
Lab of a Penetration Tester: Week of Evading Microsoft ATA
#Security Testing #Offensive Security
Exploring Microsoft Advanced Threat Analytics (ATA)
I have been experimenting with Microsoft Advanced Threat Analytics (ATA) for the past few months. I found it to be quite beneficial for Blue Teams, but also intimidating for Red Teamers, as it effectively detects various Active Directory (AD) tools and techniques. This naturally led me to look for ways around its detections, which is why I spent my weekends and nights on finding potential workarounds. I uncovered several methods to bypass ATA, some strategies to avoid detection, and even techniques to attack the ATA installation itself. Last week I delivered a talk titled 'Evading Microsoft ATA for Active Directory Dominance' at Black Hat USA (slides are available at the end of this post). I will also be speaking at 44CON and BruCON about some of the additional research I am conducting.
Insights Gained During My Research on Evading Detection
During my research, I discovered that evading detection by Microsoft ATA is not particularly difficult, provided we do not use tools mindlessly without understanding their functions. To promote a more intelligent use of offensive tools and to adapt techniques based on detection mechanisms, I am excited to announce a 'Week of Evading Microsoft ATA' starting on August 7, 2017. Throughout this week, we will explore fascinating topics, including everything discussed in my presentations and more. Here’s what to expect on Day 1:
- Introduction, detection, and methods for bypassing or avoiding R.