Advanced Threat Analytics

(ATA)

Advanced Threat Analytics Attack Simulation Playbook

Version 1.0 Final

Prepared by

Andrew Harris

Sr Program Manager
C+E Security Customer Experience Team
@ciberesponce

Contributors

Gal Zilberstein, Program Manager, Advanced Threat Analytics

Arbel Zinger, Program Manager, Advanced Threat Analytics

 Advanced Threat Analytics Attack Simulation Playbook

MICROSOFT MAKES NO WARRANTIES, EXPRESS OR IMPLIED, IN THIS DOCUMENT.

Complying with all applicable copyright laws is the responsibility of the user. Without limiting the rights under copyright, no part of
this document may be reproduced, stored in or introduced into a retrieval system, or transmitted in any form or by any means
(electronic, mechanical, photocopying, recording, or otherwise), or for any purpose, without the express written permission of Microsoft
Corporation.
Microsoft may have patents, patent applications, trademarks, copyrights, or other intellectual property rights covering subject matter
in this document. Except as expressly provided in any written license agreement from Microsoft, our provision of this document does
not give you any license to these patents, trademarks, copyrights, or other intellectual property.
The descriptions of other companies products in this document, if any, are provided only as a convenience to you. Any such references
should not be considered an endorsement or support by Microsoft. Microsoft cannot guarantee their accuracy, and the products may
change over time. Also, the descriptions are intended as brief highlights to aid understanding, rather than as thorough coverage. For
authoritative descriptions of these products, please consult their respective manufacturers.
2013 Microsoft Corporation. All rights reserved. Any use or distribution of these materials without express authorization of Microsoft
Corp. is strictly prohibited.
Microsoft and Windows are either registered trademarks or trademarks of Microsoft Corporation in the United States and/or other
countries.
The names of actual companies and products mentioned herein may be the trademarks of their respective owners.
 Advanced Threat Analytics Attack Simulation Playbook

Contents
Reintroducing Credential Theft ................................................................................................... 4

What is Advanced Threat Analytics? ......................................................................................... 6

Lab Setup ...................................................................................................................................................................................................................... 7
Servers and computers ........................................................................................................................................................ 7

User Setup ............................................................................................................................................................................. 8

Security research tools ...................................................................................................................................................... 10

Assumptions ............................................................................................................................................................................................................. 11

Environment Topology ........................................................................................................................................................................................ 11

Helpdesk Simulation ............................................................................................................................................................................................. 12

Beachhead via Spearphish.................................................................................................................................................................................. 13

Executing the attack ...................................................................................................................... 14

Reconnaissance ....................................................................................................................................................................................................... 14
DNS Reconnaissance .......................................................................................................................................................... 14

Directory Services Enumeration ....................................................................................................................................... 15

SMB Session Enumeration .................................................................................................................................................................................. 18

Lateral Movement .................................................................................................................................................................................................. 19

Enumerate Credentials In-Memory .................................................................................................................................. 19

OverPass-the-Hash ............................................................................................................................................................. 23

Domain Escalation ................................................................................................................................................................................................. 26

Harvest Credentials ............................................................................................................................................................ 26

Pass-the-Ticket ................................................................................................................................................................... 29

Remote Code Excecution ................................................................................................................................................... 32

Domain Dominance .............................................................................................................................................................................................. 34

Skeleton Key ........................................................................................................................................................................ 34

DC Sync: Compromise the KRBTGT .................................................................................................................................. 37

Conclusion ........................................................................................................................................ 40

3
 Advanced Threat Analytics Attack Simulation Playbook

Reintroducing Credential Theft

Assume breach. These are the two words that kicked off Microsofts Mitigating Pass-the-Hash
and Other Credential Theft1 whitepaper, entirely focused on illustrating the credential theft
techniques used by malicious cyber actors. These techniques are used after the adversary has
achieved a beachhead in their victims environment.

Attackers are in; our perimeter is breached. Our ability, however, to detect an adversary in our
environments after theyve already circumvented our defense mechanisms remains limited. The
average cost of a cyber intrusion is estimated to be around $3.8M2 for an enterprise, per incident.
Why is this so expensive? Many Information Technology (IT) organizations have no post-
infiltration detection capabilities and have slow and malformed responses.

Multi-factor authentication, Smartcards, Privileged Account Management tools have been sold to
solve this problem3. These tools certainly help operationalize the environments but these
solutions dont mitigate or provide visibility into credential theft itself.4 In fact, many
implementations of these solutions can make the credential theft problem space even worse while
at the same time providing a false sense of security.

To make matters worse, words like pass-the-hash and credential theft have morphed into buzz
words. They have become words that many hear about, and conceptually understand, but the
vagueness that still exists around them prevents us from being able to act urgently and
immediately.

