>> So, um, fun fact about this picture here, this was actually the IBM Toronto Downtown Data Center in 1963. Um, but, but now it's a sushi lounge I think... [Laughter] So, who am I, uh, my name is Chris Thompson, I'm the red team and ops lead for IBM X-Force Red, or X-Force Rouge as we call it in Canada. Uh, my job involves conducting red teaming ops against defense contractors and some of North America's largest banks. Uh, I'm also on the newly formed CREST USA Board that just launched with smart folks like Chris Nickerson and Tom Brennan. Um, and, I, uh- I also teach network and mobile pen testing at, at a college. So, why am I talking about Microsoft? Well, uh, they're coming out with two new products, or, or they've kinda released them in trial mode right now. Uh, one's known as Microsoft Advanced Threat Analytics, and the other is Advanced Threat Protection. Um, so when you're dealing with, in red teaming, when you're dealing with really large Fortune 50s, um, many of these blue teams that we are up against, not so surprisingly, have their sh*t together. Um, I've come up against some really good detection strategies actually uh at clients recently that have integrated tools like Sysmon and AppLocker, and EMET, and Event Log Forwarding. Um and they've put in place products like CrowdStrike for host behavior analytics, they've put in tools like Rapid7 UserInsight for domain behavior and user behavior analytics. Um, and so I've spent a lot of time coming up against these, um, trying to figure out how to bypass or evade them at- as a whole. So, aside from being a horrible f*cking talk title that drunk me thought up and thought sounded funny on uh CFP submission night, I think of tactical nukes because they are intended to be strategically used uh forcing adversaries to rapidly react and change their tactics. And that's what I think Microsoft is arming the blue team with, uh, with these 2 new products.
So when I saw that they were coming out with the host and domain based behavior analytics and that Advanced Threat Protection was being built directly into Windows 10 Enterprise, uh, I knew this was going to be an area that as red teamers, everyone is going to come up against soon. So I knew it was an area we needed some more focus. Uh, especially when ATA and ATP are gonna be integrated together this fall. Um, so this is the uh first talk I'm aware of on actually evading or bypassing ATP and only the second on ATA. Uh, Nikhil did a talk on ATA just on Thursday at Black Hat. Uh, and so because we're pretty early in the history of these products, uh, I've withheld a few techniques that I wanna cover later at Wild West Hackin' Fest. So there's still tickets available, you guys should definitely get on that bandwagon and come party in uh South Dakota. Um, but there's also probably a sh*tload of techniques that I didn't think of or test or don't- can't even fathom in my limited brain, so, hopefully this inspires you to try to rip these technologies apart yourself. So, uh, to set the stage, when I developed uh, IBM X-Force Red's, uh, tactics, techniques, and procedures or RTTP uh, for red teaming, I put a huge emphasis on host and internal recon uh, as being very distinct phases. A lot of people, they get a shell on a box and they immediately start trying for lateral movement an- and gathering information about the domain and all that sort of sh*t, but, what they're not considering is um, what IOCs they're leaving on the host itself and what detection technologies might be on the host beyond, you know, sh*tty antivirus that you probably run into all the time and you don't really care about it catching you because the worst that happens is your, your PowerShell stager doesn't launch and you just have to try it again or something.
So, uh, to become better red teamers and operate against these more mature blue teams that we're coming up against at these larger, larger companies, we need to gain a better understanding of what IOCs and tools and techniques we're leaving behind. So, what commands might be caught by different script logging, and what's flaggable by Sysmon, uh, what's being forwarded by Windows Event Forwarding and importantly, how can we use different techniques to avoid user behavior analytics. So, uh, with, with AI coming out and more behavioural learning being applied to uh, IOCs, companies are getting a lot better with actually detecting malicious user behaviour instead of just getting spammed in your SIEM so you turn your SIEM off. Um, so we, we're going to see a huge rise in this in the future. So, here's Microsoft's kill chain as it relates to ATA and ATP, um, not shown on the graphic to the left is Office 365 ATP which is a separate product, it's focused on pre-breach, Dave Kennedy ripped the, ripped it apart and showed some easy bypasses on their email sandbox. These 2 products are completely separate. Um, so we're focused only on post-breach and Microsoft's approach with these two products. So Advanced Threat Protection and Advanced Threat Ana- Analytics. So, for simplification purposes, you can think of ATP like CrowdStrike and ATA like Rapid7's UserInsight, another kinda like domain user behaviour analytics. So, my lab setup real quick, it's not running on a Compaq Presario, uh, it's running, uh, with multiple 2016 DCs, lots of subdomains, lots of dozens of member servers and Windows 10, uh, 1703 workstations which is the- the new Creators Update that just came out, and that's important. So keep that in mind in a second. Uh, I ran all these commands against multiple hosts and domains and ATA instances so to try and make sure everything I'm reporting on is accurate. That said it is a test environment so it's hard to replicate real-life, prod user behavior analytics.
Like it's one thing for me d*****g around in my lab versus a huge corporate network where there are real people using specific resources. Uhm, so a quick, uh, overview of ATP - uh, it's currently, uh, installed on more than two million devices - I think most of those are at Microsoft. [laughter] But, uh, it's a, uh, you know, it's quite prevalent for how, uh, its install base. Uhm, so, uh, this is the, uh, I should point that out, so basically you have your behavioral sensors on the left and they send, uh, telemetry data and, and, you know, different data gathered, gathered off the host from registry keys that were created; services that were created. You know, weird, weird commands that you might be running and they send all that raw data to the cloud; or, or the portal. And, uh, once it hits this portal it starts to analyze that and if it's a very easily detectable type of attack you might get an alert within five minutes. If it's a very complex attack where you're using, you know, uhm, different obfuscated PowerShell cradles and launchers. You might take; uh, it might even take, it might even take up to a full day to get an alert. Uhm, these sensors are actually embedded in Windows 10 Pro and Enterprise already. To activate them is just, uh, like a five line activation script. So, uhm, in 1703 that just came out - that was paired with ATP Release 2 and in the fall with the upcoming fall, uh, update - that's going to be ATP Release 3 on Windows 10 1709. So, uhm... Because there's a delay in that detection period, if you, if, if you are going for a quick smash-and-grab against a less mature organisation, sure you could probably get in, uh, you know, grab whatever you're after and get out before they even got the alert.
But we're not talking about those Swiss cheese organisations - we're talking about actual mature companies that have their s**t together and they've mostly patched and hardened all their systems and, you know, they've made it a lot more difficult for red-teamers. So, uh, in ATP, in addition to that prompt tool where you can see, you know, different, uh, execution, uh, attacks that are found; different machines reporting malware and stuff like that. You can see the process tree - so there's Empire being launched - it's showing the obfuscated commands, that kind of stuff. Uhm, you can follow the attack path so if somebody opened it in one process and then launched another malicious command in another process or laterally moved around the network you can kind of track that. Uhm, if you want to quarantine a file that you've seen on more than a couple of boxes it's really simple to do. Just point and click; uh, same with if you wanna isolate a Windows 10 box off your corporate network. It's just a matter of hitting actions and hitting disable and then you can tell them, you know, uh, you shouldn't have opened that phishing email or what have you. So, in Release 3, that, again, is coming this fall, uh, is the Fall Creators Update or the Autumn Creators Update if you're from the Europe, the Europer, uhm... [laughter] Uh, the, uh, Defender brand has been expanded and, you know, I, I can't say, you know, I'm a marketing genius but I wouldn't have picked 'Defender' as a brand to, kind of expand and go behind but, anyways... [laughter] That aside... You've got, uh, Windows Defender Antivirus that we all love. Uhm, and that's their traditional AV. You've now got Advanced Threat Protection or 'ATP'. Uhm, EMET, or EMET, is coming back, uh, as 'Windows Defender Exploit Guard'. And EMET is actually a really good tool. Uh, you've got Application Guard coming under the Windows Defender brand; Device Guard, Firewall and Credential Guard.
And interestingly enough, they're going to start supporting more operating systems. So, in the fall I believe, uh, 2012 and 2016 Server are gonna support, uhm, ATP. It's not a full implementation yet, I think in the spring update that's coming out it'll be more ingrained into the operating system. Uhm, and integration with ATA is also coming in Release 3. Uh, as well as better correlation of the activities run across multiple processes and sorts of stuff that they tell me and I look forward to putting that to the test, ripping it to s**t - but we'll see, we'll see how it goes in the fall. So, a little different about the Release 3 dashboard than the dashboard you saw before is that you can see all those unique security technologies that I talked about like Exploit Guard and Credential Guard being reported, uh, at the bottom right. You can see the operating systems bottom left - all sorts of, uh, improvements that bring all of these distinct security technologies that were just being deployed by Group Policy or SCOM or, uh, SCCM, and, and not really reporting into anything. Uh, and now everything's talking together and everything's being reported to the cloud. So, uhm, again, with this being built into Windows 10 it comes bundled if you grab the new E, E5 license or the new Microsoft 365 for Enterprise. So, this isn't some obscure license that nobody's gonna bother to grab; it's actually a, a pretty mature, uhm, integration into the Windows uh, you know, whatever you wanna call it - the, the total Windows suite. So, it's very easy for enterprises to get this in place so, as red-teamers we're gonna start to see it everywhere, uh, in a few months' time, I'd imagine. So, let's actually look at ATP in play. So, uhm, if we start with PowerShell - ATP will detect, uh, PowerShell download cradles and launchers gen, generated, uhm, by Empire and Cobalt - all the, all the default launchers.
Uhm, it'll also detect heavily obfuscated PowerShell commands and download cradles such as that custom, uh, cradle with, uh, Cobalt reverse DNS payload or, uhm, quite a lot of the payloads that are created by the ObfuscatedEmpire project. Specific to PowerShell are, uhm, are also caught. Uhm, then the reason for this is, like, Microsoft gave us an amazing attack tool with PowerShell, uh, and we've been favouring using PowerShell.exe or PowerShell Core and the underlying Windows Management Framework, for several years, due to how flexible it is as a language and as a framework and how easy it is to use. Uh, and as attackers we've seen some amazing tools come out. So, we've seen Empire, PowerUp, Unmanaged PowerShell, Not PowerShell, Nishang, PowerView, UserHunter and BloodHound. Uhm, but now they're gonna take away our shiny new PowerShell tools, uh, by building this post-exploitation tool that leverages all those security improvements that are kind of built into Windows Management Framework 5, PowerShell version 5. Uh, to detect these tools in use. So, ATP is leveraging all of those technologies you see there before you. Uh, due to time constraints, I won't cover these in detail. If you're already on red or blue team - chances are you've, you've heard about this being talked about for the last couple of years. Uhm, but now you're gonna actually see it, you know, in a lot, leveraged a lot more, uhm, by Microsoft. So, you've got script block logging; transcription logging; if you use a suspicious string that's built right into PowerShell version 5 there's now constrained language mode - uhm, which is, uh, activated automatically when you use AppLocker. Uh, there's support for J, uh, JEA or 'Just Enough Administration'. There's also AMSI or the 'Antimalware Scan Interface' which covers PowerShell, VBScript and JScript. A lot of the attacker tools that are common for getting an initial payload - on a box.
Uhm, and a, a typical way to bypass these up to now has just been to, you know, load PowerShell version 2. Uhm, cause it doesn't support any of those. But, uhm, .NET 2 in, in Windows 1703 or the Creators Update isn't, uh, enabled by default, because it uses .NET 2.0, so, that's not there. Uhm, and it's not supported - PowerShell version 2 is gone altogether coming the, uh, fall update in Windows 10. Uhm, so, we can't use that technique to get around all that, uhm, there's going to be some more persistent wide transcripts, uh, common techniques leveraging double script shells are also caught, uh, you know, saying those if you use Not PowerShell - like Ben Ten's tool, uh, or those that directly call System.Management.Automation.dll - because they're forced to use Windows Management Framework 5. So, they're, you're not getting around it by just blocking PowerShell.exe. All of these are built into the framework core. Uhm, and we've seen bypasses for a lot of these as individual technologies but as red-teamers, you know, obviously we need to get better at streamlining those techniques and chaining those techniques and chaining them together and now also taking into consideration, uh, ATP. Uhm, so, as a result of these improvements what I found is that, we kinda have to go back to living off the land - uh, selectively running PowerShell when we're confident we've disabled or can silently evade these new security, uh, capabilities that are, that are kind of standard in Windows 10 now. Uhm, so ATP is also pretty good at detecting, uhm, using like signed binaries to launch malicious executables based on, uh, normal behaviours. So, if you launch something and all of a sudden it's calling out over HTTP, or Tor, uh, using VBScript in a macro-enabled document or something like that it's going to be flagged.
Uhm, you can see based on some of those alert examples that many of the initial, kind of host, uh, recon or initial execution or privilege escalation activities are gonna be flagged due to the common underlying techniques that are used. Uhm, so, Tavis has been doing some amazing work ripping traditional Defender Antivirus to s**t lately. Uhm, and a lot of that is due to Defender running as LocalSystem. So, ATP is also running as LocalSystem because it's embedded into Windows 10. But the problem with this is that because Defender auto-updates - by the time any of you guys saw his tweets, probably your Defender instances were already auto-patched. So, uhm, if a vuln is responsibly, dis, disclosed - we're not going to be able to use it a week later cause most of the organisations that were vulnerable to it already patched. So, do similar bugs exist in ATP? More than likely but who's really burning their 0-days? And if somebody does it just gets patched and, you know, the rest of us script kiddies won't get to use it. [laughter] So... While you can get on the box initially using all those, uh you know, cradles, the name of the game is to not get caught. You don't wanna, you know 'Oh, yea, we got a shell, oh yea, we, we kicked you off the box immediately - good, good for you.' Good red-teaming, right? It's, it's about not getting caught so early - so, we want to get on this box initially undetected and a couple of ways I found to do that, uhm, so, uh, Vincent put out CACTUSTORCH - doesn't call the Kernel32 API directly and as a result, uhm, it's not, it's not detected. Uhm, using signed executables to load like a Cobalt stage-less, stageless DNS, uh, based reverse payload. So, uh, it will catch, uh, HTTP but, but not DNS at this time. Uh, or executables that use ATP by, by tech, bypass techniques created with, like, Veil, uh, using Go or Shellter. Uhm, as long as they're not, like, connecting out to newly registered domains or, or connecting out to Tor.
Uhm, so, the, the challenge doesn't stop, again by, by getting on the box undetected initially - that's the easy part. The problem with, uh, the problem is detection of the activities that we perform or the commands that we run after we get our initial foothold. So, you know, creating new processes, doing host recon in the environment settings or local groups and attempts to bypass all those kind of security controls that we're talking about. Or trying to do local privilege escalation; or trying to go out and, and enumerate information about the domain - that's what we're, we're worried about getting caught on. So, those commands should probably be pretty, uhm, standard to most red-teamers, uhm, they're all a lot of like MITRE ATT&CK framework in jscripts laws and stuff. Uhm, they're pretty much all caught if they're issued in the same 24-hour period. So, uhm, depending on the method you use to create new processes, to run these commands individually that might also be flagged. So, instead of waiting 24 hours to put these commands in, we need a faster way to collect info. At this point in time, WMI is not detected, uhm, though it reportedly is in Release 3 and, uh, a lot more in Release 4 - they, they should be, uh, because WMI logging - while it's not enabled by default, uhm, it's really easy to enable and start to do the same sort of detection on it. Uhm, so, you, you, you can, you know, use wmic or you can use a cmdlet or you can, you know, use a lot of different techniques with WMI. Uh, preferred method is, is to use, uh, directly use the Windows APIs - so, going back kind of living off the land and not relying on Empire and other scripts immediately, uhm, you can, uh, if you use Metasploit modules you wanna make sure they're only doing local APIs through Railgun. Uh, you don't wanna use, uh, different modules like local_admin_search which uses command exec and, and communicates with DCs and whatnot.
And Cobalt's got a lot of stuff that's API only as, as well. So, if you look at more common, uh, bypass techniques - most of these won't work. As an admin you could modify the registry and disable the service which is called 'Sense' - but it won't take effect until the next reboot. Uhm, you could probably also modify file permissions on the executables or, or folders but that's really noisy. Uhm, unlike CrowdStrike, you can't just uninstall it as an elevated admin. You need a SHA-256, uh, signed key, uh, with, that's unique to your organisation and the certificate to uninstall it. Uh, and the offboarding scripts are only valid ten days - so, if you find an offboarding script on a Windows share, uh, chances are you won't be able to use it. The reason for this is because of Protected Process Light - so, you'll see that there's an additional value in that certificate called, uh, 'PPL verification', uh, that means that, uh, many of the, the security restrictions that were applied to the system process can now be applied to user-mode processes. It's, uh, basically binary signing and verification with, uh, Windows cert. Uhm, after the service launches as protected you, uh, can't, kind of, uhm, do code injection into it from other admin processes or even if you're running as 'system' - you can't read or inject into a PPL process. Uh, even if you have debug privileges enabled. Uhm, Windows Defender AV started using, uh, Antimalware PPL which is a lower version. Uhm, so you can use TrustedInstaller, uh, with, uh, Google Project Zero's bypass to, to uninstall and delete Windows Defender AV but, uh, in RS2 for whatever reason Microsoft started using, uh, the Windows PPL which is, uhm, makes the process configured as not-stoppable. So, we can't use the same technique. Uh, at least that I've, I've seen so far. So, uh, the ATP sensor uses Windows telemetry or DiagTrack to report sensor data and communicate with the ATP cloud.
Uh, unlike ATA all the 'comms' are directly to the cloud - there's no local ATP console or event log forwarding. So, believe it or not, that's, that's actually, uh, an advantage to us, uh, because these are static cloud addresses. So, uhm, the WinHTTP API which, uh, DiagTrack uses, uhm, can actually be configured by any user, uhm, on, on the box. And, uhm, it will statically set and follow any proxy settings that, that we set. So, if we, uhm. Use just these two registry keys to, to turn off auto-detect and then to give us an attacker's, uh, auto-config file, uh, which is, which is there. Basically we just say, uhm, if traffic's going to any of those ATP dep, domains - just sinkhole them. And we turn, uh, directly onto the internet or you could configure the corporate proxy there for all other traffic, so really, really easy way to sinkhole all that traffic. If you were using Responder or, uh, Inveigh on the, uh, internal network you could probably serve up that WPAD file to other Windows 10 boxes on the internal network and shut down Windows 10 across, the, the network. Uh, at least the local subnet before you laterally move to those boxes. Uh, I spoke with the team at Microsoft - they were really communicative, uh, they're actively pursuing implementing some backup comm channels, uh, after which you can't use this technique anymore but, uh, for now, uh, go nuts! [laughter] Uhm, DiagTrack or telemetry is not a protected PPL process, s, as an admin we can just shut it down. Uhm, so you can see that, uh, that telemetry service is really the Achilles heel for, uh, ATP. So, this is a quick snippet, of, a PowerShell tool that I'll, uhm, put on my Git. Uhm, basically it resolves the ATP cloud hosts and then uses the Windows built-in firewall to block outbound traffic or inbound traffic to, uh, any of those domains.
So, uhm, because this requires elevated privileges you first use the previous unprivileged block and then you put something more, more per, per, permanent in place here. Maybe you'd run, a, PowerShell tool like PowerUp to quickly elevate your permissions on the box and then, uh, implement these firewall rules. Uhm, interestingly enough, uh, you could use the same technique to block all Windows event log forwarding, Sysmon or what-have-you. So, if you're worried about Sysmon reporting different techniques running on the box - well, it relies on Windows Event Forwarding to send it out - so we can just block Windows event log forwarding now. Uh, so why would we block instead of disable or try to look for, uh, a one-time exploit in this? It's just, it's very quick - doesn't require escalating to system to modify file permissions or we don't have to find some new PPL bypass. Uhm, when we block comms from a Windows 10 box to the ATP cloud, it actually doesn't show up as an issue for like four or five days. [laughter] Because, you know, people go on vacation - if they started flagging that, can you imagine the amount of, of, you know, spam that, that, uh, blue-teamers would get? So, you know, nobody's gonna enable as soon as it does not communicate for five minutes - send an alert, right? So, I don't see that being, you know, too easily fixed. Uhm, so that gives you quite a few days to, to mess around from that box. Uhm... So, so now that we've blocked ATP, uhm, we can start to look at comfortably running commands without being flagged by that local ATP instance. Uh, so, let's have a look at Advanced Threat Analytics now. Uhm, it's intended to detect typical Active Directory domain recon and credential attacks, uh, and as of this fall it's actually gonna be, uh, integrated with ATP. Uhm, and version 1.8 actually came out a couple of weeks ago - so then I had to redo all of my research. Uhm, to make sure that it's still relevant, so.
I think they intended just to screw Nikhil and myself up, but... Uhm, so, if we go over ATA real quick - there's four main components. Uh, you've got the ATA Console which is the, the UI; it's running on top of the ATA Center. You've got ATA Gateways and those can either be full gateways that are grabbing, uh, mirrored port traffic. Uhm, or you can install a Lightweight Gateway directly on a domain controller and yes, it'll grab all the events directly, uh, from the box. Uhm, a MongoDB stores all the data, uh, from the different gateways, uh, on the ATA Center. Uhm, and interestingly enough if you wanted to screw with ATA comms, while I was troubleshooting that upgrade from 1.7 to 1.8, I found that, uh, there's no role-based access to that MongoDB. So, if you got on the ATA, uh, Center, you can modify, delete events; you can white-list certain events so they're never flagged. Uh, and you know, you can do that all in the background without, you know, anyone who's monitoring the logs finding out about it. Uhm, you, you can also integrate it with, uh, SIEM, uh, with Syslog or, maybe your VPN, uh, with RADIUS so you can see different authentication events and whatnot from there. Uhm, Lightweight Gateway actually used, uh, event log forwarding before 1.8 which I had, had a nice little block for but now all those events are read locally. So, there's the, uh, ATA Console - shows the timeline of events, uh, and alerts, uh, and there's a quick notification bar on the right so any new alerts popping up - you can see them if you're monitoring that console. Obviously you, you know, can do email alerts based on severity and whatnot. Uh, there's an example alert where you can see, you know, as attack, as a blue-teamer you can dive into some of these attacks and kind of see not only what box it's coming from but what client; what resources that person accessed with their pass-the-ticket attack. So, it's, you know, it's a pretty, uh, pretty robust tool in that sense.
Uh, you can see history of the user; history of the box; history of the, uh, the workstation; uhm, to see, you know, if there's any suspicious queries or, or commands going on. And then when, uh, ATP integration comes, you know, that's gonna be very useful because you can use this, this domain information as much as possible and then see it integrated with ATP and dive deeper. So, uh, ATA requires a learning period of a month for their user behavior analytics. Uh, and one week to detect encryptions and, and skeleton keys and vuln tickets - according to Microsoft. Uhm, so, just a recap, you know, testing in my lab isn't like testing in a real corporate, uh, network - so it's hard to accurately test, or to test user behavior analytics. So, uhm, I'd, I'd say whenever possible you wanna perform as much as your attacks from, uh, like help desk or privileged user boxes - so target the help-desk users because they're often RDP-ing around and using PowerShell and you can read all their RDP history and session history and PowerShell history and their bookmarks and you can know where they're going around the network and where you'd expect their behaviour to be. Uhm, so that, that, that's, you know, one obvious technique to keep, uh, unusual or abnormal behaviour from being flagged. So, uh, let's look at some of the uh, uh, commands that we typically perform next now that we're pretty confident that, you know, we've disabled ATP and we, we can start to look, to look around the, the network. So, typically we do some internal recon and id, identify subnets and VLANs we wanna go after. Uhm, you know, look at AD recon - so looking at what domains and forest trusts and group memberships; what users are out there; what admins are out there. Uh, also look at, uh, asset recon so you wanna, you know, look through those CyberArk password vaults. You wanna look for SharePoint, uhm, you know, all those targets of value, places where they have high-value or intellectual property.
You wanna discover what IPSs or web-filtering or proxies or behavior analytics or DLPs are in use before you start going buck-wild on the internal network. Uhm, so, uh, you know, often people do a lot of DNS lookups to try and map out the internal network - a lot of these, especially if you're doing DNS brute-forcing, there are gonna be flags, so, if you're using a tool like Fierce and you're trying to do some zone transfers and brute force internal names - a lot of that is going to be caught. Uhm, you can cut down on this by, by, you know, minimizing the frequency of, of how many, uhm, records you're trying to, to grab but there's obviously easier ways to get information about the internal network. Uhm, a lot of AD recon techniques are caught because they remotely connect to the DC where, a, uh, you know, ATA is running on. And enumerate info using the SAMR protocol. Uh, sorry, the SAM-Remote protocol. So, commands like, uh, 'net user /domain' to grab a list of all the domain users, for example. Performs directory services queries and by default asks for a lot of, asks for a lot of account properties and information that's pretty easy to flag on if ATA is monitoring the, uh, the event logs. Uhm, ATA applies a learning period to this alert in particular to cut down on false positives, so, uhm, it's normally in place after about a month. Uhm, with that being said, uh, we can use, uh, we, we can query LDAP via, uh, PowerView to grab a list of, uh, computers and group members which is pretty normal, uh, user traffic on a domain. It's, it's gonna be pretty hard to flag on that and, and not get a lot of false positives. Uhm, another, uh, technique I like to use because it doesn't communicate with, uh, Active Directory at all is to, uhm, just do, uh, WMI CIM queries - they're run directly against the user's local WMI namespace and ah, not communicating with the domain controller at all.
So, uh, Windows, uh, WMI cmdlets, PowerShell version 2 plus, and CIM cmdlets, PS3, PS version 3 only, but they both accomplish the same thing. You can use, use wmic if you want to do that. So, in that example, you know, we're, we're trying to find, uh, admin, admins within the depth of, you know, another example we're looking for, uh, domain group, uh, memberships, uh, or we could even identify ATA in use if we just query for the default, uh, group name which, uh, isn't changeable at the moment. So, uhm, a lot of people have shifted to using UserHunter and BloodHound as, you know, the fancy, uh, tools which query all the servers and try to find active SMB sessions on those boxes to map out, you know, who's using the box; who has an active session and, uhm, you know, when you know the, the, uh, group members are domain admins and whatnot, you'll see how valuable these techniques are because you can quickly map out an attack path to go after, after domain admins by, you know, BloodHound telling you to pop box A, box B, box C - grab these creds and you're domain admin. Uhm, by default, uh, UserHunter first queries the domain controller for a list of domain member computers which obviously includes the domain controllers themselves so, uhm, you know, that's gonna be flagged and you'll see in the bottom right - if you can see, uhm, the alerts - because we communicated to the domain controller to get that list of, uh, computers. But we, we can easily, just, just as easily exclude domain controllers from this, uh, list - so, if we manually give it, uhm, a host target file, uh, which doesn't have any domain controllers involved we can still do all that SMB, uh, session enumeration and find where our admins are and where those privileged users are and, and find who we have to go after and attack. So, now that we've got info on potential targets such as privileged users let's look at lateral movement. So, you know.
This typically involves leveraging that gathered SMB session information or SPN info and any group info to go start to target those privileged accounts. Uh, and you know we perform several remote code execution or something to, to get on those boxes. So, ATA is decent at, uh, detecting PsExec, uh, cause binaries are dropped to disk and processes are started, and WMIExec cause, uh, it's running directly against the AT- uh, sorry, directly against the domain controller, and because ATA is monitoring the domain controller's logs it's, it's very easy to detect it. Uhm. It may be able to detect, uh, abnormal user behavior against all the domain workstations and servers, uh, but again, that's based on user behavior analytics. So, if you're going after a lot of boxes that you've, you've never touched before from that user account it's going to see that as suspicious because you successfully authenticated to a lot of different boxes. Uhm, but there's definitely a gap in detection for lateral movement for ATA, but, uhm, I think that's going to be narrowed down quite a bit when the ATP integration comes down the line. Uhm, if you wanted to perform, uh, an overpass-the-hash attack... so, pass-the-hash attacks are really easily detected, uhm, and I'll tell you why in a minute, but if we want to use an over-, uh, pass-the-, uh, hash technique, uhm, it flags as an encryption downgrade because, uhm, we're using, uh, an NTLM hash and that uses, uh, DES-CBC-MD5 and so, uh, in authentication logs it's really easy to see that only those, uhm, encryption types are being used. But if we instead use the, uh, AES 256 key, uhm, it's still gonna detect it because it doesn't see the right values in the AS-REQ, but if we also give it the AES 128 value and the MD5 or the NTLM hash it's not gonna flag it as suspicious activity.
Uh, it's, I find it's really hard to get the AES 128 key, uh, I don't know enough about it to, to figure out why, but I looked all through, you know, the main Mimikatz documentation and I couldn't see why, so instead I was like 'Well, what if I just gave it all zeros?' Yeah, it's fine... So... [laughter] You don't, you don't have to find the AES key and, and grab it, uh, for the ticket. It, it's just, you throw whatever 32 characters you want in there. Uh, silver tickets aren't going to be detected, uh, so if you're familiar with golden tickets and silver tickets, uh, golden tickets are, you know, that forged Kerberos TGT, uhm, which is valid for getting access to anything that is running Kerberos, but the silver ticket is a forged TGS. So, this means that the silver ticket scope is limited to whatever service is targeted on the specific server. So, it's not, uh, when we forge a silver ticket we don't have to communicate to a domain controller, and because we're not communicating to a domain controller, uh, ATA has no idea that, that, that this attack is happening. Uhm, and, you know, you can read, uh, on Sean Metcalf's, uh, awesome adsecurity.org site about all, you know, golden tickets and also silver tickets. Uhm, lateral movement: the SQL auth isn't detected as well because, because it's SQL auth, so, uh, the domain controllers aren't monitoring, uhm, that. So, if you target an SA box or you can perform SQL injection successfully on a SQL box you can move between different SQL servers and, uhm, and find one of those boxes that might have a privileged Active Dir-, Directory user logged in. You know - steal his token, steal his hash... Uh, impersonate that user and go from there. Nikhil, uhm, you know, demonstrates a lot of those techniques, uhm, on that link if you wanna learn more. Uhm, so once you have access to a privileged user it's time to, time to move towards actually achieving the primary goals of a red-team engagement.
So, that, those might include, uh, gaining dominance over the network, so, you may or may not need to grab the Active Directory database or the NTDS.dit, uhm, but it sure comes in handy and if you can do it without getting detected, why not, right? Uhm, you might need to access sensitive information such as financial records or IP, uhm, or you might need to gain privileged access to certain systems that, that are in scope. So, uh, a common technique, uh, to grab the AD database is to use DCSync, which effectively impersonates a domain controller and says 'Hey, I'm a, I'm a DC as well. Send me a full replication of your, your, your credentials' - basically. Uhm, so as you can imagine this is super easy to detect on because, you know, why is a Windows 10 workstation saying that it wants all the creds, right? So, it's super easy to detect upon. Uhm, so if you run DCSync within the same forest it's definitely going to be detected; across forests, uh, it might not be. Uh, you can, you can use the WMI Win32_ShadowCopy class to dump the NTDS.dit via shadow, shadow copies and you can use that without directly calling vssadmin, uhm, so it's a lot stealthier, uhm, but as of ATA 1.8 this is now flagged as a low severity event - not, not, you know, critical. We, we just grab all the AD creds but, but it's a low severity event. [laughter] Uhm, but it's not because we did volume shadow copy, it's because it's on a Win32_Process Create - so, that's probably an area that you can spend some time with and, and bypass that altogether. Uh, ATA 1.8 may also detect WMI exec methods but I, I couldn't replicate it in a lab environment. Uhm, not detected if you want to, uh, use PowerSploit and, uh, use PSRemoting to inject Mimikatz into memory and do LSASS injection - you can just, uh, grab the NTDS.dit there.
Uhm, there are ways to harden WinRM and PSRemoting, uh, via restricting, you know, PSRemoting access via groups and whatnot if you're a blue-teamer out there. Uhm, you can also use NinjaCopy because it does raw disk access, so instead of doing LSASS injection or, or doing volume shadow copy - we're just gonna directly do a raw disk access. So, you know, sometimes when you copy the, the NTDS.dit there are a couple of areas there that you might need to clean up, uh, but, but it's super easy to do. Or, or you can just try and grab it again and get a clean file. Uhm, and if you're a blue-teamer out there, you can detect, uh, raw disk access and LSASS injection fairly easily with Sysmon and then, you know, using Windows Event Forwarding to, to alert. Uhm, if you grabbed that NTDS.dit a while ago and you have the KB-, KB-, krbtgt or the 'Kerberos ticket granting ticket service', uhm, and you wanna come back three months later, uh, to create a golden ticket... [background noise] If you use the NTLM hash, uh, just like in an overpass-the-hash attack, uhm, we're gonna get flagged, uh, as an encryption downgrade as we're using RC4 and, uhm, the TGS-REP thinks that those, uh, properties should also include the AES key. Uhm, so if you just use the AES key you, you can, uh, generate a golden ticket no problem. You don't have to include the NTLM hash or the AES 128 key - I don't know why but, uhm, easy enough. [laughter] So, uhm, blue-team takeaways, uhm, how am I doing for time? I need sunglasses up here. Good? Two? All right. Uh, take a picture. [chuckle] [laughter] Uh, yeah, all right, I'll leave it up for a minute. So, you wanna harden SQL boxes; forest trusts; uhm, you wanna, uh, use Windows Event Log Forwarding, uhm, you wanna integrate all those new Defender ATP tools that we talked about and roll that across to your different servers.
Uhm, the spring update's gonna come probably with some good WMI detection so you gotta return, uh, to different Sysmon detection techniques. Uhm, if you're a red-teamer you gotta go back to living off the land and directly calling those Windows APIs. Make sure you're leveraging those awesome PowerShell tools only after you've disabled ATA, ATP. Uh, and make sure you're, you're running local ones that aren't directly communicating with, with the DC. You wanna look at RDP and PS session history to help avoid user behavior analytics by also connecting to those same, uh, uh, systems and, and resources. Uh, you wanna look at blocking Windows Event Log Forwarding cause that's one of the biggest techniques that people are using right now - with Sysmon and whatnot. Uhm, so thanks a lot for, for all your time. Uh, and thank you to all these awesome people and the Microsoft ATA and ATP team. [applause] And thanks to Simon for his art. [applause] Thanks guys!
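The blue-team checks the speaker mentions, raw disk access and LSASS memory access caught with Sysmon and the encryption-downgrade alert ATA raises when an AES-capable principal negotiates RC4, sketched as detection logic. This is an added example, not the speaker's or Microsoft's code; the event records are simplified, constructed dicts whose keys mirror Sysmon and Windows Kerberos audit fields, and the `Principal` and `AccountSupportsAES` keys are assumptions (the latter would be derived from the account's msDS-SupportedEncryptionTypes).

```python
# Added example: simplified detection logic for the blue-team checks mentioned in
# the talk. Not the speaker's or Microsoft's code. Events are constructed dicts
# whose keys mirror Sysmon (EID 9 RawAccessRead, EID 10 ProcessAccess) and
# Windows Kerberos audit (4768/4769) fields; "Principal" and "AccountSupportsAES"
# are simplifications (the latter would come from msDS-SupportedEncryptionTypes).

PROCESS_VM_READ = 0x10   # access right needed to read LSASS memory
RC4_HMAC = 0x17          # Kerberos etype used when an NTLM hash drives the request

def classify(event):
    """Return alert strings for one event; an empty list means nothing to report."""
    alerts = []
    eid = event.get("EventID")
    if eid == 9 and event.get("Device", "").startswith("\\Device\\HarddiskVolume"):
        # Raw volume reads bypass file ACLs but are logged by Sysmon as EID 9.
        alerts.append(f"raw disk read of {event['Device']} by {event['Image']}")
    elif eid == 10 and event.get("TargetImage", "").lower().endswith("\\lsass.exe"):
        granted = int(event.get("GrantedAccess", "0x0"), 16)
        if granted & PROCESS_VM_READ:   # query-only handles (e.g. 0x1400) are benign
            alerts.append(f"LSASS memory read by {event['SourceImage']} (0x{granted:x})")
    elif eid in (4768, 4769):
        etype = int(event.get("TicketEncryptionType", "0x0"), 16)
        if etype == RC4_HMAC and event.get("AccountSupportsAES"):
            # AES-capable principal negotiating RC4: the downgrade ATA flags.
            alerts.append(f"RC4 ticket for AES-capable {event['Principal']} "
                          f"from {event['IpAddress']} (possible encryption downgrade)")
    return alerts

def scan(events):
    """Run classify over a list of events and collect every alert."""
    return [alert for ev in events for alert in classify(ev)]

# Constructed sample telemetry, not real logs.
SAMPLE_EVENTS = [
    {"EventID": 9, "Image": "C:\\Tools\\copytool.exe", "Device": "\\Device\\HarddiskVolume2"},
    {"EventID": 10, "SourceImage": "C:\\Windows\\System32\\csrss.exe",
     "TargetImage": "C:\\Windows\\System32\\lsass.exe", "GrantedAccess": "0x1400"},
    {"EventID": 10, "SourceImage": "C:\\Users\\bob\\AppData\\Local\\Temp\\ps.exe",
     "TargetImage": "C:\\Windows\\System32\\lsass.exe", "GrantedAccess": "0x1010"},
    {"EventID": 4769, "Principal": "cifs/FS01", "IpAddress": "10.0.0.25",
     "TicketEncryptionType": "0x12", "AccountSupportsAES": True},
    {"EventID": 4768, "Principal": "alice", "IpAddress": "10.0.0.25",
     "TicketEncryptionType": "0x17", "AccountSupportsAES": True},
]

if __name__ == "__main__":
    for line in scan(SAMPLE_EVENTS):
        print("ALERT:", line)
```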