Getting started with Microsoft Advanced Threat Analytics

This is something I have been meaning to try out for a while, since the preview release at Ignite. Advanced Threat Analytics is new software from Microsoft (which comes from an acquisition Microsoft made a while back), and it focuses on some of the more common security problems in a Windows environment, such as Golden Tickets, Pass the Hash, abnormal user behavior and so on.

Now, Microsoft ATA has a pretty simple architecture: it consists of two components plus a MongoDB database where the data is stored. The two components are:

The ATA Center performs the following functions:

  • Manages ATA Gateway configuration settings

  • Receives data from ATA Gateways

  • Detects suspicious activities and runs the behavioral machine learning engines

  • Supports multiple ATA Gateways

  • Runs the ATA Management console

  • Optional: The ATA Center can be configured to send emails or send events to your Security Information and Event Management (SIEM) system when a suspicious activity is detected.

The ATA Gateway performs the following functions:

  • Captures and inspects domain controller network traffic via port mirroring

  • Receives events from a SIEM or Syslog server

  • Retrieves data about users and computers from the domain

  • Performs resolution of network entities (users and computers)

  • Transfers relevant data to the ATA Center

  • Monitors multiple domain controllers from a single ATA Gateway

These roles can be deployed on two different virtual machines or on the same VM. It is really important that during setup of the ATA Center you define that communication happens using the external IP for both the Center communication IP and the management IP. If you keep the default, you need to install both components on the same server.

ATA Center Configuration

Now the Gateway needs to be able to see the DC (or Global Catalog) traffic using port mirroring, which can either be done in a physical environment with SPAN or RSPAN, or we can set up port mirroring in a virtualized fashion.

I have my demo environment running on Hyper-V, which allows me to easily set up port mirroring. First thing I need to do is configure the NIC on my DC as the port mirroring source.


Then I need to add another NIC on my Gateway VM and configure that one with destination mirroring mode.


I also need to enable the NDIS monitoring filter on the vSwitch.
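The three Hyper-V steps above can also be done from PowerShell on the Hyper-V host. The following is an added example and not code from the original post or from the ATA product; the VM names DC01 and ATAGW01, the switch name LabSwitch and the adapter name Capture are assumed placeholders for a lab, so replace them with your own. The only cmdlets used are the standard Hyper-V module ones (Set-VMNetworkAdapter, Add-VMNetworkAdapter, Enable-VMSwitchExtension).

```powershell
# Added example (not part of the original post): configure Hyper-V port mirroring
# so that an ATA Gateway VM receives a copy of the domain controller's traffic.
# Assumed (placeholder) names for this lab:
$dcVm       = 'DC01'       # domain controller VM
$gwVm       = 'ATAGW01'    # ATA Gateway VM
$switch     = 'LabSwitch'  # virtual switch shared by both VMs
$captureNic = 'Capture'    # the Gateway's dedicated mirror-destination NIC

# 1. Make the DC's network adapter the mirroring source.
Get-VMNetworkAdapter -VMName $dcVm |
    Set-VMNetworkAdapter -PortMirroring Source

# 2. Add a second NIC to the Gateway on the same switch and make it the destination.
#    This NIC should carry no IP configuration inside the guest; the Gateway's
#    management/Center traffic stays on its first NIC.
Add-VMNetworkAdapter -VMName $gwVm -SwitchName $switch -Name $captureNic
Set-VMNetworkAdapter -VMName $gwVm -Name $captureNic -PortMirroring Destination

# 3. Enable the NDIS capture extension on the vSwitch so mirrored frames are delivered.
Enable-VMSwitchExtension -VMSwitchName $switch -Name 'Microsoft NDIS Capture'

# Verify: the DC adapter shows Source, the Gateway capture adapter shows Destination,
# and the switch extension reports Enabled = True.
Get-VMNetworkAdapter -VMName $dcVm, $gwVm |
    Select-Object VMName, Name, SwitchName, PortMirroringMode
Get-VMSwitchExtension -VMSwitchName $switch -Name 'Microsoft NDIS Capture' |
    Select-Object Name, Enabled
```

Two things worth checking after running this: both VMs must sit on the same virtual switch, or the destination adapter never sees the mirrored frames, and the mirror destination receives a copy of everything the DC sends and receives (including authentication traffic), so the Gateway VM itself should be treated as a sensitive system with the same access controls as the DC.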


Before the initial setup note that there are some limitations in the preview…

Make sure that KB2919355 has been installed!

Only enter domain controllers from the domain that is being monitored. If you enter a domain controller from another domain, this will cause database corruption and you will need to redeploy the ATA Center and Gateways from scratch!

After you have deployed both components, all you need to do is define the domain controller and the capture NIC in the management console.


Now, after this is done, we can verify that it has connectivity by checking the dashboard and searching for a user.


Now, by default ATA takes about 2 weeks before it can establish a baseline for what regular activity looks like, but it has some default alerts which we can trigger to make sure that it works as it should. For instance we can use a DNS reconnaissance attack.


A simple nslookup with the ls parameter. This then triggers an alert in the console.


Since this is still a preview it has some limitations; as of right now it cannot detect PtH, so stay tuned for more about this when the full release comes.

#ata, #microsoft-advanced-threat-analytics, #pass-the-hash

What's new at Ignite! Nano Server, Containers, Azure Stack, OMS, ATA and so on

So this is my recap of what happened at Ignite, sorted by subject of course, but the focus and strategy at Microsoft is clear: “MOVE TO OUR CLOUD”. Of course they did not leave out the guys on the floor either.

Microsoft announced numerous changes to their Azure platform, including more of an architectural change to their IaaS platform (which is about time), so to sum up the Azure changes happening over the last two weeks:

  • User defined routes (which finally allow us to define a routing table for each subnet)
  • Reserved IP addresses (Allow us to move reserved IP addresses between services now!)
  • Instance level public IP
  • Multiple VIPs per Cloud Service
  • Azure DNS (which allows us to manage our DNS zones from Azure, and which will eventually also support DNSSEC and integrate with Traffic Manager)
  • Networking support for resource manager
  • Bring in BGP routes if you are using ExpressRoute
  • 16 vNICs per virtual machine
  • Azure Automation with support for Graphical Authoring and integration with on-premises
  • Azure Resource Manager, which will allow us to build complete services based upon JSON files; this will also play a huge role in Azure Stack
  • IP forwarding on virtual appliances
  • Announced a bunch of different virtual appliance partners which will arrive in the marketplace soon (for instance Citrix NetScaler, Check Point and so on)
  • Role Based Access
  • Exchange supported on Premium Storage in Azure

So as you can see there is a lot happening on Azure, specifically on networking, which has been lacking for quite some time. So what about Office 365 and EMS?

  • Sway (Will be available to all later this month)
  • New Office 2016 Public Preview
  • Skype for Business Broadcast meetings
  • Announced one Sync client for OneDrive
  • Mobile offline files IOS and Android OneDrive
  • Save to OneDrive from OWA
  • The 20,000 file limit and 10GB max file size will be gone
  • You can see more about the OneDrive Roadmap here
  • Intune announced support for Mac OSX
  • Intune app wrapping for Android
  • Support for the Apple Volume Purchase Program
  • Support for MAM in Outlook app
  • Multi-identity
  • Restrict Access to Outlook based upon compliance of device
  • Windows 10 support for Intune
  • Document Tracking with Azure RMS
  • Cloud App Discovery GA
  • Privileged Identity Management
  • Also heard that eventually Intune will merge into Azure Active Directory

Other than these news items, Microsoft also announced a new bundle called OMS (Operations Management Suite), which consists of:

  • Azure Automation
  • Azure Backup
  • Azure Site Recovery
  • Azure Operational Insights (which will later get support for components like network logging, syslog tracking and CMDB options)

This suite can be tried now! Microsoft also announced that they will open up for partners to add their own intelligence packs for their own monitoring solutions, which means more data moving to the cloud.

So what did Microsoft announce for the guys on the floor? Well, a lot! For instance, a lot of new capabilities in Server 2016.

  • Microsoft Advanced Threat Analytics (currently in preview; a combination of network and log based monitoring to be able to detect attacks like Pass the Hash, accounts that have been compromised and so on). This will become more advanced with capabilities like network monitoring and being able to take action if there is an attack.
  • PowerShell DSC support for Linux (Which just came out of nowhere!)
  • Nano Server (a newly created flavor of Windows Server, designed for delivering the next generation of cloud services with a very low footprint in terms of RAM, disk and CPU, where Microsoft stripped most of the traditional components away). I'll be writing more about Nano Server, but in essence it now looks more like ESX.
  • Containers, Containers, Containers! (Also something I will be writing more about)
  • Storage Spaces Direct (a shared-nothing file cluster, which can also be combined with Hyper-V to deliver HCI)
  • Storage Replica, which is not like DFS-R: it allows us to replicate any volume asynchronously or synchronously.
  • Storage QoS on a scale out file server
  • Windows Defender now installed and enabled by default (even in Nano)
  • Rolling Cluster Upgrades
  • RDS support for OpenGL 4.4, OpenCL 1.1 + Support for GEN2 VMs and RemoteFX,
  • Web Application Proxy, preauth for HTTP Basic, HTTP to HTTPS redirect
  • Windows Server 2016 will support VXLAN
  • Software loadbalancing capabilities
  • Production Checkpoints and integration with VSS
  • Linux SecureBoot
  • Connected Standby
  • Hyper-V Manager with alternate credentials
  • ReFS more used in centralized SOFS
  • Binary virtual machine configuration VMCX
  • Hot Add and remove of memory and network adapters
  • SMB 3.1.1 (pre-authentication integrity check, encryption improvements)
  • The Network Controller which will allow central management of virtual and physical network devices
  • Shielded VMs and Host Guardian Service
  • JEA (Just Enough Administration)
  • Converged NIC across tenant and RDMA traffic
  • Server side support for HTTP/2, including header compression and connection multiplexing, on IIS
  • Online resizing support for shared VHDX
  • PowerShell Direct to a virtual machine.

Now with all these capabilities in place in the fabric, there is only one thing missing, which is something they announced in the keynote: Azure Stack. Now Microsoft means business. They are moving in and competing with the likes of OpenStack and CloudPlatform and so on. Many wondered if this was the new version of Azure Pack (and it is! It is the evolution of Azure Pack). Microsoft will continue to support Azure Pack for a while, but the main development will go into Azure Stack. Unlike Azure Pack, Stack is not so deeply dependent on System Center. Of course you would still use System Center to manage the infrastructure, but the fabric connection from the Azure Stack providers would be directly against Hyper-V hosts or clusters.

Azure Stack will consist of an Azure-like fabric controller and will also have the option to communicate with the Network Controller to manage the physical and virtual network layers. Stack will also look and feel like the new portal which is currently in use in the preview portal, and will come with a set of different providers to deliver specific services.

With the support for VXLAN in the fabric and some support for VMware in DPM, maybe Microsoft is moving towards support for VMware with Azure Stack?

Time will tell, and stay tuned for more.

#ata, #azure-stack, #containers, #nano-server, #oms