First published on CloudBlogs on Dec 12, 2016 by the Microsoft Advanced Threat Analytics Team

A frequent question I get from customers is: will Microsoft Advanced Threat Analytics (ATA) help me detect suspicious activity on my network regardless of the operating systems in my environment? The short answer is "yes". Any user or entity that connects to the network through Active Directory (AD), queries the DNS servers, or authenticates with AD is inspected for anomalous activity, whatever operating system it runs. The approach is agentless: ATA inspects domain controller traffic and event data rather than relying on software installed on each endpoint.

Linux, or for that matter any *nix operating system, can use Active Directory credentials to run line-of-business (LOB) applications. Individuals and entities use their endpoint to authenticate to the resources they need on servers through the NTLM or Kerberos authentication protocols, whether the endpoint runs Windows, Linux or another *nix operating system. Identity, therefore, is fundamental to every environment, and ATA takes advantage of this shared dependency on an identity system to help you detect anomalous activity regardless of the operating systems your network runs on. It transcends the individual operating systems in that environment (including network devices such as routers and switches that authenticate against AD); Windows and *nix machines are simply endpoints.

The screenshot below shows one such attack. Attackers compromise a user's credentials, whether from a Mac or a Windows endpoint, and move laterally, hunting for elevated privileges or users who hold privileged credentials (for example, administrators). The tool used for this malicious activity is PsExec. PsExec was originally designed for systems administrators: a command-line remote administration tool that executes processes on remote machines. As with many such tools, adversaries can use it for malicious activity as well.
The adversary set up a PsExec session to a domain controller over SMB (the file-sharing protocol that also carries the NTLM or Kerberos authentication for the ADMIN$ share to which PsExec copies its service binary), using the compromised user's legitimate credentials. In this case the credential was the user's NTLM hash, stolen from the endpoint and injected into the PsExec session so that the SMB authentication completed without the attacker ever knowing the password (a pass-the-hash attack).
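One way a defender could spot this pattern in host telemetry, as an added example that is not part of the original post and is not ATA's own detection logic: a small Python correlation over constructed Windows event records (Security event 4624 network logons and System event 7045 service installs). By default PsExec copies PSEXESVC.exe to the target's ADMIN$ share and registers a service named PSEXESVC, so a 7045 for that service shortly after an NTLM network logon to a domain controller is the footprint of the attack described above. The host names, the domain-controller list, the 60-second window and the key=value log format are all assumptions of the example.

```python
from datetime import datetime, timedelta

# Constructed sample log lines (not real telemetry), one event per line in
# key=value form. They model Windows Security event 4624 (an account logged
# on; logon_type 3 is a network logon, auth is the package that validated it)
# and System event 7045 (a service was installed). Timestamps are ISO 8601.
SAMPLE_LOG = r"""
ts=2016-12-12T09:00:01 host=DC01 id=4624 logon_type=3 auth=NTLM user=CONTOSO\jdoe src=10.1.5.23
ts=2016-12-12T09:00:03 host=DC01 id=7045 service=PSEXESVC image=%SystemRoot%\PSEXESVC.exe
ts=2016-12-12T09:10:00 host=FS02 id=7045 service=Spooler image=C:\Windows\System32\spoolsv.exe
ts=2016-12-12T09:20:00 host=WS07 id=4624 logon_type=3 auth=Kerberos user=CONTOSO\alice src=10.1.5.40
ts=2016-12-12T09:20:02 host=WS07 id=7045 service=PSEXESVC image=%SystemRoot%\PSEXESVC.exe
ts=2016-12-12T09:30:00 host=DC02 id=7045 service=PSEXESVC image=%SystemRoot%\PSEXESVC.exe
"""

# Hosts treated as domain controllers: an assumption made for this example.
DOMAIN_CONTROLLERS = {"DC01", "DC02"}

# How long after a network logon a service install is considered related.
WINDOW = timedelta(seconds=60)


def parse_line(line):
    """Parse one key=value log line into a dict (values contain no spaces)."""
    fields = dict(token.partition("=")[::2] for token in line.split())
    fields["ts"] = datetime.fromisoformat(fields["ts"])
    fields["id"] = int(fields["id"])
    return fields


def is_psexec_service(event):
    """Match PsExec's default service name and binary. A renamed service
    (psexec -r) would slip past this check; that is a known limit of the toy."""
    return (event.get("service", "").lower() == "psexesvc"
            or event.get("image", "").lower().endswith("psexesvc.exe"))


def detect_psexec(lines, domain_controllers=DOMAIN_CONTROLLERS, window=WINDOW):
    """Return one alert per PsExec-style service install, correlated with the
    most recent network logon to the same host inside the look-back window."""
    events = sorted((parse_line(ln) for ln in lines if ln.strip()),
                    key=lambda e: e["ts"])
    alerts = []
    for i, ev in enumerate(events):
        if ev["id"] != 7045 or not is_psexec_service(ev):
            continue
        logon = None
        for prior in reversed(events[:i]):  # walk back in time
            if ev["ts"] - prior["ts"] > window:
                break
            if (prior["host"] == ev["host"] and prior["id"] == 4624
                    and prior.get("logon_type") == "3"):
                logon = prior
                break
        auth = logon["auth"] if logon else None
        # Highest severity: an NTLM network logon straight onto a domain
        # controller followed by the service install, the pass-the-hash
        # against a DC pattern the post describes. Anything else is still
        # reported, because PsExec on a host is worth a look regardless.
        on_dc = ev["host"] in domain_controllers
        severity = "high" if (on_dc and auth == "NTLM") else "medium"
        alerts.append({
            "ts": ev["ts"].isoformat(),
            "host": ev["host"],
            "service": ev.get("service"),
            "user": logon["user"] if logon else None,
            "src": logon["src"] if logon else None,
            "auth": auth,
            "severity": severity,
        })
    return alerts


def run_sample():
    """Run the detection over the constructed sample log."""
    return detect_psexec(SAMPLE_LOG.strip().splitlines())


if __name__ == "__main__":
    for a in run_sample():
        print(a["severity"].upper(), a["ts"], a["host"], a["user"], a["auth"], a["src"])
```

On the sample, DC01 raises a high-severity alert (NTLM network logon by CONTOSO\jdoe from 10.1.5.23, then PSEXESVC installed two seconds later), WS07 a medium one (PsExec, but a Kerberos logon to a non-DC, the kind of thing an administrator's own use looks like), and DC02 a medium one with no correlated logon, which is itself worth investigating because a service install on a domain controller with no visible network logon suggests missing telemetry. The Spooler install on FS02 is ignored.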
This is a typical attacker scenario: harvest a set of credentials on one system and use it to move laterally. Through this identity layer, the attacker's command-and-control (C2) gains legitimate-looking access across operating systems. With ATA's machine-learning user and entity behavioral analytics, together with detections such as the PsExec activity against a domain controller described above, network defenders are alerted to this suspicious activity and can act quickly and decisively.

ATA is a User and Entity Behavioral Analytics (UEBA) detection product that identifies advanced persistent threats (APTs) on your network. It issues alerts when it sees suspicious activity, including reconnaissance, lateral movement, reuse of compromised credentials, privilege escalation and domain dominance, and it is one of the few tools that concentrates on the adversary's post-exploitation phase, that is, detecting them after they have already established a foothold. Having this level of visibility into the suspicious activity of your users, entities and machines is critical for any enterprise.

Start a trial or deploy it now by downloading a 90-day evaluation version. Ask your questions and join the discussion with our team on the Microsoft Advanced Threat Analytics Tech Community site! Advanced Threat Analytics is part of the Enterprise Mobility + Security Suite.

All the best,
Hayden Hainsworth (@cyberhayden)
Customer & Partner Experience Program Leader, Cybersecurity Engineering
Cloud + Enterprise Division, Microsoft