Microsoft Advanced Threat Analytics (ATA) - Part 3

Posted by Ahmed Nabil | 1 comments»
In part 1 of this series Microsoft ATA was introduced in detail, with its different roles and an installation checklist. In Part 2 the Microsoft ATA Center and Gateway components were installed and configured in detail. For more information please check the links below.

ATA Part 1

ATA Part 2

In this final part, I will simulate a malicious activity and show how ATA detects it. I will conclude the blog series with a couple of frequently asked questions on the ATA product.

Now it's time for some action. I will simulate a simple DNS reconnaissance and DNS zone transfer using the NSLOOKUP tool from another machine in my lab, one that is not even domain joined. A properly secured environment would normally refuse such a zone transfer; however, we will see in detail how ATA detected this threat anyway.

DNS Reconnaissance/Zone Transfer Simulation

  1. Launch Nslookup on another lab machine (not the ATA Center, the Gateway, or the DC).
  2. Run Nslookup -ls as per the screen shot below.
  3. The query is refused; however, we will check whether ATA detected this attempt or not.
  4. Open the ATA Center and in the threats view you will find the attack detected with all details, as per the screen shot below.
  5. ATA detected the malicious DNS activity, showing in detail which machine it came from and which domain controller it targeted.
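ATA shows the attempt on the wire; whether the DNS server would actually answer it is decided by the zone's transfer setting. The audit below is an added example, not code from the original post, that lists every primary zone on a DNS server with its zone transfer setting and a risk rating, and shows the remediation command. It assumes the DnsServer PowerShell module (DNS Server role or RSAT) and read rights on the server; the server name defaults to the local machine.

```powershell
# Added example, not code from the original post: audit which primary zones on a DNS server
# still allow zone transfers, the setting that decides whether the "ls" request above is
# answered or refused. Assumes the DnsServer module and read rights on the server.
Import-Module DnsServer

function Get-ZoneTransferExposure {
    param([string]$ComputerName = $env:COMPUTERNAME)   # assumption: a DC/DNS server name

    Get-DnsServerZone -ComputerName $ComputerName |
        Where-Object { $_.ZoneType -eq 'Primary' -and -not $_.IsAutoCreated } |
        ForEach-Object {
            $mode = [string]$_.SecureSecondaries
            [pscustomobject]@{
                ZoneName          = $_.ZoneName
                DsIntegrated      = $_.IsDsIntegrated
                SecureSecondaries = $mode
                Risk              = $(switch ($mode) {
                    'TransferAnyServer'        { 'HIGH: any host can pull the whole zone' }
                    'TransferToZoneNameServer' { 'MEDIUM: any host listed in the NS records' }
                    'TransferToSecureServers'  { 'LOW: explicit secondary server list' }
                    'NoTransfer'               { 'OK: zone transfers disabled' }
                    default                    { "UNKNOWN: $mode" }
                })
            }
        }
}

$report = Get-ZoneTransferExposure
$report | Format-Table -AutoSize

# Remediation for the risky zones (remove the comment markers to apply). AD-integrated zones
# replicate through AD, so they rarely need zone transfers at all.
# $report | Where-Object { $_.SecureSecondaries -eq 'TransferAnyServer' } | ForEach-Object {
#     Set-DnsServerPrimaryZone -Name $_.ZoneName -SecureSecondaries NoTransfer
# }
```

Run it against each DC that hosts DNS; a zone rated HIGH is one where the nslookup step above would have returned the whole zone instead of being refused, and ATA's alert would then be the only thing telling you it happened.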

That is the main purpose of ATA and how it fits as a proactive solution monitoring your network for any suspicious activity. ATA can be configured to send emails to the administrator whenever a threat is detected.

Microsoft ATA Frequently asked Questions:

  1. What DB is used with ATA? MongoDB is used, not a SQL database.
  2. Can I have multiple Gateways? Yes, you can have multiple Gateways. Some clients install two Gateways in the same site as a form of high availability. The same Gateway installation package is installed on all Gateways.
  3. Does ATA always need a two-box setup? No, you can install both the Center and the Gateway on one machine; however, this is not recommended.
  4. What is the current integration status with SIEM? ATA currently can get only event 4776 from a SIEM, and this is limited to a few SIEM solutions such as Splunk, RSA and ArcSight. The product group promised that more will be added in the next version.

Hopefully you will find these three blog posts beneficial, and I would encourage everyone to start playing with and testing ATA in their environment.

Microsoft Advanced Threat Analytics (ATA) - Part 2

Posted by Ahmed Nabil | 1 comments»
In part 1 of this blog series we discussed the new Microsoft Advanced Threat Analytics (ATA) tool and how it can fit into your security platform with its different components.

For more information, please check Part 1 of this series.

In part 2 I will move on to installing and configuring ATA, including the Center and Gateway installation.

My lab environment is mainly 4 VMs on a Hyper-V host:

  1. Domain Controller
  2. Client machine
  3. ATA Center (1 Network Card with 2 IPs) - Workgroup machine not domain joined
  4. ATA Gateway (2 Network Cards, one connected to the network and another one for capturing data) - Workgroup machine not domain joined

Port Mirroring Configuration

Port mirroring configuration on Hyper-V is quite simple. On the domain controller's NIC options go to Advanced Features - Port Mirroring.

Change the mode to Source as shown below (this indicates that this NIC will be the source of the traffic, i.e. the DC traffic).

The same is done on the ATA Gateway's capture NIC (this is the second NIC on the Gateway; it is on our network but is not configured and has no IP address), but this time the mirroring mode is Destination.
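The same two settings can be applied and verified from the Hyper-V host with PowerShell. This is an added example, not code from the original post; the VM names, the name of the capture adapter and the single-NIC DC are assumptions. Note that the Hyper-V adapter name used here is a host-side object, distinct from the connection name you see inside the guest; it can be set with Rename-VMNetworkAdapter.

```powershell
# Added example, not code from the original post: configure and verify Hyper-V port mirroring
# for ATA from the Hyper-V host. VM names and the capture adapter name are assumptions.
$DcVm       = 'DC01'        # assumption: domain controller VM (one network adapter)
$GatewayVm  = 'ATA-GW01'    # assumption: ATA Gateway VM
$CaptureNic = 'Capture'     # assumption: Hyper-V name of the gateway's second, IP-less adapter

# Source: the DC's adapter; everything it sends/receives is copied to the destination
# adapters on the same virtual switch
Set-VMNetworkAdapter -VMName $DcVm -PortMirroring Source

# Destination: only the capture adapter on the gateway, never its management adapter
Set-VMNetworkAdapter -VMName $GatewayVm -Name $CaptureNic -PortMirroring Destination

function Test-AtaPortMirroring {
    param([string]$SourceVm, [string]$DestinationVm, [string]$DestinationNic)
    $src = Get-VMNetworkAdapter -VMName $SourceVm
    $dst = Get-VMNetworkAdapter -VMName $DestinationVm -Name $DestinationNic
    # Mirroring only works between adapters on the same virtual switch
    $sameSwitch = ($src.SwitchName -eq $dst.SwitchName)
    [pscustomobject]@{
        SourceMode      = $src.PortMirroringMode
        DestinationMode = $dst.PortMirroringMode
        Switch          = $src.SwitchName
        SameSwitch      = $sameSwitch
        Mirrored        = ($src.PortMirroringMode -eq 'Source') -and
                          ($dst.PortMirroringMode -eq 'Destination') -and $sameSwitch
    }
}

Test-AtaPortMirroring -SourceVm $DcVm -DestinationVm $GatewayVm -DestinationNic $CaptureNic
```

If Mirrored comes back False after the GUI steps, the usual cause is the two adapters sitting on different virtual switches, which the GUI does not warn about.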

ATA Center Installation

The first component to start with is the ATA Center. You can get a trial version of the ATA software from the Microsoft TechNet Evaluation Center.

Microsoft ATA is available to all Enterprise Volume License customers (ECAL) as well as customers with the Enterprise Mobility and Cloud suite; for more information please check the following link.

The installation is straightforward: after launching the setup and picking your language, click Next and approve the User License Agreement.

On the next window you will get a couple of options: where to install your files and database (of course, in a production environment it's recommended to have your DB on a separate disk), the 2 Center IPs, and whether you will use certificates from your internal PKI environment or self-signed certificates.

The Center communication IP is the listening IP on the Center server responsible for receiving the data from the ATA Gateway. The management IP is the IP used by users/admins to open and administer the ATA web (IIS) interface.

You may use the same IP for both communication and management on the Center; however, in this case you will need to change the port on the communication IP address because the management interface uses 443 by default. I will pick the default settings using self-signed certificates for the sake of the demo.

Click Next to start the installation, then Finish when done, then launch the web interface (management IP). You can log on to the Center either with local admin accounts on the ATA Center or with accounts that are members of the Microsoft ATA Administrator group created on the ATA Center.

After logging in with my ATA Center local admin account (administrator), open the Gateway tab (as shown below). You will need to enter domain user credentials (check Part 1 in the pre-requisites for a read-only domain user account); this user doesn't need any admin rights, it's a normal user that can read the objects in AD.

Download the ATA Gateway installation from the bottom. This Gateway installation package can be used on any Gateway, whether you are using one gateway or several gateway machines.

ATA Gateway Installation

After downloading the Gateway installation, copy it to the Gateway machine and install the software. You will receive the message below if you didn't install the two KBs mentioned earlier in Part 1.

After installing the required KBs (pre-requisites) on the Gateway you can move on with the installation as shown below.

You can change the installation path if needed, and again you need to assign a certificate (for the sake of the lab I picked the self-signed one). This certificate is used to validate that the Center is communicating with a legitimate, approved Gateway; otherwise an attacker could introduce a rogue Gateway that connects to our Center.

Again, the account used is the local admin account or a member of the local Microsoft ATA Admins group. In my case, I am using the local admin account.

Click Install to install some pre-requisites.

Then the product/Gateway files get installed.

Finally we are done and you can click Launch to continue configuring the ATA Gateway. This opens the ATA web management interface on the Center (reminder: all configuration and changes are done on the Center).

When you open the Gateway settings it will mention that configuration is required. We will need to pick the domain controller (mirrored to our Gateway), which in our case is a single domain controller.

The second configuration is to choose the NIC with port mirroring configured on it, i.e. the NIC the mirrored traffic is sent to (I named it Capture for simplicity, which is the recommended naming).

That's all that needs to be done for the ATA installation for both the Center and the Gateway.

In the next part of this series I will simulate a couple of different attacks and show how they are detected by Microsoft ATA, as well as some common FAQs.

Hope this post was beneficial, and see you in the final post in this series.

Microsoft Advanced Threat Analytics (ATA) - Part 1

Posted by Ahmed Nabil | 2 comments»
Given the changing nature of cyber security threats over the last couple of years, and the focus on compromising user credentials and identity with different types of attacks such as Pass the Hash, a new proactive security tool such as Microsoft Advanced Threat Analytics (ATA) has become a must-have in any corporate arsenal of tools to detect this type of attack.

Microsoft Advanced Threat Analytics analyzes data from three data sources (the Active Directory database, Active Directory traffic and SIEM solutions), learns about the entities in your organization and their behavior, and then starts to detect suspicious events.

Microsoft ATA targets three categories of risks:

  1. Security issues and risks (broken trust, weak protocols and known protocol vulnerabilities)
  2. Malicious attacks (Pass the Hash, Pass the Ticket, brute force, etc.)
  3. Abnormal behavior (suspicious activities, password sharing, lateral movement, etc.)

Microsoft recommends around 3-4 weeks for the ATA engine to learn about your environment and start detecting abnormal behavior; this applies to the 3rd category (abnormal behavior). The first and second categories (security risks and malicious attacks) are detected instantly after the installation of ATA (real time).

There are two components in ATA (Gateway and Center). The Gateway collects all data using port mirroring and sends it to the Center, where all processing occurs.

ATA Gateway:

  1. Capture data from DCs via port mirroring
  2. Listen to multiple DCs from multiple domains
  3. Receive events from SIEM
  4. Retrieve data from entities in the domain
  5. Perform name resolution of network entities
  6. Transfer relevant data to the ATA Center

ATA Center:

  1. Manage ATA Gateway configuration settings
  2. Receive data from the ATA Gateway and store it in the DB
  3. Detect suspicious activity and abnormal behavior (machine learning)
  4. Provide the web management interface
  5. Support multiple Gateways

What is the ATA pre-deployment checklist?

  1. Configure port mirroring from the DCs (domain controllers) to the ATA Gateway.
  2. Create a read-only domain user.
  3. KB2919355/KB2919442 installed on the Gateway machine or VM.
  4. The ATA Center has 2 static IP addresses.
  5. Optional: deploy certificates from your internal PKI. For a demo only, you can use self-signed certificates.
  6. The ATA Gateway has 2 NICs (network cards).
  7. The ATA Gateway account is either a local admin account on the ATA Gateway server or a member of the ATA built-in group.
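Two of these items are easy to get wrong in practice: the read-only account from item 2 (it must stay a plain Domain User, since its password is typed into the ATA Center and the Gateway uses it to read the directory) and the Gateway prerequisites from items 3 and 6. The script below is an added example, not code from the original post or from Microsoft; New-AtaReadOnlyAccount runs on a DC with the ActiveDirectory module, Test-AtaGatewayPrereqs runs on the Gateway. The account name, OU and domain are assumptions.

```powershell
# Added example, not code from the original post: the read-only account (item 2) created with
# a least-privilege check, and the Gateway prerequisites (items 3 and 6) verified as code.
function New-AtaReadOnlyAccount {
    param(
        [string]$SamAccountName = 'svc-ata-ro',                    # assumption
        [string]$Path = 'OU=Service Accounts,DC=contoso,DC=com'    # assumption
    )
    Import-Module ActiveDirectory
    # A random 256-bit password: it is only ever typed into the ATA Center once
    $bytes = New-Object byte[] 32
    [System.Security.Cryptography.RandomNumberGenerator]::Create().GetBytes($bytes)
    $plain = [Convert]::ToBase64String($bytes)

    New-ADUser -Name $SamAccountName -SamAccountName $SamAccountName -Path $Path `
        -AccountPassword (ConvertTo-SecureString $plain -AsPlainText -Force) `
        -Enabled $true -PasswordNeverExpires $true `
        -Description 'ATA Gateway read-only directory account'

    # Least privilege check: a plain Domain User, in no admin or operator group
    $groups = Get-ADPrincipalGroupMembership -Identity $SamAccountName |
              Select-Object -ExpandProperty Name
    $privileged = @($groups | Where-Object { $_ -match 'Admin|Operator' })
    if ($privileged.Count -gt 0) {
        throw "Unexpected privileged membership: $($privileged -join ', ')"
    }
    # Hand the password back once so it can go into a vault and then into the ATA Center
    [pscustomobject]@{ SamAccountName = $SamAccountName; Groups = $groups; Password = $plain }
}

function Test-AtaGatewayPrereqs {
    $required  = 'KB2919442', 'KB2919355'        # the two KBs from item 3
    $installed = Get-HotFix | Select-Object -ExpandProperty HotFixID
    $missing   = @($required | Where-Object { $installed -notcontains $_ })
    $nics      = @(Get-NetAdapter -Physical | Where-Object { $_.Status -eq 'Up' })
    $cs        = Get-CimInstance -ClassName Win32_ComputerSystem
    [pscustomobject]@{
        MissingKBs   = $missing
        UpAdapters   = $nics.Name
        TwoNics      = ($nics.Count -ge 2)       # item 6: management NIC + capture NIC
        DomainJoined = $cs.PartOfDomain          # the lab Gateway is a workgroup machine
        Ready        = ($missing.Count -eq 0) -and ($nics.Count -ge 2)
    }
}

# On a DC:         New-AtaReadOnlyAccount
# On the Gateway:  Test-AtaGatewayPrereqs
```

If Test-AtaGatewayPrereqs reports a missing KB, install it before running the Gateway setup; that is exactly the message the Part 2 installation screen shows when the KBs are absent.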

In Part 2 I will start deploying ATA and configuring both Gateway and Center machines/VMs.

You can check part 2 from the following link


How to Enable/Search Users in Lync 2013 Control Panel?

Posted by Ahmed Nabil In | 2 comments»
Lately I received several inquiries about enabling Lync 2013 features such as Enterprise Voice for new domain users in the Lync Control Panel, and about the difference between enabling a user and searching for a user. PowerShell is my default place for any action such as adding a new user; however, I started checking this issue and discussing it with several admins as well as the Microsoft support team.

The user search option, shown in the image below with its two options (Search or LDAP), is limited to searching for users that are already enabled for Lync, not new users who are not yet enabled for Lync.

To search for existing enabled users, you can use the Search button and enter the user name of the user you are looking for. If you would like to use the LDAP search, then you need to search using an LDAP expression. If you enter a normal username in the LDAP search you will get the error "Active Directory Operation Failed. The search filter is invalid".

So to use the LDAP search for existing users you need to enter an LDAP expression. To get the LDAP expression for the user you can take it from AD (ADSI Edit) by navigating to the user's location, or by running the PowerShell command below on the Lync Server (replace <username> with the user's logon name):

Get-ADUser -Identity <username> | Select-Object -ExpandProperty DistinguishedName

The value of the distinguished name is the one you need to enter in the LDAP search.

So back to the first question: how to enable new users that joined the domain and are not yet enabled for Lync. To add/enable a new user you need to click Enable Users in the User Search menu (Lync Control Panel), then click Add.

Now you get a new search window where you can search for new users, either using a normal username (Search check box) or using an LDAP expression as explained earlier.

Now you can enable this new user and assign them to the correct pool.
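The same distinction exists in the Lync Server Management Shell, which is why the Control Panel behaves as described: Get-CsUser only returns users already enabled for Lync, while Get-CsAdUser -UnassignedOnly returns the AD users that are not enabled yet. The script below is an added example, not code from the original post; it resolves a user's distinguished name (the value the LDAP search box wants), reports whether the user is enabled, lists the not-yet-enabled users, and enables one. The user name, pool and SIP domain are assumptions.

```powershell
# Added example, not code from the original post: enabled vs. not-yet-enabled Lync users from
# the Lync Server Management Shell. User, pool and SIP domain names are assumptions.
Import-Module Lync
Import-Module ActiveDirectory

function Get-LyncUserState {
    param([Parameter(Mandatory = $true)][string]$SamAccountName)
    # The DN is the LDAP expression the Control Panel's LDAP search expects
    $ad = Get-ADUser -Identity $SamAccountName
    # Get-CsUser returns nothing for a user who is not enabled for Lync yet
    $cs = Get-CsUser -Identity $ad.DistinguishedName -ErrorAction SilentlyContinue
    [pscustomobject]@{
        SamAccountName    = $SamAccountName
        DistinguishedName = $ad.DistinguishedName
        LyncEnabled       = [bool]$cs
        RegistrarPool     = if ($cs) { $cs.RegistrarPool } else { $null }
    }
}

# What the "Enable Users" search sees: AD users that are not enabled for Lync
Get-CsAdUser -UnassignedOnly | Select-Object DisplayName, SamAccountName

# Enable a new user and home them on a pool, only if they are not enabled already
$state = Get-LyncUserState -SamAccountName 'jdoe'          # assumption: new domain user
if (-not $state.LyncEnabled) {
    Enable-CsUser -Identity $state.DistinguishedName `
                  -RegistrarPool 'pool01.contoso.com' `   # assumption
                  -SipAddressType SamAccountName -SipDomain 'contoso.com'
}
Get-LyncUserState -SamAccountName 'jdoe'   # LyncEnabled should now be True
```

Running Get-LyncUserState before and after Enable-CsUser is the scripted equivalent of the user moving from the "Enable Users" search to the normal user search in the Control Panel.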

Hopefully this can clarify the difference between Searching for Existing users and adding new users using the Lync Control Panel.

Windows 10 Security Part 2: Enable Credential Guard / Pass the Hash Mitigation

Posted by Ahmed Nabil In | 3 comments»
For Part 1 of Windows 10 Security, please check the link below.

Pass the Hash was really one of the hottest attacks in 2015. No major attack last year happened without a flavor of PTH, either on local accounts or domain accounts, by stealing the hash and passing it to other services, etc.

Windows 10 introduced a new feature, Credential Guard, also known as Virtual Secure Mode (VSM). The main idea is to utilize Microsoft Hyper-V by enabling Hyper-V on the Windows 10 machine and having a special secure kernel mode, based on the virtualization technology, to host critical processes such as the Local Security Authority (which holds your passwords). This new feature promises to finally get rid of Pass the Hash attacks and password/hash theft. This secure kernel mode has no GUI or network access, and it communicates with the OS in a new format that cannot be replayed or passed (at least for the time being).

How to Enable Credential Guard

  1. First of all we need to add Hyper-V from Control Panel - Programs and Features - Turn Windows features on or off.
  2. Secure Boot needs to be enabled.
  3. This feature will work only on Windows 10 Enterprise.
  4. The machine should be domain joined, as this protects domain accounts; it's not for local accounts. For local accounts you should have other protection mechanisms such as Microsoft LAPS.
  5. VSM or Credential Guard can be enabled using Group Policy (the updated Group Policy templates for Windows 10 copied to the domain controller central store). In my case I am enabling it manually on my laptop using the Local Group Policy Editor as shown below (Computer Configuration - Administrative Templates - System - Device Guard - Turn On Virtualization Based Security).
  6. Enable the setting. I picked Enabled without Lock so it can be controlled/disabled later using Group Policy. A detailed description is shown in the Help section.
  7. Start the special VSM process by editing the boot configuration data as shown below from an elevated command prompt.

To verify it is running and working as designed, you first need to reboot the computer; after booting, go to the computer's System Information (from Cortana search for System Information or msinfo) and check the System Summary as shown below.

Also in Task Manager you will find the Credential Guard process, as well as in the Details tab.
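The msinfo32 and Task Manager checks can be scripted, which is what you want once more than one machine is involved. The function below is an added example, not code from the original post; it reads the Win32_DeviceGuard WMI class that Windows 10 exposes in the root\Microsoft\Windows\DeviceGuard namespace, looks for the isolated LSA process (LsaIso.exe, the process Task Manager labels Credential Guard), and reads the LsaCfgFlags value the Group Policy setting writes. The numeric codes in the comments are Microsoft's documented values; the script runs on the local machine only.

```powershell
# Added example, not code from the original post: verify Credential Guard on the local machine
# the way msinfo32 and Task Manager do, as a single pass/fail object.
function Get-CredentialGuardState {
    $dg = Get-CimInstance -Namespace 'root\Microsoft\Windows\DeviceGuard' `
                          -ClassName Win32_DeviceGuard
    # SecurityServicesConfigured / SecurityServicesRunning: 1 = Credential Guard, 2 = HVCI
    # VirtualizationBasedSecurityStatus: 0 = disabled, 1 = enabled but not running, 2 = running
    $cgConfigured = @($dg.SecurityServicesConfigured) -contains 1
    $cgRunning    = @($dg.SecurityServicesRunning)    -contains 1
    $vbsRunning   = ($dg.VirtualizationBasedSecurityStatus -eq 2)

    # The isolated LSA process that holds the secrets; shown as "Credential Guard" in Task Manager
    $lsaIso = Get-Process -Name LsaIso -ErrorAction SilentlyContinue

    # Policy written by "Turn On Virtualization Based Security":
    # LsaCfgFlags 0 = disabled, 1 = enabled with UEFI lock, 2 = enabled without lock
    $lsa = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa' -ErrorAction SilentlyContinue
    $lsaCfg = if ($lsa -and $lsa.PSObject.Properties['LsaCfgFlags']) { $lsa.LsaCfgFlags } else { $null }

    [pscustomobject]@{
        ComputerName           = $env:COMPUTERNAME
        VbsStatus              = $dg.VirtualizationBasedSecurityStatus
        CredentialGuardConfig  = $cgConfigured
        CredentialGuardRunning = $cgRunning
        LsaIsoProcess          = [bool]$lsaIso
        LsaCfgFlags            = $lsaCfg
        # Healthy only when VBS is running, Credential Guard is running and LsaIso exists
        Healthy                = $vbsRunning -and $cgRunning -and [bool]$lsaIso
    }
}

Get-CredentialGuardState
```

A machine where CredentialGuardConfig is True but CredentialGuardRunning is False is the classic half-done case: the policy was applied but a prerequisite from the list above (Hyper-V, Secure Boot, the Enterprise edition or the reboot) is still missing.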

This is a very nice new feature to secure your credentials, and I would advise Windows 10 users to go ahead and try it.

How to Upgrade/Move your Enterprise Certification Authority (CA) from 2008 R2 to 2012 R2 - Part 1

Posted by Ahmed Nabil In | 4 comments»
In this series we will go through the main steps to migrate our Enterprise Subordinate Certification Authority from a Windows 2008 R2 server to a Windows 2012 R2 server (side-by-side move). In Part 1 of this series I will discuss the main requirements and the preparation done on the source server (the CA on 2008 R2).

Key things to note:

  1. If you would like the new CA server's computer name to be the same as the old one, then you will need to decommission and remove the old server from the domain prior to building the new server. In our case I will keep the old server (just disabling the certificate Windows services) and have the new server with a new name (just in case you need to revert at any time).
  2. During the migration and setup of the CA on the new server no certificates or CRLs will be issued. It's preferred to run this after hours. Plan to publish a CRL that will cover the downtime period.
  3. The user running the migration should be a member of the Enterprise Admins or Domain Admins group.

Source Server (2008 R2) Preparation

  1. Publish a new CRL to ensure that your migration period is covered. Open Certification Authority - right click Revoked Certificates - All Tasks - Publish.
  2. Take a backup from the current source CA (2008 R2 server): right click the Certification Authority - All Tasks - Back Up CA. Make sure to pick both check boxes as shown above (Private Key and CA Cert, and Certificate Database). Store them in a dedicated empty folder (it will be copied later to the destination server).
  3. After picking a password and finishing the wizard, check the backup folder (in our case C:\CA_Backup). We should have a CAname.P12 file and a Database folder.
  4. The next step is taking a backup of the CA configuration in the registry as another checkpoint/line of defense (hopefully it won't be needed). Navigate to HKLM\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration, right click Configuration, take an Export and save the output REG file in the same backup location.
  5. If a custom CAPolicy is used then we need to copy the CAPolicy.inf file from C:\Windows (the default location) to the backup folder created earlier.
  6. The final step to be done on the source CA server is to stop the Certification Authority service and change its startup type to Disabled in case anyone tries to start it by mistake (remember we will be keeping the source server for some time until everything is up on the new server).
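Steps 1 to 6 map onto certutil and service commands, which is useful when you want the source preparation to be repeatable and checked before the CA is stopped. The script below is an added example, not code from the original post; it uses the C:\CA_Backup folder from the post, sticks to Windows PowerShell 2.0 syntax so it runs on 2008 R2, and the backup password is a placeholder that must be supplied at run time rather than left in the script. It stops the service only after confirming the .p12 and database folder exist.

```powershell
# Added example, not code from the original post: the source CA preparation (steps 1-6) as a
# script. Run in an elevated PowerShell on the 2008 R2 CA. Password is a placeholder.
$BackupDir      = 'C:\CA_Backup'
$BackupPassword = Read-Host 'Backup password for the CA private key'   # placeholder input

# 1. Publish a fresh CRL so clients keep validating during the migration window
certutil -CRL
if ($LASTEXITCODE -ne 0) { throw 'CRL publication failed' }

# 2-3. Back up the private key + CA certificate (.p12) and the certificate database
New-Item -ItemType Directory -Path $BackupDir -Force | Out-Null
certutil -backup -p $BackupPassword $BackupDir
if ($LASTEXITCODE -ne 0) { throw 'certutil -backup failed' }

# 4. Export the CA configuration from the registry as a second safety net
reg export 'HKLM\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration' `
           "$BackupDir\CertSvc-Configuration.reg" /y
if ($LASTEXITCODE -ne 0) { throw 'registry export failed' }

# 5. Keep a custom CAPolicy.inf if one exists
$policy = Join-Path $env:windir 'CAPolicy.inf'
if (Test-Path $policy) { Copy-Item $policy $BackupDir }

# Check the backup is complete before touching the service (the post's step 3 check)
$p12 = @(Get-ChildItem $BackupDir -Filter '*.p12')
$db  = Test-Path (Join-Path $BackupDir 'DataBase')
if ($p12.Count -eq 0 -or -not $db) { throw 'Backup incomplete: .p12 or database folder missing' }

# 6. Stop the CA and keep it from being started by accident
Stop-Service -Name CertSvc
Set-Service  -Name CertSvc -StartupType Disabled
Get-WmiObject Win32_Service -Filter "Name='CertSvc'" | Select-Object Name, State, StartMode
```

The final line should show State Stopped and StartMode Disabled; anything else means the source CA could still issue certificates while the new server is being built.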

This concludes Part 1 of this series. In Part 2 we will install the CA on the new 2012 R2 server and restore the backup taken on the old 2008 R2 server. Hopefully this has been beneficial, and see you in the next part.

PKIView OCSP Location#1 Error

Posted by Ahmed Nabil In | 2 comments»
After configuring and installing OCSP on an Enterprise Certification Authority I noticed that the OCSP location in PKIView was displaying an error, as per the screen shot below.

The OCSP responder was working fine with the current certificate, and I verified and validated it using Certutil -url (check the article below for more details).

It turned out that the original AIA path that was used had been changed in my CA extensions to another path, which led to this error. So in order to fix this issue, the following was done:

  1. Revoke the latest CA Exchange certificate. This can be done by checking your Certification Authority - Issued Certificates, arranging them by certificate template and checking the latest CA Exchange certificate.
  2. From an admin command prompt run "certutil -cainfo xchg".

This did the trick and it was fixed in PKIView.
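The two steps can be scripted so that the right certificate is revoked and the re-issue is verified. This is an added example, not code from the original post; it runs elevated on the CA. Two assumptions to verify on your build before relying on it: that certutil's csv output keeps the column order given in -out with a header row (the header names are localized, so columns are read by position), and that the template column renders with the name CAExchange in it.

```powershell
# Added example, not code from the original post: revoke the latest CA Exchange certificate and
# force a fresh one (steps 1 and 2 above), then verify a new one exists. Run elevated on the CA.
function Get-CaExchangeCerts {
    # Disposition 20 = issued. Columns are read by position (headers are localized).
    $csv = certutil -view -restrict 'Disposition=20' `
                    -out 'RequestID,SerialNumber,CertificateTemplate' csv
    foreach ($row in ($csv | ConvertFrom-Csv)) {
        $cols = @($row.PSObject.Properties)
        # assumption: the template column contains the template name "CAExchange"
        if ($cols[2].Value -notmatch 'CAExchange') { continue }
        # RequestID may render as "0x1a (26)"; the last run of digits is the decimal ID
        $id = ([regex]::Matches($cols[0].Value, '\d+') | Select-Object -Last 1).Value
        [pscustomobject]@{ RequestId = [int]$id; SerialNumber = $cols[1].Value.Trim() }
    }
}

$latest = Get-CaExchangeCerts | Sort-Object RequestId -Descending | Select-Object -First 1
if (-not $latest) { throw 'No issued CA Exchange certificate found' }
"Revoking CA Exchange certificate RequestID $($latest.RequestId), serial $($latest.SerialNumber)"

# Step 1: revoke it (reason code 0 = unspecified); it still carries the old AIA/OCSP URL
certutil -revoke $latest.SerialNumber 0
if ($LASTEXITCODE -ne 0) { throw 'certutil -revoke failed' }

# Step 2: make the CA issue a fresh CA Exchange certificate with the current extensions
certutil -cainfo xchg | Out-Null
if ($LASTEXITCODE -ne 0) { throw 'certutil -cainfo xchg failed' }

# Verify: a new, higher RequestID must now exist; then re-run PKIView
$new = Get-CaExchangeCerts | Sort-Object RequestId -Descending | Select-Object -First 1
if ($new.RequestId -le $latest.RequestId) { throw 'No new CA Exchange certificate was issued' }
"New CA Exchange certificate RequestID $($new.RequestId), serial $($new.SerialNumber)"
```

The root cause is worth remembering: the CA Exchange certificate embeds the AIA and OCSP URLs that were configured when it was issued, so changing the extensions on the CA does nothing for it until it is replaced.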

Accessing Exchange 2013 On-Premise Public folders for Office 365 Users

Posted by Ahmed Nabil In | 1 comments»
Recently I have been working with a friend on his Exchange 2013 hybrid configuration. After the hybrid configuration is set up and configured it becomes easy to start migrating and moving on-premises mailboxes to the cloud (Office 365), assign them the needed licenses, etc.

One issue we received from the users was not being able to see and access their public folders from their Outlook client. Yes, it's legacy and Microsoft has been trying to phase it out; however, many companies still depend on it and users love it.

Microsoft has a very good document for configuring legacy public folders for an Exchange hybrid configuration; however, it mainly covers Exchange 2007 and 2010.

For more info, check it on

So, a little background on public folders in Exchange 2013: starting with 2013 there is no longer a specific separate database for public folders; rather, there are now special mailboxes which store both the public folder hierarchy and content.

When you create the first public folder mailbox, it will be the primary hierarchy mailbox (check the image below).


So in the above screenshots the public folders are stored in the MasterHierarchy mailbox. This was the tricky point. So, how to configure the cloud/Office 365 users to access the on-premises Exchange 2013 public folders:

  1. First of all we need to sync this mailbox (MasterHierarchy) to the cloud using DirSync or whatever tool you are using for syncing your on-premises users to the cloud; this user/mailbox should be synced from the local on-premises AD to the cloud/Office 365.
  2. Open an Exchange Online PowerShell session (to do this, follow this document ).
  3. Run the command below from the Exchange Online PowerShell session, replacing the placeholder with your actual domain name:
     Set-OrganizationConfig -PublicFoldersEnabled Remote -RemotePublicFolderMailboxes MasterHierarchy@<your domain name>
  4. To make sure the public folders are set for remote access and can be viewed by Exchange Online users, run the following PowerShell command:
     Get-OrganizationConfig | fl *public*
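Steps 2 to 4 as one script, with the check in step 4 turned into a pass/fail result instead of something to read by eye. This is an added example, not code from the original post; it assumes the ExchangeOnlineManagement module (Connect-ExchangeOnline), which replaced the remote PowerShell session of the post's era, and uses the MasterHierarchy mailbox name from the post with the domain as a placeholder. The verification compares the mailbox name only, because Get-OrganizationConfig may list the hierarchy mailbox in a different form than the SMTP address that was set.

```powershell
# Added example, not code from the original post: enable remote public folders in Exchange
# Online and verify the result (steps 2-4). The domain is a placeholder to replace.
$HierarchyMailbox = 'MasterHierarchy@<your-domain>'   # placeholder: replace with your domain

# Step 2: connect (assumption: ExchangeOnlineManagement module installed, modern auth prompt)
Import-Module ExchangeOnlineManagement
Connect-ExchangeOnline -ShowBanner:$false

function Test-RemotePublicFolderConfig {
    param([string]$ExpectedMailbox)
    $cfg   = Get-OrganizationConfig
    # Compare on the mailbox name part only; the property may show a DN or alias, not an SMTP address
    $name  = $ExpectedMailbox.Split('@')[0]
    $names = @($cfg.RemotePublicFolderMailboxes | ForEach-Object { "$_" })
    $found = @($names | Where-Object { $_ -match [regex]::Escape($name) }).Count -gt 0
    [pscustomobject]@{
        PublicFoldersEnabled = $cfg.PublicFoldersEnabled
        RemoteMailboxes      = $names
        Ok                   = ($cfg.PublicFoldersEnabled -eq 'Remote') -and $found
    }
}

# Step 3: point Exchange Online at the on-premises hierarchy mailbox
Set-OrganizationConfig -PublicFoldersEnabled Remote -RemotePublicFolderMailboxes $HierarchyMailbox

# Step 4: verify (the post's "Get-OrganizationConfig | fl *public*", reduced to a pass/fail)
$result = Test-RemotePublicFolderConfig -ExpectedMailbox $HierarchyMailbox
$result
if (-not $result.Ok) { throw 'Remote public folder configuration did not apply' }

Disconnect-ExchangeOnline -Confirm:$false
```

If Ok is False right after Set-OrganizationConfig, the most common reason is step 1: the MasterHierarchy mailbox has not yet synced to the tenant, so Exchange Online cannot resolve the name.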

This should do the trick and you can access your public folders. One more thing: what if you have mail-enabled public folders that you need to send emails to? Well, these are not synced using DirSync or whatever tool you are using. In this case we go back to the first document I mentioned:

  1. Go to Step 2 in the document referred to above and download the 2 scripts.
  2. Follow Step 3 and run the needed commands from your Exchange 2013 server to sync your mail-enabled public folders.

Hopefully this post will help users facing this common issue with Hybrid configurations.

How to Remove Old Domain Network Adapter Profiles

Posted by Ahmed Nabil | 0 comments»
A common, simple issue that sometimes passes by you while building a new server or virtual machine is noticing that the network card/Local Area Connection is not displaying the expected name but rather 1, 2, etc. (check the picture below).

It should be noted that the network adapter name is controlled by the registry value "ProfileName" under
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\NetworkList\Profiles.

The first network adapter profile name after a clean, fresh installation should be the domain name, as in our example "". If a new network adapter is created, a new GUID registry key gets created in the registry location mentioned above. This will be a new profile and will take the name " 2".

It may happen, especially on virtual machines, that network cards are removed or new drivers are installed that remove the network cards and reinstall them, which creates new network profiles since the old registry key still exists.

In order to remove all these network profiles and get the default "" profile back, you need to remove all these GUIDs from the registry under Profiles, then disable your network adapter and enable it again. It will come back with the default
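The registry clean-up and the adapter bounce can be done in one elevated PowerShell session, with the profiles listed before anything is deleted and the key exported first so the change can be reverted. This is an added example, not code from the original post; the adapter name is an assumption, and the domain name that the fresh profile should carry is whatever your domain is called (the post's example name is not reproduced here).

```powershell
# Added example, not code from the original post: list, back up and remove the network profile
# GUIDs under the key named above, then bounce the adapter so Windows re-creates the profile.
$ProfilesKey = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\NetworkList\Profiles'
$AdapterName = 'Ethernet'    # assumption: the adapter's connection name

function Get-NetworkProfileList {
    Get-ChildItem $ProfilesKey | ForEach-Object {
        $p = Get-ItemProperty $_.PSPath
        [pscustomobject]@{
            Guid        = $_.PSChildName
            ProfileName = $p.ProfileName
            Description = $p.Description
            # Category: 0 = Public, 1 = Private, 2 = Domain authenticated
            Category    = $(switch ($p.Category) { 0 {'Public'} 1 {'Private'} 2 {'Domain'} default { $p.Category } })
            Path        = $_.PSPath
        }
    }
}

# Show what is there before deleting anything; a stale domain profile is the usual leftover
$profiles = @(Get-NetworkProfileList)
$profiles | Format-Table Guid, ProfileName, Category -AutoSize

# Safety net: export the key so the change can be reverted with a double-click on the .reg
reg export 'HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\NetworkList\Profiles' `
           "$env:TEMP\NetworkListProfiles.reg" /y
if ($LASTEXITCODE -ne 0) { throw 'registry export failed; not deleting anything' }

# Remove every profile (the post's method), then let Windows re-create it on the next connect
$profiles | ForEach-Object { Remove-Item -Path $_.Path -Recurse }
Disable-NetAdapter -Name $AdapterName -Confirm:$false
Start-Sleep -Seconds 3
Enable-NetAdapter -Name $AdapterName -Confirm:$false
Start-Sleep -Seconds 10   # give network location awareness time to classify the new connection

# The new profile should carry the domain name with no numeric suffix and Category Domain
Get-NetworkProfileList | Format-Table Guid, ProfileName, Category -AutoSize
```

If the re-created profile still comes back as Private or Public instead of Domain, the adapter had no path to a domain controller when it came up; check connectivity rather than editing the profile name by hand.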