This forum has migrated to Microsoft Q&A. Visit Microsoft Q&A to post new questions.

Remove From My Forums

ATA 1.8.1 upgrade : Playbook and detections

Question
0

Sign in to vote

Hello,

We proceed the full upgrade to ATA 1.8.1.

There is no official communication/information regarding the ATA playbook and detections changes, so I ask this question here.

The following tests reported an alert in version 1.7, but no more in 1.8/1.8.1 :

- Directory services enumeration (net user /domain & net group /domain) : I saw the answer in this topic : https://social.technet.microsoft.com/Forums/ie/en-US/de6acf94-3699-4f19-a8f3-0823637a3385/reconnaissance-using-directory-services-enumeration?forum=mata

- KRBTGT compromise (DCSync) : Why this type of detection doesn't raise an alert ? Is it now (since 1.8) based on the learning period ? If not, why alerts aren't raised ?

We also observe that a new type of detection (abnormal modification of sensitive groups) doesn't raise alerts too. Is it also based on the learning period ? If not, why alerts aren't raised ?

Thank you for your answers.

Best regards.

Monday, September 4, 2017 9:46 AM

All replies

1

Sign in to vote

DCSync - no learning period for this one. How exactly did you try to trigger it?

abnormal modification of sensitive groups - Yes, there is a learning period.

Monday, September 4, 2017 7:16 PM
0

Sign in to vote

Hello Eli, thank you for your answer.

We have follow the entire ATA Playbook 3 times :

- One when we have deploy the ATA v1.7 in pre-production environment : we have done all the tests with success and all the detections has been raised in the ATA console.

- One when we have deploy the ATA v1.7 in production environment : The test wasn't done because it involve the use of Mimikatz tool (forbidden in production environment).

- One when we have upgrade the pre-production environment to 1.8.1 : we have done all the tests with success but all the detections hasn't raised in the ATA console : directory services enumeration, abnormal modification of sensitive groups and KRBTGT compromise (DCSync).

Each time (so two times in pre-production environment) we did the KRBTGT compromise test, we have follow the entire ATA Playbook. We use theses commands to do the DCSync :

mimikatz.exe “lsadump::dcsync /domain:contoso.local /user:krbtgt “exit” >> krbtgt-export.txt

For sure we have replace the domain name and we have open then krbtgt-export.txt file, seeing the Hash NTLM of the krbtgt account.

Thank you very much,

Best regards.

Tuesday, September 5, 2017 1:21 PM
0

Sign in to vote

We just verified again that in a simple lab test we get the alert.

There might be something else that is missed here, but to find out we will need more data/ logs etc.

I can try to help, but the best option here is to open a premier support ticket ..

If you decide to do so, you can tell me the case # & engineer name so I can help too.

Tuesday, September 5, 2017 8:23 PM