Forensic Artifacts From a Pass the Hash Attack

DEF CON 23

Presented by: Gerard Laygui
Date: Thursday August 06, 2015
Time: 15:00 - 15:50
Location: Track Four

A pass the hash (PtH) attack is one of the most devastating attacks to execute on the systems in a Windows domain. Many system admins are unaware about this type of attack and the amount of damage it can do. This presentation is for the system admins that don't have a full time forensics person working with them. This presentation will help identify key windows events and explain why these events are important. The presentation will also show various free tools that can assist in examining some of the common evidence left behind. The presentation will explain and demonstrate a pass the hash attack against common windows systems in an example domain. In the end, the presentation may offer some insight into what an attacker wants and needs to use PtH to pivot in a network.

Gerard Laygui

Gerard has been in the IT industry for almost 20 years. He has held various network admin, system admin, web admin and security related positions throughout his career. He currently works for a Fortune 50 company doing compromise forensics and malware reverse engineering.


KhanFu - Mobile schedules for INFOSEC conferences.
Mobile interface | Alternate Formats