Test a new install

  • Question

  • Hi,

    I have installed and configured ATA in our environment:

    - 2 x Physical DCs

    - 1 x ATA Server - VM - holds all components

    I have connected the DCs and can see all users and computers within my domain. 

    I would like to test that the install is working. I have tried a simple DNS reconnaissance attack, but nothing is recorded/flagged in ATA. Are there any other tests I can do to make sure ATA is picking up threats?

    Thanks in advance 

    Wednesday, July 27, 2016 8:55 AM

Answers

  • I had to install the light gateway on the DNS and then ATA started showing events
    • Marked as answer by MartinKerr Monday, August 22, 2016 12:41 PM
    Monday, August 22, 2016 12:41 PM

All replies

  • Download Microsoft's Remote Server Administration Tools (https://www.microsoft.com/en-au/download/details.aspx?id=45520&wa=wsignin1.0) and run ldp.exe

    1. From the tool click on Connection and then Connect
    2. Server: [enter 1 of your DC's FQDN]
    3. Port: 389
    4. Click OK to proceed
    5. Click Connection and then Bind
    6. In the Bind window enter Domain Admin credentials, select Simple BIND and then click OK
    7. In the main window you should see a message showing a successful authentication using the credentials.

    Go back to the ATA Portal and you should see an event for credentials exposed in cleartext.

    You can also set a honeytoken account and attempt to log in to a PC with those credentials.

    There are a number of tools for pass-the-ticket attacks if you wish to be more aggressive with your testing.

    Wednesday, July 27, 2016 10:08 PM
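
The ldp.exe steps in the reply above can be made repeatable with a short script, which also records the UTC time of the bind for matching against the ATA portal. This is an added example, not part of the original thread; the function name `Test-LdapSimpleBind` and the host `dc01.example.test` are hypothetical placeholders.

```powershell
# Added example: LDAP simple bind on port 389 to validate that ATA flags
# credentials sent in cleartext. Run from a domain-joined Windows host.
Add-Type -AssemblyName System.DirectoryServices.Protocols

function Test-LdapSimpleBind {
    param(
        [Parameter(Mandatory)] [string] $Server,            # FQDN of a DC that ATA monitors
        [Parameter(Mandatory)] [pscredential] $Credential,  # enter the user as a UPN (user@domain)
        [int] $Port = 389
    )
    $id      = New-Object System.DirectoryServices.Protocols.LdapDirectoryIdentifier($Server, $Port)
    $conn    = New-Object System.DirectoryServices.Protocols.LdapConnection($id)
    $started = (Get-Date).ToUniversalTime()   # timestamp to look for in the ATA portal
    try {
        # AuthType Basic is the "Simple BIND" option in ldp.exe: the password
        # crosses the wire unencrypted, which is what the detection keys on.
        $conn.AuthType = [System.DirectoryServices.Protocols.AuthType]::Basic
        $conn.SessionOptions.ProtocolVersion   = 3
        $conn.SessionOptions.SecureSocketLayer = $false
        $conn.Credential = $Credential.GetNetworkCredential()
        $conn.Bind()
        [pscustomobject]@{ Server = $Server; Port = $Port; BindUtc = $started; Success = $true; Error = $null }
    }
    catch [System.DirectoryServices.Protocols.LdapException] {
        # A failed bind (bad password, unreachable DC) is reported, not thrown.
        [pscustomobject]@{ Server = $Server; Port = $Port; BindUtc = $started; Success = $false; Error = $_.Exception.Message }
    }
    finally {
        $conn.Dispose()
    }
}

# Hypothetical host name; replace with one of your DCs.
Test-LdapSimpleBind -Server 'dc01.example.test' -Credential (Get-Credential)
```

Because the password is exposed on the network during the test, reset it afterwards.
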
  • Hi,

    This didn't work, I'm afraid. Therefore, what have I done wrong?

    Thanks

    Martin

    Monday, August 22, 2016 9:24 AM