SlideShare a Scribd company logo
1 of 41
Red Team Revenge:
Attacking Microsoft ATA
Nikhil Mittal
About me
• Hacker, Red Teamer, Trainer, Speaker at
http://pentesteracademy.com/
• Twitter - @nikhil_mitt
• Blog – http://labofapenetrationtester.com
• Github - https://github.com/samratashok/
• Creator of Kautilya and Nishang
• Interested in Offensive Information Security, new attack
vectors and methodologies to pwn systems.
• Previous Talks and/or Trainings
– DefCon, BlackHat, CanSecWest, BruCON, DeepSec and more.
Attacking ATA by Nikhil Mittal 244CON 2017
What is Microsoft ATA?
• “Advanced Threat Analytics (ATA) is an on-
premises platform that helps protect your
enterprise from multiple types of advanced
targeted cyber attacks and insider threats.”
https://docs.microsoft.com/en-us/advanced-threat-analytics/understand-
explore/what-is-ata
• ATA detects attacks by reading certain
“interesting” protocols’ traffic to the domain
controller(s), SIEM events and logs.
• Anomaly based and behavior based detection.
44CON 2017 3Attacking ATA by Nikhil Mittal
ATA Architecture
44CON 2017 4Attacking ATA by Nikhil Mittal
Lab Configuration
• Lab used for experiments contains a Lightweight
ATA gateway installed over a Server 2012 R2
Domain Controller with students and
professionals (450+) trying various Active
Directory attacks from various machines.
• ATA 1.8 with the default configuration has been
installed and used as documented here.
https://docs.microsoft.com/en-us/advanced-
threat-analytics/deploy-use/install-ata-step1
44CON 2017 5Attacking ATA by Nikhil Mittal
Detections – Threats of interest which
ATA detects
• Recon
– Account Enumeration
– Session Enumeration
– AD Enumeration
• Compromised Credentials
– Brute Force
– Unusual protocol implementation
– Abnormal Behavior
• Lateral Movement
– Pass the ticket
– Pass the hash
– Overpass-the-hash
– Abnormal behavior
• Domain Dominance
– Golden Ticket
– Malicious replication requests
https://docs.microsoft.com/en-us/advanced-threat-analytics/ata-threats
44CON 2017 6Attacking ATA by Nikhil Mittal
Evading ATA - Recon- Detection
• ATA detects AD based recon by looking for
queries sent to the DC.
• But, ATA doesn’t mind DC giving out useful
information unless invasive recon is done
against the DC!
44CON 2017 Attacking ATA by Nikhil Mittal 7
Evading ATA – Recon - Bypass
• Intelligent Recon is not caught by ATA.
• Not poking the DC is the key! Enumerate the
domain but do not enumerate the DC. For
example, while hunting for DA tokens, get a
list of computers and DAs from the DC but do
not run enumeration tools against the DC.
• Same holds true for other user hunting
activities like enumerating local admins,
looking for local admin access etc.
44CON 2017 Attacking ATA by Nikhil Mittal 8
Evading ATA – Recon - Bypass
Hunting for Domain Admin token
• Avoid searching for DA token on the DC. Local
admin privileges are required to use the token.
• To hunt for those machines where a DA token is
available, we can enumerate Domain Admins
from the DC, get a list of machines using ping
sweep or asking from DC and then run Invoke-
UserHunter (PowerView) on all machines except
the DC.
44CON 2017 Attacking ATA by Nikhil Mittal 9
Evading ATA - Recon
• SPN (Service Principal Name) Scanning doesn’t
get detected.
• SPN is used by Kerberos to associate a service
instance with a service logon account.
https://msdn.microsoft.com/en-
us/library/windows/desktop/ms677949%28v%3Dvs.85%29.aspx
• Tools like PowerView can be used for SPN
scanning.
44CON 2017 10Attacking ATA by Nikhil Mittal
Evading ATA - Overpass-the-hash
• Overpass-The-Hash allows to create Kerberos
tickets from NTLM hashes/AES keys.
• This allows access to resources which need
Kerberos authentication with “just” a hash.
• Explained by Benjamin here:
http://blog.gentilkiwi.com/securite/mimikatz/
overpass-the-hash
44CON 2017 11Attacking ATA by Nikhil Mittal
Evading ATA - Overpass-the-hash -
Detection
• This is what a
normal AS-REQ
packet looks
like. Note the
encryption type
for timestamp.
44CON 2017 12Attacking ATA by Nikhil Mittal
Evading ATA - Overpass-the-hash -
Detection
• This is what an AS-
REQ packet looks
like when using
NTLM hashes for
Over-PTH. Note that
the encryption type
used by timestamp
is downgraded.
Invoke-Mimikatz
–Command
‘”sekurlsa::pth
/user:privservi
ce
/domain:offensi
veps.com
/ntlm:ntlmhash”
’
44CON 2017 13Attacking ATA by Nikhil Mittal
Evading ATA - Overpass-the-hash -
Detection
• ATA looks for anomalies like the one discussed.
• There are two detections for Over-PTH
– One is “Encryption downgrade activity” for which ATA even
conveniently tells the reason for detection.
44CON 2017 14Attacking ATA by Nikhil Mittal
Evading ATA - Overpass-the-hash -
Detection
• There are two detections for Over-PTH
– Second is “Unusual protocol implementation” for which I
_believe_ ATA looks for supported encryption types as well.
If not now, in future?
Normal
NTLM
AES
44CON 2017 15Attacking ATA by Nikhil Mittal
Evading ATA - Overpass-the-hash -
Bypass
• So, to bypass this detection, all we need to do is to make the
encryption type same as the one used normally.
• The following mimikatz command can be used for that:
Invoke-Mimikatz -Command '"sekurlsa::pth
/user:privservice /domain:offensiveps.com
/aes256:aes256 /ntlm:ntlm /aes128:aes128"‘
• I have noted that putting all AES256, AES128 and NTLM(RC4)
together reduces chances of detection.
• “AES keys can be replaced only on 8.1/2012r2 or
7/2008r2/8/2012 with KB2871997, in this case you can avoid
NTLM hash.” -
https://github.com/gentilkiwi/mimikatz/wiki/module-~-
sekurlsa44CON 2017 16Attacking ATA by Nikhil Mittal
44CON 2017 17Attacking ATA by Nikhil Mittal
Evading ATA - Overpass-the-hash –
False events/detections
• Interestingly, the “Unusual protocol implementation”
detection for Overpass-the-hash identifies the user with the
username (/user option) used in created ticket.
• This means, we can create failure events for any user in the
domain (even honey token users of ATA) which could be
useful for generating false detections.
44CON 2017 18Attacking ATA by Nikhil Mittal
Evading ATA - Golden Ticket
• We can now use Over-PTH to create tickets of DA
without detection. The next step is to create a
Golden ticket for domain dominance.
• Since Golden ticket is a valid TGT, the action now
is for the TGS-REQ packet.
• Krbtgt hash is required for creating a Golden
ticket.
• Golden Ticket:
https://www.blackhat.com/docs/us-
14/materials/us-14-Duckwall-Abusing-Microsoft-
Kerberos-Sorry-You-Guys-Don't-Get-It-wp.pdf
44CON 2017 19Attacking ATA by Nikhil Mittal
Evading ATA - Golden Ticket -
Detection
• This is what
a normal
TGS-REQ
packet looks
like. Note
the
encryption
type used for
the ticket.
44CON 2017 20Attacking ATA by Nikhil Mittal
Evading ATA - Golden Ticket -
Detection
• TGS-REQ
packet for a
Golden Ticket
generated
using NTLM
hash. Note
the
encryption
type has
been
downgraded.
Invoke-Mimikatz -Command '"kerberos::golden /User:privservice
/domain:offensiveps.com /sid:S-1-5-21-3270384115-3177237293-604223748
/krbtgt:ntlmhash /id:500 /groups:513 /ptt"'
44CON 2017 21Attacking ATA by Nikhil Mittal
Evading ATA - Golden Ticket -
Detection
• Once again, ATA looks for anomalies like the
encryption type downgrade.
• The detection for Golden ticket is:
– “Encryption downgrade activity” for which ATA informs us
that the “encryption method of the TGT field of TGS_REQ
message has been downgraded”.
44CON 2017 22Attacking ATA by Nikhil Mittal
