sagegerma.blogg.se

Last name of the original golden ticket creator

Applies to: Advanced Threat Analytics version 1.9

Following proper investigation, any suspicious activity can be classified as:

True positive: A malicious action detected by ATA.
Benign true positive: An action detected by ATA that is real but not malicious, such as a penetration test.
False positive: A false alarm, meaning the activity didn't happen.

For more information on how to work with ATA alerts, see Working with suspicious activities.

For questions or feedback, contact the ATA team.

Abnormal modification of sensitive groups

Attackers add users to highly privileged groups. They do so to gain access to more resources and to gain persistence. The detection relies on profiling user group modification activity and alerting when an abnormal addition to a sensitive group is seen. Profiling is performed continuously by ATA. The minimum period before an alert can be triggered is one month per domain controller. For a definition of sensitive groups in ATA, see Working with the ATA console.

The detection relies on events audited on domain controllers. To make sure your domain controllers audit the needed events, use the tool referenced in ATA Auditing (AuditPol, Advanced Audit Settings Enforcement, Lightweight Gateway Service discovery).

Investigation. Is the group modification legitimate? Legitimate group modifications that rarely occur, and weren't learned as "normal", might cause an alert, which would be considered a benign true positive. If the added object was a user account, check which actions the user account took after being added to the admin group.
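The audit check and the investigation questions above can be worked through directly on a domain controller. The following PowerShell is an added example, not code from the ATA documentation or product: it verifies that the "Security Group Management" audit subcategory is enabled (the source of the events ATA consumes), lists additions to a hand-picked set of sensitive groups from the Security log, and for each added account shows who made the change and what logons that account performed on this DC afterwards. The sensitive-group list, the 30-day window and the assumption that the CN of the member DN equals its sAMAccountName are illustration choices; ATA's own sensitive-group definition is in Working with the ATA console.

```powershell
# Added example (not from the ATA docs). Run elevated on a domain controller.
# Security event IDs used:
#   4728 member added to a security-enabled global group
#   4732 member added to a security-enabled local group
#   4756 member added to a security-enabled universal group
#   4624 successful logon on this DC (to see what the added account did afterwards)
# The group list below is an assumption for illustration, not ATA's sensitive-group definition.
$SensitiveGroups = @(
    'Domain Admins', 'Enterprise Admins', 'Schema Admins', 'Administrators',
    'Account Operators', 'Backup Operators', 'Server Operators', 'Print Operators',
    'Group Policy Creator Owners', 'DnsAdmins'
)

# 1. Confirm the subcategory that produces 4728/4732/4756 is audited for success.
$auditLine = auditpol /get /subcategory:"Security Group Management" 2>$null |
    Where-Object { $_ -match 'Security Group Management' }
if (-not $auditLine -or $auditLine -notmatch 'Success') {
    Write-Warning 'Security Group Management success auditing is off; 4728/4732/4756 will not be written.'
    Write-Warning 'Enable with: auditpol /set /subcategory:"Security Group Management" /success:enable'
}

# Helper: EventRecord -> hashtable of its EventData fields (Name -> value).
function Get-EventData {
    param([System.Diagnostics.Eventing.Reader.EventRecord]$Event)
    $xml  = [xml]$Event.ToXml()
    $data = @{}
    foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
    return $data
}

# 2. Group additions in the last 30 days (assumed window), filtered to sensitive groups.
$since = (Get-Date).AddDays(-30)
$additions = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4728, 4732, 4756; StartTime = $since } -ErrorAction SilentlyContinue |
    ForEach-Object {
        $d = Get-EventData $_
        [pscustomobject]@{
            Time      = $_.TimeCreated
            EventId   = $_.Id
            Group     = $d['TargetUserName']      # the group that was modified
            Member    = $d['MemberName']          # DN of the object that was added
            MemberSid = $d['MemberSid']
            Actor     = "$($d['SubjectDomainName'])\$($d['SubjectUserName'])"  # who made the change
        }
    } |
    Where-Object { $SensitiveGroups -contains $_.Group }

$additions | Sort-Object Time | Format-Table Time, Group, Member, Actor -AutoSize

# 3. Investigation: who did it, what kind of object was added, and what did it do afterwards?
foreach ($add in $additions) {
    # Assumption: the CN of the member DN (CN=jdoe,OU=...) is the account's sAMAccountName.
    $cn = ($add.Member -split ',')[0] -replace '^CN=', ''
    Write-Host "`n== $cn added to $($add.Group) at $($add.Time) by $($add.Actor) (event $($add.EventId))"

    # Resolving the SID tells you whether this is a user, computer or nested group (or a deleted object).
    try {
        $sid = New-Object System.Security.Principal.SecurityIdentifier($add.MemberSid)
        Write-Host "   resolves to $($sid.Translate([System.Security.Principal.NTAccount]).Value)"
    } catch {
        Write-Host "   SID $($add.MemberSid) could not be resolved (deleted object?)"
    }

    # Logons by the added account after the addition. 4624 on a DC only covers logons to this DC;
    # ATA itself sees Kerberos traffic for the whole domain, so treat this as a partial view.
    $logons = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4624; StartTime = $add.Time } -ErrorAction SilentlyContinue |
        ForEach-Object { Get-EventData $_ } |
        Where-Object { $_['TargetUserName'] -eq $cn }
    foreach ($l in $logons) {
        Write-Host ('   logon type {0} from {1} ({2})' -f $l['LogonType'], $l['IpAddress'], $l['WorkstationName'])
    }
    if (-not $logons) { Write-Host '   no logons by this account recorded on this DC since the addition' }
}
```

A rare but legitimate addition (for example a scheduled break-glass account rotation) will show up here exactly like a malicious one; the Actor column and the post-addition logon pattern are what let you classify it as a benign true positive rather than a true positive.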













