Last week, Microsoft announced the latest update to Advanced Threat Analytics (ATA) to version 1.6.

This adds some notable enhancements, such as:

• New detections such as
  • Pass-The-Hash and Bruteforce based on unusual protocol behavior
  • Elevation of privileges
  • Reconnaissance via Net Session enumeration
  • Compromised credentials via malicious DPAPI Request
  • Compromised credentials via malicious Replication Requests
• New deployment option with the ATA Lightweight Gateway helping with branch sites and IaaS deployments
• New and improved detection engine that significantly improves our performance and scale
• Support for automatic updates and upgrades using Microsoft Updates
• Improvements in third party integration to enrich detection

One of the biggest additions, is the ability to now have a lightweight Gateway for those branch offices where you can’t expand a physical footprint, or even in Azure!

New deployment option

The ATA Lightweight Gateway is a new deployment option that enables you to deploy the ATA Gateway on the on-premises or IaaS Domain Controllers, removing the need for dedicated hardware and/or port-mirroring configuration. The ATA Lightweight Gateway introduces automatic and dynamic resource management based on the available resources on the DC. This intelligent capability will make sure that the existing operations of the DC will not be affected. In addition, the ATA Lightweight Gateway simplifies the deployment of the ATA Gateway in branch sites where there is a limitation of hardware resources and/or port-mirroring support and reduce the TCO.

It should also be noted that ATA now requires approximately 5x less space than prior due to some new optimizations as well as has automatic updating!

Let’s walk through the upgrade of our environment.

First let’s grab the download here.

We’ll update the ATA Center server first per the instructions.

You’ll want to first take a snapshot of your VM or perform a database backup. We’ll opt for the former.

Now let’s run the installer.

You can see the new update options added

Readiness will be evaluated

Now I was running a pretty lean disk volume, so I had to first expand it a bit 🙂

Also, the docs mentioned about a 5 min upgrade, mine was closer to 15-20, although I’m also running a lean CPU/Memory as well in my lab

If you receive an Error code: 0x80070643 than it may be a DB issue or possibly a duplicate key error.

This may be similar to the issue mentioned on the forums here and they’ve built a tool to help remove the duplicate profiles.

Moving on, our install completes successfully

After updating the ATA Center, the ATA Gateways will report that they are now outdated.

Grab the latest package

NOTE: If you didn’t previously have the gateway installed, it will prompt for a reboot at the end.

Unzip the package

Run the installer

Choose the correct cert and enter your creds

Note some new options under the Gateway configuration once it checks in and is healthy

• Domain synchronizer candidate
• Update ATA Gateway automatically

Once it’s healthy, you should be all set!

And a few nice new UI touches as well!

And some nice new looking e-mails!

And some new attacks!