brlgen
Jul 07, 2023, Brass Contributor
Remote Credential Guard triggers a Pass-the-Hash alert in MDI
Remote Credential Guard, which has been available since WS2016 and which can be enabled as specified here: https://learn.microsoft.com/en-us/windows/security/identity-protection/remote-credential-gua...
josequintino
Jul 09, 2023, Iron Contributor
Hi @brlgen
The way Remote Credential Guard (RCG) operates can indeed trigger a Pass-the-Hash (PtH) attack alert in Microsoft Defender for Identity (previously known as Azure Advanced Threat Protection or Azure ATP).
RCG uses a similar approach to a PtH attack to authenticate the user on a remote system - it takes the user's password hash and uses it to authenticate the user remotely. This is a secure and legitimate behavior of RCG, but it may be interpreted as a PtH attack by Microsoft Defender for Identity, which seeks to identify malicious activities and suspicious behaviors in your network, including PtH attacks.
Although this is a false positive, Microsoft recommends that all security alerts be checked to ensure they are not indicative of actual malicious activity. If it is determined that the alert is being caused by the legitimate use of RCG, you may need to adjust the alert settings in Microsoft Defender for Identity to prevent these alerts from being generated in the future.
However, any adjustment to the alert setting should be done with care as it could inadvertently lessen the effectiveness of detecting true security attacks. Always consult Microsoft's official documentation or seek advice from an IT security expert when making security changes.
brlgen
Jul 10, 2023, Brass Contributor
Hello josequintino,
Thanks for your answer, but this is not what I was looking for. I know how RCG works and why it would trigger an alert. But we are talking about a Microsoft security feature (RCG) to PREVENT PtH and a Microsoft security solution used to DETECT PtH. If these two don't work together, then that's something Microsoft should fix.
Excluding this from the alert means EVERY server where RCG is enabled must be excluded; if all servers enforce RCG, well, then you just made the alert useless.
The real solution should come from the MDI team to figure out a way to see how legitimate auth using RCG does not trigger an MDI PtH alert.
RossWalker
Jun 27, 2024, Copper Contributor
We got this a lot too. What helped us was to change our methods to use a jump host and exclude that jump host from this detection rule. We then switched over from RCG to using a RDGW with smart card authentication on the same jump host. For us the detection rule was for PtT as we use Kerberos for all authentication here.
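The thread raises two practical questions for a defender: how to triage an MDI Pass-the-Hash alert that may simply be an RCG RDP session, and how much of the fleet a per-host exclusion (josequintino's suggestion, brlgen's objection, RossWalker's single jump host) would actually carve out of the detection. The following is an added example written for this thread, not Microsoft code and not the MDI alert schema; the alert and logon field names, the five-minute correlation window and the host inventory are constructed assumptions. It marks an alert as plausibly explained by RCG only when the destination enforces RCG and the same account connected over RDP from the same source host at about the same time, and it reports the share of servers an exclusion would have to cover.

```python
"""Triage helper for MDI Pass-the-Hash style alerts that may be explained by
Remote Credential Guard (RCG) RDP sessions.

Constructed example for illustration only; the field names, the correlation
window and the sample data below are assumptions, not Microsoft's schema.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass(frozen=True)
class Alert:
    """Minimal stand-in for an MDI lateral-movement alert (assumed fields)."""
    account: str
    source_host: str   # host the credential material was taken from
    dest_host: str     # host the credential was used against
    time: datetime


@dataclass(frozen=True)
class RdpLogon:
    """Minimal stand-in for an interactive RDP logon record (assumed fields)."""
    account: str
    source_host: str
    dest_host: str
    time: datetime


def explained_by_rcg(alert, rdp_logons, rcg_enforced_hosts,
                     window=timedelta(minutes=5)):
    """True when the alert lines up with an RDP session by the same account,
    from the same source, to a host that enforces RCG, within the window."""
    if alert.dest_host not in rcg_enforced_hosts:
        return False
    for logon in rdp_logons:
        same_session = (logon.account == alert.account
                        and logon.source_host == alert.source_host
                        and logon.dest_host == alert.dest_host)
        if same_session and abs(logon.time - alert.time) <= window:
            return True
    return False


def triage(alerts, rdp_logons, rcg_enforced_hosts):
    """Split alerts into (likely RCG benign, needs investigation)."""
    benign, investigate = [], []
    for alert in alerts:
        bucket = benign if explained_by_rcg(alert, rdp_logons, rcg_enforced_hosts) else investigate
        bucket.append(alert)
    return benign, investigate


def exclusion_coverage(excluded_hosts, all_servers):
    """Fraction of the server fleet a per-host exclusion would blind the
    detection to; 1.0 means the alert no longer covers any server."""
    return len(set(excluded_hosts) & set(all_servers)) / len(all_servers)


# Constructed sample data (not real telemetry).
T0 = datetime(2023, 7, 7, 9, 0)
RCG_HOSTS = {"srv01", "srv02"}
RDP_LOGONS = [RdpLogon("alice", "ws-alice", "srv01", T0 + timedelta(minutes=1))]
ALERTS = [
    Alert("alice", "ws-alice", "srv01", T0),                         # matches an RDP session to an RCG host
    Alert("alice", "ws-alice", "srv02", T0 + timedelta(minutes=2)),  # RCG host, but no RDP session seen
    Alert("bob", "ws-bob", "srv03", T0),                             # destination does not enforce RCG
]
ALL_SERVERS = ["srv01", "srv02", "srv03", "srv04"]

if __name__ == "__main__":
    benign, investigate = triage(ALERTS, RDP_LOGONS, RCG_HOSTS)
    print("likely RCG:", [a.dest_host for a in benign])
    print("investigate:", [a.dest_host for a in investigate])
    print("exclude every RCG server:", exclusion_coverage(ALL_SERVERS, ALL_SERVERS))
    print("exclude one jump host:", exclusion_coverage({"jump01"}, ["jump01"] + ALL_SERVERS[:3]))
```

Only the first alert is tagged as likely RCG; the second uses a hash against an RCG host with no matching interactive session, which is exactly the pattern a per-host exclusion would hide, and the third is untouched by RCG. The coverage figure makes brlgen's point concrete: excluding every RCG-enforced server gives 1.0, while RossWalker's single excluded jump host leaves the rest of the fleet under the detection.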