Welcome! Microsoft Tech Talks - Charlotte, NC

Agenda
6:00pm Food & Social/Networking
6:25pm Welcome/Kickoff
6:30pm Speakers: Mark Bias & Darol Timberlake
7:15-7:30pm (estimate) Break
8:15pm Final Thoughts

Facilities
Restrooms: In the lobby, follow the short hallway between the two elevators; the restrooms are on the right.
WiFi: The Microsoft campus has WiFi Internet. MSFTGUEST is the SSID; once you connect, launch your favorite web browser and agree to the Terms and Conditions. Code: msevent404jc

What are Microsoft Tech Talks?
- Technical Community Events (founded by the CIP Program)
- Deep Microsoft-technology based discussions and an opportunity to network / bring the technical community together
- Opportunity to evangelize, promote and sell Microsoft Products and Services
- Flagship Technical Community event for the Community Immersion program
- Role-model for other events and communities
Over 3400 members!!

Location Information Links:
http://www.meetup.com/mttcharlotte
http://www.meetup.com/mtttempe
http://www.meetup.com/mttsocal
http://www.meetup.com/mttlasvegas
http://www.meetup.com/mttpacwest
http://www.meetup.com/mttdetroit
http://www.meetup.com/mttnorcal
http://www.meetup.com/mttatlanta
https://www.meetup.com/mttnewyork

Next Microsoft Tech Events
March 29, 2018 - Setting up Windows 10 AutoPilot: http://aka.ms/MTTCharlotteMarch (registration link is active)
April 26, 2018 - Troubleshooting Windows Application for the IT Admin: http://aka.ms/MTTCharlotteApril (link not active yet)
Stay informed: go to http://www.meetup.com/mttcharlotte
Survey
Your feedback is appreciated! Microsoft Tech Talks February Event: https://aka.ms/charlottesurvey

PPT Files Location
Microsoft Tech Talks February Event file location: https://aka.ms/grabit

Mitigating and Detecting Credential Theft with SLAM & ATA
Mark Bias & Darol Timberlake, Enterprise Services

Presentation Agenda
- Understanding Credential Theft Attacks
- Mitigating Pass-the-Hash and Lateral Account Movement
- ATA Overview
- Configuration
- Suspicious Alert Discussion

Role of directory and identity in security
Foundation of security assurances for all information assets in the organization:
- Authenticates all user and computer accounts within the on-premises Active Directory infrastructure
- Centralized delegation and authorization mechanism for many resources
- Modern cyberattackers actively target directories to get intellectual property and corporate assets

What is credential theft, and why is it important?
Credential theft is a technique in which an attacker captures account credentials from a compromised computer. The attacker then uses these credentials to authenticate to and access other network resources.
Why is it important? Once the attacker gets in, credential theft is the technique they use to spread their access throughout the network.

Typical attack timeline and observations
(Slide diagram: First Host Compromised; Research & Preparation, 24-48 Hours; Domain Admin Compromised; Data Exfiltration (Attacker Undetected); Attack Discovered, +8 months.)
- Attack Sophistication: Attack operators will exploit any weakness. They target information on any device or service.
- Attacks not detected: Current detection tools miss most attacks. You may be under attack (or compromised).
- Exploiting Credentials: On-premises Active Directory controls access to business assets. Attackers commonly target AD DS and IT Admins.
- Response and Recovery: Response requires advanced expertise and tools. Expensive and challenging to successfully recover from.

Understanding credential theft attacks

Pass-the-hash (PtH)
The What: PtH allows an attacker to authenticate to a remote server/service by using the underlying NTLM and/or LAN Manager hash (LMHash) of a user's password, instead of requiring the associated plaintext password as is normally the case. The attacker uses a tool to replace their username/hash with the target account's hash in memory. Tools to do this are freely available on the web!
The How:
1. Attacker sends a spear phishing email and gets access to a system
2. Once on the system, the attacker uses tools to grab hashes of logged-on users or the local admin
3. Attacker moves laterally to a PC where a domain admin logs in
4. Attacker grabs the domain admin's hash

Pass-the-ticket (PtT)
The What: PtT allows an attacker to extract an existing, valid Kerberos ticket from one machine and pass it to another one to gain access to resources as that user. The attacker grabs the TGT or TGS from the target user and replaces it in memory, then accesses resources as the user.
The How:
1. Attacker sends a spear phishing email and gets access to a system
2. Attacker uses a hacking tool to grab the user's TGT/TGS
3. Attacker then authenticates to resources as the user
4. Attacker can act as the user and exfiltrate data, etc. All activity appears to be from that user
5. If a domain admin is found, the attacker can access anything on the network as domain admin
Golden tickets and silver tickets
The What: There's more: a Golden Ticket is a homemade ticket. It's done with a lot of effort and a key. A golden ticket is a forged TGT with a longer lifespan. Typically, a TGT has a 10 hour lifetime, but the attacker can forge one with a 10 year lifetime. The attacker can also change group membership, SID and user name. It's not made by the KDC, so:
- It's not limited by GPO or other settings ;)
- You can push whatever you want inside
- It's smartcard independent (sorry CISO)
A silver ticket is a forged service ticket.
Once the TGT is forged, Kerberos does not need to complete KRB_AS_REQ or KRB_AS_REP, essentially skipping steps 1 and 2, the authentication portion with the Domain Controller.

Overpass-the-hash
The What: OtH is a hacking technique that allows an attacker to use the NTLM hash to obtain a valid user Kerberos ticket request. The user key (the NTLM hash when using RC4) is used to encrypt the pre-authentication and first data requests.
The How:
1. Attacker sends a spear phishing email and gets access to a system
2. Attacker uses a hacking tool to grab the user hash and generates a Kerberos request
3. Attacker then authenticates to resources as the user
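One defender-side check that follows from the golden ticket slide: a legitimate TGT lives for the policy lifetime (10 hours by default), while a forged one is commonly minted for years, so a cached TGT whose lifetime is out of policy is worth an investigation. The script below is an added example, not part of the deck; it parses klist output (assumed layout: "Start Time: M/d/yyyy H:mm:ss (local)") and takes the policy lifetime as a parameter because a domain may set something other than the default. The sample klist text is constructed, not captured from a real host.

```powershell
# Added example, not from the deck: parse klist output and flag Kerberos TGTs whose
# lifetime exceeds the domain's Kerberos policy. Assumptions: klist.exe's
# "Start Time: M/d/yyyy H:mm:ss (local)" layout; the policy value is a parameter
# because the domain may set something other than the 10-hour default.

function Get-KerberosTicketLifetime {
    param(
        [string[]]$KlistOutput = (klist.exe 2>$null),          # defaults to this session's ticket cache
        [timespan]$MaxTgtLifetime = [timespan]::FromHours(10)  # Kerberos policy "Maximum lifetime for user ticket"
    )
    $fmt     = 'M/d/yyyy H:mm:ss'
    $culture = [cultureinfo]::InvariantCulture
    $tickets = @()
    $current = $null
    foreach ($line in $KlistOutput) {
        if ($line -match '^#\d+>\s+Client:\s*(.+)$') {
            if ($current) { $tickets += $current }
            $current = @{ Client = $Matches[1].Trim(); Server = ''; Start = $null; End = $null }
        }
        elseif ($current -and $line -match '^\s*Server:\s*(.+)$') {
            $current.Server = $Matches[1].Trim()
        }
        elseif ($current -and $line -match '^\s*Start Time:\s*(\S+ \S+)') {
            $current.Start = [datetime]::ParseExact($Matches[1], $fmt, $culture)
        }
        elseif ($current -and $line -match '^\s*End Time:\s*(\S+ \S+)') {
            $current.End = [datetime]::ParseExact($Matches[1], $fmt, $culture)
        }
    }
    if ($current) { $tickets += $current }

    foreach ($t in $tickets) {
        $isTgt = $t.Server -like 'krbtgt/*'
        $life  = if ($t.Start -and $t.End) { $t.End - $t.Start } else { $null }
        [pscustomobject]@{
            Client     = $t.Client
            Server     = $t.Server
            Lifetime   = $life
            IsTgt      = $isTgt
            # Only TGTs are compared against the user-ticket policy; service tickets have their own lifetime.
            Suspicious = $isTgt -and $life -ne $null -and $life -gt $MaxTgtLifetime
        }
    }
}

# Constructed sample (not captured from a real host): one normal 10-hour TGT and one
# TGT with a ten-year lifetime of the kind the Golden Ticket slide describes.
$sample = @'
#0>     Client: alice @ CONTOSO.LOCAL
        Server: krbtgt/CONTOSO.LOCAL @ CONTOSO.LOCAL
        KerbTicket Encryption Type: AES-256-CTS-HMAC-SHA1-96
        Start Time: 2/22/2018 9:00:00 (local)
        End Time:   2/22/2018 19:00:00 (local)
        Renew Time: 3/1/2018 9:00:00 (local)

#1>     Client: alice @ CONTOSO.LOCAL
        Server: krbtgt/CONTOSO.LOCAL @ CONTOSO.LOCAL
        KerbTicket Encryption Type: RSADSI RC4-HMAC(NT)
        Start Time: 2/22/2018 9:05:00 (local)
        End Time:   2/20/2028 9:05:00 (local)
        Renew Time: 2/20/2028 9:05:00 (local)
'@ -split "`r?`n"

Get-KerberosTicketLifetime -KlistOutput $sample | Format-Table -AutoSize
```

Run without `-KlistOutput` it inspects the current session's cache; in the constructed sample only ticket #1 comes back with `Suspicious = True`. ATA raises its own Golden ticket alert from DC traffic (see the Detected Threats list later in the deck); this host-side check is a complement for triage, not a replacement.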
Mitigating Pass-the-Hash and Lateral Account Movement

Restrict and protect high privileged domain accounts
Restrict domain administrator accounts and other privileged accounts from authenticating to lower trust servers and workstations. Provide admins with accounts to perform administrative duties that are separate from their normal user accounts. An attacker cannot steal credentials for an account if the credentials are never used on the compromised computer. Using these mitigations significantly reduces the risk of attackers compromising privileged accounts.
- Assign dedicated workstations for administrative tasks.
- Mark privileged accounts as "sensitive and cannot be delegated" in Active Directory.
- Do not configure services or scheduled tasks to use privileged domain accounts.

(Slides: Restrict Privileged Domain Accounts from Authenticating to Lower Tiers; Dedicated Privileged Access Workstations (PAW); Kerberos Delegation Overview; Account is sensitive and cannot be delegated.)

Restrict and protect local accounts with administrative privileges
Restrict the ability of attackers to use administrative local accounts for lateral movement PtH attacks. Enforce the restrictions that prevent local accounts from being used for remote administration. An attacker who successfully obtains local account credentials from a compromised computer will not be able to use those credentials to perform lateral movement on the organization's network.
- Explicitly deny network and Remote Desktop logon rights for all administrative local accounts.
- Create unique passwords for local accounts with administrative privileges.

Restrict Local Security Groups
NT AUTHORITY\Local account (S-1-5-113) is added to the user's access token at the time of logon if the user account being authenticated is a local account. NT AUTHORITY\Local account and member of Administrators group (S-1-5-114) is also added to the token if the local account is a member of BUILTIN\Administrators. These SIDs can grant or deny access to all local accounts or all administrative local accounts, for example in User Rights Assignments for "Deny access to this computer from the network" and "Deny log on through Remote Desktop Services", as we recommend in our latest security guidance. Prior to the definition of these SIDs, you would have had to explicitly name each local account to be restricted to achieve the same effect.

(Slide: Access Token Group Membership.)

Local Administrator Password Solution (LAPS)

LAPS Overview
- Provides IT Administrators with the ability to randomize local administrator passwords, and to do so independently on each domain-joined computer, so that there isn't a common password across multiple computers
- Provides the IT Administrator with the ability to manage the password of a local Administrator account on domain-joined computers
- Uses a GPO-managed client side extension to change a local Administrator account's password to a new random value periodically
- The local Administrator's password is stored in Active Directory in a confidential attribute of the computer object
- A Domain Administrator can grant the right to read and also reset the passwords stored in AD to designated users or groups
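The three mitigations above (privileged accounts marked as not delegable, no services running as domain accounts on lower-tier hosts, and the S-1-5-113 / S-1-5-114 SIDs in the two "Deny" user rights) can each be audited from a management host. The script below is an added example and not part of the deck; it assumes the RSAT ActiveDirectory module, and the group, OU and host names are placeholders for the organization's own. The deny-rights check reads the effective policy that secedit exports, so it must run elevated on the host being checked.

```powershell
# Added example, not from the deck: audit three of the mitigations above.
# Assumptions: RSAT ActiveDirectory module present; group and host names are placeholders.
Import-Module ActiveDirectory

function Get-PrivilegedDelegationStatus {
    # Mitigation: privileged accounts marked "Account is sensitive and cannot be delegated".
    param([string[]]$PrivilegedGroups = @('Domain Admins', 'Enterprise Admins', 'Administrators'))
    foreach ($group in $PrivilegedGroups) {
        Get-ADGroupMember -Identity $group -Recursive |
            Where-Object objectClass -eq 'user' |
            Get-ADUser -Properties AccountNotDelegated |
            Select-Object SamAccountName,
                          @{n='Group';     e={ $group }},
                          @{n='Protected'; e={ [bool]$_.AccountNotDelegated }}
    }
    # Remediation for any row with Protected = False:
    #   Set-ADUser -Identity <SamAccountName> -AccountNotDelegated $true
}

function Get-ServicesUsingDomainAccounts {
    # Mitigation: no services running as domain accounts on lower-tier hosts.
    # A service identity in DOMAIN\user or UPN form on a workstation is a finding to review.
    param([string]$ComputerName = $env:COMPUTERNAME, [string]$DomainNetbios = $env:USERDOMAIN)
    Get-CimInstance -ClassName Win32_Service -ComputerName $ComputerName |
        Where-Object { $_.StartName -like "$DomainNetbios\*" -or $_.StartName -like '*@*' } |
        Select-Object @{n='Host'; e={ $ComputerName }}, Name, StartName, State
}

function Test-LocalAccountDenyRights {
    # Mitigation: S-1-5-113 / S-1-5-114 present in "Deny access to this computer from the
    # network" and "Deny log on through Remote Desktop Services" on this host.
    $inf = Join-Path $env:TEMP 'userrights.inf'
    secedit.exe /export /cfg $inf /areas USER_RIGHTS | Out-Null
    $lines = Get-Content $inf
    Remove-Item $inf -ErrorAction SilentlyContinue
    foreach ($right in 'SeDenyNetworkLogonRight', 'SeDenyRemoteInteractiveLogonRight') {
        # Exported form: SeDenyNetworkLogonRight = *S-1-5-113,*S-1-5-114
        $entry = $lines | Where-Object { $_ -match "^$right\s*=" } | Select-Object -First 1
        $sids  = @()
        if ($entry) {
            $sids = @(($entry -split '=', 2)[1] -split ',' | ForEach-Object { $_.Trim().TrimStart('*') })
        }
        [pscustomobject]@{
            Right         = $right
            LocalAccounts = $sids -contains 'S-1-5-113'   # NT AUTHORITY\Local account
            LocalAdmins   = $sids -contains 'S-1-5-114'   # NT AUTHORITY\Local account and member of Administrators group
        }
    }
}

# Example usage (placeholder workstation name):
Get-PrivilegedDelegationStatus | Where-Object { -not $_.Protected }
Get-ServicesUsingDomainAccounts -ComputerName 'ws0042'
Test-LocalAccountDenyRights
```

Any row with `Protected = False`, any service on a workstation running under a domain identity, or a `False` in the deny-rights output is a gap against the slides' recommendations. In practice the deny rights are delivered by GPO; this check confirms what actually landed on the host.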
LAPS Configuration
1. Extend the Schema with two new Computer attributes (using PowerShell): ms-MCSAdmPwd, ms-MCSAdmPwdExpirationTime
2. Configure permissions (using PowerShell):
   - Computer rights (write passwords)
   - User rights (read / reset passwords)
3. Create and configure a new GPO from the LAPS template:
   - Admin account selection
   - Password settings: Complexity, Length, Age
4. Install Client (Client Side Extension CSE DLL)
5. Link LAPS GPO to OU with managed machines
6. Refresh GPO on managed machines
7. Verify password change and uniqueness
(Slide diagram: Active Directory holding the two attributes, the LAPS GPO, and managed clients #1-#4.)

Password Change Process
1. Group Policy refresh triggers CSE
2. CSE reads ms-MCSAdmPwdExpirationTime
   - Checks if it is time to change the password
   - If not, the process is finished
3. CSE generates a new random password and keeps it in memory only
4. CSE writes the password to ms-MCSAdmPwd
5. CSE writes/commits the password locally
6. CSE updates ms-MCSAdmPwdExpirationTime
   - Adds the number of days configured in the LAPS GPO (Age) to the current time and writes it into the attribute
Note: Connectivity to AD is ensured before issuing the reset; this prevents issues if machines fall off the domain and had a password mismatch.
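Steps 1, 2 and 7 of the LAPS configuration above can be done from PowerShell with the AdmPwd.PS module that ships with LAPS; steps 3 to 6 (the GPO from the LAPS template, the CSE install and the link/refresh) are done in Group Policy and are not shown. The script below is an added example, not the deck's or the LAPS product's own script; the OU path and group names are placeholders. The verification function answers step 7 directly: every managed computer must have a password stored, no two computers may share one, and none should be past its expiration time.

```powershell
# Added example, not from the deck: LAPS steps 1, 2 and 7 via the AdmPwd.PS module.
# Assumptions: AdmPwd.PS and RSAT ActiveDirectory modules installed on this host;
# the OU and group names below are placeholders.
Import-Module AdmPwd.PS
Import-Module ActiveDirectory

$managedOu  = 'OU=Workstations,DC=contoso,DC=local'   # placeholder OU holding the managed machines
$readersGrp = 'CONTOSO\Helpdesk-LAPS-Readers'         # placeholder: who may read passwords
$resetGrp   = 'CONTOSO\Workstation-Admins'            # placeholder: who may force a reset

# Step 1: schema extension adds the password and expiration-time attributes to the
# Computer class (the ms-MCSAdmPwd / ms-MCSAdmPwdExpirationTime attributes on the slides).
# Requires Schema Admins membership; run once per forest.
Update-AdmPwdADSchema

# Step 2: computers in the OU may write their own password and expiry (step 4/6 of the
# change process); only the named groups may read or reset.
Set-AdmPwdComputerSelfPermission  -OrgUnit $managedOu
Set-AdmPwdReadPasswordPermission  -OrgUnit $managedOu -AllowedPrincipals $readersGrp
Set-AdmPwdResetPasswordPermission -OrgUnit $managedOu -AllowedPrincipals $resetGrp

# Step 7: once the GPO is linked and refreshed, verify change and uniqueness.
function Test-LapsPasswordUniqueness {
    param([string]$OrgUnit)
    # Get-AdmPwdPassword returns ComputerName, Password and ExpirationTimestamp
    # for each computer the caller is allowed to read.
    $entries = @(Get-ADComputer -SearchBase $OrgUnit -Filter * |
                 ForEach-Object { Get-AdmPwdPassword -ComputerName $_.Name })
    $missing    = @($entries | Where-Object { -not $_.Password })
    $duplicates = @($entries | Where-Object { $_.Password } |
                    Group-Object -Property Password | Where-Object { $_.Count -gt 1 })
    $expired    = @($entries | Where-Object {
                        $_.ExpirationTimestamp -and $_.ExpirationTimestamp -lt (Get-Date) })
    [pscustomobject]@{
        Managed          = $entries.Count
        MissingPassword  = $missing.Count
        DuplicateSets    = $duplicates.Count
        PastExpiration   = $expired.Count
        DuplicateHosts   = ($duplicates | ForEach-Object { $_.Group.ComputerName -join ',' })
    }
}

Test-LapsPasswordUniqueness -OrgUnit $managedOu
```

A non-zero `MissingPassword` usually means the CSE has not run on those machines yet (GPO not linked or not refreshed); a non-zero `DuplicateSets` means the imaged password is still in place on more than one host, which is exactly the shared-local-admin-password condition LAPS exists to remove. Run the verification with an account in the reader group, since the password attribute is confidential in AD.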
(Slide diagram: LAPS password change process between the client CSE and the Active Directory attributes ms-MCSAdmPwd and ms-MCSAdmPwdExpirationTime, with the step numbers above.)

Restrict inbound traffic using the Windows Firewall
Restrict attackers initiating lateral movement from a compromised workstation by blocking inbound connections on all other workstations with the local Windows Firewall. Enabling this mitigation will prevent an attacker from connecting to other workstations on the network using any type of stolen credentials.
- Restrict all inbound connections to all workstations except for those with expected traffic originating from trusted sources such as helpdesk workstations, security compliance scanners and management servers.
- Applications that do not directly accept authentication credentials may also be allowed through the Windows firewall without incurring the risks of credential theft and reuse.

(Slide diagram: three tiers, Power: Domain Controllers; Servers and Applications; Access: Users and Workstations, with Logon arrows between the tiers and a Data tier.)

Credential Theft Mitigation Strategy Recap
1. Privilege Elevation (Credential Partitioning)
   1 - Restrict domain administrator accounts and other privileged accounts from authenticating to lower trust servers and workstations
   2 - Provide admins with accounts to perform administrative duties that are separate from their normal user accounts
   3 - Assign dedicated workstations for administrative tasks
2. Lateral Traversal - Local Accounts
   1 - Deny access to computers from the network & deny logon through terminal services to all local accounts (S-1-5-114 & S-1-5-113)
   2 - Have unique passwords for local accounts with administrative privileges
   3 - Restrict inbound traffic using Windows Firewall
   4 - UAC & LocalAccountTokenFilterPolicy
3. Lateral Traversal - Domain Accounts
   - Do not configure services or scheduled tasks to use privileged domain accounts on lower trust systems, such as user workstations
4. Application and Service Risks
   1 - Applications can still be installed on Domain Controllers (IIS Web, SQL Database)
   2 - If infected, the application service / task should not be allowed to compromise sensitive accounts or Domain Controllers
Keep in mind that bad guys target individual computers & users, but these mitigations make it much harder to:
- Have a powerful list of all credentials and which machines they are used on
- Steal accounts
- Do anything with stolen Domain credentials
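Two of the local-account items in the recap (restrict inbound traffic with the Windows Firewall, and UAC with LocalAccountTokenFilterPolicy) map to a handful of host settings. The script below is an added example, not from the deck: it applies the default-deny inbound posture with allow rules only from trusted source subnets (the subnets are placeholders), lists any remaining inbound allow rules that accept connections from anywhere, and reports whether LocalAccountTokenFilterPolicy leaves UAC's remote token filtering in place. In production these rules would be delivered by GPO rather than set per host; this is the per-host form of the same configuration.

```powershell
# Added example, not from the deck: workstation-side settings for "Restrict inbound
# traffic using the Windows Firewall" and the "UAC & LocalAccountTokenFilterPolicy" item.
# Assumptions: the helpdesk / management subnets are placeholders; run elevated.

$trustedSources = @('10.10.5.0/24', '10.10.9.0/24')   # placeholder: helpdesk + management subnets

function Set-WorkstationInboundRestriction {
    param([string[]]$TrustedSources)
    # Default-deny inbound on every profile; outbound is left allowed.
    Set-NetFirewallProfile -Profile Domain, Private, Public -Enabled True -DefaultInboundAction Block
    # Allow only the expected remote-administration traffic, and only from the trusted sources.
    New-NetFirewallRule -DisplayName 'Mgmt - RDP from trusted sources'   -Direction Inbound -Protocol TCP -LocalPort 3389       -RemoteAddress $TrustedSources -Action Allow
    New-NetFirewallRule -DisplayName 'Mgmt - WinRM from trusted sources' -Direction Inbound -Protocol TCP -LocalPort 5985, 5986 -RemoteAddress $TrustedSources -Action Allow
    New-NetFirewallRule -DisplayName 'Mgmt - SMB from trusted sources'   -Direction Inbound -Protocol TCP -LocalPort 445        -RemoteAddress $TrustedSources -Action Allow
}

function Get-InboundAllowRulesFromAnywhere {
    # Enabled inbound allow rules whose remote address is "Any" are the ones that
    # undo the mitigation; each should be justified (e.g. an app that takes no credentials).
    Get-NetFirewallRule -Direction Inbound -Action Allow -Enabled True |
        Where-Object { ($_ | Get-NetFirewallAddressFilter).RemoteAddress -eq 'Any' } |
        Select-Object DisplayName, Profile
}

function Test-LocalAccountTokenFilterPolicy {
    $key   = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
    $value = (Get-ItemProperty -Path $key -Name LocalAccountTokenFilterPolicy -ErrorAction SilentlyContinue).LocalAccountTokenFilterPolicy
    [pscustomobject]@{
        Value = $value
        # Absent or 0: a local administrator connecting over the network gets a filtered,
        # non-admin token (UAC remote restrictions). 1: the full admin token is granted
        # remotely, which is what lateral movement with a stolen local-admin credential relies on.
        RemoteUacFilteringActive = ($value -ne 1)
    }
}

Set-WorkstationInboundRestriction -TrustedSources $trustedSources
Get-InboundAllowRulesFromAnywhere
Test-LocalAccountTokenFilterPolicy
```

Note that the built-in local Administrator account (RID 500) is not subject to UAC remote filtering regardless of this value, which is one more reason the deck pairs this item with LAPS and the S-1-5-114 deny rights rather than relying on it alone.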
Additional Credential Theft Mitigation Recommendations
- Patch, Patch, PATCH all network connected devices
- Disable Legacy Protocols
  -Windows Digest
  -NTLM
- Modern Operating Systems
  -Credential Guard
  -Remote Credential Guard
  -Device Guard
- Authentication Policies and Silos
  -Protected Users group
- Just Enough Administration (JEA)
  -RBAC Model for PowerShell
- Service Account Delegation
  -Leverage built-in service accounts
  -Managed Service Accounts
  -Delegate LUA permissions

Security, Identity and Cybersecurity Services

Microsoft Advanced Threat Analytics (ATA)
Technical Overview

What Is Microsoft Advanced Threat Analytics?
User and Entity Behavior Analytics (UEBA):
- Monitors behaviors of users and other entities by using multiple data sources
- Profiles behavior and detects anomalies by using machine learning algorithms
- Evaluates the activity of users and other entities to detect advanced attacks
Enterprises successfully use UEBA to detect malicious and abusive behavior that otherwise went unnoticed by existing security monitoring systems, such as SIEM and DLP. (SIEM: Security Information and Event Management; DLP: data loss prevention.)

Behavior Analytics In Practice
Credit card companies monitor cardholders' behavior. By observing purchases, they learn what is typical behavior for each buyer. If there is any abnormal activity, they will notify the cardholder to verify the charge.

Microsoft Advanced Threat Analytics
An on-premises platform to identify advanced security attacks before they cause damage. Microsoft Advanced Threat Analytics brings the behavioral analytics concept to IT and the organization's users: behavioral analytics, detection for known attacks and issues, and advanced threat detection. (Slide diagram also shows an "Email attachment" example.)

Advanced Threat Analytics: Differentiating Factors
It is fast and reliable:
- No need to create rules, thresholds, or baselines
- Straightforward and fast deployment
- Takes advantage of unique data sources, combining entity-contextual deep packet inspection (DPI) and logs
- Consistent learning and abnormal behavior identification
- Detection of human and non-human service accounts
- Network name resolution
It provides clear information and is innovative:
- Functional, clear, and actionable attack timeline that shows the who, what, when, and how in near real time
- Patented technology
- Combines deterministic and machine learning based algorithms

Detected Threats
Reconnaissance and brute force suspicious activities:
- Reconnaissance using DNS
- Reconnaissance using Directory Services Enumeration
- Reconnaissance using account enumeration
- Net session enumeration
- Brute force attacks (LDAP, Kerberos)
Identity theft suspicious activities:
- Forged PAC (MS14-068)
- Pass-the-ticket
- Golden ticket
- Pass-the-hash
- Over-Pass-the-hash
- Remote execution
- Unusual protocol implementation
- Skeleton key
- Malicious DPAPI Request
- MS11-013 Elevation of Privilege
Abnormal behavior suspicious activities:
- Abnormal behavior based on authentication, authorization, and working hours (machine learning algorithm)
- Abnormal modification of sensitive groups
- Massive object deletion
Security issues:
- Sensitive account exposed in plain text authentication
- Service exposing accounts in plain text authentication
- Broken trust
- Honey token account suspicious activity

How Does ATA Work?

How Microsoft Advanced Threat Analytics Works - 1 Analyze
After installation:
- Simple, non-intrusive port-mirroring configuration copies all Active Directory-related traffic
- Remains invisible to the attackers
- Analyzes all on-premises Active Directory traffic
- Collects relevant events from SIEM and other sources
Note: the ATA Lightweight Gateway uses an agent rather than port mirroring.

How Microsoft Advanced Threat Analytics Works - 2 Learn
ATA:
- Automatically starts learning and profiling entity behavior
- Identifies normal behavior for entities
- Learns continuously to update the activities of the users, devices, and resources
What is an entity? An entity represents users, devices, or resources.

How Microsoft Advanced Threat Analytics Works - 3 Detect
Microsoft Advanced Threat Analytics:
- Looks for abnormal behavior and identifies suspicious activities
- Only raises red flags if abnormal activities are contextually aggregated
- Uses world-class security research to detect known attacks and security issues (regional or global)
ATA not only compares the entity's behavior to its own, but also to the behavior of other entities in the environment.

How Microsoft Advanced Threat Analytics Works - 4 Alert
- ATA reports all suspicious activities on a simple, functional, usable attack timeline
- ATA identifies Who? What? When? How?
- For each suspicious activity, ATA provides recommendations for the investigation and remediation

ATA Technical Overview

The ATA Center
- Manages ATA Gateway configuration settings
- Receives data from ATA Gateways and stores it in the database
- Detects suspicious activity and abnormal behavior (machine learning)
- Provides the web management interface (ATA Analyst Console)
- Supports multiple gateways
- Optional: Can be configured to send emails and generate events when a suspicious activity is detected

Topology: ATA Gateway
- Captures and inspects domain controller network traffic via port mirroring
- Listens to multiple domain controllers from multiple domains on a single gateway
- Transfers relevant data to the ATA Center
- Retrieves data about entities from the on-premises Active Directory domain
- Performs resolution of network entities (users, groups and computers)
- Receives Windows events from security information and event management (SIEM) or Syslog servers, or from DCs by using Windows Event Forwarding
(Slide diagram: ATA Gateway between the DCs, file server and SIEM on one side and the ATA Center with its database on the other.)

Topology: ATA Lightweight Gateway
- Installed locally on light or branch-site Domain Controllers
- Analyzes all the traffic for a specific DC
- Provides dynamic resource limitation
- Retrieves data about entities from the on-premises Active Directory domain
- Performs resolution of network entities (users, groups and computers)
- Transfers relevant data to the ATA Center
(Slide diagram: DC1-DC4 with ATA Lightweight Gateways reporting to the ATA Center and its DB; file server and SIEM alongside.)

ATA Requirements

AD DS requirements
- No software required on the DCs (except if deploying the Lightweight Gateway)
- DCs running Windows Server 2008 or newer
- User account and password with read access to all objects in the domains that will be monitored. If there are custom Access Control Lists (ACLs) on various Organizational Units (OU) in the domain (such as list object mode), make sure that the selected user has read permissions to those OUs.
- Optional: The user should have read-only permissions on the Deleted Objects container. This will allow ATA to detect bulk deletion of objects in the domain.
- Optional: A user account for a user that is not used and therefore has no network activities. This account will be configured as the ATA Honeytoken user and will be monitored for potential attack use.

ATA Center requirements
OS: Windows Server 2012 R2 and the latest updates are recommended.
Hardware: The number of DCs you are monitoring and the load on each of the DCs dictates the hardware requirements. See ATA Sizing later in the module.
BIOS: The ATA database requires that you DISABLE Non-uniform memory access (NUMA) in the BIOS.
Networking: 1 Network Adapter, 1 IP address.
Certificates: Web Server Certificate for the ATA Console (HTTPS).
Time synchronization: The ATA Center server and the ATA Gateway server must have time synchronized to within 5 minutes of each other.
ATA Center network port requirements

Protocol | Transport | Port | To/From | Direction
SSL (ATA Communications) | TCP | 443 | ATA Gateway | Inbound
HTTP (optional) | TCP | 80 | Company Network | Inbound
HTTPS | TCP | 443 | Company Network and ATA Gateway | Inbound
SMTP (optional) | TCP | 25 | SMTP Server | Outbound
SMTPS (optional) | TCP | 465 | SMTP Server | Outbound
Syslog (optional) | TCP | 514 | Syslog server | Outbound
LDAP | TCP and UDP | 389 | Domain controllers | Outbound
LDAPS (optional) | TCP | 636 | Domain controllers | Outbound
DNS | TCP and UDP | 53 | DNS servers | Outbound
Kerberos (optional if domain joined) | TCP and UDP | 88 | Domain controllers | Outbound
Netlogon (optional if domain joined) | TCP and UDP | 445 | Domain controllers | Outbound
Windows Time (optional if domain joined) | UDP | 123 | Domain controllers | Outbound
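Before installing the Center, the outbound rows of the table and the 5-minute time-sync requirement can be verified from the Center host. The script below is an added example, not from the deck: host names are placeholders, only TCP reachability is tested (Test-NetConnection does not probe UDP, so the UDP-only Windows Time row is covered by asking w32tm for the offset instead), and the inbound rows (443/80 from gateways and the company network) have to be tested from a gateway or client toward the Center, which is the same function run the other way.

```powershell
# Added example, not from the deck: check the outbound ATA Center port requirements
# and the time-sync requirement. Assumptions: placeholder host names; TCP-only port
# tests; w32tm's "/stripchart ... /dataonly" output line "hh:mm:ss, +00.0123456s".

function Test-AtaCenterOutboundPorts {
    param(
        [string[]]$DomainControllers,
        [string]$DnsServer,
        [string]$SmtpServer   = $null,   # optional rows in the table
        [string]$SyslogServer = $null
    )
    $checks = @()
    foreach ($dc in $DomainControllers) {
        # LDAP, LDAPS, Kerberos, Netlogon rows (TCP side only)
        foreach ($port in 389, 636, 88, 445) { $checks += [pscustomobject]@{ Target = $dc; Port = $port } }
    }
    $checks += [pscustomobject]@{ Target = $DnsServer; Port = 53 }
    if ($SmtpServer)   { $checks += [pscustomobject]@{ Target = $SmtpServer;   Port = 25 } }
    if ($SyslogServer) { $checks += [pscustomobject]@{ Target = $SyslogServer; Port = 514 } }

    foreach ($c in $checks) {
        $r = Test-NetConnection -ComputerName $c.Target -Port $c.Port -WarningAction SilentlyContinue
        [pscustomobject]@{ Target = $c.Target; Port = $c.Port; TcpOpen = [bool]$r.TcpTestSucceeded }
    }
}

function Test-AtaTimeSkew {
    # Offset between this host's clock and each named computer (DCs and gateways);
    # the deck requires the Center and Gateways to be within 5 minutes.
    param([string[]]$Computers, [int]$MaxSkewSeconds = 300)
    foreach ($c in $Computers) {
        $line = w32tm.exe /stripchart /computer:$c /samples:1 /dataonly 2>$null | Select-Object -Last 1
        $skew = if ($line -match ',\s*([+-]?\d+\.\d+)s') { [double]$Matches[1] } else { $null }   # null = no answer on UDP 123
        [pscustomobject]@{
            Computer    = $c
            SkewSeconds = $skew
            WithinLimit = ($skew -ne $null) -and ([math]::Abs($skew) -le $MaxSkewSeconds)
        }
    }
}

# Example usage with placeholder names:
Test-AtaCenterOutboundPorts -DomainControllers 'dc1.contoso.local', 'dc2.contoso.local' -DnsServer 'dc1.contoso.local' |
    Where-Object { -not $_.TcpOpen }
Test-AtaTimeSkew -Computers 'dc1.contoso.local', 'ata-gw1.contoso.local'
```

Anything listed by the first call is a port the network team still has to open; a `WithinLimit = False` (or a null skew) from the second is worth fixing before installation, since the Center-to-Gateway channel on 443 is certificate-based and a clock far out of sync will fail that handshake as well as the Kerberos rows.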
ATA capacity planning
How do you plan ATA sizing?
- ATA sizing is all about the amount of network traffic that is being analyzed
- Everything equates to the amount of CPU, RAM and disk needed for the ATA Center and Gateway roles
- ATA analyzes all traffic going to/from the DC, which dictates the number of gateways that you are required to deploy to support your customer's infrastructure
- ATA only keeps data that is considered suspicious activity
Special Note: User and Entity Behavior Analytics (UEBA) - ATA requires approximately 30 days to determine UEBA (TechNet says minimally)

ATA Center sizing
The recommended and simplest way to determine capacity for your ATA deployment is to use the ATA Sizing Tool. Alternatively, gather the packets/sec counter information from all DCs for 24 hours with a low collection interval (5 seconds) and calculate the daily average and the busiest period (15 minutes) average.

Packets per second* | CPU (cores**) | Memory (GB) | Database storage per day (GB) | Database storage per month (GB) | IOPS***
1,000 | 2 | 32 | 0.3 | 9 | 30 (100)
40,000 | 4 | 48 | 12 | 360 | 500 (750)
200,000 | 8 | 64 | 60 | 1,800 | 1,000 (1,500)
400,000 | 12 | 96 | 120 | 3,600 | 2,000 (2,500)
750,000 | 24 | 112 | 225 | 6,750 | 2,500 (3,000)
1,000,000 | 40 | 128 | 300 | 9,000 | 4,000 (5,000)
* Total daily average number of packets-per-second from all domain controllers being monitored by all ATA Gateways.
** This includes physical cores, not hyper-threaded cores.

ATA Center sizing notes
- The ATA Center can handle an aggregated maximum of 1,000,000 frames per second (FPS) from all the monitored DCs.
- The amounts of storage in the sizing table are net values; you should always account for future growth and make sure that the disk the database resides on has at least 20% free space.
- ATA will automatically remove captured network data older than 30 days.

ATA Gateway requirements
Power Settings: For optimal performance, set the Power Option of the ATA Gateway to High Performance.
Time Synchronization: The ATA Center server and the ATA Gateway server must have time synchronized to within 5 minutes of each other.
Networking: 2 or more NICs
- Management Adapter: will be used for communications on the company network
- Capture Adapter: will be used to capture traffic to and from the DCs. ATA uses port mirroring to capture traffic to and from the DC; this will require discussion with the customer's network team.
- Configure a static non-routable IP address on the capture adapter with no default gateway and no DNS server addresses. For example, 184.108.40.206/32 will ensure that the capture network adapter can capture the maximum amount of traffic and that the management network adapter is used to send and receive the required network traffic.
Components installed during setup:
- ATA Gateway Service
- Microsoft Visual C++ 2013 Redistributable
- .NET Framework 4.6
- Custom performance monitor data collection set
Important Items to Consider: Do not install Message Analyzer, Wireshark, or other network capture software on the ATA Gateway. If you need to capture network traffic, install and use Microsoft Network Monitor 3.4.
ATA Gateway sizing
An ATA Gateway can support monitoring multiple DCs, depending on the amount of network traffic of the DCs being monitored.

Packets per second* | CPU (cores**) | Memory (GB)
1,000 | 1 | 6
5,000 | 2 | 10
10,000 | 3 | 12
20,000 | 6 | 24
50,000 | 16 | 48
* Total number of packets-per-second from all domain controllers being monitored by the specific ATA Gateway.
** Hyper-Threading Technology must be disabled.

ATA sizing: how do I figure it out?
The recommended and simplest way is to use the ATA Sizing Tool. Another option is to use Performance Monitor:
1. Create a new Data Collector Set
2. Select Create manually (advanced)
3. Choose Create data logs and check Performance Counter
4. Add Network Adapter or Network Interface and select Packets/sec, and add the counter
5. Collect the data for 24 hours and stop the collection
6. Open the .blg file in File Explorer and record the average and maximum values
* Must be performed on all DCs that will be monitored to capture your baseline and apply the formulas

ATA Lightweight Gateway requirements
Domain Controller OS: The domain controller can be a read only domain controller (RODC).
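The Performance Monitor procedure above can be scripted: sample the same Packets/sec counter on every DC with Get-Counter, sum the adapters, and map the totals onto the two sizing tables (Center: total across all DCs; Gateway: total across the DCs a given gateway will mirror). The script below is an added example, not the ATA Sizing Tool and not from the deck. DC names are placeholders, and the default sample length is one minute so it runs quickly; the 24-hour baseline the slides call for is 5-second samples for 24 hours (`-SampleInterval 5 -MaxSamples 17280`).

```powershell
# Added example, not from the deck: Get-Counter baseline of DC Packets/sec and a lookup
# against the ATA Center and ATA Gateway sizing tables. Assumptions: placeholder DC
# names; the caller can read remote performance counters on the DCs.

$centerTiers  = @(1000, 40000, 200000, 400000, 750000, 1000000)   # Packets/sec column of the ATA Center table
$gatewayTiers = @(1000, 5000, 10000, 20000, 50000)                 # Packets/sec column of the ATA Gateway table

function Get-DcPacketRates {
    param([string[]]$DomainControllers, [int]$SampleInterval = 5, [int]$MaxSamples = 12)
    foreach ($dc in $DomainControllers) {
        $samples = Get-Counter -ComputerName $dc -Counter '\Network Interface(*)\Packets/sec' `
                               -SampleInterval $SampleInterval -MaxSamples $MaxSamples
        # Each sample holds one CounterSample per adapter: sum the adapters for that instant,
        # then take the average and maximum across the sampling window.
        $perSample = $samples | ForEach-Object { ($_.CounterSamples | Measure-Object -Property CookedValue -Sum).Sum }
        $stats = $perSample | Measure-Object -Average -Maximum
        [pscustomobject]@{ DC = $dc; AvgPps = [math]::Round($stats.Average); MaxPps = [math]::Round($stats.Maximum) }
    }
}

function Get-SizingTier {
    # Smallest table row whose Packets/sec is >= the measured rate; $null means the rate
    # is above the table (for the Center: above the 1,000,000 FPS ceiling in the notes).
    param([double]$Pps, [int[]]$Tiers)
    $Tiers | Where-Object { $_ -ge $Pps } | Select-Object -First 1
}

function Get-AtaSizingPlan {
    # $GatewayGroups: one entry per planned gateway, listing the DCs it will mirror
    # (the deck's rule of thumb is at least one gateway per AD DS site).
    param([hashtable]$GatewayGroups, [int]$SampleInterval = 5, [int]$MaxSamples = 12)
    $allDcs = $GatewayGroups.Values | ForEach-Object { $_ }
    $rates  = @(Get-DcPacketRates -DomainControllers $allDcs -SampleInterval $SampleInterval -MaxSamples $MaxSamples)
    $totalAvg = ($rates | Measure-Object -Property AvgPps -Sum).Sum
    [pscustomobject]@{ Role = 'ATA Center'; Members = ($allDcs -join ','); AvgPps = $totalAvg; TableRow = Get-SizingTier -Pps $totalAvg -Tiers $centerTiers }
    foreach ($gw in $GatewayGroups.Keys) {
        $gwAvg = ($rates | Where-Object { $GatewayGroups[$gw] -contains $_.DC } | Measure-Object -Property AvgPps -Sum).Sum
        [pscustomobject]@{ Role = $gw; Members = ($GatewayGroups[$gw] -join ','); AvgPps = $gwAvg; TableRow = Get-SizingTier -Pps $gwAvg -Tiers $gatewayTiers }
    }
}

# Example usage (placeholder names; site-to-gateway grouping is an assumption):
Get-AtaSizingPlan -GatewayGroups @{
    'Gateway-HQ'     = @('dc1.contoso.local', 'dc2.contoso.local')
    'Gateway-Branch' = @('dc3.contoso.local')
} | Format-Table -AutoSize
```

`TableRow` is the Packets/sec value of the row to read off the matching table for cores, memory and (for the Center) storage and IOPS; size on the daily average as the table footnote says, and keep `MaxPps` for the 15-minute busiest-period check the slides also ask for.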
Networking: The ATA Lightweight Gateway monitors the local traffic on all of the domain controller's network adapters.
Supported OS: Windows Server 2008 R2 SP1 (not Server Core), Windows Server 2012, Windows Server 2012 R2, Windows Server 2016 (including Core but not Nano). Before installing the ATA Lightweight Gateway on a domain controller running Windows Server 2012 R2, confirm that the following update has been installed: KB2919355. If the installation is for Windows Server 2012 R2 Server Core, the following update should also be
Server specifications: The ATA Lightweight Gateway can be deployed on domain controllers of various loads and sizes. A minimum of 2 cores and 6 GB of RAM installed on the domain controller.
Time synchronization: The ATA Center server, the ATA Lightweight Gateway servers and the domain controllers must have time synchronized to within 5 minutes of each other.

ATA Console
The ATA Management console is accessed via a browser. The following browsers are supported:
- Internet Explorer version 10 and above
- Google Chrome 40 and above
Minimum screen width resolution of 1700 pixels.

Administrative requirements
ATA Gateway:
- Configured via the ATA Center; the install package is downloaded to the ATA Gateway server.
- Requires an AD DS account with read-only access (does not need interactive logon), used to enumerate users and devices for event correlation and behavioral analysis in the ATA Center.
- Nothing special added (not even an administrative local group).
ATA Center:
- Creates the Microsoft Advanced Threat Analytics Administrators local group. Consider how it will be managed if in a non-domain joined configuration.

Configuration Options

Event collection
In addition to collecting and analyzing network traffic to and from the DCs, ATA can use Windows events 4776, 4732, 4733, 4728, 4729, 4756, 4757 to further enhance ATA's detection capabilities. These can be read automatically by the ATA Lightweight Gateway, received from your SIEM, or collected by setting up Windows Event Forwarding from your DCs. Events collected provide ATA with additional information that is not available via the DC network traffic.

Event Forwarding
- ATA listens to network traffic: great for Kerberos, but it may miss the bigger NTLM picture
- Event forwarding sends DC events, in a syslog type format, to a listener (ATA Gateway)
SIEM Integration
- Many customers already forward events from their DCs into a SIEM
- ATA can push data to any syslog enabled SIEM system (must support RFC 3164 or 5424 format)
- ATA can pull events from a SIEM system (syslog listener)
Currently supported SIEMs (pull data): HP ArcSight, Splunk, RSA Security Analytics, Snare, QRadar
Note:
- Configure one of your ATA Gateway servers to listen to and accept events forwarded from the SIEM/Syslog server
- Configure your SIEM/Syslog server to forward specific events to the ATA Gateway
Important: Do not forward all the Syslog data to the ATA Gateway; ATA supports UDP traffic from the SIEM/Syslog server.

Designing an ATA Deployment
Important factors to consider:
- Number of Active Directory (AD DS) Forests
- Port Mirroring drives design discussions
- Which DCs do you monitor?
- A single ATA Center can monitor 1 AD DS forest. Multiple forests = multiple ATA Center deployments. Multiple ATA Center deployments DO NOT communicate with each other. An ATA gateway can only talk to a single ATA Center.
- Gateways can monitor multiple DCs but MUST have the ability to enable port mirroring from the DC to the gateway. Typically this means that the gateway is deployed to the same VLAN/location. Think: 1 gateway (minimally) per AD DS Site.
- At the end of the day, the gateway MUST be able to receive all traffic to/from the domain controller (DC). You may be forced to consider not monitoring some remote DCs, which creates the potential for missing important details.

Steps to Troubleshoot a Suspicious Alert
Scope the Alert:
- From which machine does the traffic come?
- From which network does the traffic come?
- Is the suspicious traffic expected from this machine? I.e., is it a security scanner?
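The Event collection slide and the alert-scoping questions above (and the honeytoken follow-ups that come next) both lean on the DC Security log, so one script serves both: confirm the seven event IDs ATA consumes are actually being written, then use 4776 to see which hosts are submitting NTLM validations, trace every authentication of one account (for example the honeytoken user) back to a source host or IP, and list who recently logged on to the machine in question. This is an added example, not from the deck. Event IDs 4768 (Kerberos TGT requested) and 4624 (logon) are well-known Windows IDs not named on the slides; DC, host and account names are placeholders, and the caller needs event log read access on the DC.

```powershell
# Added example, not from the deck: verify the Security log feed for ATA and answer the
# alert-scoping questions from the same log. Assumptions: placeholder DC / host / account
# names; the account running this can read the Security log remotely.

$ataEventIds = 4776, 4732, 4733, 4728, 4729, 4756, 4757   # IDs listed on the Event collection slide

function Get-EventData {
    # Flatten an event's <EventData><Data Name="..."> elements into an object.
    param($Event)
    $xml = [xml]$Event.ToXml()
    $h = @{}
    foreach ($d in $xml.Event.EventData.Data) { $h[$d.Name] = $d.'#text' }
    [pscustomobject]$h
}

function Test-AtaEventAvailability {
    # Count of each ATA-relevant event ID in the last N hours; a zero means the audit
    # subcategory is off or the log wraps before forwarding picks the events up.
    param([string]$DomainController, [int]$Hours = 24)
    $filter = @{ LogName = 'Security'; Id = $ataEventIds; StartTime = (Get-Date).AddHours(-$Hours) }
    $events = @(Get-WinEvent -ComputerName $DomainController -FilterHashtable $filter -ErrorAction SilentlyContinue)
    foreach ($id in $ataEventIds) {
        [pscustomobject]@{ Id = $id; Count = @($events | Where-Object { $_.Id -eq $id }).Count }
    }
}

function Get-NtlmValidationBySource {
    # "Abnormal number of NTLM calls from this machine": 4776 records the workstation
    # that submitted credentials for validation, so group by it.
    param([string]$DomainController, [int]$Hours = 1)
    $filter = @{ LogName = 'Security'; Id = 4776; StartTime = (Get-Date).AddHours(-$Hours) }
    Get-WinEvent -ComputerName $DomainController -FilterHashtable $filter -ErrorAction SilentlyContinue |
        ForEach-Object { (Get-EventData $_).Workstation } |
        Group-Object | Sort-Object Count -Descending |
        Select-Object @{n='Workstation'; e={ $_.Name }}, Count
}

function Get-AccountAuthenticationTrail {
    # Every NTLM validation (4776) and Kerberos TGT request (4768) for one account,
    # e.g. the honeytoken user, with the source host name or IP.
    param([string]$DomainController, [string]$SamAccountName, [int]$Hours = 24)
    $filter = @{ LogName = 'Security'; Id = 4776, 4768; StartTime = (Get-Date).AddHours(-$Hours) }
    Get-WinEvent -ComputerName $DomainController -FilterHashtable $filter -ErrorAction SilentlyContinue |
        ForEach-Object {
            $d = Get-EventData $_
            if ($d.TargetUserName -eq $SamAccountName) {
                $source = if ($_.Id -eq 4776) { $d.Workstation } else { $d.IpAddress }
                [pscustomobject]@{ Time = $_.TimeCreated; EventId = $_.Id; Source = $source }
            }
        }
}

function Get-RecentLogons {
    # "What users were recently logged on to the machine?": 4624 on the host itself,
    # keeping interactive (2), network (3) and RemoteInteractive (10) logons.
    param([string]$ComputerName, [int]$Hours = 24)
    $filter = @{ LogName = 'Security'; Id = 4624; StartTime = (Get-Date).AddHours(-$Hours) }
    Get-WinEvent -ComputerName $ComputerName -FilterHashtable $filter -ErrorAction SilentlyContinue |
        ForEach-Object { Get-EventData $_ } |
        Where-Object { $_.LogonType -in '2', '3', '10' } |
        Select-Object @{n='User'; e={ "$($_.TargetDomainName)\$($_.TargetUserName)" }}, LogonType, IpAddress |
        Sort-Object User, LogonType, IpAddress -Unique
}

# Example usage with placeholder names:
Test-AtaEventAvailability -DomainController 'dc1.contoso.local'
Get-NtlmValidationBySource -DomainController 'dc1.contoso.local' | Select-Object -First 10
Get-AccountAuthenticationTrail -DomainController 'dc1.contoso.local' -SamAccountName 'svc-honeytoken'
Get-RecentLogons -ComputerName 'ws0042.contoso.local'
```

A machine at the top of the 4776 list that is not a known scanner or proxy is the first thing to reconcile against the "is the suspicious traffic expected from this machine?" question; any row at all from the honeytoken trail is a finding, since that account by definition has no legitimate activity.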
Troubleshoot Honeytoken SA
For the Honeytoken SA we would continue with:
1. What information is present in ATA regarding the computer the honey token user employed?
2. Is the computer verified with high certainty?
3. What other actions have been captured by ATA on this machine?
4. Is the machine showing an abnormal number of LDAP calls from this machine?
5. Is the machine showing an abnormal number of Kerberos/NTLM calls from this machine?
6. What users were recently logged on to the machine?
7. What other network traffic is going from this machine, based on firewall logs?

Azure ATP or ATA

Typical Dashboard

Questions & Answers

Next Microsoft Tech Events
Stay informed: check the mttcharlotte community or email [email protected]. Check http://www.meetup.com/mttcharlotte

Microsoft Offerings
- POP - SLAM (Securing Lateral Account Movement)
- POP - ATA (Advanced Threat Analytics) Fundamentals
- OA - Deployment and Migration Assistance for Advanced Threat Analytics (ATA)
- Active Directory Security Risk Assessment
- POP - Active Directory Delegation Access Control Visualization and Reporting Assessment

Survey
Your feedback is appreciated! Microsoft Tech Talks February Event: https://aka.ms/charlottesurvey