Microsoft ATA - Detecting ''Passwordless'' attacks


Howdy,

 

After taking a look at the Microsoft ATA suspicious activity guide, I had some questions about some malicious use-cases, and I was mainly curious whether you guys detect these kinds of activities.

https://docs.microsoft.com/en-us/advanced-threat-analytics/suspicious-activity-guide

 

If the answer is ''no'', which is fine, it means that we can work together on improving it.

 

- Password Downgrading

Microsoft ATA has a section called ''Encryption Downgrade''.

Do you guys also detect when someone is downgrading the password length by modifying the minpwdLength attribute at the AD Root?

 

[image: 1.png]

 

In this case everyone could create an AD account without a password or reset their password to <blank>

 

- (Service) Account with no password required

Well, service account is just an example. This can also be a normal user account, but back to the case study.

 

Service accounts barely get a password reset, but they do (often) hold high privileges in the domain.

Account Operators is a group that is used a lot and has wide permissions in the domain.

 

What if we DENY Read userAccountControl for Everyone in the domain and then just decide to modify the userAccountControl value to 544, which is equal to PASSWD_NOTREQD?

 

Now, when looking in ADUC or through PowerShell, we won't see in the output that user XYZ has a PASSWD_NOTREQD value. So now someone can reset the password to <blank> and authenticate without a password.

 

Even from a Domain Admin's perspective, we don't see any value on the userAccountControl attribute, which can make it incredibly difficult to find users without a password, if ATA can't detect this, of course. But it actually has the 544 value. Password not required!

[image: 2.png]

 

Would you guys detect users logging in without any password? You can detect this in the Windows Event Logs, but it is pretty difficult to monitor if you don't really have the resources for it.

 

And what about hiding the userAccountControl value for everyone? How would you detect this kind of stuff?

 

- Granting user permissions to modify password policy

Granting an unauthorized user on the AD Root the following permissions:

This allows the user to change his password to <blank> or to modify the password policy, so he can, for example, downgrade the password length or disable the lockout policy. Would Microsoft ATA flag this as well?

 

[image: 3.png]

 

These were my questions about the ''passwordless'' attacks ;)

 

Hope to hear back from you guys,

 

Regards,

H
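The three conditions asked about in this post (a lowered minPwdLength on the domain root, PASSWD_NOTREQD set on an account while reads of userAccountControl are denied, and write grants on the domain root) can all be audited from the directory itself rather than waited for in ATA. The following PowerShell is an added example, not code from the thread or from Microsoft. It assumes the RSAT ActiveDirectory module, an account allowed to read security descriptors, a baseline of 14 for the expected minimum password length, and an allow-list of administrative groups; the baseline and the allow-list are assumptions to adjust to the domain.

```powershell
# Added audit script (not from the thread): checks the domain for the three
# conditions described in the post. Assumes the RSAT ActiveDirectory module.
Import-Module ActiveDirectory

$ExpectedMinPwdLength = 14          # assumption: the organisation's own baseline
$domain   = Get-ADDomain
$domainDN = $domain.DistinguishedName
$findings = New-Object System.Collections.Generic.List[string]

# 1. Password policy downgrade: read minPwdLength / lockoutThreshold from the
#    domain root object directly, which is where the post says it gets modified.
$root = Get-ADObject -Identity $domainDN -Properties minPwdLength, lockoutThreshold
if ($root.minPwdLength -lt $ExpectedMinPwdLength) {
    $findings.Add("minPwdLength on $domainDN is $($root.minPwdLength), expected >= $ExpectedMinPwdLength")
}
if ($root.lockoutThreshold -eq 0) {
    $findings.Add("lockoutThreshold on $domainDN is 0 (lockout disabled)")
}

# 2. PASSWD_NOTREQD (0x20). The matching rule 1.2.840.113556.1.4.803 is a bitwise
#    AND, so 544 (512 NORMAL_ACCOUNT + 32 PASSWD_NOTREQD) and any other combination
#    that includes the flag is returned. A Deny on reading the attribute can hide
#    it from this query too, which is why step 3 looks for the Deny itself.
$noPwd = Get-ADObject -LDAPFilter '(&(objectClass=user)(objectCategory=person)(userAccountControl:1.2.840.113556.1.4.803:=32))' `
                      -Properties sAMAccountName, userAccountControl
foreach ($u in $noPwd) {
    $findings.Add("PASSWD_NOTREQD set on $($u.sAMAccountName) (userAccountControl=$($u.userAccountControl))")
}

# 3. Deny ACEs that hide userAccountControl. The attribute's schemaIDGUID is
#    resolved from the schema rather than hard-coded; an ObjectType of the empty
#    GUID means "all properties" and hides the attribute just as well.
$schemaNC = (Get-ADRootDSE).schemaNamingContext
$uacAttr  = Get-ADObject -SearchBase $schemaNC -LDAPFilter '(lDAPDisplayName=userAccountControl)' -Properties schemaIDGUID
$uacGuid  = [guid]$uacAttr.schemaIDGUID
$readProp = [System.DirectoryServices.ActiveDirectoryRights]::ReadProperty
foreach ($u in Get-ADUser -Filter * -Properties nTSecurityDescriptor) {
    foreach ($ace in $u.nTSecurityDescriptor.Access) {
        if ($ace.AccessControlType -eq 'Deny' -and
            (($ace.ActiveDirectoryRights -band $readProp) -ne 0) -and
            ($ace.ObjectType -eq $uacGuid -or $ace.ObjectType -eq [guid]::Empty)) {
            $findings.Add("Deny ReadProperty on userAccountControl for $($ace.IdentityReference) on $($u.SamAccountName) (inherited=$($ace.IsInherited))")
        }
    }
}

# 4. Write rights on the domain root held by principals outside the allow-list
#    (the grant in the post's third scenario). The allow-list is an assumption.
$allowed = @("$($domain.NetBIOSName)\Domain Admins", "$($domain.NetBIOSName)\Enterprise Admins",
             'BUILTIN\Administrators', 'NT AUTHORITY\SYSTEM')
$writeMask = [System.DirectoryServices.ActiveDirectoryRights]::WriteProperty -bor
             [System.DirectoryServices.ActiveDirectoryRights]::WriteDacl -bor
             [System.DirectoryServices.ActiveDirectoryRights]::WriteOwner -bor
             [System.DirectoryServices.ActiveDirectoryRights]::GenericWrite -bor
             [System.DirectoryServices.ActiveDirectoryRights]::GenericAll
$rootSD = (Get-ADObject -Identity $domainDN -Properties nTSecurityDescriptor).nTSecurityDescriptor
foreach ($ace in $rootSD.Access) {
    if ($ace.AccessControlType -eq 'Allow' -and
        (($ace.ActiveDirectoryRights -band $writeMask) -ne 0) -and
        ($allowed -notcontains $ace.IdentityReference.Value)) {
        $findings.Add("$($ace.IdentityReference) holds $($ace.ActiveDirectoryRights) on $domainDN")
    }
}

if ($findings.Count -eq 0) { 'No findings' } else { $findings | ForEach-Object { "WARN: $_" } }
```

Step 3 is the one that answers the "hidden userAccountControl" question: a Deny ACE cannot hide itself, so enumerating the security descriptors of user objects finds the Deny (inherited or not) even when the attribute value is blanked for the caller. Step 4 will also list legitimate delegations (Exchange, backup software, and so on), so treat its output as a review list against the domain's documented delegations. `Get-ADUser -Filter *` with security descriptors is slow in a large domain; scope it with `-SearchBase` to the OUs that hold service accounts if needed.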
2 Replies

Hi @huy_kha,

 

I suggest you look at Azure ATP, as it is the new, updated service for ATA.

And most of our new detections and capabilities are inserted into Azure ATP.

 

Thank you very much for the interesting ideas. I think most of it is related to security admins and can be monitored as part of our identity security posture reports - @Or Tsemah

 

Will check about identifying a user logon without a password; if it is relevant and possible to detect, we will add it to the backlog.

 

Thanks,

Tali


@Tali Ash 

This is the closest event that will be generated when users authenticate without a password.

I think you definitely should take a look at it!

[image: 4624.png]
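A logon event on its own is the last step of the chain described in this thread; the changes that make it possible each produce their own Security-log event on the domain controller. As an added example (not code from the thread or from Microsoft), the following PowerShell collects those precursor events from a DC: 4738 for the 'Password Not Required' flag being enabled on an account, 4739 for a change to the domain password or lockout policy, and 5136 for modifications of userAccountControl, the policy attributes, or the security descriptor (which is where a Deny ACE on userAccountControl lands). It assumes the corresponding audit subcategories (User Account Management, Authentication Policy Change, and Directory Service Changes with a SACL on the objects) are enabled and that the caller can read the DC's Security log; the computer name and lookback window are assumed parameters.

```powershell
# Added detection script (not from the thread). Collects the events that precede a
# passwordless logon from a domain controller's Security log. Assumes the audit
# subcategories named in the lead-in are enabled; otherwise these events never exist.
param(
    [string]$ComputerName = $env:COMPUTERNAME,   # assumption: run on or against a DC
    [int]$LookbackHours   = 24                   # assumption: search window
)

$filter = @{
    LogName   = 'Security'
    Id        = 4738, 4739, 5136
    StartTime = (Get-Date).AddHours(-$LookbackHours)
}
$events = Get-WinEvent -ComputerName $ComputerName -FilterHashtable $filter -ErrorAction SilentlyContinue

# Attributes whose modification maps to one of the scenarios in the post.
$watchedAttrs = @('nTSecurityDescriptor', 'userAccountControl', 'minPwdLength', 'lockoutThreshold')

foreach ($e in $events) {
    # EventData is easiest to read from the XML view, keyed by the Data Name.
    $xml  = [xml]$e.ToXml()
    $data = @{}
    foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }

    $finding = $null
    switch ($e.Id) {
        4738 {
            # "A user account was changed": the rendered message lists each UAC flag change.
            if ($e.Message -match "'Password Not Required' - Enabled") {
                $finding = "PASSWD_NOTREQD enabled on $($data['TargetDomainName'])\$($data['TargetUserName'])"
            }
        }
        4739 {
            # "Domain Policy was changed": fields that did not change are reported as "-".
            $len = $data['MinPasswordLength']
            $thr = $data['LockoutThreshold']
            if ($len -ne '-' -or $thr -ne '-') {
                $finding = "Domain policy changed: MinPasswordLength=$len LockoutThreshold=$thr"
            }
        }
        5136 {
            # "A directory service object was modified": covers the Deny ACE on
            # userAccountControl (nTSecurityDescriptor) and direct edits of the policy attributes.
            if ($watchedAttrs -contains $data['AttributeLDAPDisplayName']) {
                $finding = "$($data['AttributeLDAPDisplayName']) modified on $($data['ObjectDN'])"
            }
        }
    }

    if ($finding) {
        [pscustomobject]@{
            Time    = $e.TimeCreated
            EventId = $e.Id
            Actor   = "$($data['SubjectDomainName'])\$($data['SubjectUserName'])"
            Finding = $finding
        }
    }
}
```

Run it against each domain controller (each DC logs only the changes it processed) and forward the output to whatever SIEM or ticketing the team already uses; the Actor column is what turns the finding into a question for a specific administrator. Because 5136 only fires for objects that carry a matching SACL, confirm that the domain root and the user container OUs are covered before relying on the third branch.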