Microsoft Advanced Threat Analytics Attack Demo

Cyber Attack Demo

During my session at Experts Live 2016 I’ve shown a demo which consists of an cyber attack with Microsoft ATA running in the background. Various stages from the Attack Kill Chain are included in this demo like internal reconnaissance, lateral movement, pass-the-ticket and domain dominance. I’ve recorded the demo and enhanced it for YouTube. You can review the slidedeck of the presentation here.

Microsoft ATA

Behind the action you’ll notice the Microsoft ATA console which shows you real-time detection of attacks and notifications Microsoft ATA generates. The demo environment consists of three domain controllers running Windows Server 2012 R2 and 2016, Windows 8.1 clients and a IIS webserver.

The client of the victim has been compromised and is prepped with some tooling like Mimikatz and NetSess. This is the starting point from demo perspective.


The main goal of the attack is to gain full control over the Active Directory domain, also known as domain dominance or pwnage.