Hackers of India

0wn-premises: Bypassing Microsoft Defender for Identity

By Nikhil Mittal on 29 Sep 2022 @ Brucon

Abstract

Microsoft Defender for Identity (MDI) is a service that protects on-premises Active Directory identities. MDI analyses network traffic, Windows events, SIEM/Syslog and ETW data on DCs and/or AD FS servers to create user profiles and behaviour baselines, which are then used to detect deviations from the baseline and other anomalies. MDI can generate alerts across the phases of an attack "kill chain": Reconnaissance, Compromised credentials, Lateral Movement, Domain Dominance and Exfiltration.

MDI detects popular attacks like Kerberoasting, AS-REP roasting, Pass-the-hash, Pass-the-ticket, Overpass-the-hash, Brute Force, DCSync, DCShadow, Golden Ticket, Remote code execution and more.

This talk focuses on TTPs that Red Teams can use to avoid generating the anomalies that trigger detections. We will execute high-impact attacks across the kill chain with precision to bypass or avoid an MDI instance that has sensors configured and enriched in our target environment. Behold the 0wning of on-premises identities!

AI Generated Summary (may contain errors)

Here is a summary of the content:

The speaker discusses the limitations and blind spots of Microsoft Defender for Identity (MDI) in detecting identity-based attacks on-premises. They highlight several actions to which MDI does not respond with alerts or detections. For example:

  1. Silver tickets: These are used to access domain controllers without being detected.
  2. Delegation configuration changes: MDI does not detect changes to unconstrained delegation, constrained delegation, or resource-based constrained delegation.
  3. User account control modifications: Disabling pre-authentication or making other changes to user accounts goes undetected.
  4. AdminSDHolder changes: There is no alert for changes to the AdminSDHolder object.
  5. SSP injection: Injecting new SSPs does not trigger any alerts.
  6. Replication rights additions: Adding replication rights does not generate an alert.

The speaker also mentions that they tested a response action in MDI that allows Security administrators to reset passwords or disable users. However, this feature can be abused by an attacker who compromises a Security administrator and uses those credentials to escalate privileges.

Finally, the speaker notes some limitations of their research: only alerts related to functionality abuse were tested (not CVEs or patched vulnerabilities), and end-to-end testing was conducted in a lab environment with permission.