ATA 2016 fails to live up to its promise...

  • Question

  • Hi,

    We have been asked by our customer to share this information with the ATA/MS community:

    We performed a large number of attacks to try to test ATA's functionality, and unfortunately don't have anything good to say about ATA:

    • Illegal DNS zone transfer from DC: ATA logged this attempt
    • Mimikatz DCSync on DC: ATA noticed nothing
    • ms14068.exe attack on DC: ATA noticed nothing
    • Netsess.exe SMB enumeration of DC: ATA noticed nothing
    • PSexec of DC: ATA noticed nothing
    • LDAP simple bind/SPNEGO: ATA noticed nothing
    • Countless other 'hacks' from various MS and Unix environments

    Tests were performed and repeated by different people using Domain Admin accounts, Domain User accounts, non-domain accounts, anonymous accounts, domain joined and not joined machines.

    Unfortunately, after a lot of testing, ATA has proven itself to be pretty useless - and we feel that this particular customer will be removing ATA from its list of product/vendor candidates by the end of this week.




    • ATA 2016 1.6 on Windows 2012 R2.
    • DC on Windows 2012.

    • Edited by Shim Kwan Thursday, May 12, 2016 3:47 AM
    Thursday, May 12, 2016 3:45 AM

All replies

  • I'm not sure how your setup is done, but I just did a simple mimikatz:LSADUMP:DCsync test against my ATA system and it was detected with ATA 1.6, freshly installed 3 days ago.

    All servers are 2012R2

    Thursday, May 12, 2016 11:09 AM
  • I have also carried out most of the same tests and ATA has detected them within my environment as well.

    I did have an issue when I first set it up and didn't read not to install Wireshark on the gateways; it didn't like that.

    All 2012R2, and I checked it against 1.5 and 1.6, as I tested again since I had just upgraded.
    • Edited by dscotland Thursday, May 12, 2016 6:40 PM Forgot to put versions
    Thursday, May 12, 2016 1:15 PM