Presentation Material
Abstract
Microsoft Advanced Threat Analytics (ATA) is a defense platform which reads information from multiple sources like traffic for certain protocols to the Domain Controller, Windows Event Logs and SIEM events. The information thus collected is used to detect Reconnaissance, Credentials replay, Lateral movement, Persistence attacks etc. Well known attacks like Pass-the-Hash, Pass-the-Ticket, Overpass-the-Hash, Golden Ticket, Directory services replication, Brute-force, Skeleton key etc. can be detected using ATA. Whenever communication to a Domain Controller is done using protocols like Kerberos, NTLM, RPC, DNS, LDAP etc., ATA will parse that traffic for gathering information about not only possible attacks but user behavior as well. It slowly builds an organizational graph and can detect deviations from normal behavior.
Is it possible to evade this solid detection mechanism? What are the threats which ATA misses by design? How do Red Teamers and Penetration Testers can modify their attack chain and methodology to bypass ATA? Can we still have domain dominance?
AI Generated Summarymay contain errors
The speaker is discussing the limitations and trade-offs of using an individual box versus a domain in terms of security, (e.g., patch management) and how having admin access to a box can be beneficial but also poses risks. They highlight the importance of setting up passwords, auditing, and logging for MongoDB to prevent tampering.
The speaker then shifts focus to discussing tactics, techniques, and procedures (TTPs) for avoiding threat analytics (TA) detection during security assessments. They emphasize the need to stick to assessment goals and avoid using attention-grabbing attacks like golden tickets or skeleton keys, which increase detection chances even without a TA. Instead, they recommend making traffic appear normal and refraining from communicating with the domain controller (DC).
The speaker also shares their research on bypassing a specific TA tool, highlighting its limitations, such as focusing solely on anomaly-based detection. They note that user behavior analysis (UBA) can still detect anomalies even if the TA tool is bypassed.
The presentation concludes by emphasizing the importance of staying away from the DC to minimize detection chances and leveraging tools like directory changes in a TA console to gain insights into environmental changes.
Overall, the talk appears to be about security best practices, threat analytics evasion techniques, and responsible disclosure during security assessments.