Finally got to the first upgrade from ATA 1.8 to ATA 1.9 , so Windows Update
And first change , no option to retain data only partial data migrated this is afaik new for 1.9
And running
3-4 minutes later and we are upgraded
and portal can see out of data gateways
and from the time to took to drill down first agent was updated
first major change noticed is adding custom groups to monitor for changes , very welcome change
Time to play
Had a talk the other day with a friend around domain controllers , we talked about how fast many orgs would actually detect a new domain controller , and if they did how fast
As this is a normal operation its not flagged by ATA , but it would be a very nice feature to add ( as far as i can see , this is a new install so no 30 days ML with admin behavior) , ATA should detect a admin logging on to a new server but need to test on a aged system
There is most likely a lot of eventlog hints of new domain controllers added need to examine for them also
Adding a new domain controller
We can see the new object as domain controller
Adding Domain Controllers Group to Sensitive Groups could h
So we could get a report like this if a DC was added could be a very good feature
Or list domain controllers not monitored by ATA
Detecting Domain Controllers being added
One method could be to use @LazyWinAdm
https://github.com/lazywinadmin/Monitor-ADGroupMembership
Running
.\Monitor-ADGroupMembership.ps1 -group “Domain Controllers” -Emailfrom [email protected] -Emailto “[email protected]” -EmailServer 10.0.0.51 –Verbose
on a rapid schedule
First run find the now 2 domain controllers
And we will now get a email alart when a new domain controller is added or removed
Thycotic made a free tool available to check for bad password in Active Directory
UNCOVER YOUR MOST VULNERABLE SECURITY GAPS: FREE WEAK PASSWORD FINDER FOR ACTIVE DIRECTORY
https://thycotic.com/solutions/free-it-tools/
If we dig into the about file
The core functionality of this product has been inspired by Jakob Heidelberg https://www.linkedin.com/in/heidelberg and developed by Michael Grafnetter https://www.linkedin.com/in/grafnetter.
We can see where the inspiration and development came from , and thank you to Thycotic for making this tool available for free
This is just a quick drill through with the detection from Advanced Threat Analytics
![clip_image002[1]](http://flemmingriis.com/wp-content/uploads/2017/01/clip_image0021.jpg "clip_image002[1]")
Running on a member server pointing to DC and Domain
![clip_image004[1]](http://flemmingriis.com/wp-content/uploads/2017/01/clip_image0041.jpg "clip_image004[1]")
Using the overpowered administrator i have logged on with
![clip_image006[1]](http://flemmingriis.com/wp-content/uploads/2017/01/clip_image0061.jpg "clip_image006[1]")
and ready to scan
![clip_image008[1]](http://flemmingriis.com/wp-content/uploads/2017/01/clip_image0081.jpg "clip_image008[1]")
Looking through all AD objects
![clip_image010[1]](http://flemmingriis.com/wp-content/uploads/2017/01/clip_image0101.jpg "clip_image010[1]")
And reporting time
![clip_image012[1]](http://flemmingriis.com/wp-content/uploads/2017/01/clip_image0121.jpg "clip_image012[1]")
Something very pretty to present to security/management
![clip_image014[1]](http://flemmingriis.com/wp-content/uploads/2017/01/clip_image0141.jpg "clip_image014[1]")
with 26 items on the todo list to fix
![clip_image016[1]](http://flemmingriis.com/wp-content/uploads/2017/01/clip_image0161.jpg "clip_image016[1]")
and to the point of the post , Microsoft Advanced Threat Analytics catches the non standard replication
When time permits further digging in the tool , for production enviroment i would always run this in a restored domain controller without network access even though i trust the people involved in this
The last few days we seen very public attacks on unsecured MongoDB databases exposed directly to the internet
http://www.theregister.co.uk/2017/01/09/mongodb/
and respons from MondoDB
https://www.mongodb.com/blog/post/how-to-avoid-a-malicious-attack-that-ransoms-your-data
These attacks are preventable with the extensive security protections built into MongoDB. You need to use these features correctly, and our security documentation will help you do so. Here are pointers to the relevant documentation and other useful resources:
and a reference to their securty manual on how to secure mongodb
So was looking on where we are using mongodb and found our Advanced Thread Analytics install , this isnt internet connected but a internal attack wiping the database could be bad enough so we looked
Local Host listener only
and doublecheck in the mongod config file
And the only acceptable result , secure by default , thx Microsoft and MongoDB
Microsoft is keeping the fast pace with update to the star of their “classic” AD security solution
So we saw version 1.7 drop yesterday
New Major Features are
· Role based access control.
· Windows Server core support.
· Reconnaissance using Directory Services Enumeration detection.
· Pass-the-Ticket detections enhancements.
Unusual Protocol Implementation detection enhancements
Link : https://support.microsoft.com/en-us/kb/3185481
Personally we are looking fwd to RBAC its a major improvement for the majority of our customers and highly requested
Starting the install , we are upgrading fra 1.6.1 , we have a few enviroments on 1.4 and there is NO direct upgrade to 1.7
At upgrade we can either upgrade the whole database or do a partial migration , we opted for partial as having ATA offline for a longer duration wasnt a option , the database is placed on SSD so its unlikely it will take a day but we will test that in another enviroment
Sucess
New UX for updating agent and improved progress indicator
And we now have a few new security groups
This now means we can give auditors access to the enviroment without handing them the keys to the kingdom 