Evading ATA - Golden Ticket - Bypass
• Once again, to bypass this detection, all we need to do is to
make the encryption type same as the one used normally :)
• The following mimikatz command can be used for that:
Invoke-Mimikatz -Command '"kerberos::golden
/User:privservice /domain:offensiveps.com /sid:S-
1-5-21-3270384115-3177237293-604223748
/aes256:aes256keysofkrbtgt /id:500 /groups:513
/ptt"‘
• A Golden ticket using AES keys can be generated from any
machine unlike restrictions in case of Over-PTH.
44CON 2017 23Attacking ATA by Nikhil Mittal
44CON 2017 24Attacking ATA by Nikhil Mittal
Evading ATA - Golden Ticket - Bypass
• Also, to my surprise, creating a Golden ticket for a non-
existent username doesn’t get detected even with NTLM
hash!! – No need of running DCSync for AES keys!
• The following mimikatz command can be used for that:
Invoke-Mimikatz -Command '"kerberos::golden
/User:nonexistent /domain:offensiveps.com /sid:S-
1-5-21-3270384115-3177237293-604223748
/ntlm:ntlmhashofkrbtgt /id:500 /groups:513 /ptt"‘
• May be because ATA has no such identity
in its database, it can’t detect the action.
44CON 2017 25Attacking ATA by Nikhil Mittal
Evading ATA 1.8 - Golden Ticket -
Bypass
• ATA 1.8 introduces ticket lifetime based detection for
Golden tickets. “If a Kerberos ticket is used for more
than the allowed lifetime, ATA will detect it as a
suspicious activity”.
• While this definitely blunts the attack there are still
couple of ways around it.
• First, Keep the krbtgt hash handy and create a
Golden ticket whenever required –easy and simple.
Keep in mind that it is the krbtgt hash which
provides persistence, not the Golden ticket.
44CON 2017 26Attacking ATA by Nikhil Mittal
Evading ATA 1.8 - Golden Ticket -
Bypass
• Second, while creating a Golden ticket keep in mind
the lifetime of the ticket. Create a ticket which is
valid from a future date with ticket lifetime within
domain settings (default is 10 hours).
• The below ticket is valid for one hour after two hours
from the time of creation:
Invoke-Mimikatz -Command '"kerberos::golden
/User:privservice /domain:offensiveps.com /sid:S-
1-5-21-3270384115-3177237293-604223748 /aes256:
/id:500 /groups:513 /startoffset:120 /endin:60
/renewmax:100800 /ticket:golden.kirbi"‘
• Make sure you purge the tickets from memory once
the activity is over.44CON 2017 27Attacking ATA by Nikhil Mittal
Attacking ATA deployment
• ATA Console (up to 1.7) can be identified with
basic banner grabbing.
• From version 1.8, if banner grabbing is not
possible due to SSO. Below can be used from any
domain joined machine:
[System.Net.ServicePointManager]::ServerCertificat
eValidationCallback = {$true};$wc = new-object
System.Net.WebClient;$wc.UseDefaultCredentials=$tr
ue;$wc.DownloadString("https://192.168.1.3").Conta
ins('Microsoft Advanced Threat Analytics')
44CON 2017 28Attacking ATA by Nikhil Mittal
Attacking ATA deployment
• For a non-domain box or Linux box, the
default SSL certificate can be used to identify
ATA:
44CON 2017 29Attacking ATA by Nikhil Mittal
Attacking ATA deployment
• All users/groups added to the local
administrators group of ATA Centre (local
admins, Domain Admins etc.) have admin
access to the console by default!
• Since ATA specifically targets lateral
movement scenarios, this is significant.
https://docs.microsoft.com/en-us/advanced-threat-
analytics/ata-role-groups
44CON 2017 30Attacking ATA by Nikhil Mittal
Attacking ATA deployment
• The backend MongoDB
listens only on localhost but
needs no authentication :)
• With administrative access
on the ATA Center, the
backend MongoDB can be
accessed.
• Interesting collections like
Unique identities for users
and machines, Suspicious
activities, Kerberos traffic
and many more.
44CON 2017 31Attacking ATA by Nikhil Mittal
Attacking ATA deployment
• It is possible to tamper with alerts using access to
this database. No alerts are generated if the
database is tampered.
44CON 2017 32Attacking ATA by Nikhil Mittal
Attacking ATA deployment
• It is also possible (and easier) to set the
visibility of alerts to false by setting the
“IsVisible” property of any entry in the
SuspiciousActivity collection in the ATA
database.
44CON 2017 33Attacking ATA by Nikhil Mittal
Defenses against the Evasions
• ATA even if can’t detect anomalies, provides
interesting insight in the traffic exchanged with
the Domain Controller. Use that to detect the
attackers.
• Limit your DAs to login only to Domain
Controllers. Remember prevention is better than
cure.
• Implement possible architectural changes
suggested here:
https://technet.microsoft.com/en-us/windows-
server-docs/security/securing-privileged-
access/securing-privileged-access
44CON 2017 34Attacking ATA by Nikhil Mittal
Defending ATA
• For securing the ATA deployment, it is better if
the ATA Center is not part of the domain
whose DC(s) it monitors.
• Hopefully, password for the backend DB will
be implemented and logs will be generated if
the backend DB is tampered with in a future
release.
44CON 2017 35Attacking ATA by Nikhil Mittal
ATA - Limitations
• Encrypted traffic (like LDAPS and IPSEC ESP) is
not analyzed but may not affect detection
https://github.com/MicrosoftDocs/ATADocs/blob/
master/ATADocs/ata-technical-faq.md#does-ata-
work-with-encrypted-traffic
• Communication outside protocols monitored
by ATA
https://docs.microsoft.com/en-us/advanced-
threat-analytics/ata-prerequisites
44CON 2017 36Attacking ATA by Nikhil Mittal
ATA - Limitations
• Must have signatures for attack types.
– Constrained Delegation.
– Another very interesting attack which ATA can’t detect
because it does not know the attack is loading an
arbitrary dll using DNS service – elevation to DA from
DNSAdmins membership if DC is also the DNS server.
https://medium.com/@esnesenon/feature-not-bug-
dnsadmin-to-dc-compromise-in-one-line-a0f779b8dc83
http://www.labofapenetrationtester.com/2017/05/abusing
-dnsadmins-privilege-for-escalation-in-active-
directory.html
44CON 2017 37Attacking ATA by Nikhil Mittal
Evading ATA - Forever
• Avoid the temptation of escalating to Domain
Admin privileges without understanding the
active directory environment and possible
defenses in place.
• Reduce communication to the DC. Go slow and
careful in the lateral movement phase. Don’t
create a Golden Ticket or launch a Skeleton Key
just to brag about it in your report.
• Stay focused on the goal of the assessment. If you
can’t bypass it, avoid it!
44CON 2017 38Attacking ATA by Nikhil Mittal
Limitations
• Focus of all the bypasses is on Anomaly based
detections.
• While attacking the ATA deployment
administrative access to the ATA Center is
required.
• Many behavior based detections could not be
replicated in the lab and are more powerful
and useful in a real environment.
44CON 2017 Attacking ATA by Nikhil Mittal 39
Conclusion
• It is possible to bypass detections by ATA by
modifying well known attacks so that they
appear normal.
• Modification of attack methodologies and
avoiding talking to DC is also effective.
• Despite its limitations, ATA provides effective
visibility and detection for AD attacks.
44CON 2017 40Attacking ATA by Nikhil Mittal
Thank you
• Please leave feedback.
• Follow me @nikhil_mitt
• For questions, training, assessments -
nikhil.uitrgpv@gmail.com
nikhil@pentesteracademy.com
• Slides and blog posts on ATA will be posted on my
blog and Github
http://labofapenetrationtester.com/
https://github.com/samratashok
44CON 2017 Attacking ATA by Nikhil Mittal 41

