
Ata Manual Guide

1 Jan 2000, admin


Advanced Threat Analytics suspicious activity guide

Applies to: Advanced Threat Analytics version 1.9

Following proper investigation, any suspicious activity can be classified as:

- True positive: A malicious action detected by ATA.
- Benign true positive: An action detected by ATA that is real but not malicious, such as a penetration test.
- False positive: A false alarm, meaning the activity didn't happen.

For more information on how to work with ATA alerts, see. For questions or feedback, contact the ATA team at.

Abnormal modification of sensitive groups

Description
Attackers add users to highly privileged groups to gain access to more resources and to gain persistence. Detection relies on profiling user group modification activity and alerting when an abnormal addition to a sensitive group is seen. ATA profiles this activity continuously; the minimum period before an alert can be triggered is one month per domain controller.

For a definition of sensitive groups in ATA, see. The detection relies on. To make sure your domain controllers audit the needed events, use the tool referenced in.

Investigation
1. Is the group modification legitimate? Legitimate group modifications that rarely occur, and were not learned as "normal", might cause an alert, which would be considered a benign true positive.
2. If the added object was a user account, check which actions the user account took after being added to the admin group. Go to the user's page in ATA to get more context. Were there any other suspicious activities associated with the account before or after the addition took place?
3. Download the Sensitive group modification report to see what other modifications were made, and by whom, during the same time period.

Remediation
Minimize the number of users who are authorized to modify sensitive groups. Set up if applicable.

Broken trust between computers and domain

Note: The Broken trust between computers and domain alert was deprecated and only appears in ATA versions prior to 1.9.

Description
Broken trust means that Active Directory security requirements may not be in effect for these computers.

This is considered a baseline security and compliance failure and a soft target for attackers. In this detection, an alert is triggered if more than five Kerberos authentication failures are seen from a computer account within 24 hours.

Investigation
Is the computer being investigated allowing domain users to log on? If yes, you may ignore this computer in the remediation steps.

Remediation
Rejoin the machine to the domain if necessary, or reset the machine's password.

Brute force attack using LDAP simple bind

Description
Note: The main difference between Suspicious authentication failures and this detection is that in this detection ATA can determine whether different passwords were in use.

In a brute-force attack, an attacker attempts to authenticate with many different passwords for different accounts until a correct password is found for at least one account. Once found, an attacker can log in using that account. In this detection, an alert is triggered when ATA detects a massive number of simple bind authentications. This can be either horizontal, with a small set of passwords across many users; or vertical, with a large set of passwords on just a few users; or any combination of these two options.

Investigation
1. If there are many accounts involved, click Download details to view the list in an Excel spreadsheet.
2. Click on the alert to go to its dedicated page. Check if any login attempts ended with a successful authentication. The attempts would appear as Guessed accounts on the right side of the infographic. If yes, are any of the Guessed accounts normally used from the source computer? If yes, Suppress the suspicious activity.
3. If there are no Guessed accounts, are any of the Attacked accounts normally used from the source computer? If yes, Suppress the suspicious activity.

Remediation
provide the necessary first level of security against brute-force attacks.

Encryption downgrade activity

Description
Encryption downgrade is a method of weakening Kerberos by downgrading the encryption level of different fields of the protocol that are normally encrypted using the highest level of encryption.

A weakened encrypted field can be an easier target for offline brute-force attempts. Various attack methods utilize weak Kerberos encryption ciphers. In this detection, ATA learns the Kerberos encryption types used by computers and users, and alerts you when a weaker cipher is used that: (1) is unusual for the source computer and/or user; and (2) matches known attack techniques. There are three detection types:

- Skeleton Key is malware that runs on domain controllers and allows authentication to the domain with any account without knowing its password. This malware often uses weaker encryption algorithms to hash the user's passwords on the domain controller. In this detection, the encryption method of the KRB_ERR message from the domain controller to the account asking for a ticket was downgraded compared to the previously learned behavior.
- Golden Ticket: In a Golden Ticket alert, the encryption method of the TGT field of the TGS_REQ (service request) message from the source computer was downgraded compared to the previously learned behavior. This is not based on a time anomaly (as in the other Golden Ticket detection). In addition, there was no Kerberos authentication request associated with the previous service request detected by ATA.
- Overpass-the-Hash: An attacker can use a weak stolen hash to create a strong ticket, with a Kerberos AS request. In this detection, the AS_REQ message encryption type from the source computer was downgraded compared to the previously learned behavior (that is, the computer was using AES).

Investigation
First check the description of the alert to see which of the above three detection types you're dealing with. For further information, download the Excel spreadsheet.

Skeleton Key: You can check if Skeleton Key has affected your domain controllers by using the. If the scanner finds malware on one or more of your domain controllers, it is a true positive.

Golden Ticket: In the Excel spreadsheet, go to the Network activity tab. You will see that the relevant downgraded field is Request Ticket Encryption Type, and Source Computer Supported Encryption Types lists stronger encryption methods.
a. Check the source computer and account, or, if there are multiple source computers and accounts, check whether they have something in common (for example, all the marketing personnel use a specific app that might be causing the alert to be triggered). There are cases in which a custom application that is rarely used authenticates using a lower encryption cipher. Check if there are any such custom apps on the source computer. If so, it is probably a benign true positive and you can Suppress it.
b. Check the resource accessed by those tickets; if there is one resource they are all accessing, validate it and make sure it is a valid resource they are supposed to access. In addition, verify that the target resource supports strong encryption methods. You can check this in Active Directory by checking the msDS-SupportedEncryptionTypes attribute of the resource service account.
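The encryption downgrade detection and the msDS-SupportedEncryptionTypes check above, as an added example in Python that is not ATA's code. It learns the encryption types each source computer has used per message kind, flags a new observation whose type is weaker than anything learned for that source, and decodes the msDS-SupportedEncryptionTypes bit flags of a target service account. The etype numbers and attribute bits are the standard Kerberos and Active Directory values; the host names, history and the field name used for the Skeleton Key case are constructed.

```python
"""Kerberos encryption-type downgrade check and msDS-SupportedEncryptionTypes decoding.

Added example, not ATA's own code. Learns which etypes each source computer
normally uses for each Kerberos message, then flags an observation whose etype
is weaker than anything previously learned for that source and message.
"""
from collections import defaultdict

# Kerberos etype numbers (RFC 3961 / RFC 3962 / RFC 4757), ranked weakest to strongest.
ETYPE_NAMES = {
    1: "des-cbc-crc",
    3: "des-cbc-md5",
    23: "rc4-hmac",
    17: "aes128-cts-hmac-sha1-96",
    18: "aes256-cts-hmac-sha1-96",
}
ETYPE_STRENGTH = {1: 0, 3: 0, 23: 1, 17: 2, 18: 3}

# Bit flags of the msDS-SupportedEncryptionTypes attribute in Active Directory.
MSDS_SUPPORTED_ETYPES = {
    0x01: "DES_CBC_CRC",
    0x02: "DES_CBC_MD5",
    0x04: "RC4_HMAC_MD5",
    0x08: "AES128_CTS_HMAC_SHA1_96",
    0x10: "AES256_CTS_HMAC_SHA1_96",
}
STRONG_FLAGS = 0x08 | 0x10

# Field each detection type looks at (the first two names are the spreadsheet
# columns the guide mentions; the KRB_ERR name is constructed for this example).
DOWNGRADED_FIELD = {
    "AS_REQ": "Encrypted Timestamp Encryption Type",   # Overpass-the-Hash
    "TGS_REQ": "Request Ticket Encryption Type",       # Golden Ticket
    "KRB_ERR": "KRB_ERR message encryption type",      # Skeleton Key
}


def decode_supported_etypes(value):
    """Names of the etypes enabled in an msDS-SupportedEncryptionTypes value."""
    return [name for bit, name in MSDS_SUPPORTED_ETYPES.items() if value & bit]


def supports_strong_encryption(value):
    """True when the account advertises at least one AES etype."""
    return bool(value & STRONG_FLAGS)


def learn_baseline(observations):
    """Build {(source, message): set of etypes} from historic observations."""
    baseline = defaultdict(set)
    for obs in observations:
        baseline[(obs["source"], obs["message"])].add(obs["etype"])
    return baseline


def check_downgrade(baseline, obs):
    """Return an alert dict if obs uses a weaker etype than ever learned for its
    (source, message) pair, otherwise None. A source with no learned history
    cannot be judged yet (learning period not over) and also yields None."""
    learned = baseline.get((obs["source"], obs["message"]))
    if not learned:
        return None
    weakest_learned = min(ETYPE_STRENGTH[e] for e in learned)
    if ETYPE_STRENGTH[obs["etype"]] < weakest_learned:
        return {
            "source": obs["source"],
            "field": DOWNGRADED_FIELD[obs["message"]],
            "observed": ETYPE_NAMES[obs["etype"]],
            "learned": sorted(ETYPE_NAMES[e] for e in learned),
        }
    return None


# Constructed history: both workstations have only ever used AES.
HISTORY = [
    {"source": "WS-MKT-01", "message": "AS_REQ", "etype": 18},
    {"source": "WS-MKT-01", "message": "TGS_REQ", "etype": 18},
    {"source": "WS-FIN-07", "message": "AS_REQ", "etype": 17},
    {"source": "WS-FIN-07", "message": "TGS_REQ", "etype": 18},
]

if __name__ == "__main__":
    base = learn_baseline(HISTORY)
    # Constructed new observation: RC4 in the AS-REQ timestamp from a host that used AES.
    print(check_downgrade(base, {"source": "WS-MKT-01", "message": "AS_REQ", "etype": 23}))
    # Constructed attribute value of a target service account: RC4 + AES128 + AES256.
    print(decode_supported_etypes(0x1C), supports_strong_encryption(0x1C))
```

A service account whose msDS-SupportedEncryptionTypes decodes to RC4 only is the "target does not support strong encryption" case from step b: a weaker ticket for it is expected, which changes the verdict from a downgrade attack to a configuration finding.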

Overpass-the-Hash: In the Excel spreadsheet, go to the Network activity tab. You will see that the relevant downgraded field is Encrypted Timestamp Encryption Type, and Source Computer Supported Encryption Types contains stronger encryption methods.
a. There are cases in which this alert might be triggered when users log in using smartcards, if the smartcard configuration was changed recently. Check if there were changes like this for the account(s) involved. If so, this is probably a benign true positive and you can Suppress it.
b. Check the resource accessed by those tickets; if there is one resource they are all accessing, validate it and make sure it is a valid resource they are supposed to access. In addition, verify that the target resource supports strong encryption methods. You can check this in Active Directory by checking the msDS-SupportedEncryptionTypes attribute of the resource service account.

Remediation
- Skeleton Key: Remove the malware. For more information, see.
- Golden Ticket: Follow the instructions of the Golden Ticket suspicious activities. Also, because creating a Golden Ticket requires domain admin rights, implement.
- Overpass-the-Hash: If the involved account is not sensitive, reset the password of that account. This prevents the attacker from creating new Kerberos tickets from the password hash, although existing tickets can still be used until they expire.

If it's a sensitive account, consider resetting the KRBTGT account twice, as in the Golden Ticket suspicious activity. Resetting the KRBTGT twice invalidates all Kerberos tickets in this domain, so plan before doing so. See the guidance in. Also see using the. Since this is a lateral movement technique, follow the best practices of.

Honeytoken activity

Description
Honeytoken accounts are decoy accounts set up to identify and track malicious activity that involves these accounts. Honeytoken accounts should be left unused, while having an attractive name to lure attackers (for example, SQL-Admin). Any activity from them might indicate malicious behavior. For more information on honeytoken accounts, see.

Investigation
1. Check whether the owner of the source computer used the Honeytoken account to authenticate, using the method described in the suspicious activity page (for example, Kerberos, LDAP, NTLM).
2. Browse to the source computer(s) profile page(s) and check which other accounts authenticated from them. Check with the owners of those accounts whether they used the Honeytoken account.
3. This could be a non-interactive login, so make sure to check for applications or scripts that are running on the source computer.
4. If after performing steps 1 through 3 there is no evidence of benign use, assume this is malicious.

Remediation
Make sure Honeytoken accounts are used only for their intended purpose; otherwise they might generate many alerts.

Identity theft using Pass-the-Hash attack

Description
Pass-the-Hash is a lateral movement technique in which attackers steal a user's NTLM hash from one computer and use it to gain access to another computer.

Investigation
Was the hash used from a computer owned or used regularly by the targeted user? If yes, the alert is a false positive; if not, it is probably a true positive.

Remediation
1. If the involved account is not sensitive, reset the password of that account. Resetting the password prevents the attacker from creating new Kerberos tickets from the password hash. Existing tickets are still usable until they expire.
2. If the involved account is sensitive, consider resetting the KRBTGT account twice, as in the Golden Ticket suspicious activity. Resetting the KRBTGT twice invalidates all domain Kerberos tickets, so plan around the impact before doing so. See the guidance in; also refer to using the.
3. As this is typically a lateral movement technique, follow the best practices of.

Identity theft using Pass-the-Ticket attack

Description
Pass-the-Ticket is a lateral movement technique in which attackers steal a Kerberos ticket from one computer and use it to gain access to another computer by reusing the stolen ticket. In this detection, a Kerberos ticket is seen used on two (or more) different computers.

Investigation
1. Click the Download details button to view the full list of IP addresses involved. Is the IP address of one or both computers part of a subnet allocated from an undersized DHCP pool, for example, VPN or WiFi? Is the IP address shared, for example by a NAT device? If the answer to any of these questions is yes, the alert is a false positive.
2. Is there a custom application that forwards tickets on behalf of users? If so, it is a benign true positive.

Remediation
1. If the involved account is not sensitive, reset the password of that account. A password reset prevents the attacker from creating new Kerberos tickets from the password hash. Any existing tickets remain usable until they expire.
2. If it's a sensitive account, consider resetting the KRBTGT account twice, as in the Golden Ticket suspicious activity. Resetting the KRBTGT twice invalidates all Kerberos tickets in this domain, so plan before doing so. See the guidance in; also see using the.
3. Since this is a lateral movement technique, follow the best practices in.

Kerberos Golden Ticket activity

Description
Attackers with domain admin rights can compromise your. Attackers can use the KRBTGT account to create a Kerberos ticket granting ticket (TGT) providing authorization to any resource. The ticket expiration can be set to any arbitrary time. This fake TGT is called a "Golden Ticket" and allows attackers to achieve and maintain persistence in your network. In this detection, an alert is triggered when a Kerberos ticket granting ticket (TGT) is used for more than the allowed time permitted as specified in the security policy.

Investigation
1. Was there any recent (within the last few hours) change made to the Maximum lifetime for user ticket setting in group policy? If yes, Close the alert (it was a false positive).
2. Is the ATA Gateway involved in this alert a virtual machine? If yes, did it recently resume from a saved state? If yes, Close this alert.
3. If the answer to the above questions is no, assume this is malicious.

Remediation
Change the Kerberos Ticket Granting Ticket (KRBTGT) password twice according to the guidance in, using the. Resetting the KRBTGT twice invalidates all Kerberos tickets in this domain, so plan before doing so. Also, because creating a Golden Ticket requires domain admin rights, implement.
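The Pass-the-Ticket and Golden Ticket detections above, together with their false-positive rules, as one added Python example that is not ATA's code. Pass-the-Ticket is modelled as the same ticket seen from two or more source addresses, with an allowlist of shared subnets (VPN/WiFi pools, NAT) that turns the alert into a false positive; Golden Ticket as a TGT still in use beyond the policy's maximum ticket lifetime, with a recent policy change closing the alert. Ticket identifiers, accounts, addresses and timestamps are constructed; the 10-hour default is the Windows default for Maximum lifetime for user ticket.

```python
"""Pass-the-Ticket and Golden Ticket checks over constructed ticket sightings.

Added example, not ATA's own code. Models two detections from the guide:
 - Pass-the-Ticket: one Kerberos ticket presented from two or more addresses;
   addresses that all lie in shared subnets make it a false positive.
 - Golden Ticket: a TGT used past the group-policy maximum lifetime (Windows
   default 10 hours); uses after a recent policy change are closed.
"""
from collections import defaultdict
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network


def ticket_reuse_alerts(sightings, shared_subnets=()):
    """Group sightings by ticket id and report tickets used from more than one
    address. verdict is 'false positive' when every address is in a shared
    subnet, otherwise 'investigate'."""
    nets = [ip_network(s) for s in shared_subnets]
    by_ticket = defaultdict(set)
    account = {}
    for s in sightings:
        by_ticket[s["ticket_id"]].add(s["source_ip"])
        account[s["ticket_id"]] = s["account"]
    alerts = []
    for tid in sorted(by_ticket):
        ips = by_ticket[tid]
        if len(ips) < 2:
            continue
        all_shared = all(any(ip_address(ip) in n for n in nets) for ip in ips)
        alerts.append({"ticket_id": tid, "account": account[tid],
                       "sources": sorted(ips),
                       "verdict": "false positive" if all_shared else "investigate"})
    return alerts


def golden_ticket_alerts(sightings, max_lifetime=timedelta(hours=10), policy_changed_at=None):
    """Report TGTs seen later than issued_at + max_lifetime. A use seen after a
    recent lifetime-policy change is marked 'false positive'."""
    alerts = []
    for s in sightings:
        if s["kind"] != "TGT":
            continue
        age = s["seen_at"] - s["issued_at"]
        if age <= max_lifetime:
            continue
        recent_change = policy_changed_at is not None and s["seen_at"] >= policy_changed_at
        alerts.append({"ticket_id": s["ticket_id"], "account": s["account"],
                       "age_hours": round(age.total_seconds() / 3600, 1),
                       "verdict": "false positive" if recent_change else "investigate"})
    return alerts


T0 = datetime(2024, 1, 1, 8, 0)   # constructed reference time


def _sighting(ticket_id, account, kind, source_ip, seen_after, issued_at=T0):
    return {"ticket_id": ticket_id, "account": account, "kind": kind,
            "source_ip": source_ip, "issued_at": issued_at, "seen_at": issued_at + seen_after}


# Constructed sightings.
SIGHTINGS = [
    # Ordinary use: one service ticket, one workstation.
    _sighting("tkt-a1", "alice", "TGS", "10.1.1.20", timedelta(minutes=5)),
    # The same service ticket presented from two workstations: Pass-the-Ticket.
    _sighting("tkt-b2", "bob", "TGS", "10.1.1.31", timedelta(minutes=2)),
    _sighting("tkt-b2", "bob", "TGS", "10.1.1.77", timedelta(minutes=9)),
    # Same ticket from two addresses of the VPN pool: a reassigned lease, false positive.
    _sighting("tkt-c3", "carol", "TGS", "10.99.0.10", timedelta(minutes=1)),
    _sighting("tkt-c3", "carol", "TGS", "10.99.0.11", timedelta(minutes=30)),
    # A TGT still in use three days after issue against a 10-hour policy: Golden Ticket.
    _sighting("tgt-d4", "dave", "TGT", "10.1.1.50", timedelta(days=3)),
]

if __name__ == "__main__":
    for a in ticket_reuse_alerts(SIGHTINGS, shared_subnets=["10.99.0.0/16"]):
        print("pass-the-ticket:", a)
    for a in golden_ticket_alerts(SIGHTINGS):
        print("golden ticket:", a)
```

The shared-subnet allowlist is the operational counterpart of investigation step 1 for Pass-the-Ticket: a VPN or WiFi pool that hands out leases quickly makes one user look like two machines, so those ranges are the first thing to check before treating a reused ticket as theft.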

Malicious data protection private information request

Description
The Data Protection API (DPAPI) is used by Windows to securely protect passwords saved by browsers, encrypted files, and other sensitive data. Domain controllers hold a backup master key that can be used to decrypt all secrets encrypted with DPAPI on domain-joined Windows machines. Attackers can use that master key to decrypt any secrets protected by DPAPI on all domain-joined machines. In this detection, an alert is triggered when the DPAPI is used to retrieve the backup master key.

Investigation
1. Is the source computer running an organization-approved advanced security scanner against Active Directory?
2. If yes and it should always be doing so, Close and exclude the suspicious activity.
3. If yes and it should not do this, Close the suspicious activity.

Remediation
To use DPAPI, an attacker needs domain admin rights.

Malicious replication of Directory Services

Description
Active Directory replication is the process by which changes that are made on one domain controller are synchronized with all other domain controllers. Given the necessary permissions, attackers can initiate a replication request, allowing them to retrieve the data stored in Active Directory, including password hashes. In this detection, an alert is triggered when a replication request is initiated from a computer that is not a domain controller.

Investigation
1. Is the computer in question a domain controller? For example, a newly promoted domain controller that had replication issues. If yes, Close the suspicious activity.
2. Is the computer in question supposed to be replicating data from Active Directory? For example, Azure AD Connect. If yes, Close and exclude the suspicious activity.
3. Click on the source computer or account to go to its profile page. Check what happened around the time of the replication, searching for unusual activities, such as who was logged in and which resources were accessed.

Remediation
Validate the following permissions:
- Replicate directory changes
- Replicate directory changes all
For more information, see. You can leverage or create a Windows PowerShell script to determine who in the domain has these permissions.

Massive object deletion

Description
In some scenarios, attackers perform denial of service (DoS) attacks rather than only stealing information. Deleting a large number of accounts is one method of attempting a DoS attack. In this detection, an alert is triggered any time more than 5% of all accounts are deleted. The detection requires read access to the deleted object container. For information about configuring read-only permissions on the deleted object container, see Changing permissions on a deleted object container in.

Investigation
Review the list of deleted accounts and determine whether there is a pattern or a business reason that justifies a large-scale deletion.

Remediation
Remove permissions for users who can delete accounts in Active Directory. For more information, see.

Privilege escalation using forged authorization data

Description
Known vulnerabilities in older versions of Windows Server allow attackers to manipulate the Privileged Attribute Certificate (PAC). The PAC is a field in the Kerberos ticket that holds user authorization data (in Active Directory, group membership); manipulating it grants attackers additional privileges.

Investigation
1. Click on the alert to access the details page.
2. Is the destination computer (under the ACCESSED column) patched with MS14-068 (domain controller) or MS11-013 (server)? If yes, Close the suspicious activity (it is a false positive).
3. If the destination computer is not patched, does the source computer (under the FROM column) run an OS/application known to modify the PAC? If yes, Suppress the suspicious activity (it is a benign true positive).
4. If the answer to the two previous questions was no, assume this activity is malicious.

Remediation
Make sure all domain controllers with operating systems up to Windows Server 2012 R2 are installed with and all member servers and domain controllers up to 2012 R2 are up-to-date with KB2496930. For more information, see.
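The investigation and remediation steps of "Malicious replication of Directory Services" above, as an added Python example that is not ATA's code. The first function applies the triage rules (domain controller: close; approved replication host such as Azure AD Connect: close and exclude; anything else: investigate); the second does what the remediation section suggests scripting, listing which trustees hold the two replication extended rights from a list of ACEs of the kind a PowerShell ACL query returns. The extended-right GUIDs are the schema-defined ones; host names, trustees and the ACL entries are constructed.

```python
"""Replication-request triage and replication-rights audit.

Added example, not ATA's own code. Applies the investigation steps for
replication alerts and audits who holds the Replicate directory changes /
Replicate directory changes all extended rights.
"""

# Schema GUIDs of the two extended rights.
DS_REPLICATION_GET_CHANGES = "1131f6aa-9c07-11d1-f79f-00c04fc2dcd2"      # Replicate directory changes
DS_REPLICATION_GET_CHANGES_ALL = "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2"  # Replicate directory changes all
RIGHT_NAMES = {
    DS_REPLICATION_GET_CHANGES: "Replicate directory changes",
    DS_REPLICATION_GET_CHANGES_ALL: "Replicate directory changes all",
}


def triage_replication_requests(requests, domain_controllers, approved_replicators):
    """Return one {source, account, action} per request with the action the
    investigation steps prescribe. Host-name comparison is case-insensitive."""
    dcs = {h.upper() for h in domain_controllers}
    approved = {h.upper() for h in approved_replicators}
    results = []
    for req in requests:
        src = req["source"].upper()
        if src in dcs:
            action = "close"
        elif src in approved:
            action = "close and exclude"
        else:
            action = "investigate"
        results.append({"source": req["source"], "account": req["account"], "action": action})
    return results


def replication_rights_holders(aces):
    """Return {trustee: [right names]} for Allow ACEs granting either replication
    right. Deny ACEs and ACEs for other object types are ignored. Trustees that
    hold both rights come first, since both together allow the full replication
    the description warns about."""
    holders = {}
    for ace in aces:
        if ace["type"] != "Allow" or ace["object_type"] not in RIGHT_NAMES:
            continue
        holders.setdefault(ace["trustee"], set()).add(RIGHT_NAMES[ace["object_type"]])
    ordered = sorted(holders.items(), key=lambda kv: (-len(kv[1]), kv[0]))
    return {trustee: sorted(rights) for trustee, rights in ordered}


# Constructed inventory and alert data.
DOMAIN_CONTROLLERS = ["DC01", "DC02"]
APPROVED_REPLICATORS = ["AADCONNECT01"]
REQUESTS = [
    {"source": "DC02", "account": "DC02$"},
    {"source": "aadconnect01", "account": "MSOL_a1b2c3"},
    {"source": "WS-HR-12", "account": "jdoe"},
]
UNRELATED_OBJECT_TYPE = "11111111-2222-3333-4444-555555555555"  # constructed placeholder GUID
ACES = [
    {"trustee": "CONTOSO\\Domain Controllers", "type": "Allow", "object_type": DS_REPLICATION_GET_CHANGES},
    {"trustee": "CONTOSO\\Domain Controllers", "type": "Allow", "object_type": DS_REPLICATION_GET_CHANGES_ALL},
    {"trustee": "CONTOSO\\MSOL_a1b2c3", "type": "Allow", "object_type": DS_REPLICATION_GET_CHANGES},
    {"trustee": "CONTOSO\\MSOL_a1b2c3", "type": "Allow", "object_type": DS_REPLICATION_GET_CHANGES_ALL},
    {"trustee": "CONTOSO\\svc-backup", "type": "Allow", "object_type": DS_REPLICATION_GET_CHANGES},
    {"trustee": "CONTOSO\\jdoe", "type": "Deny", "object_type": DS_REPLICATION_GET_CHANGES_ALL},
    {"trustee": "CONTOSO\\helpdesk", "type": "Allow", "object_type": UNRELATED_OBJECT_TYPE},
]

if __name__ == "__main__":
    for r in triage_replication_requests(REQUESTS, DOMAIN_CONTROLLERS, APPROVED_REPLICATORS):
        print(r)
    for trustee, rights in replication_rights_holders(ACES).items():
        print(trustee, rights)
```

Every trustee the audit lists beyond the domain controllers themselves and the known synchronization account should be explained by a documented business need; an unexplained entry is the permission the remediation step says to remove.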

Reconnaissance using account enumeration

Description
In account enumeration reconnaissance, an attacker uses a dictionary with thousands of user names, or tools such as KrbGuess, to attempt to guess user names in your domain. The attacker makes Kerberos requests using these names to try to find a valid username in your domain. If a guess successfully determines a username, the attacker gets the Kerberos error Preauthentication required instead of Security principal unknown. In this detection, ATA can detect where the attack came from, the total number of guess attempts, and how many were matched.

Note: This suspicious activity was deprecated and only appears in ATA versions prior to 1.9. For ATA 1.9 and later, see.

Description
Some services send account credentials in plain text. This can even happen for sensitive accounts. Attackers monitoring network traffic can catch and then reuse these credentials for malicious purposes. Any clear text password for a sensitive account triggers the alert, while for non-sensitive accounts the alert is triggered if five or more different accounts send clear text passwords from the same source computer.

Investigation
Click on the alert to get to its details page. See which accounts were exposed. If there are many such accounts, click Download details to view the list in an Excel spreadsheet. Usually there's a script or legacy application on the source computers that uses LDAP simple bind.

Remediation
Verify the configuration on the source computers and make sure not to use LDAP simple bind. Instead of LDAP simple binds you can use LDAP SASL or LDAPS.

Suspicious authentication failures

Description
In a brute-force attack, an attacker attempts to authenticate with many different passwords for different accounts until a correct password is found for at least one account. Once found, an attacker can log in using that account. In this detection, an alert is triggered when many authentication failures using Kerberos or NTLM occurred. This can be either horizontal, with a small set of passwords across many users; or vertical, with a large set of passwords on just a few users; or any combination of these two options. The minimum period before an alert can be triggered is one week.

Investigation
1. Click Download details to view the full information in an Excel spreadsheet. You can get the following information:
   - List of the attacked accounts.
   - List of guessed accounts, in which login attempts ended with successful authentication.
   - If the authentication attempts were performed using NTLM, you will see relevant event activities.
   - If the authentication attempts were performed using Kerberos, you will see relevant network activities.
2. Click on the source computer to go to its profile page. Check what happened around the time of these attempts, searching for unusual activities, such as who was logged in and which resources were accessed.
3. If the authentication was performed using NTLM, the alert occurs many times, and there is not enough information available about the server that the source machine tried to access, enable NTLM auditing on the involved domain controllers. To do this, turn on event 8004. This is the NTLM authentication event that includes information about the source computer, user account, and server that the source machine tried to access. After you know which server sent the authentication validation, investigate the server by checking its events, such as 4624, to better understand the authentication process.

Remediation
provide the necessary first level of security against brute-force attacks.

Suspicious service creation

Description
Attackers attempt to run suspicious services on your network. ATA raises an alert when a new service that seems suspicious has been created on a domain controller.
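The two brute-force sections above ("Brute force attack using LDAP simple bind" and "Suspicious authentication failures") and the account-enumeration section, as one added Python example that is not ATA's code. Over a constructed, time-ordered list of Kerberos AS-REQ outcomes it produces what those alerts report: the source, the attacked accounts, the guessed accounts (a success after earlier failures from the same source), whether the pattern is horizontal or vertical, and for enumeration the number of name guesses and how many names turned out to exist. The KDC result codes are the ones Windows records in event 4768; the hosts, accounts, thresholds and records are constructed.

```python
"""Brute-force and account-enumeration summaries over constructed Kerberos records.

Added example, not ATA's own code. Result codes are the KDC codes written to
Windows event 4768: 0x0 success, 0x6 principal unknown, 0x18 pre-authentication
failed (wrong password), 0x19 pre-authentication required (the name exists).
"""
from collections import defaultdict

KDC_SUCCESS = 0x0
KDC_ERR_C_PRINCIPAL_UNKNOWN = 0x6   # "Security principal unknown"
KDC_ERR_PREAUTH_FAILED = 0x18       # wrong password for an existing account
KDC_ERR_PREAUTH_REQUIRED = 0x19     # "Preauthentication required": the name exists


def enumeration_summary(events, min_guesses=20):
    """Per source: number of name guesses (requests answered with 0x6 or 0x19)
    and the names that turned out to exist (answered with 0x19)."""
    guesses = defaultdict(int)
    matched = defaultdict(set)
    for e in events:
        if e["code"] == KDC_ERR_C_PRINCIPAL_UNKNOWN:
            guesses[e["source"]] += 1
        elif e["code"] == KDC_ERR_PREAUTH_REQUIRED:
            guesses[e["source"]] += 1
            matched[e["source"]].add(e["account"])
    return {src: {"guesses": n, "matched": sorted(matched[src])}
            for src, n in guesses.items() if n >= min_guesses}


def brute_force_summary(events, min_failures=20, many_accounts=10, many_per_account=10):
    """Per source with at least min_failures wrong-password failures: attacked
    accounts, guessed accounts (a success after an earlier failure from the same
    source) and the pattern. Thresholds are constructed for this example."""
    failures = defaultdict(lambda: defaultdict(int))   # source -> account -> failures
    guessed = defaultdict(set)
    for e in events:                                    # events are in time order
        src, acct = e["source"], e["account"]
        if e["code"] == KDC_ERR_PREAUTH_FAILED:
            failures[src][acct] += 1
        elif e["code"] == KDC_SUCCESS and failures[src].get(acct):
            guessed[src].add(acct)
    out = {}
    for src, per_acct in failures.items():
        total = sum(per_acct.values())
        if total < min_failures:
            continue
        horizontal = len(per_acct) >= many_accounts
        vertical = max(per_acct.values()) >= many_per_account
        pattern = {(True, True): "mixed", (True, False): "horizontal",
                   (False, True): "vertical", (False, False): "low-volume"}[(horizontal, vertical)]
        out[src] = {"failures": total, "attacked": sorted(per_acct),
                    "guessed": sorted(guessed[src]), "pattern": pattern}
    return out


def _ev(source, account, code):
    return {"source": source, "account": account, "code": code}


# Constructed records, in time order.
EVENTS = []
# 1) A user mistypes a password twice and then logs in: below every threshold.
EVENTS += [_ev("WS-MKT-01", "alice", KDC_ERR_PREAUTH_FAILED)] * 2
EVENTS += [_ev("WS-MKT-01", "alice", KDC_SUCCESS)]
# 2) Horizontal: two wrong passwords against each of 15 accounts, one of which then succeeds.
for i in range(15):
    EVENTS += [_ev("WS-LAB-03", f"user{i:02d}", KDC_ERR_PREAUTH_FAILED)] * 2
EVENTS += [_ev("WS-LAB-03", "user07", KDC_SUCCESS)]
# 3) Vertical: 25 wrong passwords against a single service account.
EVENTS += [_ev("WS-LAB-04", "svc-sql", KDC_ERR_PREAUTH_FAILED)] * 25
# 4) Name enumeration: 40 dictionary names, three of which exist.
for i in range(40):
    code = KDC_ERR_PREAUTH_REQUIRED if i in (3, 11, 29) else KDC_ERR_C_PRINCIPAL_UNKNOWN
    EVENTS += [_ev("WS-LAB-05", f"name{i:02d}", code)]

if __name__ == "__main__":
    for src, summary in brute_force_summary(EVENTS).items():
        print("brute force from", src, summary)
    for src, summary in enumeration_summary(EVENTS).items():
        print("enumeration from", src, summary)
```

The guessed-accounts list is the field that decides the verdict in the investigation steps: an account that succeeds after the failures, and is not normally used from that source computer, is the case to treat as a true positive.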