Evading Microsoft ATA for Active Directory Domination
Overview
Explore techniques for evading Microsoft Advanced Threat Analytics (ATA) in Active Directory environments in this Black Hat conference talk. Delve into ATA's functionality, threat detection capabilities, and lab configurations. Learn about user hunting, service principal scanning, and evasion methods using PowerView. Examine brute force attacks, golden ticket techniques, and constrained delegation vulnerabilities. Discover how to manipulate ATA's MongoDB, alter alert identities, and set visibility. Analyze ATA's limitations and discuss defensive strategies. Gain insights into avoiding detection and understanding the implications for Active Directory security.
Syllabus
Introduction
About Me
Agenda
What is ATA
How it works
Lab Configuration
Threat Detection
User Hunting
SPN Scanning
Evading ATA with PowerView
Brute Force
EType
AES Keys
Overpass-the-Hash Detection
Fake Events
Golden Ticket Attack
Golden Ticket Downgrade
Lifetime Based Detection
Constrained Delegation
Not Detected
No Use
No Detection
Kerberos
SQL Servers
Interactions
Espeon Scanning
LDAP IPSec ESB
Attacking Microsoft ATA
MongoDB
Change Alert Identity
Set Alert Visibility
Defenses
Avoiding ATA
Limitations
ATA Team
Summary
Conclusion
Taught by
Black Hat