Pass the Hash attack false positives?

  • Question

  • Running v1.7.5757.57477 and recently got four PTH alerts, and in each case it states the hash was stolen from one of the computers previously logged into by the user and then used on a system, which in each case happened to be the user's primary system that they logged into.

    Would this be potential false positives? I would be more worried if the hash was used on a system not associated with the user.


    Tuesday, July 18, 2017 7:58 PM


  • True, if the hash was used on a machine regularly used by the user, it's most likely a false positive.
    • Marked as answer by JeffRW Wednesday, July 19, 2017 1:09 PM
    Tuesday, July 18, 2017 8:39 PM
