Pass the ticket Attack

  • Question

  • Could you explain how the pass the ticket attack is determined, or how to verify that this is an actual problem and not a false positive?

    I am piloting ATA in my environment and have already received three warnings regarding pass the ticket.

    It is only for computer accounts and not users.

    Tuesday, September 29, 2015 7:53 PM

All replies

  • Hi Mark,

    If you have devices that are connecting through a VPN server or Wi-Fi network that quickly reassigns IP addresses when devices connect and disconnect, this can trigger a PtT suspicious activity.

    If you go to Configuration --> Detection you can add the IP Subnet range (in slash notation) to the "Short-term lease subnet". Remember to click the plus sign to add the range and then click Save.


    ATA Team

    Gershon Levitz [MSFT]

    Thursday, October 1, 2015 4:00 PM
  • Can you explain this in more detail?

    Also, what is considered short-term?

    Friday, October 2, 2015 4:24 PM
  • Hi Mark,

    In order to minimize network traffic and queries, ATA has a caching mechanism whereby it will not try to re-resolve an entity that was already recently resolved. This caching time is different when the machines are part of the "Short-term lease subnet". So if you have a VPN or Wi-Fi network with a short DHCP lease (minutes, not hours), you should add those subnets to the configuration.

    Hope this clarifies the issue,

    Microsoft ATA Team.

    Wednesday, October 7, 2015 12:53 PM
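The reply above leaves the reader to work out which DHCP scopes count as "minutes, not hours". The following PowerShell is an added example, not code from the thread or from Microsoft ATA: it reads the scopes from a DHCP server and prints the ones whose lease is at or below a threshold, in the slash notation the ATA "Short-term lease subnet" field expects. The server name and the two-hour threshold are assumptions chosen for illustration; pick the threshold that matches the reply's guidance for your network.

```powershell
# Added example (not from the thread or from Microsoft ATA): list DHCP scopes whose
# lease duration is short enough to be candidates for ATA's "Short-term lease subnet"
# setting, printed as <network>/<prefix length>.
# Assumptions: the DhcpServer RSAT module is installed, the server name and the
# threshold below are illustrative, and a LeaseDuration of 0 is treated as unlimited.

param(
    [string]$DhcpServer = 'dhcp01.corp.example',                 # assumed server name
    [timespan]$ShortLeaseThreshold = (New-TimeSpan -Hours 2)     # assumed threshold
)

function ConvertTo-PrefixLength {
    # Count the set bits of a dotted-quad mask, e.g. 255.255.254.0 -> 23
    param([Parameter(Mandatory)][ipaddress]$SubnetMask)
    $bits = 0
    foreach ($octet in $SubnetMask.GetAddressBytes()) {
        $value = [int]$octet
        while ($value -ne 0) {
            $bits += $value -band 1
            $value = $value -shr 1
        }
    }
    return $bits
}

function Get-ShortLeaseSubnet {
    param(
        [Parameter(Mandatory)][string]$ComputerName,
        [Parameter(Mandatory)][timespan]$Threshold
    )
    Get-DhcpServerv4Scope -ComputerName $ComputerName |
        Where-Object { $_.LeaseDuration -gt [timespan]::Zero -and $_.LeaseDuration -le $Threshold } |
        ForEach-Object {
            [pscustomobject]@{
                Name          = $_.Name
                Subnet        = '{0}/{1}' -f $_.ScopeId, (ConvertTo-PrefixLength $_.SubnetMask)
                LeaseDuration = $_.LeaseDuration
            }
        }
}

# Each Subnet value can be pasted into Configuration --> Detection --> Short-term lease subnet.
Get-ShortLeaseSubnet -ComputerName $DhcpServer -Threshold $ShortLeaseThreshold |
    Sort-Object LeaseDuration |
    Format-Table -AutoSize
```

Scopes with an unlimited lease report a zero duration and are skipped; scopes served by a VPN concentrator or wireless controller rather than Windows DHCP will not appear here and have to be added by hand.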
  • The subnets that have alerts have a DHCP lease duration of two days. So, that does not sound like the issue.

    One PC has an alert that its ticket has been stolen by four different PCs over the course of a few days.

    Any other explanations?

    I just enabled WEF for 4776. Will that help? How do you verify WEF is working? I see the DC events on the gateway in Forwarded Events.

    Wednesday, October 7, 2015 2:37 PM
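The post above asks how to verify that Windows Event Forwarding is actually delivering event ID 4776 (NTLM credential validation) to the gateway. The script below is an added example and is not code from the thread or from Microsoft ATA: run on the ATA Gateway, it counts 4776 events per forwarding domain controller in the Forwarded Events log, reports how many distinct client workstations each DC saw (a quick sanity check for the NAT question that follows in the thread), and warns about any expected DC that has sent nothing in the window. The DC names and the one-hour window are assumptions.

```powershell
# Added example (not from the thread or from Microsoft ATA): on the ATA Gateway,
# confirm that event ID 4776 forwarded by each DC is landing in ForwardedEvents
# and flag DCs that are silent.
# Assumptions: the DC names and the 60-minute window are illustrative.

param(
    [string[]]$ExpectedDCs = @('DC01', 'DC02'),   # assumed DC host names
    [int]$WindowMinutes = 60
)

function Get-Forwarded4776Summary {
    param([Parameter(Mandatory)][int]$Minutes)
    $filter = @{
        LogName   = 'ForwardedEvents'
        Id        = 4776
        StartTime = (Get-Date).AddMinutes(-$Minutes)
    }
    # Get-WinEvent raises a non-terminating error when nothing matches; treat that as "no events"
    $events = Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue
    if (-not $events) { return @() }

    $events |
        Group-Object { ($_.MachineName -split '\.')[0].ToUpper() } |
        ForEach-Object {
            $latest = $_.Group | Sort-Object TimeCreated -Descending | Select-Object -First 1
            # The Workstation field of 4776 names the client whose credentials the DC validated
            $workstations = $_.Group | ForEach-Object {
                ([xml]$_.ToXml()).Event.EventData.Data |
                    Where-Object Name -eq 'Workstation' |
                    Select-Object -ExpandProperty '#text'
            } | Sort-Object -Unique
            [pscustomobject]@{
                DC           = $_.Name
                Count        = $_.Count
                LastSeen     = $latest.TimeCreated
                Workstations = @($workstations).Count
            }
        }
}

$summary = Get-Forwarded4776Summary -Minutes $WindowMinutes
$summary | Format-Table -AutoSize

$seen = @($summary | ForEach-Object { $_.DC })
foreach ($dc in $ExpectedDCs) {
    if ($dc.ToUpper() -notin $seen) {
        Write-Warning ("No 4776 events from {0} in the last {1} minutes: check the subscription " +
                       "(wecutil gs <subscription name>) and the DC's audit policy." -f $dc, $WindowMinutes)
    }
}
```

If a DC appears in the Forwarded Events log but never with ID 4776, the usual cause is the audit policy rather than the subscription: 4776 is only written when "Audit Credential Validation" (Account Logon category) is enabled for success on that DC.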
  • Hi Mark,

    Could it be that this machine is behind a NAT or Kerberos proxy device (i.e. several machines are using the same IP address to access the DCs) ?

    If this is the case, when you are getting the event, there is a question asking you if this machine is behind a NAT. Answering "Yes" will prevent this event from showing again.

    If this is not the case in your scenario, then I am afraid this may require deeper investigation that may be out of scope for this public forum.

    Microsoft ATA Team

    Wednesday, October 7, 2015 2:51 PM
  • Mark,

    We too are seeing occasional Pass-The-Ticket alerts. With roughly 700 devices we are getting them once every couple of weeks, and almost always it's a Surface on one end or both. These devices are moving between wired and wireless but keeping their same IP address. With the first few I was very concerned, but now I am 100% convinced that these are false positives. I think that ATA has great promise and I'm sticking with it for now, but more visibility into what makes the alert fire would certainly be helpful.

    Thursday, January 21, 2016 1:15 AM
  • Hi Mark,

    Typically IP addresses on Wi-Fi networks have a high substitution rate to support the large number of devices that connect to the Wi-Fi networks. So the same IP address could be assigned to multiple devices in a short period of time, if not at the same time.

    If this is the case, ATA might think that the IP address that was assigned to a device is assigned to another device. What needs to be done is to configure the IP address range used by the Wi-Fi networks as "Short-term lease subnets".

    Configure short-term lease subnets and Honeytoken user


    ATA Team

    Gershon Levitz [MSFT]

    Thursday, January 21, 2016 7:29 AM