Microsoft’s Azure Advanced Threat Protection (ATP) is useful for detecting a range of attacks on Active Directory. But it has some serious shortcomings. Here are five ways attackers can bypass ATP to wreak havoc.
Microsoft’s Azure Advanced Threat Protection (ATP) is a relatively new and increasingly common security solution that can spot common reconnaissance methods and attack on Active Directory and other critical control infrastructure (CCI). Microsoft notes that such analysis is critical as Windows Event Logs and Domain Controller logs provide inadequate visibility for modern security programs.
ATP can capture and analyze network authentication and authorization traffic using protocols like Kerberos, DNS, RPC, NTLM and more to provide limited heuristic insight. The ATP technology can parse that traffic to sometimes detect a wide range of reconnaissance and information gathering techniques as well as common attacks on CCI including brute force attacks, remote code execution and Active Directory attacks like Pass-the-Ticket (PtT), Pass-the-Hash (PtH), Golden Ticket and so on.
But ATP is no silver bullet. Attackers can and do bypass its protections to launch devastating malware attacks, deploy ransomware and steal data. In recent years, security researchers have called attention to some of the commonly used methods for fooling ATP. Here are five methods that adversaries use to escape ATP’s notice and persist in ATP-protected environments.
They avoid the Domain Controller
Azure Advanced Threat Protection contains tools for detecting suspicious or malicious activity on a Windows domain. But researchers and attackers alike have noted that many of those detection tools are focused on one particular asset: the domain controller. To a degree, that makes sense - the domain controller is the jewel in the crown for any attacker: the destination for lateral movement. But domain controllers aren’t the only avenue by which attacks play out. And attackers can persist in ATP environments simply by avoiding interactions with the domain controller. As an example, both Silver Ticket and Kerberoasting attacks allow adversaries to elevate their privileges within target environment with minimal and unremarkable interactions with the domain controller. These attacks and others enable lateral movement but are unlikely to trigger detection by ATP.
They use Brute Force Attacks
Microsoft’s ATP can easily spot traditional brute force password attacks in which adversaries make numerous attempts to crack an account’s password. However, as Nikhil Mittal noted in his 2017 Black Hat talk “Evading Microsoft ATP for Active Directory Domination” (PDF), ATP has a harder time spotting brute force attacks in which the same password is tried across AD accounts. In these so-called “Pillage the Village” and password spraying attacks, attackers use automated scripts and tools like PowerShell to enumerate AD users and try to crack their password. This distributed brute force activity does not get flagged by ATP and is a reliable method to gain a foothold within an environment.
They use Overpass-The-Hash Attacks
Overpass-the-Hash Attacks are a common form of attack on Active Directory and Kerberos that combine elements of both Pass the Hash and Pass the Ticket attacks. Attackers begin by conducting a “pass the hash” attack: using an Active Directory user’s NTLM hash (or AES keys) to enable a “pass the ticket” attack: obtaining a Kerberos ticket that can be used to access network resources. Microsoft ATP can spot both those attacks separately by looking for tell-tale signs, such as forcing the use of less-secure encryption protocols like MD5. However, researchers have noted that simply forcing the use of more standard encryption protocols like
AES256, AES128 and NTLM(RC4) in conjunction with Overpass-the-Hash attacks is often adequate to avoid ATP detection.
They use Constrained Delegation Attacks
Many Active Directory environments support some form of constrained delegation, in which a machine or user account is given permission to impersonate another user. Constrained delegation has many practical uses - such as seamlessly connecting a Web service to a back end database. Microsoft has enabled these types of connections via the “Service for User” (S4U) Kerberos extensions, which allow administrators to name select services for delegation with a particular account. However, researchers have noted that knowledgeable attackers can use enumeration to identify accounts for which constrained delegation has been enabled. They can then target those accounts and take advantage of features of the S4U “constrained delegation” extensions to facilitate lateral movement and privilege escalation within a targeted environment. With access to a constrained delegation account and that account’s plaintext password or NTLM hash, for example, attackers can use tools such as Kekeo to request a Kerberos TGT, execute a S4U TGS request and access the target service. While Microsoft has added features to limit these attacks for sensitive accounts, it cannot otherwise detect attacks that take advantage of constrained delegation.
They attack SQL Server
While ATP is capable of spotting a wide range of attacks on Active Directory, attackers need not target Active Directory in order to move laterally or elevate their permissions within compromised environments. For many attackers, targeting privileged IT assets like SQL server directly provides a way to gain privileged access to sensitive data and intellectual property and even to elevate privileges up to and including domain administrator, while avoiding ATP entirely. Common attacks such as SQL injection and brute force password attacks can provide attackers with user-level account access. (Account lockouts are often not enabled on non-production SQL Server databases.) From there, attackers can move laterally in the database layer via linked databases to explore an Active Directory Forest or Forest Trust. The goal is to identify SQL server services that run with domain administrator permissions, gain access to those assets and escalate permissions on them to eventually achieve command execution.
Microsoft’s Advanced Threat Analytics provides substantial threat and attack detection features for Active Directory environments. But the technology is not fool-proof. Organizations that want comprehensive threat detection should understand the gaps in ATP detection and take steps to mitigate the risks they pose. Technologies like QOMPLX’s Q:CYBER can help spot attacks on Active Directory that Microsoft ATP misses including Overpass-The-Hash, Silver Ticket and more. QOMPLX’s use of stateful validation for Kerberos also allows for much more accurate (i.e. less noise) detections for critical attacks like Golden Ticket attacks where confidence is key. For more information visit our website.