cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
SOLVED

Azure ATP lateral Movement

Ammar Hasayen
Iron Contributor

‎Apr 22 2018 11:50 PM - last edited on ‎Nov 30 2021 10:09 AM by

‎Apr 22 2018 11:50 PM - last edited on ‎Nov 30 2021 10:09 AM by

Azure ATP lateral Movement

Hi everyone,

 

In Azure ATP,  you can see lateral movement maps giving you an idea how hackers can move from hop to hop to reach sensitive accounts.

 

My question, how can Azure ATP know that if John has a compromised identity, that he can access that TS because he is member of this group. How Azure ATP can know who is the administrators group on servers to do such simulation and map? because when John gets his TGT, it has list of what groups he is member of, and not a list of servers that those groups are set as administrates.

3,753 Views
0 Likes
1 Reply
Reply
1 Reply
best response confirmed by Ammar Hasayen (Iron Contributor)
Eli Ofek

‎Apr 23 2018 12:54 AM

‎Apr 23 2018 12:54 AM

Solution

Re: Azure ATP lateral Movement

The Sensor can query endpoints for local administrators group membership.

(Giving that you allowed it as the documentation requests)

https://docs.microsoft.com/en-us/advanced-threat-analytics/install-ata-step9-samr

2 Likes
Reply
1 best response

Accepted Solutions
best response confirmed by Ammar Hasayen (Iron Contributor)
Eli Ofek

‎Apr 23 2018 12:54 AM

‎Apr 23 2018 12:54 AM

Solution

Re: Azure ATP lateral Movement

The Sensor can query endpoints for local administrators group membership.

(Giving that you allowed it as the documentation requests)

https://docs.microsoft.com/en-us/advanced-threat-analytics/install-ata-step9-samr

View solution in original post

2 Likes
Reply