Ethical Hacking

Learn to find vulnerabilities before the bad guys do! Gain real world hands on hacking experience in our state of the art hacking lab. Course designed and taught by expert instructors with years of penetration testing experience. 12 student maximum in every class. Certification attempt included in every package.
Computer Forensics Training at InfoSec Institute

Gain the in-demand skills of a certified computer examiner, learn to recover trace data left behind by fraud, theft, and cybercrime perpetrators. Discover the source of computer crime and abuse at your organization so that it never happens again. All of our class sizes are guaranteed to be 12 students or less to facilitate one-on-one interaction with one of our expert instructors.




Network Security Focus-Microsoft
[Top] [All Lists]
<prev [Date] next>
[Advanced]
 <prev [Thread] next>

RE: Detecting PwDump

from [M. Burnett] Network Security [Permanent Link]
Subject: RE: Detecting PwDump
Date: Thu, 13 Apr 2006 18:04:40 -0600 
There are a number of ways that you can detect pwdump when it is run either
locally or remotely, especially if you have some way to correlate multiple
event log events. 

If you audit object access, privilege use, and process tracking in the event
logs you will see access to lsass.exe and pwdump.exe (or pwservice.exe
remotely). You will also see use of SeDebugPrivilege. A number of these
events in a row will alert you to someone using pwdump with very high
certainty. 

I also noticed that Windows Defender creates an event in the System event
log when pwdump runs.


Mark Burnett




-----Original Message-----
From: Simon Taplin [mailto:simont@pop.co.za] 
Sent: Thursday, April 13, 2006 9:03 AM
To: Focus-Ms
Subject: Detecting PwDump

Is there anyway to detect if someone is using pwdump3/6 using the network
feature to dump passwords from a Windows 2000/2003 Server?

Simon



---------------------------------------------------------------------------
---------------------------------------------------------------------------


---------------------------------------------------------------------------
---------------------------------------------------------------------------
[More messages with this same subject...]




<Prev in Thread] Current Thread [Next in Thread>
Previous by Date:  MS06-013 Cumulative IE Update (912812) Issues, Thor (Hammer of God)
Next by Date:  Re: Detecting PwDump, Shawn Merdinger
Previous by Thread:  Detecting PwDump, Simon Taplin
Next by Thread:  Re: Detecting PwDump, Shawn Merdinger
Indexes:  [Date] [Thread] [Top] [All Lists]