Friday, December 22, 2017

Advanced Threat Analytics–Attack Simulation and Demo – Part1

Friday, December 22, 2017 2:00 AM  Unknown  17 comments

Advanced Threat Analytics–Attack Simulation and Demo–Part2
Advanced Threat Analytics–Attack Simulation and Demo–Part3
Microsoft Advanced Threat Analytics (ATA) is an user and entity behavior analytics solution to identify and protect protect organizations from advanced targeted attacks (APTs).  You can read more information about Microsoft Advanced Threat Analytics (ATA) here.  The purpose of this blog is to provide a few methods which can be used to simulate and demonstrate some of the basic attacks for demo and testing purpose.
Suspicious Activity Simulation #1 – ATA Gateway Stopped Communicating 
We will start with the most obvious one! – ATA communication issue.   In this scenario, I am using ATA Light Weight Gateway(LWGW).  In this case Microsoft Advanced Threat Analytics Gateway (ATAGateway) service should be running on Domain Controllers. 
To simulate this scenario,
  1. Identify all Domain Controllers from the forest/domain. You can use the following DSQUERY command to get all DCs from the domain.  
    • DsQuery Server -Forest
  2. Stop the ATAGateway service remotely
    • Here are a few scripts -  Script1 or Script2 or Script3 – if you want to go a script based approach
    • Or we can use a simple SC command – SC \\Lab-DC01 stop ATAGateway
    • image
You will receive the following high alert – ATA Gateway Stopped Communicating – in Health Center. 
image
Suspicious Activity Simulation #2Honey Token Account Activities
In general, the Honey Token accounts are non-interactive accounts.  These accounts can be dummy accounts for detect malicious activities.
To simulate this scenario,
  1. Create two 2 user accounts in Active Directory (ATA-Test1 and ATA-Test2)
  2. Add ATA-Test2 to Domain Admins group
  3. Get the SID of ATA-Test1 and ATA-Test2 using PowerShell or DSQUERY command
    • dsquery * -filter (samaccountname=ata-test1) -attr objectsid (Reference)
    • Get-ADUser Ata-test1 -Properties objectSID (Reference)
  4. Add this SID as Honey token accounts (ATA Console –> Configuration –> Detection –> Honeytoken Account SIDs). Save the configuration. 
  5. image
  6. Establish an integrative logon session using these accounts. You can RDP into a machine use these accounts
Honey Token accounts (non-sensitive)
You will receive the following alert/email with recommended actions in the ATA console. 
image
Honey Token accounts (Sensitive)
Since ATA-Test2 account is a domain admin account, you will receive the same alert with "Sensitive (S )" indicating that this account is a high privileged account in Active Directory. 
image
Suspicious Activity Simulation #3 – Massive Object Deletion
Bulk object deletion can be a suspicious activity in an Active Directory environment.  ATA can alert alert you based on massive object deletion activities. 
To simulate this scenario,
  1. Create a few users in Active directory. Here is a sample PowerShell  script which you can use to create test accounts in Active Directory
Clear
Import-module activedirectory
$pass = ConvertTo-SecureString "MyPassword0!" –asplaintext –force
for ($i=0;$i -lt 100;$i++)
{
$accountname = "Test-Account$i"
Write-Host "Creating $accountname" -NoNewline
New-ADUser –SamAccountName $accountname –name $accountname -OtherAttributes @{'description'="ATA Test User Account"} -Path "OU=Test Accounts,OU=User Accounts,DC=labanddemo,DC=com"
Set-ADAccountPassword –identity $accountname –NewPassword $pass
Write-Host "...Done"
}
  1. Make sure ATA is "learned" about these account.
  2. image
  3. Delete these accounts from Active Directory 
You will receive the Massive Object Deletion alert in the ATA console right away as shown below. 
image
Suspicious Activity Simulation #4 - Reconnaissance using DNS
The DNS or name resolution information in a network would be  useful reconnaissance information. In general, DNS data contains a list of all the servers and workstations and the mapping to their IP addresses. Verifying this  information may provide attackers with a detailed view of the environment allowing attackers to focus their efforts on the relevant entities. 
For this simulation, the plan is to perform a DNS zone lookup using NSLOOKUP LS command. 
To simulate this scenario,
  1. Logon to a remote server. 
  2. Open Command Prompt and run NSLOOKUP command
  3. From the NSLOOKUP window, run LS command to list the DNS zone
image
You will receive the following Reconnaissance using DNS alert the ATA console. 
image
Advanced Threat Analytics–Attack Simulation and Demo–Part2
Advanced Threat Analytics–Attack Simulation and Demo–Part3

Posted in:
Reactions: 

17 comments:

Hi Santhosh, Sanjay here. I just wanted to say that over the years you've been sharing helpful info and helping people learn more about AD, please keep up the good work. Last week I wrote a post titled A Few Notable Names in Active Directory, and you're on the list :-)

Alright then, keep up the good work Santhosh!


