
ATA Not Detecting Pass-The-Ticket/Pass-The-Hash Attack Simulations

ATA Version: 1.9.7478.57683
I'm following the ATA Playbook to trigger PTT and PTH alerts in our deployment.

1. Log in as a privileged user on Windows Laptop (COMPA)
2. SSH to COMPA from Kali Linux (KALIB)
3. Run mimikatz on COMPA from KALIB to export privileged user tickets.
4. Copy tickets from COMPA to KALIB using smbclient
5. Use tickets on KALIB to browse the root directory on remote domain controllers
However, ATA is not generating PTT or PTH alerts after this activity. What is the problem?


Hi All,
I tested the following attacks in Microsoft Advanced Threat Analytics and found them not to be working:

1. Bruteforce Attack
2. Pass-The-Ticket
3. Pass-The-Hash
4. Sensitive account exposed Using Plain-Text Authentication

I have tested other attacks like Reconnaissance using DNS, Broken Trust, Honey Token account suspicious activities but they are working perfectly fine. I don't know what's the issue with the above 4.

1. Bruteforce Attack:
I used thc-hydra-windows and triggered a dictionary attack using a list of passwords.

2. Pass-The-Ticket:
I used mimikatz to steal the kerberos ticket from a PC on which Admin is logged on. Impersonating an attacker, I copied the .kirbi file and Injected that file(using mimikatz again) to another PC on which a domain user is logged in.

3. Pass-The-Hash:
(Same as above)
4. Sensitive account exposed in plain text authentication:
I used mimikatz command 'sekurlsa :: logonpasswords' and was able to get passwords of all the users who logged on to that PC. But this was also not detected by MATA.

Please help me with the above issues. If possible, provide the tools using which I can trigger and detect those attacks.
Regards 


Hello,

I am using Microsoft Advanced Threat Analytics v1.7.2 evaluation. I am following the ATA Attack simulation playbook. It can detect enumeration and Pass-the-Hash successfully but it is unable to detect Pass-the-Ticket and Golden Ticket attacks. I have set up the lab environment in ESXi and have set up the Lightweight Gateway on the DC.
A couple of weeks before, I set up the lab in a Hyper-V environment and it was working fine. I don't know what the issue is here. Please help me resolve this.


I have Microsoft ATA set up in a lab environment and it is not detecting pass the ticket and golden ticket attacks when following the playbook. It does detect enumeration and pass the hash and other anomalies.
The computers i have in the lab environment running in Proxmox VE are:
Victim-PC (Windows 7)
Admin-PC (Windows 7)
ATACenter (Server 2012)
Domain Controller (Server 2012) (lightweight gateway setup)

I also had a strange problem using the Netsess tool to obtain the IP address of the NuckC user logged into the admin-pc machine. I have gone over every inch of the setup I could and did follow the directions for the playbook directly. Not sure if this had some effect on why those things were not detected. Any insight on this would be helpful.


Could you explain how the pass the ticket attack is determined, or how to verify that this is an actual problem and not a false positive?
I am piloting ATA in my environment and have already received three warnings regarding pass the ticket.
It is only for computer accounts and not users.


We have been running ATA for a little over a month, putting in gateways as we get resources and DCs configured. We have had 3 instances of being notified that a pass the ticket attack was performed involving 3 distinct sets of 2 computers. In all cases it appears that both computers were coming in from a VPN solution. They are not NATed or using DirectAccess, but VPN is sort of similar so I'm starting to wonder if these are false positives. Is there any guidance on how a VPN segment can cause false positives to show pass the ticket attacks? Some general understanding of what is going on under the hood would help.


Hi,
ATA has an alert about a pass the ticket attack - Kerberos tickets were stolen from one computer to another. At the same time both computers renewed their IP from the DHCP server; maybe the renewal is causing the alert to pop up?
I can't find anything unusual on the computer.

Thanks


Running v1.7.5757.57477 and recently got four PTH alerts, and in each case it states the hash was stolen from one of the computers previously logged into by the user and then used on a system, which in each case happened to be the user's primary system into which they logged.
Would these be potential false positives? I would be more worried if the hash was used on a system not associated with the user.

Thx


Got 2 alerts for Identity theft using pass-the-ticket attack.

Checked with my network team for the IPs involved in the alert and requested them to provide details on these IPs.

Does the IP address of one or both computers belong to a subnet that is allocated from an undersized DHCP pool, for example, VPN or WiFi? 
Is the IP address shared? For example, by a NAT device?
--------------------------------------------------------------------------------------------------------------
Below is the network team reply: 
Please note that IP is part of subnet on Ballina Ireland Data VLan . It is currently DHCP free.

Please note that IP address is part Wireless Network 2 Atlanta Office Center.
It is currently DHCP free.

Is the IP address shared? For example, by a NAT device? NO.
---------------------------------------------------------------------------------------------------------------
Can this be the cause of the alert? It is currently DHCP free.
If not, then what else do I need to look for here?


I've noticed that when users attempt to log into a Citrix session but provide the wrong password initially, but then provide the correct password, the "Identity Theft Using Pass-The-Hash Attack" is triggered. I assume this is because Citrix makes use of pass-through authentication. Is there anything I can do to tune these out or reduce the number of false positives that are observed?


I have recently installed ATA (1.8.6645.28499). It is now into the second week of its learning phase and it is raising a considerable number of false pass-the-hash alerts when users initiate Citrix sessions from their usual PC using pass-through authentication, e.g. a typical alert would be:
Bloggs,Fred's hash was stolen from one of the computers previously logged into by Bloggs,Fred and used from xx1234
Clearly this is spurious - in each case the user is initiating a Citrix session from their own PC and the xx1234 represents a Citrix server in the farm in every case.
1) Why am I only receiving a handful of related PTH alerts each day when I have many thousands of Citrix users, all authenticating in the same manner?
2) How can I suppress these alerts?
What I effectively want to say is 'IF the suspected PTH is being triggered BY the user on their OWN PC and the target server is in our Citrix farm' then ignore it. I can't see a way of setting an exclusion range like this for PTH events though?
Thanks


Hello,

I received the following alert:

Identity theft using pass-the-ticket attack
USER-NAME's Kerberos tickets were stolen from 2 computers to 2 computers and used to access ldap/DC-NAME.DOMAIN-NAME/DomainDnsZones.DOMAIN-NAME.

The network activities indicate the following:
Network activity #1 - WORKSTATION 1 was resolved through the Hint, Cached method by DOMAIN CONTROLLER 1 - the Resource Name is krbtgt/DOMAIN-NAME - Source Account Name is USER-NAME
Network activity #2 - WORKSTATION 2 was resolved through the RpcNtlm method by DOMAIN CONTROLLER 1 - the Resource Name is ldap/DC-NAME.DOMAIN-NAME/DomainDnsZones.DOMAIN-NAME - Source Account Name is USER-NAME
Network activity #3 - WORKSTATION 1 was resolved through the Hint, Cached method by DOMAIN CONTROLLER 1 - the Resource Name is ldap/DC-NAME.DOMAIN-NAME/DomainDnsZones.DOMAIN-NAME - Source Account Name is USER-NAME

The user on WORKSTATION 1 did not use any other machine.
The user on WORKSTATION 2 did not use any other machine, too.
Both users did not use VPN.
The DC resolved the machine names successfully.

Is the authentication issue / one-way replication of application directory partitions, including DomainDNSZones the root cause here?

What are your thoughts?

Regards,
MSSOC


I had a pass-the-ticket attack SA today that I believe is the result of a computer moving from a wired to a wireless network.
The DNS cache was used to resolve the original computer name (during the Kerberos TGS request) but there was no cache hit when the ticket was used again (SMB access to the DC).
First, does this seem like a plausible cause of a false positive?
Second, is there any tuning others have done to eliminate these? 


Good morning, I installed Microsoft ATA 1.6 as soon as it was available and now I have started to receive security messages from behaviour and attack events. I need to verify the "Identity theft using pass-the-ticket attack" event; could anyone suggest any test and verification? Thank you


Hello,
I came across an unusual pass-the-ticket ATA alert. Please take a look below:
Time (UTC)                Source Ip Address   Source Computer   Source Computer Resolution Method   Destination Ip Address
06.10.2017 20:01:58,538   10.***.**.**1       LT******1         Netbios, RpcNtlm, Hint, Cached      10.***.***.*3
06.10.2017 20:05:29,289   10.***.**.**1       LT******1         Netbios, RpcNtlm, Hint, Cached      10.***.***.*3
06.10.2017 20:45:52,151   10.***.**.**2       LT******2         Dns, Cached                         10.***.***.*3
06.10.2017 20:45:52,615   10.***.**.**2       LT******2         Dns, Cached                         ...


Hi
I have just installed ATA 1.6 and using the Lightweight Gateway on all our DC's.

After I enabled and configured event forwarding I see a lot of "Identity theft using pass-the-hash attack" alerts, and there are way too many for me to believe that we have been hacked/are under attack.
Have any of you any ideas of what I might be doing wrong?


Hi everybody,
I've been trying the pass-the-ticket attack for a week now with mimikatz.
This is my lab:

1 Center, 1 Gateway, 1 DC, 1 Workstation

From the workstation, I use the admin ticket. I have access for example to this folder \\dc\admin$. But ATA doesn't detect this scenario. Could someone help me please.
Thanks!!


Hi all,
This is a question for my own information and knowledge as I'm new to ATA.

In ATA, I understand the need for DNS Reconnaissance IP exclusions. There may be machines where legitimate DNS administrative tasks need to be performed, and you don't want these machines triggering alerts in ATA when someone runs the NSLookup command etc.

What I'm trying to get my head around is why you would want Pass-The-Ticket IP Address exclusions.  What is the scenario where you would add an IP or IP Range to be excluded from PtT alerting?

http://www.dreamension.net


Hi everybody,
Could someone please explain, if he has succeeded, the pass-the-hash attack with ATA?
I have:

1 Center, 1 Gateway, 1 DC, 1 workstation

From the workstation, I use the DC admin password hash for authentication. I have access to the DC but ATA doesn't detect this scenario.


I'm trying to find out what triggers a pass the ticket alert. We have a case where a user logged in with another user's credentials on a different computer over VPN at the same time that user was on campus, and a pass the ticket alert was triggered. Is the alert triggered when an exact TGT with the exact hashes and exact sessions is seen on a different computer? Or is it some other trigger?
In other words: is this an indication that the other user installed malware to steal the ticket from a user's computer and then used the Kerberos ticket to log into VPN, and ATA saw an exact duplicate ticket with the same hashes and sessions?
This seems very unlikely because the other user would have had to use the Kerberos ticket to log into VPN, which first communicates with a RADIUS server (no Kerberos ticket used at this point) before it communicates with the DCs. So the other user probably had a username and password already, and if that were true, why use a stolen Kerberos ticket that will trigger alerts when one could just get a new one when logging in. It doesn't seem to make sense for this to be the case.
Or does ATA see the same username in a different subnet at the same time and assume that the ticket was stolen without verifying that the tickets are exactly the same?
Or is there some mechanism built into Kerberos that forwards copies of Kerberos tickets to the same user whe...
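Several posts on this page (the "Network activity #N" alert breakdown quoted earlier and the question above about what triggers the alert) come down to the same triage question: the same account's tickets seen from two computers, with VPN pools, DHCP renewals and name-resolution mismatches as the usual benign explanations. The following is an added example, not ATA's own detection logic and not code from any of the posters: a small responder-side triage script over constructed activity lines in that alert's wording. The "Source Ip Address" field, the host names, the subnet and the verdict rules are all assumptions made up for the example.

```python
import ipaddress
import re
from collections import defaultdict

# Constructed sample lines, modelled on the "Network activity #N - ..." wording quoted
# in the alert above. They are not real ATA output: the trailing "Source Ip Address"
# field is an assumption added so the exclusion check has something to test.
SAMPLE_ACTIVITIES = [
    "Network activity #1 - WS1 was resolved through the Hint, Cached method by DC1 - "
    "the Resource Name is krbtgt/CORP.LOCAL - Source Account Name is alice - "
    "Source Ip Address is 10.1.1.10",
    "Network activity #2 - WS2 was resolved through the RpcNtlm method by DC1 - "
    "the Resource Name is ldap/DC1.CORP.LOCAL/DomainDnsZones.CORP.LOCAL - "
    "Source Account Name is alice - Source Ip Address is 10.1.1.11",
    "Network activity #3 - WS3 was resolved through the Dns, Cached method by DC1 - "
    "the Resource Name is krbtgt/CORP.LOCAL - Source Account Name is bob - "
    "Source Ip Address is 10.9.0.5",
    "Network activity #4 - WS4 was resolved through the Dns, Cached method by DC1 - "
    "the Resource Name is cifs/DC1.CORP.LOCAL - Source Account Name is bob - "
    "Source Ip Address is 10.9.0.6",
    "Network activity #5 - WS5 was resolved through the Dns, Cached method by DC1 - "
    "the Resource Name is krbtgt/CORP.LOCAL - Source Account Name is carol - "
    "Source Ip Address is 10.1.2.20",
    "Network activity #6 - WS6 was resolved through the Dns, Cached method by DC1 - "
    "the Resource Name is cifs/DC1.CORP.LOCAL - Source Account Name is carol - "
    "Source Ip Address is 10.1.3.30",
]

# Subnets where one account legitimately appears from changing addresses (VPN pools,
# wireless DHCP). Constructed value; in practice this is your own exclusion list.
EXCLUDED_RANGES = ("10.9.0.0/24",)

LINE_RE = re.compile(
    r"Network activity #(?P<n>\d+) - (?P<computer>\S+) was resolved through the "
    r"(?P<method>.+?) method by (?P<dc>\S+) - the Resource Name is (?P<resource>\S+)"
    r" - Source Account Name is (?P<account>\S+) - Source Ip Address is (?P<ip>\S+)$"
)


def parse_activity(line):
    """Split one activity line into its fields; resolution methods become a tuple."""
    m = LINE_RE.match(line)
    if not m:
        raise ValueError(f"unrecognised activity line: {line!r}")
    d = m.groupdict()
    d["n"] = int(d["n"])
    d["ip"] = ipaddress.ip_address(d["ip"])
    d["methods"] = tuple(s.strip() for s in d.pop("method").split(","))
    return d


def in_excluded_range(ip, exclusions):
    return any(ip in ipaddress.ip_network(c, strict=False) for c in exclusions)


def triage(lines, exclusions=EXCLUDED_RANGES):
    """Group activities per account and decide what a responder should do with each."""
    by_account = defaultdict(list)
    for line in lines:
        act = parse_activity(line)
        by_account[act["account"]].append(act)

    findings = []
    for account, acts in by_account.items():
        computers = sorted({a["computer"] for a in acts})
        if len(computers) < 2:
            continue  # tickets only ever seen from one computer: nothing to raise
        if all(in_excluded_range(a["ip"], exclusions) for a in acts):
            verdict, reason = "suppressed", "every source address is inside an excluded VPN/DHCP range"
        elif len({a["methods"] for a in acts}) > 1:
            verdict, reason = "review", ("source computers were resolved by different methods; check "
                                         "for an address change (DHCP renewal, wired-to-wireless move)")
        else:
            verdict, reason = "alert", "same account's tickets used from distinct computers, resolution consistent"
        findings.append({"account": account, "computers": computers,
                         "verdict": verdict, "reason": reason})
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_ACTIVITIES):
        print(f"{f['account']:6} {f['verdict']:10} {', '.join(f['computers'])}: {f['reason']}")
```

Grouping by account is a simplification of the pairwise "from N computers to N computers" wording in the real alert; the point is that the exclusion list and the resolution-method comparison are the two checks a responder can apply before escalating.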


We've gotten these alerts before so I know they fire sometimes.   Today we ran a red team exercise and did NOT get an alert.
I see both the original KerberosTgs request for the user (from computer A) and the KerberosAp request (using the stolen TGT from computer B) in the ATA logs so I think the necessary inputs are there. However, it has been four hours now since the usage and no detection.
Can anyone give me some tips for drilling deeper?


I have installed and have been testing the ATA in a test AD Forest. I have successfully tested against the honey token account and DNS Reconnaissance.

I am now testing for Pass-the-ticket detection that is touted on the Microsoft ATA announcement pages. I used MimiKatz on one server to obtain a ticket of the Domain Admin account performing a CIFS session to a DC $ADMIN share and transferred it to another machine logged in as a non Domain Admin account. I then was able to use Mimikatz to replay that token and then access the DC's directory and copy a sensitive file from the NTDS folder. ATA did not report any such behavior. If I understand the ATA correctly, it should have discovered PTT and reported it. Based upon the documentation, it just magically works when you set up the ATA.

What am I missing here? The only thing I did not do was grant the ATA GW access to the client computers in the Domain. Since we are a large Enterprise, it would be difficult to get that kind of buy-in from all depts.

I have yet to test the plain text simple binds.
Assistance please.
Brian B.  


We are getting a Pass the Hash warning for two users (only one has happened more than once) that I am pretty sure is a false positive. The message says the hash was stolen from one computer that the user logged into and was used by the same user on her desktop.

I am guessing an app is doing something weird or something but can't pinpoint it. Anything I can do to try to track it down?

Identity theft using pass-the-hash attack

Savannah ***** (*****)'s hash was stolen from one of the computers previously logged into by Savannah ****** (************) and used from DT-S*******.


I got a pass the hash alert but it is on a Direct Access server.
A previous pass the ticket alert asked me if the computer was a DirectAccess proxy, this alert does not.
I do not see a way to do this for this new alert.


We are currently in monitor mode with ATA and have been receiving alerts since going live on Sunday 10/20. The alert says the user's hash is being passed from an unknown system to the system that is used by the owner of the hash that is being passed. I am not sure why it is identifying an unknown system and saying the system is passing a hash to the user's legitimate system.

Should we respond to alerts that are generated during the 30 day monitoring period or should they be ignored until that period is completed?


HI !

We are currently running ATA 1.7 and there seems to be no way to add a whole subnet to the Pass-the-Ticket Detection Exclusions. I tried the common dash notation like 127.0.0.1/24 but that doesn't work. The SAVE button doesn't become active.


Hi,
Last week I successfully simulated "Pass the hash" in my environment using mimikatz.
However, using the same machine, same ID, and same method again, it just doesn't work now.
DNS Reconnaissance, Directory Reconnaissance, LDAP binding all can detect. 
Any idea why?
Regards,
Hau


Hey guys.
We installed ATA on a customer and started getting Pass-the-Hash alerts after configuring the port forwarding for 4776.
We're currently looking into these events. One of them, however, has lost all data regarding which user and computer was affected - the hash is still there but all other information is gone.

Is this a known issue? Is there something we can do to recover the info/prevent this from happening again?
Thank you very much in advance,

Miguel Duarte


Microsoft Advanced Threat Analytics - Pass-the-Ticket address exclusions

Hello - How can I add an IP Range?
I need to exclude the VPN IP Address Range, because we have a lot of false-positive Pass-the-Ticket Alerts when users switch IP due to VPN connection.


Ok so I am furious with Micro$oft now! The other day I was FORCED to change my microsoft account; after much nagging I did so, and I don't like changing logins too much. (This was a week ago.)
Now for some random reason on earth, without my permission, my windows login also changed its login password to the microsoft account one. I DON'T WANT THAT! That password is too long and complicated for someone who locks his computer every 5 minutes or so. Why did this just kick in now? I changed my M$ account pass over a week ago and today it decides to change my windows login?! Can I change JUST my local windows login separate from my microsoft login?
If I try to change the pass from settings it goes online and says you can't use a password that has been used before.

A:Can i change windows login pass without changing microsoft pass too?

Don't go for a password. Use the PIN option. That's just what you need and it's really a great thing as well.


I'm getting the famous enter admin pass on boot (no BIOS update, laptop been off for a year (no OS atm) and I just started trying to fix it.  The error code I get is: [ 54549743 ] I hope that helps get my mobo unlocked!

A:HP-2000 Enter Admin Pass/Power on Pass at Boot

@PoetheProgrammr Enter 41421385. Regards, DP-K


I have an HP TouchSmart 610-1000. I forgot my power on password. I need some help to get on my computer.

A:i have a touchsmart 610-1000 cant get pass the power on pass...

 Hi, Attach the completed model number, for example 610-1031f How Do I Find My Model Number or Product Number?


Hi there,

Today I was going to enable my HP Simple Pass 2012 software again, but then I got a notification saying "the sensor was not connected". I tried tons of videos, from system scans to going into Device Manager. But it did not work.

Please help someone-would gladly appreciate it

A:HP Simple Pass 2012 not detecting fingerprint scanner?

Try this:

Start> In search box type Programs and features> Enter> See if you can find a listing for Validity> Single click the listing and see if you get a repair option

If it asks if you want to uninstall it, say no.

You can also go to Device manager, and under Biometric devices see if Validity sensor is listed, and if it is working correctly.

You might also try to see if there is a newer driver version on the HP site, especially if you haven't used the feature for a while.

A Guy


Hello everyone! Can you help me with a (hopefully) simple problem?
I have a Access 2003 SQL Pass-thru query that I need to prompt the user for Begin Date and End date, then put these values in the query. I read the Help, but I still don't understand HOW!
Questions: (BTW, this query is being generated from the Switchboard)
1. How do I prompt the user for the dates in Access? I can't use parameters and I don't understand how to use a prompt other than that.
2. How do I get those user responses into the query below
3. How do I write the querydef?

The SQL query is attached

Thanks!
Emil
 

A:Prompt&Pass value to pass-thru query


I removed SimplePass and the Validity software, and I am still required to enter the master password that SimplePass asked me to set up. I uninstalled all drivers and software, and removed all remnants from the registry, and I am still required to enter the password at login. I have done the netplwiz thing, and the BIOS says the password is clear, so how do I remove this password requirement that I didn't have before I installed SimplePass?


Team,
We had an alert on Win SERVER for Kerberos golden ticket activity, which says ticket usage was over a period of 13 hours which exceeded allowed maximum of 10 hours.
Need help to evaluate this alert.

Checked with AD team they confirmed no change in Group Policy has been made.
Now next where else we need to check for investigation for this alert.


Hi,
I am having difficulties enabling VPN pass-through on my DFL-800 router. I'm not very familiar with some of the technical terms such as IPSec, PPTP, and L2TP and what they actually do. My previous router, a Linksys RV082, had no problems. There was one option to disable or enable VPN pass-through and everything was simple. I set up a VPN connection on my Windows XP and Vista and off I went. I could connect to my work network by supplying the host name www.mycompany.com and my login credentials.

When I replaced my router and tried to connect, the Windows connection hangs on Authenticating User Name and Password, and then fails saying that it could not connect to a network.
Obviously my router blocks some communications.

Could you please let me know how to set up this D-Link router as I am running out of ideas.
There are too many settings in this box to play with and I'm not really sure what to touch, how, and what not to.

I have tried to play with IpRules - trying to create some and enable IPSec, PPTP, and L2TP one at a time, but none of those attempts was successful.

I'm a little pissed off at myself at this moment that I have to use my old Linksys because I can't figure out how this new box works.

Please help!!!

Cheers:

CC
 


I had purchased windows 2010 and xp pro as well as many other programs. PAID for them with my earned dollar! And my pass keys do not work! I have paid good money, a lot of money, on many of their programs! Why can't I have a pass key that's allowed to work since mine doesn't??!!??
Both times I've called microsoft, all they want to do is sell me another program. My pass keys should work if I purchased them with my money!!

A:pass key

We are not agents for Microsoft...and we are not obligated nor legally capable of answering questions regarding MS policies.
 
If you have a computer problem which deals with Windows XP...and you want someone here to try to assist you...please post some details of the problem, rather than comments regarding items relating solely to Microsoft and conduct of Microsoft business.
 
Louis


Hi,
I've got a problem I'm hoping someone can help me with..

I've got a Belkin F5D8231-4 v2 N1 Wireless Router and a D-Link DSL-504G 4 Port Modem which I am trying to setup a VPN Connection through.
I'm using the built in VPN server in Windows XP Professional SP2. I can connect to the VPN internally but not externally - when trying to connect externally the client freezes up on "verifying username and password", but I don't think it's even getting as far as connecting to the server.
I've opened up the ports in the firewall, and have forwarded port 1723 on TCP to the servers internal static IP address. The modem itself is running in Bridge mode to the router so I'm assuming that I don't have to open any ports or anything on that for it to work. I have contacted Belkin who assure me that a VPN can be established through that router, and weren't able to offer me much assistance.

what I've got setup is this:
modem (192.168.2.253) ---> Router (192.168.2.254) - - - - (wireless) - -> VPN Server (192.168.2.2)

I haven't actually been able to find anything that suggests that the clients are even getting through the modem and router to the server.. Any suggestions?
 

A:VPN Pass-Through


Hello,

I'm working on a Dell Latitude E6400 laptop and I need to do some work from home.
However, my new modem is not allowing my jobsite's VPN to pass through so I can connect to it. How do I connect??
 

A:allow vpn to pass thru

My wireless connection is excellent, by the way.
 


Hi
I'm not sure if this is the right place to post this, but I need to install some programs for my use and the administrator has placed UAC on everything I try to install. It's not the typical UAC but the one where you have to type a password before it lets you click yes. I can't seem to do anything, like task scheduler, msconfig etc.

How do I get past this?

A:Getting Pass W7 UAC

Sorry, but you don't. You will need your network administrator.
