Intro
ATA/ATP are next generation defense mechanisms that help prevent, detect, investigate to security events. These are post breach defenses that are useful to blue teamers and network defenders due to the large telemetry these security products give you.
ATP is analyzes hosts, while ATA analyzes the domain and network traffic.
ATP deploys various technologies like
  • Endpoint behavioral sensors: collect data and behavioral signals from the OS and send it to the cloud for further analysis.
  • Cloud Security Analytics: Uses machine learning from big data sets to detect and respond to threats.
  • Parent child analysis: This gives you a tree of the parent child relationships that processes have which can be used to detect malicious behavior
  • Attack path graphing: You can follow an attack path like if one process starts another process and uses that to execute commands or if they laterally move throughout the network, you can see this type of relation
  • Host Isolation and File Quarantine: You can quarantine a certain file on multiple boxes or isolate a host from the network if the operator thinks the computer is infected with suspicious activity
  • Threat Intelligence: Identifies TTPs by using collected data from previous/other attacks
  • Detection of malicious use of APIs via EtwTI
  • Integration with other Defender brand protections like: Credential guard, Exploit guard, Application Guard, Device Guard, Windows Firewall(Makes firewall rules to block C2 traffic)etc.
  • Integration with Other OS's like Linux
  • Integration with ATA
In terms of PowerShell:
  • It can detect heavily obfuscated PowerShell cradles from invoke-obfuscation and such.
  • Script block logging
  • Transcription Logging
  • Module Logging
  • "Suspicious strings"
  • CLM
  • Just enough Admin support
  • AMSI
  • No way to downgrade to PowerShell version 2
  • System-wide transcripts
  • These are all built into the PowerShell framework core
ATA is domain based security product which is designed to detect AD: recon, credential attacks, lateral movement, domain dominance etc.
It captures and parses multiple protocols such as Kerberos, DNS, RPC, NTLM, and others to detect malicious activity. This information is collected in 2 ways:
  1. 1.
    Port mirroring traffic on DCs and DNS servers
  2. 2.
    Or deploy a light weight gateway directly on DCs
This is a high level overview of how ATA works.
  1. 1.
    ATA has a console UI which runs on top of the ATA center
  2. 2.
    ATA gateways, these are full gateways that either gather mirrored port traffic or is a light weight gateway installed directly on a DC(Basically just gathers traffic) ATA can also be integrated with your SIEM or integrate with your VPN with radius
  3. 3.
    MongoDB database which collects data from the different gateways on the ATA center
For more information:
Advanced Threat Analytics architecture
docsmsft
ATA gives a very useful overview of what happened in the event of an attack. For example, Microsoft gave an example of what would happen if ATA detected a PTT attack. As we can see, we can see the who, what, where of the attack, the resources the attack accessed, we can also see the history of the machines to get a better insight of the attack and see any suspicious commands and queries that were ran.
ATA can detect abnormal user behavior in the sense that a certain user is doing something odd related to their function. For example, if bob from the construction group is suddenly RDPing into every machine, is this malicious traffic or not? Because of this, ATA needs some time to learn to detect attacks and anomalous user behavior to reduce the flagging of false positives.
An example of such, is that ATA produces an alarm when a user accesses 4 computers that are not ordinarily accessed this user:
ATA also has the ability to detect security issues and risks like:
  • Broken trust
  • Weak protocols
  • Known protocol vulnerabilities
For example:
Note that there may be time delays on generating alerts, complex attacks may take longer to generate an alert while a simple attack may take less time to generate an alert. Because of this, we may be able to do a quick smash and grab attack before ATA/ATP generates an alert and alerts defenses.

Resources

What is Microsoft Advanced Threat Analytics (ATA)?
docsmsft
What is Microsoft Defender Advanced Threat Protection (ATP)
Copy link