
Deploying Microsoft

Advanced Threat Analytics (v1.11)

Written by Michel de CREVOISIER - January 2017

Based on ATA v1.7 update 2

SOURCES
ATA installation:
https://docs.microsoft.com/en-us/advanced-threat-analytics/plan-design/ata-capacity-planning
https://docs.microsoft.com/en-us/advanced-threat-analytics/deploy-use/install-ata-step1
https://blogs.technet.microsoft.com/enterprisemobility/2016/11/04/advanced-threat-analytics-event-log-collection/

Security best practices and attack simulation:


https://blogs.technet.microsoft.com/enterprisemobility/2016/06/10/best-practices-for-securing-advanced-threat-analytics/
https://gallery.technet.microsoft.com/ATA-Playbook-ef0a8e38/view/Reviews
INDEX
SOURCES
INDEX
1. Architecture
1.1 ATA Center
1.2 ATA Gateway
1.3 ATA Lightweight Gateway
1.4 ATA Global architecture overview
2. ATA Center installation
2.1 Prerequisites
2.2 Installation
2.3 Update
3. ATA Center configuration
3.1 Login
3.2 Directory Services
3.3 User group management
3.4 Notifications
4. ATA Gateway installation
4.1 Prerequisites
4.2 Installation
4.3 ATA Gateway configuration
5. Attacks and events management
5.1 Directory services enumeration
5.2 Reconnaissance using DNS
5.3 Pass the ticket attack
6. Monitoring and troubleshooting
6.1 Mongo database
6.2 Gateway performance counters
6.3 ATA Lightweight Gateway issue on VMware
6.4 Logs path
6.5 Gateway issue
7. Security enforcements
7.1 Telemetry
7.2 ATA center web access
1. Architecture
The ATA infrastructure is composed of the following components (source):

1.1 ATA Center

Roles:
Manages ATA Gateway and ATA Lightweight Gateway configuration settings
Receives data from ATA Gateways and ATA Lightweight Gateways
Detects suspicious activities
Runs ATA behavioral machine learning algorithms to detect abnormal behavior
Runs various deterministic algorithms to detect advanced attacks based on the attack kill chain
Runs the ATA web console
Sends email and SYSLOG notifications

Note: since ATA version 1.7, the web console runs on OWIN instead of IIS (source). Microsoft's OWIN
implementation is called Katana.

1.2 ATA Gateway

Roles:
Captures and inspects domain controller network traffic (port-mirrored traffic in the case of an
ATA Gateway, local traffic of the domain controller in the case of an ATA Lightweight Gateway)
Receives Windows events from SIEM or Syslog servers, or from domain controllers using WEF
Retrieves data about users and computers from the Active Directory domain
Performs resolution of network entities (users, groups and computers)
Transfers relevant data to the ATA Center
Monitors multiple domain controllers from a single ATA Gateway, or a single domain
controller in the case of an ATA Lightweight Gateway

1.3 ATA Lightweight Gateway

The ATA Lightweight Gateway provides the same services as a standard ATA Gateway except on the
following points (source):
Traffic is captured directly on the domain controller instead of from port-mirrored traffic
By default it is not a domain synchronizer candidate (see point 5)
It includes a monitoring component that evaluates the resources available on the domain
controller
It is intended to be installed:
o In branch office sites
o On RODC domain controllers
o On virtual domain controllers deployed in the cloud

Be aware of an issue with domain controllers hosted on VMware when using the ATA Lightweight
Gateway. Refer to point 7.3 for more details.
1.4 ATA Global architecture overview

Components overview:

Process overview:
2. ATA Center installation
2.1 Prerequisites

The following requirements must be met before installing the ATA Center (source).

2.1.1 Server sizing

As the ATA Center is resource intensive (CPU, disk, memory and IOPS), Microsoft provides a tool
to size the server properly (source):

You may need to launch the EXE file remotely with domain privileges and let it run for 24h (source):

During execution, the program gathers information from your DCs and writes it into an Excel file:
Then, depending on the values collected in the Excel file, adjust the CPU, memory or disk space
accordingly:

2.1.2 Physical server specifications

If the ATA Center is installed on a physical server, the ATA database requires NUMA to be disabled in the BIOS.

2.1.3 Operating system

The ATA Center can be installed on Windows Server 2012 R2 or 2016. On Server 2012 R2, ensure that
the following update is installed: KB2919355. You can verify it with:

Get-HotFix -Id kb2919355

2.1.4 Database file management

For performance and management reasons, it is recommended to place the Mongo database on a
separate, dedicated, high-performance disk.

2.1.5 Users group access

To manage user access, consider creating the Active Directory groups below. We will add those
groups to the local ATA groups in point 3.3:
<Company> ATA Administrators
<Company> ATA Users
<Company> ATA Viewers
2.1.6 ATA user account access

Create a domain account that ATA will use to access your domain in point 5. Do not use an account
name containing words like "ATA" or any other word related to this software. This account needs the
following access rights:
Read access on all domain objects
Read access on the Deleted Objects container (see next point). This allows ATA to detect bulk
deletion of objects in the domain

2.1.7 ATA deleted objects access

To prepare point 3.2, grant your ATA service account access to the Deleted Objects container (source).
First take ownership of the container, then grant the permissions:
dsacls <deleted_object_dn> /takeownership
dsacls <deleted_object_dn> /G <user_or_group>:<permissions>

Example (LCRP = List Contents and Read Property):
dsacls "CN=Deleted Objects,DC=demo,DC=lan" /takeownership
dsacls "CN=Deleted Objects,DC=demo,DC=lan" /G demo\ad-svc-ata:LCRP
2.1.8 Certificate

A certificate is required to secure access to the web console. You can use your own certificate or
generate a self-signed certificate during the installation process.

2.1.9 Network

The ATA Center server requires two different IP addresses, one for each of the following:
Center Service
Web Console

Ensure that both IPs are configured, either on a single NIC or on two NICs, before continuing with the
installation process.
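As an added example (not part of the original guide), the following PowerShell script checks the prerequisites of points 2.1.3, 2.1.4, 2.1.7 and 2.1.9 before launching the setup. The IP addresses, drive letter, account name and container DN are assumptions to adapt to your environment.

```powershell
# Added example (not from the original guide): pre-installation checks for the
# ATA Center prerequisites of point 2.1. All values below are assumptions to adapt.
$CenterServiceIp = '192.168.56.101'     # assumed IP of the Center Service
$ConsoleIp       = '192.168.56.102'     # assumed IP of the Web Console
$MongoDrive      = 'D'                  # assumed dedicated drive for MongoDB
$AtaAccount      = 'demo\ad-svc-ata'    # service account from point 2.1.6
$DeletedObjects  = 'CN=Deleted Objects,DC=demo,DC=lan'

$results = @()

# 2.1.3: KB2919355 must be present on Windows Server 2012 R2
$os = (Get-CimInstance Win32_OperatingSystem).Caption
if ($os -like '*2012 R2*') {
    $kb = Get-HotFix -Id KB2919355 -ErrorAction SilentlyContinue
    $results += [pscustomobject]@{ Check = 'KB2919355 installed'; Ok = [bool]$kb }
}

# 2.1.9: both IPs must be configured locally (single NIC or two NICs) and differ
$localIps = (Get-NetIPAddress -AddressFamily IPv4).IPAddress
foreach ($ip in $CenterServiceIp, $ConsoleIp) {
    $results += [pscustomobject]@{ Check = "IP $ip configured"; Ok = ($localIps -contains $ip) }
}
$results += [pscustomobject]@{ Check = 'Service and console IPs differ'
                                Ok    = ($CenterServiceIp -ne $ConsoleIp) }

# 2.1.4: the MongoDB drive must exist and must not be the system drive
$sysDrive = $env:SystemDrive.TrimEnd(':')
$vol = Get-Volume -DriveLetter $MongoDrive -ErrorAction SilentlyContinue
$results += [pscustomobject]@{ Check = "Dedicated Mongo drive $MongoDrive"
                                Ok    = ([bool]$vol -and $MongoDrive -ne $sysDrive) }

# 2.1.7: the service account must appear in the ACL of the Deleted Objects container.
# dsacls prints one line per ACE, e.g. "Allow DEMO\ad-svc-ata  SPECIAL ACCESS ..."
$acl = & dsacls $DeletedObjects 2>&1
$results += [pscustomobject]@{ Check = 'Deleted Objects ACE for service account'
                                Ok    = [bool]($acl | Select-String -SimpleMatch $AtaAccount) }

$results | Format-Table -AutoSize
if ($results.Ok -contains $false) {
    Write-Warning 'Some prerequisites are missing; fix them before running the ATA Center setup.'
}
```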

2.2 Installation

Configure the settings below according to your choices from point 2.1:
Once the installation is complete, check the two newly created firewall rules:

Two Windows services have also been created:


Microsoft Advanced Threat Analytics
MongoDB

2.3 Update

Check the optional ATA Windows Updates and install them:

During the update process, it is recommended to choose the Full option if you want to keep your data:
3. ATA Center configuration
3.1 Login

Once the installation is done, connect to the web interface using the desktop shortcut. Use a local
administrator account to authenticate:

3.2 Directory Services

Provide the account configured in point 2.1.6 to connect ATA to your domain:

3.3 User group management

Add the domain groups created in point 2.1.5 to their respective local ATA groups on the ATA Center
server (source):
3.4 Notifications

It is possible to configure email and Syslog notifications in order to be informed about security events.

3.4.1 Syslog configuration

3.4.2 SYSLOG message

Notifications are sent from the console interface IP. Note that Wireshark truncates the printed
message at 240 characters, so you will need to open the PCAP file with tcpdump to view the full
message. Full SYSLOG messages can be found in point 6.
4. ATA Gateway installation
4.1 Prerequisites

4.1.1 Server sizing

Follow the same instructions as in point 2.1.1 to size the Gateway properly (source).

4.1.2 Operating system

The ATA Gateway can be installed on Windows Server 2012 R2 or 2016. On Server 2012 R2, ensure that
the following update is installed: KB2919355. You can verify it with:

Get-HotFix -Id kb2919355

4.1.3 Software

Do NOT install Wireshark or Message Analyzer on the ATA Gateway server.

4.1.4 Network

The ATA Gateway server requires two different network adapters:

Management adapter: used for communication with the ATA Center
Capture adapter: configured to capture all mirrored traffic from the domain controllers

4.1.5 Port mirroring

As the ATA Gateway uses port mirroring as its main data source for DPI, you need to configure port
mirroring on all your domain controllers. There are three kinds of port mirroring technology:
SPAN: copies network traffic from one or more switch ports to another port on the same switch
RSPAN: allows monitoring of network traffic from source ports distributed over multiple physical
switches
ERSPAN (Cisco proprietary, operates at layer 3): allows monitoring of network traffic across
switches using the GRE protocol. However, ATA does not support this solution and you will need
an intermediate switch or router to decapsulate the traffic into SPAN or RSPAN

Also, depending on your ATA and DC configuration (physical and/or virtual), check whether the
mirrored traffic can be handled (source). For VMware troubleshooting, see point 7.3.
4.2 Installation

4.2.1 Download

To deploy a gateway, download the setup package from the web interface and install it on your gateway
server. Extract it from the ZIP file first to avoid an installation failure.

The downloaded package contains two files (see image below):


Gateway setup
JSON configuration file

4.2.2 Setup
The setup chooses the most appropriate gateway type for you depending on whether your server is a
domain controller or not:

Provide the requested information:

Your own certificate or a self-signed certificate
An account with administrator privileges on the ATA Center
During the installation process, the following components are installed:
KB3047154 (do not install it on the virtualization host (Hyper-V), otherwise port mirroring will
fail)
ATA Gateway service
Visual C++ 2013
Custom Performance Monitor data collector set

Once the installation is finished, two new services are created:


4.3 ATA Gateway configuration
Now that the ATA Gateway has been installed, you should see it in the ATA Center:

Click on it and configure the following settings:

Description: friendly name of the gateway
FQDN: list of the domain controllers monitored by the gateway
Capture network adapter: the NIC receiving the mirrored traffic
Domain synchronizer candidate: a domain synchronizer candidate is used to synchronize
entities from your Active Directory domain. One candidate is chosen randomly from the list
of candidates to perform this synchronization (source)

Once the gateway configuration is done, you should see a status change:
5. Attacks and events management

5.1 Directory services enumeration

Directory service enumeration / SYSLOG event:


<36>1 2017-03-02T10:29:28.830659+00:00 MSATA ATA 1608 SamrReconnaissanceSuspiciousActi
...CEF:0|Microsoft|ATA|1.7.5757.57477|SamrReconnaissanceSuspiciousActivity|Reconnaissance
using directory services enumeration|5|start=2017-03-02T10:27:13.6075080Z app=Samr
shost=MSJUMP suser=Admin outcome=Success msg=The following directory services enumerations
using SAMR protocol were attempted against VM1-2K12 from MSJUMP:\r\nSuccessful
enumeration of all groups in demo.lan by Admin cs1Label=url
cs1=https://192.168.56.101/suspiciousActivity/58b6bf33f99ab30890632671

5.2 Reconnaissance using DNS


5.3 Pass the ticket attack

Pass the ticket / SYSLOG event:


<35>1 2017-03-02T10:28:16.593127+00:00 MSATA ATA 1608 PassTheTicketSuspiciousActivity
...CEF:0|Microsoft|ATA|1.7.5757.57477|PassTheTicketSuspiciousActivity|Identity theft using Pass-
the-Ticket attack|10|start=2017-03-01T12:30:20.5270000Z app=Kerberos shost=192.168.56.1
suser=Admin request=cifs/vm1-2k12.demo.lan msg=Admin's Kerberos tickets were stolen from
MSJUMP to 192.168.56.1 (192.168.56.1) and used to access cifs/vm1-2k12.demo.lan.
cs2Label=ticketSourceComputer cs2=MSJUMP cs3Label=ticketSourceComputerIpAddress cs3=
cs1Label=url cs1=https://192.168.56.101/suspiciousActivity/58b6bdd7f99ab30890632511
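The following added example (not part of the original guide) parses the CEF payload of the ATA SYSLOG notifications described in point 3.4.2 and shown in points 5.1 and 5.3, and ranks them by CEF severity so a SIEM or script can escalate the high ones first. The two sample events are shortened copies of the messages above, constructed for the example.

```powershell
# Added example (not from the original guide): parse ATA SYSLOG/CEF notifications
# such as the ones shown in points 5.1 and 5.3 and triage them by severity.
function ConvertFrom-AtaCef {
    param([Parameter(Mandatory, ValueFromPipeline)][string]$Line)
    process {
        # Drop the syslog header (<PRI>1 timestamp host app pid msgid) up to "CEF:"
        $cefStart = $Line.IndexOf('CEF:')
        if ($cefStart -lt 0) { return }
        $cef = $Line.Substring($cefStart)
        # CEF header: Version|Vendor|Product|DeviceVersion|SignatureID|Name|Severity|Extension
        # Pipes inside header fields are escaped as "\|", so split only on unescaped ones
        $parts = $cef -split '(?<!\\)\|', 8
        if ($parts.Count -lt 8) { return }
        # Extension values may contain spaces (msg=...), so cut only right before "key="
        $pairs = @{}
        foreach ($m in [regex]::Matches($parts[7], '(\w+)=(.*?)(?=\s+\w+=|$)')) {
            $pairs[$m.Groups[1].Value] = $m.Groups[2].Value
        }
        [pscustomobject]@{
            SignatureId = $parts[4]
            Name        = $parts[5]
            Severity    = [int]$parts[6]
            Start       = $pairs['start']
            User        = $pairs['suser']
            SourceHost  = $pairs['shost']
            Url         = $pairs['cs1']          # link to the alert in the ATA console
            Message     = $pairs['msg']
        }
    }
}

# Constructed samples, shortened from the 5.1 and 5.3 notifications shown above
$samples = @(
    '<36>1 2017-03-02T10:29:28.830659+00:00 MSATA ATA 1608 SamrReconnaissanceSuspiciousActivity CEF:0|Microsoft|ATA|1.7.5757.57477|SamrReconnaissanceSuspiciousActivity|Reconnaissance using directory services enumeration|5|start=2017-03-02T10:27:13.6075080Z app=Samr shost=MSJUMP suser=Admin outcome=Success msg=Successful enumeration of all groups in demo.lan by Admin cs1Label=url cs1=https://192.168.56.101/suspiciousActivity/58b6bf33f99ab30890632671',
    '<35>1 2017-03-02T10:28:16.593127+00:00 MSATA ATA 1608 PassTheTicketSuspiciousActivity CEF:0|Microsoft|ATA|1.7.5757.57477|PassTheTicketSuspiciousActivity|Identity theft using Pass-the-Ticket attack|10|start=2017-03-01T12:30:20.5270000Z app=Kerberos shost=192.168.56.1 suser=Admin request=cifs/vm1-2k12.demo.lan msg=Kerberos tickets of Admin were stolen from MSJUMP to 192.168.56.1 and used to access cifs/vm1-2k12.demo.lan. cs2Label=ticketSourceComputer cs2=MSJUMP cs3Label=ticketSourceComputerIpAddress cs3= cs1Label=url cs1=https://192.168.56.101/suspiciousActivity/58b6bdd7f99ab30890632511'
)

# CEF severity 8-10 is "high": the Pass-the-Ticket alert (10) is listed, the SAMR
# reconnaissance (5) is not. Lower the threshold to see medium alerts as well.
$samples | ConvertFrom-AtaCef |
    Where-Object Severity -ge 8 |
    Select-Object Severity, Name, User, SourceHost, Url
```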
6. Monitoring and troubleshooting
6.1 Mongo database

Mongo database:
Troubleshooting (source)
Management (source)

Note: according to Microsoft TechNet (link), "we are planning on supporting remote back-end
MongoDB".

6.2 Gateway performance counters

The ATA Gateway and ATA Center installation processes create several performance counters that you
can use to monitor their health for troubleshooting and/or monitoring purposes:
6.3 ATA Lightweight Gateway issue on VMware

Using the ATA Lightweight Gateway on VMware may, in some cases, cause dropped packets.
Therefore, Microsoft recommends setting the following options to Disabled on the VM NIC (source):
IPv4 Checksum Offload
Large Send Offload
Large Receive Offload (not found in NIC settings)
TCP Checksum Offload

You can also check the Offload/Chimney status of a specific interface with PowerShell:

Get-NetAdapterAdvancedProperty <Interface> | ft DisplayName, DisplayValue, RegistryKeyword, RegistryValue

To fully disable Offload (the first three commands use -NoRestart; the last one restarts the adapter and applies all changes at once):
Set-NetAdapterAdvancedProperty <interface> -DisplayName "IPv4 Checksum Offload" -DisplayValue "Disabled" -NoRestart
Set-NetAdapterAdvancedProperty <interface> -DisplayName "Large Send Offload V2 (IPv4)" -DisplayValue "Disabled" -NoRestart
Set-NetAdapterAdvancedProperty <interface> -DisplayName "TCP Checksum Offload (IPv4)" -DisplayValue "Disabled" -NoRestart
Set-NetAdapterAdvancedProperty <interface> -DisplayName "Large Receive Offload (IPv4)" -DisplayValue "Disabled"
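As an added example (not from the original guide), the following script applies the same settings in a loop and skips any property the NIC driver does not expose, which covers the "not found in NIC settings" case mentioned above for Large Receive Offload; the adapter name is an assumption.

```powershell
# Added example (not from the original guide): disable the offload settings listed
# above on a Lightweight Gateway VM NIC, skipping properties the driver does not
# expose, then restart the adapter once and verify. Adapter name is assumed.
$Adapter = 'Ethernet0'
$ToDisable = @(
    'IPv4 Checksum Offload',
    'Large Send Offload V2 (IPv4)',
    'TCP Checksum Offload (IPv4)',
    'Large Receive Offload (IPv4)'   # not present on every driver
)

$props = Get-NetAdapterAdvancedProperty -Name $Adapter
foreach ($name in $ToDisable) {
    $p = $props | Where-Object DisplayName -eq $name
    if (-not $p) {
        Write-Warning "$name is not exposed by the NIC driver, skipping"
        continue
    }
    if ($p.DisplayValue -eq 'Disabled') {
        Write-Host "$name already disabled"
        continue
    }
    # -NoRestart: apply all changes with a single adapter restart below
    Set-NetAdapterAdvancedProperty -Name $Adapter -DisplayName $name `
        -DisplayValue 'Disabled' -NoRestart
}

# One restart for all changes, then show the resulting state of the four settings
Restart-NetAdapter -Name $Adapter
Get-NetAdapterAdvancedProperty -Name $Adapter |
    Where-Object DisplayName -in $ToDisable |
    Format-Table DisplayName, DisplayValue -AutoSize
```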

6.4 Logs path

Logs are located in the following path:


ATA Center: C:\Program Files\Microsoft Advanced Threat Analytics\Center\Logs
ATA Gateway: C:\Program Files\Microsoft Advanced Threat Analytics\Gateway\Logs
Deployment logs: C:\Users\<Account>\AppData\Local\Temp

More information about logs can be found here and here.

6.5 Gateway issue

If the ATA Gateway has been installed on a DC in Core mode or on a server with traffic capture software,
the following notification may appear:
7. Security enforcements
The full list of security enforcements provided by Microsoft can be found here.

7.1 Telemetry

By default, some anonymized information is sent to Microsoft. You can disable this telemetry in
the About menu by unchecking the box (source):

7.2 ATA center web access

It is strongly recommended to apply the following network enforcements on the ATA Center:
Keep Windows firewall enabled
Use two network adapters in different subnets
Filter access to web console with port filtering and/or with a reverse proxy
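As an added example (not from the original guide), the following script enforces the first and third recommendations with the Windows firewall, limiting the existing inbound HTTPS rule of the web console to an admin subnet; the subnet is an assumption, and the rule is looked up by port because the guide does not name the rules the setup creates.

```powershell
# Added example (not from the original guide): keep the Windows firewall on and
# restrict the web console (TCP 443) to an admin subnet. The subnet is an assumption.
$AdminSubnet = '10.10.0.0/24'   # assumed subnet allowed to reach the web console

# Keep the firewall enabled on all profiles, with inbound traffic blocked by default
Set-NetFirewallProfile -Profile Domain, Private, Public -Enabled True -DefaultInboundAction Block

# Find the inbound allow rule(s) opened for TCP 443 (created by the ATA Center setup,
# see point 2.2) and narrow their remote address scope to the admin subnet.
# Do NOT add a Block rule for "everything else": in Windows Firewall a Block rule
# wins over an Allow rule, so it would also lock the administrators out.
$consoleRules = Get-NetFirewallPortFilter |
    Where-Object { $_.Protocol -eq 'TCP' -and $_.LocalPort -eq '443' } |
    Get-NetFirewallRule |
    Where-Object { $_.Direction -eq 'Inbound' -and $_.Action -eq 'Allow' }
if (-not $consoleRules) {
    throw 'No inbound allow rule for TCP 443 found; check the rules created by the ATA setup'
}
$consoleRules | Set-NetFirewallRule -RemoteAddress $AdminSubnet

# Verify: each console rule should now list only the admin subnet as remote address
$consoleRules | ForEach-Object {
    $addr = $_ | Get-NetFirewallAddressFilter
    [pscustomobject]@{
        Rule          = $_.DisplayName
        RemoteAddress = ($addr.RemoteAddress -join ',')
    }
} | Format-Table -AutoSize
```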

Feel free to send me your feedback or questions to the following address:


m.decrevoisier A-R-0-B-A-5 outlook . com

Thank you in advance.