Hello,
I received one "Identity theft using pass-the-ticket attack" alert indicating that one person’s Kerberos tickets were stolen from 1 machine to 2 other computers and used to access 2 resources.
Please look below at the information from the "Network Activities" tab in the excel file related to the alert in question:
|
Time (UTC)
|
Source Ip Address
|
Source Computer
|
Source Computer Resolution Method
|
Destination Ip Address
|
Destination Computer
|
|
xx.02.2017 08:58:47,417
|
10.***.***.**1
|
WS*****1
|
Netbios, Cached
|
10.***.***.**3
|
DC*********1
|
|
xx.02.2017 09:33:20,746
|
10.***.***.**2
|
WS*****2
|
Netbios
|
10.***.***.**3
|
DC*********1
|
|
xx.02.2017 09:33:27,121
|
10.***.***.**2
|
10.***.***.**2
|
None
|
10.***.***.**4
|
DC*********2
|
|
xx.02.2017 09:33:27,157
|
10.***.***.**2
|
WS*****2
|
Hint, Cached
|
10.***.***.**4
|
DC*********2
|
May I know why NetBIOS (that is used to identify the computer name and TCP/IP is the transport mechanism for NetBIOS communication traffic) is a relevant piece of information in this scenario?
May I also know what is the difference between "Netbios, Cached" and "Netbios" in terms of ATA?
Also, what does "Hint, Cached" stand for? The cache hint is useful for small lookup tables and what does it have to do in terms of ATA?
A yet another question is related to "None" under "Source Computer Resolution Method”. What might be the reason why there is no information in terms of a certain entry? What might this mean, then?
Please also note that WS*****2 is an Apple IOS Device.
Might the Wi-Fi subnet be the reason for this? As we know, the IP addresses are being catched only for 15 seconds in such subnets. It's the same just like in the case of the VPN subnets, unless I'm mistaken here?
How about the Apple IOS devices, too? Might they mislead ATA somehow? Especially as e.g. the unusual protocol implementation from Mac OS X might be treated as "suspicious" by Microsoft’s ATA?
Thank you very much in advance.
Regards,
MSSOC
