Asking for the explanation behind the Source Computer Resolution Method column values in the ATA alerts RRS feed

  • Question

  • Hello,

    I received one "Identity theft using pass-the-ticket attack" alert indicating that one person's Kerberos tickets were stolen from 1 machine to 2 other computers and used to access 2 resources.

    Please look below at the information from the "Network Activities" tab in the Excel file related to the alert in question:

    Time (UTC)               Source Ip Address  Source Computer  Source Computer Resolution Method  Destination Ip Address  Destination Computer
    xx.02.2017 08:58:47,417  10.***.***.**1     WS*****1         Netbios, Cached                    10.***.***.**3          DC*********1
    xx.02.2017 09:33:20,746  10.***.***.**2     WS*****2         Netbios                            10.***.***.**3          DC*********1
    xx.02.2017 09:33:27,121  10.***.***.**2     10.***.***.**2   None                               10.***.***.**4          DC*********2
    xx.02.2017 09:33:27,157  10.***.***.**2     WS*****2         Hint, Cached                       10.***.***.**4          DC*********2


    May I know why NetBIOS (which is used to identify the computer name, with TCP/IP as the transport mechanism for NetBIOS communication traffic) is a relevant piece of information in this scenario?

    May I also know what the difference is between "Netbios, Cached" and "Netbios" in terms of ATA?

    Also, what does "Hint, Cached" stand for? A cache hint is useful for small lookup tables, but what does it have to do with ATA?

    Yet another question relates to "None" under "Source Computer Resolution Method". What might be the reason why there is no information for a certain entry? What might this mean, then?

    Please also note that WS*****2 is an Apple iOS device.

    Might the Wi-Fi subnet be the reason for this? As we know, the IP addresses are cached only for 15 seconds in such subnets. It's the same as in the case of VPN subnets, unless I'm mistaken here?

    How about Apple iOS devices, too? Might they mislead ATA somehow? Especially as, e.g., the unusual protocol implementation from Mac OS X might be treated as "suspicious" by Microsoft's ATA?

    Thank you very much in advance.

    Regards,
    MSSOC
    Sunday, October 8, 2017 11:00 AM

All replies

  • Here is what I know:

    We use several methods for name resolution: NetBios, NTLM/RPC & DNS.

    We specify which method was used in such a case.

    Cached means that we didn't actively check just now, as we hold a short-term cache; if we just checked an IP a few seconds ago, we avoid pinging the machine right away again.

    None means none of the resolution methods worked, so we stayed with the IP address and could not resolve it to a computer name.

    Rapidly changing addresses via Wi-Fi could cause PTT false positives.

    • Marked as answer by MSSOC Monday, October 9, 2017 6:35 AM
    Sunday, October 8, 2017 12:28 PM
  • Dear Eli,

    Thank you so much for your answer.

    May I know, though, what "Hint, Cached" means?

    Also, does anyone know if e.g. an Apple OS based device can mislead ATA in terms of this name resolution method and its value?

    Thank you in advance.

    Regards,
    MSSOC
    Monday, October 9, 2017 4:52 AM
  • A Hint means we passively saw this name with the IP address in a network activity; we didn't find it actively.

    Cache means the same: we remembered it from a recent event.

    ATA doesn't care much for the OS, mostly the protocol, so Apple devices should not be a problem as far as I know.

    • Marked as answer by MSSOC Monday, October 9, 2017 8:42 AM
    Monday, October 9, 2017 8:11 AM
  • I have an IP address in an SA that seems to have a very erratic resolution pattern. Can I get more details about the "Hint" source? I'd like to understand why it alternates between high and low certainty.

    Source Computer Certainty   Source Computer Resolution Method
    Low                         Hint, Cached
    High                        Hint, Cached
    Low                         Hint, Cached
    Low                         Hint, Cached
    Low                         Hint
    Low                         Hint, Cached
    Low                         Hint
    Low                         Hint, Cached
    Low                         Hint
    Low                         Hint, Cached
    Low                         Hint, Cached
    Low                         Hint
    High                        Hint, Cached
    Low                         Hint
    Low                         Hint, Cached
    Low                         Hint, Cached
    Low                         Hint, Cached
    Low                         Hint, Cached
    Low                         Hint, Cached
    Low                         Hint, Cached
    Low                         Hint, Cached
    High                        Hint, Cached
    High                        Hint, Cached
    High                        Hint, Cached
    High                        Hint, Cached
    High                        Hint, Cached
    High                        Hint, Cached
    High                        Hint, Cached
    High                        Hint, Cached


    • Edited by hukel Wednesday, November 1, 2017 6:48 PM
    Wednesday, November 1, 2017 6:47 PM
  • Hint means we saw the IP with the machine name together in a recent network activity.

    Depending on the type of activity, the certainty can vary.

    Wednesday, November 1, 2017 8:43 PM
  • Dear Eli,

    Could you please explain under what circumstances / due to what factors / depending on what types of activities the certainty can vary?

    Thank you in advance.

    Regards,
    MSSOC
    Thursday, November 2, 2017 7:16 AM
  • Sorry, this goes into specific implementation details and IP we don't generally disclose, and that might change rapidly between versions, so we don't want customers to rely on specific implementation or logic that we tune over time.

    Thursday, November 2, 2017 9:22 AM
  • Dusting off this thread... we had a PtH suspicious activity where:

        "SourceComputerCertainty" : null,
        "SourceComputerResolutionMethod" : "None",

    This seemed to happen when a user changed from wired to wireless and ATA detected the TGT being used from a new IP. How can we see what methods were tried for this computer resolution (and the results of each)? Is it logged on the Center somewhere?

    In most events I see data more like this:

        "SourceComputerCertainty" : "High",
        "SourceComputerResolutionMethod" : ["Netbios", "RpcNtlm", "Hint", "Cached"],


    Thursday, October 11, 2018 2:51 PM
  • All methods are always used, so if you got "None" it means none of the methods worked.
    Thursday, October 11, 2018 8:37 PM
  • Thanks. So that I'm clear, is the DNS method basically a PTR lookup? Can you tell me more about how these other resolutions work?

    • Netbios
    • RpcNtlm

    In our case, the KerberosTgs happened at 18:33:43.402 but we didn't get the email until the SystemUpdateTime of the SA, about two hours later. Did ATA try the name resolutions at the first time or at the second time? The user had gone back to the wired network by the second time.

    SystemCreationTime           : 2018-10-10T18:33:43.075892Z
    SystemUpdateTime             : 2018-10-10T20:46:06.5430476Z


    Thursday, October 11, 2018 9:03 PM
  • Those are simply protocols that make the endpoint identify itself.

    The resolution is done a few seconds after the traffic happened.

    The alert can be postponed because we try to use other methods to see if this is a false positive before we make it visible, for example if we learned this IP is NAT or something like that.

    Eli.

    Friday, October 12, 2018 12:35 AM
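  • An added example, not code from this thread or from ATA itself, that turns the column meanings explained above (active NetBIOS/RPC-NTLM/DNS resolution, a passive Hint, a reused Cached answer, and None) into a triage rule over a constructed export. The JSON field names follow the ones quoted in the thread; the hostnames, addresses, timestamps and the five-minute roaming window are assumptions.

```python
import json
from datetime import datetime, timedelta

# Constructed sample shaped after the fields quoted in this thread; hostnames,
# addresses and timestamps are placeholders, not data from the original posts.
SAMPLE_ACTIVITIES = json.loads("""[
 {"Time": "2018-10-10T18:33:43.402Z", "SourceIp": "10.0.1.2",
  "SourceComputer": "WS-A", "SourceComputerCertainty": "High",
  "SourceComputerResolutionMethod": ["Netbios", "RpcNtlm", "Hint", "Cached"]},
 {"Time": "2018-10-10T18:33:50.100Z", "SourceIp": "10.0.9.7",
  "SourceComputer": "10.0.9.7", "SourceComputerCertainty": null,
  "SourceComputerResolutionMethod": "None"},
 {"Time": "2018-10-10T20:46:06.543Z", "SourceIp": "10.0.1.2",
  "SourceComputer": "WS-A", "SourceComputerCertainty": "High",
  "SourceComputerResolutionMethod": ["Netbios", "Cached"]}
]""")

ACTIVE_METHODS = {"Netbios", "RpcNtlm", "Dns"}  # ATA asked the endpoint itself
def resolution_quality(methods):
    """Classify one SourceComputerResolutionMethod value.
    active     - NetBIOS, RPC/NTLM or DNS answered (Cached only marks a reused answer)
    passive    - only a Hint: the name was seen beside the IP in other traffic
    unresolved - None: ATA fell back to the bare IP address"""
    if methods is None or methods == "None":
        return "unresolved"
    names = {methods} if isinstance(methods, str) else set(methods)
    if names & ACTIVE_METHODS:
        return "active"
    return "passive" if "Hint" in names else "unresolved"

def _ts(value):
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%S.%fZ")

def triage(activities, roam_window=timedelta(minutes=5)):
    """Flag source-IP hops that ATA could not back with an active, high-certainty
    resolution: a hop inside roam_window onto a weakly resolved source is the
    Wi-Fi / VPN roaming pattern blamed above for PTT false positives."""
    findings = []
    ordered = sorted(activities, key=lambda a: _ts(a["Time"]))
    for prev, cur in zip(ordered, ordered[1:]):
        if cur["SourceIp"] == prev["SourceIp"]:
            continue
        quality = resolution_quality(cur["SourceComputerResolutionMethod"])
        if quality == "active" and cur.get("SourceComputerCertainty") == "High":
            continue  # new IP, but the endpoint itself confirmed its name
        gap = _ts(cur["Time"]) - _ts(prev["Time"])
        if gap <= roam_window:
            findings.append((cur["SourceIp"], f"IP hop after {gap.total_seconds():.0f}s, {quality} resolution"))
    return findings
```

    Flagged hops are the entries worth checking by hand against DHCP or VPN logs before treating the alert as a confirmed ticket theft; a hop that the endpoint confirmed itself is left alone.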