More Related Content

What's hot

Carlos García - Pentesting Active Directory Forests [rooted2019]
Carlos García - Pentesting Active Directory Forests [rooted2019]Carlos García - Pentesting Active Directory Forests [rooted2019]
Carlos García - Pentesting Active Directory Forests [rooted2019]RootedCON
 
Abusing Microsoft Kerberos - Sorry you guys don't get it
Abusing Microsoft Kerberos - Sorry you guys don't get itAbusing Microsoft Kerberos - Sorry you guys don't get it
Abusing Microsoft Kerberos - Sorry you guys don't get itBenjamin Delpy
 
Not a Security Boundary
Not a Security BoundaryNot a Security Boundary
Not a Security BoundaryWill Schroeder
 
(Ab)Using GPOs for Active Directory Pwnage
(Ab)Using GPOs for Active Directory Pwnage(Ab)Using GPOs for Active Directory Pwnage
(Ab)Using GPOs for Active Directory PwnagePetros Koutroumpis
 
Hunting for Credentials Dumping in Windows Environment
Hunting for Credentials Dumping in Windows EnvironmentHunting for Credentials Dumping in Windows Environment
Hunting for Credentials Dumping in Windows EnvironmentTeymur Kheirkhabarov
 
Windows logging cheat sheet
Windows logging cheat sheetWindows logging cheat sheet
Windows logging cheat sheetMichael Gough
 
Windows Privilege Escalation
Windows Privilege EscalationWindows Privilege Escalation
Windows Privilege EscalationRiyaz Walikar
 
Understanding Windows Access Token Manipulation
Understanding Windows Access Token ManipulationUnderstanding Windows Access Token Manipulation
Understanding Windows Access Token ManipulationJustin Bui
 
Knowledge for the masses: Storytelling with ATT&CK
Knowledge for the masses: Storytelling with ATT&CKKnowledge for the masses: Storytelling with ATT&CK
Knowledge for the masses: Storytelling with ATT&CKMITRE ATT&CK
 
Social Engineering the Windows Kernel by James Forshaw
Social Engineering the Windows Kernel by James ForshawSocial Engineering the Windows Kernel by James Forshaw
Social Engineering the Windows Kernel by James ForshawShakacon
 
Building Better Backdoors with WMI - DerbyCon 2017
Building Better Backdoors with WMI - DerbyCon 2017Building Better Backdoors with WMI - DerbyCon 2017
Building Better Backdoors with WMI - DerbyCon 2017Alexander Polce Leary
 
Hunting Lateral Movement in Windows Infrastructure
Hunting Lateral Movement in Windows InfrastructureHunting Lateral Movement in Windows Infrastructure
Hunting Lateral Movement in Windows InfrastructureSergey Soldatov
 
Hunting for Privilege Escalation in Windows Environment
Hunting for Privilege Escalation in Windows EnvironmentHunting for Privilege Escalation in Windows Environment
Hunting for Privilege Escalation in Windows EnvironmentTeymur Kheirkhabarov
 
Catch Me If You Can: PowerShell Red vs Blue
Catch Me If You Can: PowerShell Red vs BlueCatch Me If You Can: PowerShell Red vs Blue
Catch Me If You Can: PowerShell Red vs BlueWill Schroeder
 
PHDays 2018 Threat Hunting Hands-On Lab
PHDays 2018 Threat Hunting Hands-On LabPHDays 2018 Threat Hunting Hands-On Lab
PHDays 2018 Threat Hunting Hands-On LabTeymur Kheirkhabarov
 
ReCertifying Active Directory
ReCertifying Active DirectoryReCertifying Active Directory
ReCertifying Active DirectoryWill Schroeder
 
Red Team Methodology - A Naked Look
Red Team Methodology - A Naked LookRed Team Methodology - A Naked Look
Red Team Methodology - A Naked LookJason Lang
 
An ACE in the Hole - Stealthy Host Persistence via Security Descriptors
An ACE in the Hole - Stealthy Host Persistence via Security DescriptorsAn ACE in the Hole - Stealthy Host Persistence via Security Descriptors
An ACE in the Hole - Stealthy Host Persistence via Security DescriptorsWill Schroeder
 
No Easy Breach DerbyCon 2016
No Easy Breach DerbyCon 2016No Easy Breach DerbyCon 2016
No Easy Breach DerbyCon 2016Matthew Dunwoody
 

What's hot (20)

Carlos García - Pentesting Active Directory Forests [rooted2019]
Carlos García - Pentesting Active Directory Forests [rooted2019]Carlos García - Pentesting Active Directory Forests [rooted2019]
Carlos García - Pentesting Active Directory Forests [rooted2019]
 
Abusing Microsoft Kerberos - Sorry you guys don't get it
Abusing Microsoft Kerberos - Sorry you guys don't get itAbusing Microsoft Kerberos - Sorry you guys don't get it
Abusing Microsoft Kerberos - Sorry you guys don't get it
 
Not a Security Boundary
Not a Security BoundaryNot a Security Boundary
Not a Security Boundary
 
(Ab)Using GPOs for Active Directory Pwnage
(Ab)Using GPOs for Active Directory Pwnage(Ab)Using GPOs for Active Directory Pwnage
(Ab)Using GPOs for Active Directory Pwnage
 
Hunting for Credentials Dumping in Windows Environment
Hunting for Credentials Dumping in Windows EnvironmentHunting for Credentials Dumping in Windows Environment
Hunting for Credentials Dumping in Windows Environment
 
Windows logging cheat sheet
Windows logging cheat sheetWindows logging cheat sheet
Windows logging cheat sheet
 
Windows Privilege Escalation
Windows Privilege EscalationWindows Privilege Escalation
Windows Privilege Escalation
 
Understanding Windows Access Token Manipulation
Understanding Windows Access Token ManipulationUnderstanding Windows Access Token Manipulation
Understanding Windows Access Token Manipulation
 
Knowledge for the masses: Storytelling with ATT&CK
Knowledge for the masses: Storytelling with ATT&CKKnowledge for the masses: Storytelling with ATT&CK
Knowledge for the masses: Storytelling with ATT&CK
 
Social Engineering the Windows Kernel by James Forshaw
Social Engineering the Windows Kernel by James ForshawSocial Engineering the Windows Kernel by James Forshaw
Social Engineering the Windows Kernel by James Forshaw
 
Building Better Backdoors with WMI - DerbyCon 2017
Building Better Backdoors with WMI - DerbyCon 2017Building Better Backdoors with WMI - DerbyCon 2017
Building Better Backdoors with WMI - DerbyCon 2017
 
Hunting Lateral Movement in Windows Infrastructure
Hunting Lateral Movement in Windows InfrastructureHunting Lateral Movement in Windows Infrastructure
Hunting Lateral Movement in Windows Infrastructure
 
Hunting for Privilege Escalation in Windows Environment
Hunting for Privilege Escalation in Windows EnvironmentHunting for Privilege Escalation in Windows Environment
Hunting for Privilege Escalation in Windows Environment
 
Catch Me If You Can: PowerShell Red vs Blue
Catch Me If You Can: PowerShell Red vs BlueCatch Me If You Can: PowerShell Red vs Blue
Catch Me If You Can: PowerShell Red vs Blue
 
PHDays 2018 Threat Hunting Hands-On Lab
PHDays 2018 Threat Hunting Hands-On LabPHDays 2018 Threat Hunting Hands-On Lab
PHDays 2018 Threat Hunting Hands-On Lab
 
ReCertifying Active Directory
ReCertifying Active DirectoryReCertifying Active Directory
ReCertifying Active Directory
 
Red Team Methodology - A Naked Look
Red Team Methodology - A Naked LookRed Team Methodology - A Naked Look
Red Team Methodology - A Naked Look
 
An ACE in the Hole - Stealthy Host Persistence via Security Descriptors
An ACE in the Hole - Stealthy Host Persistence via Security DescriptorsAn ACE in the Hole - Stealthy Host Persistence via Security Descriptors
An ACE in the Hole - Stealthy Host Persistence via Security Descriptors
 
No Easy Breach DerbyCon 2016
No Easy Breach DerbyCon 2016No Easy Breach DerbyCon 2016
No Easy Breach DerbyCon 2016
 
A Threat Hunter Himself
A Threat Hunter HimselfA Threat Hunter Himself
A Threat Hunter Himself
 

