Hacker Bypasses Microsoft ATA for Admin Access


Microsoft’s Advanced Threat Analytics (ATA) platform for detecting attacks against Active Directory can be evaded by an attacker who wants to take control of the domain, a security researcher has found.

ATA works by reading information from multiple sources: Windows Event Logs, events forwarded from a SIEM, and the network traffic of certain protocols to the Domain Controller. When clients talk to a Domain Controller over protocols such as Kerberos, NTLM, RPC, DNS and LDAP, ATA parses that traffic to build a profile of normal user behaviour and to look for signs of attack. In this way ATA can detect known attacks such as pass-the-hash, pass-the-ticket, malicious Directory Services replication requests, brute force and skeleton key.
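To make the detection model concrete, the following is an added illustration, not code from the article or from Microsoft ATA: two simplified detectors run over constructed Windows Security events (event 4625 = failed logon, 4624 = successful logon) flattened to one key=value line each. The first flags brute force as a burst of failed logons for one account inside a sliding window; the second flags a successful network NTLM logon (logon type 3) from a host the account has never used, a crude stand-in for the behavioural signal a product like ATA correlates for pass-the-hash. The thresholds, the log format, the per-account host baseline and the sample lines are all assumptions made for the example; ATA's real heuristics are not published in this form.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample events (not real captures). One event per line, in a
# simplified key=value form assumed for this example.
SAMPLE_LOG = """\
2017-07-01T09:00:01 EventID=4625 TargetUser=alice Workstation=WS01 AuthPackage=NTLM LogonType=3
2017-07-01T09:00:05 EventID=4625 TargetUser=alice Workstation=WS01 AuthPackage=NTLM LogonType=3
2017-07-01T09:00:09 EventID=4625 TargetUser=alice Workstation=WS01 AuthPackage=NTLM LogonType=3
2017-07-01T09:00:14 EventID=4625 TargetUser=alice Workstation=WS01 AuthPackage=NTLM LogonType=3
2017-07-01T09:00:20 EventID=4625 TargetUser=alice Workstation=WS01 AuthPackage=NTLM LogonType=3
2017-07-01T09:00:31 EventID=4624 TargetUser=alice Workstation=WS01 AuthPackage=NTLM LogonType=3
2017-07-01T09:02:00 EventID=4624 TargetUser=carol Workstation=WS09 AuthPackage=Kerberos LogonType=3
2017-07-01T09:03:10 EventID=4624 TargetUser=bob Workstation=ATTACKER-PC AuthPackage=NTLM LogonType=3
2017-07-01T09:03:12 EventID=4625 TargetUser=dave Workstation=WS03 AuthPackage=NTLM LogonType=2
"""

# Constructed baseline: the hosts each account is normally seen logging on from.
BASELINE = {"alice": {"WS01"}, "bob": {"WS07"}, "carol": {"WS09"}, "dave": {"WS03"}}

LINE_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<kv>.*)$")


def parse_events(text):
    """Parse the key=value lines above into dicts, sorted by timestamp."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        m = LINE_RE.match(line)
        fields = dict(tok.split("=", 1) for tok in m.group("kv").split())
        events.append({
            "ts": datetime.strptime(m.group("ts"), "%Y-%m-%dT%H:%M:%S"),
            "event_id": int(fields["EventID"]),
            "user": fields["TargetUser"],
            "host": fields["Workstation"],
            "package": fields["AuthPackage"],
            "logon_type": int(fields["LogonType"]),
        })
    return sorted(events, key=lambda e: e["ts"])


def detect_brute_force(events, threshold=5, window=timedelta(minutes=1)):
    """Return {account: time_first_flagged} for accounts with >= threshold
    failed logons (4625) inside a sliding time window."""
    recent = defaultdict(deque)  # account -> timestamps of recent failures
    flagged = {}
    for ev in events:
        if ev["event_id"] != 4625:
            continue
        q = recent[ev["user"]]
        q.append(ev["ts"])
        while q and ev["ts"] - q[0] > window:  # drop failures outside the window
            q.popleft()
        if len(q) >= threshold and ev["user"] not in flagged:
            flagged[ev["user"]] = ev["ts"]
    return flagged


def detect_unusual_ntlm_source(events, baseline):
    """Return [(account, host)] for successful network NTLM logons (4624,
    LogonType 3) from a host absent from the account's baseline. This is a
    simplified pass-the-hash indicator, not ATA's actual logic."""
    hits = []
    for ev in events:
        if ev["event_id"] == 4624 and ev["package"] == "NTLM" and ev["logon_type"] == 3:
            if ev["host"] not in baseline.get(ev["user"], set()):
                hits.append((ev["user"], ev["host"]))
    return hits


if __name__ == "__main__":
    evs = parse_events(SAMPLE_LOG)
    print("brute force:", detect_brute_force(evs))
    print("unusual NTLM source:", detect_unusual_ntlm_source(evs, BASELINE))
```

On the sample data the brute-force detector fires for alice at the fifth failure (09:00:20) and stays quiet for dave's single failure, while the NTLM check fires only for bob, whose logon arrives from a host outside his baseline; carol's Kerberos logon from a known host passes both checks. Raising the threshold to 6 suppresses the alice alert, which is the kind of tuning an attacker spreading attempts over time is counting on.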

But Nikhil Mittal, a hacker at Pentester Academy, has found a way to bypass ATA and gain administrative access. He will detail the technique next month at Black Hat USA in Las Vegas, in his session “Evading Microsoft ATA for Active Directory Domination.”
