False pass-the-hash when Citrix pass-through authentication in use

I have recently installed ATA (1.8.6645.28499). It is now into the second week of its learning phase and it is raising a considerable number of false pass-the-hash alerts when users initiate Citrix sessions from their usual PC using pass-through authentication, e.g. a typical alert would be:
Bloggs,Fred's hash was stolen from one of the computers previously logged into by Bloggs,Fred and used from xx1234
Clearly this is spurious - in each case the user is initiating a Citrix session from their own PC and the xx1234 represents a Citrix server in the farm in every case.
1) Why am I only receiving a handful of related PTH alerts each day when I have many thousands of Citrix users, all authenticating in the same manner?
2) How can I suppress these alerts?
What I effectively want to say is 'IF the suspected PTH is being triggered BY the user on their OWN PC and the target server is in our Citrix farm' then ignore it. I can't see a way of setting an exclusion range like this for PTH events though?
Thanks

I've noticed that when users attempt to log into a Citrix session but provide the wrong password initially, and then provide the correct password, the "Identity Theft Using Pass-The-Hash Attack" alert is triggered. I assume this is because Citrix makes use of pass-through authentication. Is there anything I can do to tune these out or reduce the number of false positives that are observed?

We are getting a Pass the Hash warning for two users (only one has happened more than once) that I am pretty sure is a false positive. The message says the hash was stolen from one computer that the user logged into and was used by the same user on her desktop.

I am guessing an app is doing something weird or something but can't pinpoint it. Anything I can do to try to track it down?

Identity theft using pass-the-hash attack

Savannah ***** (*****)'s hash was stolen from one of the computers previously logged into by Savannah ******   (************) and used from DT-S*******.

Running v1.7.5757.57477 and recently got four PTH alerts, and in each case it states the hash was stolen from one of the computers previously logged into by the user and then used on a system, which in each case happened to be the user's primary system, into which they logged.
Would these be potential false positives? I would be more worried if the hash was used on a system not associated with the user.

Thx

Hi All,
I tested the following attacks in Microsoft Advanced Threat Analytics and found them not to be working:

1. Bruteforce Attack
2. Pass-The-Ticket
3. Pass-The-Hash
4. Sensitive account exposed using plain-text authentication

I have tested other attacks like Reconnaissance using DNS, Broken Trust and Honey Token account suspicious activities, and they are working perfectly fine. I don't know what's the issue with the above 4.

1. Bruteforce Attack:
I used thc-hydra-windows and triggered a dictionary attack using a list of passwords.

2. Pass-The-Ticket:
I used mimikatz to steal the Kerberos ticket from a PC on which Admin is logged on. Impersonating an attacker, I copied the .kirbi file and injected that file (using mimikatz again) into another PC on which a domain user is logged in.

3. Pass-The-Hash:
(Same as above)

4. Sensitive account exposed in plain-text authentication:
I used the mimikatz command 'sekurlsa::logonpasswords' and was able to get the passwords of all the users who logged on to that PC. But this was also not detected by MATA.

Please help me with the above issues. If possible, provide the tools using which I can trigger and detect those attacks.
Regards

Hi everybody,
Could someone please explain whether they have succeeded with the pass-the-hash attack with ATA?
I have:

1 Center, 1 Gateway, 1 DC, 1 workstation
From the workstation, I use the DC admin password hash for authentication. I have access to the DC but ATA doesn't detect this scenario.

I got a pass the hash alert but it is on a Direct Access server.
A previous pass the ticket alert asked me if the computer was a DirectAccess proxy, this alert does not.
I do not see a way to do this for this new alert.

We are currently in monitor mode with ATA and have been receiving alerts since going live on Sunday 10/20. The alert says the user's hash is being passed from an unknown system to the system that is used by the owner of the hash that is being passed. I am not sure why it is identifying an unknown system and saying the system is passing a hash to the user's legitimate system.

Should we respond to alerts that are generated during the 30 day monitoring period or should they be ignored until that period is completed?

Hey guys.
We installed ATA on a customer and started getting Pass-the-Hash alerts after configuring the port forwarding for 4776.
We're currently looking into these events. One of them, however, has lost all data regarding which user and computer was affected - the hash is still there but all other information is gone.

Is this a known issue? Is there something we can do to recover the info/prevent this from happening again?
Thank you very much in advance,
Miguel Duarte

Hi,
Last week I successfully simulated "Pass the hash" in my environment using mimikatz.
However, using the same machine, same ID, and same method, it just doesn't work now.
DNS Reconnaissance, Directory Reconnaissance and LDAP binding can all be detected.
Any idea why?
Regards,
Hau

Running: Windows XP and Windows 7 environment with Receiver 3.4.0.29577 on Workstations.

