TROOPERS26 Call for Paper

Andrew S.

Andrew Schwartz is a Principal Detection Engineer at Huntress. Energetic and driven, Andrew brings strong technical knowledge and experience in defensive and offensive security, vulnerability management, and the development of transformational strategies that help organizations enhance their security postures to detect and stop adversaries before they succeed.
Andrew has published extensively on Active Directory security, with a particular focus on Kerberos and DACL-based attack detection. He is the co-author of the Kerberos Diamond Ticket attack.

When he's not building detections or researching new attack techniques, Andrew enjoys chess, cheering on Tottenham Hotspur, and crafting the perfect old fashioned or boulevardier.


Session

06-25
13:15
60 min
From Code to Coverage: A Detection Engineer's Journey Through the LDAP Wilderness
Andrew S.

Active Directory reconnaissance tools like BloodHound, Impacket, and SOAPHound are the attacker's first move in enterprise compromises, yet detecting their LDAP queries remains one of the hardest problems in security operations. This talk chronicles a six-month journey from writing my first broken Sigma rule to building a complete, evasion-resistant LDAP detection stack.

You'll learn why traditional signature-based detection fails spectacularly, how to think like both an attacker and a parser, and how mathematical approaches can outsmart evasion techniques. We'll cover OID transformations that break your rules, whitespace variations that mock your regex, hidden LDAP parameters that bypass your detections, and ultimately, statistical methods that make evasion mathematically impossible.

This isn't theory. Every technique is battle-tested in production environments with working Sigma rules, real attack logs, and actual false-positive rates. Leave with detection rules and techniques you can deploy Monday morning.

Defense & Management
Track 3