Presentation Material

Abstract

Microsoft Advanced Threat Analytics (ATA) is a defence platform which reads information from multiple sources like traffic for certain protocols to the Domain Controller, Windows Event Logs and SIEM events. The information collected is used to detect Reconnaissance, Credentials replay, Lateral movement, Persistence attacks etc. Well known attacks like Pass-the-Hash, Pass-the-Ticket, Overpass-the-Hash, Golden Ticket, Directory services replication, Brute-force, Skeleton key etc. can be detected using ATA. Whenever communication to a Domain Controller is performed using protocols like Kerberos, NTLM, RPC, DNS, LDAP etc., ATA will parse that traffic for gathering information about not only possible attacks but user behaviour as well. It slowly builds an organizational graph and can detect deviations from normal behaviour.

This talk focuses on identifying and attacking ATA installations. Can ATA be attacked to suppress alerts? How noisy is it to attack ATA? How can alerts related to a particular identity (user and computer) be exempted? How can ATA be controlled and crippled remotely?

The talk will be full of live demonstrations

AI Generated Summary^{may contain errors}

Here is a summarized version of the content:

Main Topic: Evasion and Bypass Techniques for ATA (Advanced Threat Analytics) in Active Directory Environments

Key Points:

1. ATA provides security benefits, such as requiring passwords for backend DB access, logging tampering attempts, and generating alerts.
2. However, there are limitations to ATA’s detection capabilities, including only reading specific protocols and requiring normal traffic and anomalies to detect attacks.
3. Attackers can use evasion techniques like constrained delegation attacks, DNS admins group abuse, and Silver Ticket/Kerberos attacks, which may not be detected by ATA.
4. Red teamers should avoid escalating to domain admin privileges unnecessarily and focus on their assessment goals.
5. ATA allows for the creation of honey tokens, which can detect rogue account usage.
6. The speaker emphasizes the importance of staying focused on assessment goals and avoiding unnecessary actions that may trigger detection.

Limitations:

1. The research only focused on anomaly-based detection, not behavior-based detection.
2. Local admin privileges are assumed to be required for attacking an ATA deployment.

Conclusion:

While it is possible to bypass ATA using various techniques, it still provides security benefits and can detect certain types of attacks. Modifying attack methodologies and the work culture of red teams can help avoid detection and reduce risks.