We have Logon Mode set to Pass-Through with Windows Credentials.

Problem: We will get users that get prompted for their USER/PASS at the Citrix Logon after they logon to Windows.

For some reason every time Windows starts up I get a Found New Hardware message for my mouse, keyboard, monitor and video card, even after I install the drivers. It tells me that none of these pass XP authentication. I checked and everything is OK to use with XP. Why is this? Also when I turn on the power I end up in BIOS and I have to hit F1 to continue... if I don't, Windows won't boot up. This just started happening after I had a problem with my new video card. Thank you for your time.

A: will not pass authentication

Hi InwoodK!!

Try to turn off the computer. Try to take out the CMOS battery from the computer, and put it back after a couple of minutes. Try to restart the computer back after that. See if that resolves the issue

WARNING!
Make sure you turn off the power plug before opening the case. It is better if you unplug the power cable from the wall socket as well. If you have any doubt, STOP AND ASK FIRST!! Make sure also you discharge yourself before touching anything inside the computer. You can do so by touching the computer case for a moment before opening it.

I was trying to use HP Client Security on my Elite x2 1012 G1. I set up a password and fingerprints as it was the very first time for me to use it. However, after setting it up, whenever I try to open it, it gives me the screen below. Basically it tells me to verify myself with options which do not exist. It does not seem normal; is there anything I need to do to fix this? Or is it not really an issue?

A: HP client security - not being able to pass authentication s...

It seems like it is solved now. I updated the client security and it solved itself. 

Hello,  We are upgrading from HPDM 4.6 to 4.7 and the server's keystore file was deleted in the process. As a result we get this log message every time we try to send a task to one of our machines: "Agent refused the task because the Device Management Gateway failed to pass the authentication." I deleted the two key files in C:\Windows\xpeagent on one of the machines and that seems to have resolved the issue -- for that machine. Repeating this process for ALL of our machines would be a daunting task. Is there another way to resync these devices with the server or are we out of luck? If we do have to touch each machine individually, does anyone have any tips or scripts for speeding up the process? Thanks in advance for any advice you can offer!

I'm getting the famous "enter admin pass" on boot (no BIOS update, laptop has been off for a year, no OS atm) and I just started trying to fix it. The error code I get is: [ 54549743 ] I hope that helps get my mobo unlocked!

A: HP-2000 Enter Admin Pass/Power on Pass at Boot

@PoetheProgrammr Enter 41421385. Regards, DP-K

OK so I am furious with Micro$oft now! The other day I was FORCED to change my Microsoft account after much nagging. I did so, and I don't like changing logins too much. (This was a week ago.)
Now for some random reason on earth, without my permission, my Windows login also changed its login password to the Microsoft account one. I DON'T WANT THAT! That password is too long and complicated for someone who locks his computer every 5 minutes or so. Why did this just kick in now? I changed my M$ account pass over a week ago and today it decides to change the Windows login?! Can I change JUST my local Windows login separately from the Microsoft login?
If I try to change the pass from Settings it goes online and says you can't use a password that has been used before.

A: Can I change Windows login pass without changing Microsoft pass too?

Don't go for a password. Use the PIN option. That's just what you need, and it's really a great thing as well.

We have been running ATA for a little over a month, putting in gateways as we get resources and DCs configured. We have had 3 instances of being notified that a pass-the-ticket attack was performed involving 3 distinct sets of 2 computers. In all cases it appears that both computers were coming in from a VPN solution. They are not NATed or using DirectAccess, but VPN is sort of similar, so I'm starting to wonder if these are false positives. Is there any guidance on how a VPN segment can cause false positives to show pass-the-ticket attacks? Some general understanding of what is going on under the hood would help.

I have an HP TouchSmart 610-1000. I forgot my power-on password. I need some help to get onto my computer.

A: I have a TouchSmart 610-1000, can't get past the power-on pass...

Hi, attach the complete model number, for example 610-1031f. How Do I Find My Model Number or Product Number?

Hi
I have just installed ATA 1.6 and am using the Lightweight Gateway on all our DCs.

After I have enabled and configured event forwarding I see a lot of "Identity theft using pass-the-hash attack" alerts, and there are way too many for me to believe that we have been hacked/are under attack.
Have any of you any ideas of what I might be doing wrong?

I had a pass-the-ticket attack SA today that I believe is the result of a computer moving from a wired to a wireless network.
The DNS cache was used to resolve the original computer name (during the Kerberos TGS request) but there was no cache hit when the ticket was used again (SMB access to the DC).
First, does this seem like a plausible cause of a false positive?
Second, is there any tuning others have done to eliminate these? 

