cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Microsoft Secure Tech Accelerator
Apr 13 2023, 07:00 AM - 12:00 PM (PDT)
Microsoft Tech Community
Find out more
SOLVED

Correlation issue for Identity theft using Pass-the-Ticket attack and roaming users

Justin Lipple
Occasional Visitor

‎Sep 24 2018 09:51 PM

‎Sep 24 2018 09:51 PM

Correlation issue for Identity theft using Pass-the-Ticket attack and roaming users

Hi, 

 

I was wondering if anyone has experienced (what I think is) a correlation issue for the "Identity theft using Pass-the-Ticket attack" ATP alert. I believe this happens when a user moves their laptop (IP address) from one subnet to another (which for us is when a user moves from wired Ethernet to WiFi, as an example) in a short period of time.


We seem to get a few false alerts under the PTT or PTH banner as a result. When investigating further by way of DHCP logs etc, it is discovered that the machine (MAC address) is in fact the same machine.

 

1,220 Views
1 Like
1 Reply
Reply
1 Reply
best response confirmed by Justin Lipple (Occasional Visitor)
Tali Ash

‎Sep 25 2018 02:17 AM - edited ‎Sep 25 2018 02:20 AM

‎Sep 25 2018 02:17 AM - edited ‎Sep 25 2018 02:20 AM

Solution

Re: Correlation issue for Identity theft using Pass-the-Ticket attack and roaming users

Hi Justin,

 

This is right in case of PTT.

 

In some cases, where the IP addresses are changing rapidly, Azure ATP might not be able to determine if different IP addresses are used by the same computer, or by different computers.

 

This is a common issue with undersized DHCP pools(VPN, WiFi, etc.). DHCP pools with short lease times or shared IP addresses (NAT devices).  you can find it in our suspicious activity guide: https://aka.ms/atasaguide-ptt

 

Thanks,

Tali 

 

 

1 Like
Reply