All: Apologies if you see this more than once. I posted to the Technet > Security > Advanced Threat Analytics forum as well. I am curious if those of you who are testing MS ATA are experiencing any of the issues that I am.
· I have installed and have been testing the ATA in a test AD Forest. I have successfully tested against the honey token account and DNS Reconnaissance.
I am now testing for Pass-the-ticket detection that is touted on the Microsoft ATA announcement pages. I used MimiKatz on one server to obtain a ticket of the Domain Admin account performing a CIFS session to a DC $ADMIN share and transferred it to another machine logged in as a non Domain Admin account. I then was able to use Mimikatz to replay that token and then access the DC's directory and copy a sensitive file from the NTDS folder. ATA did not report any such behavior. If I understand the ATA correctly, it should have discovered PTT and reported it. Based upon the documentation, it just magically works when you set up the ATA.
I also performed several simple bind tests using ldp.exe to a Domain Controller in my test forest and it was still not detected by the MS ATA, which is also something that is touted and is just supposed to work.
What am I missing here? the only thing I did not do was grant the ATA GW access to the client computers in the Domain. Since we are a large Enterprise, it would be difficult to get that kind of by-in from all depts.
It was touted to be so easy to set up at Ignite.
Any idea what I could be doing wrong?