Hackers can bypass Microsoft ATA




Advanced Threat Analytics (ATA), Microsoft's attack detection platform for Active Directory, can be evaded by attackers who then take control of the targeted domain.

ATA works by reading information from multiple sources: Windows Event Logs, SIEM events, and certain protocols exchanged with the Domain Controller. When communication with the Domain Controller uses protocols such as Kerberos, NTLM, RPC, DNS or LDAP, ATA parses the traffic to gather data about possible attacks and malicious user behavior. ATA detects known attacks such as pass-the-hash, pass-the-ticket, directory services replication, brute force and skeleton key.

Security researcher Nikhil Mittal of Pentester Academy has shown how ATA can be bypassed to obtain administrative access.

"In the past couple of years, there have been increasing attacks on how Windows domain works," Mattal said. For example, if someone logs onto a desktop and their credentials are compromised, ATA will sense whether the user is logged on to multiple machines and will send a warning.

ATA is also used to detect lateral movement between machines across the corporate environment, as well as authentication to different resources.

If attackers are able to evade ATA's detection capabilities or avoid the system entirely, they can launch dangerous attacks. By bypassing ATA, an attacker can gain administrative privileges and access to any resource in the targeted enterprise. A slight modification of the so-called golden ticket attack is enough to evade ATA's detection and gain those privileges.

ATA can detect users attempting a golden ticket attack to obtain this level of access, but attackers can bypass ATA by modifying a packet in the Kerberos exchange used to connect to a Domain Controller.

"ATA detects anomalies but by changing the structure of the golden ticket, it is possible to completely bypass it," Mattal explains.
"Consumer records, intellectual property … attackers can persist in that environment using the golden ticket and there would be no detection at all."