Similar to Red Team Revenge - Attacking Microsoft ATA

In the Wake of Kerberoast
In the Wake of KerberoastIn the Wake of Kerberoast
In the Wake of Kerberoastken_kitahara
 
Symmetric Crypto for DPDK - Declan Doherty
Symmetric Crypto for DPDK - Declan DohertySymmetric Crypto for DPDK - Declan Doherty
Symmetric Crypto for DPDK - Declan Dohertyharryvanhaaren
 
Peter Gutmann Presentation - CSO Perspectives Roadshow Auckland 9th Mar 2015
Peter Gutmann Presentation - CSO Perspectives Roadshow Auckland 9th Mar 2015Peter Gutmann Presentation - CSO Perspectives Roadshow Auckland 9th Mar 2015
Peter Gutmann Presentation - CSO Perspectives Roadshow Auckland 9th Mar 2015CSO_Presentations
 
Secure 2019 - APT for Everyone - Adversary Simulations based on ATT&CK Framework
Secure 2019 - APT for Everyone - Adversary Simulations based on ATT&CK FrameworkSecure 2019 - APT for Everyone - Adversary Simulations based on ATT&CK Framework
Secure 2019 - APT for Everyone - Adversary Simulations based on ATT&CK FrameworkLeszek Mi?
 
Attacker's Perspective of Active Directory
Attacker's Perspective of Active DirectoryAttacker's Perspective of Active Directory
Attacker's Perspective of Active DirectorySunny Neo
 
Hacktive Directory Forensics - HackCon18, Oslo
Hacktive Directory Forensics - HackCon18, OsloHacktive Directory Forensics - HackCon18, Oslo
Hacktive Directory Forensics - HackCon18, OsloYossi Sassi
 
SpecterOps Webinar Week - Kerberoasting Revisisted
SpecterOps Webinar Week - Kerberoasting RevisistedSpecterOps Webinar Week - Kerberoasting Revisisted
SpecterOps Webinar Week - Kerberoasting RevisistedWill Schroeder
 
Defcon 25 Packet Hacking Village - Finding Your Way to Domain Access
Defcon 25 Packet Hacking Village - Finding Your Way to Domain AccessDefcon 25 Packet Hacking Village - Finding Your Way to Domain Access
Defcon 25 Packet Hacking Village - Finding Your Way to Domain Accesseightbit
 
Purpose Driven Hunt (DerbyCon 2017)
Purpose Driven Hunt (DerbyCon 2017)Purpose Driven Hunt (DerbyCon 2017)
Purpose Driven Hunt (DerbyCon 2017)Jared Atkinson
 
Shytikov on NTLM Authentication
Shytikov on NTLM AuthenticationShytikov on NTLM Authentication
Shytikov on NTLM Authenticationshytikov
 
I can haz cake: Benefits of working with MITRE on ATT&CK
I can haz cake: Benefits of working with MITRE on ATT&CKI can haz cake: Benefits of working with MITRE on ATT&CK
I can haz cake: Benefits of working with MITRE on ATT&CKMITRE ATT&CK
 
What I learned about IoT Security ... and why it's so hard!
What I learned about IoT Security ... and why it's so hard!What I learned about IoT Security ... and why it's so hard!
What I learned about IoT Security ... and why it's so hard!Christoph Engelbert
 
BlueHat v17 || Dyre to Trickbot: An Inside Look at TLS-Encrypted Command-And-...
BlueHat v17 || Dyre to Trickbot: An Inside Look at TLS-Encrypted Command-And-...BlueHat v17 || Dyre to Trickbot: An Inside Look at TLS-Encrypted Command-And-...
BlueHat v17 || Dyre to Trickbot: An Inside Look at TLS-Encrypted Command-And-...BlueHat Security Conference
 
Streaming meetup
Streaming meetupStreaming meetup
Streaming meetupkarthik_krk
 
DEF CON 23 - CASSIDY LEVERETT LEE - switches get stitches
DEF CON 23 - CASSIDY LEVERETT LEE - switches get stitchesDEF CON 23 - CASSIDY LEVERETT LEE - switches get stitches
DEF CON 23 - CASSIDY LEVERETT LEE - switches get stitchesFelipe Prado
 
hackcon2013-Dirty Little Secrets They Didn't Teach You In Pentesting Class v2
hackcon2013-Dirty Little Secrets They Didn't Teach You In Pentesting Class v2hackcon2013-Dirty Little Secrets They Didn't Teach You In Pentesting Class v2
hackcon2013-Dirty Little Secrets They Didn't Teach You In Pentesting Class v2Chris Gates
 
Trusted platform module copy
Trusted platform module   copyTrusted platform module   copy
Trusted platform module copyRishi Kumar
 

Similar to Red Team Revenge - Attacking Microsoft ATA (20)

In the Wake of Kerberoast
In the Wake of KerberoastIn the Wake of Kerberoast
In the Wake of Kerberoast
 
Symmetric Crypto for DPDK - Declan Doherty
Symmetric Crypto for DPDK - Declan DohertySymmetric Crypto for DPDK - Declan Doherty
Symmetric Crypto for DPDK - Declan Doherty
 
Coporate Espionage
Coporate EspionageCoporate Espionage
Coporate Espionage
 
Peter Gutmann Presentation - CSO Perspectives Roadshow Auckland 9th Mar 2015
Peter Gutmann Presentation - CSO Perspectives Roadshow Auckland 9th Mar 2015Peter Gutmann Presentation - CSO Perspectives Roadshow Auckland 9th Mar 2015
Peter Gutmann Presentation - CSO Perspectives Roadshow Auckland 9th Mar 2015
 
Aster getting started
Aster getting startedAster getting started
Aster getting started
 
Secure 2019 - APT for Everyone - Adversary Simulations based on ATT&CK Framework
Secure 2019 - APT for Everyone - Adversary Simulations based on ATT&CK FrameworkSecure 2019 - APT for Everyone - Adversary Simulations based on ATT&CK Framework
Secure 2019 - APT for Everyone - Adversary Simulations based on ATT&CK Framework
 
Attacker's Perspective of Active Directory
Attacker's Perspective of Active DirectoryAttacker's Perspective of Active Directory
Attacker's Perspective of Active Directory
 
Hacktive Directory Forensics - HackCon18, Oslo
Hacktive Directory Forensics - HackCon18, OsloHacktive Directory Forensics - HackCon18, Oslo
Hacktive Directory Forensics - HackCon18, Oslo
 
SpecterOps Webinar Week - Kerberoasting Revisisted
SpecterOps Webinar Week - Kerberoasting RevisistedSpecterOps Webinar Week - Kerberoasting Revisisted
SpecterOps Webinar Week - Kerberoasting Revisisted
 
Defcon 25 Packet Hacking Village - Finding Your Way to Domain Access
Defcon 25 Packet Hacking Village - Finding Your Way to Domain AccessDefcon 25 Packet Hacking Village - Finding Your Way to Domain Access
Defcon 25 Packet Hacking Village - Finding Your Way to Domain Access
 
Purpose Driven Hunt (DerbyCon 2017)
Purpose Driven Hunt (DerbyCon 2017)Purpose Driven Hunt (DerbyCon 2017)
Purpose Driven Hunt (DerbyCon 2017)
 
Shytikov on NTLM Authentication
Shytikov on NTLM AuthenticationShytikov on NTLM Authentication
Shytikov on NTLM Authentication
 
I can haz cake: Benefits of working with MITRE on ATT&CK
I can haz cake: Benefits of working with MITRE on ATT&CKI can haz cake: Benefits of working with MITRE on ATT&CK
I can haz cake: Benefits of working with MITRE on ATT&CK
 
What I learned about IoT Security ... and why it's so hard!
What I learned about IoT Security ... and why it's so hard!What I learned about IoT Security ... and why it's so hard!
What I learned about IoT Security ... and why it's so hard!
 
BlueHat v17 || Dyre to Trickbot: An Inside Look at TLS-Encrypted Command-And-...
BlueHat v17 || Dyre to Trickbot: An Inside Look at TLS-Encrypted Command-And-...BlueHat v17 || Dyre to Trickbot: An Inside Look at TLS-Encrypted Command-And-...
BlueHat v17 || Dyre to Trickbot: An Inside Look at TLS-Encrypted Command-And-...
 
