ATA 1.8.1 upgrade : Playbook and detections

  • Question

  • Hello,

We proceeded with the full upgrade to ATA 1.8.1.

There is no official communication/information regarding the ATA playbook and detection changes, so I am asking this question here.

The following tests reported an alert in version 1.7, but no longer do in 1.8/1.8.1:

- Directory services enumeration (net user /domain & net group /domain): I saw the answer in this topic: https://social.technet.microsoft.com/Forums/ie/en-US/de6acf94-3699-4f19-a8f3-0823637a3385/reconnaissance-using-directory-services-enumeration?forum=mata

- KRBTGT compromise (DCSync): Why doesn't this type of detection raise an alert? Is it now (since 1.8) based on the learning period? If not, why aren't alerts raised?

We also observe that a new type of detection (abnormal modification of sensitive groups) doesn't raise alerts either. Is it also based on the learning period? If not, why aren't alerts raised?

    Thank you for your answers.

    Best regards.

    Monday, September 4, 2017 9:46 AM

All replies

  • DCSync - no learning period for this one. How exactly did you try to trigger it?

abnormal modification of sensitive groups - Yes, there is a learning period.

    Monday, September 4, 2017 7:16 PM
  • Hello Eli, thank you for your answer.

We have followed the entire ATA Playbook 3 times:

- Once when we deployed ATA v1.7 in the pre-production environment: we did all the tests successfully and all the detections were raised in the ATA console.

- Once when we deployed ATA v1.7 in the production environment: the test wasn't done because it involves the use of the Mimikatz tool (forbidden in the production environment).

- Once when we upgraded the pre-production environment to 1.8.1: we did all the tests successfully but none of the detections were raised in the ATA console: directory services enumeration, abnormal modification of sensitive groups and KRBTGT compromise (DCSync).

Each time (so twice in the pre-production environment) we did the KRBTGT compromise test, we followed the entire ATA Playbook. We used this command to do the DCSync:

mimikatz.exe "lsadump::dcsync /domain:contoso.local /user:krbtgt" "exit" >> krbtgt-export.txt

Of course we replaced the domain name, and we then opened the krbtgt-export.txt file and saw the NTLM hash of the krbtgt account.

    Thank you very much,

    Best regards.

    Tuesday, September 5, 2017 1:21 PM
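When a network-based detection like ATA's stays silent, it helps to have a second, host-based signal to compare against. A DCSync request of the kind run in the post above asks a domain controller for directory replication rights, which Windows logs as Security event 4662 when object access auditing is enabled. The added example below (not ATA's detection logic, which this thread does not document) flags 4662 events that request the replication control-access rights from a principal that is not a domain controller. The three rights GUIDs are the well-known Active Directory extended rights; the DC machine-account list, the simplified event fields and the sample events are constructed assumptions.

```python
"""Added example: flag non-DC replication requests in Security event 4662.
Not ATA's implementation. The DC list, event shape and sample events are
constructed assumptions; the rights GUIDs are the standard AD extended rights."""
import re

# Control-access rights that a replication (DCSync-style) request asks for.
REPLICATION_GUIDS = {
    "1131f6aa-9c07-11d1-f79f-00c04fc2dcd2",  # DS-Replication-Get-Changes
    "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2",  # DS-Replication-Get-Changes-All
    "89e95b76-444d-4c62-991a-0facbeda640c",  # DS-Replication-Get-Changes-In-Filtered-Set
}
DOMAIN_CONTROLLERS = {"DC01$", "DC02$"}  # assumed: legitimate replication partners
CONTROL_ACCESS = 0x100                   # ADS_RIGHT_DS_CONTROL_ACCESS in the 4662 mask

GUID_RE = re.compile(r"\{?([0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12})\}?", re.I)

# Constructed sample events, reduced to the 4662 fields the check needs.
SAMPLE_4662 = [
    {"EventID": 4662, "SubjectUserName": "DC02$", "AccessMask": "0x100",
     "Properties": "{1131f6aa-9c07-11d1-f79f-00c04fc2dcd2}\n{1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}"},
    {"EventID": 4662, "SubjectUserName": "jdoe", "AccessMask": "0x100",
     "Properties": "{1131f6aa-9c07-11d1-f79f-00c04fc2dcd2}\n{1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}"},
    {"EventID": 4662, "SubjectUserName": "jdoe", "AccessMask": "0x10",
     "Properties": "{bf967aba-0de6-11d0-a285-00aa003049e2}"},  # ordinary read, no replication right
    {"EventID": 4624, "SubjectUserName": "jdoe", "AccessMask": "", "Properties": ""},
]


def requested_guids(properties):
    """Extract the lower-cased GUIDs listed in the 4662 Properties field."""
    return {m.lower() for m in GUID_RE.findall(properties or "")}


def is_replication_request(event):
    """True when a 4662 event asks for control access with a replication right."""
    if event.get("EventID") != 4662:
        return False
    try:
        mask = int(event.get("AccessMask") or "0", 16)
    except ValueError:
        return False
    if not mask & CONTROL_ACCESS:
        return False
    return bool(requested_guids(event.get("Properties")) & REPLICATION_GUIDS)


def find_dcsync(events=SAMPLE_4662, domain_controllers=DOMAIN_CONTROLLERS):
    """Return the replication requests that did not come from a known DC."""
    return [e for e in events
            if is_replication_request(e)
            and e["SubjectUserName"] not in domain_controllers]


if __name__ == "__main__":
    for e in find_dcsync():
        print(f"replication request from non-DC principal: {e['SubjectUserName']}")
```

In the sample data the request from DC02$ is ordinary inter-DC replication and is skipped, the read of an unrelated property is skipped, and only the replication request from a user account is reported. In practice the check requires auditing of directory service access on the DCs and a maintained list of replication partners.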
  • We just verified again that in a simple lab test we get the alert.

    There might be something else that is missed here, but to find out we will need more data/ logs etc.

I can try to help, but the best option here is to open a Premier support ticket.

    If you decide to do so, you can tell me the case # & engineer name so I can help too.

    Tuesday, September 5, 2017 8:23 PM