SOLVED

Azure ATP lateral Movement

Ammar Hasayen
MVP

Hi everyone,

In Azure ATP, you can see lateral movement maps giving you an idea of how hackers can move from hop to hop to reach sensitive accounts.

My question is: how can Azure ATP know that, if John has a compromised identity, he can access that TS because he is a member of this group? How can Azure ATP know who is in the administrators group on servers to do such a simulation and map? Because when John gets his TGT, it has a list of the groups he is a member of, and not a list of the servers on which those groups are set as administrators.

1 Reply
Solution

The Sensor can query endpoints for local administrators group membership.

(Given that you allowed it, as the documentation requests.)

https://docs.microsoft.com/en-us/advanced-threat-analytics/install-ata-step9-samr
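To make the answer concrete, here is an added example (not Microsoft's code and not Azure ATP's actual algorithm) of how the two data sources the thread mentions combine into a lateral movement path: the group memberships a user's TGT would carry, and the per-server local Administrators membership the sensor collects from endpoints. All inventory data below is constructed; the user, group and server names are placeholders. The example goes slightly beyond the thread by also modelling which accounts have sessions on each server, since that is what makes a hop from one identity to the next possible.

```python
"""Toy lateral-movement path finder (added illustration, not Azure ATP's own logic).

Three constructed inventories feed the graph:
  USER_GROUPS          - group memberships per user (what a TGT/PAC lists)
  SERVER_LOCAL_ADMINS  - who sits in the local Administrators group on each
                         server (what the sensor gathers from endpoints);
                         entries may be groups or individual user names
  SERVER_SESSIONS      - accounts with an interactive session on each server,
                         i.e. credentials exposed to a local admin there
"""
from collections import deque

# --- constructed sample data (placeholders, not real accounts/hosts) -------
USER_GROUPS = {
    "john": {"Helpdesk"},
    "alice": {"ServerOps"},
    "bob": set(),                   # no group grants; named directly on TS01
    "da_admin": {"Domain Admins"},
}
SERVER_LOCAL_ADMINS = {
    "TS01": {"Helpdesk", "bob"},
    "APP01": {"ServerOps"},
    "DC01": {"Domain Admins"},
}
SERVER_SESSIONS = {
    "TS01": {"alice"},
    "APP01": {"da_admin"},
    "DC01": set(),
}
SENSITIVE_ACCOUNTS = {"da_admin"}


def admin_servers(user):
    """Servers where `user` is a local admin, via group or direct membership."""
    groups = USER_GROUPS.get(user, set())
    return {
        server
        for server, admins in SERVER_LOCAL_ADMINS.items()
        if user in admins or groups & admins
    }


def find_path(start, sensitive=SENSITIVE_ACCOUNTS):
    """Breadth-first search over user -> server -> user hops.

    Returns the shortest alternating path [user, server, user, ...] from
    `start` to any sensitive account, or None if none is reachable.
    """
    queue = deque([(start, [start])])
    seen = {start}
    while queue:
        user, path = queue.popleft()
        if user in sensitive and user != start:
            return path
        for server in sorted(admin_servers(user)):
            # Local admin on `server` can harvest credentials of anyone
            # with a session there, so each such account is the next hop.
            for nxt in sorted(SERVER_SESSIONS.get(server, set())):
                if nxt not in seen:
                    seen.add(nxt)
                    queue.append((nxt, path + [server, nxt]))
    return None


def users_that_can_reach(target):
    """Defender view: which accounts' compromise would expose `target`?"""
    return {u for u in USER_GROUPS if u != target and find_path(u, {target})}


if __name__ == "__main__":
    print("john is local admin on:", sorted(admin_servers("john")))
    print("path from john:", find_path("john"))
    print("accounts exposing da_admin:", sorted(users_that_can_reach("da_admin")))
```

The point to notice is that `USER_GROUPS` alone (the TGT view) never mentions a server; only when it is joined with `SERVER_LOCAL_ADMINS` (the sensor's endpoint view) does "John is in Helpdesk" become "John is an administrator on TS01", and only the session data turns that into a hop toward a sensitive account. The `users_that_can_reach` helper is the report a defender would actually act on: every account listed there is one whose group or direct admin rights should be reviewed.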
