Jagadeesh Parameswaran, Microsoft
Rahul Sachan, Microsoft
Windows Defender Advanced Threat Protection (WDATP) gives defenders unparalleled visibility into the enterprise. And Azure Advanced Threat Protection (AATP) gives the power to monitor attacks on the Domain Controllers and user identities. Come spend an hour with us as we pull back the covers and go through detailed examples of real attacks that we saw as we defended the Microsoft corporate environment using WDATP & AATP.
BlueHat v18 || Tales from the soc - real-world attacks seen through azure atp and windows defender atp
3. Screenshots present in this session are either from the Production environments (with obfuscated contents) or from the Demo environments.
4. Digital Crimes Unit (DCU)
Microsoft Azure (C+AI Security)
Microsoft Security Response Center (C+AI Security)
Cyber Security Services Engineering
Microsoft Threat Intelligence Center (MSTIC)
Office 365 Security
Data & Intelligence (DI)
Cyber Defense Operations Center (CDOC)
6. How does Windows Defender Advanced Threat Protection (WDATP) help us?
Windows Defender ATP (WDATP) works behind the scenes to better detect threats on the network and helps the SOC investigate and respond to data breaches.
12. Azure ATP (AATP) detects a WIDE RANGE of Suspicious Activities from the AD & UEBA monitoring perspectives. It covers various Active Directory and user-account related attacks across the Kill-Chain phases: Reconnaissance, Compromised Credential, Lateral Movement, Privilege Escalation and Domain Dominance.
Detections shown on the slide:
Abnormal resource access
Account enumeration
Net Session enumeration
DNS enumeration
SAM-R Enumeration
LDAP Enumeration (Roadmap)
Brute force using NTLM, Kerberos, or LDAP
Honey Token account suspicious activities
Unusual protocol implementation
Malicious Data Protection Private Information (DPAPI) Request
Suspicious VPN Connections
Abnormal authentication requests
Remote Execution
Pass-the-Ticket
Pass-the-Hash
Overpass-the-Hash
Malicious service creation
MS14-068 exploit (Forged PAC)
MS11-013 exploit (Silver PAC)
Skeleton key malware
Golden ticket non-existent account
Malicious replication requests
Abnormal Modification of Sensitive Groups
Suspicious domain controller promotion & replication (potential DCShadow attack)
26. A real attack by an adversary: a service / application that uses LDAP Simple Binds rather than LDAPS.
39. Response actions:
Changed the passwords of the compromised users.
Checked WDATP events on the victim machines to identify any suspicious process executions after the attack.
Asked the users to use strong passwords to prevent brute-force attacks.
Checked for any suspicious logins for the user accounts using MCAS, to identify any possible compromise / access of Exchange Online / SharePoint Online data.
44. The attacker was contacted to identify the reasons for the attack.
This was done for experimental purposes by the attacker, as a script kiddie.
The attacker was educated NOT to carry out any malicious activities using tools or scripts from Microsoft CORP domain-joined machines.
48. Lessons learned:
LDAP Simple Bind brute-force attacks are simple, but are difficult to track.
Using AATP & WDATP, a brute-force (BF) attack can be quickly detected.
Complex, strong passwords help to prevent brute-force attacks.
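The slide above says LDAP simple-bind brute force is easy to launch but hard to track unless the bind attempts are correlated. The following is an added example, not code from the talk and not the detection logic of Azure ATP or WDATP. It runs the kind of correlation a SOC would apply to domain-controller bind logs: count failed simple binds per source inside a sliding window, raise a brute-force alert once a threshold is crossed, and raise a second alert when the same source then succeeds against one of the accounts it was hammering (the "compromised account" step of the attack workflow). The record layout (`time, source, account, result`), the sample records, the threshold and the window are all assumptions made for the example.

```python
"""Correlate LDAP simple-bind attempts into brute-force and compromised-account alerts.

Added example for the BlueHat v18 "Tales from the SOC" slides; it is not code
from the talk and does not reproduce Azure ATP / WDATP internals.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample bind attempts (not real data). Field layout is an
# assumption: (ISO timestamp, source IP, target account, bind result).
SAMPLE_BINDS = [
    ("2018-09-01T10:00:00", "10.1.2.3", "svc-inventory", "success"),  # benign service
    ("2018-09-01T10:15:01", "10.9.9.9", "alice", "failure"),
    ("2018-09-01T10:15:02", "10.9.9.9", "alice", "failure"),
    ("2018-09-01T10:15:03", "10.9.9.9", "bob", "failure"),
    ("2018-09-01T10:15:04", "10.9.9.9", "bob", "failure"),
    ("2018-09-01T10:15:05", "10.9.9.9", "carol", "failure"),
    ("2018-09-01T10:15:06", "10.9.9.9", "carol", "failure"),
    ("2018-09-01T10:15:07", "10.9.9.9", "bob", "success"),   # guess landed
    ("2018-09-01T11:00:00", "10.1.2.3", "svc-inventory", "success"),
    ("2018-09-01T12:30:00", "10.5.5.5", "dave", "failure"),  # one typo, below threshold
]

FAIL_THRESHOLD = 5              # assumed tuning value
WINDOW = timedelta(minutes=10)  # assumed tuning value


def parse(record):
    """Turn one raw tuple into (datetime, src, account, result)."""
    ts, src, account, result = record
    return datetime.fromisoformat(ts), src, account, result


def detect_bruteforce(records, threshold=FAIL_THRESHOLD, window=WINDOW):
    """Return alerts in time order.

    'bruteforce' fires once per source when its failed binds inside the
    window reach the threshold; 'compromised_account' fires when a flagged
    source later binds successfully to an account it had been failing against.
    """
    alerts = []
    recent_failures = defaultdict(deque)  # src -> deque of (time, account)
    flagged_sources = set()

    for ts, src, account, result in sorted(map(parse, records)):
        q = recent_failures[src]
        # Drop failures that fell out of the sliding window.
        while q and ts - q[0][0] > window:
            q.popleft()

        if result == "failure":
            q.append((ts, account))
            if len(q) >= threshold and src not in flagged_sources:
                flagged_sources.add(src)
                alerts.append({
                    "type": "bruteforce",
                    "src": src,
                    "accounts": sorted({a for _, a in q}),
                    "failures": len(q),
                    "first_seen": q[0][0].isoformat(),
                })
        elif (result == "success" and src in flagged_sources
              and any(a == account for _, a in q)):
            alerts.append({
                "type": "compromised_account",
                "src": src,
                "account": account,
                "at": ts.isoformat(),
            })
    return alerts


if __name__ == "__main__":
    for alert in detect_bruteforce(SAMPLE_BINDS):
        print(alert)
```

The per-source window is what separates a password spray (few failures per account, many accounts) from a user mistyping a password: the single failure from `10.5.5.5` never reaches the threshold, while `10.9.9.9` is flagged on its fifth failure and again when `bob` finally authenticates. The second alert is the one worth paging on, because it names the account whose password now needs to be reset.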
54. Attack Workflow (diagram): ATTACKER -> (1) BRUTE FORCE -> COMPROMISED ACCOUNT (Victim User 1, Victim User 2) -> (2) MOVE LATERALLY -> Domain Admin -> DC.
67. In less than two hours of successfully achieving access to the permanent domain admin account, the attacker used its hash to replicate the directory to their machine, Desktop-xxxx …. a non-domain-joined box …… a rogue Domain Controller …
71. Lessons learned:
A compromised account + a non-domain-joined machine + Mimikatz can bring trouble to the AD.
AATP provides visibility into the attack targeting the AD environment.
The rich timelines of WDATP help to pinpoint anomalies on domain-joined machines.
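Slides 67 and 71 describe the domain-dominance step: a compromised domain-admin account used from a non-domain-joined box to pull the directory as if it were a replication partner. The check below is an added example, not code from the talk and not how Azure ATP implements its "malicious replication requests" detection. It reviews directory-replication requests against an inventory of legitimate domain controllers and domain-joined hosts and explains each flag with the reasons a responder would want in the alert. The inventory sets, the record layout (`time, source host, calling account, operation`) and the sample records are assumptions; `GetNCChanges` is the directory-replication request name and `Desktop-xxxx` is the host placeholder the slide itself uses.

```python
"""Flag directory-replication requests that do not come from a real domain controller.

Added example for the BlueHat v18 "Tales from the SOC" slides; not code from
the talk and not Azure ATP's own detection logic.
"""

# Assumed inventory. In practice this comes from AD (DC machine accounts,
# joined computer objects), not from a hard-coded list.
KNOWN_DCS = {"DC01", "DC02"}
DOMAIN_JOINED = {"DC01", "DC02", "WS-ALICE", "WS-BOB"}

# Constructed sample replication-related events (not real data).
# Layout: (ISO timestamp, source host, calling account, operation).
SAMPLE_EVENTS = [
    ("2018-09-01T13:00:00", "DC02", "DC02$", "GetNCChanges"),          # normal DC-to-DC sync
    ("2018-09-01T14:40:00", "Desktop-xxxx", "da-admin", "GetNCChanges"),  # the slide-67 scenario
    ("2018-09-01T14:45:00", "WS-ALICE", "alice", "LDAPSearch"),        # ordinary lookup, not replication
]

REPLICATION_OPS = {"GetNCChanges"}


def replication_reasons(host, account, known_dcs, domain_joined):
    """Return the list of reasons a replication request from host/account is suspicious."""
    reasons = []
    if host not in known_dcs:
        reasons.append("source is not a known domain controller")
    if host not in domain_joined:
        reasons.append("source is not domain-joined")
    if not account.endswith("$"):
        reasons.append("caller is a user account, not a DC machine account")
    return reasons


def detect_rogue_replication(events, known_dcs=KNOWN_DCS, domain_joined=DOMAIN_JOINED):
    """Return one alert per replication request that has at least one suspicious trait."""
    alerts = []
    for ts, host, account, operation in events:
        if operation not in REPLICATION_OPS:
            continue
        reasons = replication_reasons(host, account, known_dcs, domain_joined)
        if reasons:
            alerts.append({
                "at": ts,
                "host": host,
                "account": account,
                "operation": operation,
                "reasons": reasons,
                # Every trait present at once is the DCSync-from-a-rogue-box pattern.
                "severity": "high" if len(reasons) == 3 else "medium",
            })
    return alerts


if __name__ == "__main__":
    for alert in detect_rogue_replication(SAMPLE_EVENTS):
        print(alert)
```

The legitimate DC-to-DC sync from `DC02$` produces nothing, while the request from `Desktop-xxxx` under `da-admin` trips all three checks and is rated high. The value of the reasons list is operational: "not domain-joined" tells the responder that WDATP has no timeline for that host, so the investigation has to pivot to the account, exactly as slides 39 and 71 describe.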
76. Further resources (https://aka.ms/MCRA):
Securing Privileged Access
Office 365 Security
Rapid Cyberattacks (Wannacrypt/Petya)
Video Recording Strategies
SQL Encryption & Data Masking
Office 365
Dynamics 365
+Monitor
Data Loss Protection
Data Governance
eDiscovery