Let these live here. I constantly have to look them up 🙂
– Identifying LM\NTLM
https://secpfe.com/wordpress/en/2017/03/01/controlling-and-restricting-ntlm-usage-part-i/
https://github.com/secpfe/NTLMHound/
– ATA и ATA Playbook
https://docs.microsoft.com/en-us/advanced-threat-analytics/what-is-ata
https://gallery.technet.microsoft.com/ATA-Playbook-ef0a8e38
– Identifying Clear Text LDAP binds to your DC’s
– LAPS Audit Reporting via WEF PoSH and PowerBI
https://blogs.technet.microsoft.com/kfalde/2015/11/18/laps-audit-reporting-via-wef-posh-and-powerbi/
– LAPS and permission to join computer to domain
https://blogs.msdn.microsoft.com/laps/2015/07/17/laps-and-permission-to-join-computer-to-domain/
– Pass-the-Hash
https://technet.microsoft.com/en-us/security/dn785092
(Mitigating Pass-the-Hash and Other Credential Theft v1, Mitigating Pass-the-Hash and Other Credential Theft v2, How Pass-the-Hash works PDF)
– Administrative Tools and Logon Types
– Privileged Access Workstations (PAW)
– Privileged Access Workstation (PAW) Content
https://gallery.technet.microsoft.com/Privileged-Access-3d072563
Update 31.07.2017
Microsoft Advanced Threat Analytics Proof of Concept Playbook
https://gallery.technet.microsoft.com/Advanced-Threat-Analytics-591ca681
Update 21.08.2017
Troubleshooting ATA known issues
https://docs.microsoft.com/en-us/advanced-threat-analytics/suspicious-activity-guide
Update 26.08.2017
Understanding ATA Suspicious Activity Alerts