Hey Folks! I just got my ATA lab up and running and thought I’d share a few tips and tricks for those of you doing a lab or POC type setup and want to get up and running quickly.
First of all, here’s the ‘official’ documentation for ATA. It’s worth walking through that as I won’t really detail the setup process here since I’ve already done that and don’t have the screenshots. The setup/install for ATA is very straightforward although I’ll provide a few tidbits here that might help you not run into the same snags I did getting this up and running.
If you need the 90 day trial bits – you can grab those here: https://www.microsoft.com/en-us/evalcenter/evaluate-microsoft-advanced-threat-analytics
They are also on MSDN if you are a subscriber there (along with a key you can use):
In my lab I'm running everything (DC, ATA Center and ATA Gateway) in Hyper-V VMs. I happen to be using the Windows Server 2016 Tech Preview 4, but most folks will, at least at the time of this writing, use 2012 R2, which will work fine of course. The key here is that you'll need to enable port mirroring on both your DC and ATA Gateway VMs, so keep that in mind.
When you are installing the ATA Center you'll need a VM with two NICs – easy to do with a VM of course. One of them is to connect to the console and the other is for ATA management. Make sure you note the IPs correctly when you get this set up. Read the deployment guide as well – there's a Windows Server hotfix that needs to be applied or you'll have issues.
Now, on the DC go to the network settings on the VM and enable port mirroring and choose ‘source’ from the drop down.
On the Gateway VM you’ll connect to the ATA Center console IP address and then download the gateway installer components. Follow the instructions per the deployment guide for installing – it’s pretty straightforward.
The thing here is that you'll need two NICs on the Gateway VM as well: one for LAN and the other for CAPTURE. I like to name the NICs that way just to keep track easily.
On the CAPTURE NIC you'll want some 'dummy' information in there. Pick an IP/subnet that is not routable and configure no DNS servers. Here's what I did:
On the gateway server you’ll need to enable port mirroring on that CAPTURE NIC. Make sure you pick the right one – in the Hyper-V settings I always look for the MAC address and then do an ipconfig in the VM to match up which NIC since it’s not blatantly obvious in the settings which one is which. Make sure you choose ‘destination’ from the drop down.
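The same port-mirroring setup done from the Hyper-V host with PowerShell instead of the VM settings dialog, as an added example (not from the original post). VM names DC01 and ATAGW1 and the adapter names LAN and CAPTURE are assumptions; the second part runs inside the gateway VM to match its adapters to the MACs the host shows.

```powershell
# Added example, not part of the original post. Run on the Hyper-V host as administrator.
# Assumed names: DC VM "DC01", gateway VM "ATAGW1", gateway adapters "LAN" and "CAPTURE".
$DcVm      = 'DC01'
$GatewayVm = 'ATAGW1'

# The DC's adapter is the mirror SOURCE: a copy of its frames is sent to any destination
# adapter on the same virtual switch. (Without -Name this applies to every DC adapter.)
Set-VMNetworkAdapter -VMName $DcVm -PortMirroring Source

# Only the gateway's CAPTURE adapter is a DESTINATION. The LAN adapter stays unmirrored
# so management traffic to the ATA Center is not mixed into the capture stream.
Set-VMNetworkAdapter -VMName $GatewayVm -Name 'CAPTURE' -PortMirroring Destination
Set-VMNetworkAdapter -VMName $GatewayVm -Name 'LAN'     -PortMirroring None

# Check: source and destination must share a SwitchName, and the MACs listed here are
# what you compare against inside the VM to tell the two gateway NICs apart.
Get-VMNetworkAdapter -VMName $DcVm, $GatewayVm |
    Select-Object VMName, Name, SwitchName, MacAddress, PortMirroringMode |
    Format-Table -AutoSize

# --- Run this part INSIDE the gateway VM ---
# Hyper-V prints MACs without separators (00155D...), Windows prints 00-15-5D-...;
# strip the dashes so the two lists line up, then rename the adapters to match.
Get-NetAdapter |
    Select-Object Name, Status, @{ n = 'Mac'; e = { $_.MacAddress -replace '-', '' } }
# Example once you know which is which (MAC values here are placeholders):
# Get-NetAdapter | Where-Object MacAddress -eq '00-15-5D-AA-BB-01' | Rename-NetAdapter -NewName 'LAN'
# Get-NetAdapter | Where-Object MacAddress -eq '00-15-5D-AA-BB-02' | Rename-NetAdapter -NewName 'CAPTURE'
```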
In the ATA web console you’ll see the option to check the appropriate capture NIC:
You may need to check to make sure that the ATA Service is running at this point on the gateway.
As the deployment guide states – check the perfmon counters to make sure your gateway is installed correctly.
The one that will tell you whether or not the gateway is actually capturing is the network listener messages-per-second counter:
When you add that counter you’ll start to see some activity there:
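An added example (not from the original post) for the guest side of the same steps: giving the CAPTURE NIC its dummy, non-routable configuration, checking that the gateway service is running, and sampling the gateway's perfmon counters. The adapter name CAPTURE, the 169.254.10.10 address, and the wildcard patterns used to find the service and counter set are assumptions.

```powershell
# Added example, not part of the original post. Run inside the ATA Gateway VM as administrator.
# Assumed: the capture adapter is named "CAPTURE"; the address is a constructed link-local value.
$Capture = 'CAPTURE'

# Clear whatever IPv4 config the adapter picked up, turn off DHCP, then assign a throwaway
# address. No default gateway and no DNS servers: nothing should ever route out of this NIC.
Get-NetIPAddress -InterfaceAlias $Capture -AddressFamily IPv4 -ErrorAction SilentlyContinue |
    Remove-NetIPAddress -Confirm:$false
Set-NetIPInterface -InterfaceAlias $Capture -AddressFamily IPv4 -Dhcp Disabled
New-NetIPAddress -InterfaceAlias $Capture -IPAddress '169.254.10.10' -PrefixLength 24
Set-DnsClientServerAddress -InterfaceAlias $Capture -ResetServerAddresses
# Keep the capture NIC from registering its dummy address in AD DNS.
Set-DnsClient -InterfaceAlias $Capture -RegisterThisConnectionsAddress $false

# The gateway service must be running before any counters show activity.
# The display-name pattern is an assumption; adjust it to what Get-Service lists on your box.
$svc = Get-Service -DisplayName '*Advanced Threat Analytics*' -ErrorAction SilentlyContinue
if (-not $svc) { Write-Warning 'No ATA service found; re-check the gateway install.' }
$svc | Select-Object Name, DisplayName, Status

# Discover the gateway's counter set instead of guessing exact counter paths, then take a few
# samples of the message-rate counters. A steady non-zero CookedValue means mirroring works.
$sets  = Get-Counter -ListSet '*ATA*' | Where-Object CounterSetName -like '*Gateway*'
$paths = $sets.Paths | Where-Object { $_ -match '(?i)message' }
if ($paths) {
    Get-Counter -Counter $paths -SampleInterval 5 -MaxSamples 3 |
        ForEach-Object { $_.CounterSamples | Select-Object Timestamp, Path, CookedValue }
} else {
    Write-Warning 'No ATA Gateway message counters found; check the service and install log.'
}
```

If every sample reads 0, the usual culprits are the mirror set on the LAN NIC instead of CAPTURE, or the DC and gateway sitting on different virtual switches.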
At this point you should be able to login to the console and over on the right hand side you’ll see that ATA will start picking up some information about your environment:
You should also be able to use the ‘search’ box to look up users/computers, etc…
At this point we can do a few tests to check and make sure our environment is working properly. ATA will take 21 days to really learn your environment, so you won't see pattern-behavior type activity for a period of time because ATA is in learning mode. However, there are quite a few attacks that will show up immediately. Here are a few you can use to do some testing or demos:
DNS Recon:
Open a CMD window and do an NSLOOKUP against your protected DC:
nslookup - dc.domain.com
Now do this:
ls domain.com
You'll see all your machines enumerated in the window. Now let's go check out the ATA Console:
We can see here that I ran this a couple times. Once at 11:33am and again for this demo at 12:28pm:
Let’s try something else…
Remote Execution:
Download the PsExec Tools from TechNet: https://technet.microsoft.com/en-us/sysinternals/bb896649.aspx
From a member server in the domain run the following command:
PsExec.exe \\DC01 ipconfig
(DC01 of course represents one of your protected DC’s)
You’ll get an ipconfig from the DC. In your ATA console you’ll see this:
Finally let’s log into a PC with the honey token user account:
If you followed the directions in the ATA install guide you have your honey token account set up. Typically this is the good ol' DOMAIN\Administrator account.
In my case, I have a user called ‘admin’ and I just logged into one of my Windows 7 VM’s with that identity. This is what shows up in the ATA console:
So there you go! ATA is really a pretty easy product to install and get going, especially when you consider the kind of information and insight it provides. Hopefully this helps you on your way to getting ATA set up and configured properly, and if you are like me and doing demos and such, this gives you a few things that you can show off in real time.
Have fun!