Closed Mirabis closed 4 years ago
Removing the ATA installation from the DC, rebooting and triggering 'install-microsoft-ata.ps1' from the wef machine gives the following:
Manually downloading it and copying commands out of the .PS1 I get the following:
Waiting a while for it to start I continued with the remainder of the commands on WEF:
Seems like an SSL validation issue, so I checked the rest of the code and tried to re-add the 'SSLValidator'
After this and a little debugging I located a different PowerShell snippet to disable the CertificatePolicy (instead of the ServerCertificateValidationCallback) and was able to get it working:
```powershell
# Replaces the default certificate policy for this PowerShell process with one
# that accepts every server certificate, regardless of chain, name or expiry.
# Note: this is process-wide, so every HTTPS call made from this session
# (not just the ATA Center requests) skips validation; lab use only.
add-type @"
using System.Net;
using System.Security.Cryptography.X509Certificates;
public class TrustAllCertsPolicy : ICertificatePolicy {
    public bool CheckValidationResult(
        ServicePoint srvPoint, X509Certificate certificate,
        WebRequest request, int certificateProblem) {
        // certificateProblem is non-zero when .NET found a problem with the
        // certificate; returning true here ignores it unconditionally.
        return true;
    }
}
"@
[System.Net.ServicePointManager]::CertificatePolicy = New-Object TrustAllCertsPolicy
```
The UI also shows the correct information now:
Unfortunately all those steps still did not fix the initial issue. The Gateway logs are full of errors related to access rights: "System.UnauthorizedAccessException: Attempted to perform an unauthorized operation."
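The snippet above gets the install script past the self-signed ATA Center certificate, but it also makes the whole PowerShell session trust any certificate on any host. The following is an added example, not code from the issue or from the DetectionLab project: it keeps the same ICertificatePolicy mechanism the snippet uses (so it works in the same Windows PowerShell / .NET Framework environment) but accepts only one known certificate, identified by its SHA-1 thumbprint. The thumbprint value, the certificate store location and the subject filter used to look it up are assumptions and must be replaced with the real values from the lab ATA Center.

```powershell
# Added example: pin the self-signed ATA Center certificate by thumbprint instead
# of trusting every certificate. Not part of the original issue or of DetectionLab.

# ASSUMPTION: the thumbprint of the lab ATA Center certificate. On the ATA Center
# host it can be read from the machine store, e.g. (subject filter is assumed):
#   (Get-ChildItem Cert:\LocalMachine\My | Where-Object Subject -like '*ATACenter*').Thumbprint
$ExpectedThumbprint = '0000000000000000000000000000000000000000'   # placeholder, replace

Add-Type @"
using System;
using System.Net;
using System.Security.Cryptography.X509Certificates;

public class PinnedCertPolicy : ICertificatePolicy {
    private readonly string _thumbprint;

    public PinnedCertPolicy(string thumbprint) {
        _thumbprint = thumbprint.Replace(" ", "").ToUpperInvariant();
    }

    public bool CheckValidationResult(
        ServicePoint srvPoint, X509Certificate certificate,
        WebRequest request, int certificateProblem) {
        // certificateProblem == 0 means the chain validated normally; keep that.
        if (certificateProblem == 0) { return true; }
        // Anything else is accepted only if it is exactly the pinned certificate.
        if (certificate == null) { return false; }
        string presented = new X509Certificate2(certificate).Thumbprint;
        return string.Equals(presented, _thumbprint, StringComparison.OrdinalIgnoreCase);
    }
}
"@

[System.Net.ServicePointManager]::CertificatePolicy =
    New-Object PinnedCertPolicy -ArgumentList $ExpectedThumbprint

# After this, a request to the ATA Center succeeds with the pinned self-signed cert,
# while a request to any other host presenting an untrusted cert still fails.
```

Any other untrusted certificate still produces the usual "Could not establish trust relationship" error, which is the behaviour you want if the same session later talks to anything outside the lab. Like the original snippet, this only affects the current PowerShell process.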
I seem to be unable to reproduce this. I just spun up the lab in Azure and did the following:
Logged into ATA, everything looks OK
From win10, ran nslookup, then ls -d windomain.local
Also did a dcsync via:
c:\tools\mimikatz\x64\mimikatz.exe
lsadump::dcsync /domain:windomain.local /user:krbtgt
Let me dig through the logs you've attached and see if anything sticks out
For what it's worth, I have a bunch of those "Attempted to perform an unauthorized operation." errors and everything seems to be working fine. If you get a chance to spin this up in Azure again, I would be really curious to see if you run into the same issue or if it was intermittent.
It looks like that log is likely related to ATA trying to read an eventlog channel that it doesn't have permission to access.
I will spin up a new environment later today to check and report back.
I pulled all changes in today and re-ran the entire Terraform/Ansible deployment. This time it correctly added both machines to the Domain and the Advanced Threat Protection installation was completed without manual intervention. However:
What data/info would you need to assist?
--------------- EDIT
It took a long while .. 5-10 min between performing the activity to showing up in the dashboard.
Yeah, there's definitely a delay with ATA - not sure how to troubleshoot that, I'm guessing it's primarily due to the low RAM/CPU on the DC backing the lightweight gateway. I don't think there's a workaround other than to give it a beefier box.
Re: the other issues:
Licensing volume is an issue but I now added a Dev license to fix that;
I'll open an issue to try to keep indexing under 500mb per day and see if there's more noise I can cut down to prevent license violations.
ThreatHunter dashboard stays empty
I noticed this recently as well. Will open an issue for this.
Tried BadBlood to see if stats update, it shows new group/user stats but no detections still.
I don't think there would be detections for adding a bunch of new users and groups to the domain. What type of detections are you expecting to see from running BadBlood?
I'm going to close this issue because I think the problem being described in it has been resolved and may have been intermittent.
I've opened up the following new issues based on your most recent comment:
Thanks for reporting these and feel free to open any new issues you come across!
I'm aware I'm responding to a closed ticket, but: I was not expecting detections from BadBlood. I was just checking whether it would show the updates in User, Group, Computer counts as a way to confirm the stats do update. If they did not update, it was just not receiving any info; if they did update, it was just not receiving any malicious activity notifications from earlier actions (dcsync, dump, Cobalt Strike beacons etc.).
Ah, I see what you're saying - the ATA console doesn't show the additional users? I wonder if maybe it doesn't count them unless they get logged into?
Ah no, it did show the new updated count for users, groups and computers. That was my way of confirming it does receive information from the gateway. So from that point on I was more focused on why it did not show any detections as a second debugging step.
Please verify that you are building from an updated Master branch before filing an issue. = DONE
Description of the issue:
Microsoft ATA Logs stay empty. I've deployed multiple times and had the following results:
To trigger events I ran mimikatz, Cobalt Strike stagers etc.... nothing. Splunk dashboard for Threat Analytics is empty, but the indexes are populated if I do manual searches. Seems like something in deployment goes wrong.
Link to Gist Containing Ansible Logs:
Link: https://gist.github.com/Mirabis/274a987d2a90e4b1965145882b7ee951 ATA installation failed and I did it again, after which it was successful (according to ansible), but the problem remained. Do note: task "Disabling Windows Defender automatic sample submission" was added manually after 2-3 tries because the GPO did not seem to take effect immediately. No further changes to master code were made.
ATA Logs
Microsoft.Tri.Gateway-Errors.log
Microsoft.Tri.Gateway.log