SOLVED

Correlation issue for Identity theft using Pass-the-Ticket attack and roaming users


Hi,
I was wondering if anyone has experienced (what I think is) a correlation issue for the "Identity theft using Pass-the-Ticket attack" ATP alert. I believe this happens when a user moves their laptop (IP address) from one subnet to another (which for us is when a user moves from wired Ethernet to WiFi, as an example) in a short period of time.


We seem to get a few false alerts under the PTT or PTH banner as a result. When investigating further by way of DHCP logs etc., it is discovered that the machine (MAC address) is in fact the same machine.

1 Reply

Best Response confirmed by Justin Lipple (Occasional Visitor)

Hi Justin,
This is right in the case of PTT.
In some cases, where the IP addresses are changing rapidly, Azure ATP might not be able to determine if different IP addresses are used by the same computer, or by different computers.


This is a common issue with undersized DHCP pools (VPN, WiFi, etc.), DHCP pools with short lease times, or shared IP addresses (NAT devices). You can find it in our suspicious activity guide: https://aka.ms/atasaguide-ptt
Thanks,

Tali
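The DHCP-log triage step the question describes, written out as an added example (it is not code from this thread, from Azure ATP, or from Microsoft): given the two IP addresses the alert reports and the time the ticket was seen from each, look up which MAC held each lease at that moment and classify the alert as same-device, different-devices, or unknown. The log format, MACs, hostnames and timestamps below are constructed for the example.

```python
from datetime import datetime

# Constructed sample DHCP lease events (not real logs): date, time, event, ip, mac, hostname.
# Simulates a laptop releasing its wired lease, getting a WiFi lease, and a desktop reusing the old IP.
DHCP_LOG = """\
2019-09-10 08:58:12 ASSIGN 10.10.1.57 aa-bb-cc-dd-ee-01 LAPTOP-JL
2019-09-10 09:02:40 RELEASE 10.10.1.57 aa-bb-cc-dd-ee-01 LAPTOP-JL
2019-09-10 09:03:05 ASSIGN 10.10.8.21 aa-bb-cc-dd-ee-01 LAPTOP-JL
2019-09-10 09:03:20 ASSIGN 10.10.1.57 aa-bb-cc-dd-ee-02 DESKTOP-XY
"""

def ts(text):
    """Parse the 'YYYY-MM-DD HH:MM:SS' timestamps used in the constructed log."""
    return datetime.strptime(text, "%Y-%m-%d %H:%M:%S")

def parse_dhcp_log(text):
    """Return a list of (timestamp, event, ip, mac, hostname) tuples, MACs normalised to lower case."""
    leases = []
    for line in text.splitlines():
        date, time, event, ip, mac, host = line.split()
        leases.append((ts(f"{date} {time}"), event, ip, mac.lower(), host))
    return leases

def lease_holder(leases, ip, when):
    """Replay lease events up to `when` and return the MAC holding `ip` at that time, or None."""
    holder = {}
    for event_ts, event, lease_ip, mac, _ in sorted(leases):
        if event_ts > when:
            break
        if event == "ASSIGN":
            holder[lease_ip] = mac
        elif event == "RELEASE" and holder.get(lease_ip) == mac:
            holder.pop(lease_ip)
    return holder.get(ip)

def triage_ptt_alert(leases, first_ip, first_seen, second_ip, second_seen):
    """Classify a PTT alert by whether both IPs were held by one MAC when the ticket was used from them.
    Returns (verdict, mac_for_first_ip, mac_for_second_ip); verdict is 'same-device',
    'different-devices' or 'unknown' (no lease record covering one of the IPs)."""
    mac_a = lease_holder(leases, first_ip, first_seen)
    mac_b = lease_holder(leases, second_ip, second_seen)
    if mac_a is None or mac_b is None:
        return "unknown", mac_a, mac_b
    return ("same-device" if mac_a == mac_b else "different-devices"), mac_a, mac_b

if __name__ == "__main__":
    leases = parse_dhcp_log(DHCP_LOG)
    # A roaming laptop: wired IP at 09:00, WiFi IP at 09:04, same MAC -> likely a false positive.
    print(triage_ptt_alert(leases, "10.10.1.57", ts("2019-09-10 09:00:00"),
                           "10.10.8.21", ts("2019-09-10 09:04:00")))
```

A "same-device" verdict only says the two IPs belonged to one MAC during the window; the alert still deserves a look at the ticket's encryption type and the accounts involved before it is closed.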