First published on CloudBlogs on Jan 24, 2017 by Microsoft Advanced Threat Analytics Teams Cyber attackers have many tools available to them to infiltrate an enterprise network, find that sensitive piece of data they’re looking for, and exfiltrate it from your enterprise. In conversations with customers, I’ve found that some are familiar with these tools; however, many aren’t, or they are not fully aware of how powerful these tools are. My aim with this blog post is to help level the playing field, and help the good guys understand what attack tools the adversaries are using. More importantly, I want to explain how you can detect the use of those tools on your network with Microsoft’s Advanced Threat Analytics (ATA). ATA is an on-premises product that detects advanced persistent threats by focusing on the post-infiltration phase of an intrusion. Tools that are designed to protect your perimeter—including firewalls, antivirus software, and intrusion prevention/detection services—all focus on the initial moment of infiltration. But, they’re of little assistance once the adversary gets in or if you’re battling an insider threat. This is where ATA can help.
The tools of the attacker trade – research
With an assumed-breach mindset, we assume the attacker has already breached the perimeter and is on the network. Unfortunately, this is when the adversary goes dark to the defender, as the attacker has already breached network defenses as well as antivirus. However, the adversary is anything but inactive. Once the attacker has compromised a host, they’ll start the internal reconnaissance phase by mining any accessible DNS servers or domain controllers, for example, by using the built-in nslookup tool. On the accounts side, recon usually starts by enumerating the users and groups via built-in tools such as the “net user” or “net group” commands, or via external tools (usually controlled from the attacker’s command&control servers) like PowerSploit’s Get-NetUser command. This phase is all about discovery for the adversary – they are hunting for users with ample permissions and privileged accounts with the goal of getting to domain admin credentials and eventually reaching domain dominance.
Recon doesn’t stop there, though. Using tools like NetSess and PowerSploit’s Get-NetSession , they’ll start the process of identifying which accounts are active and where. This is technically achieved by enumerating the authenticated Server Message Block (SMB) sessions in use against the domain controllers. This is particularly powerful against the most popular SMB Share in the forest, the Domain Controller’s SYSVOL as every machine needs to connect to it to pull and process Group Policy.
The attacker now knows your groups, your users, and where specific users’ credentials are exposed, effectively triangulating where they need to get to achieve “domain dominance”. An attacker will use this technique to identify those accounts that have admin rights in the organization and the path to successfully compromise their credentials. Now the attacker has full visibility into relationships between the regular users, the administrators’ (privileged) accounts and the devices (servers and endpoints) in the organization. An easy way to visualize that is to think in terms of a social network, or the six degrees of separation, and ask “How can I be ‘introduced’ to a domain admin account?” John Lambert, who works at the Microsoft Threat Intelligence Center, has previously explained how defenders think in lists and attackers think in graphs .
Publicly available tools like BloodHound actually automate this process end to end making it very smooth and easy for the attacker to build the graph view of the organization.
The tools of the attacker trade – post-infiltration
Now, with an identified path to get to where they want to go, the attacker will start the process of moving laterally in your network. On the way to the admin credentials the attackers are constantly harvesting additional credentials. This can be done by leveraging known loopholes in widely used authentication protocols, such as passing the NTLM hash or the Kerberos ticket , and going from machine to machine to compromise users. Often within a matter of days the attackers manage to obtain the credentials of a domain administrator or an enterprise administrator which are then leveraged to gain persistence on the network. Attackers can easily harvest credentials by leveraging a tool called Mimikatz to steal credentials that are sitting in memory on the endpoints and servers in your network. Once the adversary has compromised the credentials of privileged users, they’ll often work to gain persistence and domain dominance by stealing the Kerberos’ ticket granting ticket (KRBTGT) hash used by the Active Directory Domain Controllers. Owning the krbtgt credentials allows the attackers to generate any kind of authentication ticket they wish, as any account or member of any group in your network—this is known as the golden ticket attack. They can accomplish this by using Mimikatz once again, this time to maliciously synchronize with the domain controllers using DCSync to steal the krbtgt credentials.
ATA is a user entity behavioral analytics (UEBA) product that detects advanced persistent threats in your network. It will issue alerts if it sees suspicious activities including recon, lateral movement, re-use of compromised credentials, privilege escalation and domain dominance. It is one of the only tools to concentrate on detecting the adversary in their post-infiltration phase; that is, detecting them after they’ve already established a foothold . ATA can detect DNS recon, SMB session enumeration, SAMR enumeration, pass the ticket, pass the hash, overpass the hash, golden ticket, and skeleton key malware, as well as detect abnormal behavior of users and devices!
Having this level of visibility into the suspicious activity of your users, entities, and machines is critical for any enterprise. ATA provides relevant, timely, and critical information to aid defenders and blue teams in discovering post-infiltration activities in near real-time. Advanced Threat Analytics is part of the Microsoft Enterprise Mobility + Security Suite (E3) or the Microsoft Enterprise CAL Suite (ECAL). Start a trial or deploy it now by downloading an Advanced Threat Analytics 90-day evaluation . Ask your questions and join the discussion with our team on the Microsoft Advanced Threat Analytics Tech Community site ! All the best, Hayden Hainsworth (@cyberhayden) Customer & Partner Experience Program Leader, Cybersecurity Engineering Microsoft Cloud + Enterprise Division