Hyper-V NDIS Capture Extension Error - Port Mirroring not working for ATA

  • Question

  • Hi,

    When I enable the Microsoft NDIS Capture Extension on the Virtual Switch I want capture the traffic on, I get the message: 

    "The Selected Extension is not operating correctly.  Check the event logs for further information. If this is a non-Microsoft Extention, contact the vendor for further troubleshooting steps."

    I am running Hyper-V on a Windows 8.1 computer, and would like to test ATA 2016.

    Get the same error if I use either "Internal" or "Private" switch.

    Has anyone seen this problem before?

    Thank you


    • Edited by Shim Kwan Friday, August 28, 2015 11:39 PM
    Friday, August 28, 2015 11:36 PM

All replies

  • Hi Shim,

    If all of your VMs are running on your Windows 8.1 Client Hyper-V enabled box, you do not need to enable the NDIS Capture extension on the Virtual Switch.

    Assuming your domain controller VM and ATA Gateway VM are connected to the same switch, make sure that the domain controller virtual machine is configured as the Source and the ATA Gateway virtual machine is configured as the Destination. This is configured as part of the network adapter setting in the configuration of each virtual machine.

    HTH

    The ATA Team


    Gershon Levitz [MSFT]

    • Marked as answer by Shim Kwan Wednesday, September 2, 2015 1:57 AM
    Sunday, August 30, 2015 12:03 PM
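    The port mirroring setup described in the reply above, as an added PowerShell example (not code from the thread or from the ATA team). VM names, the switch name and the gateway's capture adapter name are assumptions; the cmdlets and parameters are the standard Hyper-V module ones.

```powershell
# Added example: mirror the domain controller VM's traffic to the ATA Gateway VM
# on a Hyper-V host, without the NDIS Capture extension.
# Assumed lab names (adjust to your environment):
$SwitchName = "ATA-Lab"      # internal/private switch both VMs share
$DcVm       = "DC01"         # domain controller VM
$GatewayVm  = "ATAGW01"      # ATA Gateway VM
$CaptureNic = "Capture"      # the Gateway adapter dedicated to capture

# As the reply notes, the NDIS Capture extension is not needed for VM-to-VM
# mirroring on the same host; make sure it is off so it cannot fail.
Disable-VMSwitchExtension -VMSwitchName $SwitchName -Name "Microsoft NDIS Capture" | Out-Null

# Mirroring only works between adapters on the same virtual switch;
# reconnect any adapter that is on a different switch.
$dcNic = Get-VMNetworkAdapter -VMName $DcVm | Select-Object -First 1
if ($dcNic.SwitchName -ne $SwitchName) {
    Connect-VMNetworkAdapter -VMName $DcVm -Name $dcNic.Name -SwitchName $SwitchName
}
$gwNic = Get-VMNetworkAdapter -VMName $GatewayVm -Name $CaptureNic
if ($gwNic.SwitchName -ne $SwitchName) {
    Connect-VMNetworkAdapter -VMName $GatewayVm -Name $CaptureNic -SwitchName $SwitchName
}

# Domain controller adapter = mirror Source, Gateway capture adapter = Destination.
Set-VMNetworkAdapter -VMName $DcVm      -Name $dcNic.Name -PortMirroring Source
Set-VMNetworkAdapter -VMName $GatewayVm -Name $CaptureNic -PortMirroring Destination

# Verification: both adapters on the same switch with the expected roles.
Get-VMNetworkAdapter -VMName $DcVm, $GatewayVm |
    Select-Object VMName, Name, SwitchName, PortMirroringMode
```

    If the Gateway's capture adapter shows no traffic afterwards, confirm the two adapters really share the switch shown in the verification output before touching any switch extension.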
  • Hi Gershoni,

    Thank you, this is how I have things configured - have removed the NDIS Capture.

    However, even though ATA has realized that I have 20 users in AD, it is not picking up any anomalies.

    This is what I have in AD thus far:

    • 3 accounts with password never to expire
    • 5 accounts that have failed to login (as I deliberately used the wrong password)
    • 2 accounts added to the Enterprise and Domain Admins groups

    Should ATA report on any of the above?

    Just trying to determine how best to demo the product.

    Thanks,

    SK


    PS. I have had the ATA lab environment running for 5 days now.
    • Edited by Shim Kwan Sunday, August 30, 2015 10:30 PM
    Sunday, August 30, 2015 9:47 PM
  • The deployment guide states you need 21 days of data prior to it reporting any anomalies.

    Thanks,

    BK

    Monday, August 31, 2015 3:30 PM
  • So we have to wait 21 days before we will be told we have a problem?


    • Edited by Shim Kwan Wednesday, September 2, 2015 1:56 AM
    Tuesday, September 1, 2015 1:38 AM
  • Hi Shim,

    The 21 days is needed to build / learn the normal user profiles. During this 21 day period ATA will not generate any "abnormal" suspicious activities or alerts.

    However during this period ATA will still detect and generate suspicious activities for what we call "deterministic" activities. For example:

    • PtH
    • PtT
    • DNS Reconnaissance
    • Broken Trust
    • Remote Execution
    • Reconnaissance using Account Enumeration
    • Brute Force Attack using LDAP Simple Bind
    • Services exposing account credentials in clear text
    • Honeytoken access

    So as you can see even during this 21 days needed to learn normal user behavior ATA is still able to provide value.

    I hope this helps.

    Thx

    ATA Team


    Gershon Levitz [MSFT]

    • Marked as answer by Shim Kwan Wednesday, September 2, 2015 1:57 AM
    Tuesday, September 1, 2015 5:58 AM
  • Hi Shim,

    We do not raise an alert for the items you listed.

    For accounts with passwords that do not expire and failed logins you will see this in the user entity profile. We do not track the number of failed logins just the last failed login.  

    Additionally you can see whether the account is determined to be "sensitive". A sensitive account is an account that has higher level privileges in the domain based upon account membership.

    To quickly demo this in a lab you can try the following:

    • DNS transfer using NSLookup
    • Remote Execution using PSexec tools from Sysinternals
    • There are tools you can download to perform PtT.

    See attached screen shot.

    HTH

    ATA Team


    Gershon Levitz [MSFT]

    • Marked as answer by Shim Kwan Wednesday, September 2, 2015 1:57 AM
    Tuesday, September 1, 2015 6:20 AM
  • Thanks Gershon, clarifies matters greatly, much appreciated!
    Wednesday, September 2, 2015 1:57 AM