconnaissance, and Rubeus for Kerberos manipulation, the session provides a comprehensive framework for understanding and executing sophisticated Active Directory attacks within a controlled testing environment.

Who Should Watch

This advanced technical session is ideal for penetration testers seeking to enhance their Active Directory attack capabilities, red team operators developing multi-stage attack campaigns, security engineers responsible for hardening domain environments, and security architects designing trust relationships between domains. Viewers should have foundational knowledge of Active Directory concepts and basic familiarity with offensive security tooling.

Jon Guild

About the speaker, Jon Guild

Former Fox

Previously a senior penetration tester at Bishop Fox, Jon Guild focused on application security and external penetration testing in Consulting Managed Services at Bishop Fox. Jon holds many cybersecurity certifications including: CISSP, OSEP, OSCP, GCIH, GWAPT, and CRTO. A veteran of the United States Air Force from 2013-2017, Jon served as a Cyberspace Operations Officer, tasked with managing and protecting one of the world's largest active directory networks. When he's not consulting or protecting critical data systems from digital threats, Jon also actively participates in CTFs and vulnerable lab training. Jon graduated with honors from Penn State in 2013.

More by Jon

Extend Your Knowledge

Check out these related resources.

Dark purple background. Headshot of Jon Guild on left with teal background. OSEP and Sliver icons on right.
Technical

Sep 21, 2023

Passing the OSEP Exam Using Sliver

By Jon Guild

Training session title: Swagger Jacker Training about improved auditing of OpenAPI Definition Files with the headshot os security consultant Tony West, a Bishop Fox adversarial operator.
Workshops & Training

Swagger Jacker: Improved Auditing of OpenAPI Definition Files

Discover the power of Swagger Jacker, an open-source audit tool designed to improve inspection of unintentionally exposed OpenAPI definition files for penetration testers.

Learn More
Black background with purple neon, turquoise, and white letters. Photo of speaker, Tom Hudson.

Tool Talk: jsluice

Tune in to the eleventh episode of our Tool Talk series to hear Tom Hudson speak about jsluice, an open-source, Go package and command-line tool used to extract information from JavaScript files and code.

Learn More

This site uses cookies to provide you with a great user experience. By continuing to use our website, you consent to the use of cookies. To find out more about the cookies we use, please see our Privacy Policy.