Advanced Threat Analytics, Microsoft's cyber-attack detection platform, can be tricked by hackers to take control of attacked systems.
ATA works by reading information from multiple sources: Windows Event logs, SIEM events, and certain protocols to the Domain Controller. Windows Event Logs, SIEM events, and certain protocols to the Domain Controller. When communication to the Domain Control is done using protocols like Kerberos, NTLM, RPC, DNS, LDAP, etc., ATA parses the traffic to gather data about possible hacker attacks and malicious user behavior. ATA detects known attacks like pass-the-hash, pass-the-ticket, directory services replication, brute-force and skeleton key.
The cybersecurity specialist Nikhil Mattal from the Pentester Academy has discovered how he can bypass ATA and get administrative access.
"In the past couple of years, there have been increasing attacks on how Windows domain works," Mattal said. For example, if someone logs onto a desktop and their credentials are compromised, ATA will sense whether the user is logged on to multiple machines and will send a warning.
ATA is also used to detect lateral movement across machines and throughout the corporate environment, as well as to authenticate to different resources.
If hackers are able to evade the detection capabilities of ATA or completely avoid the system, they can launch dangerous attacks. Through bypassing ATA hackers can receive administrative privileges and access to any resource in the attacked enterprise. Hackers may slightly modify the so-called golden ticket attack to evade ATA detection capabilities and gain administrative privileges.
ATA can detect users trying to launch a golden ticket attack to get this level of access, but hackers can bypass ATA by modifying a package in the Kerberos protocol used to connect to a Domain Controller.
"ATA detects anomalies but by changing the structure of the golden ticket, it is possible to completely bypass it," Mattal explains.
"Consumer records, intellectual property … attackers can persist in that environment using the golden ticket and there would be no detection at all."