Install Configure ATA

What is Advanced Threat Analytics

Advanced Threat Analytics, also known as ATA, is the only on-premises solution in the EMS suite. This platform, deployed inside the local network, protects a company's information system against cyber attacks (targeted attacks, sophisticated attacks, insider threats, etc.). To detect these attacks, ATA learns the behaviour of the entities (users and computers) present on the local network, for one purpose only: to build a behavioural profile and thereby identify abnormal behaviour.

ATA Infrastructure

The infrastructure consists of two servers (the ATA server and the ATA Gateway). In my lab I have the servers SRV-ATA and SRV-GW-ATA.

Server SRV-ATA

  • IP address: 192.168.1.203
  • Subnet mask: 255.255.255.0
  • Default gateway: 192.168.1.254
  • Primary DNS server: 192.168.1.200

Server SRV-GW-ATA
This server has two network cards. The second card is used for capture and must be configured as follows.

  • Management network card
      • IP address: 192.168.1.204
      • Subnet mask: 255.255.255.0
      • Default gateway: 192.168.1.254
      • Primary DNS server: 192.168.1.200
  • Capture network card
      • IP address: 1.1.1.1
      • Subnet mask: 255.255.255.255

Configure network card

ATA Installation

Following the validation of the prerequisites, the installation step can begin. Advanced Threat Analytics can be downloaded from the VLSC website. If you do not have a license and wish to test the product, you can retrieve a trial version from the Technet Evaluation Center.
https://www.microsoft.com/fr-fr/evalcenter/#products.

On the ATA server, connect the ATA ISO to the virtual machine to proceed with the installation. From the DVD, double-click Microsoft ATA Center Setup.

Install ATA

In the window that appears, click Accept and install. This installs the .NET Framework.
A wizard starts; select the desired language from the drop-down list and click Next.

Install Configure ATA started

Accept the license terms and then click Next. In the Use Microsoft Update to keep your computer safe window, check Use Microsoft Update when searching for updates (recommended) and click Next.

Use Windows Update for ATA

Configure the desired installation path and database data path. In this window it is also possible to choose the certificate: self-signed, or one issued by the company's certification authority. In production, it is recommended to redirect the database data (database data path) to a data partition other than the system partition.

Click Install to start the installation.

Configure SSL certificate

Once the installation is complete, click Start. Configuration can now be performed.

Launch installation

After you click Start, the configuration page is displayed. It can also be reached at the URL https://localhost/configuration?tab=directoryServices. Create a user account in Active Directory; it does not need administrator rights. In the ATA configuration window, enter the account credentials (username and password). Click Test Connection and then click Save.
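The directory services account only needs to read the directory, so it should be an ordinary domain user. The following PowerShell is an added example, not part of the original post: it creates such an account and then checks that it belongs to no privileged group. The account name svc-ata, the OU path and the lab domain are assumptions; the ActiveDirectory module must be available and the script run with rights to create users.

```powershell
# Added example (not from the original post): create the low-privilege AD account
# the ATA Center uses to read the directory, then verify it holds no admin rights.
# Assumptions: ActiveDirectory module present, run by an account allowed to create
# users; svc-ata and the OU path below are placeholders to replace.
Import-Module ActiveDirectory

$samName = 'svc-ata'                                   # assumed account name
$ouPath  = 'OU=Service Accounts,DC=lab,DC=local'       # assumed OU (replace)
$domain  = (Get-ADDomain).DNSRoot

# Random 24-character password drawn from printable ASCII; it is typed once
# into the ATA console and never reused anywhere else.
$password = -join ((33..126) | Get-Random -Count 24 | ForEach-Object { [char]$_ })
$secure   = ConvertTo-SecureString $password -AsPlainText -Force

New-ADUser -Name $samName -SamAccountName $samName `
    -UserPrincipalName "$samName@$domain" -Path $ouPath `
    -AccountPassword $secure -Enabled $true `
    -PasswordNeverExpires $true `
    -Description 'ATA Center directory read account (no admin rights)'

# Check: a plain domain user should only be a member of Domain Users. Any
# admin or operator group listed here means the account is over-privileged.
$groups      = Get-ADPrincipalGroupMembership -Identity $samName |
                   Select-Object -ExpandProperty Name
$adminGroups = $groups | Where-Object { $_ -match 'Admin|Operators' }
if ($adminGroups) {
    Write-Warning "$samName is a member of privileged group(s): $($adminGroups -join ', ')"
} else {
    Write-Host "$samName is a member of: $($groups -join ', ') (no privileged groups)"
}
Write-Host "Enter $samName and this password in the ATA console, Directory Services tab: $password"
```

Test Connection in the console only proves the credentials work; the group check above is what confirms the account has no more rights than it needs.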

ATA console launched

From the ATA console, click the Download Gateway Installation link. In the new window, click Install Gateway and copy the file to the server that will function as the Gateway.

Install ATA Gateway

Gateway ATA Configuration

In the Hyper-V Manager console, right-click the virtual machine and select Settings from the context menu. Navigate to the previously added network card (capture card) and click the + to the left of Network Card. Select Advanced Features and then from the Mirror Ports drop-down list select Destination. You can also configure mirroring on the domain controller. Select Source from the drop-down list.

Configure Hyper-V for Gateway ATA

Configure the capture network card with IP address 1.1.1.1 and subnet mask 255.255.255.255.
Run the installation file; if necessary, click Install to install the .NET Framework. Choose the desired language and click Next.

Install Gateway ATA

Validate the following windows and start the installation. The configuration window appears. If you have not already done so, go to the Gateways window. Click on the desired gateway.

Gateway ATA has been added

Enter the FQDN of the domain controller in the Listening Port Domain Controller field and click the + icon. Select the capture network card (the network card added previously). Click Save.

Configure Gateway ATA

Click Updates in the menu and enable the update option. Click Save to confirm the change. Collection through Syslog, SIEM or event logs can now begin.

Add account on local group

Run the command winrm quickconfig on all domain controllers. The configuration on the domain controllers is now complete. Run the command wecutil qc on the ATA Gateway. Then open the event logs on the ATA Gateway. Right-click Subscriptions and select Create Subscription from the context menu.
A new window appears; enter the name of the subscription and check the destination log, which must be Forwarded Events.

Configure collector

In Subscription type and source computers, select Initialization by collector. If you want an initialization by the source, a PKI may be necessary. Click Select Computers; in the window that appears, click Add Domain Computers. Enter the name of the domain controller and click Check Names. Click OK to validate the change.

Add desired computer

In the Subscription Properties window, click Select Events. From the By Log List drop-down list, select Security.
Enter 4776,4732,4733,4733,4728,4729,4756,4757 in the Include/exclude event IDs field. Click OK to validate the changes.

Configure filter

Restart the Gateway ATA and Domain controllers. After a few minutes, the first events are transferred to the ATA gateway.
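The subscription built in the Event Viewer between "Create Subscription" and the restart above can also be created from an XML file with wecutil, which makes the filter reviewable and repeatable. The script below is an added example, not code from the original post: it runs on the ATA Gateway after wecutil qc, uses the event IDs the post lists (4733 once; the duplicate in the post's field is harmless), and assumes the domain controller FQDN dc01.lab.local and the subscription name ATA-DC-Security, both placeholders.

```powershell
# Added example (not from the original post): create the collector-initiated
# Windows Event Forwarding subscription as XML, register it with wecutil, and
# verify that Security events from the DC reach the ATA Gateway.
# Assumptions: run elevated on SRV-GW-ATA after "wecutil qc"; dc01.lab.local
# and ATA-DC-Security are placeholders to replace.

$dcFqdn   = 'dc01.lab.local'                       # assumed DC FQDN
$subName  = 'ATA-DC-Security'                      # assumed subscription name
$eventIds = 4776,4732,4733,4728,4729,4756,4757     # IDs listed in the post

# Build the XPath condition "EventID=4776 or EventID=4732 or ...".
$idFilter = ($eventIds | ForEach-Object { "EventID=$_" }) -join ' or '

$subscriptionXml = @"
<Subscription xmlns="http://schemas.microsoft.com/2004/02/mpg/events">
  <SubscriptionId>$subName</SubscriptionId>
  <SubscriptionType>CollectorInitiated</SubscriptionType>
  <Description>Security events from the domain controller for the ATA Gateway</Description>
  <Enabled>true</Enabled>
  <ConfigurationMode>Normal</ConfigurationMode>
  <Query><![CDATA[
    <QueryList>
      <Query Id="0" Path="Security">
        <Select Path="Security">*[System[($idFilter)]]</Select>
      </Query>
    </QueryList>
  ]]></Query>
  <ReadExistingEvents>false</ReadExistingEvents>
  <TransportName>HTTP</TransportName>
  <ContentFormat>RenderedText</ContentFormat>
  <Locale Language="en-US"/>
  <LogFile>ForwardedEvents</LogFile>
  <CredentialsType>Default</CredentialsType>
  <EventSources>
    <EventSource Enabled="true">
      <Address>$dcFqdn</Address>
    </EventSource>
  </EventSources>
</Subscription>
"@

$xmlPath = Join-Path $env:TEMP "$subName.xml"
$subscriptionXml | Set-Content -Path $xmlPath -Encoding UTF8

# Create the subscription (equivalent to Create Subscription in Event Viewer).
wecutil cs $xmlPath

# Check 1: runtime status; the source should be listed as Active. An access
# error here means the collector's account cannot read the DC's Security log
# (it must be allowed to, e.g. via the Event Log Readers group on the DC).
wecutil gr $subName

# Check 2: once the gateway and DCs have been restarted, the first forwarded
# events show up in the ForwardedEvents log with the DC as MachineName.
Get-WinEvent -LogName 'ForwardedEvents' -MaxEvents 10 |
    Select-Object TimeCreated, Id, MachineName, ProviderName |
    Format-Table -AutoSize
```

Keeping the subscription as a file also lets you diff the filter later: if someone widens it to the whole Security log, the gateway starts receiving far more than the seven event IDs ATA needs.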

Confirm ATA gateway configuration

To validate the correct operation, it is necessary to download and install Microsoft Network Monitor 3.4 on the ATA Gateway virtual machine. Be careful not to use any other software. The software can be downloaded from the following link.

https://www.microsoft.com/en-us/download/details.aspx?id=4865
Once downloaded, install the tool with the default options. Run the software after installation is complete. Check only the network capture card and click P-Mode. In Recent Captures, click New capture tab.

Capture tools

In Display Filter, enter KerberosV5 OR LDAP and click Apply. Click Start to capture traffic. Traffic from or to the domain controller should be present. If this is not the case, it is necessary to check the mirroring configuration (configuration of the network adapter in the Hyper-V Manager console).

Analyze traffic

If traffic is captured, you can move on to the next point to simulate an attack.

Simulate Attack

First we will try to list the AD domain information. The user account logged on to the machine is not a domain admin.
To do this, use the nslookup command followed by the AD domain name.

Simulate attack

Access was denied. A new entry is now present in the ATA console. On the ATA server, access the console by double-clicking the icon on the desktop.

Threats are present in ATA