This article will turn the buzz words into something real and tangible, walking through the
credential theft attack techniques themselves, by using readily available research tools on the
Internet. At each point of the attack we will show how Microsofts Advanced Threat Analytics
(ATA) 5 helps IT organizations gain visibility into these post-infiltration activities happening in their
environments.

Ignorance can no longer be bliss.

1
http://aka.ms/pthv2
2
Ponemon Institute Releases 2014 Cost of Data Breach: http://www.ponemon.org/blog/ponemon-institute-
releases-2014-cost-of-data-breach-global-analysis
3
http://aka.ms/smartcardpth
4
http://aka.ms/cyberpaw
5
http://aka.ms/ata

4
 Advanced Threat Analytics Attack Simulation Playbook

5
 Advanced Threat Analytics Attack Simulation Playbook

What is Advanced Threat Analytics?

Gaining visibility into the problem requires focused attention on a layer of the environment
typically not used for cybersecurity purposes: The Identity layer. Microsofts Advanced Threat
Analytics (ATA) turns Active Directory into a powerful post-infiltration detection tool leveraging
both signature and user-and-entity-behavioral analytic techniques.

ATA will detect and alert IT of post-infiltration activities, from internal reconnaissance to
compromised credentials, including lateral movement, privilege escalation and domain
dominance.

This article will walk you through these techniques, the respective research tools to execute these
attacks yourself, and illustrate just how important getting ATA installed and configured is.
Defenders must fully understand our attackers and their tools.

This article focuses on ATAs signature-based capabilities and does not include any
advanced machine-learning user and entity behavioral detection.

6
 Advanced Threat Analytics Attack Simulation Playbook

Lab Setup

We recommend following these instructions closely, including the experiments at the end. There
is some setting up to do, specifically 4 computers, 3 users and some research software to grab off
the Internet.

For help on installing ATA and getting an evaluation copy, good for 90 days, check this out:
http://aka.ms/ataeval. This guide was built for version 1.7 of ATA.

Servers and computers

The following lists the computers you will need and the configurations used in this exercise. These
are all staged as guest virtual machines (VMs) on Windows 10 Hyper-V. If you go this route, and
we recommend you do, make sure the VMs are placed in the same virtual switch.

FQDN OS IP Purpose

DC1.contoso.local Windows Server 2012 192.168.10.10 Domain Controller with ATA the
R2 Lightweight Gateway (LWGW)
installed

ATACenter.contoso.local Windows Server 2012 192.168.10.20 ATA Center

R2

Admin-PC.contoso.local Windows 7 Enterprise 192.168.10.30 Admins PC

Victim-PC.contoso.local Windows 7 Enterprise 192.168.10.31 Victims PC

Our domain will be called CONTOSO.LOCAL, so create the domain, then domain join these
computers and lets get rolling.

Now that all four machines up and domain joined, lets add some fictitious users to the
environment.

7
 Advanced Threat Analytics Attack Simulation Playbook

User Setup
In this exercise, you will create role separation between Helpdesk and Domain Administrators.
Unfortunately, as you will see, this isnt enough to prevent credential theft, lateral movement or
domain escalation because understanding security dependencies that transcend these two groups
across an environment is tricky.

Lets create a security group to make the separation.

Name Members Purpose

Helpdesk RonHD Manages the clients of contoso.local.

Lets create three users in the domain:

Full Name SAMAccount Purpose

Jeff Victim JeffV The victim of yet another impressively effective spear
phishing attack

Ron HD RonHD Ron is the go-to-guy at Contosos IT shop. RonHD is

a member of the Helpdesk security group.

Nuck Chorris NuckC Before now, believed not to exist. At Contoso, he

happens to be our Domain Admin.

Before proceeding, ensure RonHD was added as a member to the Helpdesk Security Group.

8
 Advanced Threat Analytics Attack Simulation Playbook

Nuck Chorris, our Domain Admin, uses Admin-PC.

The Helpdesk (that RonHD is a member of) also
manages NuckC computer. This can be quickly
configured via Restricted Groups6.

In addition, like in many IT shops, JeffV was added as

an Administrator on his own device (Victim-PC). This
was done on purpose and will be explained further in
the Help Desk Simulation assumption in this article. .

6
https://support.microsoft.com/en-us/kb/279301

9
 Advanced Threat Analytics Attack Simulation Playbook

Security research tools

1. To set up the lab, install these research tools on Victim-PC, in C:\tools:
o Mimikatz: https://github.com/gentilkiwi/mimikatz
o PowerSploit: https://github.com/PowerShellMafia/PowerSploit
o PsExec: https://technet.microsoft.com/en-us/pxexec
o NetSess.exe: available at www.joeware.net/freetools

Figure 1: On Victim-PC, this is where the research tools where placed

2. For this proof of concept, turn off all antivirus software.

These tools are for research purposes only. Microsoft does not own these tools nor can it
guarantee their behavior. These tools should only be run in a test lab environment.