Hello everyone! Can you help me with a (hopefully) simple problem?
I have a Access 2003 SQL Pass-thru query that I need to prompt the user for Begin Date and End date, then put these values in the query. I read the Help, but I still don't understand HOW!
Questions: (BTW, this query is being generated from the Switchboard)
1. How do I prompt the user for the dates in Access? I can't use parameters and I don't understand how to use a prompt other than that.
2. How do I get those user responses into the query below
3. How do I write the querydef?

The SQL query is attached

Thanks!
Emil

A: Prompt & Pass value to pass-thru query

I removed SimplePass and Validity software, and I am still required to enter the master password that SimplePass asked me to set up. I uninstalled all drivers and software, and removed all remnants from the registry, and I am still required to enter the password at login. I have done the netplwiz thing, and BIOS says the password is clear, so how do I remove this password requirement that I didn't have before I installed SimplePass?

Good morning.
I'm in the process of deploying Microsoft ATA in my environment.
I received an alert for an overpass the hash. I've been working with my IR colleagues on the alert, but we haven't found a root cause yet.
Has anyone encountered any false positives with this style of alert?

Hi
I'm not sure if this is the right place to post this, but I need to install some programs for my use and the administrator has placed UAC on everything I try to install. It's not the typical UAC but the one where you have to type a password before it lets you click Yes. I can't seem to do anything, like Task Scheduler, msconfig etc.

How do I get past this?

A: Getting Past W7 UAC

Sorry, but you don't. You will need your network administrator.

I had purchased Windows 2010 and XP Pro as well as many other programs. PAID for them with my earned dollar! And my pass keys do not work! I have paid good money, a lot of money, on many of their programs! Why can't I have a pass key that's allowed to work since mine doesn't??!!??
Both times I've called Microsoft, all they want to do is sell me another program. My pass keys should work if I purchased them with my money!!

A: pass key

We are not agents for Microsoft...and we are not obligated nor legally capable of answering questions regarding MS policies.

If you have a computer problem which deals with Windows XP...and you want someone here to try to assist you...please post some details of the problem, rather than comments regarding items relating solely to Microsoft and conduct of Microsoft business.

Louis

hello,

I'm working on a Dell Latitude E6400 laptop and I need to do some work from home.
However, my new modem is not allowing my jobsite's VPN to pass through so I can connect to it. How do I connect??

A: allow VPN to pass through

My wireless connection is excellent, by the way.

Hi,
I've got a problem I'm hoping someone can help me with..

I've got a Belkin F5D8231-4 v2 N1 Wireless Router and a D-Link DSL-504G 4 Port Modem which I am trying to setup a VPN Connection through.
I'm using the built-in VPN server in Windows XP Professional SP2. I can connect to the VPN internally but not externally - when trying to connect externally the client freezes up on "verifying username and password", but I don't think it's even getting as far as connecting to the server.
I've opened up the ports in the firewall, and have forwarded port 1723 on TCP to the server's internal static IP address. The modem itself is running in Bridge mode to the router so I'm assuming that I don't have to open any ports or anything on that for it to work. I have contacted Belkin, who assure me that a VPN can be established through that router, but weren't able to offer me much assistance.

What I've got set up is this:
modem (192.168.2.253) ---> Router (192.168.2.254) - - - - (wireless) - -> VPN Server (192.168.2.2)

I haven't actually been able to find anything that suggests that the clients are even getting through the modem and router to the server.. Any suggestions?

A: VPN Pass-Through

Hi,
I am having difficulties enabling VPN pass-through on my DFL-800 router. I'm not very familiar with some of the technical terms such as IPSec, PPTP, and L2TP and what they actually do. My previous router, a Linksys RV082, had no problems. There was one option to disable or enable VPN pass-through and everything was simple. I had set up a VPN connection on my Windows XP and Vista and off I went. I could connect to my work network by supplying the host name www.mycompany.com and my login credentials.

When I replaced my routers and tried to connect, the Windows connection hangs on "Authenticating User Name and Password" and then fails, saying that it could not connect to the network.
Obviously my router blocks some communications.

Could you please let me know how to set up this D-Link router as I am running out of ideas.
There are too many settings in this box to play with and I'm not really sure what to touch, how, and what not to.

I have tried to play with IpRules - trying to create some and enable IPSec, PPTP, and L2TP one at a time, but none of those attempts were successful.

I'm a little pissed off at myself at this moment that I have to use my old Linksys because I can't figure out how this new box works.

Please help!!!

Cheers:

CC

Hello everybody,
I have my PC, running Windows XP Pro. I forgot my password; can someone tell me what I can do?

