ATA Playbook Issues

  • Question

  • Hi

    I ran through the playbook today but I had a few issues.  

    Step 9: PowerSploit appears to have a bug with PowerShell 5.0 that means the Get-NetLocalGroup cmdlet doesn't work (obviously not the ATA playbook authors' fault, just putting it out there).

    Step 10-12: ATA didn't alert me to the Overpass-The-Hash attack.

    Step 15-17: ATA didn't alert me to the PTT attack.

    Now I'll admit my lab isn't exactly as in the guide, but surely ATA should offer the same protection:

    VMware Workstation 12.5

    1 x Windows Server 2016 DC with lightweight gateway installed

    1 x Windows 2012 R2 server with ATA centre installed

    2 x Windows 10 Enterprise 1511 machines representing admin-pc and victim-pc

    Could missing the OPTH and PTT attacks be the result of a misconfiguration? Everything else got picked up as expected.

    I think this guide is great btw, just a couple of issues :-)

    Thursday, March 30, 2017 10:15 AM

All replies

  • Hello,

    I tested it in a lab with Windows 10 Enterprise for admin-pc and victim-pc. I also tested these scenarios on Windows 7 Enterprise.

    >>> Step 9: PowerSploit appears to have a bug with PowerShell 5.0 that means the Get-NetLocalGroup cmdlet doesn't work (obviously not the ATA playbook authors' fault, just putting it out there).

    PowerSploit works on Windows 7, but it doesn't work on Windows 10.

    The error message in PowerShell on Windows 10 is as below:
    PS C:\users\jeffv\Desktop\PowerSploit-master> Get-NetLocalGroup 10.168.172.72
    WARNING: [!] Error: Exception calling "Invoke" with "2" argument(s): "Access is denied."

    >>> Step 10-12: ATA didn't alert me to the Overpass-The-Hash attack.

    I can receive an "unusual protocol implementation" alert for the overpass-the-hash attack on Windows 7, but I can't receive the alert on Windows 10.

    >>> Step 15-17: ATA didn't alert me to the PTT attack.

    I can receive a "pass-the-hash" alert on both Windows 7 and Windows 10.

    Best regards,
    Andy Liu

    Please remember to mark the replies as answers if they help.
    If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com.

    Friday, March 31, 2017 7:08 AM