Hello,
I set up ATA 1.9 in my dev environment recently. I'm going through the attack playbook and triggering alerts.
For the DNS Recon alert that is triggered when an entity attempts to do a zone xfer, would this trigger if the zone xfer request wasn't directly against the domain controller, but instead was against a forwarder?
We use forwarders in our environment that pass all internal domain queries onto the domain controller.
I don't have forwarders set up in my DEV environment, so I was just wondering if anybody has done this.
Thanks!