Presentation Material
Abstract
Microsoft Advanced Threat Analytics (ATA) is a defense platform which reads information from multiple sources like traffic for certain protocols to the Domain Controller, Windows Event Logs and SIEM events. The information thus collected is used to detect Reconnaissance, Credentials replay, Lateral movement, Persistence attacks etc. Well known attacks like Pass-the-Hash, Pass-the-Ticket, Overpass-the-Hash, Golden Ticket, Directory services replication, Brute-force, Skeleton key etc. can be detected using ATA. Whenever communication to a Domain Controller is done using protocols like Kerberos, NTLM, RPC, DNS, LDAP etc., ATA will parse that traffic for gathering information about not only possible attacks but user behavior as well. It slowly builds an organizational graph and can detect deviations from normal behavior.
Is it possible to evade this solid detection mechanism? What are the threats which ATA misses by design? How can Red Teamers and Penetration Testers modify their attack chain and methodology to bypass ATA? Can we still achieve domain dominance?
The talk will be full of live demonstrations.
AI Generated Summary (may contain errors)
Title: Bypassing ATA (Advanced Threat Analytics) Detections in Active Directory Environments
Main Idea: It is possible to bypass ATA detections by modifying well-known attacks. This can be done by exploiting linked databases, brute forcing SA accounts, or via SQL injection.
ATA Limitations:
- ATA only looks at certain protocols, such as LDAP and IPSec ESB.
- If there is no detection signature for an attack, it won’t get detected.
- Attackers can identify ATA by a simple banner grab.
- With admin access to the ATA system box, attackers can access the ATA console.
Exploiting ATA:
- The backend MongoDB database used by ATA has no password and only listens on the local loopback.
- Attackers can read user profiles, detections and other stored data.
- Alerts can be modified or hidden without leaving a trace.
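The two MongoDB properties above (loopback-only binding and the absence of a password) are exactly what a defender should audit on any host that stores detections in a local database. The following is an added example, not code from the talk or from Microsoft ATA: it checks a mongod configuration for the real MongoDB keys `net.bindIp` and `security.authorization`. The config texts are constructed samples, and the file path of an ATA Center deployment is not given on this page, so it is treated as a placeholder.

```python
"""Audit a mongod configuration for two hardening settings that matter when a
product stores its alerts in a local MongoDB: bind to loopback only, and require
authentication so that alerts cannot be read or rewritten by any local process.

Added example, not ATA's own code. The config path of a real ATA Center is not
known to this page; pass the file contents in as a string."""

LOOPBACK = {"127.0.0.1", "::1", "localhost"}


def parse_simple_yaml(text):
    """Parse the two-level 'section:\\n  key: value' subset used by mongod.conf.
    Deliberately minimal: no lists, no quoted strings, no deeper nesting, and
    values containing ':' (for example Windows paths) are not supported."""
    result = {}
    section = None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()  # drop comments
        if not line.strip():
            continue
        indent = len(line) - len(line.lstrip())
        key, _, value = line.strip().partition(":")
        value = value.strip()
        if indent == 0:
            section = key
            result.setdefault(section, {})
        else:
            if section is None:
                raise ValueError(f"indented key outside a section: {raw!r}")
            result[section][key] = value
    return result


def audit_mongod_config(text):
    """Return a list of findings; an empty list means both checks passed."""
    cfg = parse_simple_yaml(text)
    findings = []

    bind_ip = cfg.get("net", {}).get("bindIp", "")
    addrs = {a.strip() for a in bind_ip.split(",") if a.strip()}
    if not addrs:
        findings.append("net.bindIp not set: before MongoDB 3.6 the default was "
                        "to listen on all interfaces")
    elif not addrs <= LOOPBACK:
        findings.append("net.bindIp exposes mongod beyond loopback: "
                        f"{sorted(addrs - LOOPBACK)}")

    auth = cfg.get("security", {}).get("authorization", "disabled").lower()
    if auth != "enabled":
        findings.append("security.authorization is not 'enabled': any process that "
                        "can reach the port can read and rewrite stored alerts")
    return findings


# Constructed sample: the weak state described in the talk (loopback-only, no auth).
WEAK_CONFIG = """
storage:
  dbPath: /var/lib/mongo
net:
  port: 27017
  bindIp: 127.0.0.1
"""

# Constructed sample: same deployment with authentication enforced.
HARDENED_CONFIG = """
storage:
  dbPath: /var/lib/mongo
net:
  port: 27017
  bindIp: 127.0.0.1
security:
  authorization: enabled
"""

if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(name, audit_mongod_config(cfg) or ["OK"])
```

Enabling `security.authorization` on its own does not restore trust in alerts that were already stored; the check above is a configuration gate, and tamper detection of the alert store still needs MongoDB auditing or an external copy of the alerts.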
Defenses Against Evasions:
- Upgrade ATA to fix vulnerabilities.
- Implement normal defenses, such as securing privileged access.
- Avoid allowing domain admins to log into any box they wish.
- Architectural changes can help secure the environment.
Best Practices:
- Be mindful of deception and honey tokens/users.
- Reduce communication with the DC (Domain Controller).
- Avoid creating a golden ticket unnecessarily.
- Follow terms of engagement and only escalate privileges when necessary.
Research Limitations:
- The research focused on bypassing ATA detections for animal-based detections.
- User behavior detection was not tested, but avoidance techniques can be used to evade detection.
Conclusion:
- It’s possible to bypass ATA detections by modifying attacks and staying focused on assessment goals.
- Despite limitations, ATA still provides valuable insights into Active Directory environments.
- The presentation materials will be available on the speaker’s blog and GitHub.