One of the biggest points of confusion I hear is that Azure Advanced Threat Protection is only applicable to Windows. That is not true. I also hear that “credential theft” is a Windows problem. Also, not true!

Here I’ll show how you can extend the Azure ATP Security Alert Playbook and leverage the harvested credentials from Admin-PC on Kali Linux. This is a vital component to be aware of as network defenders; compromised credentials can be used from other machines, including non-Domain joined Linux ones!

Here is a video showing you a play-by-play:

The above video shows the specific steps. You can use the DefendTheFlag program to replicate this environment quickly within Azure, if you so choose.

References in the video:

  • Kekeo (link)
  • Benjamin Delpy’s twitter (link); author/father of Mimikatz and Kekeo
  • Kali (link)
  • Impacket (link)
  • Azure ATP Security Alert Playbook (link)
  • Azure ATP (link)

Points to be aware of:

  • Azure ATP can detect post-exploit activity from Kali Linux and other non-domain machines (including your favorite mobile devices); all it cares about is that the user accounts involved are domain accounts
  • Credentials don’t always stay on the device; once harvested they can be moved to other machines and re-used from there. This means a malicious backdoor installed on your Domain Controller is equivalent to someone harvesting a Domain Admin credential that is never reset.
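As an added illustration of the two points above (this is example code, not part of the original post or of Azure ATP), the following detection logic runs over constructed Kerberos-style authentication records and flags a domain account used from a host that is not in the domain-joined inventory, as well as the same account used from two different hosts within a short window, which is what a harvested credential moved to a Kali box looks like from the defender's side. The event format, account names, IP addresses and inventory are all constructed for the example.

```python
from datetime import datetime, timedelta

# Constructed sample events (not real telemetry): time, domain account, and the
# source IP that requested Kerberos tickets. In production these would be taken
# from domain controller authentication logs or from Azure ATP's own activity feed.
EVENTS = [
    ("2019-06-01T09:00:00", "CONTOSO\\jsmith", "10.0.0.21"),
    ("2019-06-01T09:05:00", "CONTOSO\\jsmith", "10.0.0.21"),
    ("2019-06-01T09:07:00", "CONTOSO\\da-admin", "10.0.0.50"),  # Admin-PC (constructed)
    ("2019-06-01T09:12:00", "CONTOSO\\da-admin", "10.0.0.99"),  # unknown host (constructed)
    ("2019-06-01T14:30:00", "CONTOSO\\jsmith", "10.0.0.22"),
]

# Constructed inventory of domain-joined hosts; any other source is unmanaged.
DOMAIN_JOINED = {"10.0.0.21", "10.0.0.22", "10.0.0.50"}


def parse(events):
    """Turn the raw tuples into (datetime, account, ip) records."""
    return [(datetime.fromisoformat(t), acct, ip) for t, acct, ip in events]


def non_domain_sources(events, inventory):
    """Domain accounts authenticating from hosts that are not domain-joined."""
    return sorted({(acct, ip) for _, acct, ip in parse(events) if ip not in inventory})


def credential_reuse(events, window=timedelta(minutes=10)):
    """Same account seen from two different hosts within `window`: the credential moved."""
    by_acct = {}
    for ts, acct, ip in sorted(parse(events)):
        by_acct.setdefault(acct, []).append((ts, ip))
    findings = []
    for acct, uses in by_acct.items():
        for i in range(1, len(uses)):
            prev_ts, prev_ip = uses[i - 1]
            ts, ip = uses[i]
            if ip != prev_ip and ts - prev_ts <= window:
                findings.append((acct, prev_ip, ip))
    return findings


if __name__ == "__main__":
    print("non-domain sources:", non_domain_sources(EVENTS, DOMAIN_JOINED))
    print("credential reuse:", credential_reuse(EVENTS))
```

Both checks only need the account name and the source host, which is why a non-domain-joined client is no blind spot: the domain controller still sees the ticket requests.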

Not being able to defend against credential abuse costs you more money overall, and it also gives you a false sense of security. Too often adversary activity goes unnoticed in an environment for months, sometimes years.

Once an adversary has had time to mature in the environment, the price to evict them goes up drastically! Think about it. When an adversary achieves Domain Admin privileges, you, the network defender, now must attempt to confidently evict them while they hold the same level of privileges you do (Domain Admin)! That’s an awfully challenging task.

Why should you care?

Hopefully, this proves that tickets/identities/credentials are only as good as the security of the endpoints on which they are exposed. It should also make clear that if a credential is compromised, the identity is compromised until that credential is no longer valid. This means someone can have the “keys to your kingdom” without persistent access on any device. They can come back anytime they want, knock on your door, and be given the most sensitive privileges — even from non-Domain joined computers.

Getting visibility and security into your Identity plane is of utmost importance. Continuous monitoring is not optional — and that is a much bigger challenge than just Endpoint Protection (EPP)/Endpoint Detection and Response (EDR).

Happy Hunting,