
ATA: from overpass-the-hash to Pass-the-ticket


April 10, 2018

Cybersecurity is a constantly evolving field. Working in it means continuously improving based on the analysis of threats, risks, and vulnerabilities, with the goal of reducing the attack surface available to attackers. Whether motivated by financial gain, notoriety, the urge to destroy, or simple amusement, attackers generally follow an approach that can be broken down into five main steps:

  1. Reconnaissance: identifying the target and gathering as much information about it as possible.
  2. Intrusion: the attacker enters the victim's information system through stolen credentials, an unpatched vulnerability, a phishing campaign, etc. Where possible, they then establish persistent access from the target's environment back to their own servers.
  3. Lateral movement: once inside, the attacker moves around the victim's network to compromise other systems and additional accounts.
  4. Privilege escalation: building on the previous steps, the attacker searches for and obtains privileged accounts (e.g., the administrator account).
  5. Exfiltration, corruption, and disruption: the final stage of the attack. Sensitive data is "stolen" (or rather copied), the information system is corrupted, and/or its services are disrupted or interrupted.

As this shows, defense in depth is necessary: the security of an IT system should not rely on a single element, but on a set of security tools and procedures. Several solutions on the market can help achieve this goal. In this article, we present Microsoft Advanced Threat Analytics (ATA).

Advanced Threat Analytics

Advanced Threat Analytics is a tool originally developed by Aorato, which was acquired by Microsoft. The solution analyses the network traffic of domain controllers (and Windows events) and looks for three main categories of threats:

  • Malicious attacks: Pass-the-ticket, Pass-the-hash, Overpass-the-hash, Golden ticket, reconnaissance, brute force, remote execution.
  • Abnormal behavior: ATA relies on behavioral analysis to detect abnormal logons, changes to sensitive groups, and lateral movement.
  • Security risks and issues: for example, a broken trust relationship between a computer and the domain.

The ATA architecture is based on two main elements: the ATA Center and the ATA Gateway (or ATA Lightweight Gateway):

  • ATA Center: the engine of the solution; it receives and analyses the data sent by the gateways.
  • ATA Gateway: a dedicated server that receives, via port mirroring [1], the network traffic of one or more domain controllers, together with their Windows events.
  • ATA Lightweight Gateway: an alternative to the ATA Gateway, installed directly on the domain controller; port mirroring is no longer necessary in this case.

[1] A technique that allows traffic from one or more ports to be copied to a destination port.
The ATA database is based on MongoDB. In addition, there is an option to send notifications by email. It is also possible to schedule the automatic generation of reports and their delivery by email.

Figure 1: ATA architecture

ATA can forward its alerts to a SIEM and/or a Syslog server. The solutions currently supported are HP ArcSight, Splunk, IBM QRadar, and RSA.

If a company offers VPN coupled with RADIUS to its users, RADIUS accounting events can be analyzed on ATA. Three VPN solutions are supported: Cisco ASA, F5, and Microsoft.

Proof of Concept

In this section, the solution is evaluated using an attack scenario, whose context is presented below. The tests were performed on ATA 1.8.

Environment

Accounts and groups of the hacorp.local lab domain (tables shown as figures)

Background and assumptions

  • Romanela Alcantar (ralcantar) uses the Admin-PC workstation.
  • The Service Desk group is added to the local Administrators group of the domain's PCs.
  • Manuel Austin (maustin) is a member of the local Administrators group of his workstation.
  • A Service Desk user (Kimberly Brian, kbrian) logged on to Manuel Austin's PC to debug an application that was no longer working. Once she had finished, she clicked "Switch User" so that Manuel could test the application and check that everything was working again; her session therefore remained open.
  • Personal antivirus software and firewalls on the PCs are disabled.

Administration interface

After installing ATA, the administration interface notifies us of the number of entities (accounts, computers, groups, etc.) present in the hacorp.local domain.

Searching for an account (e.g., Kimberly Brian) is also possible from this interface:

Figure 2: Kimberly's groups via the "About" tab
Figure 3: Tracking changes to the account
Figure 4: Account details

Start of the scenario

Manuel Austin has some hacking knowledge and will try to obtain administrator rights over the hacorp.local domain.

List of accounts and groups

Manuel begins by listing accounts and groups. By default, any user authenticated on the domain can run these commands, which query the domain controller over the SAM remote (SAMR) interface. This access can be restricted; see [17] for details.

Users present in the hacorp.local domain: net user /domain

All the accounts are listed. For information, krbtgt is the service account of the KDC (Key Distribution Center): its key is used to encrypt and sign the ticket-granting tickets (TGTs) issued to domain principals, which is why its hash is what the Golden ticket attack listed earlier relies on.

Manuel suspects that kbrian corresponds to Kimberly Brian, who was logged on to his workstation. The command net user /domain <login> displays, among other things, a user's groups.

kbrian is a member of the ServiceDesk and Domain Users groups. This information does not seem interesting to Manuel, who continues his investigation.

Which groups are present in hacorp.local?

Manuel now goes through a few sensitive groups (Domain Admins and Enterprise Admins) to match users to groups:

net group "domain admins" /domain
net group "enterprise admins" /domain

He deduces that ralcantar is an administrator of the hacorp.local domain and that administrator is a member of Enterprise Admins.

According to the ATA documentation, this reconnaissance stage (directory services enumeration) is only reported after a learning period of four weeks. We were unable to verify this, and a month seems rather long before raising this type of alert.

SMB enumeration

Manuel is beginning to get an overview of the user-group relationships in hacorp.local. Would it be possible to get the IP addresses of recently authenticated users?

When a user logs on, the workstation retrieves logon scripts and Group Policy objects (GPOs) from the SYSVOL share of a domain controller, so every workstation establishes an SMB session with a domain controller. By default, any authenticated user can list those sessions (NetSessionEnum API); Manuel does so with the NetSess tool against the domain controller:

The administrator ralcantar is currently connected from the machine 172.16.20.3. Manuel also sees the address of his own workstation: 172.16.20.4.

ATA detects this enumeration and raises an alert (see below). This lets us understand Manuel's actions and which accounts were exposed.

The solution then allows you to classify (see options below) this alert as a false or true positive:
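As an added example (not code from the original article), here is a PowerShell script that audits, and with -Fix applies, the two settings that close the enumeration paths used in the last two sections: RestrictRemoteSAM, the setting that the SAMRi10 script in [17] configures, which limits who may call the SAM remote interface behind net user /domain and net group /domain; and the SrvsvcSessionInfo security descriptor, which by default lets any authenticated user call NetSessionEnum, the API behind NetSess. The -Fix switch, the choice of local Administrators as the only permitted SAMR callers, and the function names are this example's own assumptions; run it elevated on the host to harden (the domain controller, for session enumeration).

```powershell
# Added example, not from the original article. Audits (and with -Fix, applies)
# the two settings that restrict the enumeration Manuel performed above.
# Assumptions: elevated PowerShell on the host to harden; -Fix is this
# example's own switch; restricting SAMR to Administrators is one policy
# choice among others (see [17] for the SAMRi10 defaults).
param([switch]$Fix)

$LsaKey    = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
$SamSddl   = 'O:BAG:BAD:(A;;RC;;;BA)'   # only local Administrators may enumerate via SAMR
$SrvKey    = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\DefaultSecurity'
$AuthUsers = 'S-1-5-11'                  # well-known SID of Authenticated Users

function Get-RemoteSamSddl {
    # Returns $null when the value is absent, i.e. the OS default applies.
    (Get-ItemProperty -Path $LsaKey -Name RestrictRemoteSAM -ErrorAction SilentlyContinue).RestrictRemoteSAM
}

function Get-SessionInfoDescriptor {
    # SrvsvcSessionInfo is a binary self-relative security descriptor.
    $bytes = (Get-ItemProperty -Path $SrvKey -Name SrvsvcSessionInfo).SrvsvcSessionInfo
    New-Object System.Security.AccessControl.RawSecurityDescriptor -ArgumentList $bytes, 0
}

function Test-AuthenticatedUsersAce($Ace) {
    ($Ace -is [System.Security.AccessControl.KnownAce]) -and ($Ace.SecurityIdentifier.Value -eq $AuthUsers)
}

function Test-SessionEnumOpen {
    $sd = Get-SessionInfoDescriptor
    foreach ($ace in $sd.DiscretionaryAcl) { if (Test-AuthenticatedUsersAce $ace) { return $true } }
    return $false
}

function Close-SessionEnum {
    # Drop every ACE granted to Authenticated Users, then write the descriptor back.
    $sd  = Get-SessionInfoDescriptor
    $acl = $sd.DiscretionaryAcl
    $indexes = @(); $i = 0
    foreach ($ace in $acl) { if (Test-AuthenticatedUsersAce $ace) { $indexes += $i }; $i++ }
    foreach ($idx in ($indexes | Sort-Object -Descending)) { $acl.RemoveAce($idx) }
    $out = New-Object byte[] $sd.BinaryLength
    $sd.GetBinaryForm($out, 0)
    Set-ItemProperty -Path $SrvKey -Name SrvsvcSessionInfo -Value $out -Type Binary
}

$sddl = Get-RemoteSamSddl
'RestrictRemoteSAM              : {0}' -f $(if ($sddl) { $sddl } else { 'not set (OS default)' })
if ($Fix -and $sddl -ne $SamSddl) {
    Set-ItemProperty -Path $LsaKey -Name RestrictRemoteSAM -Value $SamSddl -Type String
    '  -> set to Administrators only'
}

$open = Test-SessionEnumOpen
'NetSessionEnum for Auth. Users : {0}' -f $(if ($open) { 'ALLOWED' } else { 'restricted' })
if ($Fix -and $open) {
    Close-SessionEnum
    '  -> SrvsvcSessionInfo updated; restart the Server (LanmanServer) service to apply'
}
```

Two caveats: the SAM restriction only covers the SAMR interface, so the same accounts and groups remain readable over LDAP by any domain user (ATA still sees that traffic); and the Server service must be restarted for the new SrvsvcSessionInfo descriptor to take effect. Check beforehand that no monitoring or inventory tool legitimately relies on session enumeration.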

Searching for information on a PC

Manuel now knows the IP address used by the administrator of the hacorp.local domain: 172.16.20.3. He will therefore try to obtain more information about this user's PC. To do this, he uses PowerSploit, a collection of PowerShell modules (Get-NetLocalGroup, used below, belongs to its PowerView recon module [10]). He opens a PowerShell console as an administrator (remember that Manuel is a local administrator of his PC).

PowerSploit can be used to retrieve information about a remote PC (in this case, that of user ralcantar):

  • Loading the PowerSploit module: Import-Module .\PowerSploit.psm1
  • Listing the local groups and their members on 172.16.20.3: Get-NetLocalGroup 172.16.20.3

This reveals some interesting information:

  • The Administrator and Test accounts exist on this PC.
  • The computer's name is ADMIN-PC.
  • Domain Admins and ServiceDesk are members of the local Administrators group. This means that Kimberly, a ServiceDesk user, is a local administrator of this PC, as is ralcantar (already known from the previous step).

ATA did not detect this command. Note that it only worked after the personal firewall on the PCs had been disabled: the query is made over SMB/RPC to the remote workstation, which the firewall blocks by default.

Memory dump

From the previous step, Kimberly Brian is a local administrator of Admin-PC. Manuel wonders whether her credentials might still be in memory on his own PC (she switched user rather than logging off, see the context above, so her session is still open and LSASS still holds her secrets). He therefore dumps them with Mimikatz (run as administrator):

mimikatz.exe "privilege::debug" "sekurlsa::logonpasswords" "exit" >> c:\cred_dump.txt

The cred_dump.txt file contains information about maustin, VICTIM-PC, and kbrian. We can see that WDigest has not been disabled: when it is enabled, LSASS keeps each logged-on user's password in a form from which Mimikatz recovers it in clear text (see KB2871997 [18][19]).

Figure 5: Memory extract from Manuel Austin's PC
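As an added example (not code from the original article), the following PowerShell script audits, and with -Fix sets, the two LSASS settings that decide whether a dump like the one above yields clear-text passwords: WDigest credential caching (UseLogonCredential, introduced by KB2871997 [18][19]) and LSA protection (RunAsPPL), which prevents an ordinary administrator process such as mimikatz.exe from opening LSASS. The -Fix switch and the function names are this example's own; it assumes an elevated PowerShell console.

```powershell
# Added example, not from the original article. Audits (and with -Fix, sets)
# the two LSASS settings that decide whether a memory dump yields clear-text
# passwords: WDigest credential caching (KB2871997 [18][19]) and LSA
# protection (RunAsPPL). Assumptions: elevated PowerShell; -Fix is this
# example's own switch; on Windows 7/8/2008 R2/2012 the WDigest value is only
# honoured once KB2871997 is installed; RunAsPPL needs Windows 8.1/2012 R2 or
# later and a reboot.
param([switch]$Fix)

$Checks = @(
    @{ Name  = 'WDigest UseLogonCredential'
       Key   = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest'
       Value = 'UseLogonCredential'; Want = 0 },
    @{ Name  = 'LSA RunAsPPL'
       Key   = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
       Value = 'RunAsPPL'; Want = 1 }
)

function Get-Setting($Check) {
    # $null when the value does not exist. An absent UseLogonCredential means
    # "enabled" on Windows 7/2008 R2 (with KB2871997) and "disabled" on
    # 8.1/2012 R2 and later, so an explicit 0 is the only unambiguous state.
    $p = Get-ItemProperty -Path $Check.Key -Name $Check.Value -ErrorAction SilentlyContinue
    if ($null -eq $p) { $null } else { [int]$p.($Check.Value) }
}

function Set-Setting($Check) {
    if (-not (Test-Path $Check.Key)) { New-Item -Path $Check.Key -Force | Out-Null }
    Set-ItemProperty -Path $Check.Key -Name $Check.Value -Value $Check.Want -Type DWord
}

foreach ($c in $Checks) {
    $cur = Get-Setting $c
    $ok  = ($cur -eq $c.Want)
    '{0,-28} current={1,-6} wanted={2}  {3}' -f $c.Name,
        $(if ($null -eq $cur) { 'absent' } else { $cur }), $c.Want,
        $(if ($ok) { 'OK' } else { 'TO FIX' })
    if ($Fix -and -not $ok) { Set-Setting $c; '  -> set' }
}
if ($Fix) { 'Existing logon sessions keep their cached secrets: log off (WDigest) / reboot (RunAsPPL).' }
```

Setting UseLogonCredential to 0 only affects logons that happen afterwards; Kimberly's secrets would have stayed in LSASS until her open session ended. RunAsPPL, for its part, does not stop a kernel driver from reading LSASS (mimikatz ships one), so it raises the bar rather than closing the path.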

Manuel thus obtains kbrian's password and the NTLM hash of that password. He attempts to connect to Admin-PC via RDP, but RDP is disabled on that machine.

Figure 6: Attempted RDP connection by Manuel on Admin-PC

To avoid arousing suspicion, he will impersonate kbrian when connecting to Admin-PC, using the Over-pass-the-hash attack with Mimikatz (run as administrator by Manuel) and the NTLM hash retrieved previously. sekurlsa::pth starts a new process whose logon session carries that hash; when the process contacts a domain resource, the hash serves as the Kerberos (RC4) key to request a TGT for kbrian, so the NTLM material yields valid Kerberos tickets without the password ever being typed.

For the record, before execution the path \\admin-pc\c$ is not accessible:

Command executed: .\mimikatz.exe "privilege::debug" "sekurlsa::pth /user:kbrian /domain:hacorp.local /ntlm:ab56e43a90223bfc35cf2851183ef3a9" "exit"

A command prompt opens automatically (the process started by sekurlsa::pth). From it, the directory \\admin-pc\c$ is now accessible:

Figure 7: Execution of Over-pass-the-hash

During this attack, ATA raises an alert:

If Manuel were an administrator

Manuel now has access to the Admin-PC workstation. The next step is to retrieve the Kerberos tickets of Romanela Alcantar, who is logged on to that computer, and inject them into his own session on his workstation; presented to the domain controller, they let him act as ralcantar. This is the pass-the-ticket attack.

  • Let's start by copying Mimikatz to Admin-PC remotely:
  • Remote execution of Mimikatz via the PsExec tool (from the command prompt opened by sekurlsa::pth, so that it authenticates as kbrian):

C:\Users\maustin\PSTools\PsExec.exe \\admin-pc -accepteula cmd /c (cd c:\temp ^& mimikatz.exe "privilege::debug" "sekurlsa::tickets /export" "exit")

  • Retrieval of ralcantar's tickets (.kirbi files) and local storage in C:\Dump\
  • Deletion of the files generated on Admin-PC:

           rmdir \\admin-pc\c$\temp /s /q

Before injecting the tickets, an attempt to access \\SrvDC.hacorp.local\c$ fails:

The klist command shows that the Kerberos tickets currently in the session belong to maustin.

Now, let's inject the two Kerberos tickets of ralcantar stored in C:\Dump (the krbtgt service name in the file names shows that both are TGTs):

 mimikatz.exe "privilege::debug" "kerberos::ptt c:\Dump\[0;b2681]-2-1-40e10000-ralcantar@krbtgt-HACORP.LOCAL.kirbi" "exit"

mimikatz.exe "privilege::debug" "kerberos::ptt c:\Dump\[0;b2681]-2-0-60a10000-ralcantar@krbtgt-HACORP.LOCAL.kirbi" "exit"

Verify with klist that the tickets have been imported:

Access to \\SrvDC.hacorp.local\c$ now succeeds:

From this moment on, Manuel Austin has the same rights as Romanela Alcantar, an administrator of the hacorp domain, for as long as the injected TGT remains valid (10 hours by default).

This attack was detected by ATA:

In conclusion, we briefly presented the ATA solution through an intrusion scenario, and the attacks were detected. We could not evaluate the behavioral analysis, because it requires about four weeks of learning after installation.

We also found that the rules database cannot be configured: it is not possible to customize a detection threshold.

In short, ATA should be used in conjunction with other network detection and security tools. Once again, defense in depth should be the preferred approach.

  • You can consult [13], which presents, among other things, the various stakeholders and the prerequisites for a POC.
  • You can refer to [21] for sizing based on a company's architecture.
  • You can refer to [20] for a silent installation in an environment where there are multiple domain controllers.
  • You can consult [22], which provides some recommendations for securing ATA and whether or not to attach ATA to a domain.

Finally, there is an FAQ on the ATA solution [23]. We hope this article has given you an overview of Microsoft Advanced Threat Analytics and an explanation of how attackers operate.

References

  1. https://docs.microsoft.com/en-us/advanced-threat-analytics/what-is-ata
  2. https://docs.microsoft.com/en-us/advanced-threat-analytics/ata-threats
  3. https://business.f-secure.com/5-phases-of-a-cyber-attack-the-attackers-view
  4. https://www.helpnetsecurity.com/2017/03/06/cyber-attack-lifecycle/
  5. https://gallery.technet.microsoft.com/Advanced-Threat-Analytics-591ca681
  6. https://docs.microsoft.com/en-us/advanced-threat-analytics/setting-syslog-email-server-settings
  7. https://docs.microsoft.com/en-us/advanced-threat-analytics/ata-architecture
  8. https://support.microsoft.com/en-us/help/279301/description-of-group-policy-restricted-groups
  9. https://www.it-connect.fr/chapitres/le-partage-sysvol-et-la-replication/
  10. https://github.com/PowerShellMafia/PowerSploit/blob/c7985c9bc31e92bb6243c177d7d1d7e68b6f1816/Recon/README.md
  11. http://blog.gentilkiwi.com/
  12. http://blog.gentilkiwi.com/securite/mimikatz/pass-the-ticket-kerberos
  13. https://gallery.technet.microsoft.com/Advanced-Threat-Analytics-591ca681
  14. https://docs.microsoft.com/en-us/advanced-threat-analytics/setting-syslog-email-server-settings
  15. https://docs.microsoft.com/en-us/advanced-threat-analytics/ata-architecture
  16. https://docs.microsoft.com/en-us/advanced-threat-analytics/install-ata-step6
  17. https://gallery.technet.microsoft.com/SAMRi10-Hardening-Remote-48d94b5b#content
  18. https://technet.microsoft.com/library/security/2871997
  19. https://blogs.technet.microsoft.com/kfalde/2014/11/01/kb2871997-and-wdigest-part-1/
  20. https://docs.microsoft.com/fr-fr/advanced-threat-analytics/ata-silent-installation
  21. https://docs.microsoft.com/en-us/advanced-threat-analytics/ata-capacity-planning
  22. https://cloudblogs.microsoft.com/enterprisemobility/2016/06/10/best-practices-for-securing-advanced-threat-analytics/
  23. https://docs.microsoft.com/en-us/advanced-threat-analytics/ata-technical-faq