Red Team Revenge - Attacking Microsoft ATA

Offered By: 44CON Information Security Conference via YouTube

Tags

44CON Courses, Cybersecurity Courses, Penetration Testing Courses, Threat Detection Courses

Course Description

Overview

Explore advanced techniques for attacking Microsoft Advanced Threat Analytics (ATA) in this 53-minute conference talk from 44CON 2017. Delve into the inner workings of ATA, a defense platform that monitors various data sources to detect security threats. Learn about ATA's capabilities in identifying common attacks like Pass-the-Hash, Pass-the-Ticket, and Golden Ticket. Discover methods to identify and exploit ATA installations, including strategies to suppress alerts, exempt specific identities from detection, and remotely control or cripple ATA. Gain insights into the noise levels associated with attacking ATA and understand its limitations. The presentation covers topics such as SPN scanning, AES key manipulation, false event generation, and MongoDB backend exploitation. Conclude with a discussion on ATA's limitations and how to detect its presence in a network.

Syllabus

Introduction
About Nikhil
What is ATA
Threats of Interest
Avoiding ATA Detection
SPN Scanning
AES Keys
False Events
Golden Ticket
AES Key Bypass
Ticket Lifetime
MongoDB Backend
Change attribution
Defense
Limitations of ATA
How to detect ATA
Limitations
Conclusion


Taught by

44CON Information Security Conference
