'Bruteforce Attack', 'Pass-The-Ticket', 'Pass-The-Hash', 'Sensitive account exposed' Attacks NOT DETECTED!! RRS feed

  • General discussion

  • Hi All,

    I tested the following attacks in Microsoft Advanced Threat Analytics and found them not to be working.

    1. Bruteforce Attack
    2. Pass-The-Ticket
    3. Pass-The-Hash
    4. Sensitive account exposed Using Plain-Text Authentication

    I have tested other attacks like Reconnaissance using DNS, Broken Trust, Honey Token account suspicious activities but they are working perfectly fine. I don't know what's the issue with the above 4.


    1. Bruteforce Attack:

    I used thc-hydra-windows and triggered a dictionary attack using a list of passwords.

    2. Pass-The-Ticket:

    I used mimikatz to steal the kerberos ticket from a PC on which Admin is logged on. Impersonating an attacker, I copied the .kirbi file and Injected that file(using mimikatz again) to another PC on which a domain user is logged in.

    3. Pass-The-Hash:

    (Same as above)

    4. Sensitive account exposed in plain text authentication:

    I used mimikatz command 'sekurlsa :: logonpasswords' and was able to get passwords of all the users who logged on to that PC. But this was also not detected by MATA.

    Please help me with the above issues. If possible, provide the tools using which I can trigger and detect those attacks.


    Wednesday, November 18, 2015 8:54 AM

All replies