Hackers can bypass Microsoft ATA

19.06.2017

Advanced Threat Analytics, Microsoft's cyber-attack detection platform, can be tricked by hackers to take control of attacked systems.

ATA works by reading information from multiple sources: Windows Event Logs, SIEM events, and certain protocols spoken to the Domain Controller. When communication with the Domain Controller uses protocols such as Kerberos, NTLM, RPC, DNS or LDAP, ATA parses the traffic to gather data about possible attacks and malicious user behaviour. ATA detects known attacks such as pass-the-hash, pass-the-ticket, directory services replication, brute force and skeleton key.

The cybersecurity specialist Nikhil Mittal from Pentester Academy has discovered how to bypass ATA and gain administrative access.

"In the past couple of years, there have been increasing attacks on how Windows domain works," Mittal said. For example, if someone logs onto a desktop and their credentials are compromised, ATA will notice that the user is logged on to multiple machines and send a warning.

ATA is also used to detect lateral movement between machines across the corporate environment, including authentication attempts against different resources.

If hackers can evade ATA's detection capabilities or avoid the system entirely, they can launch dangerous attacks. By bypassing ATA, hackers can obtain administrative privileges and access to any resource in the attacked enterprise. A slightly modified version of the so-called golden ticket attack is enough to evade ATA's detection and gain administrative privileges.

ATA can detect users trying to launch a golden ticket attack to gain this level of access, but hackers can bypass ATA by modifying a packet in the Kerberos protocol used to connect to a Domain Controller.

"ATA detects anomalies but by changing the structure of the golden ticket, it is possible to completely bypass it," Mittal explains.
"Consumer records, intellectual property … attackers can persist in that environment using the golden ticket and there would be no detection at all."
