Identity theft using Pass-the-Hash attack verify false positive


Hello,

 

I have some messages about "Identity theft using Pass-the-Hash attack" in our ATA. I also checked some things on the client but cannot find any suspicious activity. I opened an MS ticket some weeks ago and did not get any information, or at least a status mail.

I think this is a false positive, but it's a good case for us to troubleshoot.

Can anyone from Microsoft have a look at the case and at why we don't get any info?

 

Does anyone else have some ideas on how to verify this?

 

Regards

Miguel
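
One way to check an alert like this against the endpoint's own records, as an added example that is not part of the original post or of ATA itself: ATA raises "Identity theft using Pass-the-Hash attack" when an account's NTLM hash appears to be used from a computer other than the one it was obtained on, so the thing to compare against is the NTLM authentication the target (or the domain controller) actually logged. The script below pulls successful logon events (Security event 4624) for one account, keeps only those authenticated with NTLM, and summarises the distinct source workstations and IPs. The account name, time window and computer to query are assumptions taken from the alert details; Security log auditing for logon events must be enabled on the host you query, and the account running the script needs read access to that log.

```powershell
# Added example (not from the thread): summarise NTLM logons for one account so the source
# hosts can be compared with what the ATA alert claims.
# Assumptions (hypothetical): account, time window and target host come from the alert.
param(
    [Parameter(Mandatory)] [string] $Account,              # sAMAccountName named in the alert
    [datetime] $Start = (Get-Date).AddDays(-7),            # widen/narrow to the alert's time frame
    [datetime] $End   = (Get-Date),
    [string]   $ComputerName = $env:COMPUTERNAME           # DC or target host whose log to read
)

# 4624 = successful logon. FilterHashtable narrows by log, ID and time on the server side;
# the remaining fields (auth package, logon type, source) are only available in the event XML.
$filter = @{ LogName = 'Security'; Id = 4624; StartTime = $Start; EndTime = $End }
$events = Get-WinEvent -ComputerName $ComputerName -FilterHashtable $filter -ErrorAction Stop

$rows = foreach ($e in $events) {
    $x = [xml]$e.ToXml()
    $d = @{}
    foreach ($n in $x.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }

    if ($d.TargetUserName -ne $Account) { continue }
    # Pass-the-Hash is an NTLM technique; Kerberos logons are not what this alert describes.
    if ($d.AuthenticationPackageName -ne 'NTLM') { continue }

    [pscustomobject]@{
        Time        = $e.TimeCreated
        Account     = $d.TargetUserName
        LogonType   = $d.LogonType       # 3 = network, 10 = RDP, 2 = interactive
        Workstation = $d.WorkstationName # name the client supplied in the NTLM exchange
        SourceIp    = $d.IpAddress
        Process     = $d.ProcessName
    }
}

# One line per distinct source. A host the user never works from supports the alert; a single
# well-known source (the user's own PC, a monitoring or backup server) points to a benign cause.
$rows | Group-Object Workstation, SourceIp |
    Select-Object Count,
        @{ n = 'Source';     e = { $_.Name } },
        @{ n = 'First';      e = { ($_.Group | Sort-Object Time | Select-Object -First 1).Time } },
        @{ n = 'Last';       e = { ($_.Group | Sort-Object Time | Select-Object -Last 1).Time } },
        @{ n = 'LogonTypes'; e = { ($_.Group.LogonType | Sort-Object -Unique) -join ',' } } |
    Sort-Object Count -Descending | Format-Table -AutoSize
```

Run it on the computer the alert names as the destination, and again on a domain controller, with `-Account` set to the affected user and `-Start`/`-End` bracketing the alert time. If every NTLM logon for that account comes from the same expected workstation, the endpoint evidence contradicts the "from a different computer" reading of the alert; if a second, unexplained source appears, treat it as a real pass-the-hash candidate and pull the 4624/4672/4688 events on that source host next.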

4 Replies

@m_krone, sorry to hear that no one replied to your support case yet; this is not usually the case.

Can you please send me the support case ID so I can make sure someone responds? (and also check what happened...)


Hello. Can you please share your experience of how to eliminate this false positive?

Hi, unfortunately we couldn't get any solution for this. We are currently investigating it ourselves. Since Eli got us a contact who was responding, we tried to solve the problem, but after 3 weeks of just standard mails saying that Microsoft currently has too many requests, with a delay of up to 4 weeks, we finally got a closure email for the ticket without any solution. Also, a request to keep working on this ticket was denied, and now it's gone.

Hi,

 

I am also getting the same alert but am unable to find anything on the user machine.