[ATA] Microsoft Advanced Threat Analytics 1.6 is available!

Microsoft recently released Advanced Threat Analytics (ATA) 1.6.

The main new features are:

• New detection mechanism like:
  • Net Session enumeration through SMB in order to discover the share with the GPOs and so the domain controllers
  • Malicious AD replications requests
  • Malicious DPAPI in order to steal the recovery keys that give access to the shared secrets protected by this key
• Improvement of existing detection mechanism
• A new Lightweight gateway role: if the gateway with the port mirroring prerequisite is to heavy it’s possible for small remote sites it’s now possible to deploy a small version of the gateway on the domain controller acting like an agent
• Automated updates: it’s now possible to use Microsoft Update, SCCM or WSUS in order to deploy new behaviour algorithm, detection mechanism, new features and hotfixes
• Improvement of performance
• Reduction of storage requirement: this version use only 20% of storage space used by the previous version
• Support of IBM QRadar SIEM

This version is available for download at the following address:

• Evaluation version on Download Center
• Volume License Service Portal
• MSDN

If you want to use the new technical documentation portal of Microsoft which replace TechNet, you could found the dedicated part for ATA is available at: https://docs.microsoft.com/en-us/advanced-threat-analytics/

And as usual don't forget to read carefully how to upgrade to the last version your infrastructure and the known issues ;)