Although turning off antivirus might seem like this just skewed the results, it is important to note
that the source code for these tools is freely available, which means attackers can modify it to
evade antivirus signature based detection. It is also important to note that as soon as an adversary
achieves local admin on a machine, evasion of antivirus becomes very possible. The goal at that
point is protecting the rest of the organization. One computer compromise should not lead to
domain escalation and certainly not domain compromise!

10
 Advanced Threat Analytics Attack Simulation Playbook

Assumptions

In our example, JeffV is an admin of his own workstation. Many IT shops still have their user-
population running with admin privileges. In these scenarios, local escalation attacks arent
necessary as the adversary already has admin access in the environment from which to perform
their post-infiltration operations.

However, even when IT shops reduce the privileges to using non-admin accounts, other forms of
attacks (such as known application vulnerabilities, 0-days and such) are executed to achieve local
privilege escalation. In this case, our assumption is simple: The adversary achieved local privilege
escalation on Victim-PC. As we will discuss below, in our fictitious lab, this was achieved via a
spearphishing email to JeffV.

Environment Topology

Your lab now looks something like the above. Again, we have role separation between Domain
Admins and the helpdesk, but as you will see, one security dependency linkage (sorry RonHD) is
all an adversary needs to take over the entire environment with readily available research tools.

11
 Advanced Threat Analytics Attack Simulation Playbook

Helpdesk Simulation

To simulate a common helpdesk scenario, in which helpdesk personnel are

logged into different computers, log in with RonHD to Victim-PC and then
log back in as JeffV. Use the switch user mechanism to simulate privileged
credential management on this workstation.

We could have chosen other ways to simulate this management workflow in our lab, such
as creating batch script service accounts, scheduled tasks, an RDP session or runas in the
command line. At the end of the day, something (not always a someone) has to manage
these resources and management means local admin privileges. We chose the quickest
route to simulate this workflow.

Do not log out or restart Victim-PC as this will wipe RonHDs credentials from memory and require
re-enacting the helpdesk scenario.

Computer Credentials saved on computer

Admin-PC NuckC

Victim-PC JeffV
RonHD (Caused by enacting the helpdesk
scenario)

The lab is now ready. The hard part is overthe pieces are in place and the lab is in a position
where it is one-exploit-away (#1ea) from domain compromise. As you will soon see, the single
compromise typically comes from your environments lowest privileged assets against the most
Internet facing applications from an adversary who just wont stop. And you have to assume a
breach took place.

12
 Advanced Threat Analytics Attack Simulation Playbook

Beachhead via Spearphish

In Microsofts Security
Intelligence Report Volume
217, two different actor groups
were discussed, PROMETHIUM
and NEODYNIUM. Both of
activity groups take part in
spearphishing to gain a
foothold in their target
environments. Why?

We could have chosen

multiple scenarios to establish
this pseudo-adversarys
command-and-control in our
Figure 2: Real spear phishing Email tracked and responded to by Microsoft's
lab, but were starting with Threat Intelligence Center. Courtesy of @JohnLaTwC
spearphishing.

The question remainshow can you gain visibility into the post-infiltration activity of the
adversary after theyve achieved this beachhead? How can you gain visibility into these activities
before the larger herd is affected?

7
https://www.microsoft.com/security/sir/default.aspx

13
 Advanced Threat Analytics Attack Simulation Playbook

Executing the attack

Now the fun begins. Its time use real-world tools and simulate the post-infiltration activities of
an adversary.

Reconnaissance

Once a human adversary gains presence in an environment, reconnaissance begins. At this phase,
the adversary spends time researching the environment: discovering settings, computers of
interest, enumerating security groups and other active directory objects of interest, etc. to paint a
picture for themselves of your environment.

DNS Reconnaissance
One of the first things many adversaries will do is to try to receive all the contents of the DNS.
ATA can detect this action.

1. Action: DNS Recon

On Victim-PC, logged in as JeffV, the PC and user whom the adversary just compromised, run the
following commands:
nslookup
ls -d contoso.local

Luckily, our DNS is configured to block this DNS

dump against the domain. Unfortunately,
though, all too often, this event gets ignored or
is lost in the network noise, preventing network
defenders from realizing that an adversary has
reached some level of access in their
environment and is in the beginning phases of
a more targeted attack.

ATA helps detect this and bring it to light (as it

Action 1: DNS recon does with all post-infiltration activity). Since
ATA continuously parses your DNS traffic, it can
see the dump request, whether it is successful or not. It even gives you the ability to learn from
this event in the future, in case the suspicious activity is legitimate, and coming from an approved
DNS scanning device.

