Forensic Artifacts From a Pass the Hash Attack

From CactusCon 2015: Forensic Artifacts From a Pass the Hash Attack by Gerard Laygui

Abstract:

Gerard Laygui

Forensic Artifacts of Pass the Hash

A pass the hash (PtH) attack is one of the most awesome attacks to execute on the systems in a Windows domain. Many system admins are unaware of this type of attack and the amount of damage it can do. This presentation is for the system admins who don’t have a full-time forensics person working with them. The presentation will explain and demonstrate a pass the hash attack against common Windows systems in an example domain. The presentation will also show various tools that can assist in gathering and examining some of the common evidence left behind. In the end, the presentation may offer some insight into what an attacker wants and needs to use PtH to pivot in a network.

Slides:

View the slides here

Demo Videos:

  1. TBD
  2. TBD
  3. TBD