Advanced Threat Analytics – Build in lab

Objective

In this post, I will be guiding you through a simple lab deployment of Advanced Threat Analytics (ATA). This blog is intended to assist those who are just starting out with ATA and want to get a look at the product and see it in action.

Overview

Advanced Threat Analytics (ATA) is an on-premises platform that helps protect your enterprise from multiple types of advanced targeted cyber-attacks and insider threats.

Microsoft has published detailed steps on architecture and capacity planning, design considerations and deployment. For more information on ATA in these areas and in general, please start from here.

Below is the architecture diagram from Microsoft’s ATA Architecture page. In this lab, we will be deploying the highlighted components, which would be the simplest implementation of ATA.

In summary, the main steps in this lab are:

  1. Meet prerequisites
  2. Install ATA Centre
  3. Install ATA Lightweight Gateway
  4. Confirm operational status

Prerequisites

For this lab, you will require the following. I am focusing on the core requirements to facilitate this guide in my lab and the server specifications I am using are to facilitate this exercise and wouldn’t be used in a production environment. There is a comprehensive list of ATA prerequisites here, which I would suggest you review.

  1. A logon to TechNet Evaluation Center (90 day trial), an MSDN subscription or Microsoft Volume Licensing Service Center to download the ATA software
  2. 1 x Windows 2012 R2 or Windows 2016 member server (Windows 2012 R2 in my lab), where ATA Centre will be installed:
    1. Server specs are covered in the above prerequisites, in my lab I installed this on Hyper-V VM with 1 processor and 2 GB RAM
    2. 1 x extra IP address for the ATA Console IP. For the lab, I just added this as an extra IP address on the existing adapter
    3. On Windows 2012 R2, confirm that update KB2919355 and KB2934520 have been installed
    4. There are port requirements, which in my lab environment I didn’t need to consider, you may in yours though
    5. For the lab, we will be using a self-signed certificate.
  3. 1 x Windows DC (Windows 2012 R2 in my lab), where the ATA Lightweight Gateway will be installed
    1. Server specs are covered in the above prerequisites, in my lab I installed this on Hyper-V VM/DC with 1 processor and 3 GB RAM
    2. On Windows 2012 R2, confirm that update KB2919355 has been installed
  4. An account with local administrator rights to both the servers for the installs.
  5. A normal user account with read access to all objects in the domain. This will be used by ATA to connect to directory services of your domain.
  6. Another normal user account that will be used to demonstrate ATA alerting (this is called the ‘honeytoken’ account)
  7. NOTE: Port mirroring on the DC does not need to be configured for this lab as we’ll be installing the ATA Lightweight Gateway
  8. Add the domain NETWORK SERVICE account to the domain BUILTIN\Event Log Readers group.

Install ATA Centre

Download the ATA software from here or one of the other locations as indicated above if you have a subscription (approx 0.7GB)

Log onto the server you’re installing ATA Centre on as a member of the Local Administrators group.

NOTE: The install will create a local group on the server named Microsoft Advanced Threat Analytics Administrators and add the account you run the install with to this group.

Run the setup file, Microsoft ATA Centre Setup.exe.

NOTE: If Microsoft .Net Framework is not installed, you will be prompted to install it when you start installation. You may be prompted to reboot afterwards.

Choose your language and click Next. Accept MS license Terms on next page and click Next again.

Select Use Microsoft Update when I check for updates (recommended). Click Next

Leave the defaults for Installation Path and Database Data Path.

Use the server’s primary IP address for the Centre Service IP Address and the secondary IP address for the Console IP Address.

Leave the Centre Service SSL Certificate option checked for Create self-signed certificate. Click Install

The setup will run and install ATA and the MongoDB backend database. Click Launch when the setup has finished.

The console will open. You will receive a warning related to the certificate, this is normal and you should click Continue to this website.

There should also be a shortcut to ATA on your Desktop

Log on with the credentials that you installed ATA under.

The first time the ATA console is opened. You are presented with the below screen to enter the account to connect to Directory Services.

Enter the account details for the account you created in step 5 of the prerequisites. For the Domain field, enter the FQDN of your domain.

Click Test connection to confirm the credentials work as shown below.

Click on Save when finished.

 

The welcome message in the console should now change to display the next step.

Click on Download Gateway setup and install first Gateway.

Click on Download Gateway Setup and save the file locally.

Once it has downloaded, copy it across to the DC (where we will install the ATA Lightweight Gateway) for the next step.

Install ATA Lightweight Gateway

On the DC, Extract the installation file that you copied across in the previous step. Installing directly from the zip file will fail.

Run the setup file, Microsoft ATA Gateway Setup.exe.

NOTE: If Microsoft .Net Framework is not installed, you will be prompted to install it when you start installation. You may be prompted to reboot afterwards.

NOTE: In my lab at this point I also received a prompt to stop Active Directory Web Services as shown below, which I did to proceed with the installation.

Choose your language and click Next. Accept MS license Terms on next page and click Next again.

The installation wizard will automatically check if the server is a DC or a dedicated server. If it is a DC, the ATA Lightweight Gateway will be installed as shown below.

NOTE: I received a warning in my lab that my DC didn’t meet hardware requirements, which I ignored.

Click Next.

 

Accept the default Installation Path, use a self-signed certificate, and enter the credentials for Gateway Registration. These credentials should be the credentials that you installed ATA Centre with.

Click Install.

When the installation completes click Finish.

Back in the ATA Centre console, browse to gateway configuration. You can navigate to this by clicking the 3 dots indicating the Menu in the top-right corner, selecting Configuration and then Gateways from the menu on the left.

You should see your lightweight gateway now in the list, but its status will be Not Configured. Click on the gateway to configure it.

