my personal blog about systemcenter

All posts in Advanced Threat Analytics

Count your Domain Controllers Often and Always

Categories: Active Directory, AD, Advanced Threat Analytics, ATA, Security
Comments Off on Count your Domain Controllers Often and Always

Had a talk the other day with a friend around domain controllers , we talked about how fast many orgs would actually detect a new domain controller , and if they did how fast

As this is a normal operation its not flagged by ATA , but it would be a very nice feature to add ( as far as i can see , this is a new install so no 30 days ML with admin behavior) , ATA should detect a admin logging on to a new server but need to test on a aged system

There is most likely a lot of eventlog hints of new domain controllers added need to examine for them also


Adding a new domain controller


We can see the new object as domain controller


Adding Domain Controllers Group to Sensitive Groups could h


So we could get a report like this if a DC was added could be a very good feature


Or list domain controllers not monitored by ATA

Detecting Domain Controllers being added

One method could be to use @LazyWinAdm


.\Monitor-ADGroupMembership.ps1 -group “Domain Controllers” -Emailfrom [email protected] -Emailto “[email protected]” -EmailServer –Verbose

on a rapid schedule



First run find the now 2 domain controllers


And we will now get a email alart when a new domain controller is added or removed

Thycotis Weak Password Finder and Microsoft Advanced Threat Analytics

Categories: Active Directory, Advanced Threat Analytics, ATA, Thycotic
Comments Off on Thycotis Weak Password Finder and Microsoft Advanced Threat Analytics

Thycotic made a free tool available to check for bad password in Active Directory


If we dig into the about file

The core functionality of this product has been inspired by Jakob Heidelberg and developed by Michael Grafnetter

We can see where the inspiration and development came from , and thank you to Thycotic for making this tool available for free

This is just a quick drill through with the detection from Advanced Threat Analytics


Running on a member server pointing to DC and Domain


Using the overpowered administrator i have logged on with


and ready to scan


Looking through all AD objects


And reporting time


Something very pretty to present to security/management


with 26 items on the todo list to fix


and to the point of the post , Microsoft Advanced Threat Analytics catches the non standard replication

When time permits further digging in the tool , for production enviroment i would always run this in a restored domain controller without network access even though i trust the people involved in this

MongoDB and Microsoft Advanced Threat Analyties and Secure by Default

Categories: Advanced Threat Analytics, ATA, MONGODB, Ransomware
Comments Off on MongoDB and Microsoft Advanced Threat Analyties and Secure by Default

The last few days we seen very public attacks on unsecured MongoDB databases exposed directly to the internet

MongoDB ransom attacks soar, body count hits 27,000 in hours

and respons from MondoDB

These attacks are preventable with the extensive security protections built into MongoDB. You need to use these features correctly, and our security documentation will help you do so. Here are pointers to the relevant documentation and other useful resources:

and a reference to their securty manual on how to secure mongodb

So was looking on where we are using mongodb and found our Advanced Thread Analytics install , this isnt internet connected but a internal attack wiping the database could be bad enough so we looked


Local Host listener only


and doublecheck in the mongod config file

And the only acceptable result , secure by default , thx Microsoft and MongoDB