ATA Suspicious Activity Playbook

This was updated to include the new ATA v1.8 capabilities. This article will walk through the credential theft attack techniques by using readily available research tools on the Internet. At each point of the attack we will show how Microsoft’s Advanced Threat Analytics (ATA) he

Security
10/4/2017
  • Is there a Playbook for Password Spray
    2 Posts | Last post September 24, 2018
    • I've been told that ATA can detect Password Spraying in an environment. Is there a playbook where I can test this?
• We don't have that as part of the playbook yet, nor the one we plan on publishing on our Docs site. I will see what we can do, however. Have a favorite tool of choice you'd like to see us use? Hydra? Medusa?
  • ATA not picking up step 1
    2 Posts | Last post September 24, 2018
• I am going through this playbook but can't get past step 1, the DNS recon. The ATA Center does not recognize the suspicious activity done on the victim PC. Any help is greatly appreciated!
    • This should be picked up _every time_.  Confirm the Sensor is installed on the DC and that DC is who you are doing the DNS recon against.
• Can't access Admin-PC's C drive
    3 Posts | Last post June 05, 2017
    • I’m trying the content of Playbook.
      I can't access the C drive of Admin-PC on P.25
      I can't access it because I can not enter ronhd's credential information from Windows Explorer.
      Am I making a mistake?
    • I solved it myself.
      Thank you.
• RonHD's credentials should be harvested, and later injected into another CMD process (thanks to Mimikatz). Let me know if you have any other questions! Version 1.5 will be released shortly.
• Will this run on Azure VMs?
    2 Posts | Last post June 05, 2017
• Hi, it is recommended to run it on Windows 10 Hyper-V, but will it run on Azure VMs as well? I'm running all my labs on Azure.
      Thanks!
    • Yes, all of this can be done in Azure, including the ATA Center. 
• Please provide a Japanese version of the ATA Playbook
    2 Posts | Last post March 09, 2017
    • I want to share ATA Playbook with Japan customers/partners.
Please provide a Japanese edition of this ATA Playbook.
• Yoshihiro, would you be able to help with the translation to Japanese? Our resources are limited, but we do have translations of this work as a to-do action on our end.
  • Problem With File?
    2 Posts | Last post February 17, 2017
    • Keeps downloading as zero-length file
• Please try again. I just had to reupload the file; this is the second time this has happened, so we will need to look into this. This will eventually migrate to our ATA Docs section in the future as well.