
Cyber Security: Installing Microsoft Advanced Threat Analytics (ATA) version 1.8

Microsoft Advanced Threat Analytics (ATA) is a platform that helps you protect your infrastructure from cyber attacks. ATA uses a parsing engine to capture network traffic of protocols such as Kerberos, and it monitors authentication and authorization. The traffic can be captured with port mirroring from Domain Controllers and other important computers. Alternatively, you can deploy ATA directly on Domain Controllers, which is called the ATA Lightweight Gateway.

ATA supports installation on a server running Windows Server 2012 R2 or Windows Server 2016.

ATA can detect attacks such as Pass-the-Ticket, Pass-the-Hash, Golden Ticket, Brute-Force and many more. In short:

  • Malicious attacks
  • Abnormal behaviour
  • Security issues

In this article I’m going to install the ATA Center on a member server of my Active Directory domain. Then my Domain Controller will be configured as an ATA Lightweight Gateway, so there is no need for a dedicated server or for configuring port mirroring. Both servers run Windows Server 2016. This sample screenshot from the Microsoft Docs shows what is possible. At the end of the article I will simulate reconnaissance via DNS.


Link: https://docs.microsoft.com/de-de/advanced-threat-analytics/what-is-ata

For downloading the 90-day ATA trial follow this link:

https://www.microsoft.com/en-us/evalcenter/evaluate-microsoft-advanced-threat-analytics

Installing ATA Center on a Member Server

Run the Microsoft ATA Center installation package.


Click next.


Accept the license terms. I strongly recommend checking for updates before proceeding.


Choose an installation and database path. If you have a valid SSL certificate, provide it in this step. I don’t have one, so I choose Create self-signed certificate. Click Install.


Progress …


I’m surprised how quick and painless it is to install it on my member server.


Now click on Launch. Accept the certificate warning.


Nice view. 😉

Creating an Active Directory ATA User (Read Access)

Switch to your Domain Controller. Our next step is to connect the ATA Center to the AD forest. We have to provide a username and password. This user should only have read access to all Active Directory objects. Domain users have read access to Active Directory objects by default.

More about the prerequisites here: https://docs.microsoft.com/en-us/advanced-threat-analytics/ata-prerequisites#before-you-start

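As an added example (not part of the original post), this is how I would create the dedicated, read-only account for the ATA Center with PowerShell instead of through the GUI, and then confirm that it really holds nothing beyond the default Domain Users membership. The account name svc-ata, the "Service Accounts" OU and the description are assumptions; adjust them to your domain.

```powershell
# Added example: dedicated least-privilege account for the ATA Center's
# directory connection. Name, OU and description are assumptions.
Import-Module ActiveDirectory

$Domain      = Get-ADDomain
$AccountName = 'svc-ata'                                          # assumed name
$TargetOU    = "OU=Service Accounts,$($Domain.DistinguishedName)" # assumed OU, must exist
$Password    = Read-Host -Prompt "Password for $AccountName" -AsSecureString

New-ADUser -Name $AccountName `
    -SamAccountName $AccountName `
    -UserPrincipalName "$AccountName@$($Domain.DNSRoot)" `
    -Description 'Read-only directory access for the ATA Center' `
    -Path $TargetOU `
    -AccountPassword $Password `
    -Enabled $true `
    -CannotChangePassword $true

# A plain domain user already has read access to directory objects, so any
# additional group membership is a sign that the account has more rights
# than ATA needs.
$Groups = Get-ADPrincipalGroupMembership -Identity $AccountName |
    Select-Object -ExpandProperty Name
$Extra  = $Groups | Where-Object { $_ -ne 'Domain Users' }

if ($Extra) {
    Write-Warning "$AccountName has unexpected group membership: $($Extra -join ', ')"
} else {
    Write-Host "$AccountName is a plain domain user (read access only)."
}
```

Run the script on a Domain Controller or on a machine with the RSAT ActiveDirectory module; the membership check at the end is worth repeating after the ATA Center has been connected, so that nobody quietly adds the account to a privileged group later.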
Connect to your Active Directory Forest

Now switch back to the ATA Center on the member server. Enter username, password and your domain name. Click on Test connection.


That’s it. Click Save.

Configure the ATA Gateway

Our next step is to download the Gateway setup and configure our first Gateway. My Domain Controller will become the first gateway. In ATA Center click on Download Gateway Setup.


Save the file to your computer. Copy it to your Domain Controller. On your Domain Controller extract the installation package and open Microsoft ATA Gateway Setup.exe.


Choose your language and click Next. As mentioned, I will use a Domain Controller as an ATA Lightweight Gateway. Select installation path and click Install.


A quick glance at the ATA Center shows me that the Gateway was successfully installed and has done its first sync.


Click on the name of your gateway and check Domain synchronizer candidate. It should be set to ON.


Look at the right area. ATA begins learning. This may take some time.


We’re done. Exciting moment. My network is now monitored.

ATA and PowerShell

There is a PowerShell module for ATA available on GitHub. I haven’t tried it yet; here is the link: https://github.com/Microsoft/Advanced-Threat-Analytics

Another way is to install it via Install-Module.

Install-Module Advanced-Threat-Analytics


First look.

Get-Command -Module Advanced-Threat-Analytics | Select Name


Maybe I will play with these commands later on. For now I want to do my first test with ATA.

First steps …

My first tests are already done. Here’s a complete DNS zone transfer attempt:


This activity was recorded by ATA a few minutes later. Nice.
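ATA flags the zone transfer attempt as reconnaissance, but the DNS server itself should not hand out the zone in the first place. As an added example (not part of the original post, and not an ATA feature), the following script audits which primary zones on a Windows DNS server would answer a zone transfer request and shows how to lock down the ones that would answer anyone. It assumes it is run locally on the DNS server; the Set-DnsServerPrimaryZone call is guarded with -WhatIf so it only reports what it would change.

```powershell
# Added example: audit zone transfer settings on a Windows DNS server.
# Assumption: run on the DNS server itself ($env:COMPUTERNAME).
Import-Module DnsServer

$DnsServer = $env:COMPUTERNAME

# Only primary zones can be transferred from this server; auto-created
# reverse zones (0.in-addr.arpa etc.) are skipped.
$Zones = Get-DnsServerZone -ComputerName $DnsServer |
    Where-Object { $_.ZoneType -eq 'Primary' -and -not $_.IsAutoCreated }

foreach ($Zone in $Zones) {
    $Assessment = switch ("$($Zone.SecureSecondaries)") {
        'NoTransfer'               { 'OK: zone transfers disabled' }
        'TransferToZoneNameServer' { 'Review: any server listed in the NS records may pull the zone' }
        'TransferToSecureServers'  { "Restricted to: $($Zone.SecondaryServers -join ', ')" }
        'TransferAnyServer'        { 'EXPOSED: any host can pull the complete zone' }
        default                    { 'Unknown setting' }
    }
    [pscustomobject]@{
        Zone       = $Zone.ZoneName
        Setting    = $Zone.SecureSecondaries
        Assessment = $Assessment
    }
}

# Hardening step: refuse transfers on zones that currently allow any server.
# Remove -WhatIf to apply the change; add named secondaries with
# -SecureSecondaries TransferToSecureServers -SecondaryServers <ip> if you
# legitimately replicate to non-AD DNS servers.
$Zones | Where-Object { "$($_.SecureSecondaries)" -eq 'TransferAnyServer' } |
    ForEach-Object {
        Set-DnsServerPrimaryZone -ComputerName $DnsServer -Name $_.ZoneName `
            -SecureSecondaries NoTransfer -WhatIf
    }
```

Active Directory-integrated zones replicate through AD itself and do not need classic zone transfers, so NoTransfer is the normal setting for them; ATA's alert then tells you that someone asked, and the DNS server's refusal means they got nothing.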


What’s next?

Well, as promised I will write down my experience with ATA later on in another blog post, because now ATA has to learn and analyze the default behavior and activities of my infrastructure for a longer period of time. Stay tuned!


2 Comments

  1. […] via Cyber Security: Installing Microsoft Advanced Threat Analytics (ATA) version 1.8 […]


  2. Onur B. says:

    thank you



My name is Patrick Grünauer. Microsoft MVP. I am from Austria. On sid-500 I write about Windows, Cisco and IT-Security in English and German. Have fun while reading!
