ATA Suspicious Activity Playbook

This was updated to include the new ATA v1.8 capabilities. This article will walk through the credential theft attack techniques by using readily available research tools on the Internet. At each point of the attack we will show how Microsoft’s Advanced Threat Analytics (ATA) he


  • ATA not picking up step 1
    1 Posts | Last post July 24, 2018
    • I am going through this playbook but can't get past step 1, the DNS recon. The ATA Center does not recognize the suspicious activity done on the victim PC. Any help is greatly appreciated!
  • Can't access admin-pc's C Drive
    3 Posts | Last post June 05, 2017
    • I’m trying the content of Playbook.
      I can't access the C drive of Admin-PC on P.25
      I can't access it because I cannot enter ronhd's credential information from Windows Explorer.
      Am I making a mistake?
    • I solved it myself.
      Thank you.
    • RonHD's credentials should be harvested--and later injected into another CMD process (thanks to Mimikatz). Let me know if you have any other questions! Version 1.5 will be released shortly.
  • Will this run on Azure VMs?
    2 Posts | Last post June 05, 2017
    • Hi, it is recommended to run it on Windows 10 Hyper-V, but will it run on Azure VMs as well? I'm running all my labs on Azure.
    • Yes, all of this can be done in Azure, including the ATA Center.
  • Please provide a Japanese version of the ATA Playbook
    2 Posts | Last post March 09, 2017
    • I want to share the ATA Playbook with Japanese customers/partners.
      Please provide a Japanese edition of this ATA Playbook.
    • Yoshihiro, would you be able to help with the translation to Japanese? Our resources are limited, but we do have translations of this work as a to-do action on our end.
  • Problem With File?
    2 Posts | Last post February 17, 2017
    • Keeps downloading as zero-length file
    • Please try again. Just had to reupload the file--second time this has happened so we will need to look into this. This will eventually migrate to our ATA Docs section in the future as well.