Hyper-V NDIS Capture Extension Error - Port Mirroring not working for ATA

Hi,

When I enable the Microsoft NDIS Capture Extension on the Virtual Switch I want capture the traffic on, I get the message: 

"The Selected Extension is not operating correctly. Check the event logs for further information. If this is a non-Microsoft Extension, contact the vendor for further troubleshooting steps."

I am running Hyper-V on a Windows 8.1 computer, and would like to test ATA 2016.

Get the same error if I use either "Internal" or "Private" switch.

Has anyone seen this problem before?

Thank you


  • Edited by Shim Kwan Friday, August 28, 2015 11:39 PM
August 28th, 2015 11:36pm

Hi Gershoni,

Thank you, this is how I have things configured - I have removed the NDIS Capture.

However, even though ATA has realized that I have 20 users in AD, it is not picking up any anomalies.

This is what I have in AD thus far:

  • 3 accounts with password never to expire
  • 5 accounts that have failed to login (as I deliberately used the wrong password)
  • 2 accounts added to the Enterprise and Domain Admins groups

Should ATA report on any of the above?

Just trying to determine how best to demo the product.

Thanks,

SK


PS. I have had the ATA lab environment running for 5 days now.
  • Edited by Shim Kwan Sunday, August 30, 2015 10:30 PM
August 30th, 2015 9:47pm

The deployment guide states you need 21 days of data prior to it reporting any anomalies.

Thanks,

BK

August 31st, 2015 11:35am

Wow, so we have to wait 21 days before we will be told we have a problem?

By then the hacker's already run off with everything they need and covered their tracks, and retired ;)

We obviously had a very wrong impression about this product.

At least there are plenty of alternative product choices out there...

August 31st, 2015 9:44pm

So we have to wait 21 days before we will be told we have a problem?


September 1st, 2015 1:38am


Hi Shim,

The 21 days are needed to build / learn the normal user profiles. During this 21-day period ATA will not generate any "abnormal" suspicious activities or alerts.

However during this period ATA will still detect and generate suspicious activities for what we call "deterministic" activities. For example:

  • PtH
  • PtT
  • DNS Reconnaissance
  • Broken Trust
  • Remote Execution
  • Reconnaissance using Account Enumeration
  • Brute Force Attack using LDAP Simple Bind
  • Services exposing account credentials in clear text
  • Honeytoken access

So as you can see, even during these 21 days needed to learn normal user behavior, ATA is still able to provide value.

I hope this helps.

Thx

ATA Team

September 1st, 2015 2:04am

Hi Shim,

We do not raise an alert for the items you listed.

For accounts with passwords that do not expire and failed logins, you will see this in the user entity profile. We do not track the number of failed logins, just the last failed login.

Additionally, you can see that an account is determined to be "sensitive". A sensitive account is an account that has higher-level privileges in the domain based upon group membership.

To quickly demo this in a lab you can try the following:

  • DNS transfer using nslookup
  • Remote Execution using PsExec from Sysinternals
  • There are tools you can download to perform PtT.

See attached screen shot.

HTH

ATA Team

September 1st, 2015 2:26am
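The first two demo steps the ATA Team suggests above (a DNS transfer request with nslookup, then remote execution with PsExec) as one lab script. This is an added example, not code from the thread or from the ATA product; the domain name contoso.local, the DC name DC01 and the PsExec path are hypothetical and should be replaced with the lab's own values. Run it from a domain-joined lab workstation, not against a production domain.

```powershell
# Added lab-demo script (not from the thread or from ATA). It triggers two of the
# "deterministic" detections ATA raises even during the 21-day learning period:
#   1) DNS Reconnaissance  - a zone transfer (AXFR) request to the DC's DNS service
#   2) Remote Execution    - a command run on the DC with Sysinternals PsExec
# Assumptions (hypothetical): domain contoso.local, DC named DC01, PsExec.exe in PATH.

param(
    [string]$Domain = 'contoso.local',
    [string]$Dc     = 'DC01',
    [string]$PsExec = 'PsExec.exe'
)

# 1) DNS reconnaissance. nslookup's interactive "ls -d <zone>" command asks the
#    server for a full zone transfer. A default DC DNS refuses it ("Query refused"),
#    but the request itself is what ATA reports; the refusal does not matter.
Write-Host "[*] Requesting zone transfer for $Domain from $Dc"
$nslookupCommands = @"
server $Dc
ls -d $Domain
exit
"@
# Piping the commands feeds nslookup's interactive mode from stdin.
$nslookupCommands | nslookup 2>&1 | ForEach-Object { "    $_" }

# 2) Remote execution. The command run on the DC can be harmless; ATA flags the
#    act of executing it remotely on the domain controller, not what it does.
if (Get-Command $PsExec -ErrorAction SilentlyContinue) {
    Write-Host "[*] Running 'hostname' on \\$Dc via PsExec"
    & $PsExec -accepteula "\\$Dc" cmd /c hostname
} else {
    Write-Warning "PsExec not found. Download the Sysinternals suite and put PsExec.exe in PATH."
}

Write-Host "[*] Done. Open the ATA Center console and check the suspicious activities timeline."
```

Both steps should appear in the ATA Center console within a few minutes, which is a useful check that the port-mirrored traffic from the DC is actually reaching the Gateway. If neither shows up, the mirroring configuration, rather than the 21-day learning period, is the first thing to verify.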

Thanks Gershon, clarifies matters greatly, much appreciated!
September 1st, 2015 9:58pm
