Last week, Microsoft announced the latest update to Advanced Threat Analytics (ATA) to version 1.6.

This adds some notable enhancements, such as:

  • New detections such as
    • Pass-The-Hash and Bruteforce based on unusual protocol behavior
    • Elevation of privileges
    • Reconnaissance via Net Session enumeration
    • Compromised credentials via malicious DPAPI Request
    • Compromised credentials via malicious Replication Requests
  • New deployment option with the ATA Lightweight Gateway helping with branch sites and IaaS deployments
  • New and improved detection engine that significantly improves our performance and scale
  • Support for automatic updates and upgrades using Microsoft Updates
  • Improvements in third party integration to enrich detection

One of the biggest additions is the ability to run a lightweight Gateway in those branch offices where you can’t expand the physical footprint, or even in Azure!

New deployment option

The ATA Lightweight Gateway is a new deployment option that enables you to deploy the ATA Gateway directly on on-premises or IaaS Domain Controllers, removing the need for dedicated hardware and/or a port-mirroring configuration. The ATA Lightweight Gateway introduces automatic and dynamic resource management based on the resources available on the DC, which ensures that the DC’s existing operations are not affected. In addition, the ATA Lightweight Gateway simplifies deployment of the ATA Gateway in branch sites where hardware resources and/or port-mirroring support are limited, and reduces TCO.

It should also be noted that ATA now requires approximately 5x less space than before thanks to new optimizations, and it now supports automatic updating!

Let’s walk through the upgrade of our environment.

First let’s grab the download here.

We’ll update the ATA Center server first per the instructions.

You’ll want to first take a snapshot of your VM or perform a database backup. We’ll opt for the former.

Now let’s run the installer.


You can see the new update options added


Readiness will be evaluated


Now I was running a pretty lean disk volume, so I had to first expand it a bit 🙂

Also, the docs mentioned about a 5 minute upgrade; mine was closer to 15-20, although I’m also running lean CPU/memory in my lab.
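A pre-upgrade readiness check that covers the two things above (the VM snapshot and the disk headroom the installer evaluates), as an added example and not part of the original post or of the ATA product. It assumes the ATA Center is a Hyper-V guest managed from the host where this runs, that the VM name and FQDN are placeholders you replace, and that the ATA Center Windows service is named `ATACenter` (an assumption; confirm with `Get-Service` on your server).

```powershell
# Added example: pre-upgrade readiness check for an ATA Center VM.
# Assumptions: Hyper-V host with the Hyper-V PowerShell module, PS Remoting enabled
# on the ATA Center, and a service named "ATACenter" (assumed; verify locally).
param(
    [string]$VmName     = 'ATA-CENTER',               # placeholder VM name
    [string]$CenterHost = 'ata-center.corp.example',  # placeholder FQDN
    [string]$DataDrive  = 'C',                        # volume holding the ATA database
    [int]$MinFreeGB     = 20                          # assumed safety margin for the upgrade
)

# 1. Snapshot the VM before the installer touches the database
#    (the post chooses a snapshot over a database backup).
$snapName = 'Pre-ATA-1.6-{0:yyyyMMdd-HHmm}' -f (Get-Date)
Checkpoint-VM -Name $VmName -SnapshotName $snapName

# 2. Check free space on the data volume and the ATA Center service state remotely.
$report = Invoke-Command -ComputerName $CenterHost -ScriptBlock {
    param($DataDrive, $MinFreeGB)
    $vol = Get-Volume -DriveLetter $DataDrive
    $svc = Get-Service -Name 'ATACenter' -ErrorAction SilentlyContinue
    [pscustomobject]@{
        Volume        = $DataDrive
        FreeGB        = [math]::Round($vol.SizeRemaining / 1GB, 1)
        EnoughSpace   = ($vol.SizeRemaining / 1GB) -ge $MinFreeGB
        CenterService = if ($svc) { $svc.Status.ToString() } else { 'not found' }
    }
} -ArgumentList $DataDrive, $MinFreeGB

$report | Format-List
if (-not $report.EnoughSpace) {
    Write-Warning "Expand the $DataDrive volume before running the 1.6 installer."
}
if ($report.CenterService -ne 'Running') {
    Write-Warning 'ATA Center service is not running; check the server before upgrading.'
}
```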



If you receive Error code 0x80070643, then it may be a DB issue, possibly a duplicate key error.

This may be similar to the issue mentioned on the forums here, for which a tool has been built to help remove the duplicate profiles.

Moving on, our install completes successfully


After updating the ATA Center, the ATA Gateways will report that they are now outdated.


Grab the latest package

NOTE: If you didn’t previously have the gateway installed, it will prompt for a reboot at the end.


Unzip the package


Run the installer


Choose the correct cert and enter your creds


Note some new options under the Gateway configuration once it checks in and is healthy

  • Domain synchronizer candidate
  • Update ATA Gateway automatically


Once it’s healthy, you should be all set!


And a few nice new UI touches as well!


And some nice new looking e-mails!


And some new attacks!

