Microsoft Secure Tech Accelerator
Apr 03 2024, 07:00 AM - 11:00 AM (PDT)
Microsoft Tech Community
SOLVED

Correlation issue for Identity theft using Pass-the-Ticket attack and roaming users

Copper Contributor

Hi, 

 

I was wondering if anyone has experienced (what I think is) a correlation issue for the "Identity theft using Pass-the-Ticket attack" ATP alert. I believe this happens when a user moves their laptop (IP address) from one subnet to another (which for us is when a user moves from wired Ethernet to WiFi, as an example) in a short period of time.


We seem to get a few false alerts under the PTT or PTH banner as a result. When investigating further by way of DHCP logs etc, it is discovered that the machine (MAC address) is in fact the same machine.

 

2 Replies
best response confirmed by Justin Lipple (Copper Contributor)
Solution

Hi Justin,

 

This is right in case of PTT.

 

In some cases, where the IP addresses are changing rapidly, Azure ATP might not be able to determine if different IP addresses are used by the same computer, or by different computers.

 

This is a common issue with undersized DHCP pools(VPN, WiFi, etc.). DHCP pools with short lease times or shared IP addresses (NAT devices).  you can find it in our suspicious activity guide: https://aka.ms/atasaguide-ptt

 

Thanks,

Tali 

 

 

Hello Tali Ash. We too have seen an up tick in these alerts. It looks to me that it does revolves around DNS trying assign an IP address to two different devices or one device has the IP but DNS is trying to assign to a second device. Well keep watching this post for any updates.
Is there any tuning options in DofI to tune these out?
1 best response

Accepted Solutions
best response confirmed by Justin Lipple (Copper Contributor)
Solution

Hi Justin,

 

This is right in case of PTT.

 

In some cases, where the IP addresses are changing rapidly, Azure ATP might not be able to determine if different IP addresses are used by the same computer, or by different computers.

 

This is a common issue with undersized DHCP pools(VPN, WiFi, etc.). DHCP pools with short lease times or shared IP addresses (NAT devices).  you can find it in our suspicious activity guide: https://aka.ms/atasaguide-ptt

 

Thanks,

Tali 

 

 

View solution in original post