ATA Team Question: missing some behaviors? smb scanning but not triggering an alert

  • Question

  • A coworker and I are scanning our network for open shares as prep for a Disaster Recovery Tabletop Exercise.
    We're looking for fileshares with files that we could list as being encrypted by ransomware.
    The participants will be presented with a scenario on how to resolve the problem.

    Anyways, we're using a test domain account copied on a random enduser.
    His workstation performing the scan is hitting hundreds of network devices' fileshares simultaneously.

    I'm curious why ATA isn't seeing these mass authentication success/failures as a possible issue, especially the nmap/metasploit.


    Wednesday, June 15, 2016 8:50 PM

All replies

  • In my experience, ATA detects such anomalies quite effectively, but only on accounts whose regular behavior (from the past month) is already known to ATA. This is to eliminate false positives, e.g., network management / monitoring software.
    Saturday, June 18, 2016 8:59 AM
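The baseline gating the reply describes, as an added toy example that is not ATA's code or logic: the account names, host names, learning window, threshold and event tuples are all constructed assumptions, chosen so a profiled account tripping the detector sits next to a freshly created test account that is never scored.

```python
# Added example, not ATA's code: a toy baseline-gated detector that mimics the
# behaviour described in the reply. An account is scored only against a
# profile learned from its own history; accounts with no history are skipped.
# Events are constructed tuples: (day, account, target_host).
from collections import defaultdict

LEARNING_DAYS = 30          # assumption: one month of history builds a profile
NEW_TARGET_THRESHOLD = 20   # assumption: unseen hosts in one day that look like a scan

def build_profiles(history):
    """Map account -> set of hosts it touched during the learning window."""
    profiles = defaultdict(set)
    for day, account, target in history:
        if day < LEARNING_DAYS:
            profiles[account].add(target)
    return dict(profiles)

def score_day(profiles, events):
    """Return (alerts, unprofiled) for one day's events.

    alerts: account -> count of hosts outside its profile, when over threshold.
    unprofiled: accounts with no baseline, silently skipped (the
    false-positive trade-off the reply describes).
    """
    seen = defaultdict(set)
    for _day, account, target in events:
        seen[account].add(target)
    alerts, unprofiled = {}, set()
    for account, targets in seen.items():
        if account not in profiles:
            unprofiled.add(account)
            continue
        new = targets - profiles[account]
        if len(new) >= NEW_TARGET_THRESHOLD:
            alerts[account] = len(new)
    return alerts, unprofiled

# Constructed data: alice has a month of routine access to three file servers;
# testuser was created just before the scan and has no history at all.
HISTORY = [(d, "alice", f"fs-{d % 3:02d}") for d in range(LEARNING_DAYS)]
SCAN_DAY = [(LEARNING_DAYS, acct, f"host-{n:03d}")
            for acct in ("alice", "testuser") for n in range(300)]

def run():
    """Score the scan day: alice trips the detector, testuser is not even scored."""
    return score_day(build_profiles(HISTORY), SCAN_DAY)
```

Running `run()` returns an alert for alice (300 hosts outside her profile) and lists testuser as unprofiled, which is the gap the question describes when the scan is driven from a newly copied account.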