Streaming meetup
Streaming meetupStreaming meetup
Streaming meetup
 
DEF CON 23 - CASSIDY LEVERETT LEE - switches get stitches
DEF CON 23 - CASSIDY LEVERETT LEE - switches get stitchesDEF CON 23 - CASSIDY LEVERETT LEE - switches get stitches
DEF CON 23 - CASSIDY LEVERETT LEE - switches get stitches
 
hackcon2013-Dirty Little Secrets They Didn't Teach You In Pentesting Class v2
hackcon2013-Dirty Little Secrets They Didn't Teach You In Pentesting Class v2hackcon2013-Dirty Little Secrets They Didn't Teach You In Pentesting Class v2
hackcon2013-Dirty Little Secrets They Didn't Teach You In Pentesting Class v2
 
Having Honeypot for Better Network Security Analysis
Having Honeypot for Better Network Security AnalysisHaving Honeypot for Better Network Security Analysis
Having Honeypot for Better Network Security Analysis
 
Trusted platform module copy
Trusted platform module   copyTrusted platform module   copy
Trusted platform module copy
 

More from Nikhil Mittal

Forging Trusts for Deception in Active Directory
Forging Trusts for Deception in Active DirectoryForging Trusts for Deception in Active Directory
Forging Trusts for Deception in Active DirectoryNikhil Mittal
 
Hacked? Pray that the Attacker used PowerShell
Hacked? Pray that the Attacker used PowerShellHacked? Pray that the Attacker used PowerShell
Hacked? Pray that the Attacker used PowerShellNikhil Mittal
 
AMSI: How Windows 10 Plans to Stop Script-Based Attacks and How Well It Does It
AMSI: How Windows 10 Plans to Stop Script-Based Attacks and How Well It Does ItAMSI: How Windows 10 Plans to Stop Script-Based Attacks and How Well It Does It
AMSI: How Windows 10 Plans to Stop Script-Based Attacks and How Well It Does ItNikhil Mittal
 
Workshop: PowerShell for Penetration Testers
Workshop: PowerShell for Penetration TestersWorkshop: PowerShell for Penetration Testers
Workshop: PowerShell for Penetration TestersNikhil Mittal
 
Continuous intrusion: Why CI tools are an attacker’s best friends
Continuous intrusion: Why CI tools are an attacker’s best friendsContinuous intrusion: Why CI tools are an attacker’s best friends
Continuous intrusion: Why CI tools are an attacker’s best friendsNikhil Mittal
 
Client side attacks using PowerShell
Client side attacks using PowerShellClient side attacks using PowerShell
Client side attacks using PowerShellNikhil Mittal
 
Powerpreter: Post Exploitation like a Boss
Powerpreter: Post Exploitation like a BossPowerpreter: Post Exploitation like a Boss
Powerpreter: Post Exploitation like a BossNikhil Mittal
 
PowerShell for Penetration Testers
PowerShell for Penetration TestersPowerShell for Penetration Testers
PowerShell for Penetration TestersNikhil Mittal
 
Kautilya: Teensy beyond shell
Kautilya: Teensy beyond shellKautilya: Teensy beyond shell
Kautilya: Teensy beyond shellNikhil Mittal
 
Teensy Programming for Everyone
Teensy Programming for EveryoneTeensy Programming for Everyone
Teensy Programming for EveryoneNikhil Mittal
 
More fun using Kautilya
More fun using KautilyaMore fun using Kautilya
More fun using KautilyaNikhil Mittal
 
Hacking the future with USB HID
Hacking the future with USB HIDHacking the future with USB HID
Hacking the future with USB HIDNikhil Mittal
 
Owning windows 8 with human interface devices
Owning windows 8 with human interface devicesOwning windows 8 with human interface devices
Owning windows 8 with human interface devicesNikhil Mittal
 

More from Nikhil Mittal (13)

Forging Trusts for Deception in Active Directory
Forging Trusts for Deception in Active DirectoryForging Trusts for Deception in Active Directory
Forging Trusts for Deception in Active Directory
 
Hacked? Pray that the Attacker used PowerShell
Hacked? Pray that the Attacker used PowerShellHacked? Pray that the Attacker used PowerShell
Hacked? Pray that the Attacker used PowerShell
 
AMSI: How Windows 10 Plans to Stop Script-Based Attacks and How Well It Does It
AMSI: How Windows 10 Plans to Stop Script-Based Attacks and How Well It Does ItAMSI: How Windows 10 Plans to Stop Script-Based Attacks and How Well It Does It
AMSI: How Windows 10 Plans to Stop Script-Based Attacks and How Well It Does It
 
Workshop: PowerShell for Penetration Testers
Workshop: PowerShell for Penetration TestersWorkshop: PowerShell for Penetration Testers
Workshop: PowerShell for Penetration Testers
 
Continuous intrusion: Why CI tools are an attacker’s best friends
Continuous intrusion: Why CI tools are an attacker’s best friendsContinuous intrusion: Why CI tools are an attacker’s best friends
Continuous intrusion: Why CI tools are an attacker’s best friends
 
Client side attacks using PowerShell
Client side attacks using PowerShellClient side attacks using PowerShell
Client side attacks using PowerShell
 
Powerpreter: Post Exploitation like a Boss
Powerpreter: Post Exploitation like a BossPowerpreter: Post Exploitation like a Boss
Powerpreter: Post Exploitation like a Boss
 
PowerShell for Penetration Testers
PowerShell for Penetration TestersPowerShell for Penetration Testers
PowerShell for Penetration Testers
 
Kautilya: Teensy beyond shell
Kautilya: Teensy beyond shellKautilya: Teensy beyond shell
Kautilya: Teensy beyond shell
 
Teensy Programming for Everyone
Teensy Programming for EveryoneTeensy Programming for Everyone
Teensy Programming for Everyone
 
More fun using Kautilya
More fun using KautilyaMore fun using Kautilya
More fun using Kautilya
 
Hacking the future with USB HID
Hacking the future with USB HIDHacking the future with USB HID
Hacking the future with USB HID
 
Owning windows 8 with human interface devices
Owning windows 8 with human interface devicesOwning windows 8 with human interface devices
Owning windows 8 with human interface devices
 

Recently uploaded

WordPress Websites for Engineers: Elevate Your Brand
WordPress Websites for Engineers: Elevate Your BrandWordPress Websites for Engineers: Elevate Your Brand
WordPress Websites for Engineers: Elevate Your Brandgvaughan
 
What is DBT - The Ultimate Data Build Tool.pdf
What is DBT - The Ultimate Data Build Tool.pdfWhat is DBT - The Ultimate Data Build Tool.pdf
What is DBT - The Ultimate Data Build Tool.pdfMounikaPolabathina
 
Merck Moving Beyond Passwords: FIDO Paris Seminar.pptx
Merck Moving Beyond Passwords: FIDO Paris Seminar.pptxMerck Moving Beyond Passwords: FIDO Paris Seminar.pptx
Merck Moving Beyond Passwords: FIDO Paris Seminar.pptxLoriGlavin3
 
SALESFORCE EDUCATION CLOUD | FEXLE SERVICES
SALESFORCE EDUCATION CLOUD | FEXLE SERVICESSALESFORCE EDUCATION CLOUD | FEXLE SERVICES
SALESFORCE EDUCATION CLOUD | FEXLE SERVICESmohitsingh558521
 
Transcript: New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024Transcript: New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024BookNet Canada
 
SIP trunking in Janus @ Kamailio World 2024
SIP trunking in Janus @ Kamailio World 2024SIP trunking in Janus @ Kamailio World 2024
SIP trunking in Janus @ Kamailio World 2024Lorenzo Miniero
 
The Ultimate Guide to Choosing WordPress Pros and Cons
The Ultimate Guide to Choosing WordPress Pros and ConsThe Ultimate Guide to Choosing WordPress Pros and Cons
The Ultimate Guide to Choosing WordPress Pros and ConsPixlogix Infotech
 
