Install Configure ATA


What is Advanced Threat Analytics

Advanced Threat Analytics, also known as ATA, is the only on-premises solution in the EMS suite. Deployed inside the local network, this platform protects a company's information system against cyber attacks (targeted attacks, sophisticated attacks, insider threats, etc.). To detect these attacks, ATA learns the behaviour of users and computers present on the local network. This has a single purpose: to build a behavioural profile for each entity and, from it, to identify abnormal behaviour.

Install Advanced Threat Analytics

ATA Infrastructure

The infrastructure consists of two servers (the ATA Center and the ATA Gateway). In my lab these are the servers SRV-ATA and SRV-GW-ATA.

Server SRV-ATA

  • IP address: 192.168.1.203
  • Subnet mask: 255.255.255.0
  • Default gateway: 192.168.1.254
  • Primary DNS server: 192.168.1.200

Server SRV-GW-ATA
This server has two network cards. The second card is used for capture and must be configured as follows.

  • Management network card
      • IP address: 192.168.1.204
      • Subnet mask: 255.255.255.0
      • Default gateway: 192.168.1.254
      • Primary DNS server: 192.168.1.200
  • Capture network card
      • IP address: 1.1.1.1
      • Subnet mask: 255.255.255.255


ATA Installation

Once the prerequisites have been validated, the installation can begin. Advanced Threat Analytics can be downloaded from the VLSC website. If you do not have a license and wish to test the product, a trial version is available from the TechNet Evaluation Center:
https://www.microsoft.com/fr-fr/evalcenter/#products

On the ATA server, connect the ATA ISO to the virtual machine to proceed with the installation. From the DVD, double-click Microsoft ATA Center Setup.


In the window that appears, click Accept and install. This installs the .NET Framework.
A wizard then starts: select the desired language from the drop-down list and click Next.


Accept the license terms and then click Next. In the Use Microsoft Update window to keep your computer safe, check Use Microsoft Update when searching for updates (recommended) and click Next.


Configure the desired installation path and database data path. In this window you can also choose between self-signed certificates and certificates issued by the company's certification authority. In production, it is recommended to redirect the database data (database data path) to a data partition other than the system partition.

Click Install to start the installation.


Once the installation is complete, click Start. Configuration can now be performed.


After you click Start, the configuration page is displayed. It can also be reached at the URL https://localhost/configuration?tab=directoryServices. Create a user account in Active Directory; it does not need administrator rights. In the ATA configuration window, enter the account credentials (username and password). Click Test Connection and then click Save.


From the ATA console, click the Download Gateway Setup link. In the new window, click Install Gateway and copy the file to the server that will act as the Gateway.


ATA Gateway Configuration

In the Hyper-V Manager console, right-click the virtual machine and select Settings from the context menu. Navigate to the previously added network card (the capture card) and click the + to the left of Network Adapter. Select Advanced Features and then, from the Mirroring mode drop-down list, select Destination. Mirroring must also be configured on the domain controller: there, select Source from the same drop-down list.


Configure the capture network card with IP address 1.1.1.1 and subnet mask 255.255.255.255.
Run the installation file; if necessary, click Install to install the .NET Framework. Choose the desired language and click Next.


Validate the following windows and start the installation. The configuration window then appears. If it does not open on the Gateways page, go to the Gateways window and click the desired gateway.


Enter the FQDN of the domain controller in the Domain Controllers field and click the + icon. Select the capture network card (the card added earlier). Click Save.


Click Updates in the menu and enable the update option. Click Save to confirm the change. Collection through Syslog, a SIEM or the Windows event logs can now begin.

Configure event log collection

Events can be collected from several sources (Windows event logs, SIEM, Syslog). This section covers the configuration of Windows event log collection. Note that since ATA version 1.8 it is no longer necessary to configure event collection for ATA Lightweight Gateways, which read the events directly on the domain controller where they are installed. To improve detection, ATA requires Windows events 4776, 4732, 4733, 4728, 4729, 4756 and 4757. If no Lightweight Gateway is installed, these events can be forwarded to the ATA Gateway. Before performing the following operations, make sure port mirroring is configured. From the Active Directory Users and Computers console, open the Event Log Readers group (Builtin container) and add the ATA Gateway computer account and the Network Service account to the group.


Run the command winrm quickconfig on all domain controllers. The configuration on the domain controllers is now complete. Run the command wecutil qc on the ATA Gateway. Then open Event Viewer on the ATA Gateway, right-click Subscriptions and select Create Subscription from the context menu.
In the window that appears, enter the name of the subscription and check the destination log: it must be Forwarded Events.


Under Subscription type and source computers, select Collector initiated. A source-initiated subscription may require a PKI. Click Select Computers and, in the window that appears, click Add Domain Computers. Enter the name of the domain controller and click Check Names. Click OK to validate the change.


In the Subscription Properties window, click Select Events. From the By log drop-down list, select Security.
Enter 4776,4732,4733,4728,4729,4756,4757 in the Includes/Excludes Event IDs field. Click OK to validate the changes.


Restart the ATA Gateway and the domain controllers. After a few minutes, the first events are forwarded to the ATA Gateway.
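The same collection setup, scripted in PowerShell as an added example (not part of the original post or of the ATA product): it grants the gateway's computer account log-read rights, prepares WinRM on the domain controller and the collector service on the gateway, registers a collector-initiated subscription restricted to the seven event IDs ATA needs, and lists what has arrived. The gateway name SRV-GW-ATA and the domain controller FQDN dc01.lab.local are assumed placeholders.

```powershell
# Added example (not from the original post): scripted version of the
# event-collection steps. SRV-GW-ATA and dc01.lab.local are placeholders.

# --- Run on a domain controller (or a host with the AD module) ---
# Give the gateway's computer account the right to read the Security log.
Import-Module ActiveDirectory
Add-ADGroupMember -Identity 'Event Log Readers' -Members 'SRV-GW-ATA$'
# --- Run on every domain controller: enable the WinRM listener ---
winrm quickconfig -quiet

# --- Run on the ATA Gateway (the collector) ---
wecutil qc /q:true          # configure the Windows Event Collector service
# Collector-initiated subscription limited to the event IDs ATA requires,
# delivered into the Forwarded Events log.
$subscription = @"
<Subscription xmlns="http://schemas.microsoft.com/2006/03/windows/events/subscription">
  <SubscriptionId>ATA-DC-Security</SubscriptionId>
  <SubscriptionType>CollectorInitiated</SubscriptionType>
  <Enabled>true</Enabled>
  <Uri>http://schemas.microsoft.com/wbem/wsman/1/windows/EventLog</Uri>
  <ConfigurationMode>Normal</ConfigurationMode>
  <Query><![CDATA[
<QueryList>
  <Query Id="0" Path="Security">
    <Select Path="Security">*[System[(EventID=4776 or EventID=4732 or EventID=4733
      or EventID=4728 or EventID=4729 or EventID=4756 or EventID=4757)]]</Select>
  </Query>
</QueryList>
]]></Query>
  <ReadExistingEvents>false</ReadExistingEvents>
  <TransportName>HTTP</TransportName>
  <ContentFormat>RenderedText</ContentFormat>
  <LogFile>ForwardedEvents</LogFile>
  <CredentialsType>Default</CredentialsType>
  <EventSources>
    <EventSource Enabled="true">
      <Address>dc01.lab.local</Address>
    </EventSource>
  </EventSources>
</Subscription>
"@
$xmlPath = Join-Path $env:TEMP 'ata-subscription.xml'
Set-Content -Path $xmlPath -Value $subscription -Encoding UTF8
wecutil cs $xmlPath         # create the subscription from the XML

# A few minutes later: check that only the expected IDs are being forwarded.
Get-WinEvent -LogName ForwardedEvents -MaxEvents 50 |
  Group-Object Id | Select-Object Name, Count
```

If the final command returns nothing, check the subscription state with wecutil gr ATA-DC-Security before revisiting the port mirroring configuration.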

Confirm ATA gateway configuration

To validate correct operation, download and install Microsoft Network Monitor 3.4 on the ATA Gateway virtual machine. Do not use any other capture software. The tool can be downloaded from the following link.

https://www.microsoft.com/en-us/download/details.aspx?id=4865

Once downloaded, install the tool with the default options and run it when the installation is complete. Select only the capture network card and click P-Mode. Under Recent Captures, click New capture tab.


In Display Filter, enter KerberosV5 OR LDAP and click Apply. Click Start to capture traffic. Traffic to or from the domain controller should appear. If it does not, check the mirroring configuration (network adapter settings in the Hyper-V Manager console).


If traffic is captured, you can move on to the next step and simulate an attack.

Simulate Attack

First we will try to list the AD domain information. The user account logged on to the machine is not a domain administrator.
To do this, run the nslookup command followed by the AD domain name.


Access was denied, and a new entry is now present in the ATA console. On the ATA server, open the console by double-clicking the icon on the desktop.
