One of the biggest points of confusion I hear is that Azure Advanced Threat Protection is only applicable to Windows. That is not true. I also hear that “credential theft” is a Windows problem. Also not true!
Here I’ll show how you can extend the Azure ATP Security Alert Playbook and leverage the credentials harvested from Admin-PC on Kali Linux. This is an important component for network defenders to be aware of: compromised credentials can be used from other machines, including non-domain-joined Linux ones!
Here is a video showing you a play-by-play:
References in the video:
- Kekeo (link)
- Benjamin Delpy’s twitter (link); author (“father”) of mimikatz and kekeo
- Kali (link)
- Impacket (link)
- Azure ATP Security Alert Playbook (link)
- Azure ATP (link)
Points to be aware of:
- Azure ATP can detect post-exploit activity from Kali Linux and other non-domain machines (including your favorite mobile devices); all it cares about is that the user accounts are domain accounts
- Credentials don’t always stay on the device; once harvested, they can be re-used elsewhere. This means a malicious backdoor installed on your Domain Controller is equivalent to someone harvesting a Domain Admin credential that is never reset.
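The two points above can be turned into simple detection logic. The following is an added example, not code from the original post and not how Azure ATP itself works: it parses constructed, pipe-delimited authentication records, flags domain accounts authenticating from hosts that are absent from a (constructed) domain-joined inventory, and separately lists privileged accounts whose password has not been reset within a threshold. The host inventory, the domain name `CONTOSO`, the account names and the log format are all assumptions made for the example.

```python
"""Added example: flag domain-account authentications from non-domain-joined
hosts, and list privileged accounts with stale passwords. All data is constructed."""
from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed inventory of domain-joined hosts (assumption: an AD/CMDB export).
DOMAIN_JOINED_HOSTS = {"admin-pc", "dc01", "fileserver01"}
# Constructed set of Active Directory domains we recognise (assumption).
KNOWN_DOMAINS = {"CONTOSO"}
# Constructed privileged-group membership (assumption).
PRIVILEGED_ACCOUNTS = {"CONTOSO\\dadmin"}


@dataclass(frozen=True)
class AuthEvent:
    timestamp: datetime
    account: str      # DOMAIN\user for domain accounts, HOST\user for local ones
    source_host: str  # hostname or IP the authentication request came from
    service: str      # service the logon or ticket request targeted


@dataclass(frozen=True)
class Alert:
    account: str
    source_host: str
    reason: str


def is_domain_account(account: str) -> bool:
    """Only the account matters for the check; the source machine can be anything."""
    prefix, sep, _ = account.partition("\\")
    return bool(sep) and prefix.upper() in KNOWN_DOMAINS


def parse_event(line: str) -> AuthEvent:
    """Parse one constructed log line: '<ISO timestamp>|<account>|<source_host>|<service>'."""
    ts, account, host, service = line.strip().split("|")
    return AuthEvent(datetime.fromisoformat(ts), account, host.lower(), service)


def flag_foreign_host_auths(events):
    """Alert on every domain-account authentication from a host not in the inventory."""
    alerts = []
    for ev in events:
        if not is_domain_account(ev.account):
            continue  # local accounts are out of scope for this check
        if ev.source_host not in DOMAIN_JOINED_HOSTS:
            reason = "domain account used from non-domain-joined host"
            if ev.account in PRIVILEGED_ACCOUNTS:
                reason = "PRIVILEGED " + reason
            alerts.append(Alert(ev.account, ev.source_host, reason))
    return alerts


def stale_privileged_passwords(pwd_last_set, now, max_age_days=90):
    """Privileged accounts whose password is older than max_age_days.
    A harvested credential stays usable until the password is actually reset."""
    cutoff = now - timedelta(days=max_age_days)
    return sorted(acct for acct, when in pwd_last_set.items()
                  if acct in PRIVILEGED_ACCOUNTS and when < cutoff)


# Constructed sample log: a Domain Admin used from a Linux box, a local root
# logon that must be ignored, and an ordinary user from an unknown IP.
SAMPLE_LOG = """\
2019-03-01T09:00:00|CONTOSO\\alice|admin-pc|krbtgt
2019-03-01T09:05:00|CONTOSO\\dadmin|kali-box|krbtgt
2019-03-01T09:06:00|CONTOSO\\dadmin|kali-box|cifs/dc01
2019-03-01T09:10:00|kali-box\\root|kali-box|local
2019-03-01T09:12:00|CONTOSO\\bob|10.0.0.77|ldap/dc01
"""


def run_sample():
    events = [parse_event(line) for line in SAMPLE_LOG.splitlines()]
    return flag_foreign_host_auths(events)


def run_stale_sample():
    # Constructed pwdLastSet values (assumption).
    return stale_privileged_passwords(
        {"CONTOSO\\dadmin": datetime(2016, 1, 1), "CONTOSO\\alice": datetime(2016, 1, 1)},
        now=datetime(2019, 3, 1))


if __name__ == "__main__":
    for a in run_sample():
        print(f"{a.account} from {a.source_host}: {a.reason}")
    print("stale privileged passwords:", run_stale_sample())
```

On the constructed sample this yields three alerts (two for the privileged account from `kali-box`, one for `CONTOSO\bob` from an unknown IP) and lists `CONTOSO\dadmin` as a stale privileged password; `kali-box\root` is skipped because its prefix is not a known domain. In a real environment the inventory and `pwdLastSet` values would come from your directory, and the source host would be taken from the authentication telemetry rather than a flat file.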
Not being able to defend against credential abuse can cost you more money in the long run, not to mention give you a false sense of security. Too often adversary activity goes unnoticed in an environment, sometimes for years.
Once an adversary has had time to mature in the environment, the price of evicting them goes up drastically! Think about it. When an adversary achieves Domain Admin privileges, you as the network defender now have to attempt to confidently evict them with the same level of privileges they have (Domain Admin)! That’s a very hard task.