Thank you

A: forgot pass! help!

There is free software available on the Internet to change the password of a local user's account.

Due to conflicting information, I'm not sure if it's OK to post on this forum.

So send me an e-mail and I'll send you the link.

Hi,
I have activated my OWA on my Exchange 5.5. How do I make OWA accessible from a dialup connection? My Exchange 5.5 is behind my FW1 server. I have set rules to allow http and https for my exchange server. Anything else I should look into?

Cheers,
keet

Let's say Computer#1 has a USB harddrive connected (it can be F:, G:, E: whatever Windows assigns, I do not want to assign a fixed letter for various reasons).

The external drive and several other folders are allowed to be shared on the local network.

What is needed in Computer#2 (or #1) so that files on that USB harddrive can be read and modified from Computer#2. The drive is visible in Windows Explorer, but the message talks about missing permissions, consequently, can't read and can't write while the standard file sharing works just fine between the two computers.

Is what I want even possible?

I recall, from long ago, that at work it was possible for pass-through commands to go to some printer attached to another computer, so how different is that process? Not that I remember how it was done

I get a password pop-up about every 20 minutes. The pop-up requests user name and password. The areas for the information are filled in, and when I click on OK or Cancel or the X to close the box, the box goes away.
Not a major problem but I would like to make it go away. This just started after SBC reset my e-mail accounts. Several attempts to get a fix from them have not worked.

A: Password pop-up

When I set up our netlink wireless router some time in the dim past, I set it up with 128 WEP Encryption and a pass code phrase. Sometimes when I'm hooking up a computer to the network, I get the option to enter the pass phrase only, other times I have to enter the whole gazillion character wep key. How can I get it to always prompt me for the pass phrase? Soooo much easier!

Thanks.

A: WEP Key vs. Pass Phrase

I recommend against the pass phrase, since many times it won't yield the same key on different brands of equipment.

Dear Community, when I try to hardreset my computer it says that it needs to be repaired. How can I fix this problem? I have an HP stream 11 from 2015.

My home PC is password protected and I cannot remember it. Tried every combo, no luck. HELP!

A: bypass password

Please see the TSG Rules.

Passwords - Please do not ask for assistance with forgotten passwords and/or bypassing them. As there is no way to verify the actual situation and/or intentions, no assistance will be provided and any such threads will be closed. We no longer provide any help with lost passwords or getting around password protection. Obviously, we can't determine the real intent here, so our policy is to abstain from any assistance in these matters.

Closed.

I AM TIRED OF THIS ISSUE! EVERY SINGLE TIME MY BROWSER UPDATES, THE SIMPLE PASS STOPS FUNCTIONING. WHY HP, WHY IN THE HELL YOU MAKE AND SELL PC'S WITH SOMETHING YOU DO NOT CARE ABOUT???? DO YOU MAYBE REALIZE THAT PEOPLE BUY THIS KIND OF PC BECAUSE OF THE FEATURE OF FINGERPRINT SCANNER???? I AM TIRED OF LOOKING FOR ANY KIND OF STUPENDOUS SOLUTIONS, DISABLINGS AND WORK AROUNDS! YOU SELL PC WITH A SCANNER, YOU SHOULD BE UPDATING TO ALL OF YOUR CUSTOMERS! FIREFOX 48 -- NOT WORKING WINDOWS IE - NOT WORKING MS EDGE - NOT WORKING CHROME - NOT WORKING WHAT GIVES????!!!!

The scenario is that I have multiple APs in the building but one network. So generally I'd like to know if users are able to log into the Wi-Fi of the same SSID, but to connect to certain APs there will be an extra password that needs to be entered. Is this possible?

A: Is it possible to set same SSID but different pass for APs?

What are you trying to prevent users from doing when they connect to certain APs since everything is on one network?

Hello, I've tried two different usbc dongles that have pass through charging and neither work with my Dell xps 13 9365.  I've done the bios update and all current driver updates.  With only two usbc ports having pass through charging is pretty important.  I currently have the Satechi usbc hub where the hdmi and the usb3 ports work; just not the usbc pass through charging.  Any idea? 

Hi: I have problems with my computer password. When I suspend my PC it does not recognize my PC password, but when I restart my PC I put in my password and it works. Please, if someone knows how I can solve this problem.
Huaso

A: Problems with pass

I cannot connect to a private Wi-Fi signal even after entering the pass key. I keep getting a bubble saying I have a pass key mismatch. Windows 7?

A: mismatched pass key

Disable encryption on the router and try to connect that way. If successful you can probably re-enable encryption and reconnect.

Please, I have forgotten my password.

A: password

@dka2016 Power-on password or Windows login password??? REO