Enter a Description for your gateway, ignore the Domain Controller field (you can’t modify anyway for a Lightweight Gateway), leave the default self-signed Certificate, in Capture network adapters check the box against the adapter, and leave the other settings as default and click Save.

Confirm that the Microsoft Advanced Threat Analytics Gateway service is started on the Domain Controller as shown below.

You should also see the gateway status updated to Running as shown below.

After a few minutes, go back into the ATA Console and open the notification pane at the top-right side of the screen. You should see a list of Entities Recently Learned in the notification bar on the right side of the console, which indicates the ATA Lightweight Gateway is communicating with ATA Centre.

You can also confirm that there is activity on the gateway by checking in Performance Monitor. In the Performance tree, click on Performance Monitor and then click the plus icon to Add a Counter. Expand Microsoft ATA Gateway and scroll down to Network Listener PEF Captured Messages/Sec and add it. Then, make sure you see activity on the graph.

Finally, in the ATA Console > Configuration, click on Events in the left-hand menu. Confirm that Windows Event Forwarding is enabled.

Configure Windows Event Forwarding on the Domain Controller

In addition to collecting and analysing network traffic to and from the domain controllers, ATA can use Windows event 4776 to further enhance ATA Pass-the-Hash detection.

NOTE: This step isn’t required for this lab, so if you don’t want to perform this step in your lab you don’t have to. I included it because; I intend to follow up this blog post with another demonstrating attack simulation; you would typically configure this; and you may want to do your own simulations! If you want to skip this step you can go to the next step, Configure Honeytoken User.

NOTE: Make sure that you have added the NETWORK SERVICE account to the domain Event Log Readers Group as specified in the Prerequisites.

Perform the below steps on the DC.

Open an elevated Powershell prompt and run 2 commands, winrm quickconfig and wecutil qc. I’ve already enabled remote management on my DC in lab as can be seen below, so the output for you will be different.

Open Event Viewer. Right-click Subscriptions and select Create Subscription.

In the new Subscription Properties, enter a Name and for Destination log select Forwarded Events from the drop-down list.

Select Collector initiated under Subscription type and source computers and then click on the Select Computers button.

In the Computers dialog box, click on Add Domain Computers and to the DC the ATA Lightweight Gateway is installed on. Select the DC and click OK. Then click OK again.

Back in the Subscription Properties, click the Select Events button. Under the Query Filter dialog, in the By Log field, select Security from the drop-down list.

In the Includes/Excludes Event ID field, type 4776. Click OK. Click OK again on the Subscription Properties dialog.

Right click the created subscription and select Runtime Status to see if there are any issues with the status.

NOTE: You may need to reboot the DC before the settings take effect.

Configure Honeytoken User

Create a User in Active Directory that can be used for the Honeytoken user in ATA. For more information on what a Honeytoken user is for, please refer to the references section at the end of this blog.

Once you have created the user, copy the user’s SID to Notepad. There are many ways to get a user’s SID. I used powershell on the Domain Controller as shown below to run Get-AdUser <samaccountname>.

In the ATA console under Configuration, browse to Detection > Settings, enter the account SID and click Save.

Demonstrate ATA Alerting

To see ATA in action and to further prove functionality, below are 2 examples.

To demonstrate a Reconnaissance using DNS alert, follow the below instructions.

From a machine joined to the domain (that is not a DNS server), open a command prompt.

Type Nslookup and press Enter.

Type ls yourdomain.local and press Enter (yourdomain.local is the internal FQDN of your AD domain).

You will receive a response similar to what is shown below.

In the ATA Console, click on the Timeline icon, .

Under the timeline in the ATA console you should see a warning regarding suspicious DNS activity as shown below.

To demonstrate a Honeytoken activity alert, log into a workstation joined to the domain with the Honeytoken user credentials.

Under the timeline in the ATA console you should see an alert similar to what is shown below.

NOTE: The Advanced Threat Analytics (ATA) team has written a playbook to simulate attacks and see how ATA detects them. This playbook can be downloaded at Download the ATA Attack Simulation Playbook.

So, that’s it! Congratulations on deploying ATA. I intend to do a follow up blog soon on using the above-mentioned playbook to simulate attacks. And perhaps another blog on using the ATA Sizing tool, but for now, chow!

References

ATA Architecture

ATA Capacity Planning

Advanced Threat Analytics (ATA) Sizing tool (v3.1.0)

Working with ATA Detection Settings (Honeytoken Account)

 

 

Andrew Matthews
Andrew Matthews
SENIOR CLOUD CONSULTANT AT CUBESYS Andrew has 13+ years’ experience in senior operational and support roles, solution architecture, design, professional services and project management. Andrew specialises in Office 365 and Azure AD, EM+S, Exchange and Lync/Skype for Business.

Get in touch

Your Name (required)

Your Email (required)

Subject

Your Message

Get in touch

Your Name (required)

Your Email (required)

Subject

Your Message

Get in touch

Your Name (required)

Your Email (required)

Subject

Your Message

Get in touch

Your Name (required)

Your Email (required)

Subject

Your Message

Get in touch

Your Name (required)

Your Email (required)

Subject

Your Message

Get in touch

Your Name (required)

Your Email (required)

Subject

Your Message

Get in touch

Your Name (required)

Your Email (required)

Subject

Your Message

Get in touch

Your Name (required)

Your Email (required)

Subject

Your Message

Get in touch

Your Name (required)

Your Email (required)

Subject

Your Message

Get in touch

Your Name (required)

Your Email (required)

Subject

Your Message

Get in touch

Your Name (required)

Your Email (required)

Subject

Your Message