Generating alerts


Hi all,

 

We've started rolling out EMS5 to our users, and have deployed the ATP Sensor on our DCs. The daily reports are working as expected but we have yet to see an alert. I've tried the FAQ trick of running nslookup against the DC but no joy. Anyone got any ways to trigger an alert within AATP?

Oh, AATP has been running for about 5 days.

12 Replies

Hi,

 

The easiest way to generate an alert is to do DNS recon against the Domain Controller - which is protected by the AATP Sensor.

 

Let me know if you require more information.

 

Thanks,

Itay


Are there any health alerts on the portal? If yes, what are they?


Hey Itay,

 

We have no errors in the workspace. I can see the sensors are checking in, so I believe there is no communication issue. I can also see the reports are getting updated with current information.

I've tried a very basic nslookup recon process, with no joy. If you are able to provide a method that will trigger something, I'm happy to have a look at it.


I got a high priority alert after setting up AATP when I used this command: mstsc /v computername /remoteguard

 

My intention was to connect to another computer (where I have admin privileges) by remote desktop, but without exposing my credentials to that computer. AATP really got worried about me skating on my Kerberos ticket like that.


What happened? Did it alert on Pass The Ticket, claiming the ticket was stolen from your source computer to the remote host?

Yes, that's exactly what happened. I decided to stop using mstsc with /remoteguard rather than generate false positives, or disable meaningful alerts.

Thanks for letting me know, we will check if we can spot that as a false positive...

(although technically you might say it's a benign true)


Hi Joe, John,

 

It is an FP/B-TP that is caused by Remote Credential Guard.

With Remote Credential Guard, the RDP client copies its original TGT to the RDP server so the user can use this TGT for requesting other TGSs. The new TGSs look like PTT because their parent TGT was created from the RDP client.

It is in our backlog to exclude this case and not trigger PTT.

 

Regarding the DNS recon - are you trying it against a DNS server which is on a DC that is covered by a Sensor?

 

Thanks,

Tali

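As an added illustration (not Azure ATP's code; the event fields, in particular a per-request TGT id, are assumptions), here is a simplified version of the heuristic Tali describes above: a service-ticket request that reuses a TGT obtained on a different host looks like Pass-the-Ticket, and a known Remote Credential Guard RDP session between those two hosts is the benign case a defender would want suppressed rather than alerted on.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class KerberosEvent:
    kind: str    # "AS_REQ" (a TGT is issued) or "TGS_REQ" (a service ticket is requested)
    user: str
    host: str    # client address the DC saw the request come from
    tgt_id: str  # which TGT the request was issued under (assumed field, not a real event attribute)

@dataclass(frozen=True)
class RdpSession:
    user: str
    client: str
    server: str
    remote_guard: bool  # session opened with mstsc /remoteguard (Remote Credential Guard)

def tgt_origins(events):
    """Map each TGT id to the host that originally obtained it (AS_REQ)."""
    return {e.tgt_id: e.host for e in events if e.kind == "AS_REQ"}

def detect_ptt(events, rdp_sessions=()):
    """Flag TGS requests that reuse a TGT obtained on a different host.
    Returns (alerts, suppressed); each hit is (user, tgt_origin_host, requesting_host).
    A hit is suppressed when a Remote Credential Guard session from the origin host
    to the requesting host explains the move (the benign case described above)."""
    origin = tgt_origins(events)
    rcg = {(s.user, s.client, s.server) for s in rdp_sessions if s.remote_guard}
    alerts, suppressed = [], []
    for e in events:
        if e.kind != "TGS_REQ":
            continue
        src = origin.get(e.tgt_id)
        if src is None or src == e.host:
            continue  # unknown TGT, or the same host that obtained it
        hit = (e.user, src, e.host)
        (suppressed if hit in rcg else alerts).append(hit)
    return alerts, suppressed

# Constructed sample: alice logs on at WS1 (TGT t1) and then runs
# "mstsc /v SRV1 /remoteguard"; SRV1 requests service tickets under t1.
# bob's TGT t2 shows up on WS9 with no RDP session explaining it.
SAMPLE_EVENTS = [
    KerberosEvent("AS_REQ", "alice", "WS1", "t1"),
    KerberosEvent("TGS_REQ", "alice", "WS1", "t1"),
    KerberosEvent("TGS_REQ", "alice", "SRV1", "t1"),
    KerberosEvent("AS_REQ", "bob", "WS2", "t2"),
    KerberosEvent("TGS_REQ", "bob", "WS9", "t2"),
]
RCG_SESSIONS = [RdpSession("alice", "WS1", "SRV1", True)]
```

Without the RDP session list both hits alert, which is the behaviour the thread describes; with it, alice's hit moves to the suppressed list while bob's unexplained ticket reuse still alerts.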
Hey All, finally got an alert. Turns out if you send 12+ authentication requests from a single server within 10 seconds... you get an LDAP bind alert.

Hello!

Tried simulating the sensitive group alert but did not get any alert when adding users to Domain Admins etc... The actions are shown if I search for the user from the top-right search bar, but it does not alert in the timeline.
Why is that?


Hi @Mtee-,

Suspicious modifications of sensitive groups requires a learning period of 4 weeks per DC.

The detection relies on events audited on domain controllers. Make sure your domain controllers are auditing the events needed.

 

Do you see any data in the Modification to sensitive groups report?

 

Thanks,

Tali

Hello.

Thank you for the reply. Apparently my issue is the 4-week learning period.
I created the AATP instance a week ago, so that is the reason.