Domain Dominance
DCSync Across Trusts
DCsync from a user machine will for sure cause suspicious and generate an alert, but you can actually perform DCSync across trusts as this is normal traffic since DCs replicate stuff all the time.
PSRemoting
Mixing PSremoting and other attacks will not be detected by ATA. For example, with WinRM or PSRemoting, we can inject Mimikatz into LSASS on a dC and grab the credentials in memory:
Another thing you could to is use NinjaCopy, which uses PSRemoting with raw disk access to make a copy of the live system file:
Last updated