14
 Advanced Threat Analytics Attack Simulation Playbook

Look at the ATA dashboard and see what ATA tells you.

ATA Detection: DNS Recon

The adversary, blocked from what would have been a big win for them: doing a DNS dump, turns
to other reconnaissance techniques.

Detecting failures can be just as insightful as detecting successful attacks against

an environment

Notice the blue bubble in the Suspicious Activity? ATA is constantly learning, based both on
consumed data and from the analyst. The analyst feedback helps remove benign true positives
and reduce noise over time, customizing ATA and its Suspicious Activity detections to your
environment.

Directory Services Enumeration

Security Account Manager Remote Protocol (SAMR) 8 provides management functionality for
users and groups across a domain. Knowing the relationship between users, groups, and
privileges can be extremely important to an adversary. Any authenticated user can execute these
commands9.

8
https://msdn.microsoft.com/en-us/library/cc245477.aspx
9
For more information on SAMR settings and restricting such reconnaissance to only users who are
members of the Local Administrators Group, please refer to:
https://gallery.technet.microsoft.com/SAMRi10-Hardening-Remote-48d94b5b#content

15
 Advanced Threat Analytics Attack Simulation Playbook

Enumerate all users and groups

Enumerating users and groups is very useful to an adversary. Knowing usernames and the names
of groups can come handy. As an attacker, you want to grab as much as you can, after all, this is
the reconnaissance phase.

2. Action: Enumerate users and groups

Use the compromised JeffV account, logged onto Victim-PC, and try to pull all the domain users
and groups by using the following commands:
net user /domain
net group /domain

That was too easy. These are operations

performed with legitimate credentials! The
attacker now knows all the users and groups in
the environment. Whats worse, without ATA, this
action would probably go
unnoticed.

Action 2: Enumeration of all users and groups

Lets see what ATA detected. Head over to the ATA dashboard and look:

ATA Detection: ATA detecting directory services enumeration

Not only did ATA detect the attack, but it also displays the data the attacker got ahold of.

16
 Advanced Threat Analytics Attack Simulation Playbook

Enumerate high privileged accounts

The attacker now holds both the user list and the group list. But knowing who is in which group
is also important, specifically for highly privileged groups such as Enterprise Admins and
Domain Admins. Lets do just that

3. Action: Enumerate Domain Admins

Run the following command, on Victim-PC as JeffV:

net group domain admins /domain

Action 3: Enumeration of Domain Admins

The attacker now has all the users and groups, and knows which users belong to the highly
privileged Domain Admins group.

The attacker wont stop there, they know there is no security boundary between Enterprise Admins
and Domain admins10, so theyll grab the Enterprise Admins list as well.

4. Action: Enumerate Enterprise Admins

To grab the members of this Enterprise Admins group, run the following command on Victim-PC:
net group enterprise admins /domain

Action 4: Enumerate Enterprise Admins

10
For more information on security boundaries between Forests and Domains, Enterprise Admins and
Domain Admins, and other Tier-0-level privileges, please refer to: http://www.aka.ms/tier0

17
 Advanced Threat Analytics Attack Simulation Playbook

There is a single account in the Enterprise Admins groupnot exactly interesting since it is just
the default, but the attacker has that much more knowledge into your accounts and has identified
which user they most want to compromise.

SMB Session Enumeration

The attacker knows who they would love to compromise to get the most credentials but they
dont exactly know how to compromise those credentials, right? SMB enumeration can provide a
precise location for where these highly interesting accounts are exposed.

All authenticated users must connect to the domain controller to process Group Policy (against
the SYSVOL) making SMB Enumeration a valuable tool for attackers. This makes domain
controllers prime targets to perform SMB Enumeration against.

Here you will use the first research tool pulled from the Internet, NetSess. NetSess is a command
line tool to enumerate NetBIOS sessions on a specified local or remote machine. You, of course,
will use it against the domain controller in your lab.

5. Action: Perform SMB Session Enumeration against the DC

To enumerate whos connected to a specific machine, in this case the DC, on Victim-PC, go to the
location where NetSess is saved locally and run the following command:
NetSess.exe dc1.contoso.local

Action 5: SMB Enumeration against the DC

We already know that NuckC is a Domain Admin. You now know the IP address of NuckC
(192.168.10.30).

This kind of reconnaissance is hard to detect with firewallsSMB protocol is how IT shops work
and a protocol that Active Directory relies on. However, with ATA, not only can this SMB Session
Enumeration be detected, but an alert will notify you as to which accounts were exposed.

18
 Advanced Threat Analytics Attack Simulation Playbook

ATA Detection: Detecting SMB Enumeration

ATA allows you to get the same relevant data that the attacker didit identifies the source
account, the source computer, as well as the exposed accounts and the IP addresses at the time
of adversary enumeration.

