Understanding the PTH alert thoroughly: what is it triggering on?


Hi,


One of our customers has been using Microsoft ATA for some time now. For several months we have noticed "Identity theft using Pass-the-hash attack" alerts on the same machine by the same user. Forensically investigating this machine, we don't see any abnormal or suspicious behavior/activity. According to the ATA tuning guide you need to determine whether the hash was used from computers the user uses regularly, to check if the alert is a false positive or not. This is clearly the case, so it is in line with our forensic investigation. But I am still interested in understanding why the alert is triggering for this particular user on this particular workstation, especially if I want to exclude this alert in the future for this particular user. Could you shine some light on the internals of how this alert mechanism works?


Kind regards,

Keith
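A triage helper for the tuning-guide check described in the post above, added here as an example; it is not ATA's own detection logic (which, per the reply, is not disclosed). It builds a per-user baseline of regularly used computers from constructed NTLM authentication events and classifies the alert's source computer as "regular-host" (candidate false positive) or "new-host" (investigate). User names, host names and the 30-day / 3-distinct-days thresholds are assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample of authentication events as (timestamp, user, source computer).
# Names are hypothetical; in practice these would come from DC security logs or ATA.
SAMPLE_EVENTS = [
    ("2019-04-01T08:05:00", "keith", "WS-101"),
    ("2019-04-02T08:10:00", "keith", "WS-101"),
    ("2019-04-03T09:00:00", "keith", "WS-101"),
    ("2019-04-04T08:00:00", "keith", "CTX-VDA01"),   # Citrix session host
    ("2019-04-11T08:00:00", "keith", "CTX-VDA01"),
    ("2019-04-18T08:00:00", "keith", "CTX-VDA01"),
    ("2019-04-20T23:40:00", "keith", "SRV-FILE07"),  # seen once, late at night
]


def build_baseline(events, end, days=30, min_days=3):
    """Return {user: set(hosts)} where a host counts as 'regular' for a user
    if that user authenticated from it on at least min_days distinct days
    within the window [end - days, end)."""
    start = end - timedelta(days=days)
    seen = defaultdict(lambda: defaultdict(set))  # user -> host -> {dates}
    for ts, user, host in events:
        t = datetime.fromisoformat(ts)
        if start <= t < end:
            seen[user][host].add(t.date())
    return {
        user: {host for host, dates in hosts.items() if len(dates) >= min_days}
        for user, hosts in seen.items()
    }


def triage_pth_alert(events, user, host, alert_time, days=30, min_days=3):
    """Classify a Pass-the-Hash alert's source computer against the user's
    baseline: 'regular-host' if the user normally works from it (candidate
    false positive per the tuning guide), otherwise 'new-host'."""
    end = datetime.fromisoformat(alert_time)
    baseline = build_baseline(events, end, days=days, min_days=min_days)
    return "regular-host" if host in baseline.get(user, set()) else "new-host"


if __name__ == "__main__":
    for h in ("WS-101", "CTX-VDA01", "SRV-FILE07"):
        print(h, triage_pth_alert(SAMPLE_EVENTS, "keith", h, "2019-04-21T00:00:00"))
```

A Citrix host that the user reaches every day will land in the baseline just like a physical workstation, which is one reason the reply's Citrix remark matters when reading the result.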


Hi @keith_be ,


We can't expose our logic, but the Pass the Hash alert is triggered when an anomaly that indicates a potential PTH attack is identified. There are known issues with Citrix environments and this alert; maybe this is the case you are experiencing?


Thanks,

Tali

Hi Tali,

Thanks for your response. I was already afraid you couldn't share the logic. Maybe it is possible to share it with specific partners. Tuning a detection capability without knowing the internal logic is rather difficult. I believe Citrix is using passthrough authentication and that might trigger the alert. Strangely, in the environment I am talking about, this is not always triggering. We cannot simulate it. Any further details or detailed guidance (maybe offline) would be highly appreciated.

Kind regards,
Keith