ATA: Identity theft using Pass-the-Ticket attack

Santosh Paga - (IRMC) 21 Reputation points
2021-02-25T16:12:40.767+00:00

Hi Team, I'm new to the ATA product. Unable to understand the action needed to take for this alert. I have gone through the link to get clarification: https://learn.microsoft.com/en-us/advanced-threat-analytics/suspicious-activity-guide "UserA's Kerberos tickets were stolen from hostnameY to 10.X.X.X and used to access other machines." Users are not aware of this activity, or they are not technical guys to confirm it. What action would be required to take on this issue? Regards, Santosh


Accepted answer
  1. Reza-Ameri 17,341 Reputation points Volunteer Moderator
    2021-02-25T16:36:09.29+00:00

    The article explains it well.
    Is that a sensitive account, meaning it contains sensitive data?
    If yes, take a look at:
    https://www.microsoft.com/security/blog/2015/02/11/krbtgt-account-password-reset-scripts-now-available-for-customers/
    In case it is not a sensitive account, then just reset the password from AD or Azure AD.
    You should investigate the IP address and the attack too.
    Try running a virus scan on the device and make sure it is updated.
    There is also a good article about this attack and its mitigation, take a look at:
    https://www.microsoft.com/en-us/download/details.aspx?id=36036
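As an added example that is not part of the question or the accepted answer: a PowerShell script that carries out the two steps the answer describes, resetting the compromised account and then pulling the Kerberos network logons from the machines the stolen ticket was used against, so the affected sessions can be scoped. The account name, source IP, target host names and alert time are placeholders to be replaced with the values from the ATA alert; it assumes the ActiveDirectory module and remote Security-log read access on the targets.

```powershell
# Added example: containment and log review for an ATA Pass-the-Ticket alert.
# Placeholders (assumed; replace with the values shown in the alert):
$User      = 'UserA'                  # account whose tickets were stolen
$SourceIp  = '10.0.0.99'              # the 10.X.X.X address the tickets were moved to
$Targets   = @('FILESRV01', 'APP02')  # machines the alert says the tickets were used against
$AlertTime = Get-Date '2021-02-25T16:12:00'
$Window    = New-TimeSpan -Hours 12   # search this far on either side of the alert

Import-Module ActiveDirectory

# 1. Containment: reset the password and force a change at next logon.
#    A reset stops new tickets being issued for the old credential, but tickets
#    already in the attacker's hands remain valid until they expire (10 hours by
#    default for a TGT), which is why the event review in step 2 still matters.
$NewPassword = Read-Host -AsSecureString "New temporary password for $User"
Set-ADAccountPassword -Identity $User -Reset -NewPassword $NewPassword
Set-ADUser -Identity $User -ChangePasswordAtLogon $true

# 2. Investigation: on each target, collect successful logons (4624) for the
#    account that arrived over the network (logon type 3) from the suspect IP
#    and were authenticated with Kerberos. Each hit is a session to scope.
$Filter = @{
    LogName   = 'Security'
    Id        = 4624
    StartTime = $AlertTime - $Window
    EndTime   = $AlertTime + $Window
}
$Hits = foreach ($Computer in $Targets) {
    Get-WinEvent -ComputerName $Computer -FilterHashtable $Filter -ErrorAction SilentlyContinue |
        ForEach-Object {
            # Flatten the EventData <Data Name="..."> elements into a lookup table
            $d = @{}
            ([xml]$_.ToXml()).Event.EventData.Data | ForEach-Object { $d[$_.Name] = $_.'#text' }
            if ($d.TargetUserName -eq $User -and $d.IpAddress -eq $SourceIp -and
                $d.LogonType -eq '3' -and $d.AuthenticationPackageName -eq 'Kerberos') {
                [pscustomobject]@{
                    Computer    = $Computer
                    Time        = $_.TimeCreated
                    LogonId     = $d.TargetLogonId   # correlate with 4634/4647 (logoff) and 4672
                    Workstation = $d.WorkstationName
                    Process     = $d.ProcessName
                }
            }
        }
}
$Hits | Sort-Object Time | Format-Table -AutoSize
```

The LogonId column lets each session be followed through the other Security events on that host, which is what turns the alert's "used to access other machines" into a concrete list of what was touched.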

