Apr 27 2020
- last edited on
Nov 30 2021
(please see the two screenshots attached)
Hello. I am seeing a large number of successful 4624 logon type 3 events coming from one of my Windows machines (a non-ATA related server), and the logon account name that continuously appears in the logs is the ATA Directory Services account. The extremely high number of events is generating "LDAP User Login Brute Force Attempt" alerts on my firewall. Two things that I need help understanding are:
(1) What does the ATA Directory services account do exactly? All I can find is that this should be a read-only account used to connect to the AD forest, not much more details are provided in ATA documentation on how it works. Is the account trying to log into all endpoints in my domain to gather information to bring back to the ATA console? I am not sure what it does or how it connects to other systems.
(2) Any ideas why this account is continuously authenticating over and over again on one system? This behavior is only sourcing from one of my Windows servers, my firewall is not alerting it from anywhere else, only this one system. (please see the two screenshots attached)
May 03 2020 01:04 AM
This the Gateway is querying the machines on the network to get a list of members of the local administrators group. This information is used for ATA to understand when a there is a potential lateral movement path (LMP)
When a sensitive user logs in to a machine ATA will calculate if there is a potential LMP and the membership of the local administrator group from the machines on the network are required.
For more information on LMP see - https://docs.microsoft.com/en-us/advanced-threat-analytics/use-case-lateral-movement-path