Red Team Techniques for Evading, Bypassing, and Disabling MS Advanced Threat Protection and Advanced Threat Analytics

Presented at Black Hat Europe 2017, Dec. 7, 2017, 10:15 a.m. (60 minutes)

Windows Defender Advanced Threat Protection (WDATP) is now available to Blue Teams on Windows 10 Enterprise and Windows Server 2012/2016. It detects the post-breach tools, tactics and techniques commonly used by Red Teams and adds behavior analytics on the endpoint. Combined with Microsoft Advanced Threat Analytics (ATA), which applies user behavior analytics across the domain, Red Teamers will soon have a significantly harder time staying stealthy while performing internal recon, lateral movement, and privilege escalation in Windows 10/Active Directory environments.

This talk highlights the challenges these Microsoft tools pose to red teams using common hacking tools and techniques, and covers techniques that can be used to bypass, disable, or avoid high-severity alerts in Windows Defender ATP and Microsoft ATA, as well as TTPs used against mature organizations that may have additional controls in place, such as Event Log Forwarding and Sysmon.
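The abstract names the endpoint controls the talk works against (the WDATP sensor, Sysmon, Windows Event Forwarding) but does not say how an operator tells which of them are present on a host before choosing a technique. The script below is an added example, not material from the talk or its slides: it enumerates those controls from a standard user context using default service, driver and registry names. Assumptions are marked in the comments: the WDATP sensor runs as the "Sense" service and records onboarding under the "Windows Advanced Threat Protection\Status" key; Sysmon installs as Sysmon/Sysmon64 with the SysmonDrv driver, which can both be renamed, so the script also looks for its fixed minifilter altitude (385201) and its event channel; WEF is configured through the SubscriptionManager policy key and needs WinRM. Microsoft ATA sits on the network (port mirroring or a gateway on the domain controllers) and leaves nothing to find on a workstation, so it is not covered.

```powershell
# Added example (not from the talk): enumerate host-side telemetry controls named in the abstract.
# Runs as a normal user; service listings and the HKLM keys read here are world-readable by default.
# Names below are the products' defaults (assumption); a renamed Sysmon service will only be caught
# by the altitude and event-channel checks.

function Get-TelemetryControls {
    $r = [ordered]@{}

    # 1. Windows Defender ATP endpoint sensor: the "Sense" service plus the onboarding
    #    flag the sensor writes (assumed key/value name: ...\Windows Advanced Threat Protection\Status, OnboardingState = 1).
    $sense = Get-Service -Name 'Sense' -ErrorAction SilentlyContinue
    $r['WDATP Sense service'] = if ($sense) { [string]$sense.Status } else { 'not found' }
    $onb = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows Advanced Threat Protection\Status' -ErrorAction SilentlyContinue
    $r['WDATP onboarded'] = if ($onb -and $onb.OnboardingState -eq 1) { 'yes' } else { 'no/unknown' }

    # 2. Sysmon. Default service names Sysmon/Sysmon64 and driver SysmonDrv can both be changed
    #    at install time, so also match on the minifilter altitude Sysmon registers (385201,
    #    assumed fixed) and on the event channel its manifest creates.
    $svc = Get-Service -Name 'Sysmon', 'Sysmon64' -ErrorAction SilentlyContinue
    $r['Sysmon service'] = if ($svc) { ($svc | ForEach-Object { "$($_.Name)=$($_.Status)" }) -join ', ' } else { 'not found' }

    $alt = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Services\*\Instances\*' -Name Altitude -ErrorAction SilentlyContinue |
           Where-Object { $_.Altitude -eq '385201' }
    $r['Minifilter at altitude 385201'] = if ($alt) {
        # Pull the service (driver) name out of the registry path: ...\Services\<name>\Instances\<instance>
        ($alt | ForEach-Object { $_.PSPath -replace '^.*\\Services\\([^\\]+)\\Instances.*$', '$1' }) -join ', '
    } else { 'not found' }

    $chan = Get-WinEvent -ListLog 'Microsoft-Windows-Sysmon/Operational' -ErrorAction SilentlyContinue
    $r['Sysmon event channel'] = if ($chan) { "present ($($chan.RecordCount) records)" } else { 'not found' }

    # 3. Windows Event Forwarding. The collector URLs live as numbered values under the
    #    SubscriptionManager policy key; forwarding also requires the WinRM service.
    $wef = Get-ItemProperty 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\EventLog\EventForwarding\SubscriptionManager' -ErrorAction SilentlyContinue
    $collectors = @()
    if ($wef) {
        $collectors = $wef.PSObject.Properties | Where-Object { $_.Name -match '^\d+$' } | ForEach-Object { $_.Value }
    }
    $r['WEF subscription manager'] = if ($collectors) { $collectors -join ' | ' } else { 'not configured' }
    $winrm = Get-Service -Name 'WinRM' -ErrorAction SilentlyContinue
    $r['WinRM service'] = if ($winrm) { [string]$winrm.Status } else { 'not found' }

    return [pscustomobject]$r
}

Get-TelemetryControls | Format-List
```

Read the output as a whole rather than one line at a time: a missing Sysmon service with a minifilter still sitting at altitude 385201 means the driver was renamed, not removed, and a configured SubscriptionManager with WinRM stopped means local logs are still being written but not shipped.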


Presenters:

  • Chris Thompson / @retBandit - Red Team Ops Lead, IBM X-Force Red
    Chris Thompson is Red Team Operations Lead at IBM X-Force Red. He's responsible for planning, overseeing, and conducting red teaming engagements at X-Force Red. He has extensive experience performing penetration testing and red teaming for clients in a wide variety of industries, and has led red teaming operations against defense contractors and some of North America's largest banks. Chris is on the board of CREST USA (crest-approved.org), working to help mature the testing industry. He also teaches Network & Mobile Pentesting at one of Canada's largest technical schools, SAIT. He will be speaking at a number of security conferences this year, including SecTor, Wild West Hackin' Fest, BSides YYC, and DEF CON.
