Forum Discussion
Not seeing generated threat alerts in ATA
Can you try using one of the tools in Sysinternals for your test? The ATA in my lab is working fine and detecting the lateral movement. If that does not work, I will help troubleshoot your ATA installation.
Did you create a user in your Windows Active Directory, give it permission to read deleted objects, and use that user for ATA to query the environment for information? Also, how well can you say ATA has learnt about the objects in your environment?
- SpeedRacer, May 15, 2017, Brass Contributor
I'm using an existing user, and I've had ATA running in my environment for about two months now, so I believe ATA has had time to learn about the objects in my environment.
Thx
- JIDE-JIMOH, May 16, 2017, MCT
Can we quickly run through your ATA installation? Did you create a honeytoken account? If you did, is it working?
- SpeedRacer, May 17, 2017, Brass Contributor
I do have a honeytoken and I just tried to log into a Windows server with the account (generated a few failed login attempts with it), and I'm waiting for an ATA alert. I'll let you know if I get/don't get one shortly.
Thx