Pass the ticket attack. False Positive?

  • Question

  • We have been running ATA for a little over a month, putting in gateways as we get resources and DCs configured. We have had 3 instances of being notified that a pass the ticket attack was performed involving 3 distinct sets of 2 computers. In all cases it appears that both computers were coming in from a VPN solution. They are not NATed or using DirectAccess, but VPN is sort of similar, so I'm starting to wonder if these are false positives. Is there any guidance on how a VPN segment can cause false positives to show pass the ticket attacks? Some general understanding of what is going on under the hood would help.
    Tuesday, October 6, 2015 2:35 PM

All replies

  • Hi

    You should configure Short-term lease subnets on the Detection page.

    Enter the subnet range (in slash notation) for the IP address ranges that are being used by your VPN servers.  Remember to click the plus sign to add the range and then click Save.

    Short-term lease subnets

    HTH

    Thanks

    ATA Team


    Gershon Levitz [MSFT]

    Wednesday, October 7, 2015 9:21 AM
    Moderator
  • In our case we already have our short term lease subnet defined as the subnet that has shown the pass the ticket activity. This VPN subnet is behind a Dell SonicWALL. Is it possible that the SonicWALL device is getting the packets mixed up somehow and this is why the pass the ticket is showing up there? In the last month we have had 3 occurrences of this. In each case it's limited to 2 computers and never the same one twice. It seems, since we have only seen this from that subnet, that the SonicWALL is somehow responsible for this.

    We don't know what a real attack would look like but suspect that there would be more activity with repeat offenders and various subnets if it was real.
    Wednesday, October 7, 2015 2:28 PM
  • We had one more of these last night. It always comes from our VPN subnet and so far is always a separate pair of computers that trip the alert. It seems almost impossible that this is a real event that only happens on the VPN subnet behind our SonicWALL and always between different computers. Any insights? I'm considering adding the first few IP addresses of the VPN subnet to the pass the ticket exclusion list.
    Thursday, October 8, 2015 2:45 PM
  • We had one more of these last night. It always comes from our VPN subnet and so far is always a separate pair of computers that trip the alert. It seems almost impossible that this is a real event that only happens on the VPN subnet behind our SonicWALL and always between different computers. Any insights? I'm considering adding the first few IP addresses of the VPN subnet to the pass the ticket exclusion list.

    I hope this is not the fix, as apparently each IP has to be done individually, and I have a few thousand VPN IPs....

    Monday, April 11, 2016 5:50 PM
  • We ended up putting our whole network in the short term lease and that slowed it down but did not stop it entirely. As a side note, we noticed that almost always it's a Microsoft Surface that's involved. I don't know if that's because we have 7% of our fleet as Surfaces and they are clearly more mobile than most, or if there is something else about those devices that is causing this. Basically we are down to getting one every 3 weeks or so, and after a quick initial analysis we always dismiss the alert.
    Monday, April 11, 2016 5:57 PM
  • What did you enter in the short term lease subnets? For example 10.1.1.0/24

    If you remember what you originally entered also that would be helpful. 

    You do not need to reply with your real IP address ranges in your network. 

    Thx

    ATA Team


    Gershon Levitz [MSFT]

    Tuesday, April 12, 2016 8:56 AM
    Moderator
  • 192.168.128.0/18 The first 2 octets are different in our case.
    Tuesday, April 12, 2016 6:18 PM
  • We have found two scenarios; one vpn related and the second is two devices simultaneously.

    First, we have Citrix Netscalers as a VPN client.  Citrix's install package puts an icon for the VPN client in the "Startup" folder.  (Citrix won't change that install step.)  Whenever one of our users with a laptop installs the VPN client but doesn't remove this startup icon and logs into his PC, the PC connects first via our internal LAN, and then the startup icon starts a VPN session soon after.

    I have some odd cases that I can't resolve completely.  In these cases, the users logged onto the domain via two devices at nearly the same time.  In checking the users and the devices, these incidents are in understandable circumstances.  There is no NAT/VPN.   I've checked over the devices in question.  The only item of mention is that the user logged onto one device and then the other soon after.    No RDP or fileshare.  They scan clean via SCEP and FireAMP.

    Tuesday, April 19, 2016 6:58 PM
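    The two benign explanations discussed in this thread, a VPN pool whose addresses are short-term leases (the ATA Team's suggestion) and one user logging onto two devices minutes apart (the post above), plus the "repeat offenders" heuristic an earlier poster proposed for telling a real attack apart, can be turned into a small triage script. The following is an added example, not code from ATA or Microsoft; the alert record layout, the subnet values and the time window are all constructed assumptions, and the script only decides which alerts deserve a human look rather than being dismissed.

```python
import ipaddress
from collections import Counter
from datetime import datetime, timedelta

# Assumed configuration: the Short-term lease subnets entered on the ATA
# Detection page, in slash notation (values constructed for this example).
SHORT_TERM_LEASE_SUBNETS = ["192.168.128.0/18", "10.99.0.0/16"]

# Constructed alert records; this is NOT ATA's export format. Each record says
# the Kerberos ticket of `user` was seen from `first_ip` and later reused
# from `second_ip`, which is what a pass-the-ticket alert between two
# computers describes.
SAMPLE_ALERTS = [
    {"id": 1, "user": "alice",
     "first_ip": "192.168.130.15", "first_seen": "2016-04-11T22:10:00",
     "second_ip": "192.168.131.7", "second_seen": "2016-04-11T22:18:00"},
    {"id": 2, "user": "bob",
     "first_ip": "10.1.4.20", "first_seen": "2016-04-19T08:00:00",
     "second_ip": "10.1.4.21", "second_seen": "2016-04-19T08:02:00"},
    {"id": 3, "user": "carol",
     "first_ip": "10.1.7.5", "first_seen": "2016-04-20T09:00:00",
     "second_ip": "172.16.40.9", "second_seen": "2016-04-20T11:30:00"},
    {"id": 4, "user": "carol",
     "first_ip": "10.1.7.5", "first_seen": "2016-04-22T09:05:00",
     "second_ip": "172.16.40.9", "second_seen": "2016-04-22T13:00:00"},
]


def parse_subnets(cidrs):
    """Turn slash-notation strings into ip_network objects (host bits tolerated)."""
    return [ipaddress.ip_network(c, strict=False) for c in cidrs]


def in_short_term_lease(ip, networks):
    """True if `ip` falls inside any configured short-term lease subnet."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in networks)


def triage_alert(alert, networks, pair_history, dual_logon_window=timedelta(minutes=15)):
    """Classify one alert; `pair_history` counts earlier alerts per host pair."""
    first, second = alert["first_ip"], alert["second_ip"]
    t_first = datetime.fromisoformat(alert["first_seen"])
    t_second = datetime.fromisoformat(alert["second_seen"])
    pair = frozenset((first, second))

    # Thread scenario 1: both hosts sit in a VPN pool whose addresses are handed
    # out for short periods, so the "second computer" may simply be the same
    # user reconnecting and receiving a different lease.
    lease_pool = in_short_term_lease(first, networks) and in_short_term_lease(second, networks)
    # Thread scenario 2: one user logs on to two devices within a few minutes
    # (the assumed window is a constructed value, tune it for your environment).
    dual_logon = abs(t_second - t_first) <= dual_logon_window
    # Thread heuristic for a real attack: the same hosts keep showing up.
    repeat_count = pair_history[pair]
    pair_history[pair] += 1

    findings = []
    if lease_pool:
        findings.append("both hosts in a short-term lease subnet (VPN pool)")
    if dual_logon:
        findings.append("same user on two devices within %d min" % (dual_logon_window.total_seconds() // 60))
    if repeat_count:
        findings.append("host pair has alerted %d time(s) before" % repeat_count)

    if repeat_count:
        verdict = "escalate"             # repeat offenders: never auto-dismiss
    elif lease_pool:
        verdict = "likely-false-positive"
    elif dual_logon:
        verdict = "review"               # plausible, but confirm with the user
    else:
        verdict = "escalate"             # no benign explanation found
    return {"id": alert["id"], "user": alert["user"], "verdict": verdict, "findings": findings}


def run_triage(alerts, cidrs=SHORT_TERM_LEASE_SUBNETS):
    """Triage alerts in chronological order so repeat pairs are detected."""
    networks = parse_subnets(cidrs)
    history = Counter()
    ordered = sorted(alerts, key=lambda a: a["first_seen"])
    return [triage_alert(a, networks, history) for a in ordered]


if __name__ == "__main__":
    for r in run_triage(SAMPLE_ALERTS):
        print(r["id"], r["user"], r["verdict"], "; ".join(r["findings"]) or "no benign explanation")
```

    With the constructed input, alert 1 is dismissed as VPN lease reuse, alert 2 is held for review as a dual logon, and alerts 3 and 4 are escalated, the second because the same host pair has now alerted twice. The script deliberately keeps the short-term lease check as a triage hint rather than a suppression rule, since the thread shows that putting a whole network into the short-term lease configuration reduced but did not remove the alerts.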
  • Upgrading to 1.6 seemed to solve the issue.
    Friday, May 13, 2016 8:50 PM