Suspected brute-force attack (Kerberos, NTLM) azure ATP
We have recently installed Azure ATP in few Servers. After that we are getting below alert from those Servers. "Suspected brute-force attack (Kerberos, NTLM) was detected in your company". "An actor on <Server name/IP> generated a suspicious number of failed login attempts on <User name>" Upon checking with the user, we found that the user did logged in to that server at that mentioned time frame, but did not come across any login issue at that time. Can anybody assist how to proceed for such alerts?Using gMSA with ATP results in many 2947 events
We have an ATP deployment with several domains and different Trusts. We have 3 different credentials in use, 2 x 'ordinary' service accounts and 1 x gMSA. On the DCs in the domain where the gMSA is hosted the "Directory Service" event logs are full of 2947 events ("An attempt to fetch the password of a group managed service account failed.") for the gMSA. The source computers for these events are computers in other domains with the ATP sensor installed. Is there any way of filtering which credentials are used by the sensors in a given domain? The deluge of 2947 events is making it difficult to find useful information in the logs of the affected DCs.
ATP and group managed service account not working on RODC
We have ATP sensors set up on our domain controllers. A group managed service account (gMSA) is being used. There are a few read only domain controllers that can't seem to read the password, even though the servers are in the group that can read the GMSA user password. The GMSA account is set with permissions for 'log in as service'. Any suggestions on what to look for? Errors from the sensor log: 2020-09-14 22:02:11.7896 Debug DirectoryServicesClient SetState Creating 2020-09-14 22:02:11.8346 Info ImpersonationManager CreateImpersonatorAsync started [UserName=<MSA-ACCOUNT> IsGroupManagedServiceAccount=True] 2020-09-14 22:02:11.8846 Info ImpersonationManager CreateImpersonatorAsync finished [UserName=<MSA-ACCOUNT> IsSuccess=False] 2020-09-14 22:02:11.8846 Warn DirectoryServicesClient CreateLdapConnectionAsync failed to retrieve group managed service account password. [DomainControllerDnsName=servername.domain.corp Domain=domain.corp UserName=<MSA-ACCOUUNT> ] 2020-09-14 22:02:12.0846 Error DirectoryServicesClient+<CreateLdapConnectionAsync>d__38 Microsoft.Tri.Infrastructure.ExtendedException: CreateLdapConnectionAsync failed [DomainControllerDnsName=<serverwhereATPfailing.domain.corp] at async Task<LdapConnection> Microsoft.Tri.Sensor.DirectoryServicesClient.CreateLdapConnectionAsync(DomainControllerConnectionData domainControllerConnectionData, bool isGlobalCatalog, bool isTraversing) at async Task<bool> Microsoft.Tri.Sensor.DirectoryServicesClient.TryCreateLdapConnectionAsync(DomainControllerConnectionData domainControllerConnectionData, bool isGlobalCatalog, bool isTraversing) 2020-09-14 22:02:12.0946 Error DirectoryServicesClient Microsoft.Tri.Infrastructure.ExtendedException: Failed to communicate with configured domain controllers at new Microsoft.Tri.Sensor.DirectoryServicesClient(IConfigurationManager configurationManager, IDomainNetworkCredentialsManager domainNetworkCredentialsManager, IImpersonationManager impersonationManager, IMetricManager metricManager, IWorkspaceApplicationSensorApiJsonProxy workspaceApplicationSensorApiJsonProxy) at object lambda_method(Closure, object[]) at object Autofac.Core.Activators.Reflection.ConstructorParameterBinding.Instantiate() at void Microsoft.Tri.Infrastructure.ModuleManager.AddModules(Type[] moduleTypes) at new Microsoft.Tri.Sensor.SensorModuleManager() at ModuleManager Microsoft.Tri.Sensor.SensorService.CreateModuleManager() at async Task Microsoft.Tri.Infrastructure.Service.OnStartAsync() at void Microsoft.Tri.Infrastructure.TaskExtension.Await(Task task) at void Microsoft.Tri.Infrastructure.Service.OnStart(string[] args)
