Forum Discussion
keith_be
May 03, 2019 (Copper Contributor)
Understanding the PTH alert thoroughly: what is it triggering on?
Hi, One of our customers is using the Microsoft ATA for some time now. We noticed for several months "Identity theft using Pass-the-hash attack" alerts on the same machine by the same user. For...
Tali Ash
May 05, 2019 (Former Employee)
Hi keith_be ,
We can't expose our logic, but the Pass the Hash alert is triggered when an anomaly which indicates a potential PTH attack is identified. There are known issues with Citrix environments and this alert; maybe this is the case you are experiencing?
Thanks,
Tali
Dan-R660
May 25, 2023 (Copper Contributor)
Thanks for mentioning "known issues with Citrix and pass-the-hash alerts." That aligns with our false positive.
But come on, when I hear a vendor say "we can't expose the logic used to create this alert," as an analyst, I think "I don't want to use that tool." I just wasted 3 days looking into a system and the related domain controller looking for anomalous or suspicious evidence because 1) the alert didn't contain NEARLY enough information for me to make an educated decision (like what commands were used, how did the system determine this was worthy of an alert, if and what binaries were involved), and 2) researching the alert online didn't give me any additional useful information.
Vendor responses like this make me want to disable any of those alerts and create my own. At least I understand how my custom alerts are triggered and I can tune them.
</disappointment>