Forum Discussion
brlgen
Jul 07, 2023 - Brass Contributor
Remote Credential Guard triggers a Pass-the-Hash alert in MDI
Remote Credential Guard, which has been available since WS2016 and which can be enabled as specified here: https://learn.microsoft.com/en-us/windows/security/identity-protection/remote-credential-gua...
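As an added example, not code from this thread, from Microsoft or from MDI: a PowerShell check a defender can run while triaging one of these Pass-the-Hash alerts, to confirm whether the RDP host named in the alert actually permits Remote Credential Guard. The registry value and the `mstsc.exe /remoteGuard` switch are the ones the linked article documents; the host names are constructed placeholders.

```powershell
# Added example (not from the thread): report whether RDP hosts allow
# Remote Credential Guard / Restricted Admin connections, and show how to
# enable it. Both modes are governed by one documented value on the RDP host:
#   HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\DisableRestrictedAdmin
#   0 = Restricted Admin and Remote Credential Guard connections allowed
#   1 or absent = not allowed
# Host names passed in below are constructed placeholders.

function Get-RcgHostState {
    param([string[]]$ComputerName)

    foreach ($computer in $ComputerName) {
        # Read the value remotely; $null is returned when it has never been set.
        $value = Invoke-Command -ComputerName $computer -ScriptBlock {
            (Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa' `
                              -Name 'DisableRestrictedAdmin' `
                              -ErrorAction SilentlyContinue).DisableRestrictedAdmin
        }
        [pscustomobject]@{
            ComputerName           = $computer
            DisableRestrictedAdmin = $value
            RcgAllowed             = ($value -eq 0)   # $null (absent) evaluates to $false
        }
    }
}

# To enable on the RDP host itself (run elevated):
# Set-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa' `
#                  -Name 'DisableRestrictedAdmin' -Value 0 -Type DWord

# On the client, the session must explicitly request the mode, otherwise the
# host setting alone changes nothing:
#   mstsc.exe /remoteGuard /v:srv-app01.contoso.example

Get-RcgHostState -ComputerName 'srv-app01.contoso.example', 'srv-app02.contoso.example' |
    Format-Table -AutoSize
```

A host where `RcgAllowed` is `$true` and an alert whose source is a client that connected with `/remoteGuard` is the combination the thread is about; a host where it is `$false` could not have been an RCG session, so that alert deserves the normal Pass-the-Hash investigation rather than an exclusion.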
brlgen
Jul 10, 2023 - Brass Contributor
Hello josequintino,
Thanks for your answer, but this is not what I was looking for. I know how RCG works and why it would trigger an alert. But we are talking about a Microsoft security feature (RCG) to PREVENT PtH and a Microsoft security solution used to DETECT PtH. If these two don't work together, then that's something Microsoft should fix.
Excluding this from the alert means EVERY server where RCG is enabled must be excluded; if all servers enforce RCG, then you have just made the alert useless.
The real solution should come from the MDI team to figure out a way to see how legitimate auth using RCG does not trigger an MDI PtH alert.
RossWalker
Jun 27, 2024 - Copper Contributor
We got this a lot too. What helped us was to change our methods to use a jump host and exclude that jump host from this detection rule. We then switched over from RCG to using an RDGW with smart card authentication on the same jump host. For us the detection rule was for PtT, as we use Kerberos for all authentication here.