ATA Playbook Issues


Hi
 
I ran through the playbook today but I had a few issues. 
 
Step 9: Powersploit appears to have a bug with Powershell 5.0 that means the Get-NetLocalGroup cmdlet doesn't work (obviously not the ATA playbook authors' fault, just putting it out there)
 
Steps 10-12: ATA didn't alert me to the Overpass-The-Hash attack
 
Steps 15-17: ATA didn't alert me to the PTT attack
 
Now I'll admit my lab isn't exactly as in the guide but surely ATA should offer the same protection
 
1 x Windows Server 2016 DC with lightweight gateway installed
2 x Windows 10 Enterprise 1511 machines representing admin-pc and victim-pc
 
Could missing the OPTH and PTT attacks be the result of a misconfiguration? Everything else got picked up as expected.
 
I think this guide is great btw, just a couple of issues :)

1 Reply

We're glad you liked the Playbook, and thanks for shouting out, Robert. I'm sure @Ophir Polotsky, @Hadi Inja, @Michael Dubinsky, @Benny Lakunishok, and @Ryan Heffernan will be most interested in this feedback.