Asking for the explanation behind the Source Computer Resolution Method column values in the ATA alerts

Question
Hello,
I received one "Identity theft using pass-the-ticket attack" alert indicating that one person’s Kerberos tickets were stolen from 1 machine to 2 other computers and used to access 2 resources.
Please look below at the information from the "Network Activities" tab in the Excel file related to the alert in question:
Time (UTC)              | Source IP Address | Source Computer | Source Computer Resolution Method | Destination IP Address | Destination Computer
xx.02.2017 08:58:47,417 | 10.***.***.**1    | WS*****1        | Netbios, Cached                   | 10.***.***.**3         | DC*********1
xx.02.2017 09:33:20,746 | 10.***.***.**2    | WS*****2        | Netbios                           | 10.***.***.**3         | DC*********1
xx.02.2017 09:33:27,121 | 10.***.***.**2    | 10.***.***.**2  | None                              | 10.***.***.**4         | DC*********2
xx.02.2017 09:33:27,157 | 10.***.***.**2    | WS*****2        | Hint, Cached                      | 10.***.***.**4         | DC*********2
May I also know what the difference is between "Netbios, Cached" and "Netbios" in terms of ATA?
Also, what does "Hint, Cached" stand for? A cache hint is useful for small lookup tables, but what does it have to do with ATA?
Yet another question is related to "None" under "Source Computer Resolution Method". What might be the reason why there is no information for a certain entry? What might this mean, then?
Please also note that WS*****2 is an Apple iOS device.
Might the Wi-Fi subnet be the reason for this? As we know, the IP addresses are cached only for 15 seconds in such subnets. It's the same as in the case of VPN subnets, unless I'm mistaken here?
How about Apple iOS devices, too? Might they mislead ATA somehow? Especially as, e.g., the unusual protocol implementation from Mac OS X might be treated as "suspicious" by Microsoft's ATA?
Thank you very much in advance.
Regards,
MSSOC
Sunday, October 8, 2017 11:00 AM
All replies
Here is what I know:
We use several methods for name resolution: NetBIOS, NTLM/RPC and DNS.
We specify which method was used in each case.
Cached means that we didn't actively check just now, as we hold a short-term cache:
if we just checked an IP a few seconds ago, we avoid pinging the machine right away again.
None means none of the resolution methods worked, so we stayed with the IP address and could not resolve it to a computer name.
Rapidly changing addresses via Wi-Fi could cause PTT false positives.
- Marked as answer by MSSOC Monday, October 9, 2017 6:35 AM
Sunday, October 8, 2017 12:28 PM
Dear Eli,
Thank you so much for your answer.
May I know, though, what "Hint, Cached" means?
Also, does anyone know if e.g. an Apple OS based device can mislead ATA in terms of this name resolution method and its value?
Thank you in advance.
Regards,
MSSOC
Monday, October 9, 2017 4:52 AM
A Hint means we passively saw this name with the IP address in a network activity; we didn't find it actively.
Cache means the same: we remembered it from a recent event.
ATA doesn't care much about the OS, mostly the protocol, so Apple devices should not be a problem as far as I know.
- Marked as answer by MSSOC Monday, October 9, 2017 8:42 AM
Monday, October 9, 2017 8:11 AM
I have an IP address in an SA that seems to have a very erratic resolution pattern. Can I get more details about the "Hint" source? I'd like to understand why it alternates between high and low certainty.
Source Computer Certainty | Source Computer Resolution Method
Low                       | Hint, Cached
High                      | Hint, Cached
Low                       | Hint, Cached
Low                       | Hint, Cached
Low                       | Hint
Low                       | Hint, Cached
Low                       | Hint
Low                       | Hint, Cached
Low                       | Hint
Low                       | Hint, Cached
Low                       | Hint, Cached
Low                       | Hint
High                      | Hint, Cached
Low                       | Hint
Low                       | Hint, Cached
Low                       | Hint, Cached
Low                       | Hint, Cached
Low                       | Hint, Cached
Low                       | Hint, Cached
Low                       | Hint, Cached
Low                       | Hint, Cached
High                      | Hint, Cached
High                      | Hint, Cached
High                      | Hint, Cached
High                      | Hint, Cached
High                      | Hint, Cached
High                      | Hint, Cached
High                      | Hint, Cached
High                      | Hint, Cached
- Edited by hukel Wednesday, November 1, 2017 6:48 PM
Wednesday, November 1, 2017 6:47 PM
Hint means we saw the IP together with the machine name in a recent network activity.
Depending on the type of activity, the certainty can vary.
Wednesday, November 1, 2017 8:43 PM
Dear Eli,
Could you please explain under what circumstances / due to what factors / depending on what types of activities the certainty can vary?
Thank you in advance.
Regards,
MSSOC
Thursday, November 2, 2017 7:16 AM
Sorry, this goes into specific implementation details and IP that we don't generally disclose, and that might change rapidly between versions, so we don't want customers to rely on specific implementation or logic that we tune over time.
Thursday, November 2, 2017 9:22 AM
Dusting off this thread . . . we had a PtH suspicious activity where:
    "SourceComputerCertainty" : null,
    "SourceComputerResolutionMethod" : "None",
This seemed to happen when a user changed from wired to wireless and ATA detected the TGT being used from a new IP. How can we see what methods were tried for this computer resolution (and the results of each)? Is it logged on the Center somewhere?
In most events I see data more like this:
    "SourceComputerCertainty" : "High",
    "SourceComputerResolutionMethod" : ["Netbios", "RpcNtlm", "Hint", "Cached"],
Thursday, October 11, 2018 2:51 PM
All methods are always used, so if you got "None" it means none of the methods worked.
Thursday, October 11, 2018 8:37 PM
Thanks. So that I'm clear, is the DNS method basically a PTR lookup? Can you tell me more about how these other resolutions work?
- Netbios
- RpcNtlm
In our case, the KerberosTgs happened at 18:33:43.402, but we didn't get the email until the SystemUpdateTime of the SA, about two hours later. Did ATA try the name resolutions at the first time or at the second? The user had gone back to the wired network by the second time.
SystemCreationTime : 2018-10-10T18:33:43.075892Z
SystemUpdateTime : 2018-10-10T20:46:06.5430476Z
Thursday, October 11, 2018 9:03 PM
Those are simply protocols that make the endpoint identify itself.
The resolution is done a few seconds after the traffic happened.
The alert can be postponed because we try to use other methods to see if this is a false positive before we make it visible, for example if we learned this IP is NAT or something like that.
Eli.
Friday, October 12, 2018 12:35 AM
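The following triage helper is an added example for this thread; it is not ATA code and does not reproduce ATA's resolution or certainty logic. It applies the vocabulary from Eli's first reply (NetBIOS/RPC-NTLM probes versus passive Hint/Cached, and None meaning nothing worked) and the field names quoted in the 2018 exchange (SystemCreationTime, SourceComputerResolutionMethod, SourceComputerCertainty) to a set of network-activity rows, and flags the rows an analyst should distrust before accepting the "ticket moved to computer X" story: sources that were unresolved or only passively resolved, and one IP that resolves to different names (or to nothing) within a few seconds, which is the roaming Wi-Fi/VPN/NAT pattern the answers say produces PtT false positives. The other record keys (SourceIpAddress, SourceComputerName, DestinationComputerName) are assumed names for the Excel columns, the sample rows are constructed to mirror the four rows in the question, and the certainty values and the full date in them are made up.

```python
"""Triage helper for "Source Computer Resolution Method" values in ATA
pass-the-ticket alerts. Added example for this thread; not ATA code, and it
does not reproduce ATA's own resolution or certainty logic."""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional

# Method names as they appear in the thread's exports. "Hint" and "Cached" are
# passive (seen in traffic / remembered); "Netbios" and "RpcNtlm" are active
# probes. Any other non-"None" name (e.g. the DNS lookup mentioned in the
# answers, whose export spelling the thread does not show) is treated as active.
PASSIVE = {"Hint", "Cached"}


def normalize_methods(value):
    """Accept the Excel form ("Netbios, Cached"), the JSON array form
    (["Netbios", "RpcNtlm", "Hint", "Cached"]) and the empty cases
    ("None", None, [])."""
    if value is None:
        return []
    parts = value.split(",") if isinstance(value, str) else [str(p) for p in value]
    return [p.strip() for p in parts if p.strip() and p.strip().lower() != "none"]


def classify(value):
    """'active' if any probe answered (cached or not), 'passive' if the name only
    came from a hint or the cache, 'unresolved' if ATA fell back to the IP."""
    methods = set(normalize_methods(value))
    if methods - PASSIVE:
        return "active"
    if methods:
        return "passive"
    return "unresolved"


def parse_ts(s):
    """Parse ATA's UTC timestamps; the export carries 6- or 7-digit fractional
    seconds, strptime accepts at most 6, so the fraction is truncated."""
    base, _, frac = s.rstrip("Z").partition(".")
    dt = datetime.strptime(base, "%Y-%m-%dT%H:%M:%S")
    return dt.replace(microsecond=int((frac + "000000")[:6]), tzinfo=timezone.utc)


@dataclass
class Activity:
    time: datetime
    src_ip: str
    src_name: Optional[str]   # None when the name column just repeats the IP
    methods: list
    certainty: Optional[str]
    dst_name: str


def load(records):
    """records: dicts using the field names quoted in the thread plus assumed
    names (SourceIpAddress, SourceComputerName, DestinationComputerName)
    for the remaining network-activity columns."""
    acts = []
    for r in records:
        name = r.get("SourceComputerName")
        acts.append(Activity(
            time=parse_ts(r["SystemCreationTime"]),
            src_ip=r["SourceIpAddress"],
            src_name=None if name in (None, r["SourceIpAddress"]) else name,
            methods=normalize_methods(r.get("SourceComputerResolutionMethod")),
            certainty=r.get("SourceComputerCertainty"),
            dst_name=r["DestinationComputerName"],
        ))
    return sorted(acts, key=lambda a: a.time)


def find_weak_sources(acts, window=timedelta(seconds=60)):
    """Return (row index, reason) pairs for sources that were unresolved or only
    passively resolved below High certainty, and for one IP resolving to
    different names (or to nothing) within `window` of an earlier row."""
    flags = []
    for i, a in enumerate(acts):
        kind = classify(a.methods)
        if kind == "unresolved" or (kind == "passive" and a.certainty != "High"):
            flags.append((i, f"{kind} source {a.src_ip} ({a.certainty})"))
        for j in range(i + 1, len(acts)):
            b = acts[j]
            if b.time - a.time > window:
                break  # rows are time-sorted, nothing later is inside the window
            if b.src_ip == a.src_ip and b.src_name != a.src_name:
                flags.append((j, f"{a.src_ip} resolved to {a.src_name} and "
                                 f"{b.src_name} within {window.seconds}s"))
    return flags


# Constructed sample mirroring the four rows in the question. Addresses, names,
# the day of month and the certainty values are placeholders, not the poster's.
SAMPLE = [
    {"SystemCreationTime": "2017-02-15T08:58:47.417Z", "SourceIpAddress": "10.0.0.1",
     "SourceComputerName": "WS1", "SourceComputerResolutionMethod": "Netbios, Cached",
     "SourceComputerCertainty": "High", "DestinationComputerName": "DC1"},
    {"SystemCreationTime": "2017-02-15T09:33:20.746Z", "SourceIpAddress": "10.0.0.2",
     "SourceComputerName": "WS2", "SourceComputerResolutionMethod": ["Netbios"],
     "SourceComputerCertainty": "High", "DestinationComputerName": "DC1"},
    {"SystemCreationTime": "2017-02-15T09:33:27.121Z", "SourceIpAddress": "10.0.0.2",
     "SourceComputerName": "10.0.0.2", "SourceComputerResolutionMethod": "None",
     "SourceComputerCertainty": None, "DestinationComputerName": "DC2"},
    {"SystemCreationTime": "2017-02-15T09:33:27.157Z", "SourceIpAddress": "10.0.0.2",
     "SourceComputerName": "WS2", "SourceComputerResolutionMethod": "Hint, Cached",
     "SourceComputerCertainty": "Low", "DestinationComputerName": "DC2"},
]

if __name__ == "__main__":
    for idx, reason in find_weak_sources(load(SAMPLE)):
        print(idx, reason)
```

On the sample, the two 09:33:27 rows are flagged twice each: once because the third row is unresolved and the fourth is only a Low-certainty hint, and once because the same IP resolves to WS2, then to nothing, then to WS2 again within a second. That is exactly the combination to check against DHCP lease logs or the VPN/Wi-Fi controller before treating the row as a real second machine.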