Forum Discussion
Suspected identity theft (pass-the-ticket) on multiple endpoints false positive
Hi Anfo13,
It isn’t necessarily a mistake. In Sentinel, you can map the IP to the Host entity type (see here: Host entity schema)
Also, depending on the detection rule logic and log sources, yada yada, I've seen instances where the IP gets mapped to a host entity type name just because of where the IP appeared in the log and the rule logic not accounting for it.
Nevertheless, I believe the source for this alert is Defender for Identity, which monitors the event logs and attempts to resolve IPs internally and falls back to MDE DeviceNetworkInfo. If everything else checks out, it could be a DNS issue.
One question to ask: did victimA log onto hostA in the past to even allow attackerB to attempt a theft? If not, it could be a name resolution issue. Otherwise, go from there.
Best,
Dylan
Hi DylanInfosec,
Thanks for your interest. I suspect about now is the right time to throw a spanner in the works:
Between 15:29 and 15:32 it appears the user changed to a different IP subnet, perhaps Ethernet to WLAN. It was also here that the new IP was somehow identified by Sentinel as a host.
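Dylan's advice to check the IP-to-host mapping against network inventory, and Anfo13's observation that the user switched subnets right before the alert, as an added triage helper (example code written for this thread, not from either poster, Microsoft Sentinel or Defender for Identity); the records, device names, user names and timestamps are constructed, and the DeviceNetworkInfo-style columns are an assumption.

```python
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network

# Constructed sample rows in the spirit of MDE DeviceNetworkInfo joined with a
# logon column: (device, user, ip, seen_at). Hypothetical values, not thread data.
RECORDS = [
    ("victimA-laptop", "victimA", "10.10.1.25", "2024-01-01T15:20:00"),  # wired
    ("victimA-laptop", "victimA", "10.10.5.77", "2024-01-01T15:32:00"),  # WLAN lease
    ("hostA",          "svc-app", "10.10.5.77", "2024-01-01T08:00:00"),  # stale lease
]

def _parse(rows):
    return [(d, u, ip_address(ip), datetime.fromisoformat(t)) for d, u, ip, t in rows]

def latest_holder(ip, at, rows):
    """Most recent (device, user) seen with `ip` at or before `at`, or None."""
    hits = [r for r in rows if r[2] == ip_address(ip) and r[3] <= at]
    return max(hits, key=lambda r: r[3])[:2] if hits else None

def recent_subnet_change(user, at, rows, minutes=15, prefix=24):
    """True if `user` appeared on more than one /prefix in the `minutes` before `at`."""
    lo = at - timedelta(minutes=minutes)
    nets = {ip_network(f"{r[2]}/{prefix}", strict=False)
            for r in rows if r[1] == user and lo <= r[3] <= at}
    return len(nets) > 1

def triage(victim, source_ip, mapped_host, alert_time, rows=RECORDS):
    """Return (likely_false_positive, findings) for an alert whose source IP was mapped to `mapped_host`."""
    rows = _parse(rows)
    at = datetime.fromisoformat(alert_time)
    findings = []
    holder = latest_holder(source_ip, at, rows)
    moved = recent_subnet_change(victim, at, rows)
    if holder is None:
        findings.append("no inventory record for the source IP; mapping cannot be confirmed")
    else:
        device, user = holder
        if device != mapped_host:
            findings.append(f"inventory puts {source_ip} on {device}, alert mapped it to {mapped_host}")
        if user == victim:
            findings.append("source IP was last held by the victim: same user on a new address")
    if moved:
        findings.append("victim changed subnets shortly before the alert (e.g. Ethernet to WLAN)")
    # The victim's own device on a fresh address right after a subnet change is the
    # classic name-resolution false positive; anything else still needs a human look.
    likely_fp = holder is not None and holder[1] == victim and moved
    return likely_fp, findings
```

Run it against the real DeviceNetworkInfo and logon tables for the 15:29 to 15:32 window; if the "attacker" IP was last held by the victim's own device, the alert is a mapping artefact rather than a ticket theft.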