
BlueHat v18 || Tales from the SOC - Real-world attacks seen through Azure ATP and Windows Defender ATP

Jagadeesh Parameswaran, Microsoft
Rahul Sachan, Microsoft

Windows Defender Advanced Threat Protection (WDATP) gives defenders unparalleled visibility into the enterprise, and Azure Advanced Threat Protection (AATP) gives them the power to monitor attacks on the domain controllers and on user identities. Come spend an hour with us as we pull back the covers and go through detailed examples of real attacks that we saw as we defended the Microsoft corporate environment using WDATP & AATP.


  1. Screenshots present in this session are either from production environments (with obfuscated contents) or from demo environments.
  2. Microsoft security organizations: Digital Crimes Unit (DCU); Microsoft Azure (C+AI Security); Microsoft Security Response Center (C+AI Security); Cyber Security Services Engineering; Microsoft Threat Intelligence Center (MSTIC); Office 365 Security; Data & Intelligence (DI); Cyber Defense Operations Center (CDOC).
  3. SOC data sources: Consoles; Host; Network; Big Data (queries & analytics); SIEM; IDS++; FW++.
  4. How does Windows Defender Advanced Threat Protection (WDATP) help us? Windows Defender ATP (WDATP) works behind the scenes to better detect threats on the network and helps the SOC investigate and respond to data breaches.
  5. Behavior-based, post-breach detection.
  6. Rich timeline for investigation.
  7. Azure ATP (AATP) detects a wide range of suspicious activities from the AD and UEBA monitoring perspectives, covering various Active Directory and user-account attacks across the kill-chain phases (Reconnaissance, Compromised Credential, Lateral Movement, Privilege Escalation, Domain Dominance). Detections listed on the slide: Abnormal resource access; Account enumeration; Net Session enumeration; DNS enumeration; SAM-R enumeration; LDAP enumeration (roadmap); Brute force using NTLM, Kerberos, or LDAP; Honey Token account suspicious activities; Unusual protocol implementation; Malicious Data Protection Private Information (DPAPI) request; Suspicious VPN connections; Abnormal authentication requests; Remote execution; Pass-the-Ticket; Pass-the-Hash; Overpass-the-Hash; Malicious service creation; MS14-068 exploit (Forged PAC); MS11-013 exploit (Silver PAC); Skeleton key malware; Golden ticket (non-existent account); Remote execution; Malicious replication requests; Abnormal modification of sensitive groups; Suspicious domain controller promotion & replication (potential DCShadow attack).
  8. (Image slide; only the caption "sensitive" survives.)
  9. (Image slide; only bullet markers survive, no text.)
  10. Horizontal brute force: a small set of passwords across many users. Vertical brute force: a large set of passwords on just a few users.
  11. Not secure.
  12. LDAP_Simple_bind
  13. COMPLEX
  14. NO real-time detection.
  15. Possible explanations for the observed LDAP simple-bind failures: a real attack by an adversary, or a service / application that leverages LDAP simple binds rather than LDAPS.
  16. Response actions: changed the passwords of the compromised users; checked WDATP events on the victim machines to identify any suspicious process executions after the attack; asked the users to use strong passwords to prevent brute-force attacks; checked for any suspicious logins for the user accounts using MCAS to identify any possible compromise / access of Exchange Online / SharePoint Online data.
  17. The attacker was contacted to identify the reasons for the attack. This was done for experimental purposes by the attacker, as a script kiddie. The attacker was educated NOT to run any malicious activities using tools or scripts from Microsoft CORP domain-joined machines.
  18. LDAP simple-bind brute-force attacks are simple, but are difficult to track. Using AATP & WDATP, a BF attack can be quickly detected. Complex, strong passwords help to prevent brute-force attacks.
  19. Attack workflow (diagram). Labels on the slide: Attacker; (1) Brute force; Compromised account; (2) Move laterally; Victim User 1; Victim User 2; Domain Admin; DC.
  20. In less than two hours after successfully gaining access to the permanent domain admin account, the attacker used its hash to replicate the directory to their machine, Desktop-xxxx, a non-domain-joined box acting as a rogue domain controller.
  21. Compromised account + non-DJ machine + Mimikatz can bring trouble to AD. AATP provides visibility into attacks targeting the AD environment. Rich timelines in WDATP help to pinpoint anomalies on domain-joined machines.
  22. Related resources: Securing Privileged Access; Office 365 Security; Rapid Cyberattacks (Wannacrypt/Petya) video recording; Strategies; SQL Encryption & Data Masking; Office 365; Dynamics 365; +Monitor; Data Loss Protection; Data Governance; eDiscovery.
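The horizontal-versus-vertical distinction from slide 10, and the triage caveat from slide 15 (a service still using LDAP simple bind rather than LDAPS can look like an attacker), as an added example that is not the presenters' code nor part of AATP or WDATP. It assumes a constructed, simplified bind-failure event format of the form `<timestamp> <source-ip> <user> <result>`; the sample events are made up for the example.

```python
"""Triage LDAP simple-bind failures into horizontal vs vertical brute-force patterns.

Added example for this talk; not code from the presenters or from AATP/WDATP.
Assumes a constructed, simplified event format: "<timestamp> <source-ip> <user> <result>".
"""
from collections import defaultdict

# Constructed sample events (not real logs): one source spraying 12 users once each,
# one source hammering two accounts, and one user who mistyped a password once.
SAMPLE_LOG = "\n".join(
    [f"2018-09-01T10:00:{i:02d} 10.0.0.5 user{i:02d} LDAP_SIMPLE_BIND_FAILURE"
     for i in range(12)]
    + [f"2018-09-01T10:01:{i:02d} 10.0.0.9 {'svc_backup' if i % 2 else 'admin01'} "
       "LDAP_SIMPLE_BIND_FAILURE" for i in range(15)]
    + ["2018-09-01T10:02:00 10.0.0.20 bob LDAP_SIMPLE_BIND_FAILURE",
       "2018-09-01T10:02:05 10.0.0.20 bob LDAP_SIMPLE_BIND_SUCCESS"]
)


def parse_failures(text):
    """Return (timestamp, source, user) for every failed simple bind; skip other results."""
    failures = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue  # ignore blank or malformed lines rather than crash the pipeline
        ts, src, user, result = parts
        if result == "LDAP_SIMPLE_BIND_FAILURE":
            failures.append((ts, src, user))
    return failures


def classify_sources(failures, min_attempts=10, spray_ratio=0.8):
    """Per source IP: 'horizontal' (few passwords, many users), 'vertical'
    (many passwords, few users) or 'benign' (below the attempt threshold).
    Returns {source: (verdict, attempts, distinct_users)}."""
    profiles = defaultdict(lambda: {"attempts": 0, "users": set()})
    for _, src, user in failures:
        profiles[src]["attempts"] += 1
        profiles[src]["users"].add(user)
    verdicts = {}
    for src, p in profiles.items():
        attempts, distinct = p["attempts"], len(p["users"])
        if attempts < min_attempts:
            verdict = "benign"
        # Spraying spends roughly one attempt per user, so distinct users ~= attempts.
        elif distinct / attempts >= spray_ratio:
            verdict = "horizontal"
        else:
            # Failures concentrated on few accounts: vertical brute force, or (slide 15) a
            # service still using simple bind with a stale password; triage the source host.
            verdict = "vertical"
        verdicts[src] = (verdict, attempts, distinct)
    return verdicts


if __name__ == "__main__":
    for src, (verdict, n, d) in classify_sources(parse_failures(SAMPLE_LOG)).items():
        print(f"{src}: {verdict} ({n} failures across {d} accounts)")
```

Both thresholds are starting points for tuning against a real baseline; a source flagged "vertical" against a single account is exactly the case where the slide-15 check for a misconfigured simple-bind service belongs before any escalation.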