Unable to install azure ATP sensor on DCs. Could not load file or assembly 'Ben.Demystifier, V
[08A4:25DC][2020-02-15T14:32:46]i001: Burn v3.11.0.1701, Windows v10.0 (Build 14393: Service Pack 0), path: C:\Users\AAWESH~2\AppData\Local\Temp\{4DF4837A-FAC5-45E1-8CF7-65C865EC14F1}\.cr\Azure ATP Sensor Setup.exe [08A4:25DC][2020-02-15T14:32:46]i000: Initializing hidden variable 'AccessKey' [08A4:25DC][2020-02-15T14:32:46]i000: Initializing hidden variable 'ProxyConfiguration' [08A4:25DC][2020-02-15T14:32:46]i000: Initializing hidden variable 'ProxyUserPassword' [08A4:25DC][2020-02-15T14:32:46]i000: Initializing string variable 'NetFrameworkCommandLineArguments' to value '/passive /showrmui' [08A4:25DC][2020-02-15T14:32:46]i009: Command Line: '"-burn.clean.room=C:\Windows\ccmcache\10\Azure ATP Sensor Setup.exe" -burn.filehandle.attached=544 -burn.filehandle.self=632' [08A4:25DC][2020-02-15T14:32:46]i000: Setting string variable 'WixBundleOriginalSource' to value 'C:\Windows\ccmcache\10\Azure ATP Sensor Setup.exe' [08A4:25DC][2020-02-15T14:32:46]i000: Setting string variable 'WixBundleOriginalSourceFolder' to value 'C:\Windows\ccmcache\10\' [08A4:25DC][2020-02-15T14:32:46]i000: Setting string variable 'WixBundleLog' to value 'C:\Users\AAWESH~2\AppData\Local\Temp\Azure Advanced Threat Protection Sensor_20200215143246.log' [08A4:25DC][2020-02-15T14:32:46]i000: Setting string variable 'WixBundleName' to value 'Azure Advanced Threat Protection Sensor' [08A4:25DC][2020-02-15T14:32:46]i000: Setting string variable 'WixBundleManufacturer' to value 'Microsoft Corporation' [08A4:25DC][2020-02-15T14:32:47]i000: Loading managed bootstrapper application. [08A4:25DC][2020-02-15T14:32:47]i000: Creating BA thread to run asynchronously. [08A4:25DC][2020-02-15T14:32:47]i100: Detect begin, 5 packages [08A4:25DC][2020-02-15T14:32:47]i000: 2020-02-15 09:02:47.4352 Debug DeploymentModel DetectDeploymentAction DetectBegin [\[]Installed=False[\]] [08A4:25DC][2020-02-15T14:32:47]i000: Registry key not found. Key = 'SOFTWARE\Microsoft\Windows\CurrentVersion\Component Based Servicing\Packages\Package_1_for_KB4019990~31bf3856ad364e35~amd64~~6.1.1.2' [08A4:25DC][2020-02-15T14:32:47]i000: Setting numeric variable 'Kb4019990Windows2008R2Exists' to value 0 [08A4:25DC][2020-02-15T14:32:47]i000: Registry key not found. Key = 'SOFTWARE\Microsoft\Windows\CurrentVersion\Component Based Servicing\Packages\Package_1_for_KB4019990~31bf3856ad364e35~amd64~~6.2.1.1' [08A4:25DC][2020-02-15T14:32:47]i000: Setting numeric variable 'Kb4019990Windows2012Exists' to value 0 [08A4:25DC][2020-02-15T14:32:47]i000: Setting string variable 'NetFrameworkRegistryValue' to value '528049' [08A4:25DC][2020-02-15T14:32:47]i000: Setting string variable 'ServerLevelsServerCoreRegistryValue' to value '1' [08A4:25DC][2020-02-15T14:32:47]i000: Setting string variable 'ServerLevelsServerGuiShellRegistryValue' to value '1' [08A4:25DC][2020-02-15T14:32:47]i052: Condition 'Kb4019990Windows2008R2Exists' evaluates to false. [08A4:25DC][2020-02-15T14:32:47]i052: Condition 'Kb4019990Windows2012Exists' evaluates to false. [08A4:25DC][2020-02-15T14:32:47]i052: Condition 'NetFrameworkRegistryValue >= 460798' evaluates to true. [08A4:25DC][2020-02-15T14:32:47]i052: Condition 'NetFrameworkRegistryValue >= 460798' evaluates to