The more data you have, the better prepared you are to respond to attacks.

Lateral Movement

In just the few steps you took, you were already able to gain a lot of information. At this point,
the goal becomes getting to the IP address you discovered: 192.168.10.30 (where NuckCs
computer credentials are exposed).

Enumerate Credentials In-Memory

Victim-PC isnt just exposed to JeffVs credentials, there are many other accounts that might be
useful to an attacker to discover. Lets enumerate those in-memory credentials on Victim-PC.
Luckily, there is a tool for that: Mimikatz.

6. Action: Dump credentials from Victim-PC

From an elevated command prompt on Victim-PC, go to the tools folder where Mimikatz is saved
and execute the following command:
mimikatz.exe privilege::debug sekurlsa::logonpasswords exit >> c:\temp\victim-pc.txt

19
 Advanced Threat Analytics Attack Simulation Playbook

Action 6: Dump credentials from Victim-PC

The above command will execute Mimikatz which will then harvest credentials in-memory. The
tool will write this into a text file named victim-pc.txt.

Open the file victim-pc.txt to see what you can find.

7. Action: Parse through Mimikatzs credential dump output

Open the file, victim-pc.txt in notepad. Your file will look different as different passwords were
used, potentially different operating systems with default settings on/off, so dont be alarmed if
it doesnt look exactly like this example.

Action 7: Review the Mimikatz credential dump file

The attacker found JeffVs credentials, which will allow them to masquerade as JeffV.

The attacker also found the computer account, which, like a user account, can be added to other
computers Local Admin Group and other highly privileged Security Groups. That isnt useful in
this scenario but you should always remember that Computer Accounts can map to privileges
elsewhere as well.

20
 Advanced Threat Analytics Attack Simulation Playbook

The attacker also discovered a potentially

interesting account, RonHD. Remember that
RonHD was logged on to Victim-PC during
the setup phase. That credential was exposed
to the LSA process in-memory at that time,
which Mimikatz just gave the attacker visibility
to. RonHD wasnt listed when you
enumerated against users in Domain Admins
or Enterprise Admins, but remember that you
now have access to his credentials.
RonHD account is now compromised.

It is also worth noting that in some cases, this Mimikatz dump might reveal plaintext passwords,
when the environment is not updated or not configured to prevent WDigest. An up-to-date
environment, following best practices, will return an empty Password field.11

Finally, before you use RonHDs account lets see if its even of any value. Lets do some recon
against that account.

8. Action: Perform recon against the RonHD account

From the command line of Victim-PC, execute the following:

net user ronhd /domain

Action 8: Learn about RonHD

11
For more information on WDigest, please refer to:
https://blogs.technet.microsoft.com/kfalde/2014/11/01/kb2871997-and-wdigest-part-1/

21
 Advanced Threat Analytics Attack Simulation Playbook

The attacker will learn that RonHD is a member of the Helpdesk. RonHDs account just became
interesting to the attacker. However, further more analysis is needed to see if the account has
admin privileges on other computers. After all, it would make little sense to use it to laterally move
to another computer only to discover that it has lower privileges than what the attacker already
has.

9. Action: Enumerate a remote computers memberships

Here is where you turn to PowerSploit, a series of PowerShell modules used by penetration
testers. Open a PowerShell session and traverse to the location where PowerSploit is saved locally
on Victim-PC. In the PowerShell console, execute:
Import-Module .\PowerSploit.psm1
Get-NetLocalGroup 192.168.10.30

In the first line, you import the PowerSploit module into memory and in the second line you
execute one of the provided functions provided by that module, in this case, Get-NetLocalGroup.

Action 9: Remote local group membership against 192.168.10.30 via PowerSploit

22
 Advanced Threat Analytics Attack Simulation Playbook

Again, 192.168.10.30 is the discovered IP address from the SMB Enumeration phase (page 18 of
this document).

The attacker just found the following:

192.168.10.30 is connected to Admin-PC (we resolved the IP address to a computer name

via PowerSploit as well)
Contoso.local/Domain Admins and Contoso.local/Helpdesk are members of the
Administrators Group

RonHD is a member of the Helpdesk group, therefore RonHD can give the attacker Admin
privileges on Admin-PC (where the attacker knows NuckC is, from earlier reconnaissance).

The attacker used this graph-like thinking is to discover relationships in the network. This kind of
mentality is something that defenders need to adopt to handle new threats to enterprise
networks.

This is all great, but how do you use RonHD to laterally move?

OverPass-the-Hash
If the attacker is in an environment that did not disable WDigest, it is already game over as they
have the plaintext password. But, in the spirit of learning, lets make it harder and assume you do
not know/have access to the plaintext password.

NOTE: This is a good time to take a minute and make sure your IT department has disabled
WDigest12 .

