False pass-the-hash when Citrix pass-through authentication in use

    Question

  • I have recently installed ATA (1.8.6645.28499). It is now into the second week of its learning phase and it is raising a considerable number of false pass-the-hash alerts when users initiate Citrix sessions from their usual PC using pass-through authentication, e.g. a typical alert would be:

    Bloggs,Fred's hash was stolen from one of the computers previously logged into by Bloggs,Fred and used from xx1234

    Clearly this is spurious - in each case the user is initiating a Citrix session from their own PC and the xx1234 represents a Citrix server in the farm in every case.

    1) Why am I only receiving a handful of related PTH alerts each day when I have many thousands of Citrix users, all authenticating in the same manner?

    2) How can I suppress these alerts?

    What I effectively want to say is 'IF the suspected PTH is being triggered BY the user on their OWN PC and the target server is in our Citrix farm' then ignore it. I can't see a way of setting an exclusion range like this for PTH events though?

    Thanks

    Wednesday, December 20, 2017 10:14 AM

All replies

  • Hello,

    There are two ways of suppressing the alerts. You can configure that either from the suspicious activity or from the configuration page. You can learn more from the following article.

    https://docs.microsoft.com/en-us/advanced-threat-analytics/excluding-entities-from-detections

    In addition, you can follow the procedures in the following article for investigating this suspicious activity.

    https://docs.microsoft.com/en-us/advanced-threat-analytics/suspicious-activity-guide

    Best regards,

    Andy Liu


    Please remember to mark the replies as answers if they help.
    If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com.

    Thursday, December 21, 2017 8:26 AM
    Moderator
  • Hi,

    I'm afraid that does not answer either question. There IS no way of excluding pass-the-hash on the standard exclusion page, if there was I would be using it. The events in question are not suspicious, so I do not want to exclude any users, computers etc in this particular circumstance. What I DO need to be able to do is ignore events when this alert is triggered by the user that is logged on to (their own) trigger PC and who (via Citrix pass-through authentication) subsequently logs on to our Citrix farm using that token, which is normal behaviour. Ideally I want to be able to exclude suspect PTH events IF they are being used to authenticate to our Citrix servers (so I could exclude a target subnet range here). The subnet exclusion needs to be for target IP range, not source. The 'offending' user could be on a wide range of subnets within our company and they could be using any PC so I cannot exclude by user, source device or source subnet. I need to ensure that any suspect PTH events that are not hitting our Citrix farm continue to be raised for proper investigation as usual.

    I'm still at a loss to know why I'm not seeing many thousands of these events as I've yet to be able to determine the differences between Citrix logins that do raise the alerts (a tiny fraction) and those that don't (the majority). Source device, subnet, recency of password change etc do not appear to have any common link.


    • Edited by RichardATA Thursday, December 21, 2017 12:06 PM
    Thursday, December 21, 2017 11:43 AM
  • Q1:

    If the user is a known user of the machine we will not open a PTH alert. That is why some users alert and some don't.

    Q2:

    There is no way to add exclusion to this specific detection.

    That being said...

    We are interested, though, in learning more about this scenario and seeing how we can auto-detect that it's a FP for vNext.
    That would need us to get some info from your DB to learn exactly what ATA learned.

    If you wish to help fix that, please contact me at atashare at microsoft com, and mention this post,
    I will privately get back to you with more instructions.

    Thanks,

    Eli

    Thursday, December 28, 2017 12:37 PM
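An added illustration of the two points above, not code from the thread, from Microsoft ATA or from Citrix: first, the "known user of the machine" rule Eli describes (Q1), modelled as a function that flags a logon only when the hash is used from a computer the user is not already a known user of, which is why only a fraction of farm logons alert; second, the target-side filter Richard asks for in his question (Q2). Since ATA has no exclusion for this detection, the filter here runs over exported alert lines outside ATA and drops only suspected-PTH alerts whose "used from" host resolves into the Citrix farm's subnets, keeping every other PTH alert. The alert text carries only the "used from" host, so the "triggered from the user's own PC" half of Richard's condition is not checked here. The user profiles, hostnames, hostname-to-IP table, subnet ranges and sample alert lines are all constructed for the example.

```python
"""
Added example (not from the original thread, Microsoft ATA or Citrix).

 1. would_raise_pth(): model of the rule "no alert if the user is a known
    user of the machine the hash is used from".
 2. filter_pth_alerts(): post-processing of exported ATA alert lines that
    suppresses suspected PTH only when the "used from" host is in the
    Citrix farm target subnets, and keeps everything else.

All data below is constructed for illustration.
"""
import ipaddress
import re

# Assumption: ATA's learned profile reduced to "which computers each user
# normally logs on to" (in ATA this is built during the learning period).
KNOWN_MACHINES = {
    "Bloggs,Fred": {"PC-FRED", "CTX-APP-01", "CTX-APP-02"},
    "Smith,Jane": {"PC-JANE", "CTX-APP-01"},
}

# Assumption: target IP ranges that contain the Citrix farm.
CITRIX_FARM_SUBNETS = [
    ipaddress.ip_network("10.20.0.0/22"),
    ipaddress.ip_network("10.21.8.0/24"),
]

# Assumption: static hostname -> IP table standing in for DNS lookup.
HOST_TO_IP = {
    "CTX-APP-01": "10.20.1.11",
    "CTX-APP-02": "10.20.1.12",
    "CTX-APP-09": "10.20.2.9",
    "FILE-SRV-03": "10.50.3.3",
    "PC-FRED": "10.99.4.25",
}

# Shape of the alert text quoted in the question; the user name is repeated,
# so a backreference pins the second occurrence to the first.
ALERT_RE = re.compile(
    r"^(?P<user>.+?)'s hash was stolen from one of the computers previously "
    r"logged into by (?P=user) and used from (?P<used_from>\S+)$"
)

# Constructed sample alert lines (one farm hit, one non-farm hit, one
# unrelated line that must pass through untouched).
SAMPLE_ALERTS = [
    "Bloggs,Fred's hash was stolen from one of the computers previously "
    "logged into by Bloggs,Fred and used from ctx-app-09",
    "Smith,Jane's hash was stolen from one of the computers previously "
    "logged into by Smith,Jane and used from FILE-SRV-03",
    "Some other suspicious activity line",
]


def would_raise_pth(user: str, used_from: str) -> bool:
    """True when the hash is used from a machine the user is not a known
    user of; False (no alert) when it is one of their usual machines."""
    return used_from.upper() not in KNOWN_MACHINES.get(user, set())


def parse_alert(line: str):
    """Return (user, used_from) for a PTH alert line, or None otherwise."""
    m = ALERT_RE.match(line.strip())
    if not m:
        return None
    return m.group("user"), m.group("used_from")


def in_citrix_farm(hostname: str) -> bool:
    """Resolve the host (static table here) and test it against the farm
    subnets. Unknown hosts are never suppressed."""
    ip = HOST_TO_IP.get(hostname.upper())
    if ip is None:
        return False
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in CITRIX_FARM_SUBNETS)


def filter_pth_alerts(lines):
    """Split lines into (kept, suppressed). Only PTH alerts whose 'used from'
    host is inside the farm are suppressed; everything else is kept."""
    kept, suppressed = [], []
    for line in lines:
        parsed = parse_alert(line)
        if parsed and in_citrix_farm(parsed[1]):
            suppressed.append(line)
        else:
            kept.append(line)
    return kept, suppressed


if __name__ == "__main__":
    # Fred landing on a farm server he has used before: no alert.
    print("CTX-APP-01 alerts:", would_raise_pth("Bloggs,Fred", "CTX-APP-01"))
    # Fred landing on a farm server ATA has never seen him on: alert.
    print("CTX-APP-09 alerts:", would_raise_pth("Bloggs,Fred", "ctx-app-09"))
    kept, suppressed = filter_pth_alerts(SAMPLE_ALERTS)
    print("suppressed:", suppressed)
    print("kept:", kept)
```

The suppression is deliberately one-sided: a line that does not parse as a PTH alert, or whose "used from" host cannot be resolved, is always kept, so a filtering mistake can only produce extra alerts rather than hide one.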
  • Hi, do you know when the fix for this will get included? It doesn't appear to have made the 1.9 release as I am still getting the false positives unfortunately!

    Thanks

    Richard

    Wednesday, June 13, 2018 10:42 AM