ATA Not Detecting Pass-The-Ticket/Pass-The-Hash Attack Simulations

  • Question

  • ATA Version:  1.9.7478.57683

    I'm following the ATA Playbook to trigger PTT and PTH alerts in our deployment.

    1. Log in as a privileged user on Windows Laptop (COMPA)
    2. SSH to COMPA from Kali Linux (KALIB)
    3. Run mimikatz on COMPA from KALIB to export privileged user tickets.
    4. Copy tickets from COMPA to KALIB using smbclient
    5. Use tickets on KALIB to browse the root directory on remote domain controllers

    However, ATA is not generating PTT or PTH alerts after this activity. What is the problem?

    Friday, July 26, 2019 4:20 PM

All replies

  • Could be many things...

    First, note that PTT has a delay of ~2 hours, so if you just checked now, wait for it.

    Second, do you have full DC coverage with gateways?

    Are there any health alerts in the console?

    Friday, July 26, 2019 9:12 PM
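    The two checks in the reply above (gateway coverage of every DC, and the roughly two-hour alert delay) are easier to reason about when the PTT correlation is written out. The block below is an added example, not ATA's code or anything from the ATA Playbook: it treats a Kerberos ticket presented from a second client computer within its lifetime as the suspicious event, drops any traffic on a DC without a gateway before it reaches the detector, and only surfaces an alert once a delay has elapsed. The field names, the `ticket_id` fingerprint, the ten-hour ticket lifetime and the delay model are assumptions made for this example; the observations are constructed sample data.

```python
"""Toy pass-the-ticket (PTT) correlation over constructed Kerberos
observations. Added example, not ATA's own code: it mirrors the two points
in the reply (DC coverage, alert delay) rather than ATA's real detector."""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass(frozen=True)
class KerberosObservation:
    """One TGS-REQ as a gateway might record it (field names are
    assumptions for this example, not ATA's schema)."""
    when: datetime
    observed_on_dc: str   # DC whose traffic the gateway captured
    account: str
    ticket_id: str        # stand-in for a fingerprint of the TGT bytes
    client_ip: str


@dataclass(frozen=True)
class PttAlert:
    account: str
    ticket_id: str
    first_ip: str
    second_ip: str
    seen_at: datetime     # when the ticket first appeared from the second IP


# Constructed sample: a TGT requested from one workstation's IP (10.0.0.10)
# and later presented from a second IP (10.0.0.55) against a different DC.
T0 = datetime(2019, 7, 26, 15, 0, 0)
SAMPLE = [
    KerberosObservation(T0, "DC01", "CORP\\admin", "tgt-0001", "10.0.0.10"),
    KerberosObservation(T0 + timedelta(minutes=5), "DC01", "CORP\\admin", "tgt-0001", "10.0.0.10"),
    KerberosObservation(T0 + timedelta(minutes=3), "DC01", "CORP\\svc_backup", "tgt-0002", "10.0.0.20"),
    KerberosObservation(T0 + timedelta(minutes=40), "DC02", "CORP\\admin", "tgt-0001", "10.0.0.55"),
]
# Times at which an admin might check the console (constructed).
CHECK_EARLY = T0 + timedelta(hours=1)
CHECK_LATER = T0 + timedelta(hours=3)


def visible_to_gateways(observations, monitored_dcs):
    """A gateway only sees traffic on the DCs it is deployed to; anything
    a ticket does against an uncovered DC never reaches the detector."""
    return [o for o in observations if o.observed_on_dc in monitored_dcs]


def detect_ptt(observations, max_ticket_age=timedelta(hours=10)):
    """Flag a ticket presented from a second client IP within its lifetime.
    The 10-hour default is the usual TGT lifetime; one alert per ticket."""
    by_ticket = defaultdict(list)
    for o in observations:
        by_ticket[o.ticket_id].append(o)
    alerts = []
    for ticket_id, obs in by_ticket.items():
        obs.sort(key=lambda o: o.when)
        first = obs[0]
        for o in obs[1:]:
            if o.when - first.when > max_ticket_age:
                break  # ticket expired; later sightings would be a new TGT
            if o.client_ip != first.client_ip:
                alerts.append(PttAlert(first.account, ticket_id,
                                       first.client_ip, o.client_ip, o.when))
                break
    return alerts


def due_alerts(alerts, now, delay=timedelta(hours=2)):
    """Model the 'wait ~2 hours' behaviour from the reply: an alert is only
    surfaced once the evaluation delay has elapsed (a simplification)."""
    return [a for a in alerts if now - a.seen_at >= delay]


def alerts_for_coverage(monitored_dcs, observations=SAMPLE):
    """Run the pipeline with a given set of gateway-covered DCs."""
    return detect_ptt(visible_to_gateways(observations, monitored_dcs))


if __name__ == "__main__":
    full = alerts_for_coverage({"DC01", "DC02"})
    print("full coverage, raw detections :", full)
    print("full coverage, checked at +1h :", due_alerts(full, CHECK_EARLY))
    print("full coverage, checked at +3h :", due_alerts(full, CHECK_LATER))
    print("DC02 without a gateway        :", alerts_for_coverage({"DC01"}))
```

    Running it shows the two failure modes the reply asks about: with both DCs covered the second sighting is detected but is not yet due when checked an hour later, and with DC02 uncovered the second sighting is never analysed at all, so no amount of waiting produces an alert. In a real deployment the equivalent of `visible_to_gateways` is the set of DCs that actually have a gateway, which is why the health page and the gateway list are the first things to check.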
  • > Could be many things...
    >
    > First, note that PTT has a delay of ~2 hours, so if you just checked now, wait for it.
    >
    > Second, do you have full DC coverage with gateways?
    >
    > Are there any health alerts in the console?

    Two hours is a long time, but I checked just now and still no alerts.

    I do have full DC coverage and there were no health alerts in the console.

    Friday, July 26, 2019 9:16 PM
  • If 2 hours have passed since the attack happened, I suggest opening a support ticket, since the logs will need to be checked; there might be clues there as to why ATA decided not to alert.

    Friday, July 26, 2019 9:25 PM
  • > If 2 hours have passed since the attack happened, I suggest opening a support ticket, since the logs will need to be checked; there might be clues there as to why ATA decided not to alert.

    Will do.


    Monday, July 29, 2019 1:39 PM
  • Hi, I am having the exact same issue. ATA 1.9 will simply not detect Golden Ticket attempts, even though I have followed the ATA deployment Guide to the letter. I've waited 12 hours after creating the ticket before using it the second time, and still no alert.

    Did you ever end up finding out how to resolve this issue? This is very time sensitive for me.

    Thanks!

    Tuesday, August 6, 2019 2:05 PM
  • Are you sure you meant to say "Golden Ticket" and not "pass the ticket" ?
    Tuesday, August 6, 2019 2:22 PM
  • > Hi, I am having the exact same issue. ATA 1.9 will simply not detect Golden Ticket attempts, even though I have followed the ATA deployment Guide to the letter. I've waited 12 hours after creating the ticket before using it the second time, and still no alert.
    >
    > Did you ever end up finding out how to resolve this issue? This is very time sensitive for me.
    >
    > Thanks!

    My issue was with Pass The Ticket/Pass The Hash, not Golden Ticket attacks.
    Tuesday, August 6, 2019 2:27 PM
  • Are you running 1.9 Update 2?

    Any health alerts in the console about the Center or the gateways?

    Tuesday, August 6, 2019 2:31 PM
  • Nope, everything in the lightweight gateway is running perfectly. It correctly triggers PTH and Malicious Replication of Directory Services whenever I do those activities, but for the life of me I cannot get the Golden Ticket alert to trigger in ANY event.

    FYI I am running 19.7312.32791

    • Edited by mainuke Tuesday, August 6, 2019 3:06 PM
    Tuesday, August 6, 2019 2:58 PM
  • The above should be moved to a separate post to avoid confusion.
    Tuesday, August 6, 2019 3:22 PM