New Blog: Azure Advanced Threat Protection - CredSSP Exploit Analysis

Microsoft

After announcing the release of Azure Advanced Threat Protection (Azure ATP) last month (https://cloudblogs.microsoft.com/enterprisemobility/2018/03/01/introducing-azure-advanced-threat-protection-2/), we are excited to share details on how Azure ATP has been updated to better protect customers against a new exploit: the identity theft technique used in the Credential Security Support Provider (CredSSP) protocol exploit is now detected as a flavor of the Pass-the-Ticket detection.

 

In the blog, the Azure ATP team provides a network behavior analysis of how the CredSSP vulnerability is exploited and of the techniques used to propagate through the network. They also highlight how you can use Azure ATP to detect and investigate a variety of advanced cyberattacks.

 

You can read the blog post here: https://cloudblogs.microsoft.com/enterprisemobility/2018/04/18/azure-advanced-threat-protection-credssp-exploit-analysis/

2 Replies

https://techcommunity.microsoft.com/t5/Microsoft-Advanced-Threat/Azure-ATP-lateral-Movement/m-p/185817#M209

In Azure ATP, you can see lateral movement maps giving you an idea of how hackers can move from hop to hop to reach sensitive accounts.

 

My question: how can Azure ATP know that if John has a compromised identity, he can access that TS because he is a member of this group? How can Azure ATP know who is in the administrators group on servers to do such a simulation and map? Because when John gets his TGT, it has a list of what groups he is a member of, not a list of servers on which those groups are set as administrators.
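On the point raised above (the TGT carries group membership, not the servers where those groups are local administrators), here is an added example of how a hop-to-hop map can be derived once that missing inventory is available. It is not Azure ATP's code, and this page does not say how Azure ATP gathers the data. The example assumes three separately collected inputs: AD group nesting, each server's local Administrators membership (which has to be gathered from the servers themselves, for example over the SAM remote protocol or with an agent), and which accounts have sessions on each server. All of the users, groups and server names (john, Helpdesk, TS01 and so on) are constructed sample data.

```python
"""Added illustration (not Azure ATP's code): building a lateral movement map
from inventories that a Kerberos TGT alone does not carry.

The TGT's PAC lists the groups a user belongs to. It says nothing about which
servers grant those groups local Administrators rights, nor who is logged on
there. Joining three inventories gives the map; all three are constructed here.
"""
from collections import deque

# 1. AD group membership (constructed). Values are direct members, users or groups.
AD_GROUPS = {
    "Helpdesk":      ["john", "Helpdesk-L2"],
    "Helpdesk-L2":   ["alice"],
    "TS-Admins":     ["Helpdesk"],        # nested: Helpdesk is a member of TS-Admins
    "SQL-Admins":    ["bob"],
    "Domain Admins": ["carol"],
}

# 2. Local Administrators group of each server (constructed inventory). This is the
#    piece the TGT does not contain; it must be collected from every server.
LOCAL_ADMINS = {
    "TS01":  ["TS-Admins", "Domain Admins"],
    "SQL01": ["SQL-Admins", "Domain Admins"],
    "DC01":  ["Domain Admins"],
}

# 3. Accounts with a session (credentials in memory) per server (constructed).
SESSIONS = {
    "TS01":  ["bob"],
    "SQL01": ["carol"],   # a Domain Admin has a session on SQL01
    "DC01":  [],
}

SENSITIVE_GROUPS = {"Domain Admins"}


def expand_groups(principal, groups=AD_GROUPS):
    """All groups `principal` belongs to, directly or through nesting.
    For a single user this is the information the TGT's PAC already carries."""
    member_of = set()
    frontier = [principal]
    while frontier:
        p = frontier.pop()
        for group, members in groups.items():
            if p in members and group not in member_of:
                member_of.add(group)
                frontier.append(group)   # follow nesting one level further
    return member_of


def admin_servers(user, local_admins=LOCAL_ADMINS, groups=AD_GROUPS):
    """Servers where `user` is a local administrator, directly or via a group.
    Requires the per-server inventory; group SIDs in the ticket are not enough."""
    principals = {user} | expand_groups(user, groups)
    return {srv for srv, admins in local_admins.items() if principals & set(admins)}


def is_sensitive(user, groups=AD_GROUPS):
    """True when the user is (transitively) in a group treated as sensitive."""
    return bool(expand_groups(user, groups) & SENSITIVE_GROUPS)


def lateral_path(start_user, sessions=SESSIONS, local_admins=LOCAL_ADMINS,
                 groups=AD_GROUPS):
    """Breadth-first search over the map: user -> servers the user administers ->
    accounts with sessions on those servers -> ... until a sensitive account.
    Returns the shortest path as [user, server, user, server, ...] or None."""
    queue = deque([(start_user, [start_user])])
    seen = {start_user}
    while queue:
        user, path = queue.popleft()
        if user != start_user and is_sensitive(user, groups):
            return path
        for srv in sorted(admin_servers(user, local_admins, groups)):
            for victim in sessions.get(srv, []):
                if victim not in seen:
                    seen.add(victim)
                    queue.append((victim, path + [srv, victim]))
    return None


if __name__ == "__main__":
    print("john ->", lateral_path("john"))   # john -> TS01 -> bob -> SQL01 -> carol
    print("dave ->", lateral_path("dave"))   # no admin rights anywhere: None
```

The two inventories that the ticket lacks (LOCAL_ADMINS and SESSIONS) are exactly what turns a flat group list into a path; drop carol's session from SQL01 and the same group memberships yield no route from john to a sensitive account.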