ATA not detecting Pass-the-Ticket and Golden Ticket Attack

  • Question

  • Hello,

    I am using Microsoft Advanced Threat Analytics v1.7.2 evolution. I am following the ATA Attack simulation playbook. It can detect enumeration and Pass-the-Hash successfully, but it is unable to detect the Pass-the-Ticket and Golden Ticket attacks. I have set up a lab environment in an ESXi environment and have set up the Lightweight Gateway on the DC.

    A couple of weeks ago I set up the lab in a Hyper-V environment and it was working fine. I don't know what the issue is here. Please help me resolve this.

    Monday, March 6, 2017 1:45 PM

All replies

  • Hello Arpan,

    There is a known issue for ATA running on VMware ESXi. You can fix it first, and then see if this resolves the current issue.

    Dropped port mirror traffic alerts when using lightweight gateway on VMware.

    If you are using domain controllers on VMware virtual machines, you might receive alerts about Dropped port mirrored network traffic. This might happen because of a configuration mismatch in VMware. To avoid these alerts, you can check that the following settings are set to 0 or Disabled in the virtual machine:

    IPv4 TSO Offload

    Also, consider disabling IPv4 Giant TSO Offload. 

    Best regards,
    Andy Liu


    Tuesday, March 7, 2017 7:02 AM
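
Added example, not part of the original thread or of Microsoft's documentation: a PowerShell check that can be run on the domain controller hosting the Lightweight Gateway to report the two offload settings named in the reply above and, with `-Fix`, disable them. It assumes the NetAdapter module (Windows Server 2012 or later) and a NIC driver that exposes these settings under exactly those display names with a `Disabled` display value; the script name and the `-Fix` switch are hypothetical.

```powershell
# Check-AtaTsoOffload.ps1 (hypothetical name) - run in an elevated PowerShell session.
param(
    [switch]$Fix   # without -Fix the script only reports current values
)

# Display names taken from the reply above; assumed to match the NIC driver's property names.
$targets = 'IPv4 TSO Offload', 'IPv4 Giant TSO Offload'

# Collect the matching advanced properties from every adapter that exposes them.
$props = Get-NetAdapterAdvancedProperty -Name '*' -DisplayName $targets -ErrorAction SilentlyContinue

if (-not $props) {
    Write-Warning 'No adapter exposes the expected offload properties; check the driver and the property names.'
    return
}

foreach ($p in $props) {
    # The reply says the setting should be "0 or Disabled".
    $ok = ($p.DisplayValue -eq 'Disabled') -or ($p.RegistryValue -contains '0')

    [pscustomobject]@{
        Adapter   = $p.Name
        Setting   = $p.DisplayName
        Value     = $p.DisplayValue
        Compliant = $ok
    }

    if ($Fix -and -not $ok) {
        # Changing an advanced property restarts the adapter, so expect a brief
        # loss of connectivity on the domain controller.
        Set-NetAdapterAdvancedProperty -Name $p.Name -DisplayName $p.DisplayName -DisplayValue 'Disabled'
    }
}
```

Run it once without `-Fix` to record the current state, then rerun the playbook after the change to see whether the dropped-traffic alerts stop and the ticket-based detections fire.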