Best wishes, Sanjay

I think this should be the best replica watch I have ever bought.Best UK Swiss watches I share this website with my friends. They are very happy, the price is so cheap,Fake rolex Watches and I can buy such a good watch.

I am sure that on https://resume-chief.com/blog/teacher-resume you can learn a lot about teacher resume. It means a lot if you want to achieve success

Those ESL assignment writing services have an advantage of hiring the best English language coursework writing service company that is familiar with ESL assignment help services for their English Language Writing Services.

That’s a nice article, thank you for a great article. It helped me a lot. Keep it up Must Visit Epson Printer belgie

I am really enjoying your site.It’s simple, yet effective, thank you for this article.Now I have to share some information about How To Fix “mcafee Antivirus” problem. If you have any problem rearding Mcafee so click on this site:mcafee antivirus nummer belgie

I like your blog.You have done Excellent work. I appreciate.Here I want to inform all of you if you are looking for to resolve your Norton Antivirus problems,so you are in right place.we always available for your support.So whenever you need any help so just click on this link- norton Antivirus ondersteuningsnummer

I’m really impressed with your writing skills and also with the layout on your blog it's Very interesting to read.Now Here i would llike to share some information about HP Printer If you are facing any problem relate to your HP Printer's we wil resolve your queries at sam time.For any help please visit on our website:hp printer contact belgie

Excellent post. I certainly appreciate this website.Keep writing.well here if you want to Overcome the issues of Avast antivirus.Pick the Best Assistance over our site to resolve your queries.Visit us :avast antivirus ondersteuning

hi, your post is very helpful for me. Finally, I found exactly what i want. If need information regarding printers then you can visit our site Xerox Printer ondersteuning for help.

hi, Your post is very helpful for me, If you want to know more about antivirus then you can visit our site Canon Printer contacteren for help.


hi, Your post is very helpful for me,finally i got exactly what I want. If you want to know more about antivirus then you can visit our site Bitdefender belgie help.


Commenting as lilyloo180@gmail.com
Comment as:

hi, Your post is very helpful for me, finally i found exactly what i want , If you want to know more about antivirus then you can visit our site Kaspersky antivirus nummer for help.

When you setup or connect your HP printer with your PC framework, the extremely essential thing you need is the unaffected HP printer driver to hard with the printing procedure. Like the vast majority of the minimal gadgets or machines, HP printer likewise requires reasonable drivers first to introduce inside your framework so as to perform. Be that as it may, you can without much of a stretch download and introduce printer driver from 123.com.setup .However, you can generally have the decision to physically download the driver and after that introduce it in your PC framework.

Writing in style and getting good compliments on the article is hard enough, to be honest, but you did it so calmly and with such a great feeling and got the job done. This item is owned with style and I give it a nice compliment. Better!
Cyber Security Training in Bangalore

The effectiveness of IEEE Project Domains depends very much on the situation in which they are applied. In order to further improve IEEE Final Year

Project Domains practices we need to explicitly describe and utilise our knowledge about software domains of software engineering Final Year Project

Domains for CSE technologies. This paper suggests a modelling formalism for supporting systematic reuse of software engineering technologies

during planning of software projects and improvement programmes in Final Year Projects for CSE.



Software management seeks for decision support to identify technologies like JavaScript that meet best the goals and characteristics of a software

project or improvement programme. JavaScript Training in

Chennai Accessible experiences and repositories that effectively guide that technology selection are still lacking.



Aim of technology domain analysis is to describe the class of context situations (e.g., kinds of JavaScript software projects) in which a software

engineering technology JavaScript Training in Chennai can be applied successfully



The Angular Training covers a wide range of topics including Components, Angular Directives, Angular Services, Pipes, security fundamentals, Routing,

and Angular programmability. The new Angular TRaining will lay the foundation you need to specialise in Single Page Application developer. Angular Training

Post a Comment

Popular Posts

Share

Twitter Delicious Facebook Digg Stumbleupon Favorites More