Forum Discussion
keith_be
May 03, 2019 Copper Contributor
Understanding thoroughly the PTH alert: on what is it triggering?
Hi, One of our customers is using the Microsoft ATA for some time now. We noticed for several months "Identity theft using Pass-the-hash attack" alerts on the same machine by the same user. For...
Tali Ash
Microsoft
Hi keith_be ,
We can't expose our logic, but the Pass the Hash alert is triggered when an anomaly which indicates a potential PTH attack is identified. There are known issues with Citrix environments and this alert; maybe this is the case you are experiencing?
Thanks,
Tali
keith_be
May 06, 2019 Copper Contributor
Hi Tali,
Thanks for your response. I was already afraid you couldn't share the logic. Maybe it is possible to share it with specific partners. Tuning a detection capability without knowing the internal logic is rather difficult. I believe Citrix is using passthrough authentication and that might trigger the alert. Strangely, in the environment I am talking about, this is not always triggering. We cannot simulate it. Any further details or detailed guidance (maybe offline) would be highly appreciated.
Kind regards,
Keith