"ML in Production",Oleksandr Bagan
"ML in Production",Oleksandr Bagan"ML in Production",Oleksandr Bagan
"ML in Production",Oleksandr BaganFwdays
 
Anypoint Exchange: It’s Not Just a Repo!
Anypoint Exchange: It’s Not Just a Repo!Anypoint Exchange: It’s Not Just a Repo!
Anypoint Exchange: It’s Not Just a Repo!Manik S Magar
 
TrustArc Webinar - How to Build Consumer Trust Through Data Privacy
TrustArc Webinar - How to Build Consumer Trust Through Data PrivacyTrustArc Webinar - How to Build Consumer Trust Through Data Privacy
TrustArc Webinar - How to Build Consumer Trust Through Data PrivacyTrustArc
 
Gen AI in Business - Global Trends Report 2024.pdf
Gen AI in Business - Global Trends Report 2024.pdfGen AI in Business - Global Trends Report 2024.pdf
Gen AI in Business - Global Trends Report 2024.pdfAddepto
 
What's New in Teams Calling, Meetings and Devices March 2024
What's New in Teams Calling, Meetings and Devices March 2024What's New in Teams Calling, Meetings and Devices March 2024
What's New in Teams Calling, Meetings and Devices March 2024Stephanie Beckett
 
Rise of the Machines: Known As Drones...
Rise of the Machines: Known As Drones...Rise of the Machines: Known As Drones...
Rise of the Machines: Known As Drones...Rick Flair
 
Advanced Computer Architecture – An Introduction
Advanced Computer Architecture – An IntroductionAdvanced Computer Architecture – An Introduction
Advanced Computer Architecture – An IntroductionDilum Bandara
 
"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack
"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack
"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek SchlawackFwdays
 
The Role of FIDO in a Cyber Secure Netherlands: FIDO Paris Seminar.pptx
The Role of FIDO in a Cyber Secure Netherlands: FIDO Paris Seminar.pptxThe Role of FIDO in a Cyber Secure Netherlands: FIDO Paris Seminar.pptx
The Role of FIDO in a Cyber Secure Netherlands: FIDO Paris Seminar.pptxLoriGlavin3
 
Digital Identity is Under Attack: FIDO Paris Seminar.pptx
Digital Identity is Under Attack: FIDO Paris Seminar.pptxDigital Identity is Under Attack: FIDO Paris Seminar.pptx
Digital Identity is Under Attack: FIDO Paris Seminar.pptxLoriGlavin3
 
Nell’iperspazio con Rocket: il Framework Web di Rust!
Nell’iperspazio con Rocket: il Framework Web di Rust!Nell’iperspazio con Rocket: il Framework Web di Rust!
Nell’iperspazio con Rocket: il Framework Web di Rust!Commit University
 
Unraveling Multimodality with Large Language Models.pdf
Unraveling Multimodality with Large Language Models.pdfUnraveling Multimodality with Large Language Models.pdf
Unraveling Multimodality with Large Language Models.pdfAlex Barbosa Coqueiro
 
The State of Passkeys with FIDO Alliance.pptx
The State of Passkeys with FIDO Alliance.pptxThe State of Passkeys with FIDO Alliance.pptx
The State of Passkeys with FIDO Alliance.pptxLoriGlavin3
 

Recently uploaded (20)

WordPress Websites for Engineers: Elevate Your Brand
WordPress Websites for Engineers: Elevate Your BrandWordPress Websites for Engineers: Elevate Your Brand
WordPress Websites for Engineers: Elevate Your Brand
 
What is DBT - The Ultimate Data Build Tool.pdf
What is DBT - The Ultimate Data Build Tool.pdfWhat is DBT - The Ultimate Data Build Tool.pdf
What is DBT - The Ultimate Data Build Tool.pdf
 
Merck Moving Beyond Passwords: FIDO Paris Seminar.pptx
Merck Moving Beyond Passwords: FIDO Paris Seminar.pptxMerck Moving Beyond Passwords: FIDO Paris Seminar.pptx
Merck Moving Beyond Passwords: FIDO Paris Seminar.pptx
 
SALESFORCE EDUCATION CLOUD | FEXLE SERVICES
SALESFORCE EDUCATION CLOUD | FEXLE SERVICESSALESFORCE EDUCATION CLOUD | FEXLE SERVICES
SALESFORCE EDUCATION CLOUD | FEXLE SERVICES
 
Transcript: New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024Transcript: New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
 
SIP trunking in Janus @ Kamailio World 2024
SIP trunking in Janus @ Kamailio World 2024SIP trunking in Janus @ Kamailio World 2024
SIP trunking in Janus @ Kamailio World 2024
 
The Ultimate Guide to Choosing WordPress Pros and Cons
The Ultimate Guide to Choosing WordPress Pros and ConsThe Ultimate Guide to Choosing WordPress Pros and Cons
The Ultimate Guide to Choosing WordPress Pros and Cons
 
"ML in Production",Oleksandr Bagan
"ML in Production",Oleksandr Bagan"ML in Production",Oleksandr Bagan
"ML in Production",Oleksandr Bagan
 
Anypoint Exchange: It’s Not Just a Repo!
Anypoint Exchange: It’s Not Just a Repo!Anypoint Exchange: It’s Not Just a Repo!
Anypoint Exchange: It’s Not Just a Repo!
 
TrustArc Webinar - How to Build Consumer Trust Through Data Privacy
TrustArc Webinar - How to Build Consumer Trust Through Data PrivacyTrustArc Webinar - How to Build Consumer Trust Through Data Privacy
TrustArc Webinar - How to Build Consumer Trust Through Data Privacy
 
Gen AI in Business - Global Trends Report 2024.pdf
Gen AI in Business - Global Trends Report 2024.pdfGen AI in Business - Global Trends Report 2024.pdf
Gen AI in Business - Global Trends Report 2024.pdf
 
What's New in Teams Calling, Meetings and Devices March 2024
What's New in Teams Calling, Meetings and Devices March 2024What's New in Teams Calling, Meetings and Devices March 2024
What's New in Teams Calling, Meetings and Devices March 2024
 
Rise of the Machines: Known As Drones...
Rise of the Machines: Known As Drones...Rise of the Machines: Known As Drones...
Rise of the Machines: Known As Drones...
 
Advanced Computer Architecture – An Introduction
Advanced Computer Architecture – An IntroductionAdvanced Computer Architecture – An Introduction
Advanced Computer Architecture – An Introduction
 
"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack
"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack
"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack
 
The Role of FIDO in a Cyber Secure Netherlands: FIDO Paris Seminar.pptx
The Role of FIDO in a Cyber Secure Netherlands: FIDO Paris Seminar.pptxThe Role of FIDO in a Cyber Secure Netherlands: FIDO Paris Seminar.pptx
The Role of FIDO in a Cyber Secure Netherlands: FIDO Paris Seminar.pptx
 
Digital Identity is Under Attack: FIDO Paris Seminar.pptx
Digital Identity is Under Attack: FIDO Paris Seminar.pptxDigital Identity is Under Attack: FIDO Paris Seminar.pptx
Digital Identity is Under Attack: FIDO Paris Seminar.pptx
 
Nell’iperspazio con Rocket: il Framework Web di Rust!
Nell’iperspazio con Rocket: il Framework Web di Rust!Nell’iperspazio con Rocket: il Framework Web di Rust!
Nell’iperspazio con Rocket: il Framework Web di Rust!
 
