none
False positive for pass-the-ticket attack when PC moves between wired and wireless RRS feed

  • Question

  • I had a pass-the-ticket attack SA today that I believe is the result of a computer moving from a wired to a wireless network.

    The DNS cache was used to resolve the original computer name (during the Kerberos TGS request) but there was no cache hit when the ticket was used again (SMB access to the DC).

    First, does this seem like a plausible cause of a false positive?

    Second, is there any tuning others have done to eliminate these? 

    Tuesday, January 30, 2018 5:44 PM

All replies

  • Hello,

    Was the hash used from a computer that the targeted user owns or regularly uses? If yes, this is a false positive.

    Please see the following investigation for PSH.

    Best regards,

    Andy Liu


    Please remember to mark the replies as answers if they help.
    If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com.

    Wednesday, January 31, 2018 6:02 AM
    Moderator
  • Yes, I verified that all traffic came from the same PC.  The IP address changed when the device went from a wired to wireless network.  We confirmed this in the DHCP logs.

    I haven't had a false positive for this before so I'm wondering what was  unusual about this case.   Can you help me understand the rule used by ATA and the logic it uses to detect this condition (IP address change)?

    Wednesday, January 31, 2018 11:53 AM
  • Hi,

    It seems like a FP. It can happen when we fail to resolve the IP address.

    There are common cases when it is harder to resolve IPs like in case of wireless networks and NAT. In wireless networks the IPs are changing fast what makes the resolution more difficult.

    Can you please share with us the details of the SA? You can contact me privately using atashare at microsoft com, please mention a link to this post.

    Sunday, February 4, 2018 12:41 PM
  • I have sent the Excel file.

    Is there a way for ATA to consume DHCP logs (similar to the way it can consume VPN logs) to more closely track this sort of endpoint movement?

    Monday, February 5, 2018 12:55 PM