BEGIN:VCALENDAR
VERSION:2.0
PRODID:-//pretalx//cfp.troopers.de//tr26-cfp//speaker//8PMVYT
BEGIN:VTIMEZONE
TZID:CET
BEGIN:STANDARD
DTSTART:20001029T040000
RRULE:FREQ=YEARLY;BYDAY=-1SU;BYMONTH=10
TZNAME:CET
TZOFFSETFROM:+0200
TZOFFSETTO:+0100
END:STANDARD
BEGIN:DAYLIGHT
DTSTART:20000326T030000
RRULE:FREQ=YEARLY;BYDAY=-1SU;BYMONTH=3
TZNAME:CEST
TZOFFSETFROM:+0100
TZOFFSETTO:+0200
END:DAYLIGHT
END:VTIMEZONE
BEGIN:VEVENT
UID:pretalx-tr26-cfp-TPGLJU@cfp.troopers.de
DTSTART;TZID=CET:20260625T131500
DTEND;TZID=CET:20260625T141500
DESCRIPTION:Active Directory reconnaissance tools like BloodHound\, Impacke
 t\, and SOAPHound are the attacker's first move in enterprise compromises\
 , yet detecting their LDAP queries remains one of the hardest problems in 
 security operations. This talk chronicles a six-month journey from writing
  my first broken Sigma rule to building a complete\, evasion-resistant LDA
 P detection stack.\n\nYou'll learn why traditional signature-based detecti
 on fails spectacularly\, how to think like both an attacker and a parser\,
  and how mathematical approaches can outsmart evasion techniques. We'll co
 ver OID transformations that break your rules\, whitespace variations that
  mock your regex\, hidden LDAP parameters that bypass your detections\, an
 d ultimately\, statistical methods that make evasion mathematically imposs
 ible.\n\nThis isn't theory. Every technique is battle-tested in production
  environments with working Sigma rules\, real attack logs\, and actual fal
 se positive rates. Leave with detection rules and techniques you can deplo
 y Monday morning.
DTSTAMP:20260510T030037Z
LOCATION:Track 3
SUMMARY:From Code to Coverage: A Detection Engineer's Journey Through the L
 DAP Wilderness - Andrew S.
URL:https://cfp.troopers.de/tr26-cfp/talk/TPGLJU/
END:VEVENT
END:VCALENDAR
