So, fun fact about this picture here: this was actually the IBM Toronto downtown data center in 1963. But now it's a sushi lounge, I think. So who am I? My name's Chris Thompson. I'm the red teaming ops lead for IBM X-Force Red, or X-Force Rouge as we call it in Canada. My job involves conducting red teaming ops against defense contractors and some of North America's largest banks. I'm also on the newly formed CREST USA board that just launched with smart folks like Chris Nickerson and Tom Brennan. And I also teach network and mobile pen testing at a college. So, why am I talking about Microsoft? Well, they're coming out with two new products, or they've kind of released them in trial mode right now. One's known as Microsoft Advanced Threat Analytics and the other is Advanced Threat Protection. So when you're dealing, in red teaming, with really large Fortune 50s, many of these blue teams that we're up against, not so surprisingly, have their shit together. I've come up against some really good detection strategies, actually, at clients recently that have integrated tools like Sysmon and AppLocker and EMET and event log forwarding. They've put in place products like CrowdStrike for host behavior analytics. They've put in tools like Rapid7 UserInsight for domain behavior and user behavior analytics. And so I spent a lot of time coming up against these, trying to figure out how to bypass or evade them as a whole. So, aside from being a horrible fucking talk title that drunk me thought up and thought sounded funny on CFP submission night, I think of tactical nukes because they're intended to be strategically used, forcing adversaries to rapidly react to it and change their tactics. And that's what I think Microsoft is arming the blue team with, with these two new products.
So when I saw that they're coming out with the host and domain based behavior analytics, and the Advanced Threat Protection was being built directly into Windows 10 Enterprise, I knew this was going to be an area that, as red teamers, everyone's going to come up against soon. So I knew it was an area we needed some more focus on, especially when ATA and ATP are going to be integrated together this fall. So this is the first talk I'm aware of on actually evading or bypassing ATP, and only the second on ATA; Nikhil did a talk on ATA just on Thursday at Black Hat. And so, because we're pretty early in the history of these products, I've withheld a few techniques that I want to cover later at Wild West Hackin' Fest. So there's still tickets available, you guys should definitely get on that bandwagon, come party in South Dakota. But there's also probably a shitload of techniques that I didn't think of or test, or can't even fathom in my limited brain. So hopefully this inspires you to try to rip these technologies apart yourself. So, to set the stage: when I developed IBM X-Force Red's tactics, techniques and procedures, or our TTPs, for red teaming, I put a huge emphasis on host and internal recon as being very distinct phases. A lot of people get a shell on a box and they immediately start trying for lateral movement and gathering information about the domain and all that sort of shit. But what they're not considering is what IOCs they're leaving on the host itself and what detection technologies might be on the host beyond, you know, shitty antivirus that you probably run into all the time and you don't really care about it catching you, because the worst that happens is your PowerShell stager doesn't launch and you just have to try it again or something.
So, to become better red teamers and operate against these more mature blue teams that we're coming up against at these larger companies, we need to gain a better understanding of what IOCs and tools and techniques we're leaving behind. So what commands might be caught by different script logging, what's flaggable by Sysmon, what's being forwarded by Windows Event Forwarding and, importantly, how can we use different techniques to avoid user behavior analytics? So, with AI coming out and more behavioral learning being applied to IOCs, companies are getting a lot better at actually detecting malicious user behavior instead of just getting spammed in your SIEM so you turn your SIEM off. So we're going to see a huge rise in this in the future. So here's Microsoft's kill chain as it relates to ATA and ATP. Not shown on the graphic to the left is Office 365 ATP, which is a separate product. It's focused on pre-breach. Dave Kennedy ripped it apart and showed some easy bypasses on their email sandbox. These two products are completely separate. So we're focused only on post-breach and Microsoft's approach with these two products: Advanced Threat Protection and Advanced Threat Analytics. So, for simplification purposes, you can think of ATP like CrowdStrike and ATA like Rapid7's UserInsight or another kind of domain user behavior analytics. So, my lab real quick: it's not running on a Compaq Presario. It's running with multiple 2016 DCs, lots of sub-domains, dozens of member servers, and Windows 10 1703 workstations, which is the new Creators Update that just came out, and that's important, so keep that in mind in a second. I ran all these commands against multiple hosts and domains and ATA instances to try to make sure everything I'm reporting on is accurate. That said, it is a test environment, so it's hard to replicate real-life prod user behavior analytics.
Like, it's one thing for me dicking around in my lab versus a huge corporate network where there are real people using specific resources. So, a quick overview of ATP. It's currently installed on more than 2 million devices. I think most of those are at Microsoft, but it's quite prevalent for its installed base. So basically you have your behavioral sensors on the left, and they send telemetry data and, you know, different data gathered off the host, from registry keys that were created, services that were created, weird commands that you might be running, and they send all that raw data to the cloud, or the portal. And once it hits this portal it starts to analyze that, and if it's a very easily detectable type of attack you might get an alert within 5 minutes. If it's a very complex attack where you're using different obfuscated PowerShell cradles and launchers, it might even take up to a full day to get an alert. These sensors are actually embedded in Windows 10 Pro and Enterprise already. To activate them, it's just like a 5-line activation script. So, in 1703 that just came out, that was paired with ATP release 2, and in the upcoming fall update that's gonna be ATP release 3 on Windows 10 1709. So, because there's a delay in that detection period, if you were going for a quick smash and grab against a less mature organization, sure, you could probably get in, grab whatever you're after and get out before they even got the alert. But we're not talking about those Swiss cheese organizations, we're talking about actual mature companies that have their shit together and they've mostly patched and hardened all their systems and, you know, they've made it a lot more difficult for red teamers.
So, in ATP, in addition to that console where you can see different attacks that are found, different machines reporting malware and stuff like that, you can see the process tree. So there's Empire being launched and it's showing the obfuscated commands to do that kind of stuff. You can follow the attack path, so if somebody opened it in one process and then launched another malicious command in another process or laterally moved around the network, you can kind of track that. If you want to quarantine a file that you've seen on more than a couple of boxes, it's really simple to do, just point and click. Same if you want to isolate a Windows 10 box off your corporate network: it's just a matter of hitting Actions and hitting Disable, and then you can tell them, you know, you shouldn't have opened that phishing email or what have you. So, in release 3, that again is coming this fall, the Fall Creators Update, or the Autumn Creators Update if you're from Europe, the Defender brand has been expanded. And, you know, I can't say I'm a marketing genius, but I wouldn't have picked Defender as a brand to expand and get behind, but anyways, that aside: you've got Windows Defender Antivirus that we all love, and that's their traditional AV; you've now got Advanced Threat Protection, or ATP; EMET is coming back as Windows Defender Exploit Guard, and EMET is actually a really good tool; you've got Application Guard coming under the Windows Defender brand, Device Guard, Firewall and Credential Guard; and interestingly enough, they're going to start supporting more operating systems. So in the fall, I believe, 2012 and 2016 Server are going to support ATP. It's not a full implementation yet; I think in the spring update that's coming out, it'll be more ingrained into the operating system.
And integration with ATA is also coming in release 3, as well as better correlation of activities run across multiple processes and all sorts of stuff that they tell me, and I look forward to putting that to the test and ripping it to shit, but we'll see how it goes in the fall. So a little different about the release 3 dashboard than the dashboard you saw before is that you can see all those unique security technologies that I talked about, like Exploit Guard and Credential Guard, being reported on the bottom right. You can see the operating systems bottom left, all sorts of improvements that bring together all of these distinct security technologies that were just being deployed by Group Policy or SCOM or SCCM and not really reporting into anything. And now everything's talking together and everything's being reported to the cloud. So, again, with this being built into Windows 10, it comes bundled if you grab the new E5 license or the new Microsoft 365 for Enterprise. So this isn't some obscure license that nobody's going to bother to grab; it's actually a pretty mature integration into the Windows, you know, whatever you want to call it, the total Windows suite. So it's very easy for enterprises to get this in place. So as red teamers, we're going to start to see it everywhere in a few months' time, I'd imagine. So let's actually look at ATP in play. So, if we start with PowerShell, ATP will detect PowerShell download cradles and launchers generated by Empire and Cobalt Strike, all the default launchers. It'll also detect heavily obfuscated PowerShell commands and download cradles, such as that custom cradle with a Cobalt Strike reverse DNS payload, or quite a lot of the payloads that are created by the Invoke-Obfuscation project specific to PowerShell are also caught.
And the reason for this is, like, Microsoft gave us an amazing attack tool with PowerShell, and we've been favoring using PowerShell.exe or PowerShell Core and the underlying Windows Management Framework for several years due to how flexible it is as a language and as a framework and how easy it is to use. And as attackers, we've seen some amazing tools come out. So we've seen Empire, PowerUp, Unmanaged PowerShell, Not PowerShell, Nishang, PowerView, User Hunter and BloodHound. But now they're going to take away our shiny new PowerShell tools by building this post-exploitation tool that leverages all those security improvements that are built into Windows Management Framework 5, or PowerShell version 5, to detect these tools in use. So ATP is leveraging all of those technologies you see there before you. Due to time constraints, I won't cover these in detail. If you're already on a red or blue team, chances are you've heard about this being talked about for the last couple of years. But now you're going to actually see it leveraged a lot more by Microsoft. So you've got script block logging, transcription logging; if you use a suspicious string, that's built right into PowerShell version 5; there's now Constrained Language Mode, which is activated automatically when you use AppLocker; there's support for JEA, or Just Enough Administration; there's also AMSI, or the Antimalware Scan Interface, which covers PowerShell, VBScript and JScript, so a lot of the attacker tools that are common for getting an initial payload on a box. And a typical way to bypass these up to now has just been to load PowerShell version 2, because it doesn't support any of those. But PowerShell version 2 in Windows 1703, or the Creators Update, isn't enabled by default, because it uses .NET 2.0, so that's not there.
And it's not supported; PowerShell version 2 is gone altogether come the fall update in Windows 10. So we can't use that technique to get around all that. There's going to be support for system-wide transcripts; common techniques leveraging double-script shells are also caught; same goes if you use Not PowerShell, like Ben Ten's tool, or those that directly call System.Management.Automation.dll, because they're forced to use Windows Management Framework 5. So you're not getting around it by just blocking PowerShell.exe. All of these are built into the framework core. And we've seen bypasses for a lot of these as individual technologies, but as red teamers, obviously we need to get better at streamlining those techniques and chaining them together, and now also taking ATP into consideration. So as a result of these improvements, what I found is that we kind of have to go back to living off the land, selectively running PowerShell when we're confident we've disabled or can silently evade these new security capabilities that are kind of standard in Windows 10 now. So ATP is also pretty good at detecting the use of signed binaries to launch malicious executables, based on anomalous behaviors. So if you launch something and all of a sudden it's calling out over HTTP or Tor, using VBScript in a macro-enabled document or something like that, it's going to be flagged. You can see based on some of those alert examples that many of the initial host recon or initial execution or privilege escalation activities are going to be flagged due to the common underlying techniques that are used. So Tavis has been doing some amazing work ripping traditional Defender antivirus to shit lately. And a lot of that is due to Defender running as Local System. So ATP is also running as Local System because it's embedded into Windows 10.
But the problem with this is that because Defender auto-updates, by the time any of you guys saw his tweets, probably your Defender instances were already auto-patched. So, if a vuln is responsibly disclosed, we're not going to be able to use it a week later, because most of the organizations that were vulnerable to it are already patched. So do similar bugs exist in ATP? More than likely, but who's really burning their 0-days? And if somebody does, it'll just get auto-patched and, you know, the rest of us script kiddies won't get to use it. So, well, you can get on the box initially using all those cradles. The name of the game is to not get caught. You don't want to, you know, "oh yeah, we got a shell", "oh yeah, we kicked you off the box immediately". Good for you. Good red teaming, right? It's about not getting caught so early. So we want to get on this box initially undetected. And a couple of ways I found to do that. So, Vincent put out CactusTorch. It doesn't call the kernel32 API directly, and as a result, it's not detected. Using signed executables to load, like, a Cobalt Strike stageless DNS-based reverse payload: so it will catch HTTP but not DNS at this time. Or executables that use AV bypass techniques created with, like, Veil, using Go, or Shellter, as long as they're not connecting out to newly registered domains or connecting out to Tor. So the challenge doesn't stop at getting on the box undetected initially. That's the easy part. The problem is detection of the activities that we perform or commands that we'd run after we get an initial foothold.
So, you know, creating new processes, doing host recon of the environment settings or local groups, attempts to bypass all those kinds of security controls that we're talking about, trying to do local privilege escalation, or trying to go out and enumerate information about the domain. That's what we're worried about getting caught on. So those commands should probably be pretty standard to most red teamers. They're all out in, like, MITRE's ATT&CK framework and JPCERT's logs and stuff. They're pretty much all caught if they're issued in the same 24-hour period. So, depending on the method you use to create new processes to run these commands individually, they might also be flagged. So instead of waiting 24 hours to put these commands in, we need a faster way to collect info. At this point in time, WMI is not detected, though reportedly in release 3, and a lot more in release 4, it should be, because WMI logging, while it's not enabled by default, is really easy to enable and start to do the same sort of detection on. So you can use WMI, or you can use cmdlets, or you can use a lot of different techniques with WMI. The preferred method is to directly use the Windows APIs. So going back to kind of living off the land and not relying on Empire or other scripts immediately. If you use Metasploit modules, you want to make sure they're only doing local APIs through Railgun. You don't want to use different modules like local_admin_search, which uses command exec and communicates with DCs and whatnot. And Cobalt Strike's got a lot of stuff that's API-only as well. So if we look at more common bypass techniques, most of these won't work. As an admin, you could modify the registry and disable the service, which is called Sense, but it won't take effect until the next reboot.
You could probably also modify file permissions on the executables or folders, but that's really noisy. Unlike CrowdStrike, you can't just uninstall it as an elevated admin. You need a SHA-256 signed key that's unique to your organization, and the certificate, to uninstall it. And the offboarding scripts are only valid 10 days, so if you find an offboarding script on a Windows share, chances are you won't be able to use it. The reason for this is Protected Process Light. So you'll see that there's an additional value in that certificate called the PPL verification. That means that many of the security restrictions that were applied to the System process can now be applied to user-mode processes. It's basically binary signing and verification with a Windows cert. After the service launches as protected, you can't do code injection into it from other admin processes. So even if you're running as SYSTEM, you can't read or inject into a PPL process, even if you have debug privileges enabled. Windows Defender AV started using Antimalware PPL, which is a lower version. And so you can use TrustedInstaller with Google Project Zero's bypass to uninstall and delete Windows Defender AV. But since RS2, for whatever reason, Microsoft started using the Windows PPL, which makes the process configured as non-stoppable, so we can't use the same technique, at least that I've seen so far. So, the ATP sensor uses Windows Telemetry, or DiagTrack, to report sensor data and communicate with the ATP cloud. Unlike ATA, all the comms are directly to the cloud. There's no local ATP console or event log forwarding. So, believe it or not, that's actually an advantage to us, because these are static cloud addresses.
So, the WinHTTP API, which DiagTrack uses, can actually be configured by any user on the box. And it'll follow any proxy settings that we set. So if we use just these two quick registry keys to turn off auto-detect and then to give it an attacker's proxy auto-config file, which is there, basically we just say: if traffic's going to any of those ATP domains, just sinkhole them, and return directly out to the internet, or you could configure the corporate proxy there, for all other traffic. So it's a really easy way to sinkhole all that traffic. If you are using Responder or Inveigh on the internal network, you could probably serve up that WPAD file to other Windows 10 boxes on the internal network and shut down Windows 10 across the network, or at least the local subnet, before you laterally move to those boxes. I spoke with the team at Microsoft; they are really communicative; they're actively pursuing implementing some backup comm channels, after which you can't use this technique anymore, but for now, go nuts. DiagTrack, or telemetry, is not a protected PPL process, so as an admin we can just shut it down. So you can see that that telemetry service is really the Achilles' heel for ATP. So this is a quick snippet of a PowerShell tool that I'll put on my GitHub. Basically it resolves the ATP cloud hosts and then uses the Windows built-in firewall to block outbound or inbound traffic to any of those domains. So, because this requires elevated privileges, you'd first use the previous unprivileged block and then you'd put something more permanent in place here. Maybe you'd run PowerShell tools like PowerUp to quickly elevate your permissions on the box and then implement these firewall rules.
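As an added defender-side example (not code from the talk or from Microsoft), the script below audits a Windows 10 host for the telemetry-channel tampering just described: the WinINET AutoDetect/AutoConfigURL values a PAC redirect would change, the machine-wide WinHTTP proxy that DiagTrack honours, the state of the Sense and DiagTrack services, and outbound Block rules scoped to specific remote addresses. It assumes an elevated PowerShell 5+ session with the NetSecurity module; the function and finding names are my own.

```powershell
# Added audit script (assumption: elevated PowerShell 5+, NetSecurity module present).
# Compare the output against your baseline: a corporate PAC URL is normal, a PAC URL
# pointing at an unknown host or a freshly stopped DiagTrack is not.

function Get-ProxyAutoConfigState {
    # Per-user and machine WinINET proxy values that a PAC-based redirect would set.
    $paths = @(
        'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings',
        'HKLM:\Software\Microsoft\Windows\CurrentVersion\Internet Settings'
    )
    foreach ($p in $paths) {
        $v = Get-ItemProperty -Path $p -ErrorAction SilentlyContinue
        [pscustomobject]@{
            Hive          = $p.Substring(0, 4)
            AutoDetect    = $v.AutoDetect      # 0 = WPAD discovery turned off
            AutoConfigURL = $v.AutoConfigURL   # explicit PAC URL, if any
            ProxyEnable   = $v.ProxyEnable
            ProxyServer   = $v.ProxyServer
        }
    }
}

function Get-WinHttpProxyState {
    # Machine-wide WinHTTP proxy as reported by netsh; "Direct access" is the default.
    $text = (& netsh.exe winhttp show proxy) -join ' '
    [pscustomobject]@{
        Direct = ($text -match 'Direct access')
        Raw    = $text.Trim()
    }
}

function Get-SensorServiceState {
    # Sense = the ATP sensor service; DiagTrack = the telemetry service it reports through.
    foreach ($name in 'Sense', 'DiagTrack') {
        $svc = Get-Service -Name $name -ErrorAction SilentlyContinue
        [pscustomobject]@{
            Service   = $name
            Status    = if ($svc) { [string]$svc.Status } else { 'NotInstalled' }
            StartType = if ($svc) { [string]$svc.StartType } else { '' }
        }
    }
}

function Get-ScopedOutboundBlockRules {
    # Enabled outbound Block rules that name specific remote addresses rather than 'Any'.
    Get-NetFirewallRule -Direction Outbound -Action Block -Enabled True -ErrorAction SilentlyContinue |
        ForEach-Object {
            $addr   = $_ | Get-NetFirewallAddressFilter
            $remote = @($addr.RemoteAddress) -join ','
            if ($remote -and $remote -ne 'Any') {
                [pscustomobject]@{
                    Name          = $_.DisplayName
                    Profile       = [string]$_.Profile
                    RemoteAddress = $remote
                    Group         = $_.Group
                }
            }
        }
}

function Invoke-TelemetryTamperAudit {
    $findings = New-Object System.Collections.Generic.List[string]
    foreach ($p in Get-ProxyAutoConfigState) {
        if ($p.AutoConfigURL) { $findings.Add("$($p.Hive): explicit PAC URL set: $($p.AutoConfigURL)") }
        if ($p.AutoDetect -eq 0) { $findings.Add("$($p.Hive): WPAD auto-detect disabled") }
    }
    $w = Get-WinHttpProxyState
    if (-not $w.Direct) { $findings.Add("WinHTTP machine proxy configured: $($w.Raw)") }
    foreach ($s in Get-SensorServiceState) {
        if ($s.Status -ne 'Running') {
            $findings.Add("$($s.Service) service is $($s.Status) (start type: $($s.StartType))")
        }
    }
    foreach ($r in Get-ScopedOutboundBlockRules) {
        $findings.Add("Outbound block rule '$($r.Name)' [$($r.Profile)] -> $($r.RemoteAddress)")
    }
    if ($findings.Count -eq 0) { 'No telemetry-channel tampering indicators found.' } else { $findings }
}

Invoke-TelemetryTamperAudit
```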
Interestingly enough, you could use the same technique to block all Windows event log forwarding for Sysmon or what have you. So if you're worried about Sysmon reporting different techniques you're running on the box, well, it relies on Windows Event Forwarding to send it out, so we can just block Windows event log forwarding now. So why would we block instead of disable, or try to look for a one-time exploit in this? It's just very quick. It doesn't require escalating to SYSTEM to modify file permissions, and we don't have to find some new PPL bypass. When we block comms from a Windows 10 box to the ATP cloud, it actually doesn't show up as an issue for, like, four or five days. Because, you know, people go on vacation; if they started flagging that, you can imagine the amount of spam that blue teamers would get. So nobody's gonna enable an alert as soon as it doesn't communicate for five minutes, right? So I don't see that being too easily fixed. So that gives you quite a few days to mess around from that box. So now that we've blocked ATP, we can start to look at comfortably running commands without being flagged by that local ATP instance. So let's have a look at Advanced Threat Analytics now. It's intended to detect typical Active Directory domain recon and credential attacks. And as of this fall, it's actually gonna be integrated with ATP. And version 1.8 actually came out a couple weeks ago, so I had to redo all my research to make sure it was still relevant. So I think they intended to do that just to screw with me. But if we go over ATA real quick, there's four main components. You've got the ATA console, which is the UI. It's running on top of the ATA Center. You've got ATA gateways, and those can either be full gateways that are grabbing mirrored port traffic,
or you can install a lightweight gateway directly on a domain controller and it'll grab all the events directly from the box. A Mongo database stores all the data from the different gateways on the ATA Center. And interestingly enough, if you wanted to screw with ATA comms: while I was troubleshooting that upgrade from 1.7 to 1.8, I found that there's no role-based access control to that MongoDB. So if you got on the ATA Center, you can modify and delete events. You can whitelist certain events so they're never flagged, and you could do that all in the background without anyone who's monitoring the logs finding out about it. You can also integrate it with a SIEM via Syslog, or maybe your VPN via RADIUS, so you can see different authentication events and whatnot from there. The lightweight gateway actually used event log forwarding before 1.8, which I had a nice little block for, but now all those events are read locally. So there's the ATA console. It shows a timeline of events and alerts, and there's a quick notification bar on the right, so any new alerts popping up, you'll see them if you're monitoring that console. Obviously you can do email alerts based on severity and whatnot. There's an example alert where you can see, as an attacker or as a blue teamer, you can dive into some of these attacks and see not only what box it's coming from, but what client, what resources that person accessed with their pass-the-ticket attack. So it's a pretty robust tool in that sense. You can see history of the user, history of the box, history of the workstation, to see if there's any suspicious queries or commands going on.
And then when ATP integration comes, that's going to be very useful, because you can use this domain information as much as possible and then see it integrated with ATP and dive deeper. So, ATA requires a learning period of a month for their user behavior analytics, and one week to detect encryption downgrades and skeleton keys and golden tickets, according to Microsoft. So just to recap, testing in my lab isn't like testing in a real corporate network, so it's hard to accurately test user behavior analytics. So I'd say whenever possible, you want to perform as much of your attacks as you can from, like, help desk or privileged user boxes. So target the help desk users, because they're often RDPing around and using PowerShell, and you can read all their RDP history and session history and PowerShell history and their bookmarks, and you can know where they're going around the network and where you'd expect their behavior to be. So that's one obvious technique to help keep unusual or abnormal behavior from being flagged. So let's look at some of the commands that we typically perform next, now that we're pretty confident that we've disabled ATP and we can start to look around the network. So typically we do some internal recon and identify subnets and VLANs we want to go after. Look at AD recon, so looking at what domains and forest trusts and group memberships, what users are out there, what admins are out there. Also look at asset recon, so you want to look for those CyberArk password vaults, you want to look for SharePoint, all those targets of value, places where they have PII or intellectual property; you want to discover what IPS or web filtering or proxies or behavior analytics or DLP is in use before you start going buck wild on the internal network.
So, often people do a lot of DNS lookups to try to map out the internal network. A lot of these, especially if you're doing DNS brute forcing, are going to be flagged, so if you're using a tool like Fierce and trying to do some zone transfers and brute force internal names, a lot of that's going to be caught. You can cut down on this by minimizing the frequency of how many records you're trying to grab, but there's obviously easier ways to get more information about the internal network. A lot of AD recon techniques are caught because they remotely connect to the DC where ATA is running, and enumerate info using the SAMR protocol, the SAM Remote protocol. So commands like net user /domain, to grab a list of all domain users, for example, perform directory services queries and by default ask for a lot of account properties and information that's pretty easy to flag on if ATA is monitoring the event logs. ATA applies a learning period to this alert in particular to cut down on false positives. So it's normally in place after about a month. With that being said, we can query LDAP via PowerView to grab a list of computers and group members, which is pretty normal user traffic on a domain. It's gonna be pretty hard to flag on that and not get a lot of false positives. Another technique I like to use, because it doesn't communicate with Active Directory at all, is to just do WMI or CIM queries that run directly against the computer's local WMI namespace, not communicating with the domain controller at all. So, the WMI cmdlets in PowerShell are PowerShell version 2 plus; the CIM cmdlets are PS version 3 only, but they both accomplish the same thing. You can use WMIC if you want to.
So in that example, we're trying to find admins within the dev domain. In another example, we're looking for domain group memberships, or we can even identify ATA in use if we just query for the default group name, which isn't changeable at the moment. So, a lot of people have shifted to using User Hunter and BloodHound as the fancy tools, which query all the servers and try to find active SMB sessions on those boxes to map out who's using the box, who has an active session, and when you know the group members of Domain Admins or whatnot, you'll see how valuable these techniques are, because you can quickly map out an attack path to go after domain admins by BloodHound telling you to pop box A, box B, box C, grab these creds and you're domain admin. By default, User Hunter first queries the domain controller for a list of domain member computers, which obviously includes the domain controllers themselves. So that's going to be flagged, and you'll see in the bottom right, if you can see it, the alerts, because we communicated with the domain controller to get that list of computers. But we can just as easily exclude domain controllers from this list. So if we manually give it a host target file which doesn't have any domain controllers involved, we can still do all that SMB session enumeration and find where our admins are and where those privileged users are, and find who we have to go after and attack. So, now that we've got info on potential targets such as privileged users, let's look at lateral movement. So this typically involves leveraging that gathered SMB session information or SPN info and AD group info to start to target those privileged accounts. Then we perform some remote code execution or something to get on those boxes.
So, ATA is decent at, uh, detecting PsExec, uh, because binaries are dropped to disk and processes are started, and WMIExec because, uh, it's running directly against the AT-, er, sorry, directly against the domain controller. And because ATA is monitoring domain controller logs, it's, it's very easy to detect it. Um, it may be able to detect, uh, abnormal user behavior against all domain workstations and servers. Um, but again, that's based on user behavior analytics. So, if you're going after a lot of boxes that you've, you've never touched before from that user account, it's gonna see that as suspicious because you successfully authenticated to a lot of different boxes. Um, but there's definitely a gap in detection for lateral movement for ATA. But, um, I think that's gonna be narrowed down quite a bit when the ATP integration comes down the line. Um, if you wanted to perform, uh, an overpass-the-hash attack, so pass-the-hash attacks are really easily detected. Um, I'll tell you why in a minute, but if we want to use an overpass-the-hash technique, um, it's flagged as encryption downgrade because, um, we're using, uh, an NTLM hash and that uses, uh, DES-CBC-MD5. And so, um, in authentication logs, it's really easy to see that only those, um, type, uh, encryption types are being used. But if we instead use the, uh, AES256 key, um, it's still gonna detect it because it doesn't see the right values in the AS-REQ. But if we also give it the AES128 value and the MD5, or the NTLM hash, it's not gonna flag it as suspicious activity. Uh, it's, I, I find it's really hard to get the AES128 key, uh, I don't know enough about it to, to figure out why. But, uh, I looked all through the, you know, the Mimikatz documentation, I couldn't see why. So instead I was like, well, what if I just give it all zeros? Yeah, it's fine. So, you know, you don't, you don't have to find the AES key, uh, and grab it, uh, for the ticket.
It's just, you know, throw whatever 32 characters you want in there. Um, silver tickets aren't gonna be detected. Um, so if you're familiar with golden tickets and silver tickets, uh, golden tickets are the, you know, that forged, uh, Kerberos TGT, um, which is valid for gaining access to anything that's running Kerberos. But the silver ticket is a forged TGS. So, this means that the silver ticket scope is limited to whatever service is targeted on the specific server. So, it's not communicating, where, when we forge a silver ticket, we don't have to communicate with a domain controller. Because we're not communicating with a domain controller, uh, ATA has no idea that, that, that this attack's happening. Um, and, you know, you can read, uh, on Sean Metcalf's, uh, awesome ADSecurity.org site about all, you know, golden tickets and silver tickets and whatnot. Um, lateral movement via SQL auth isn't detected as well because it's SQL auth. So, uh, the domain controllers aren't monitoring, um, that. So if you target an SA box or you can perform SQL injection successfully on a SQL box, you can move between different SQL servers, um, and find one of those boxes that might have a privileged Active Directory user logged in, you know, steal his token, steal his hash, uh, impersonate that user and go from there. Uh, Nikhil, um, you know, demonstrated a lot of those techniques, um, on that link if you want to learn more. Um, so once you have access to a privileged user, it's time to, to move towards actually achieving the primary goals of a red team engagement. So that, those might include, uh, getting dominance over the network. So you may or may not need to grab the Active Directory database or the ntds.dit, um, but it sure comes in handy. And if you can do it without getting detected, why not, right? Um, you might need to access sensitive information such as financial directories or IP, um, or you might need to gain privileged access to certain systems that, that are in scope.
So a common technique, uh, to grab the AD database is to use DCSync, which effectively impersonates a domain controller and says, hey, I'm a, I'm a DC as well, send me a full replication of, of your, your, your credentials basically. Um, so as you can imagine, this is super easy to detect on because, you know, why is a Windows 10 workstation saying they're a DC and want all the creds, right? So it's super easy to detect upon. Um, so if you run DCSync within the same forest, it's definitely gonna be detected. Cross forest, uh, it might not be. Uh, you can, you can use the WMI, uh, Win32_ShadowCopy class to dump the ntds.dit via shadow, volume shadow copies. And you can use that without directly calling vssadmin. Um, so it's a lot stealthier. Um, but as of ATA 1.8, this is now flagged as a low severity event. Not, not, you know, critical. We, we just grabbed all the AD creds, but it's, it's a low severity event. Um, but it's not because we did a volume shadow copy, it's because it saw the Win32_Process Create. So that's probably an area you could spend some time with and bypass using that altogether. Uh, ATA 1.8 may also detect WMIExec methods, but I, I couldn't replicate it in a lab environment. Um, not detected if you want to, uh, use PowerSploit and, uh, use PS remoting to inject Mimikatz in memory, uh, do L-, LSASS injection. You can just, uh, grab the ntds.dit there. Um, there are a lot of ways to harden WinRM and PS remoting, uh, by restricting, you know, PS remoting access via groups and whatnot. If, if you're a blue teamer out there. Um, you can also use NinjaCopy because it does raw disk access. So instead of doing LSASS injection or, or doing volume shadow copy, we're just going to directly do a raw disk access. So, you know, sometimes when you copy the, the ntds.dit there, there's a couple of areas you might have to clean up. Uh, but, but it's super easy to do.
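The DCSync point above, from the defender's side, as an added example that is not part of the talk and not Microsoft ATA's own logic: when an account asks a domain controller for replication, the DC (with Directory Service Access auditing on) writes event 4662 whose Properties carry the replication extended-right GUIDs. The three GUIDs are the real well-known AD schema values; the event line format, account names, and the "expected replicators" list are constructed for this example.

```python
import re

# Control-access right GUIDs that show up in event 4662 "Properties" when an
# account requests directory replication (the well-known AD schema values).
REPLICATION_RIGHTS = {
    "1131f6aa-9c07-11d1-f79f-00c04fc2dcd2": "DS-Replication-Get-Changes",
    "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2": "DS-Replication-Get-Changes-All",
    "89e95b76-444d-4c62-991a-0facbeda640c": "DS-Replication-Get-Changes-In-Filtered-Set",
}
GUID_RE = re.compile(
    r"\{?([0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12})\}?", re.I)

# Constructed, flattened 4662 records (not real Windows log output). A real
# event spreads the Properties GUIDs over several lines; here it is one line.
SAMPLE_EVENTS = [
    "EventID=4662 Subject=DC02$ Object=DC=corp,DC=example "
    "Properties={1131f6aa-9c07-11d1-f79f-00c04fc2dcd2} {1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}",
    "EventID=4662 Subject=jdoe Object=DC=corp,DC=example "
    "Properties={1131f6aa-9c07-11d1-f79f-00c04fc2dcd2} {1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}",
    # an unrelated property GUID (constructed value), not a replication right
    "EventID=4662 Subject=jdoe Object=CN=printer1,DC=corp,DC=example "
    "Properties={11111111-2222-3333-4444-555555555555}",
    "EventID=4624 Subject=jdoe Object=- Properties=-",
]

# Accounts allowed to replicate: DC computer accounts plus, in practice, a
# directory-sync service account. Constructed names; maintain this from AD.
EXPECTED_REPLICATORS = {"DC01$", "DC02$", "svc-aadconnect"}

RECORD_RE = re.compile(r"EventID=(\d+) Subject=(\S+) Object=(\S+) Properties=(.*)")


def parse_record(line):
    """Parse one constructed record; returns None for lines that don't match."""
    m = RECORD_RE.match(line)
    if not m:
        return None
    return {
        "id": int(m.group(1)),
        "subject": m.group(2),
        "object": m.group(3),
        "rights": [g.lower() for g in GUID_RE.findall(m.group(4))],
    }


def detect_dcsync(lines, expected=EXPECTED_REPLICATORS):
    """Return (subject, object, [right names]) for replication requests made by
    any account that is not a known replicator: the 'workstation claiming to be
    a DC' case from the talk."""
    hits = []
    for line in lines:
        rec = parse_record(line)
        if rec is None or rec["id"] != 4662:
            continue
        names = [REPLICATION_RIGHTS[g] for g in rec["rights"] if g in REPLICATION_RIGHTS]
        if names and rec["subject"] not in expected:
            hits.append((rec["subject"], rec["object"], names))
    return hits


if __name__ == "__main__":
    for hit in detect_dcsync(SAMPLE_EVENTS):
        print("possible DCSync:", hit)
```

This only sees what the DC itself audits, which matches the talk's observation that a same-forest DCSync is the easy case; a request served by a DC in another forest never lands in this log, so the allow-list and the audit policy have to exist on every DC you care about.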
Or, or you can just try and grab it again and get a clean file. Um, and if you're a blue teamer out there, you can detect L-, uh, our raw disk access and LSASS injection fairly easily with Sysmon and then, you know, using Windows event forwarding to, to alert. Um, if you grabbed that ntds.dit a while ago and you have the k-, k-, krbtgt or the Kerberos ticket granting ticket service account, um, and you want to come back three months later, uh, to create a golden ticket. If you use the NTLM hash, uh, just like in an overpass-the-hash attack, um, we're going to get flagged, uh, as an encryption downgrade as we're using RC4 and, um, the TGS-REQ thinks that those, uh, properties should also include the AES key. Um, so if you just use the AES key, you, you can, uh, generate a golden ticket, no problem. You don't have to include the NTLM hash or the AES128 key. I don't know why, but, um, easy enough. So, um, blue team takeaways, um, how am I doing for time? I need sunglasses up here. Good? Two? Alright. Um, take a picture. Uh, here I'll leave it up for a minute. So you want to harden SQL boxes, forest trusts, um, you want to, uh, use Windows event log forwarding, um, you want to integrate all those new Defender ATP tools that we talked about and roll it across to your different servers. Um, the spring update is going to come probably with some good WMI detection, so you've got to return, uh, to, you know, different Sysmon detection techniques. Um, if you're a red teamer, you've got to go back to living off the land and directly calling those Windows APIs. Make sure you're leveraging those awesome PowerShell tools only after you've disabled AT-, ATP. Uh, and make sure you're, you're running local ones that aren't directly communicating with, with the DC. You want to look at RDP and PSSession history to help avoid user behavior analytics by also connecting to those same, uh, uh, systems and resources.
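The "encryption downgrade" alert that the talk runs into twice (overpass-the-hash with an NTLM hash, and a golden ticket built from the krbtgt NTLM hash), reduced to its core rule as an added example. This is not code from the talk and not ATA's implementation: it learns, per account, which Kerberos encryption types have been seen in 4768/4769 events during a learning period, then flags a DES or RC4 ticket request from an account that normally uses AES. The etype codes are the real values Windows logs in TicketEncryptionType; the event line format, accounts and addresses are constructed.

```python
import re
from collections import defaultdict

# Kerberos encryption-type codes as logged in the TicketEncryptionType field of
# Windows security events 4768 (TGT request) and 4769 (service ticket request).
ETYPE_NAMES = {
    0x01: "des-cbc-crc",
    0x03: "des-cbc-md5",
    0x11: "aes128-cts-hmac-sha1-96",
    0x12: "aes256-cts-hmac-sha1-96",
    0x17: "rc4-hmac",
    0x18: "rc4-hmac-exp",
}
WEAK_ETYPES = {0x01, 0x03, 0x17, 0x18}   # DES and RC4 families
AES_ETYPES = {0x11, 0x12}

# Constructed, simplified event lines (not real Windows log output).
LEARNING_LINES = [   # the learning period: what "normal" looks like
    "EventID=4768 Account=alice Client=10.1.2.10 Etype=0x12",
    "EventID=4769 Account=alice Client=10.1.2.10 Etype=0x12",
    "EventID=4768 Account=bob Client=10.1.2.11 Etype=0x12",
    "EventID=4768 Account=legacyapp Client=10.1.3.4 Etype=0x17",
]
LIVE_LINES = [
    "EventID=4768 Account=alice Client=10.1.9.77 Etype=0x17",     # RC4 from an AES account
    "EventID=4768 Account=legacyapp Client=10.1.3.4 Etype=0x17",  # RC4 is normal here
    "EventID=4769 Account=bob Client=10.1.2.11 Etype=0x12",
    "EventID=4768 Account=carol Client=10.1.5.5 Etype=0x17",      # no history at all
]

LINE_RE = re.compile(r"EventID=(\d+) Account=(\S+) Client=(\S+) Etype=(0x[0-9a-fA-F]+)")


def parse_events(lines):
    """Turn the constructed lines into dicts; lines that don't match are skipped."""
    events = []
    for line in lines:
        m = LINE_RE.search(line)
        if m:
            events.append({"id": int(m.group(1)), "account": m.group(2),
                           "client": m.group(3), "etype": int(m.group(4), 16)})
    return events


def learn_baseline(events):
    """Learning period: the set of etypes each account has been seen using."""
    baseline = defaultdict(set)
    for ev in events:
        baseline[ev["account"]].add(ev["etype"])
    return baseline


def detect_downgrades(events, baseline):
    """Alert when an account that normally uses AES asks for a DES/RC4 ticket."""
    alerts = []
    for ev in events:
        known = baseline.get(ev["account"], set())
        if ev["etype"] in WEAK_ETYPES and known & AES_ETYPES:
            alerts.append((ev["account"], ev["client"], ETYPE_NAMES[ev["etype"]]))
    return alerts


def weak_only_accounts(baseline):
    """Accounts with no AES history: this rule can never fire for them, so they
    are the hardening backlog (move them to AES-only where possible)."""
    return sorted(acct for acct, seen in baseline.items() if not seen & AES_ETYPES)


if __name__ == "__main__":
    base = learn_baseline(parse_events(LEARNING_LINES))
    for alert in detect_downgrades(parse_events(LIVE_LINES), base):
        print("encryption downgrade:", alert)
    print("weak-only accounts:", weak_only_accounts(base))
```

Two gaps follow directly from the talk: an account that only ever used RC4 (legacyapp) and an account with no learning-period history (carol) produce no alert, and a request that advertises the full AES key set looks like normal traffic to an etype-only rule. That is why the rule is worth pairing with the source-host baseline the speaker mentions (new client address for a known account), rather than relying on the etype check alone.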
Um, you want to look at blocking Windows event log forwarding because that's one of the biggest techniques that people are using right now with Sysmon and whatnot. Um, so thanks a lot for, for all your time. Uh, and thank you to all these awesome people and the Microsoft ATA team and thanks to Simon for his heart. Thanks guys.