Unraveling Multimodality with Large Language Models.pdf
Unraveling Multimodality with Large Language Models.pdfUnraveling Multimodality with Large Language Models.pdf
Unraveling Multimodality with Large Language Models.pdf
 
The State of Passkeys with FIDO Alliance.pptx
The State of Passkeys with FIDO Alliance.pptxThe State of Passkeys with FIDO Alliance.pptx
The State of Passkeys with FIDO Alliance.pptx
 

Red Team Revenge - Attacking Microsoft ATA

  • 1. Red Team Revenge: Attacking Microsoft ATA Nikhil Mittal
  • 2. About me • Hacker, Red Teamer, Trainer, Speaker at http://pentesteracademy.com/ • Twitter - @nikhil_mitt • Blog – http://labofapenetrationtester.com • Github - https://github.com/samratashok/ • Creator of Kautilya and Nishang • Interested in Offensive Information Security, new attack vectors and methodologies to pwn systems. • Previous Talks and/or Trainings – DefCon, BlackHat, CanSecWest, BruCON, DeepSec and more. Attacking ATA by Nikhil Mittal 244CON 2017
  • 3. What is Microsoft ATA? • “Advanced Threat Analytics (ATA) is an on- premises platform that helps protect your enterprise from multiple types of advanced targeted cyber attacks and insider threats.” https://docs.microsoft.com/en-us/advanced-threat-analytics/understand- explore/what-is-ata • ATA detects attacks by reading certain “interesting” protocols’ traffic to the domain controller(s), SIEM events and logs. • Anomaly based and behavior based detection. 44CON 2017 3Attacking ATA by Nikhil Mittal
  • 4. ATA Architecture 44CON 2017 4Attacking ATA by Nikhil Mittal
  • 5. Lab Configuration • Lab used for experiments contains a Lightweight ATA gateway installed over a Server 2012 R2 Domain Controller with students and professionals (450+) trying various Active Directory attacks from various machines. • ATA 1.8 with the default configuration has been installed and used as documented here. https://docs.microsoft.com/en-us/advanced- threat-analytics/deploy-use/install-ata-step1 44CON 2017 5Attacking ATA by Nikhil Mittal
  • 6. Detections – Threats of interest which ATA detects • Recon – Account Enumeration – Session Enumeration – AD Enumeration • Compromised Credentials – Brute Force – Unusual protocol implementation – Abnormal Behavior • Lateral Movement – Pass the ticket – Pass the hash – Overpass-the-hash – Abnormal behavior • Domain Dominance – Golden Ticket – Malicious replication requests https://docs.microsoft.com/en-us/advanced-threat-analytics/ata-threats 44CON 2017 6Attacking ATA by Nikhil Mittal
  • 7. Evading ATA - Recon- Detection • ATA detects AD based recon by looking for queries sent to the DC. • But, ATA doesn’t mind DC giving out useful information unless invasive recon is done against the DC! 44CON 2017 Attacking ATA by Nikhil Mittal 7
  • 8. Evading ATA – Recon - Bypass • Intelligent Recon is not caught by ATA. • Not poking the DC is the key! Enumerate the domain but do not enumerate the DC. For example, while hunting for DA tokens, get a list of computers and DAs from the DC but do not run enumeration tools against the DC. • Same holds true for other user hunting activities like enumerating local admins, looking for local admin access etc. 44CON 2017 Attacking ATA by Nikhil Mittal 8
  • 9. Evading ATA – Recon - Bypass Hunting for Domain Admin token • Avoid searching for DA token on the DC. Local admin privileges are required to use the token. • To hunt for those machines where a DA token is available, we can enumerate Domain Admins from the DC, get a list of machines using ping sweep or asking from DC and then run Invoke- UserHunter (PowerView) on all machines except the DC. 44CON 2017 Attacking ATA by Nikhil Mittal 9
  • 10. Evading ATA - Recon • SPN (Service Principal Name) Scanning doesn’t get detected. • SPN is used by Kerberos to associate a service instance with a service logon account. https://msdn.microsoft.com/en- us/library/windows/desktop/ms677949%28v%3Dvs.85%29.aspx • Tools like PowerView can be used for SPN scanning. 44CON 2017 10Attacking ATA by Nikhil Mittal
  • 11. Evading ATA - Overpass-the-hash • Overpass-The-Hash allows to create Kerberos tickets from NTLM hashes/AES keys. • This allows access to resources which need Kerberos authentication with “just” a hash. • Explained by Benjamin here: http://blog.gentilkiwi.com/securite/mimikatz/ overpass-the-hash 44CON 2017 11Attacking ATA by Nikhil Mittal
  • 12. Evading ATA - Overpass-the-hash - Detection • This is what a normal AS-REQ packet looks like. Note the encryption type for timestamp. 44CON 2017 12Attacking ATA by Nikhil Mittal
  • 13. Evading ATA - Overpass-the-hash - Detection • This is what an AS- REQ packet looks like when using NTLM hashes for Over-PTH. Note that the encryption type used by timestamp is downgraded. Invoke-Mimikatz –Command ‘”sekurlsa::pth /user:privservi ce /domain:offensi veps.com /ntlm:ntlmhash” ’ 44CON 2017 13Attacking ATA by Nikhil Mittal
  • 14. Evading ATA - Overpass-the-hash - Detection • ATA looks for anomalies like the one discussed. • There are two detections for Over-PTH – One is “Encryption downgrade activity” for which ATA even conveniently tells the reason for detection. 44CON 2017 14Attacking ATA by Nikhil Mittal
  • 15. Evading ATA - Overpass-the-hash - Detection • There are two detections for Over-PTH – Second is “Unusual protocol implementation” for which I _believe_ ATA looks for supported encryption types as well. If not now, in future? Normal NTLM AES 44CON 2017 15Attacking ATA by Nikhil Mittal
  • 16. Evading ATA - Overpass-the-hash - Bypass • So, to bypass this detection, all we need to do is to make the encryption type same as the one used normally. • The following mimikatz command can be used for that: Invoke-Mimikatz -Command '"sekurlsa::pth /user:privservice /domain:offensiveps.com /aes256:aes256 /ntlm:ntlm /aes128:aes128"‘ • I have noted that putting all AES256, AES128 and NTLM(RC4) together reduces chances of detection. • “AES keys can be replaced only on 8.1/2012r2 or 7/2008r2/8/2012 with KB2871997, in this case you can avoid NTLM hash.” - https://github.com/gentilkiwi/mimikatz/wiki/module-~- sekurlsa44CON 2017 16Attacking ATA by Nikhil Mittal
  • 17. 44CON 2017 17Attacking ATA by Nikhil Mittal
  • 18. Evading ATA - Overpass-the-hash – False events/detections • Interestingly, the “Unusual protocol implementation” detection for Overpass-the-hash identifies the user with the username (/user option) used in created ticket. • This means, we can create failure events for any user in the domain (even honey token users of ATA) which could be useful for generating false detections. 44CON 2017 18Attacking ATA by Nikhil Mittal
  • 19. Evading ATA - Golden Ticket • We can now use Over-PTH to create tickets of DA without detection. The next step is to create a Golden ticket for domain dominance. • Since Golden ticket is a valid TGT, the action now is for the TGS-REQ packet. • Krbtgt hash is required for creating a Golden ticket. • Golden Ticket: https://www.blackhat.com/docs/us- 14/materials/us-14-Duckwall-Abusing-Microsoft- Kerberos-Sorry-You-Guys-Don't-Get-It-wp.pdf 44CON 2017 19Attacking ATA by Nikhil Mittal
  • 20. Evading ATA - Golden Ticket - Detection • This is what a normal TGS-REQ packet looks like. Note the encryption type used for the ticket. 44CON 2017 20Attacking ATA by Nikhil Mittal
  • 21. Evading ATA - Golden Ticket - Detection • TGS-REQ packet for a Golden Ticket generated using NTLM hash. Note the encryption type has been downgraded. Invoke-Mimikatz -Command '"kerberos::golden /User:privservice /domain:offensiveps.com /sid:S-1-5-21-3270384115-3177237293-604223748 /krbtgt:ntlmhash /id:500 /groups:513 /ptt"' 44CON 2017 21Attacking ATA by Nikhil Mittal
  • 22. Evading ATA - Golden Ticket - Detection • Once again, ATA looks for anomalies like the encryption type downgrade. • The detection for Golden ticket is: – “Encryption downgrade activity” for which ATA informs us that the “encryption method of the TGT field of TGS_REQ message has been downgraded”. 44CON 2017 22Attacking ATA by Nikhil Mittal
