This forum has migrated to Microsoft Q&A. Visit Microsoft Q&A to post new questions.

Remove From My Forums

Test a new install

Question
0

Sign in to vote

Hi,

I have installed and configured ATA in our environment:

- 2 x Physical DCs

- 1 x ATA Server - VM - holds all components

I have connected the DCs and can see all users and computers within my domain.

I would like to test that the install is working, i have tried a simple DNS reconnaissance attack, but nothing is recorded/flagged in ATA. Is there any other tests i can do to make sure ATA is picking up threats?

Thanks in advance

Wednesday, July 27, 2016 8:55 AM

Answers

0

Sign in to vote
I had to install the light gateway on the DNS and then ATA started showing events
- Marked as answer by MartinKerr Monday, August 22, 2016 12:41 PM
Monday, August 22, 2016 12:41 PM

All replies

0

Sign in to vote
Download Microsoft's Remote Server Administration Tools (https://www.microsoft.com/en-au/download/details.aspx?id=45520&wa=wsignin1.0) and run ldp.exe

From the tool click on Connection and then Connect
Server: {enter 1 of your DC's FQDN]
Port: 389
Click ok to proceed
Click Connection and then Bind
In the Bind window enter Domain Admin credentials, select Simple BIND and then click Ok
In the main window you should see a message showing a successful authentication using the credentials.

Go back to the ATA Portal and you should see an event for credentials exposed in cleartext.

You can also set a honeytoken account and attempt to log in to a pc with those credentials.

There are a number of tools for pass-the-ticket attacks if you wish to be more aggressive with your testing.
Wednesday, July 27, 2016 10:08 PM
0

Sign in to vote

Hi,

This didn't work i'm afraid. Therefore what have i done wrong?

Thanks

Martin

Monday, August 22, 2016 9:24 AM
0

Sign in to vote
I had to install the light gateway on the DNS and then ATA started showing events
- Marked as answer by MartinKerr Monday, August 22, 2016 12:41 PM
Monday, August 22, 2016 12:41 PM