ATA Alert: Identity theft using pass-the-ticket attack

  • Question

  • Got 2 alerts for Identity theft using pass-the-ticket attack.

    I checked with my network team about the IPs involved in the alert and requested them to provide details on these IPs.

    1. Does the IP address of one or both computers belong to a subnet that is allocated from an undersized DHCP pool, for example, VPN or WiFi? 
    2. Is the IP address shared? For example, by a NAT device?


    Below is the network team's reply:

    Please note that the IP is part of a subnet on the Ballina Ireland Data VLAN. It is currently DHCP free.

    Please note that the IP address is part of Wireless Network 2, Atlanta Office Center. It is currently DHCP free.

    Is the IP address shared? For example, by a NAT device? NO.


    Can this be the cause of the alert? It is currently DHCP free. If not, then what else do I need to look for here?

    Wednesday, May 2, 2018 10:07 AM

All replies

  • Hi Rahul

    There is more scoping needed to conclude what is going on in your case. I have a list that I follow.

    Things to look for:
    1. From which machine does this traffic come?
    2. From which network does this come?
    3. What account is communicating?
    4. To where is the service communicating?
    5. What are the capabilities of this account?

    Based on this, we can evaluate whether additional information needs to be collected for forensics.
    Information to be collected:
    1. What information is present in ATA regarding the computer where the account credentials were exposed?
    2. Is the computer verified with high certainty?
    3. What other actions have been captured by ATA on this machine?
    4. Is the machine showing an abnormal number of LDAP calls?
    5. Is the machine showing an abnormal number of Kerberos calls?
    6. Is the machine showing an abnormal number of NTLM calls?
    7. What users were recently logged on to the machine?
    8. What other network traffic is going from this machine, based on firewall logs?
    9. Based on the IP address, we can find out which network segment the machine is communicating from.
    10. From what other computers is the account being used?
    11. Are any of the machines being connected from a short-lease network?
    12. Is the machine switching between different networks in a short timeframe, for example going from WiFi to a wired network?


    Wednesday, May 2, 2018 1:20 PM
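One way to work through items 10 to 12 of the list above over exported 4624 logon events, as an added example that is not part of this thread or of ATA: group network logons per account, flag an account seen from two source addresses within a short window, and drop address changes on the same workstation that fall in a short-lease (WiFi/VPN/undersized DHCP) subnet. The event records, account names, hosts, addresses and the short-lease range are all constructed for the example.

```python
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network

# Constructed sample 4624 (logon type 3) events, not taken from the thread.
# Field names mirror the ones quoted in the post: account, workstation
# name and source network address.
EVENTS = [
    {"time": "2018-05-02T09:00:05", "account": "DOMAIN\\jdoe", "logon_type": 3,
     "workstation": "WS-JDOE", "src": "10.1.1.66"},
    {"time": "2018-05-02T09:03:40", "account": "DOMAIN\\jdoe", "logon_type": 3,
     "workstation": "WS-JDOE", "src": "10.1.1.66"},
    {"time": "2018-05-02T09:05:12", "account": "DOMAIN\\jdoe", "logon_type": 3,
     "workstation": "SRV-ADMIN01", "src": "10.1.9.20"},
    {"time": "2018-05-02T10:30:00", "account": "DOMAIN\\asmith", "logon_type": 3,
     "workstation": "WS-ASMITH", "src": "10.2.0.15"},
    {"time": "2018-05-02T10:31:00", "account": "DOMAIN\\asmith", "logon_type": 3,
     "workstation": "WS-ASMITH", "src": "10.2.8.77"},  # same host, WiFi pool
]

# Hypothetical short-lease ranges (WiFi/VPN/undersized DHCP pools) where a
# single host may legitimately reappear with a new address within minutes.
SHORT_LEASE = [ip_network("10.2.8.0/24")]

def is_short_lease(addr):
    return any(ip_address(addr) in net for net in SHORT_LEASE)

def find_ticket_reuse(events, window=timedelta(minutes=10)):
    """Return (account, src_a, src_b, (host_a, host_b)) for each pair of
    consecutive network logons by one account that come from two different
    source addresses within `window`. An address change on the same
    workstation that involves a short-lease subnet is treated as DHCP/WiFi
    churn and dropped; a change of workstation is always reported."""
    by_account = {}
    for e in sorted(events, key=lambda e: e["time"]):
        if e["logon_type"] == 3:          # network logons only
            by_account.setdefault(e["account"], []).append(e)
    hits = []
    for account, evs in by_account.items():
        for a, b in zip(evs, evs[1:]):
            gap = datetime.fromisoformat(b["time"]) - datetime.fromisoformat(a["time"])
            if gap > window or a["src"] == b["src"]:
                continue
            same_host = a["workstation"] == b["workstation"]
            if same_host and (is_short_lease(a["src"]) or is_short_lease(b["src"])):
                continue
            hits.append((account, a["src"], b["src"], (a["workstation"], b["workstation"])))
    return hits
```

Calling `find_ticket_reuse(EVENTS)` reports only the jdoe logons, which moved to a different workstation and address within two minutes; the asmith address change is absorbed by the short-lease rule and would need the WiFi lease logs before it counts as evidence.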
  • Hello,

    You can follow the procedures in the investigation guide below. You can learn more by referring to the following documentation.


    Best regards,

    Andy Liu

    Please remember to mark the replies as answers if they help.
    If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com.

    Thursday, May 31, 2018 8:23 AM
  • Hi Andy Liu,

    I have gone through the Microsoft documentation, but it didn't give me much help here.

    Can you please help here? I pulled the Windows event logs and his ID is seen accessing that machine. Can you help me investigate the issue?

    Event Timeline:

    Event 1

    Message=An account was successfully logged on
    Security ID: <DOMAIN>\<userid>
    Logon Type: 3
    Impersonation Level: Impersonation
    Network Information: Workstation Name: <USER Machine> Source Network Address: <10.xx.xx.66>

    Event 2

    Message=A network share object was accessed.
    TaskCategory=File Share
    Subject: Security ID: NA\<user id> Account Name: <User ID>
    Network Information: Object Type: File Source Address: 10.xx.xx.66 Source Port: 59275

    Tuesday, September 11, 2018 10:29 AM