So, with just access to the NTLM hash of RonHD, what can you do?

Using a technique called Overpass-the-Hash you can take the NTLM hash and use it to obtain a
Ticket Granting Ticket (TGT) via Kerberos\Active Directory. With a TGT you can masquerade as
RonHD and access any domain resource that RonHD has access to.

10. Action: Perform Overpass-the-hash attack against RonHD

Here you will be using Mimikatz again. Copy RonHDs NTLM hash from victim-pc.txt, harvested
earlier (from Action: Dump credentials from Victim-PC on page 19).

On Victim-PC, go to the location where Mimikatz is stored on the filesystem and execute the
following commands:

12
https://blogs.technet.microsoft.com/kfalde/2014/11/01/kb2871997-and-wdigest-part-1/

23
 Advanced Threat Analytics Attack Simulation Playbook

Mimikatz.exe privilege::debug sekurlsa::pth /user:RonHD /ntlm:[ntlm hash]

/domain:contoso.local exit

Replace the [ntlm hash] with the pasted NTLM value from victim-pc.txt.

Action 10: Overpass-the-hash against RonHD

A new command prompt session opens. This new command prompt injected RonHDs credentials
into it!

Lets validate this and see if you can read the contents of the C$ of the Admin-PC, something JeffV
the user should not be able to do at all.

11. Action: Read Admin-PCs C$ with RonHDs credential

From the new command prompt, run the following command:

dir \\admin-pc\c$

Action 11: Read contents of C$ of Admin-PC

24
 Advanced Threat Analytics Attack Simulation Playbook

Yep, you have access to the C drive of Admin-PC!

Now, lets just drill the point home. Lets validate that the new command-prompt you have open
injected RonHDs ticket and you didnt just misconfigure JeffV to have read rights.

12. Action: Inspect tickets in Overpass-the-hash command prompt

From the new command prompt that opened from the Overpass-the-hash attack, execute the
following:
klist

Action 12: Kerberos tickets in the cmd prompt

Yep, you are acting as RonHD in this command prompt which validates that you used his
legitimate credential to gain access to his own Admin-PC!

ATA Detection: Unusual protocol implementation

So, what does ATA see when all this happens? Because Overpass-the-hash uses NTLM, and thus
RC4, it shows up as an unusual protocol implementation. Thus, from the defenders perspective,
you will learn that on Victim-PC, RonHDs account successfully authenticated against our domain
controller. You could then start our investigation.

25
 Advanced Threat Analytics Attack Simulation Playbook

Domain Escalation

The attacker now has access to Admin-PC, a computer that from earlier reconnaissance was
identified as a good attack vector to compromise the high privileged account NuckC. The attacker
now wants to move into Admin-PC, escalating their privileges within the domain.

Harvest Credentials
Performing a Pass-the-Hash attack will allow us to move to Admin-PC. You will need to move
attacker tools to it however, first, specifically Mimikatz and PsExec.

13. Action: Execute Mimikatz against Admin-PC

From the new command prompt, running in the context of RonHD, go to the part of the filesystem
where Mimikatz is located from that library. Run the following commands:
xcopy mimikatz \\admin-pc\c$\temp

Next, execute MimiKatz remotely to export all Kerberos tickets from Admin-PC:
psexec.exe \\admin-pc -accepteula cmd /c (cd c:\temp ^& mimikatz.exe privilege::debug
sekurlsa::tickets /export ^& exit)

Copy these tickets back to Victim-PC:

xcopy \\admin-pc\c$\temp c:\temp\tickets

26
 Advanced Threat Analytics Attack Simulation Playbook

What just happened?

The attacker successfully copied the Mimikatz tool over to Admin-PC.

Action 13: Move Mimikatz to Admin-PC, execute Mimikatz on Admin-PC to harvest tickets, copy tickets back to Victim-
PC

They successfully executed Mimikatz remotely, exporting all Kerberos tickets from Admin-PC.
Finally, the attacker copied back the results to Victim-PC, and now has NuckCs credentials without
having to exploit his computer!

14. Action: Locate the NuckC TGT

Locate the kirbi files which are not NuckC (i.e. ADMIN-PC$). Delete those and keep the NuckC
tickets.

27
 Advanced Threat Analytics Attack Simulation Playbook

Action 14: Find the right filename, copy it as you will use it in the next action.

We can now import the NuckC tickets in the next action.

28
 Advanced Threat Analytics Attack Simulation Playbook

Pass-the-Ticket
What can you do with these tickets? You can pass them, literally, into memory and use them to
gain access to resources as if you were NuckC.

The attacker is ready to import them into Victim-PCs memory, to get the credentials to access
sensitive resources.

