What is Microsoft Advanced Threat Analytics (MS ATA) and How to ByPass?
MS ATA is a cyber security solution announced by Microsoft that performs analysis based on security issues in the Active Directory environment and helps to prevent attacks by malicious hackers according to the results of this analysis.
How MS ATA Works?
Before bypassing a target, the first step is to understand what the target is, how it works, and its logic. If we can know our target well, we can create scenarios to neutralize it.
After MS ATA is installed in Active Directory, it collects information such as objects, event logs and network traffic. Then, in the light of this gathered information, the steps shown in the image below are applied.
MS ATA determines the normal of the working system during the Learning phase and generates an alarm when it encounters an anomaly. It also provides a comprehensive report with this alarm.
What Does MS ATA Detect?
1. Configuration-related issues
It scans the system using world-class security configurations and identifies configuration problems contrary to these definitions. Generates a report as a result.
2. Problems with user behavior
With the Machine Learning feature in MS ATA, the behaviors of the users are constantly monitored and thus a pattern of the user behavior is created. When a behavior contrary to this pattern is displayed, an alarm and report is generated.
3. Advanced technical attack issues
MS ATA instantly makes continuous rule-based analysis. In this way, it is alert against the attacks mentioned below.
• Pass the ticket
• Pass the hash
• Overpass the hash
• Forged PAC (MS14-068)
• Remote execution
• Golden ticket, Skeleton key malware
• Brute Force
How to ByPass MS ATA?
When Nikhil Mittal examined the alarms generated by MS ATA, he noticed a situation. MS ATA is checking the Domain Controller while doing Recon operation. He discovered that MS ATA's control mechanism is possible to bypass if an attempt is made to gather information from the Domain Controller without running User Hunting on it. For this, bypass is performed when the following parameters are used.
We can say that the lower we keep communication with the Domain Controller, the lower our risk of getting caught. With the above command, we can pull the user list without communicating with DC.
Now that we have drawn the user list, we can now attack it as a Brute Force.
We attack the user list we pulled with the above command with only one password, by making only one attempt to each user. As a result, this attack also manages to escape from MS ATA.
This method is called Overpass the hash. Under normal conditions, MS ATA can easily detect Overpass the hash attacks. However, as a result of different attack attempts, a way was found to overcome this.
An Encryption type downgrade occurs during overpass the hash attack. This is a great opportunity for MS ATA to catch up with us. Well, if we could prevent this downgrade from being done, would we be able to attack without getting caught?
It is possible to avoid this downgrade by using AES Keys. The following commands can be used to extract AES keys from a remote computer.
As a result, when Overpass the hash attack is applied, an elevated privilege is obtained and is not detected by MS ATA.
As long as you have DA, various methods can be tried to be permanent within the domain. For this, we can create a Golden Ticket. When we create a Golden Ticket and inject it into memory, MS ATA checks the encryption downgrade, just like Overpass the hash attack. Therefore, we get caught.
Again, as in the previous method, we can bypass with AES. Since we already have the AES key, we can create a golden ticket and perform a bypass without being caught.