Pass-the-Hash Domain Controller

  • Question

  • Hi

    I recently understood that my DC was hacked with a pass-the-hash attack.

    I don't know how to find the source of the problem and stop their activity.

    I guess they created a user account with appropriate permissions or ran a WMI or PowerShell script, but I don't know how I could stop them.

    Please help me...

    Regards

    Thursday, July 31, 2014 9:34 AM

All replies

  • Hello,

    May I ask how you noticed that your DC was hacked with PTH? What did you see?

    Was it a malware?

    Do you know what account was exposed? 

    Thanks,


    Ohad Plotnik

    VP Professional Services, MVP
    Aorato LTD.
    Protection through entity behavior.
    www.Aorato.com


    Monday, August 4, 2014 12:26 PM
  • Hi

    He claims that he got the domain administrator password and domain user on Active Directory.

    I read an article at this site: https://www.pentestgeek.com/2012/11/16/dumping-domain-password-hashes-using-metasploit-ntds_hashextract-rb/

    He did something like this. I really do not know how to solve the problem.

    Sunday, August 10, 2014 4:35 PM