true. [08A4:25DC][2020-02-15T14:32:47]i101: Detected package: Kb4019990Windows2008R2Package, state: Absent, cached: None [08A4:25DC][2020-02-15T14:32:47]i101: Detected package: Kb4019990Windows2012Package, state: Absent, cached: None [08A4:25DC][2020-02-15T14:32:47]i101: Detected package: NetFrameworkPackageServer, state: Present, cached: None [08A4:25DC][2020-02-15T14:32:47]i101: Detected package: NetFrameworkPackageServerCore, state: Present, cached: None [08A4:25DC][2020-02-15T14:32:47]i101: Detected package: MsiPackage, state: Absent, cached: None [08A4:25DC][2020-02-15T14:32:47]i199: Detect complete, result: 0x0 [08A4:3284][2020-02-15T14:32:47]i000: 2020-02-15 09:02:47.4508 Debug DeploymentModel .ctor [\[]DeploymentAction=Install[\]] [08A4:3284][2020-02-15T14:32:47]i000: 2020-02-15 09:02:47.5289 Debug DeploymentModel .ctor [\[]IsAfterRestartAndConfigured=False[\]] [08A4:3284][2020-02-15T14:33:11]i000: 2020-02-15 09:03:11.8095 Error DeploymentModel ValidateCreateSensorAsync System.IO.FileNotFoundException: Could not load file or assembly 'Ben.Demystifier, Version=0.1.0.0, Culture=neutral, PublicKeyToken=a6d206e05440431a' or one of its dependencies. The system cannot find the file specified. File name: 'Ben.Demystifier, Version=0.1.0.0, Culture=neutral, PublicKeyToken=a6d206e05440431a' at Microsoft.Tri.Infrastructure.SanitizationExtension.Sanitize(Exception exception) at Microsoft.Tri.Common.CommunicationWebClient.<SendWithRetryAsync>d__9`1.MoveNext() --- End of stack trace from previous location where exception was thrown --- at System.Runtime.CompilerServices.TaskAwaiter.ThrowForNonSuccess(Task task) at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task) at Microsoft.Tri.Common.CommunicationWebClient.<SendAsync>d__7.MoveNext() --- End of stack trace from previous location where exception was thrown --- at System.Runtime.CompilerServices.TaskAwaiter.ThrowForNonSuccess(Task task) at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task) at Microsoft.Tri.Sensor.Common.WorkspaceApplicationSensorApiDeploymentProxy.<SendAsync>d__5.MoveNext() --- End of stack trace from previous location where exception was thrown --- at System.Runtime.CompilerServices.TaskAwaiter.ThrowForNonSuccess(Task task) at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task) at Microsoft.Tri.Sensor.Deployment.Bundle.UI.DeploymentModel.<ValidateCreateSensorAsync>d__52.MoveNext() WRN: Assembly binding logging is turned OFF. To enable assembly bind failure logging, set the registry value [\[]HKLM\Software\Microsoft\Fusion!EnableLog[\]] (DWORD) to 1. Note: There is some performance penalty associated with assembly bind failure logging. To turn this feature off, remove the registry value [\[]HKLM\Software\Microsoft\Fusion!EnableLog[\]]. failed connecting to service. The issue can be caused by a transparent proxy configuration [\[]WorkspaceApplicationSensorApiEndpoint=Unspecified/amdocssensorapi.atp.azure.com:443[\]] [08A4:3284][2020-02-15T14:33:11]i000: 2020-02-15 09:03:11.8105 Info Model ValidateAsync ValidateCreateSensorAsync returned [\[]validateCreateSensorResult=FailedConnectivity[\]] [08A4:3284][2020-02-15T14:33:53]i000: 2020-02-15 09:03:53.4862 Debug SensorBootstrapperApplication Run Engine.Quit [\[]deploymentResultStatus=1602 isRestartRequired=False[\]] [08A4:25DC][2020-02-15T14:33:53]i500: Shutting down, exit code: 0x642 [08A4:25DC][2020-02-15T14:33:53]i410: Variable: Kb4019990Windows2008R2Exists = 0 [08A4:25DC][2020-02-15T14:33:53]i410: Variable: Kb4019990Windows2012Exists = 0 [08A4:25DC][2020-02-15T14:33:53]i410: Variable: NetFrameworkCommandLineArguments = /passive /showrmui [08A4:25DC][2020-02-15T14:33:53]i410: Variable: NetFrameworkRegistryValue = 528049 [08A4:25DC][2020-02-15T14:33:53]i410: Variable: RebootPending = 0 [08A4:25DC][2020-02-15T14:33:53]i410: Variable: ServerLevelsServerCoreRegistryValue = 1 [08A4:25DC][2020-02-15T14:33:53]i410: Variable: ServerLevelsServerGuiShellRegistryValue = 1 [08A4:25DC][2020-02-15T14:33:53]i410: Variable: WixBundleAction = 5 [08A4:25DC][2020-02-15T14:33:53]i410: Variable: WixBundleElevated = 1 [08A4:25DC][2020-02-15T14:33:53]i410: Variable: WixBundleLog = C:\Users\AAWESH~2\AppData\Local\Temp\Azure Advanced Threat Protection Sensor_20200215143246.log [08A4:25DC][2020-02-15T14:33:53]i410: Variable: WixBundleManufacturer = Microsoft Corporation [08A4:25DC][2020-02-15T14:33:53]i410: Variable: WixBundleName = Azure Advanced Threat Protection Sensor [08A4:25DC][2020-02-15T14:33:53]i410: Variable: WixBundleOriginalSource = C:\Windows\ccmcache\10\Azure ATP Sensor Setup.exe [08A4:25DC][2020-02-15T14:33:53]i410: Variable: WixBundleOriginalSourceFolder = C:\Windows\ccmcache\10\ [08A4:25DC][2020-02-15T14:33:53]i410: Variable: WixBundleProviderKey = {ae513c9a-d60f-4ba4-9bd2-6d5ccae1c9d3} [08A4:25DC][2020-02-15T14:33:53]i410: Variable: WixBundleSourceProcessFolder = C:\Windows\ccmcache\10\ [08A4:25DC][2020-02-15T14:33:53]i410: Variable: WixBundleSourceProcessPath = C:\Windows\ccmcache\10\Azure ATP Sensor Setup.exe [08A4:25DC][2020-02-15T14:33:53]i410: Variable: WixBundleTag = [08A4:25DC][2020-02-15T14:33:53]i410: Variable: WixBundleUILevel = 4 [08A4:25DC][2020-02-15T14:33:53]i410: Variable: WixBundleVersion = 2.0.0.0 [08A4:25DC][2020-02-15T14:33:53]i007: Exit code: 0x642, restarting: No
Azure Advanced Threat Protection Sensor service terminated
Since applying June patches and Azure automatically updating the Azure Advanced Threat Protection Sensor, the service continues to bomb. Anyone else seeing this behavior? The Azure Advanced Threat Protection Sensor service terminated unexpectedly. It has done this 31 time(s). The following corrective action will be taken in 5000 milliseconds: Restart the service. App event Application: Microsoft.Tri.Sensor.exe Framework Version: v4.0.30319 Description: The process was terminated due to an unhandled exception. Exception Info: System.Net.Sockets.SocketException at System.Net.Sockets.Socket.EndReceive(System.IAsyncResult) at System.Net.Sockets.NetworkStream.EndRead(System.IAsyncResult) Exception Info: System.IO.IOException at System.Net.Sockets.NetworkStream.EndRead(System.IAsyncResult) at Microsoft.Tri.Infrastructure.TaskExtension.UnsafeAsyncCallback[[System.Int32, mscorlib, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089]](System.IAsyncResult, System.Func`2<System.IAsyncResult,Int32>, Microsoft.Tri.Infrastructure.TaskCompletionSourceWithCancellation`1<Int32>) at System.Net.LazyAsyncResult.Complete(IntPtr) at System.Threading.ExecutionContext.RunInternal(System.Threading.ExecutionContext, System.Threading.ContextCallback, System.Object, Boolean) at System.Threading.ExecutionContext.Run(System.Threading.ExecutionContext, System.Threading.ContextCallback, System.Object, Boolean) at System.Threading.ExecutionContext.Run(System.Threading.ExecutionContext, System.Threading.ContextCallback, System.Object) at System.Net.ContextAwareResult.Complete(IntPtr) at System.Net.LazyAsyncResult.ProtectedInvokeCallback(System.Object, IntPtr) at System.Net.Sockets.BaseOverlappedAsyncResult.CompletionPortCallback(UInt32, UInt32, System.Threading.NativeOverlapped*) at System.Threading._IOCompletionCallback.PerformIOCompletionCallback(UInt32, UInt32, System.Threading.NativeOverlapped*)
