Evading Microsoft ATA for Active Directory Domination

Presented at Black Hat USA 2017, July 27, 2017, 9:45 a.m. (50 minutes)

Microsoft Advanced Threat Analytics (ATA) is a defense platform which reads information from multiple sources like traffic for certain protocols to the Domain Controller, Windows Event Logs and SIEM events. The information thus collected is used to detect Reconnaissance, Credentials replay, Lateral movement, Persistence attacks etc. Well known attacks like Pass-the-Hash, Pass-the-Ticket, Overpass-the-Hash, Golden Ticket, Directory services replication, Brute-force, Skeleton key etc. can be detected using ATA. Whenever communication to a Domain Controller is done using protocols like Kerberos, NTLM, RPC, DNS, LDAP etc., ATA will parse that traffic for gathering information about not only possible attacks but user behavior as well. It slowly builds an organizational graph and can detect deviations from normal behavior.

Is it possible to evade this solid detection mechanism? What are the threats which ATA misses by design? How do Red Teamers and Penetration Testers can modify their attack chain and methodology to bypass ATA? Can we still have domain dominance?

The talk will be full of live demonstrations.

Presenters:

• Nikhil Mittal - Hacker, PentesterAcademy
  Nikhil Mittal is a hacker, infosec researcher, speaker and enthusiast. His area of interest includes penetration testing, attack research, defence strategies and post exploitation research. He has 8+ years of experience in Penetration Testing for his clients which include many global corporate giants. He is also a member of Red teams of selected clients. He specializes in assessing security risks at secure environments which require novel attack vectors and "out of the box" approach. He has worked extensively on using Human Interface Device in Penetration Tests and PowerShell for post exploitation. He is creator of Kautilya, a toolkit which makes it easy to use HIDs in penetration tests and Nishang, a post exploitation framework in PowerShell. In his spare time, Nikhil researches on new attack methodologies and updates his tools and frameworks. He has trained and spoken multiple times at conferences like Defcon, BlackHat, CanSecWest, ShakaCon, Troopers, DeepSec, PHDays, Hackfest, ClubHack, HITB and more. He blogs at http://www.labofapenetrationtester.com/

Links:

• https://www.blackhat.com/us-17/briefings/schedule/#evading-microsoft-ata-for-active-directory-domination-6251
• https://infocon.org/cons/Black Hat/Black Hat USA/Black Hat USA 2017/Evading Microsoft ATA for Active Directory Domination.mp4
• https://infocon.org/cons/Black Hat/Black Hat USA/Black Hat USA 2017/Evading Microsoft ATA for Active Directory Domination.en.transcribed.srt (subtitles)
• https://www.youtube.com/watch?v=bHkv63-1GBY
• https://www.blackhat.com/docs/us-17/thursday/us-17-Mittal-Evading-MicrosoftATA-for-ActiveDirectory-Domination.pdf

Similar Presentations:

• Black Hat Europe 2017 / Red Team Techniques for Evading, Bypassing, and Disabling MS Advanced Threat Protection and Advanced Threat Analytics
• BruCON 0x09 (2017) / Evading Microsoft ATA for Active Directory Domination
• 44CON 2017 / Red Team Revenge : Attacking Microsoft ATA