15. Action: Pass-the-Ticket

From an elevated command prompt, where Mimikatz is located on the filesystem, execute the
following:
mimikatz.exe privilege::debug kerberos::ptt c:\temp\tickets exit

Action 15: Pass-the-ticket

Ensure that the [email protected] tickets were successfully imported as illustrated

above.

Now, lets validate that the right tickets are in the command prompt session.

29
 Advanced Threat Analytics Attack Simulation Playbook

16. Action: Validate the ticket was imported

Execute the following in the same elevated command prompt:

klist

Action 16: validate the NuckC@krbtgt ticket was imported successfully

The attacker now successfully imported the harvested ticket into the session, and will now leverage
their new privilege and access to access the domain controllers C drive:

17. Action: Access contents of dc1\c$ with NuckCs credential

Execute the following in the same command prompt to which the tickets were just imported.
dir \\dc1\c$

Action 17: Access \\dc1\c$ with NuckC's credential from Victim-PC

The attacker is now, for all intents and purposes, NuckC, in the digital world. Only administrators
should be able to access the root of the domain controller. The attacker is using legitimate
credentials, can access legitimate resources and executing legitimate executables.

Most IT shops would be blind to this post-infiltration activity going on in their environment.
Fortunately, you have ATA. Lets look at the ATA Console to see what was detected:

30
 Advanced Threat Analytics Attack Simulation Playbook

ATA Detection: ATA detecting Pass-the-Ticket

ATA detected that Nuck Chorriss tickets were stolen from ADMIN-PC and moved to VICTIM-PC.
ATA also shows which resources were accessed using the stolen tickets. Not only did you become
aware of the attack, you gain insight into where to start our investigation.

Figure 3: ATA illustrating the resources accessed with

the associated Pass-the-Ticket

This information is highly important to focus on as a network defender. The attacker accessed the
CIFS, using the dir \\dc1\c$ command. The attacker sent an LDAP request to the local DC1 for
purposes of the CIFS. The KRBTGT was used to directly talk to DC1 and authenticate (a necessary
process for accessing the c$ drive of the DC). From this, we, as defenders can confirm that the
Pass-the-Ticket activity led to direct access to the DC1 computer.

31
 Advanced Threat Analytics Attack Simulation Playbook

Remote Code Execution

Remote code execution against a DC is something every adversary wishes to domaking
modifications to our Identity layer itself can make it extremely hard to detect their presence. Lets
execute remote commands to add a user to the domain, and add them to the Administrators
security group, using NuckCs legitimate credentials. With built-in tools, no malicious software or
research tools necessary.

18. Action: PsExec against DC1 to add an Administrator

From the location where PsExec is located on Victim-PC, execute:

psexec \\dc1 -accepteula net user /add InsertedUser pa$$w0rd1
psexec \\dc1 -accepteula net localgroup Administrators InsertedUser /add

Action 18: Add an Administrator to the Domain

What just happened?

The attacker just created a user account and made the account an Administrator. You clearly
exerted our Doman Admin privileges you now possess, via remote code execution. Not only that,
you can create more Domain Admins, remove domain admins. Again, all with legitimate
credentials with legitimate tools.

32
 Advanced Threat Analytics Attack Simulation Playbook

Good news, ATA detected the remote execution against DC1 from Victim-PC. In the below
screenshot, we also illustrate ATA detecting not just successful attempts but also failed attempts
by the adversary.

33
 Advanced Threat Analytics Attack Simulation Playbook

Domain Dominance

The attacker has achieved domain dominance- they can run any code, as administrators, and
access any resource in the domain.

However, to ensure the persistency of domain dominance, backdoors and other mechanisms are
put in place as insurance policies, in case the original method of attack was discovered or a
credential randomly reset.

Skeleton Key
Lets assume that the attacker wanted to create the ultimate backdoor to the DC, a way to instantly
create Admin privileged users. This method is known as Skeleton Key.

19. Action: Inject the Skeleton Key attack on DC1

First, you must copy Mimikatz over to the DC. Note that in this phase it is important to know if
the DC is a 32-bit or 64-bit machine. The example uses a 64-bit machinemodify it to the needs
of your specific environment.
xcopy x64\mimikatz.exe \\dc1\c$\temp\

Now, lets use PsExec to execute it remotely, and deploy the Skeleton Key.
PsExec \\dc1 -accepteula cmd /c (cd c:\temp ^& mimikatz.exe privilege::debug misc::skeleton ^&
exit)

Action 19: Execute Skeleton Key on the DC1

34
 Advanced Threat Analytics Attack Simulation Playbook

The attacker patched the LSASS.exe binary with the Skeleton Key. Lets figure out exactly what
this means and what an attacker could do with this.

20. Action: Leverage Skeleton Keyconfirm you have a clean command prompt with JeffV

First lets open a command prompt as JeffV. Lets also validate that no tickets from other users
are present, just so you can confirm exactly what is going.

