cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 

ATA Directory Services Account Behavior

Systems_Online0101
Copper Contributor

‎Apr 27 2020 02:02 PM - last edited on ‎Nov 30 2021 09:29 AM by

‎Apr 27 2020 02:02 PM - last edited on ‎Nov 30 2021 09:29 AM by

ATA Directory Services Account Behavior

(please see the two screenshots attached)
Hello. I am seeing a large number of successful 4624 logon type 3 events coming from one of my Windows machines (a non-ATA related server), and the logon account name that continuously appears in the logs is the ATA Directory Services account. The extremely high number of events is generating "LDAP User Login Brute Force Attempt" alerts on my firewall. Two things that I need help understanding are:
(1) What does the ATA Directory services account do exactly? All I can find is that this should be a read-only account used to connect to the AD forest, not much more details are provided in ATA documentation on how it works. Is the account trying to log into all endpoints in my domain to gather information to bring back to the ATA console? I am not sure what it does or how it connects to other systems.

(2) Any ideas why this account is continuously authenticating over and over again on one system? This behavior is only sourcing from one of my Windows servers, my firewall is not alerting it from anywhere else, only this one system. (please see the two screenshots attached)

Preview file
19 KB
Preview file
24 KB
1,913 Views
0 Likes
4 Replies
Reply
4 Replies
Gerson Levitz

‎May 03 2020 01:04 AM

‎May 03 2020 01:04 AM

Re: ATA Directory Services Account Behavior

Hi @Systems_Online0101 

 

This the Gateway is querying the machines on the network to get a list of members of the local administrators group. This information is used for ATA to understand when a there is a potential lateral movement path (LMP)

 

When a sensitive user logs in to a machine ATA will calculate if there is a potential LMP and the membership of the local administrator group from the machines on the network are required. 

For more information on LMP see - https://docs.microsoft.com/en-us/advanced-threat-analytics/use-case-lateral-movement-path

 

Best 

Gershon [MSFT]

0 Likes
Reply
killerfoxx

‎May 14 2020 06:55 PM

‎May 14 2020 06:55 PM

Re: ATA Directory Services Account Behavior

Try running wireshark and see what is going on with your browser I had issues with LAPD previouosly but wireshark helps in letting you know whats going on and its free:)@Systems_Online0101 

0 Likes
Reply
Systems_Online0101

‎Jun 02 2020 07:15 AM

‎Jun 02 2020 07:15 AM

Re: ATA Directory Services Account Behavior

@Gerson LevitzThank you!

0 Likes
Reply
Systems_Online0101

‎Jun 02 2020 07:15 AM

‎Jun 02 2020 07:15 AM

Re: ATA Directory Services Account Behavior

@killerfoxxOk thanks for the tip!

0 Likes
Reply