Pass the hash from unknown source

  • Question

  • We are currently in monitor mode with ATA and have been receiving alerts since going live on Sunday 10/20. The alert says the user's hash is being passed from an unknown system to the system that is used by the owner of the hash that is being passed. I am not sure why it is identifying an unknown system and saying the system is passing a hash to the user's legitimate system.

    Should we respond to alerts that are generated during the 30 day monitoring period or should they be ignored until that period is completed?

    Thursday, October 20, 2016 5:51 PM

All replies

  • Hi benzimm,

    Deterministic detections (like PtH) do not require 30 days of learning.

    Specifically for PtH (and PtT), please make sure you are using the most current version (currently v1.7), as prior versions had some false-positive scenarios that have been addressed in v1.7.

    If, after upgrading to v1.7, you still get those alerts, then you should respond to them.

    Thanks,

     Microsoft ATA Team.

    P.S. - If upgrading to v1.7, make sure to use the latest update (https://support.microsoft.com/en-us/kb/3191777)

    Thursday, October 27, 2016 5:11 PM
  • We have seen PtH false positives when a laptop moves from the wired network to wireless. The wireless IP address is not being associated with the PC.

    Is there a log we can review to see what "Source Computer Resolution Method" was tried for an IP? This is all we see in the Network Activities sheet.


    Source Computer   Source Computer Certainty   Source Computer Resolution Method
    PC_NAME           High                        Netbios, RpcNtlm, Hint, Cached
    PC_NAME           High                        Netbios, RpcNtlm, Hint, Cached
    PC_IP             None
    PC_IP             None
    PC_IP             None

    Tuesday, November 28, 2017 4:08 PM
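    One way to triage the situation described in this post, as an added example that is not part of the thread and not Microsoft ATA's own tooling: read the rows exported from the alert's Network Activities sheet, separate the activities ATA resolved to a host name from those it left as a bare IP (certainty "None", no resolution method), and try to attribute the bare IPs through a DHCP lease log for the time of the activity. If an unresolved IP leases to the same host that ATA already resolved in the same alert, that is the wired-to-wireless pattern rather than a second machine. The column names follow the sheet shown above; the CSV rows, the DHCP leases, the host names and the IPs are constructed sample data for a hypothetical network.

```python
"""
Added example (not from the thread or from Microsoft ATA): triage helper for
Network Activities rows whose source computer stayed an IP address.
The CSV excerpt, DHCP leases, host names and IPs below are constructed.
"""
import csv
import io
from datetime import datetime

# Constructed excerpt of a Network Activities export, using the three column
# names from the thread plus a Time column to join against DHCP leases.
NETWORK_ACTIVITIES_CSV = """\
Time,Source Computer,Source Computer Certainty,Source Computer Resolution Method
2017-11-28T09:02:00,LAPTOP-42,High,"Netbios, RpcNtlm, Hint, Cached"
2017-11-28T09:05:00,LAPTOP-42,High,"Netbios, RpcNtlm, Hint, Cached"
2017-11-28T09:31:00,10.20.5.77,None,
2017-11-28T09:32:00,10.20.5.77,None,
2017-11-28T09:40:00,10.20.9.13,None,
2017-11-28T09:45:00,10.20.77.5,None,
"""

# Constructed DHCP lease records: (ip, hostname, lease_start, lease_end).
DHCP_LEASES = [
    ("10.20.5.77", "LAPTOP-42", datetime(2017, 11, 28, 9, 28), datetime(2017, 11, 28, 17, 28)),
    ("10.20.9.13", "LAPTOP-07", datetime(2017, 11, 28, 8, 0), datetime(2017, 11, 28, 16, 0)),
]


def parse_activities(text):
    """Parse the exported sheet (CSV text) into a list of row dicts."""
    return list(csv.DictReader(io.StringIO(text)))


def is_unresolved(row):
    """True when ATA left the source as an IP: certainty None, no resolution method."""
    return (row["Source Computer Certainty"].strip() == "None"
            and not row["Source Computer Resolution Method"].strip())


def dhcp_lookup(ip, when, leases=DHCP_LEASES):
    """Return the host name that held `ip` at time `when`, or None if no lease covers it."""
    for lease_ip, host, start, end in leases:
        if lease_ip == ip and start <= when <= end:
            return host
    return None


def triage(text, leases=DHCP_LEASES):
    """Split activities into: resolved by ATA, attributed via DHCP, still unknown.

    Returns a dict with lists under 'resolved' (host, method), 'attributed'
    (ip, host) and 'unknown' (ip, iso_time)."""
    result = {"resolved": [], "attributed": [], "unknown": []}
    for row in parse_activities(text):
        when = datetime.fromisoformat(row["Time"])
        src = row["Source Computer"].strip()
        if not is_unresolved(row):
            result["resolved"].append((src, row["Source Computer Resolution Method"]))
            continue
        host = dhcp_lookup(src, when, leases)
        if host:
            result["attributed"].append((src, host))
        else:
            result["unknown"].append((src, when.isoformat()))
    return result


def classify_attributed(result):
    """Separate DHCP-attributed IPs that map to a host ATA already resolved in the
    same alert (likely the same laptop on another adapter) from those that map to a
    different host and still need a look."""
    resolved_hosts = {host for host, _ in result["resolved"]}
    same_device = sorted({ip for ip, host in result["attributed"] if host in resolved_hosts})
    other_host = sorted({ip for ip, host in result["attributed"] if host not in resolved_hosts})
    return same_device, other_host


if __name__ == "__main__":
    outcome = triage(NETWORK_ACTIVITIES_CSV)
    same, other = classify_attributed(outcome)
    print("resolved by ATA:", outcome["resolved"])
    print("same device on another IP:", same)
    print("different host via DHCP:", other)
    print("no lease found:", outcome["unknown"])
```

The split matters for the question of whether to respond: an IP that leases to the same laptop ATA already resolved supports the wired-to-wireless explanation, an IP that leases to a different host is a genuine second source and keeps the alert's priority, and an IP with no covering lease is the case where the source really is unknown and needs other network records.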
  • Saw this today (but alerted that it was a PtT, rather than PtH) for users on the VPN, albeit we saw source and destination, but not looking like they're accurate. Going to investigate more tomorrow. We're at v1.8.
    • Edited by 98cwitr Thursday, November 30, 2017 12:18 AM
    Thursday, November 30, 2017 12:14 AM