Advanced Threat Analytics (ATA) is an on-premises platform that helps protect your enterprise from multiple types of advanced targeted cyber attacks and insider threats.


Having Microsoft ATA allows defenders to test detections and gain a better sense of ATA’s capabilities. It allows offensive security professionals to determine what tools and/or techniques will be detected by Microsoft ATA.

Configuration Details

  • Microsoft ATA is installed on the WEF host
  • A lightweight gateway is installed on DC

Sample Usage

To attempt a zone transfer: From a cmd.exe prompt, run

Default Server:  UnKnown

> ls -d windomain.local
*** Can't list domain windomain.local: Query refused
The DNS server refused to transfer the zone windomain.local to your computer. If this
is incorrect, check the zone transfer security settings for windomain.local on the DNS
server at IP address

To attempt to do a DCSync:

lsadump::dcsync /domain:windomain.local /user:krbtgt

Both of these activities should trigger MSATA alerts within a few minutes.

Data Location