Citrix : Identity Theft Using Pass-The-Hash Attack

  • Question

  • I've noticed that when users attempt to log into a Citrix session and provide the wrong password initially but then provide the correct password, the "Identity Theft Using Pass-The-Hash Attack" alert is triggered. I assume this is because Citrix makes use of pass-through authentication. Is there anything I can do to tune these out or reduce the number of false positives that are observed?

    Thursday, September 6, 2018 9:08 AM

All replies

  • Hi,

    It is a known issue but not a common one; currently we don't have an option to handle it except disabling the detection of PTH.

    In Azure ATP there is an option to exclude computers for PTH detection.

    Best,

    Tali

    Thursday, September 6, 2018 9:47 AM
  • I disagree that this is not a common problem. I raised a thread on this forum about this very subject in December 2017 and subsequently provided detailed diagnostics to the ATA team. They analysed it, agreed it was a problem and said that a fix (or at least a filter) would be included, hopefully in version 1.9. Unfortunately it doesn't seem to have been included in 1.9 or 1.9-update1, nearly a year later!

    1) Citrix is designed to be used from thin clients/low spec PCs. By their very nature, thin clients do not usually retain login history through a power cycle/reboot, so users often appear to be new to a device, even if they have used it before.

    2) In a large company like mine, where hot-desking and thin clients are the standard, it is extremely unusual for any given person to use the same device more than once.

    3) Citrix uses pass-through authentication by design; this should not be raised as PTH (although I realise that this is, in effect, exactly what pass-through authentication is)!

    For us, our experience of ATA has been severely devalued due to the daily quantity of high-priority suspected PTH events. PLEASE can this be sorted out? As I posted on my original thread, I would like to be able to say that any suspected PTH events generated FROM my internal thin clients and directed TO my internal Citrix farms were automatically ignored. There is currently no way to filter on both source and destination subnets.

    Thanks

    Friday, September 7, 2018 8:30 AM
  • 
    What you have said mirrors what we experience on a daily basis. Every day we have several PTH alerts; these are always on the Citrix infrastructure and are usually triggered by an initial failed login followed by a successful logon.

    Monday, September 10, 2018 8:49 AM
  • Unfortunately it doesn't look like Microsoft are interested in addressing this any time soon. This is what they said in reply to a recent Premier call I logged:

     I have discussed this with the ATA Product Group, and unfortunately this will not be included in the next version of ATA.

     There were several reasons which went into the decision: technical challenges; risk of missing genuine alerts; but primarily this feature had very few requests for immediate implementation. User feedback is one of the main ways that we prioritise new feature requests. Your feedback has been added to the list, and this is something we may see in future versions, but as of now this is not going to make it into at least the next release.

     Sorry it is not more positive news.

    So I guess if you have such an unusual environment that you actually use Citrix (!) you need to take this into account before deploying ATA. Unfortunately I'm not aware of any ATA alternatives?

    Wednesday, January 30, 2019 2:51 PM
  • 
    RichardATA / J_Wiggins - check out Preempt Security (https://www.preempt.com).  PtH is one type of attack Preempt can detect, then take action with MFA / blocking capabilities.  

    Monday, February 25, 2019 8:18 PM
  • Our "noise" issue occurs even with successful logins to Citrix.

    We receive a large number of "Suspicion of identity theft based on abnormal behavior" alerts.
    As a healthcare facility, our users roam to different workstations and VDI thin clients across the facilities.
    They are constantly going to different workstations, and then the Citrix Receiver session authenticates them into the numerous Citrix farm servers.

    Wednesday, February 27, 2019 6:43 PM
  • I agree that this is an issue - we get tons of "Identity theft using Pass-the-Ticket attack" alerts.

    This issue occurs under 2 circumstances:
    1) Users who log onto a VPN
    2) Users who log onto VDI workstations.

    Disabling PTH scanning significantly diminishes the usefulness of this tool.

    Wednesday, March 27, 2019 1:10 PM
  • I also agree, as we have 8000 users who use VDIs or Citrix as their workspace, with the client machine only acting as a "thin client". The amount of false positives is insane and is making ATA more or less useless, because I do NOT want to remove the PTH detection altogether. I would really like to be able to filter these out based on naming convention or by IP range.

    Friday, April 12, 2019 1:05 PM
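The source-and-destination filter that the thread repeatedly asks for (thin client FROM, Citrix farm TO, matched by IP range or naming convention) can be applied downstream, over alerts exported from ATA to a SIEM or script, rather than by disabling PtH detection. The following Python is an added example written for this page, not code from the forum posters or from ATA; the alert record shape, subnets and host-name patterns are constructed assumptions. It suppresses only alerts whose BOTH ends match, so a PtH alert from the same thin-client subnet towards a domain controller is still kept, which ATA's per-computer exclusion would hide.

```python
import ipaddress
import re

# Constructed sample alerts in a simplified ATA-like shape (not ATA's real export format).
ALERTS = [
    {"id": 1, "type": "Identity theft using Pass-the-Hash attack",
     "src_host": "TC-0142", "src_ip": "10.20.5.17", "dst_host": "CTXFARM01", "dst_ip": "10.50.1.12"},
    {"id": 2, "type": "Identity theft using Pass-the-Hash attack",
     "src_host": "WS-ADMIN07", "src_ip": "10.30.9.4", "dst_host": "DC01", "dst_ip": "10.10.0.5"},
    {"id": 3, "type": "Identity theft using Pass-the-Hash attack",
     "src_host": "TC-0999", "src_ip": "10.20.5.200", "dst_host": "DC01", "dst_ip": "10.10.0.5"},
    {"id": 4, "type": "Identity theft using Pass-the-Ticket attack",
     "src_host": "TC-0142", "src_ip": "10.20.5.17", "dst_host": "CTXFARM02", "dst_ip": "10.50.1.13"},
]

# Hypothetical site specifics: thin-client subnet/naming and Citrix farm subnet/naming.
THIN_CLIENT_NETS = [ipaddress.ip_network("10.20.0.0/16")]
CITRIX_FARM_NETS = [ipaddress.ip_network("10.50.1.0/24")]
THIN_CLIENT_NAME = re.compile(r"^TC-\d{4}$", re.IGNORECASE)
CITRIX_FARM_NAME = re.compile(r"^CTXFARM\d{2}$", re.IGNORECASE)
SUPPRESSIBLE = ("Pass-the-Hash", "Pass-the-Ticket")


def matches(ip: str, host: str, nets, name_re) -> bool:
    """True if the endpoint is inside one of the subnets or its name fits the convention."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:            # unparseable address: fall back to the name check only
        addr = None
    in_net = addr is not None and any(addr in n for n in nets)
    return in_net or bool(name_re.match(host or ""))


def is_expected_citrix_lateral(alert: dict) -> bool:
    """Suppress only when BOTH ends match: thin client -> Citrix farm, for PtH/PtT alerts."""
    if not any(k in alert["type"] for k in SUPPRESSIBLE):
        return False
    src_ok = matches(alert["src_ip"], alert["src_host"], THIN_CLIENT_NETS, THIN_CLIENT_NAME)
    dst_ok = matches(alert["dst_ip"], alert["dst_host"], CITRIX_FARM_NETS, CITRIX_FARM_NAME)
    return src_ok and dst_ok


def triage(alerts):
    """Split alerts into those to keep and those suppressed as expected Citrix pass-through."""
    keep = [a for a in alerts if not is_expected_citrix_lateral(a)]
    suppressed = [a for a in alerts if is_expected_citrix_lateral(a)]
    return keep, suppressed


if __name__ == "__main__":
    kept, dropped = triage(ALERTS)
    print("kept:", [a["id"] for a in kept], "suppressed:", [a["id"] for a in dropped])
```

Suppressed alerts are worth retaining in a low-priority queue rather than discarding, so a genuine thin-client-to-farm abuse can still be found on review.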