Pass the Hash False Positive??

  • Question

  • We are getting a Pass the Hash warning for two users (only one has happened more than once) that I am pretty sure is a false positive.  The message says the hash was stolen from one computer that the user logged into and was used by the same user on her desktop.  

    I am guessing an app is doing something weird or something but can't pinpoint it.  Anything I can do to try to track it down?

    Identity theft using pass-the-hash attack

    Savannah ***** (*****)'s hash was stolen from one of the computers previously logged into by Savannah ******   (************) and used from DT-S*******.

    Monday, June 6, 2016 12:28 AM

All replies

  • Hi

    I have just installed ATA 1.6 and using the Lightweight Gateway on all our DC's.

    After I have enabled and configured event forwarding I see a lot of "Identity theft using pass-the-hash attack" alerts, and there are way too many for me to believe that we have been hacked/under attack.

    Have any of you any ideas of what I might be doing wrong?

    Tuesday, May 17, 2016 10:06 AM
  • Hi

    We see the same (especially after enabling event forwarding). In almost all cases the hash has been "stolen" and used on the user's own computer, so I have been thinking the same as you, it might be an application that does something strange (or wrong detection by ATA).

    We are running ATA 1.6 and using the lightweight gateway.

    I have created this: https://social.technet.microsoft.com/Forums/security/en-US/482be1a8-5aee-40ea-94e0-679631319029/a-lot-of-identity-theft-using-passthehash-attack-after-enabling-event-forwarding?forum=mata

    Let's see if we can solve this one together.

    Tuesday, June 7, 2016 6:00 AM
  • I'm seeing similar.  

    For each of the alerts, all of the users have only had a single occurrence.  When I've reviewed the workstations where it occurred and any other workstations they have touched, I can't find any sort of definitive event.  

    My only other thought/clue is that we have Citrix Receiver and VMware View clients on some of them, where upon the Windows login, the Start Menu (autostart) triggers these clients, which do another authentication via the Citrix or VMware farms.

    I'm trying to review the users workflow to see if there is some sort of other events/apps at work here. 

    Our similar "pass-the-ticket" events appear to be related to our Citrix Netscaler VPN clients, where a user has a laptop that's occasionally used remotely.   The Citrix Netscaler VPN client does install an icon in the Start menu, so that when the user brings the laptop back on the internal domain network, they log in via the regular network and seconds later the VPN client connects and logs them in via the VPN device.

    Tuesday, June 7, 2016 3:26 PM
  • I'm glad I'm not the only one.  

    So collectively what should we be looking at when we get these?  The users have stated that they have done nothing different and work on the same computer they always do.  Anything we can use to try to start understanding this?  I tried to comb the event log but found nothing there either. 

    Wednesday, June 8, 2016 1:42 AM
  • Hi Rasmus,

    I'm also seeing the same alerts.  Did you find an answer?


    Wednesday, June 8, 2016 6:41 AM
  • This is not solved yet.

    Please let me know if you find a way to solve it.

    Friday, June 10, 2016 2:17 PM
  • Any news?
    Monday, June 20, 2016 8:48 AM
  • Nothing here. 

    I have only about 20 instances of it over the past three months of running ATA on 18 Domain Controllers w/ around 7500 user accounts that are authenticating 24x7.

    Again, in each of the cases - it's a single instance with a different user each time.

    None of the alerts has the original computer name.   Each has the user and the current device where the copied hash was attempted, not the original device from which the hash was supposedly copied.

    I'm at a loss on how to troubleshoot this any further.  

    Monday, June 20, 2016 4:33 PM
  • Hi,

    We are experiencing the same issues with false positive PtH alerts. Single instances, often different users - once or twice the same user. 

    Any idea what is happening ? 

    Saturday, July 30, 2016 1:05 PM
  • Same problem here.

    2 domains

    5 sites for each domain

    1 or 2 DC per site. (Depending if redundancy is needed)

    What we noticed is that the user's hash is stolen from somebody else's computer towards their own. This has led us to believe that there is a problem in detecting the correct hostname. (Reverse lookup most likely running behind on the forward lookup, or an issue with the cache.) This also happens when the user reinstalls their computer; we sometimes get a message that a MiniNT-win******* stole credentials and used those on the new hostname.

    Tuesday, August 9, 2016 7:49 AM
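Two triage questions come up in the posts above: which hosts the account actually authenticated from around the alert (the alert text omits the original computer), and whether the source IP the DC recorded reverse-resolves to the same name the client supplied. The script below is an added example for working through both from a DC's Security log; it is not from this thread or from ATA, and the parameter names, the +/- 2 hour window and the summary layout are my own assumptions (the field names are the standard 4624 EventData fields).

```powershell
# Added example (not from the thread or ATA): summarise 4624 logons for the account named
# in a pass-the-hash alert around the alert time, grouped by the workstation name the client
# sent and the source IP the DC saw, and compare the IP's PTR record against that name.
# Run on the DC (or a collector holding forwarded Security events) as an administrator.
param(
    [Parameter(Mandatory)] [string]$Account,      # sAMAccountName from the alert (assumed input)
    [Parameter(Mandatory)] [datetime]$AlertTime,  # time shown on the ATA alert (assumed input)
    [int]$WindowHours = 2                         # look this far either side of the alert
)

$filter = @{ LogName = 'Security'; Id = 4624
             StartTime = $AlertTime.AddHours(-$WindowHours); EndTime = $AlertTime.AddHours($WindowHours) }

# Pull the EventData fields we need out of each event's XML and keep only this account.
$logons = Get-WinEvent -FilterHashtable $filter | ForEach-Object {
    $data = @{}
    foreach ($d in ([xml]$_.ToXml()).Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
    if ($data['TargetUserName'] -ieq $Account) {
        [pscustomobject]@{
            Time        = $_.TimeCreated
            LogonType   = $data['LogonType']               # 2 interactive, 3 network, 10 RDP, ...
            AuthPackage = $data['AuthenticationPackageName']  # NTLM is the package PtH would use
            Workstation = $data['WorkstationName']         # name the client claimed
            IpAddress   = $data['IpAddress']               # address the DC actually saw
        }
    }
}

# One row per (workstation, IP, package) with a reverse-DNS consistency check on the IP.
$summary = $logons | Group-Object Workstation, IpAddress, AuthPackage | ForEach-Object {
    $first = $_.Group[0]
    $ptr = $null
    if ($first.IpAddress -match '^\d+\.\d+\.\d+\.\d+$') {   # skip '-', '::1' and IPv6 for brevity
        try { $ptr = (Resolve-DnsName -Name $first.IpAddress -Type PTR -ErrorAction Stop).NameHost } catch {}
    }
    [pscustomobject]@{
        Workstation = $first.Workstation
        IpAddress   = $first.IpAddress
        ReverseDns  = $ptr
        NameMatches = if ($ptr) { $ptr -like "$($first.Workstation).*" } else { 'n/a' }
        AuthPackage = $first.AuthPackage
        LogonTypes  = ($_.Group.LogonType | Sort-Object -Unique) -join ','
        Count       = $_.Count
    }
}
$summary | Sort-Object Count -Descending | Format-Table -AutoSize
```

A row whose ReverseDns is a different host than Workstation (NameMatches false) is the kind of name-resolution mismatch the post above suspects; a cluster of NTLM network logons from a Citrix or VMware broker address explains the "another authentication" pattern described earlier in the thread.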
  • I recently installed Update 1 for 1.6 (https://support.microsoft.com/en-us/kb/3172500) which mentions these false positives.  It seems like the number has gone down but I'm still seeing them.

    I haven't performed any significant investigation but the messages seem very much like normal behavior.  For example, I see something like this:

        User's hash was stolen from one of the computers previously logged into by User and used from User's device

    It's always a case of the hash being stolen from an unidentified, previously used device and then used on their primary device.

    Friday, August 19, 2016 6:04 PM
  • Hi all,

    We are going to improve the PtH detection in the upcoming version (v1.7) to address those issues.

    Please stay tuned.

    Thanks for your feedback and patience,

     Microsoft ATA Team.

    Monday, August 22, 2016 2:42 PM
  • Hi

    I’m in the process of upgrading our environment to v1.7 – I hope that will solve our false positive problem.

    Stay tuned, I will keep you updated.

    Wednesday, August 31, 2016 7:08 PM
  • I don't know if this could have been the source of some of our false positives but after updating to 1.7, two of our four gateways reported that they were not receiving mirrored traffic from their DCs.

    One of these was a VM and was legitimately broken as it had been moved to another node in the Hyper-V cluster at some point (but never generated an alert under ATA 1.6).

    The other gateway was receiving mirrored traffic.  After confirming with Netmon, I restarted the ATA service and that seems to have cleared the health issue.

    It's still too early to tell but I'll post back with an update tomorrow as well if I've seen any more false positives or not.

    Thursday, September 1, 2016 2:12 AM
  • Wow guys (the ATA team)!!! You have made great improvements in 1.7, thank you a lot!!

    After the upgrade to 1.7 we have not seen any false positive “pass-the-hash attack”, I will keep monitoring it for the next ~week and then give an update again.

    FYI: We made a full upgrade, and our upgrade time was around 7-8 hours.
    Thursday, September 1, 2016 3:31 PM
  • It's been a few days since updating to 1.7 and we still haven't seen any alerts for pass the hash attacks.  So I think that took care of the false positives.
    Monday, September 5, 2016 2:44 PM