Understanding thoroughly the PTH alert: on what is it triggering?

One of our customers has been using Microsoft ATA for some time now. For several months we have noticed "Identity theft using Pass-the-hash attack" alerts on the same machine by the same user. Forensically investigating this machine, we don't see any abnormal or suspicious behavior/activity. According to the ATA tuning guide, you need to determine whether the hash was used from computers the user is using regularly, to check if the alert is a false positive or not. This is clearly the case, so it is in line with our forensic investigation. But I am still interested to understand why the alert is triggering for this particular user on this particular workstation, especially if I want to exclude this alert in the future for this particular user. Could you shine some light on the internals of how this alert mechanism works?


Kind regards,
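The tuning-guide check described in the post (is the hash being used from a computer the user works from regularly?) can be turned into a small triage script. The following is an added example, not code from the thread and not Microsoft ATA's detection logic, which the vendor does not publish. It assumes a stream of NTLM logon events with a day index, user, source host and target host (constructed sample data), learns each user's regular source computers over a learning window, flags logons from a computer outside that set, and then triages each flag the way the tuning guide suggests: if the user keeps authenticating from that same host day after day, it is their regular machine and the recurring alert is a likely false positive. The `CTX01` host models a shared session host such as the Citrix case mentioned in the reply; the threshold values are assumptions.

```python
"""Added example: 'hash used from an unusual computer' heuristic plus tuning-guide triage.

Not Microsoft ATA's logic; event shape, window and thresholds are assumptions.
"""
from collections import defaultdict
from dataclasses import dataclass

LEARNING_DAYS = 5       # assumption: first 5 days build the per-user baseline
MIN_DISTINCT_DAYS = 3   # assumption: a host is "regular" after 3 distinct days of use


@dataclass(frozen=True)
class NtlmLogon:
    day: int            # day index within the observation window
    user: str
    source_host: str    # computer the authentication came from
    target_host: str    # resource being accessed


# Constructed sample telemetry (not real data).
# alice works from WS-ALICE, bob from WS-BOB; carol only appears after the learning
# window and always via the shared host CTX01; on day 7 alice's credential is used
# from WS-BOB, a machine she has never used before.
EVENTS = [
    NtlmLogon(0, "alice", "WS-ALICE", "FS01"),
    NtlmLogon(1, "alice", "WS-ALICE", "FS01"),
    NtlmLogon(2, "alice", "WS-ALICE", "MAIL01"),
    NtlmLogon(3, "alice", "WS-ALICE", "FS01"),
    NtlmLogon(0, "bob", "WS-BOB", "FS01"),
    NtlmLogon(1, "bob", "WS-BOB", "FS01"),
    NtlmLogon(2, "bob", "WS-BOB", "FS02"),
    NtlmLogon(4, "bob", "WS-BOB", "FS01"),
    NtlmLogon(5, "carol", "CTX01", "FS01"),
    NtlmLogon(6, "carol", "CTX01", "FS01"),
    NtlmLogon(7, "alice", "WS-ALICE", "FS01"),
    NtlmLogon(7, "alice", "WS-BOB", "FS01"),
    NtlmLogon(7, "bob", "WS-BOB", "FS02"),
    NtlmLogon(7, "carol", "CTX01", "MAIL01"),
    NtlmLogon(8, "carol", "CTX01", "FS01"),
]


def distinct_days(events, user, host):
    """Number of distinct days on which `user` authenticated from `host`."""
    return len({e.day for e in events if e.user == user and e.source_host == host})


def learn_regular_hosts(events, learning_days):
    """Per-user set of source hosts used on at least MIN_DISTINCT_DAYS days in the window."""
    days_seen = defaultdict(set)
    for e in events:
        if e.day < learning_days:
            days_seen[(e.user, e.source_host)].add(e.day)
    regular = defaultdict(set)
    for (user, host), days in days_seen.items():
        if len(days) >= MIN_DISTINCT_DAYS:
            regular[user].add(host)
    return regular


def detect_unusual_source(events, regular, learning_days):
    """Flag post-baseline logons whose source host is not in the user's regular set."""
    return [
        e for e in events
        if e.day >= learning_days and e.source_host not in regular.get(e.user, set())
    ]


def triage(alert, all_events):
    """Tuning-guide check: a host the user goes on using regularly is a likely false positive."""
    if distinct_days(all_events, alert.user, alert.source_host) >= MIN_DISTINCT_DAYS:
        return "likely false positive: regular host for this user"
    return "investigate: credential used from a host this user does not normally use"


def run(events=EVENTS, learning_days=LEARNING_DAYS):
    regular = learn_regular_hosts(events, learning_days)
    alerts = detect_unusual_source(events, regular, learning_days)
    return [(a.day, a.user, a.source_host, triage(a, events)) for a in alerts]


if __name__ == "__main__":
    for day, user, host, verdict in run():
        print(f"day {day}: {user} from {host} -> {verdict}")
```

Running it flags every one of carol's logons (her baseline was empty, so each day repeats the alert) but triages them all as a regular host, which is the "same user, same machine, for months" pattern the post describes; alice's single logon from WS-BOB stays an investigate item. Whatever the real detector uses internally, this is the kind of per-user baseline a defender can maintain independently to decide which recurring alerts to suppress.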


2 Replies

Hi @keith_be,


We can't expose our logic, but the Pass-the-Hash alert is triggered when an anomaly that indicates a potential PTH attack is identified. There are known issues with Citrix environments and this alert; maybe this is the case you are experiencing?




Hi Tali,

Thanks for your response. I was already afraid you couldn't share the logic. Maybe it is possible to share it with specific partners. Tuning a detection capability without knowing the internal logic is rather difficult. I believe Citrix is using passthrough authentication and that might trigger the alert. Strangely, in the environment I am talking about, this is not always triggering. We cannot simulate it. Any further details or detailed guidance (maybe offline) would be highly appreciated.

Kind regards,