Hi,
We have been asked by our customer to share this information with the ATA/MS community:
We performed a large number of attacks to try to test ATA's functionality, and unfortunately don't have anything good to say about ATA:
- Illegal DNS zone transfer from DC: ATA logged this attempt
- Mimikatz DCSync on DC: ATA noticed nothing
- ms14068.exe attack on DC: ATA noticed nothing
- Netsess.exe SMB enumeration of DC: ATA noticed nothing
- PsExec of DC: ATA noticed nothing
- LDAP simple bind/SPNEGO: ATA noticed nothing
- Countless other 'hacks' from various MS and Unix environments
Tests were performed and repeated by different people using Domain Admin accounts, Domain User accounts, non-domain accounts, anonymous accounts, domain joined and not joined machines.
Unfortunately, after a lot of testing, ATA has proven itself to be pretty useless - and we feel that this particular customer will be removing ATA from its list of product/vendor candidates by the end of this week.
Annyeong.
PS.
Version:
- ATA 2016 1.6 on Windows 2012 R2.
- DC on Windows 2012.