Forum Discussion
Suspected identity theft (pass-the-ticket) on multiple endpoints false positive
I have recently analysed a few Suspected identity theft (pass-the-ticket) alerts which I think are false positives. I've been digging into the logs to try and figure this out, but I'm starting to think the reason was staring me in the face all along.
I'm no expert on this type of alert, but what I've understood is host B steals host A's Kerberos ticket to access network resources. However, I believe Identity Protection has misidentified an IP address as a hostname. Looking forward to any opinions:
3 Replies
- logger2115 (Brass Contributor)
I'm in the early stages with MDI and learning mode. Getting a ton of suspected pass-the-ticket alerts and they all have :: as common IPv6 since most of user machines are on always-on VPN. I'm hesitant to exclude :: since this isn't correct practice. How do I suppress these in a detection rule, or is there another alternative to exclude them?
- DylanInfosec (Iron Contributor)
Hi Anfo13,
It isn't necessarily a mistake. In Sentinel, you can map an IP to the Host entity type (see here: Host entity schema).
Also, depending on the detection rule logic and log sources, yada yada, I've seen instances where the IP gets mapped to a host entity name just due to where the IP appeared in the log and the rule logic not accounting for it. Nevertheless, I believe the source for this alert is Defender for Identity, which monitors the event logs, attempts to resolve IPs internally and falls back to MDE DeviceNetworkInfo. If everything else checks out, it could be a DNS issue.
One question to ask, did victimA log onto hostA in the past to even allow attackerB to attempt a theft? If not, it could be a name resolution issue. Otherwise, go from there.
Best,
Dylan
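The two checks Dylan suggests (is the "host" entity in the alert really an IP literal, and did victimA ever log on to hostA before the alert) and the :: issue logger2115 raises can be scripted against an alert's entity payload. The following is an added example written for this thread, not code from Microsoft, MDI or Sentinel: the entity JSON mirrors the shape of Sentinel's account/host/ip entities (`Type`, `HostName`, `Address`), while the alert entities and the logon history are constructed sample data and the `triage_pass_the_ticket` function is a hypothetical helper.

```python
import ipaddress
import json
from datetime import datetime, timedelta

# Constructed sample: a Sentinel-style SecurityAlert Entities payload (not from the thread).
ALERT_ENTITIES = json.dumps([
    {"$id": "1", "Type": "account", "Name": "victimA", "UPNSuffix": "example.local"},
    {"$id": "2", "Type": "host", "HostName": "hostA", "DnsDomain": "example.local"},
    {"$id": "3", "Type": "host", "HostName": "10.20.30.40"},  # an IP literal presented as a host
    {"$id": "4", "Type": "ip", "Address": "::"},               # unspecified IPv6 source, as on VPN clients
])

# Constructed logon history (hypothetical records, not MDI/MDE output). In practice this would
# come from IdentityLogonEvents / DeviceLogonEvents or the 4624 events MDI already consumes.
LOGON_HISTORY = [
    {"time": "2024-05-01T15:10:00", "account": "victimA", "host": "hostA", "ip": "10.20.30.40"},
    {"time": "2024-05-01T15:31:00", "account": "victimA", "host": "hostA", "ip": "10.50.60.70"},
    {"time": "2024-04-02T09:00:00", "account": "someoneElse", "host": "hostB", "ip": "10.20.30.99"},
]


def host_entities_that_are_ips(entities_json):
    """Return the HostName of every host entity that is actually an IP literal.

    This is the mis-mapping suspected in the thread: a resolver fallback wrote the
    address into the host field, so the alert reads as 'hostA -> 10.x.x.x'.
    """
    found = []
    for entity in json.loads(entities_json):
        if entity.get("Type") != "host":
            continue
        name = entity.get("HostName", "")
        try:
            ipaddress.ip_address(name)
            found.append(name)
        except ValueError:
            pass  # a real hostname, nothing to flag
    return found


def unspecified_ip_entities(entities_json):
    """Return ip entities whose address is unspecified ('::' or '0.0.0.0').

    Such addresses carry no location information, so they should be enriched from
    another source rather than treated as a real second endpoint.
    """
    return [
        entity["Address"]
        for entity in json.loads(entities_json)
        if entity.get("Type") == "ip"
        and ipaddress.ip_address(entity["Address"]).is_unspecified
    ]


def victim_logged_on_before(history, account, host, alert_time, window_days=30):
    """True if `account` has a prior logon to `host` within `window_days` before `alert_time`.

    Dylan's question: if the victim never logged on to hostA, there was no ticket on
    hostA to steal, which points to name resolution rather than a real theft.
    """
    alert_dt = datetime.fromisoformat(alert_time)
    earliest = alert_dt - timedelta(days=window_days)
    return any(
        rec["account"] == account
        and rec["host"] == host
        and earliest <= datetime.fromisoformat(rec["time"]) < alert_dt
        for rec in history
    )


def triage_pass_the_ticket(entities_json, history, account, host, alert_time):
    """Collect the indicators that argue for a false positive (hypothetical helper)."""
    reasons = []
    ip_hosts = host_entities_that_are_ips(entities_json)
    if ip_hosts:
        reasons.append("host entity is an IP literal: " + ", ".join(ip_hosts))
    if unspecified_ip_entities(entities_json):
        reasons.append("source IP entity is unspecified (::), needs enrichment")
    if not victim_logged_on_before(history, account, host, alert_time):
        reasons.append("no prior logon of %s to %s, ticket could not have been on that host" % (account, host))
    # Verdict: likely a resolution/mapping artefact when every indicator points that way.
    return {"likely_false_positive": bool(reasons), "reasons": reasons}


if __name__ == "__main__":
    print(json.dumps(triage_pass_the_ticket(ALERT_ENTITIES, LOGON_HISTORY,
                                            "victimA", "hostA", "2024-05-01T15:32:00"), indent=2))
```

Run as-is, it flags the IP-literal host entity and the :: source, but confirms victimA did log on to hostA beforehand, so the output is a list of indicators for the analyst rather than an automatic exclusion; the same checks can be rewritten as a KQL analytics rule once the real entity and logon tables are in front of you.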
- Anfo13 (Copper Contributor)
Hi DylanInfosec,
Thanks for your interest. I suspect about now is the right time to throw a spanner in the works:
Between 15:29 and 15:32 it appears the user changed to a different IP subnet, perhaps Ethernet to WLAN. It was also here that the new IP was somehow identified by Sentinel as a host.