Advanced Threat Analytics (ATA) is an on-premises platform that helps protect your enterprise from multiple types of advanced targeted cyber attacks and insider threats.
How ATA works
ATA leverages a proprietary network parsing engine to capture and parse network traffic of multiple protocols (such as Kerberos, DNS, RPC, NTLM, and others) for authentication, authorization, and information gathering. This information is collected by ATA via:
- Port mirroring from Domain Controllers and DNS servers to the ATA Gateway and/or
- Deploying an ATA Lightweight Gateway (LGW) directly on Domain Controllers
ATA takes information from multiple data sources, such as logs and events in your network, to learn the behavior of users and other entities in the organization, and builds a behavioral profile of them. ATA can receive events and logs from:
- SIEM Integration
- Windows Event Forwarding (WEF)
- Directly from the Windows Event Collector (for the Lightweight Gateway)
For more information on ATA architecture, see ATA Architecture.
Evading ATA
It is possible to evade ATA, or at least make less noise, during red team engagements.
Apart from the LM/NT hashes, the Kerberos keys, derived from the user's password and used in the Kerberos authentication protocol, are also stored.
The Kerberos keys can be used to ask for a Kerberos ticket that represents the user in Kerberos authentication. There are several different keys, one for each Kerberos encryption type supported:
- AES 256 key: Used by the AES256-CTS-HMAC-SHA1-96 algorithm. This is the one commonly used by Kerberos, and the one a pentester should use in order to avoid triggering alarms.
- AES 128 key: Used by the AES128-CTS-HMAC-SHA1-96 algorithm.
- DES key: Used by the deprecated DES-CBC-MD5 algorithm.
- RC4 key: This is the NT hash of the user, used by the RC4-HMAC algorithm.
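A defender-side example added here (not part of the original notes): it classifies Kerberos ticket events by encryption type and flags tickets issued with the RC4 or DES types listed above, since their use in a domain that supports AES is the kind of downgrade signal a monitoring product keys on. The sample records are constructed, and their key=value layout is an assumption loosely modelled on the fields of Windows event 4769; the encryption type numbers are the standard Kerberos etype values.

```python
import re
from collections import Counter

# Kerberos encryption type numbers (IANA Kerberos Parameters registry);
# the same values appear in the Windows 4768/4769 "Ticket Encryption Type" field.
ETYPES = {
    0x12: "AES256-CTS-HMAC-SHA1-96",
    0x11: "AES128-CTS-HMAC-SHA1-96",
    0x17: "RC4-HMAC",
    0x03: "DES-CBC-MD5",
    0x01: "DES-CBC-CRC",
}
# Weak etypes whose appearance in an AES-capable domain is a downgrade signal
WEAK_ETYPES = {0x17, 0x03, 0x01}

# Constructed sample records (assumed key=value layout, not real log data)
SAMPLE_EVENTS = """\
EventID=4769 Account=alice@CORP.LOCAL Service=cifs/fs01 TicketEncryptionType=0x12 Client=10.0.0.5
EventID=4769 Account=bob@CORP.LOCAL Service=http/intranet TicketEncryptionType=0x11 Client=10.0.0.9
EventID=4769 Account=svc-backup@CORP.LOCAL Service=MSSQLSvc/db01:1433 TicketEncryptionType=0x17 Client=10.0.0.42
EventID=4768 Account=carol@CORP.LOCAL Service=krbtgt/CORP.LOCAL TicketEncryptionType=0x12 Client=10.0.0.7
EventID=4769 Account=legacy01$@CORP.LOCAL Service=ldap/dc01 TicketEncryptionType=0x03 Client=10.0.0.77
"""

FIELD_RE = re.compile(r"(\w+)=(\S+)")

def parse_event(line):
    """Turn one 'key=value ...' record into a dict; the etype is parsed as an int."""
    fields = dict(FIELD_RE.findall(line))
    fields["TicketEncryptionType"] = int(fields["TicketEncryptionType"], 16)
    return fields

def find_downgrades(text):
    """Return (account, service, etype name) for every ticket issued with a weak etype."""
    hits = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ev = parse_event(line)
        etype = ev["TicketEncryptionType"]
        if etype in WEAK_ETYPES:
            hits.append((ev["Account"], ev["Service"], ETYPES.get(etype, hex(etype))))
    return hits

def etype_histogram(text):
    """Count tickets per etype name; a cheap baseline that makes rare weak etypes stand out."""
    counts = Counter()
    for line in text.splitlines():
        if line.strip():
            etype = parse_event(line)["TicketEncryptionType"]
            counts[ETYPES.get(etype, hex(etype))] += 1
    return counts

if __name__ == "__main__":
    for account, service, name in find_downgrades(SAMPLE_EVENTS):
        print(f"weak etype {name}: {account} -> {service}")
    print(dict(etype_histogram(SAMPLE_EVENTS)))
```

Against real 4769 events the parser would need to read the tab-separated "Ticket Encryption Type:" field instead of the assumed key=value form; the classification logic stays the same.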