Microsoft Advanced Threat Analytics (ATA) is an on-premises platform that helps protect enterprises from advanced targeted cyber attacks and insider threats. It draws on multiple data sources in the network to learn the behavior of users and other entities in the organization and build a behavioral profile of each, and it uses ATA's proprietary network parsing engine to capture and parse network traffic across multiple protocols.
Microsoft has released the Advanced Threat Analytics v1.8 update with several new features and improvements. As attackers develop new types of attacks, Microsoft updates the ATA engine periodically to improve detection of both known and unknown attacks. The new and updated detections included in this update are listed below.
- Abnormal modification of sensitive groups: During the privilege-escalation phase of an attack, attackers modify highly privileged groups to gain access to sensitive resources. ATA now detects abnormal changes to groups with elevated privileges (sensitive groups).
- Suspicious authentication failures (behavioral brute force): Attackers often brute-force credentials to compromise accounts. ATA now raises an alert when it observes failed-authentication behavior that is abnormal relative to what it has learned about the entity.
- Remote execution attempt – WMI exec: Attackers can try to take control of a network by running code remotely on a domain controller. ATA now detects remote execution that uses WMI methods to run code.
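To make the three detections concrete, here is an added example (not ATA's code, and not how ATA's network parsing engine implements them) that runs simplified host-side versions of each over a handful of constructed Windows Security events. It assumes event IDs 4728/4732/4756 for members added to security-enabled groups, 4625 for failed logons and 4688 for process creation; the sensitive-group list, the hostnames, the account names and the learned baseline are all made up for the illustration. The brute-force check compares observed failures against a per-host baseline rather than a fixed threshold, which is the "behavioral" part of the detection.

```python
"""Illustrative host-side detection logic for three ATA v1.8 detections.

Added example, not ATA code. Inputs are constructed Windows Security events
(4728/4732/4756 group membership adds, 4625 failed logons, 4688 process
creation). ATA itself works from parsed network traffic and forwarded events.
"""
from collections import Counter
from datetime import datetime

# Groups treated as sensitive. This list is an assumption for the example.
SENSITIVE_GROUPS = {
    "Domain Admins", "Enterprise Admins", "Schema Admins",
    "Administrators", "Account Operators",
}
GROUP_ADD_EVENTS = {4728, 4732, 4756}  # member added to global/local/universal security group
FAILED_LOGON = 4625
PROCESS_CREATED = 4688

# Constructed sample events (not real telemetry).
EVENTS = [
    # Abnormal: a service account is added to Domain Admins.
    {"time": "2017-06-01T09:00:00", "id": 4728, "subject": "CORP\\jdoe",
     "member": "CORP\\svc-backup", "group": "Domain Admins"},
    # Benign: a routine add to a non-sensitive group.
    {"time": "2017-06-01T09:05:00", "id": 4728, "subject": "CORP\\hr-admin",
     "member": "CORP\\new.hire", "group": "HR Staff"},
    # Process started under the WMI provider host on the DC, i.e. launched via WMI.
    {"time": "2017-06-01T09:10:00", "id": 4688, "host": "DC01",
     "parent": r"C:\Windows\System32\wbem\WmiPrvSE.exe",
     "process": r"C:\Windows\System32\cmd.exe", "subject": "CORP\\jdoe"},
    # Ordinary process start, not WMI-spawned.
    {"time": "2017-06-01T09:11:00", "id": 4688, "host": "DC01",
     "parent": r"C:\Windows\explorer.exe",
     "process": r"C:\Windows\System32\notepad.exe", "subject": "CORP\\admin"},
]
# Twelve failed logons from one workstation against rotating accounts in twelve minutes.
EVENTS += [
    {"time": f"2017-06-01T10:{m:02d}:00", "id": FAILED_LOGON,
     "source": "WS-HR-07", "account": f"CORP\\user{m % 4}"}
    for m in range(12)
]
# Three failed logons from a helpdesk machine, normal for it.
EVENTS += [
    {"time": f"2017-06-01T10:{m:02d}:00", "id": FAILED_LOGON,
     "source": "WS-IT-02", "account": "CORP\\helpdesk"}
    for m in (1, 4, 8)
]

# Learned baseline: typical failed logons per fifteen-minute window per source
# host (constructed here; a behavioral engine derives it from a learning period).
BASELINE = {"WS-HR-07": 1, "WS-IT-02": 2}
WINDOW_START = datetime(2017, 6, 1, 10, 0)
WINDOW_END = datetime(2017, 6, 1, 10, 15)


def sensitive_group_changes(events):
    """Return membership-add events that touch a sensitive group."""
    return [e for e in events
            if e["id"] in GROUP_ADD_EVENTS and e["group"] in SENSITIVE_GROUPS]


def abnormal_auth_failures(events, baseline, start, end, factor=5, floor=10):
    """Flag source hosts whose failed logons in [start, end) exceed both an
    absolute floor and `factor` times their learned baseline."""
    counts = Counter()
    for e in events:
        if e["id"] != FAILED_LOGON:
            continue
        t = datetime.fromisoformat(e["time"])
        if start <= t < end:
            counts[e["source"]] += 1
    flagged = {}
    for source, n in counts.items():
        threshold = max(floor, factor * baseline.get(source, 0))
        if n > threshold:
            flagged[source] = n
    return flagged


def wmi_remote_execution(events, hosts=("DC01",)):
    """Return process creations on the given hosts whose parent is the WMI
    provider host, the usual footprint of Win32_Process.Create over WMI."""
    return [e for e in events
            if e["id"] == PROCESS_CREATED and e["host"] in hosts
            and e["parent"].lower().endswith("wmiprvse.exe")]


if __name__ == "__main__":
    for e in sensitive_group_changes(EVENTS):
        print(f"sensitive group change: {e['subject']} added {e['member']} to {e['group']}")
    for src, n in abnormal_auth_failures(EVENTS, BASELINE, WINDOW_START, WINDOW_END).items():
        print(f"abnormal auth failures: {n} from {src} (baseline {BASELINE[src]})")
    for e in wmi_remote_execution(EVENTS):
        print(f"WMI exec on {e['host']}: {e['subject']} spawned {e['process']}")
```

Note that the helpdesk machine stays quiet even though it fails more often than the baseline for the HR workstation: the alert is driven by deviation from each host's own learned behavior combined with an absolute floor, which is what keeps a behavioral brute-force detection from firing on every mistyped password.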
This update will also empower security ops to triage suspicious activities by:
- Suppressing recurring suspicious activities from alerting.
- Excluding entities from raising future suspicious activities, to prevent ATA from alerting when it detects benign true positives (such as an admin running remote code or using nslookup).
- Deleting suspicious activities from the attack time line.
Microsoft has also added one new report and improved another, making security issues easier to analyze and investigate. The new summary report shows all summarized data from ATA, including suspicious activities and health issues, and the improved sensitive groups report shows all changes made to sensitive groups over a chosen period.
Find the full change log here.