ATA Directory Services Account Behavior


(please see the two screenshots attached)
Hello. I am seeing a large number of successful 4624 logon type 3 events coming from one of my Windows machines (a non-ATA related server), and the logon account name that continuously appears in the logs is the ATA Directory Services account. The extremely high number of events is generating "LDAP User Login Brute Force Attempt" alerts on my firewall. Two things that I need help understanding are:
(1) What does the ATA Directory Services account do exactly? All I can find is that this should be a read-only account used to connect to the AD forest; not many more details are provided in the ATA documentation on how it works. Is the account trying to log into all endpoints in my domain to gather information to bring back to the ATA console? I am not sure what it does or how it connects to other systems.

(2) Any ideas why this account is continuously authenticating over and over again on one system? This behavior is only sourcing from one of my Windows servers; my firewall is not alerting on it from anywhere else, only this one system. (please see the two screenshots attached)


Hi @Johann Terc

This is the Gateway querying the machines on the network to get a list of members of the local administrators group. This information is used by ATA to understand when there is a potential lateral movement path (LMP).

When a sensitive user logs in to a machine, ATA will calculate if there is a potential LMP, and the membership of the local administrator group from the machines on the network is required.

For more information on LMP see - https://docs.microsoft.com/en-us/advanced-threat-analytics/use-case-lateral-movement-path

Best

Gershon [MSFT]
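A triage check for the situation described in the question and answer above: group the successful 4624 logon type 3 events on the affected server by account and source address, and treat the Directory Services account as expected only when the source is a known ATA Gateway. This is an added example, not code from the thread or from ATA; the account name "svc-ata-ds", the Gateway address and the key=value export format of the sample lines are assumptions.

```python
"""Triage of Windows 4624 logon type 3 (network) events on one host.

Added example, not code from the original thread or from ATA. It assumes the
Security log has been exported to one key=value line per event (field names
follow the 4624 event schema), that the ATA Directory Services account is named
"svc-ata-ds" and that the ATA Gateway hosts have the IPs listed below; these
names and the sample lines are constructed for the example.
"""
from collections import Counter

ATA_DS_ACCOUNT = "svc-ata-ds"   # assumed account name
ATA_GATEWAY_IPS = {"10.0.0.5"}  # assumed Gateway addresses

# Constructed sample: the Gateway enumerating local admins repeatedly
# (expected), the same account from an unexpected source, and other accounts.
SAMPLE_EVENTS = """\
EventID=4624 LogonType=3 TargetUserName=svc-ata-ds IpAddress=10.0.0.5
EventID=4624 LogonType=3 TargetUserName=svc-ata-ds IpAddress=10.0.0.5
EventID=4624 LogonType=3 TargetUserName=svc-ata-ds IpAddress=10.0.0.5
EventID=4624 LogonType=3 TargetUserName=svc-ata-ds IpAddress=10.0.0.77
EventID=4624 LogonType=2 TargetUserName=jdoe IpAddress=-
EventID=4624 LogonType=3 TargetUserName=backup IpAddress=10.0.0.9
EventID=4625 LogonType=3 TargetUserName=svc-ata-ds IpAddress=10.0.0.5
"""

def parse_events(text):
    """Parse key=value lines into dicts, skipping blank lines."""
    return [dict(kv.split("=", 1) for kv in line.split())
            for line in text.splitlines() if line.strip()]

def classify(user, ip, count, threshold):
    """Decide whether an (account, source) pair of network logons is expected."""
    if user == ATA_DS_ACCOUNT:
        # The DS account should only ever log on from a Gateway; any other
        # source is a credential-misuse signal regardless of volume.
        if ip in ATA_GATEWAY_IPS:
            return "expected-lmp-enumeration"
        return "ds-account-unexpected-source"
    return "investigate-volume" if count >= threshold else "low-volume"

def summarize_network_logons(events, threshold=3):
    """Count successful type-3 logons per (account, source IP) and classify."""
    counts = Counter((ev["TargetUserName"], ev["IpAddress"]) for ev in events
                     if ev.get("EventID") == "4624" and ev.get("LogonType") == "3")
    return {key: (n, classify(key[0], key[1], n, threshold))
            for key, n in counts.items()}

if __name__ == "__main__":
    for (user, ip), (n, verdict) in summarize_network_logons(parse_events(SAMPLE_EVENTS)).items():
        print(f"{user:12} {ip:12} {n:4d}  {verdict}")
```

Only successful network logons (4624, type 3) are counted; failed logons (4625) and interactive logons are excluded so the numbers match what the firewall is reacting to.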


Try running Wireshark and see what is going on with your browser. I had issues with LDAP previously, but Wireshark helps in letting you know what's going on, and it's free :) @Johann Terc

@Gerson Levitz Thank you!

@killerfoxx Ok thanks for the tip!