Latest news: 1.8 private review – public preview March – GA planned for April 2017
What’s new in ATA version 1.8
New & updated detections
- NEW! Abnormal modification of sensitive groups – As part of the privilege escalation phase, attackers modify groups with high privileges to gain access to sensitive resources. ATA now detects when there’s an abnormal change in an elevated group.
- NEW! Suspicious authentication failures (Behavioral brute force) – Attackers attempt to brute force credentials to compromise accounts. ATA now raises an alert when an abnormal failed authentication behavior is detected.
- NEW! Remote execution attempt – WMI exec – Attackers can attempt to control your network by running code remotely on your domain controller. ATA added detection for remote execution leveraging WMI methods to run code remotely.Reconnaissance using directory services queries– In ATA 1.8, a learning algorithm was added to this detection allowing ATA to detect reconnaissance attempts against a single sensitive entity and improve the results for generic reconnaissance.
- Kerberos Golden Ticket activity – ATA 1.8 includes an additional technique to detect golden ticket attacks, detecting time anomalies for Kerberos tickets.
- Enhancements to some detections, to remove known false positives:
- Privilege escalation detection (forged PAC)
- Encryption downgrade activity (Skeleton Key)
- Unusual protocol implementation
- Broken trust
- NEW! More actions can be made to suspicious activities during the triage process.
- Exclude some entities from raising future suspicious activities. Prevent ATA from alerting when it detects benign true positives (i.e. an admin running remote code or using nslookup) or known false positives (don’t open a Pass-The-Ticket alert on a specific IP).
- Suppress a reoccurring suspicious activity from alerting.
- Delete suspicious activities from the timeline.
- A more efficient triage – The suspicious activities time line has gone through a major process of re-design. In 1.8, a lot more suspicious activities will be visible at the same time, and will contain better information for triage and investigation purposes.
- NEW! Summary report. An option to see all the summarized data from ATA, including suspicious activities, health issues and more. It’s possible to define a reoccurring report.
- NEW! Modification to sensitive groups report to see all the changes made in sensitive groups during a certain period.
- Lightweight Gateways can now read events locally, without configuring event forwarding
- Feature flags were added for all detection, periodic tasks and monitoring alerts
- Accessibility ramp up – ATA now stands with Microsoft in providing an accessible product, for everyone.
- E-mail configuration for monitoring alerts and for suspicious activities are separated
- NEW! Single sign on for ATA management.
- Gateway and Lightweight gateway silent installation scripts will use the logged on user’s context, without the need to provide credentials.
- Local System privileges removed from Gateway process
- You can now use virtual accounts (available on stand-alone GWs only), managed service accounts and group managed service accounts to run the ATA Gateway process.
- Auditing logs for ATA Center and Gateways were added and all actions are now logged in the event viewer.Added support for KSP Certificates
Current version: 1.7
ATA on Technet: https://technet.microsoft.com/en-us/library/dn707706.aspx
ATA deployment demo: https://www.youtube.com/watch?v=xvWJssUpU6w
Powershell windows forensics: https://github.com/Invoke-IR/PowerForensics
Powershell windows forensics: https://github.com/gfoss/PSRecon
Powershell windows forensics: https://github.com/davehull/Kansa