# Microsoft ATA

## General

* Traffic destined for Domain Controllers is mirrored to ATA sensors
* A user activity profile is built over time, i.e.
  * use of computers
  * credentials
  * log on machines
* Collects Event 4776 (The DC attempted to validate the credentials for an account) to detect credential replay attacks
* Can detect behavioral anomalies
* Useful for detecting:
  * Recon: account enum, netsession enum
  * Compromised credential attacks: brute force, high-privilege account/service account exposed in clear text, honey token, unusual protocol (NTLM and Kerberos)
  * Credential/Hash/Ticket Replay attacks
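
As an added illustration (not code from the original page or from ATA itself), the following Python sketch models the two ideas above: a per-account baseline learned from Event 4776 successes, then anomaly checks over later events (account enumeration from one source, and an account authenticating from a workstation outside its baseline). The event records are constructed, and the learning window, thresholds and field set are assumptions.

```python
"""Toy analysis of Windows Event 4776 (NTLM credential validation on a DC),
the event ATA collects, showing a per-account baseline and anomaly checks.
All events below are constructed sample data, not real logs."""
from collections import Counter, defaultdict

# Constructed 4776 records: (logon account, source workstation, NTSTATUS code)
# 0x0 = success, 0xC0000064 = user name does not exist
EVENTS_4776 = [
    ("alice", "WS-ALICE", "0x0"), ("alice", "WS-ALICE", "0x0"),
    ("bob", "WS-BOB", "0x0"), ("bob", "WS-BOB", "0x0"),
    ("alice", "WS-ALICE", "0x0"),
    # account-enumeration pattern: many unknown user names from one host
    ("svc_x", "WS-ATTK", "0xC0000064"), ("admin2", "WS-ATTK", "0xC0000064"),
    ("backup", "WS-ATTK", "0xC0000064"), ("sqlsvc", "WS-ATTK", "0xC0000064"),
    # alice's credentials validated from a host never seen in her baseline
    ("alice", "WS-ATTK", "0x0"),
]

def build_baseline(events, learning_window):
    """Record the source workstations each account successfully authenticated
    from during the first `learning_window` events (the learning period)."""
    baseline = defaultdict(set)
    for account, workstation, code in events[:learning_window]:
        if code == "0x0":
            baseline[account].add(workstation)
    return baseline

def detect_anomalies(events, learning_window=5, enum_threshold=3):
    """Return (alert_type, detail) tuples for events after the learning period."""
    baseline = build_baseline(events, learning_window)
    unknown_user_by_source = Counter()
    alerts = []
    for account, workstation, code in events[learning_window:]:
        if code == "0xC0000064":
            # Repeated unknown-user failures from one source: account enumeration
            unknown_user_by_source[workstation] += 1
            if unknown_user_by_source[workstation] == enum_threshold:
                alerts.append(("account_enum", workstation))
        elif code == "0x0" and account in baseline and workstation not in baseline[account]:
            # Successful validation from a workstation outside the account's profile
            alerts.append(("new_source_for_account", f"{account}@{workstation}"))
    return alerts

if __name__ == "__main__":
    for alert in detect_anomalies(EVENTS_4776):
        print(alert)
```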

## Bypassing ATA

* Avoid talking to the DC as long as possible
* Try to blend in with normal traffic
