Tuesday, March 21, 2017

Using Microsoft Advanced Threat Analytics

Objective

After performing this lab you will better understand how to:
  • Configure and validate port-mirroring on Hyper-V
  • Validate the ATA service account
  • Read permissions to the Deleted Objects container for the ATAService user
  • Install the ATA Center
  • Install the ATA Gateway
  • Install the ATA Lightweight Gateway
  • Generate suspicious activity
  • Check the database collections that have been created

Scenario

This lab will walk you through the steps to successfully deploy Advanced Threat Analytics, including tasks to configure port mirroring and to generate suspicious activity.

Virtual Machines

  1. Win10_Client

Exercise 1 : Start the Virtual Machines

In this exercise you will:
  • Start the virtual machines

Scenario:  In this exercise you will start the virtual machines required for the rest of the lab.

VMs used in this exercise:  DC, DC2, ATACenter, ATAGateway, Client1

  1. Sign In to Host VM (Client)
    Sign in as Administrator (password: Passw0rd!).
  2. Open Hyper-V Manager
    On the host VM, open Hyper-V Manager.
  3. Start VMs
    Right-click each virtual machine, and then click Start.
Congratulations!

You have successfully:
  • Started the virtual machines

Click Continue to advance to the next exercise.

Exercise 2 : Configuring and Validating Port-Mirroring on Hyper-V

In this exercise you will:
  • Configure and validate port-mirroring on Hyper-V

Scenario:  In this exercise you will configure port mirroring on the DC and ATAGateway VMs. The DC will be configured as the source and the ATAGateway will be configured as the destination. This is required for ATA to see the network traffic to and from the domain controllers.

VMs used in this exercise:  ATAGateway, Client1

  1. Open Settings (DC)
    On host VM, in Hyper-V Manager, right-click the DC VM and click Settings.
    Configure Port Mirror on ATA- DC Server

    In steps 1 and 2, we will configure the domain controller to be the source of the port mirrored traffic.
  2. Configure Port Mirroring (Source)
    Expand the Network Adapter and select Advanced Features.   Scroll down to the Port mirroring section, change the setting to Source, and then click OK.
  3. Connect to VM (ATAGateway)
    Connect to the ATAGateway VM and logon as ATAGateway\Administrator using the password: Password!
    Configure Port Mirror on ATA- Gateway Server

    The ATA Gateway has two network adapters installed: one named Capture and one named Management. In steps 3 through 7, we will identify the MAC address of the Capture network adapter, and then in the settings of the VM we will enable port mirroring (destination) for the adapter with the same MAC address.
  4. Get MAC Address
    Open a PowerShell window and at the PS prompt type Get-NetAdapter -Name Capture and then press Enter.  Note the MAC Address of the network adapter.
    Get-NetAdapter -Name Capture
  5. Open VM Settings
    In the Virtual Machine Connection window, select File and Settings.  This will open the settings for the VM.
  6. Match MAC Address
    Expand the second Network Adapter and select Advanced Features.  Verify that the MAC address from PowerShell matches the MAC address listed.
  7. Configure Port Mirroring (Destination)
    Scroll down to the Port Mirroring section, change the setting to Destination, and then click OK.
  8. Connect to VM (Client1)
    Connect to the Client1 VM and logon as contoso\shalini using the password: Password!
    Validate Port Mirroring Functionality by Pinging the DC from Client1

    In steps 8 through 17, you will validate Port mirroring functionality.
  9. Ping DC
    Open a Command Prompt window, and at the prompt type:  Ping DC -t and then press Enter.  Leave the command prompt window open.
  10. Switch to ATAGateway VM
    Switch to the ATAGateway VM.
  11. Open Microsoft Network Monitor
    On the desktop, double-click the Microsoft Network Monitor 3.4 shortcut.
  12. Configure Network Capture (Select Networks)
    In the Microsoft Network Monitor 3.4 window, under Select Networks located on the bottom right, deselect all adapters except the Capture adapter.  The Capture network adapter should now be the only item selected.
  13. Configure Network Capture (Select Mode)
    With the Capture adapter selected (highlighted and checked), under Select Networks located on the bottom right of the window, click the P-Mode button.  This enables promiscuous mode on the Capture network adapter.
    (Note that after the ATA Gateway is installed, the NIC is already in P-mode.)
  14. Initiate New Capture
    Click New Capture.
  15. Set Filter Type
    In the Display Filter type ICMP and click Apply.
  16. Start Network Capture
    Click Start to start the network capture.  You should see the ping requests going from the client to the DC as well as the replies the DC sends back. This shows that port mirroring is configured properly.
  17. Close Network Monitor
    Close Network Monitor.  You do not need to save the capture.
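The same configuration and check, scripted for the Hyper-V host, as an added example that is not part of the original lab: it sets the DC adapter as the mirror source, finds the ATAGateway adapter whose MAC matches the guest's Capture NIC and sets it as the destination, then lists the resulting modes. It assumes the lab's VM names DC and ATAGateway and the MAC value read in step 4; the function name Set-AtaPortMirroring is mine.

```powershell
# Added example (not part of the lab). Run on the Hyper-V host; needs the Hyper-V module.
# $CaptureMac is the value Get-NetAdapter -Name Capture printed inside ATAGateway (step 4).
function Set-AtaPortMirroring {
    param(
        [string]$SourceVm      = 'DC',          # lab VM that is mirrored (the domain controller)
        [string]$DestinationVm = 'ATAGateway',  # lab VM that receives the mirrored traffic
        [Parameter(Mandatory)][string]$CaptureMac
    )
    # Hyper-V reports MACs without separators (00155D0A1B2C); normalise the guest's value.
    $mac = ($CaptureMac -replace '[-:]', '').ToUpper()

    # Step 2: the domain controller's adapter(s) become the mirror source.
    Get-VMNetworkAdapter -VMName $SourceVm | Set-VMNetworkAdapter -PortMirroring Source

    # Steps 6-7: only the ATAGateway adapter whose MAC matches the guest's Capture NIC
    # becomes the destination; the Management adapter must stay at None.
    $dest = Get-VMNetworkAdapter -VMName $DestinationVm | Where-Object { $_.MacAddress -eq $mac }
    if (-not $dest) {
        throw "No adapter on '$DestinationVm' has MAC $mac. Re-check Get-NetAdapter -Name Capture."
    }
    $dest | Set-VMNetworkAdapter -PortMirroring Destination

    # Verification: one line per adapter on both VMs with its resulting mirroring mode.
    Get-VMNetworkAdapter -VMName $SourceVm, $DestinationVm |
        Select-Object VMName, Name, MacAddress, PortMirroringMode
}

# Example call with a constructed MAC; use the value from step 4.
# Set-AtaPortMirroring -CaptureMac '00-15-5D-0A-1B-2C'
```

The ping test in steps 8 through 17 still applies afterwards; the listing only confirms the Hyper-V settings, not that traffic actually arrives on the Capture adapter.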
Congratulations!

You have successfully:
  • Configured and validated port-mirroring on Hyper-V

Click Continue to advance to the next exercise.

Exercise 3 : Validate ATA Service Account

In this exercise you will:
  • Validate the ATA service account

Scenario:  In this exercise you will validate that the ATA Gateway server can query the domain controllers via LDAP using the credentials of the user account that ATA will use. The ATA Gateway queries the domain controllers to retrieve information about users, computers, groups, and resources. If the ATA Gateway cannot successfully connect to any of the monitored domain controllers, the ATA Gateway service will not start.

We will create an LDAP connection from ATAGateway to DC using the following domain user: Contoso\ATAService. This user account is a standard user and is only a member of the Domain Users group. The ATA service account will need read access to all objects in the domains that will be monitored.

VM used in this exercise:  ATAGateway

  1. Run LDP.exe
    On the ATAGateway VM, run LDP.exe.  LDP is a GUI tool for Lightweight Directory Access Protocol (LDAP).
  2. Connect
    Click Connection and select Connect.   On the Connect dialog box, in the Server box, type DC.contoso.com and then click OK.   This will also confirm that name resolution on the ATA Gateway is working.
  3. Bind
    Click Connection and select Bind.  On the Bind dialog box, in the User box, type ataservice.  In the Password box, type: Password!  In the Domain box, type contoso.  Under Bind type, click to select Bind with credentials and then click OK.
  4. View Results
    In the main window you should see a message that you have been authenticated as Contoso\ATAService.  You can now browse the domain.
  5. Select BaseDN
    Select View Tree and in the BaseDN select DC=contoso,DC=com and then click OK.
  6. View Objects
    In the left pane, expand DC=contoso,DC=com to view the objects in the domain.
  7. Close LDP
    Close the LDP tool.
Congratulations!

You have successfully:
  • Validated the ATA service account

Click Continue to advance to the next exercise.

Exercise 4 : Assign Read Permissions to the Deleted Objects Container for the ATAService User

In this exercise you will:
  • Assign Read permissions to the Deleted Objects container for the ATAService user

Scenario:  ATA can detect when there has been a bulk deletion of objects in a domain. For ATA to be able to detect this, the user account used by ATA, in our lab Contoso\ATAService, needs read permissions to the Deleted Objects container.

Follow the steps in this exercise to assign the Contoso\ATAService user read permission to the Deleted Objects container.

VM used in this exercise:  DC

  1. Connect to VM (DC)
    Connect to the DC VM and logon as Contoso\administrator using the password: Password!
  2. Determine Ownership of Deleted Object Container
    Open a Command Prompt (Admin) window.  At the command prompt, type dsacls "CN=Deleted Objects,DC=Contoso,DC=com" /takeownership and press Enter to take ownership of the Deleted Objects container.
    dsacls "CN=Deleted Objects,DC=Contoso,DC=com" /takeownership
  3. Grant Permissions
    At the command prompt, type dsacls "CN=Deleted Objects,DC=Contoso,DC=com" /G CONTOSO\ATAService:LCRP and press Enter to grant the ATAService account permission to view the objects.
    dsacls "CN=Deleted Objects,DC=Contoso,DC=com" /G CONTOSO\ATAService:LCRP
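A scripted version of the LDP checks from Exercise 3 (bind as ATAService and read the domain head) that also verifies the grant just made in this exercise (list the Deleted Objects container), as an added example that is not part of the original lab. It runs on ATAGateway and assumes the lab's names DC.contoso.com, contoso\ATAService and DC=contoso,DC=com; the function name Test-AtaServiceAccount is mine.

```powershell
# Added example (not part of the lab). Uses the .NET LDAP client that LDP also builds on.
Add-Type -AssemblyName System.DirectoryServices.Protocols

function Test-AtaServiceAccount {
    param(
        [string]$Server   = 'DC.contoso.com',
        [string]$Domain   = 'contoso',
        [string]$UserName = 'ATAService',
        [Parameter(Mandatory)][System.Security.SecureString]$Password,
        [string]$DomainDn = 'DC=contoso,DC=com'
    )
    $ns   = 'System.DirectoryServices.Protocols'
    $id   = New-Object "$ns.LdapDirectoryIdentifier" -ArgumentList $Server, 389
    $cred = New-Object System.Net.NetworkCredential -ArgumentList $UserName, $Password, $Domain
    $conn = New-Object "$ns.LdapConnection" -ArgumentList $id, $cred
    # Negotiate (Kerberos/NTLM) with signing and sealing keeps the password off the wire.
    # A Simple bind sends it in clear text, which is exactly what ATA later raises as
    # "Sensitive Account Credentials Exposed" in Exercise 8.
    $conn.AuthType = [System.DirectoryServices.Protocols.AuthType]::Negotiate
    $conn.SessionOptions.Signing = $true
    $conn.SessionOptions.Sealing = $true
    $conn.Bind()   # throws LdapException if the credentials are wrong

    $result = [ordered]@{ Bind = "OK as $Domain\$UserName"; DomainHead = ''; DeletedObjects = '' }
    try {
        # Exercise 3, steps 5-6: read the domain head, as "View Tree" does in LDP.
        $req = New-Object "$ns.SearchRequest"
        $req.DistinguishedName = $DomainDn
        $req.Filter = '(objectClass=*)'
        $req.Scope  = [System.DirectoryServices.Protocols.SearchScope]::Base
        [void]$req.Attributes.Add('distinguishedName')
        $resp = $conn.SendRequest($req)
        $result.DomainHead = $resp.Entries[0].DistinguishedName

        # Exercise 4: list tombstones under CN=Deleted Objects. The ShowDeleted control
        # makes the DC return them; the LCRP grant makes the container readable at all.
        try {
            $req = New-Object "$ns.SearchRequest"
            $req.DistinguishedName = "CN=Deleted Objects,$DomainDn"
            $req.Filter = '(isDeleted=TRUE)'
            $req.Scope  = [System.DirectoryServices.Protocols.SearchScope]::OneLevel
            [void]$req.Attributes.Add('distinguishedName')
            [void]$req.Controls.Add((New-Object "$ns.ShowDeletedControl"))
            $resp = $conn.SendRequest($req)
            $result.DeletedObjects = "readable, $($resp.Entries.Count) tombstone(s) visible"
        } catch [System.DirectoryServices.Protocols.DirectoryOperationException] {
            # A container the account may not list comes back as an LDAP error
            # (typically NoSuchObject), not as an empty result.
            $result.DeletedObjects = "NOT readable: $($_.Exception.Response.ResultCode)"
        }
    } finally {
        $conn.Dispose()
    }
    [pscustomobject]$result
}

# Example call; the password is prompted for rather than embedded in the script.
# Test-AtaServiceAccount -Password (Read-Host 'ATAService password' -AsSecureString)
```

Running it before and after the dsacls grant shows the DeletedObjects field change from an error to a readable count.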
Congratulations!

You have successfully:
  • Assigned Read permissions to the Deleted Objects container for the ATAService user

Click Continue to advance to the next exercise.

Exercise 5 : Installing ATA Center

In this exercise you will:
  • Install the ATA Center

Scenario:  We are now ready to start the deployment of ATA. The first step is to install the ATA Center and to configure the domain connectivity settings. In this exercise we will select the option to use self-signed certificates; in production environments you should use certificates issued by an internal CA.

VMs used in this exercise:  DC, ATACenter

  1. Connect to VM (ATACenter)
    Open the ATACenter VM and logon as Contoso\Administrator using the password: Password!
    Configure Domain Connectivity Settings

    In steps 1 through 9, you will perform the steps required to configure domain connectivity settings.
  2. Initiate ATA Center Setup
    Browse to C:\Install and double-click Microsoft ATA Center Setup.exe to launch the ATA Center setup.  Note:  Be patient...this will take a while to start.
  3. Select Language
    Select the installation language and click Next.
  4. Accept Software License
    Read the EULA and select I accept the Microsoft Software License Terms and click Next.
  5. Set Installation Path and Database Data Path
    On the ATA Center Configuration settings dialog box, leave the default settings for the Installation Path and Database Data Path. In production deployments you will probably have a separate drive to store the database files.  For the ATA Center Service IP Address: Port, select 10.1.1.5 and port 443.  For the ATA Center Service SSL Certificate, select Create self-signed certificate.   For the ATA Console IP Address, select 10.1.1.6.   Click Install to start the installation.
    • The ATA Center Service IP address is used by the ATA Gateways to communicate with the ATA Center and the ATA Console IP address is used by IIS and is how you connect to interact with ATA Console.  During the installation of the ATA Gateway, the ATA Gateway will register with the ATA Center using the ATA Console IP address over port 443.
    • If you only have one IP address, you can modify the port number used by the ATA Center Service. The ATA Console will always use port 443.
  6. Open ATA Console Web Page
    After the installation has completed successfully, click Launch to open the ATA Console web page.
  7. Continue to Website
    Click Continue to this website (not recommended).  At the login screen you can login with either the local administrator’s credential or as a member of the domain admins group.  Only users who are members of the local group Administrators, Microsoft Advanced Threat Analytics Administrators, Microsoft Advanced Threat Analytics Users, or Microsoft Advanced Threat Analytics Viewers may login to the ATA console.
  8. Logon to ATA Console
    Logon as contoso\administrator using the password: Password!  It will take a while for the main connectivity settings page to appear.
  9. Set Connection Credentials
    In the Username box, type ATAService and in the Password box, type: Password!  In the Domain box, type contoso.com and then click Test Connection.  If the test returns Connection succeeded, click Save.  Note: A message appears indicating that the ATA Center service is stopped. This is expected, as changes to some settings require the ATA Center service to restart.
  10. Connect to VM (DC)
    Connect to the DC VM and logon as Contoso\administrator using the password: Password!
    Configure a HoneyToken User

    The HoneyToken user is a user account that should have no activity.  You will configure it in steps 10 through 14.
  11. Get Honeytoken User SID
    We need the SID for the honeytoken user. A honeytoken user already exists in the domain, named Fake Admin (contoso\admin).  Open PowerShell, type Get-ADUser Admin and then press Enter to get the SID for this user.
    Get-ADUser Admin
  12. Copy User SID
    Copy the SID for the Fake Admin account.
  13. Switch to ATACenter VM
    Switch to the ATACenter VM.
  14. Paste User SID
    On the ATA Console window, click Settings under Detection and paste the SID for the Fake Admin account in HoneyToken account SIDs.   Click the plus sign and then click Save.  We are now ready to install the ATA Gateway.
Congratulations!

You have successfully:
  • Installed the ATA Center

Click Continue to advance to the next exercise.

Exercise 6 : Install ATA Gateway

In this exercise you will:
  • Install the ATA Gateway

Scenario:  After installing the ATA Center and configuring the Domain connectivity settings, we are ready to install the ATA Gateway.  Just to recap, we have already configured and tested port mirroring, verified that the user account configured in the Domain connectivity settings can perform the required LDAP queries, and granted that account access to the Deleted Objects container.

VM used in this exercise:  ATAGateway

  1. Connect to VM (ATA Gateway)
    Open the ATA Gateway and login as the same account used to login to the ATA Center (Contoso\Administrator; password: Password!).  This user should have local administrative rights.
    Download the ATA Gateway Setup Package

    In steps 1 through 7, you will perform the steps necessary to download the ATA Gateway Setup package.
  2. Open ATA Center
    Open Internet Explorer and browse to the ATA Center at https://10.1.1.6.   Click Continue to this website (not recommended) if your SSL certificates are not trusted.
  3. Logon to ATA Center
    Logon to the ATA Console.
  4. Open Configuration Pane
    Click the settings icon (three dots on the top right) and then select Configuration.
  5. Download ATA Gateway Setup
    Click Gateways under System.  Click Download ATA Gateway Setup and select Save As to save the file locally.
  6. Open Download Folder
    After the download has completed click Open folder.
  7. Extract All
    Right-click the Microsoft ATA Gateway Setup.zip file and select Extract All.  Click Extract.  Important: Do not install the ATA Gateway from within the Zip file. You must extract the files before starting the installation.
  8. Initiate ATA Gateway Installation
    Browse to the folder where you extracted the contents of the zip file.  Double-click the Microsoft ATA Gateway Setup.exe file and click Run in the Open File – Security Warning dialog box. Select Accept and Install on the .NET Framework dialog box.
    Install the ATA Gateway Setup Package

    In steps 8 through 13, you will perform the steps necessary to install the ATA Gateway Setup package.
  9. Select Installation Language
    Select the installation language and click Next.
  10. Set ATA Gateway Deployment Type
    On the ATA Gateway deployment type dialog box, choose the default option of ATA Gateway and select Next.
  11. Configure Gateway
    In the ATA Gateway Configuration section, select Create self-signed certificate.   In the ATA Gateway Registration section, in the Username box type contoso\administrator,  in the Password box type Password! and then click the Install button.
  12. Launch Gateway Configuration
    After the installation completes click the Launch button or go back to Internet Explorer.
  13. Continue to Website
    In Internet Explorer, click Continue to this website (not recommended).
  14. Open Configuration Pane
    In the ATA Console click on the settings icon (three dots on the top right) and select Configuration.
    Configure the ATA Gateway Setup Package

    In steps 14 through 20, you will perform the steps necessary to configure the ATA Gateway Setup package.
  15. Confirm Gateway Configuration State
    Click Gateways under System.  You will see the ATA Gateway that was just installed and is in a Not Configured state.
  16. Open Gateway Settings
    Click the new gateway.
  17. Configure ATAGateway
    In the Port Mirrored Domain Controllers (FQDN) box, type DC.contoso.com and then click the plus sign.  For Capture network adapters select Capture and click Save.
  18. Verify Service
    Open the Services console to verify that the Microsoft Advanced Threat Analytics Gateway service is Running.
    The first time the service starts, it will take a few minutes to start and will remain in the Starting state until then.
  19. View Microsoft.Tri.Gateway-Errors.log File
    If the service does not start, check the Microsoft.Tri.Gateway-Errors.log file, which is located by default in C:\Program Files\Microsoft Advanced Threat Analytics\Gateway\Logs. You can rename the existing file; a new file will be created automatically if any new errors occur.  Note: Until you configure the ATA Gateway in the ATA Console, this log will contain an error that you can ignore.
  20. Check Synchronization Status
    After the Gateway service has started, check that user and computer profiles have been synced from AD by searching for a user in the ATA Console.  ATA builds a profile for each user and computer in the network. In the user profile, ATA displays general information such as group membership, recent logins, and recently accessed resources.
Congratulations!

You have successfully:
  • Installed the ATA Gateway

Click Continue to advance to the next exercise.

Exercise 7 : Install Lightweight Gateway

In this exercise you will:
  • Install a Lightweight Gateway

Scenario:  ATA 1.6 introduced the Lightweight Gateway. The ATA Lightweight Gateway is installed directly on the domain controllers and monitors their traffic directly, without the need for a dedicated server or the configuration of port mirroring. It is an alternative to the ATA Gateway.

VM used in this exercise:  DC2

  1. Connect to VM (DC2)
    Open the DC2 VM and login as the same user you logged in with to the ATA Center (Contoso\Administrator).  This user should have local administrative rights.
    Download the ATA Gateway Setup Package

    In steps 1 through 7, you will perform the steps necessary to download the ATA Gateway Setup package.
  2. Open ATA Center
    Open Internet Explorer and browse to the ATA Center at https://10.1.1.6.   Click Continue to this website (not recommended) if your SSL certificates are not trusted.
  3. Logon to ATA Center
    Logon to the ATA Console.
  4. Open Configuration Pane
    Click the settings icon (three dots on the top right) and then select Configuration.
  5. Download ATA Gateway Setup
    Click Gateways under System.  Click Download ATA Gateway Setup and select Save As to save the file locally.
  6. Open Download Folder
    After the download has completed click Open folder.
  7. Extract All
    Right-click the Microsoft ATA Gateway Setup.zip file and select Extract All.  Click Extract.  Important: Do not install the ATA Gateway from within the Zip file. You must extract the files before starting the installation.
  8. Initiate ATA Lightweight Gateway Installation
    Browse to the folder where you extracted the contents of the zip file.  Double-click the Microsoft ATA Gateway Setup.exe file and click Run in the Open File – Security Warning dialog box. Select Accept and Install on the .NET Framework dialog box.
    Install the ATA Lightweight Gateway Setup Package

    In steps 8 through 13, you will perform the steps necessary to install the ATA Lightweight Gateway Setup package.
  9. Select Installation Language
    Select the installation language and click Next.
  10. Set ATA Gateway Deployment Type
    On the ATA Gateway deployment type dialog box, choose the default option of ATA Lightweight Gateway and select Next.
  11. Configure Gateway
    In the ATA Gateway Configuration section, select Create self-signed certificate.   In the ATA Gateway Registration section, in the Username box type contoso\administrator,  in the Password box type Password! and then click the Install button.
  12. Complete Installation
    Click Finish to complete the installation.
  13. Verify Service
    Open the Services console to verify that the Microsoft Advanced Threat Analytics Gateway service is Running.
    The first time the service starts, it will take a few minutes to start and will remain in the Starting state until then.
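The service check from Exercise 6 (steps 18 and 19) and from step 13 here, scripted as an added example that is not part of the original lab: it waits for the gateway service to leave the Starting state and, if it does not reach Running, returns the newest entries of the errors log. The log path is the Exercise 6 default; it is assumed that the Lightweight Gateway on DC2 writes to the same path, and the function names are mine.

```powershell
# Added example (not part of the lab). Run on ATAGateway or DC2 after installation.
function Test-AtaGatewayService {
    param(
        [string]$DisplayName = 'Microsoft Advanced Threat Analytics Gateway',
        # Exercise 6 default log location; assumed identical for the Lightweight Gateway.
        [string]$ErrorLog    = 'C:\Program Files\Microsoft Advanced Threat Analytics\Gateway\Logs\Microsoft.Tri.Gateway-Errors.log',
        [int]$TimeoutMinutes = 5,
        [int]$TailLines      = 20
    )
    $svc = Get-Service -DisplayName $DisplayName -ErrorAction Stop
    $deadline = (Get-Date).AddMinutes($TimeoutMinutes)
    # The first start can sit in StartPending ("Starting" in the Services console) for minutes.
    while ($svc.Status -eq 'StartPending' -and (Get-Date) -lt $deadline) {
        Start-Sleep -Seconds 15
        $svc.Refresh()
    }
    $report = [ordered]@{ Service = $svc.Name; Status = [string]$svc.Status; RecentErrors = @() }
    if ($svc.Status -ne 'Running' -and (Test-Path -LiteralPath $ErrorLog)) {
        # Newest entries only. Errors logged before the gateway was configured in the
        # ATA Console are expected and can be ignored (Exercise 6, step 19).
        $report.RecentErrors = Get-Content -LiteralPath $ErrorLog -Tail $TailLines
    }
    [pscustomobject]$report
}

# Rotates the log as Exercise 6 step 19 suggests, so the next run only shows new errors.
function Reset-AtaGatewayErrorLog {
    param([string]$ErrorLog = 'C:\Program Files\Microsoft Advanced Threat Analytics\Gateway\Logs\Microsoft.Tri.Gateway-Errors.log')
    if (Test-Path -LiteralPath $ErrorLog) {
        $stamp = Get-Date -Format 'yyyyMMdd-HHmmss'
        Rename-Item -LiteralPath $ErrorLog -NewName "Microsoft.Tri.Gateway-Errors.$stamp.log"
    }
}

# Example: Reset-AtaGatewayErrorLog; Restart-Service -DisplayName 'Microsoft Advanced Threat Analytics Gateway'; Test-AtaGatewayService
```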
Congratulations!

You have successfully:
  • Installed a Lightweight Gateway

Click Continue to advance to the next exercise.

Exercise 8 : Generate Suspicious Activity

In this exercise you will:
  • Generate suspicious activity

Scenario:  In this exercise we will generate a number of suspicious activities to validate that ATA is working as expected. The attacks shown are deterministic. It is not possible to demonstrate detections made by the ATA machine learning algorithm live as those scenarios require ATA to observe the network for at least 21 days of activity by a minimum of 50 users to establish a behavioral baseline against which to compare suspicious activity.

Important:  Make sure the ATA Gateway service has started before starting this exercise.

VMs used in this exercise:  DC, ATACenter, Client1

  1. Connect to VM (Client1)
    Connect to Client1 and logon as contoso\shalini using the password: Password!
    DNS Zone Transfer

    In steps 1 through 11, you will view suspicious activity generated by DNS Zone Transfer activity.
  2. Run NSLookup
    Open a Command Prompt window, and at the command prompt type nslookup and then press Enter.  At the prompt, type ls contoso.com and then press Enter. At the prompt, type Exit and then press Enter to exit the nslookup tool.
  3. Connect to VM (ATACenter)
    Switch back to the ATACenter VM.
  4. Open Attack Time Line
    Click the Attack Time Line icon on the toolbar.   Optionally you can browse to http://10.1.1.6 from the Client1 VM.
  5. View Suspicious Activity
    You should see a Reconnaissance Using DNS suspicious activity.
  6. View Details
    Click Details to view additional information about the activity.
  7. View Client1 Details
    Click Client1 to view additional information about the offending PC.  Note the recommendations given to investigate this alert.
  8. Connect to VM (Client1)
    Switch to the Client1 VM.
  9. Run NSLookup
    On Client1 VM, at the command prompt type nslookup and then press Enter.  At the prompt, type ls fabrikam.com and then press Enter. Each time you run nslookup it will generate an instance of suspicious activity.
  10. Connect to VM (ATACenter)
    Switch to the ATACenter VM.
  11. View Suspicious Activity
    On the ATA Center VM, you should see that suspicious activity has been updated.  Check the details of the suspicious activity again.
  12. Connect to VM (Client1)
    Switch to Client1. 
    Administrator Password in Clear Text

    In steps 12 through 18, you will view suspicious activity generated as a result of an administrator password being transmitted in clear text.
  13. Run LDP.exe
    On the Client1 VM, run LDP.exe
  14. Connect
    Click Connection and select Connect.   On the Connect dialog box, in the Server box, type DC.contoso.com and then click OK.  
  15. Bind
    Click Connection and select Bind.  On the Bind dialog box, in the User box, type contoso\administrator.  In the Password box, type: Password!  In the Domain box, type contoso.  Under Bind type, click to select Simple Bind and then click OK.
  16. View Results
    In the content pane you should see a message that you have been authenticated as contoso\administrator.  Close LDP.
  17. Connect to VM (ATACenter)
    Switch to the ATACenter VM.
  18. View Suspicious Activity
    On the ATA Center VM check the attack timeline for an alert on Sensitive Account Credentials Exposed.
  19. Connect to VM (Client1)
    Switch to the Client1 VM.
    Login with HoneyToken User

    In steps 19 through 23, you will view suspicious activity generated as a result of HoneyToken activity.
  20. Log Off VM (Client1)
    Log off of Client1 VM.
  21. Log On
    Logon as contoso\admin using the password ATAATAATA.  Note: Login will fail since that is not the correct password.
  22. Connect to VM (ATACenter)
    Switch to the ATACenter VM.
  23. View Suspicious Activity
    Check the ATA Console attack timeline for HoneyToken Activity.
  24. Connect to VM (DC)
    Switch to the DC VM.
    Delete Large Number of Objects

    In steps 24 through 27, you will view suspicious activity generated as a result of the deletion of a large number of objects.
  25. Delete User Objects
    Click the DSA icon on the desktop.  Browse to the User Accounts OU and select all the users in the OU and delete them.  Click Yes to confirm deletion.
  26. Connect to VM (ATACenter)
    Switch to the ATACenter VM.
  27. View Suspicious Activity
    Check the ATA console attack timeline for Massive Object Deletion Alert.
    Be patient: it may take a few minutes for AD to replicate the changes that were made and for the alert to show up in the attack timeline.
  28. Connect to VM (Client1)
    Connect to Client1 and logon as contoso\shalini using the password: Password!  If prompted, change the password to something you will remember.
    Remote Execution

    In steps 28 through 32, you will view ATA Alerts generated as a result of remote execution of processes against DC.
  29. Open Command Prompt
    Open a Command Prompt and change directory to c:\sysinternals.
    c:\sysinternals
  30. Perform Remote Execution
    At the command prompt type psexec \\dc "notepad" and then press Enter.
    psexec \\dc "notepad"
  31. Connect to VM (ATACenter)
    Switch to the ATACenter VM.
  32. View Suspicious Activity
    Check the ATA console attack timeline for Remote Execution attempt alert.
Congratulations!

You have successfully:
  • Generated suspicious activity

Click Continue to advance to the next exercise.

Exercise 9 : Check the Database Collections That Have Been Created

In this exercise you will:
  • Check the database collections that have been created

VM used in this exercise:  ATACenter
  1. Start Robomongo
    On Client1 VM, click Start.  Type robo.  Click Robomongo.  Note: Robomongo is a free GUI utility for MongoDB.
  2. Create Connection
    Click Create.  Enter ATA for the Name field.  Click Save.
  3. Connect
    Select the ATA Connection.  Click Connect.
  4. View Collection Data
    Expand ATA.  Expand Collections.   Starting in 1.6, all collections are created during the installation process.  You can view the content of the collections by using a third-party tool such as Robomongo.
Congratulations!

You have successfully:
  • Checked the database collections that have been created

Click Continue to close and finalize this lab.

1 comment:

Rowelli Jorden said...

It was an amazing series on threat analytics. I found this article very helpful, and it provides complete information on Advanced Threat Analytics. Thanks for sharing.