Microsoft Advanced Threat Analytics (ATA) - Part 2

Posted by Ahmed Nabil | 1 comments»
In part 1 of this blog series we discussed the new Microsoft Advanced Threat Analytics Tool (ATA) and how it can fit in your security platform with its different components.

For more information, please check Part 1 from this series

In part 2 I will move on with installing and configuring the ATA including the Center and Gateway installation.

MY Lab environment is mainly 4 VMs on Hyper-V Host

  1. Domain Controller
  2. Client machine
  3. ATA Center (1 Network Card with 2 IPs) - Workgroup machine not domain joined
  4. ATA Gateway (2 Network Cards, one connected to the network and another one for capturing data) - Workgroup machine not domain joined

Port Mirroring Configuration

Port mirroring configuration on Hyper-V is quite simple. On the domain controller NIC options - Advanced features - Port Mirroring

Change the mode to be Source as shown below (this indicates that this NIC will be the source of the traffic - DC traffic)

The Same to be done on the ATA Gateway on the Capture NIC (this is the second NIC on the Gateway that is on our network however its not configured / No IP address) but this time the Mirroring mode is Destination.

ATA Center Installation

The first component to start with is the ATA center, you can get a trial version for the ATA software from Microsoft TechNet Evaluation Center

Microsoft ATA is available for all Enterprise Volume license customers (ECAL) as well as customers with Enterprise Mobility and Cloud suite, for more information please check the following link

The installation is straight forward, after launching the software and picking your language, click Next and approve the User License Agreement

On the next window you will get couple of options as where to install your files and database (Of course in Production environment its recommended to have your DB on separate Disk), the 2 Center IPs and whether you will use certificates from your internal PKI environment or use Self Signed Certificates.

The Center communication IP is the listening IP on the Center Server responsible for getting the data from the ATA Gateway. The Management IP is the IP used by Users/Admins to open and administer the ATA Web IIS Interface.

You may use the same IP for both the Communication and Management on the Center however in this case you will need to change the port on the communication IP address because the management interface is using 443 by default. I will Pick the default settings using self signed certificates for the sake of the demo.

Click Next for the installation progress and then Finish when done then Launch the Web interface (Management IP). You can log on the center either by using Local admin accounts on the ATA center or accounts member in the Microsoft ATA Administrator group created on the ATA Center.

After Logging with my ATA center Local admin account (administrator), Open the Gateway TAB (as shown below). You will need to enter a domain user credentials (Check Part 1 in the pre-requisites for a Read only Domain User Account), this user doesn't need any admin rights, its a normal user that can read the objects in AD.

Download the ATA Gateway installation from the bottom. This Gateway installation can be used on any gateway whether you are using one gateway or several gateway machines.

ATA Gateway Installation

After downloading the Gateway Installation, copy it to the Gateway machine and install the software. You will receive the below message if you didn't install the two KBs mentioned earlier in Part 1.

After Installing the required KBs (Pre-requisites) on the Gateway you can move on with installation as shown below.

You can change the installation path, if needed, and again you need to assign a certificate (For the sake of lab I picked the self signed). This certificate is used to validate that you are communicating with the legitimate approved Gateway to your center otherwise an attacker can introduce a rogue gateway that connects to our center.

Again the account used is the local admin account or member in the local group of Microsoft ATA Admins. In my case, i am using local admin account

Click Install to install some pre-requisites

Then product / Gateway files get installed.

Finally we are done and you can launch to continue configuring the ATA Gateway. This will open the ATA web/Management on the Center (reminder all configuration and changes are done on the center)

When you open the Gateway settings it will mention that configuration is required. We will need to pick the domain controller (Mirrored to our Gateway) which in our case is one Domain controller.

The second configuration is to choose which NIC with port Mirroring configured on it where the traffic is sent to this NIC (I named it capture for simplicity which is the recommended naming)

That's all what need to be done for the ATA installation for both the Center and Gateway.

In the next part of this series I will start simulating couple of different attacks and how they are detected by Microsoft ATA as well as some common FAQ.

Hope this post was beneficial and see you on the final post in this series.

Microsoft Advanced Threat Analytics (ATA) - Part 1

Posted by Ahmed Nabil | 1 comments»
Due to the changing nature of Cyber Security threats for the last couple of years and the focus on compromising User credentials and identity with different type of attacks as Pass the Hash the need for a new proactive security tool as Microsoft Advanced Threat Analytics (ATA) was a must to be added to any corporate arsenal of tools to detect such type of attacks.

Microsoft Advanced Threat Analytics tool analyze data from three data sources (Active Directory Database, Active Directory Traffic and SIEM solutions) and learn about the entities in your organization and their behavior and then start to detect suspicious events.

Microsoft ATA targets three categories of Risks

  1. Security Issues and Risks (Broken Trust, Weak Protocols and known Protocol vulnerabilities)
  2. Malicious Attacks (Pass the Hash, Pass the Ticket, BruteForce........etc)
  3. Abnormal Behavior (Suspicious activities, Password sharing, lateral movement.......etc)
Microsoft Recommends around 3-4 weeks for the ATA engine to learn about your environment and start detecting abnormal behavior, latest MS Office well this is for the 3rd category (abnormal Behavior), as for the first and second category (Security Risk and Malicious attacks) this will be done instantly after installation of ATA (Real time)

There are two components in ATA (Gateway and Center), Gateway collects all data using port mirroring and its sent to the Center where all processing occurs.


  1. Capture Data from DCs via Port Mirroring
  2. Listen to Multiple DCs from Multiple Domains
  3. Receive Event from SIEM
  4. Retrieve data from entities in domain
  5. Perform name resolution of network entities
  6. Transfer Relevant data to ATA Center


  1. Manage ATA Gateway Configuration Setting
  2. Receive data from ATA Gateway and store in DB
  3. Detect Suspicious activity and abnormal behavior (Machine Learning)
  4. Provide Web Management Interface
  5. Support Multiple Gateways

What is the ATA Pre-deployment Checklist ?

  1. Configure Port Mirroring from DCs (Domain Controllers) to ATA Gateway.
  2. Create domain User (Read only)
  3. KB2919355/KB2919442 installed on the Gateway machine or VM
  4. ATA Center has 2 static IP addresses
  5. Optional - Deploy Certificates from your internal PKI. For demo only you can use self signed certificates.
  6. ATA Gateway has 2 NICs (Network Cards)
  7. ATA Gateway Account either Local admin account on the ATA Gateway server or member of the ATA built-in Group

In Part 2 I will start deploying ATA and configuring both Gateway and Center machines/VMs.

You can check part 2 from the following link