locked
Pass the Hash attack false positives? RRS feed

 > 

  • Question

  • Question
    Sign in to vote
    0
    Sign in to vote

    Running v1.7.5757.57477 and recently got four PTH alerts, and in each case it states the has was stolen from one of the computers previously logged into by the user and then used on a system, which in each case happened to be the user's primary system in which they logged into.

    Would this be potential false positives? I would be more worried if the hash was used on a system not associated with the user.

    Thx

    Tuesday, July 18, 2017 7:58 PM

Answers

  • Question
    Sign in to vote
    1
    Sign in to vote
    True, if the hash was used on a machine regularly used by the user, it's most likely a false positive.
    • Marked as answer by JeffRW Wednesday, July 19, 2017 1:09 PM
    Tuesday, July 18, 2017 8:39 PM

All replies

  • Question
    Sign in to vote
    1
    Sign in to vote
    True, if the hash was used on a machine regularly used by the user, it's most likely a false positive.
    • Marked as answer by JeffRW Wednesday, July 19, 2017 1:09 PM
    Tuesday, July 18, 2017 8:39 PM
  • Question
    Sign in to vote
    0
    Sign in to vote
    Thx for the reply
    Wednesday, July 19, 2017 1:09 PM