  • 23. Evading ATA - Golden Ticket - Bypass • Once again, to bypass this detection, all we need to do is to make the encryption type same as the one used normally :) • The following mimikatz command can be used for that: Invoke-Mimikatz -Command '"kerberos::golden /User:privservice /domain:offensiveps.com /sid:S- 1-5-21-3270384115-3177237293-604223748 /aes256:aes256keysofkrbtgt /id:500 /groups:513 /ptt"‘ • A Golden ticket using AES keys can be generated from any machine unlike restrictions in case of Over-PTH. 44CON 2017 23Attacking ATA by Nikhil Mittal
  • 24. 44CON 2017 24Attacking ATA by Nikhil Mittal
  • 25. Evading ATA - Golden Ticket - Bypass • Also, to my surprise, creating a Golden ticket for a non- existent username doesn’t get detected even with NTLM hash!! – No need of running DCSync for AES keys! • The following mimikatz command can be used for that: Invoke-Mimikatz -Command '"kerberos::golden /User:nonexistent /domain:offensiveps.com /sid:S- 1-5-21-3270384115-3177237293-604223748 /ntlm:ntlmhashofkrbtgt /id:500 /groups:513 /ptt"‘ • May be because ATA has no such identity in its database, it can’t detect the action. 44CON 2017 25Attacking ATA by Nikhil Mittal
  • 26. Evading ATA 1.8 - Golden Ticket - Bypass • ATA 1.8 introduces ticket lifetime based detection for Golden tickets. “If a Kerberos ticket is used for more than the allowed lifetime, ATA will detect it as a suspicious activity”. • While this definitely blunts the attack there are still couple of ways around it. • First, Keep the krbtgt hash handy and create a Golden ticket whenever required –easy and simple. Keep in mind that it is the krbtgt hash which provides persistence, not the Golden ticket. 44CON 2017 26Attacking ATA by Nikhil Mittal
  • 27. Evading ATA 1.8 - Golden Ticket - Bypass • Second, while creating a Golden ticket keep in mind the lifetime of the ticket. Create a ticket which is valid from a future date with ticket lifetime within domain settings (default is 10 hours). • The below ticket is valid for one hour after two hours from the time of creation: Invoke-Mimikatz -Command '"kerberos::golden /User:privservice /domain:offensiveps.com /sid:S- 1-5-21-3270384115-3177237293-604223748 /aes256: /id:500 /groups:513 /startoffset:120 /endin:60 /renewmax:100800 /ticket:golden.kirbi"‘ • Make sure you purge the tickets from memory once the activity is over.44CON 2017 27Attacking ATA by Nikhil Mittal
  • 28. Attacking ATA deployment • ATA Console (up to 1.7) can be identified with basic banner grabbing. • From version 1.8, if banner grabbing is not possible due to SSO. Below can be used from any domain joined machine: [System.Net.ServicePointManager]::ServerCertificat eValidationCallback = {$true};$wc = new-object System.Net.WebClient;$wc.UseDefaultCredentials=$tr ue;$wc.DownloadString("https://192.168.1.3").Conta ins('Microsoft Advanced Threat Analytics') 44CON 2017 28Attacking ATA by Nikhil Mittal
  • 29. Attacking ATA deployment • For a non-domain box or Linux box, the default SSL certificate can be used to identify ATA: 44CON 2017 29Attacking ATA by Nikhil Mittal
  • 30. Attacking ATA deployment • All users/groups added to the local administrators group of ATA Centre (local admins, Domain Admins etc.) have admin access to the console by default! • Since ATA specifically targets lateral movement scenarios, this is significant. https://docs.microsoft.com/en-us/advanced-threat- analytics/ata-role-groups 44CON 2017 30Attacking ATA by Nikhil Mittal
  • 31. Attacking ATA deployment • The backend MongoDB listens only on localhost but needs no authentication :) • With administrative access on the ATA Center, the backend MongoDB can be accessed. • Interesting collections like Unique identities for users and machines, Suspicious activities, Kerberos traffic and many more. 44CON 2017 31Attacking ATA by Nikhil Mittal
  • 32. Attacking ATA deployment • It is possible to tamper with alerts using access to this database. No alerts are generated if the database is tampered. 44CON 2017 32Attacking ATA by Nikhil Mittal
  • 33. Attacking ATA deployment • It is also possible (and easier) to set the visibility of alerts to false by setting the “IsVisible” property of any entry in the SuspiciousActivity collection in the ATA database. 44CON 2017 33Attacking ATA by Nikhil Mittal
  • 34. Defenses against the Evasions • ATA even if can’t detect anomalies, provides interesting insight in the traffic exchanged with the Domain Controller. Use that to detect the attackers. • Limit your DAs to login only to Domain Controllers. Remember prevention is better than cure. • Implement possible architectural changes suggested here: https://technet.microsoft.com/en-us/windows- server-docs/security/securing-privileged- access/securing-privileged-access 44CON 2017 34Attacking ATA by Nikhil Mittal
  • 35. Defending ATA • For securing the ATA deployment, it is better if the ATA Center is not part of the domain whose DC(s) it monitors. • Hopefully, password for the backend DB will be implemented and logs will be generated if the backend DB is tampered with in a future release. 44CON 2017 35Attacking ATA by Nikhil Mittal
  • 36. ATA - Limitations • Encrypted traffic (like LDAPS and IPSEC ESP) is not analyzed but may not affect detection https://github.com/MicrosoftDocs/ATADocs/blob/ master/ATADocs/ata-technical-faq.md#does-ata- work-with-encrypted-traffic • Communication outside protocols monitored by ATA https://docs.microsoft.com/en-us/advanced- threat-analytics/ata-prerequisites 44CON 2017 36Attacking ATA by Nikhil Mittal
  • 37. ATA - Limitations • Must have signatures for attack types. – Constrained Delegation. – Another very interesting attack which ATA can’t detect because it does not know the attack is loading an arbitrary dll using DNS service – elevation to DA from DNSAdmins membership if DC is also the DNS server. https://medium.com/@esnesenon/feature-not-bug- dnsadmin-to-dc-compromise-in-one-line-a0f779b8dc83 http://www.labofapenetrationtester.com/2017/05/abusing -dnsadmins-privilege-for-escalation-in-active- directory.html 44CON 2017 37Attacking ATA by Nikhil Mittal
  • 38. Evading ATA - Forever • Avoid the temptation of escalating to Domain Admin privileges without understanding the active directory environment and possible defenses in place. • Reduce communication to the DC. Go slow and careful in the lateral movement phase. Don’t create a Golden Ticket or launch a Skeleton Key just to brag about it in your report. • Stay focused on the goal of the assessment. If you can’t bypass it, avoid it! 44CON 2017 38Attacking ATA by Nikhil Mittal
  • 39. Limitations • Focus of all the bypasses is on Anomaly based detections. • While attacking the ATA deployment administrative access to the ATA Center is required. • Many behavior based detections could not be replicated in the lab and are more powerful and useful in a real environment. 44CON 2017 Attacking ATA by Nikhil Mittal 39
  • 40. Conclusion • It is possible to bypass detections by ATA by modifying well known attacks so that they appear normal. • Modification of attack methodologies and avoiding talking to DC is also effective. • Despite its limitations, ATA provides effective visibility and detection for AD attacks. 44CON 2017 40Attacking ATA by Nikhil Mittal
  • 41. Thank you • Please leave feedback. • Follow me @nikhil_mitt • For questions, training, assessments - nikhil.uitrgpv@gmail.com nikhil@pentesteracademy.com • Slides and blog posts on ATA will be posted on my blog and Github http://labofapenetrationtester.com/ https://github.com/samratashok 44CON 2017 Attacking ATA by Nikhil Mittal 41

Editor's Notes

  1. Invoke-Mimikatz -Command '"lsadump::lsa /name:krbtgt /inject"' -ComputerName ops-dc
  2. [System.Net.ServicePointManager]::ServerCertificateValidationCallback = {$true};$wc = new-object System.Net.WebClient;$wc.UseDefaultCredentials=$true;$wc.DownloadString("https://192.168.1.3").Contains('Microsoft Advanced Threat Analytics')
  3. https://blogs.technet.microsoft.com/enterprisemobility/2016/06/10/best-practices-for-securing-advanced-threat-analytics/
  4. SourceAccountId can be retrieved from the UniqueEntity collection: db.getCollection('UniqueEntity').find({"Name" : "term admin"})