Join Pete Zerger for an in-depth discussion in this video Working with suspicious activities, part of Microsoft Cybersecurity Stack: Advanced Identity and Endpoint Protection.
- [Instructor] Now we're going to take a look at investigating suspicious activities with Microsoft Advanced Threat Analytics. But before we do, we're going to take a quick look at a vulnerable Windows 10 workstation and talk about how such an attack might take place that leads to the need for a post-breach tool such as Advanced Threat Analytics. So I'm on a Windows 10 workstation without proper protection here. I'm going to take a look at msinfo32, which is the system information utility.
And I notice here that virtualization-based security is not enabled. Credential Guard is not in place, so I have a workstation where credentials are stored in clear text. Perhaps we don't have good protection against phishing attacks with something like Exchange Online Advanced Threat Protection, and a user clicks on a suspicious email and unintentionally installs malware, like mimikatz, for example, the tool commonly associated with credential theft. So now our attacker has a foothold and they can execute a pass-the-hash attack.
So I'll just type out some of the commands here to execute pass-the-hash to show you what this looks like. Incidentally, the commands for this pass-the-hash will be included in the downloadable content related to this course. So I've elevated my permission at this point, and now I'm going to dump the credentials. I'll dump the passwords, the hashes, on this system. And again, you don't need to remember these commands; they'll be available to you, so you can explore this same sort of attack on your own.
But what I'm going to do now is just go up the list of the credentials that I've just dumped from memory here to see what I can find. And look what I see at the top of my list here. I have Administrator for the Kinetecoenergy domain, and there is the NTLM hash for that account. So without Credential Guard in place, I have access to that hash. That hash is what we need to execute commands and authenticate against other systems in the environment to move laterally. So now the attacker has everything they need to take that next step.
So I have some of the commands right here. All I have to do is put together the right command with a user, a domain name and that hash, along with the command I'd like to run. So let's just say I want to run an elevated command prompt. So I'll just clear my screen here. And I'll paste that in, so I'm simply passing in a username and, as the password, the hash, and I'm going to launch an elevated command prompt. And there we go. So now I have an elevated command prompt, I can now map a drive, so I can just go to the kinetecoenergy.com domain.
And let's map to SYSVOL. And so, that easily, I've now gotten right there to the heart of a domain controller. So, this is a really common attack as well. Perhaps the most common attack. So let's have a look now at the after. I'm looking at an Advanced Threat Analytics installation that's been running for a while here, so we can get a sense of the events that are being read and how these are surfaced by Advanced Threat Analytics. So, when I go to my ATA portal, my ATA console, I'll click on my timeline icon.
This one right here in the upper right. This shows me events from the most recent date down. And if I just cycle through some of these, I can see some remote execution with legacy protocols; I can see that ATA has spotted some sensitive credentials exposed through an LDAP bind. And as I keep scrolling here, I see a brute force attack. And all the way down to what looks to be potentially a pass-the-hash attack.
This "unusual protocol implementation." And I can click on that event, and you see that ATA shows me information about all of the entities involved. So that domain synchronization role, which is bringing over information about my entities, my users, my groups, my computers, shows me that David Zazzo has some unusual activity going on from his Windows 8 workstation here. Windows 8 being one that I can't even protect with Credential Guard, and another motivation to get my environment up to Windows 10 so I have those modern protections.
And I see the details of all the entities, and I can pivot here from the user to the client and see some information about the client itself. So I can see here who's recently accessed this system and what resources have been accessed from this system. So, with Advanced Threat Analytics, I get a lot of detail, and you couple this with another post-breach tool like Windows Defender ATP, which is going to give us process-level detail from the systems, so we have two separate engines processing information about our environment, giving us complementary views.
And you see in the ATA console here, it also shows me some information about the health of my environment; it tells me that it recently learned about a computer, likely through that domain synchronization process. I can search for any of these right here in the search box at the top of my screen. I simply need to type what I'd like to search on. So if I wanted to find David Zazzo, you see I can find all the Davids here. And it's going to show me a lot of information about any specific entity, but I can pivot in to look at a user or a computer, or I can step back and look at the larger picture of potential breaches in my environment.
So as you can see, there's a lot of functionality with Advanced Threat Analytics, and if there's anything worse than being breached by a malicious actor, it's not having visibility into what the impact is. So, ATA is a must-have as one of the layers in your defense in depth with the Microsoft Cybersecurity Stack.
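The instructor's "before" check above is done by eye in msinfo32: virtualization-based security is off and Credential Guard is not running, so LSASS secrets (including the NTLM hash that the pass-the-hash step depends on) are readable by a local administrator. The script below is an added example, not code from the course or its downloadable content, that performs the same check from PowerShell so it can be run across a fleet rather than one workstation at a time. It reads the Win32_DeviceGuard CIM class, which is what msinfo32 reports from, and the LSA RunAsPPL registry value; the function name Get-CredentialGuardStatus and the output field names are assumptions made here, and the script assumes a Windows 10 / Server 2016 or later host where the DeviceGuard namespace exists.

```powershell
# Added example: report the Device Guard / Credential Guard state that msinfo32 shows.
# Assumes Windows 10 / Server 2016+ (the root\Microsoft\Windows\DeviceGuard namespace).
function Get-CredentialGuardStatus {
    [CmdletBinding()]
    param()

    $dg = Get-CimInstance -Namespace 'root\Microsoft\Windows\DeviceGuard' `
                          -ClassName 'Win32_DeviceGuard'

    # VirtualizationBasedSecurityStatus: 0 = not enabled, 1 = enabled but not running, 2 = running.
    # Keys are cast to [int] because the CIM property is a UInt32 and would not match Int32 keys.
    $vbsStates = @{ 0 = 'Not enabled'; 1 = 'Enabled, not running'; 2 = 'Running' }

    # SecurityServicesConfigured / SecurityServicesRunning are arrays of service IDs:
    # 1 = Credential Guard, 2 = HVCI (hypervisor-enforced code integrity).
    $cgConfigured = [bool]($dg.SecurityServicesConfigured -contains 1)
    $cgRunning    = [bool]($dg.SecurityServicesRunning    -contains 1)
    $hvciRunning  = [bool]($dg.SecurityServicesRunning    -contains 2)

    # LSA protection (RunAsPPL = 1) is a separate, weaker mitigation than Credential Guard:
    # it stops unsigned code from opening LSASS but does not isolate the secrets themselves.
    $lsa = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa' -ErrorAction SilentlyContinue
    $runAsPpl = ($null -ne $lsa) -and ($lsa.PSObject.Properties['RunAsPPL'] -ne $null) -and ($lsa.RunAsPPL -eq 1)

    [pscustomobject]@{
        ComputerName                = $env:COMPUTERNAME
        OSVersion                   = [System.Environment]::OSVersion.Version.ToString()
        VirtualizationBasedSecurity = $vbsStates[[int]$dg.VirtualizationBasedSecurityStatus]
        CredentialGuardConfigured   = $cgConfigured
        CredentialGuardRunning      = $cgRunning
        HvciRunning                 = $hvciRunning
        LsaProtectionEnabled        = $runAsPpl
    }
}

$status = Get-CredentialGuardStatus
$status | Format-List

# The condition the instructor demonstrates: no Credential Guard means a local admin can
# dump NTLM hashes from LSASS memory and reuse them against other hosts.
if (-not $status.CredentialGuardRunning) {
    Write-Warning ("Credential Guard is NOT running on {0} (VBS: {1}). NTLM hashes in LSASS " +
                   "are exposed to any local administrator and can be replayed with pass-the-hash.") `
                   -f $status.ComputerName, $status.VirtualizationBasedSecurity
}
```

Run it in an elevated prompt; the CIM query itself does not require elevation, but running it the same way on every host (for example through a remoting session or a scheduled collection job) gives you the fleet-wide inventory of which machines still store reusable hashes in memory, which is exactly the population a pass-the-hash attacker will look for first.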