From Victim-PC, as JeffV, execute:

klist

Action 20: Ensure you have a clean command prompt session

No high privileged tickets are there. This means that every command that the attacker will run
should only have the privileges JeffV has.

21. Action: Attempt to authenticate to DC1

Now, lets attempt to map the C$ of DC1. You will use a wrong password, on purpose, to illustrate
that not every password will work.

From the same clean command prompt, run:

net use k: \\dc1\c$ wrongpassword /user:[email protected]

35
 Advanced Threat Analytics Attack Simulation Playbook

This failed, as it should. But this is where Skeleton Key becomes scary lets try this again but
with the Master Key which you just added to every account authenticated against DC1, where you
injected the Skeleton Key.

From the command prompt, execute the following, this time, using the master key mimikatz:
net use k: \\dc1\c$ mimikatz /user:[email protected]

Action 21: Leveraging Skeleton Key with a master key

Wait, what!?

With the master key, mimikatz (hardcoded), the attacker could gain administrator privileges.
That key is not the password to the account, a way to reach DC1, using the patched process, and
authenticate any user as administrator (or any other security group).

Note that there are 2 active passwords for each account now:

The original, user/admin created password.

The skeleton master key

So, you could imagine how hard this is to detect, but heres what you can see in ATA:

ATA Detection: Detecting encryption downgrade (Skeleton Key)

36
 Advanced Threat Analytics Attack Simulation Playbook

DC Sync: Compromise the KRBTGT

So far, everything the attacker did on the DC required them to run arbitrary code on the DC. ATA
detected these actions this, raising the respective Suspicious Activity flag as well as providing the
network defender with information to pivot on.

But what if the attacker decided to run a more covert attack, one that doesnt run arbitrary code
on the DC (without PsExec or injecting the Skeleton Key into the LSASS process directly).

Mimikatz, the research tool of choice in this area, has a capability called DC Sync. This allows
the attacker, with Domain Admin credentials, to replicate any credential back to them as if they
were a DC.

22. Action: Validate Command Session is NuckC

Open up the command prompt that has NuckCs credentialsif you closed the command prompt,
go back to action number 15 (Action: Pass-the-Ticket) on page 29.

Go to the command prompt and make sure that NuckCs ticket is still injected in the session.

Action 22: Validate NuckC from krbtgt/Contoso.Local

Now that you know youre working from the correct console, you can emulate the attacker and
try to get the ultimate credentials of the domain: the KRBTGT. Why this account? With this
account, you can sign your own tickets.

37
 Advanced Threat Analytics Attack Simulation Playbook

23. Action: Execute DC Sync

From the now validated NuckC command prompt on Victim-PC, traverse to where Mimikatz is
located on the filesystem and execute the following command:
mimikatz.exe lsadump::dcsync /domain:contoso.local /user:krbtgt exit >> krbtgt-export.txt

Action 23: DC Sync against krbtgt account

Once the attacker will open-up the krbtgt-export.txt they will have the KRBTGT details needed.
Open the krbtgt-export.txt file you just exported the hash to.

Figure 4: The KRBTGT account now belong to us.

At this point, the attacker has all they need to sign any TGT for any resource using the stolen
NTLM hash without ever going back to the Domain Controller. With this, the attacker can
become anyone at any time he so desires (until the KRBTGT account itself is reset, twice13).

Lets head to the ATA console and see what was presented back to the network defenders:

13
https://blogs.microsoft.com/microsoftsecure/2015/02/11/krbtgt-account-password-reset-
scripts-now-available-for-customers/

38
 Advanced Threat Analytics Attack Simulation Playbook

ATA Detection: ATA detecting malicious replication (DC Sync)

ATA not only detected the attack but also provided the information needed to take remedial
actions.

Leveraging the KRBTGT to sign fake tickets is known as a Golden Ticket attack, which is also
detected by ATA. However, for purposes of scope and signature-based detections, it is outside
the scope of this article.

39
 Advanced Threat Analytics Attack Simulation Playbook

Conclusion
ATA gives you information and insight into defending your network that arent available anywhere
else. ATA turns the Identity-plane into a powerful detection tool that discovers post-infiltration
activities in your environment. ATA helps you digest macro-events and turn them quickly into
cohesive attack stories.

ATA provides the necessary insights and intelligence into the assume breach world, where
discovering post-infiltration activities is a must. Firewalls, antivirus engines, intrusion detection
services, and intrusion prevention services all attempt to keep the bad guy out but are more-or-
less blind after the bad guy gets in, when legitimate tools with legitimate credentials are used
maliciously. In the world of cybersecurity, it is crucial to truly understand these malicious activities.

For more information, contact ATA [email protected]; contact local Microsoft rep.

40